Link Load Balancing doesn't work

Hi,

I have a scenario as in the attached picture:

2
0                                           ---------    --------
0                                     |<--->|Router1|<-->|Modem1|<-->InternetLine1
                                      |     ---------    --------
C    ---------     --------------------     ---------    --------
L <->|Router0|<--->|Link Load Balancer|<--->|Router2|<-->|Modem2|<-->InternetLine2
I    ---------     --------------------     ---------    --------
E                                     |     ---------    --------
N                                     |<--->|Router3|<-->|Modem3|<-->InternetLine3
T                                           ---------    --------
S

I have n users who need access to the internet through 3 ADSL lines belonging to 3 different internet service providers.
So it's necessary that the traffic from the LAN to the INTERNET is balanced. For this it is sufficient to use PFSense (I'm using PFSense 2.0.1 64bit as Router 0-1-2-3). The problem is that in the PFSense 2.0.1 64bit version "STICKY CONNECTION" doesn't seem to work, so I have a problem of improper management of secure connections (for example SSO, FTP, etc...). So I've tried to use Zen Load Balancer, which properly handles the balancing and persistent connections, but Zen Load Balancer configured in DATALINK mode does not allow its LAN to be connected to a device that does routing... I also need some users to always go out to the internet through a specific ADSL line, but Zen Load Balancer does not seem to allow the creation of routing rules. Even if I set Zen Load Balancer to TCP or HTTP mode I would have a problem, because for example I could not get to the admin interface of routers 1-2-3, in addition to having to specify all 65000 ports that must be balanced.

Is ZenLoadBalancer the best choice, or does some more suitable tool exist? Does any of you have a better idea to achieve my objective?

... please could someone help me?

Thank you very much and... sorry for my very poor English.

Massy
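
Added example (not part of the original post, and not pfSense or Zen Load Balancer code): a small Python model of the problem described above, showing why per-connection balancing across three NATed lines breaks address-bound logins, how a sticky table avoids it, and how a per-user rule pins a host to one line. The class, the addresses and the pinned host are constructed for illustration.

```python
from itertools import count

# Constructed sample data: three WAN lines with documentation-range public IPs.
WAN_LINES = {"line1": "192.0.2.1", "line2": "198.51.100.1", "line3": "203.0.113.1"}
# Hypothetical policy: this LAN host must always leave through line3.
PINNED = {"10.0.0.50": "line3"}


class Balancer:
    def __init__(self, lines, pinned=None, sticky=False):
        self.lines = dict(lines)
        self.pinned = dict(pinned or {})
        self.sticky = sticky
        self.down = set()      # lines currently marked as failed
        self.table = {}        # sticky table: LAN source IP -> chosen line
        self._rr = count()

    def _next_up(self):
        up = [n for n in sorted(self.lines) if n not in self.down]
        if not up:
            raise RuntimeError("no WAN line available")
        return up[next(self._rr) % len(up)]

    def pick_line(self, src_ip):
        pinned = self.pinned.get(src_ip)
        if pinned and pinned not in self.down:
            return pinned                      # policy rule wins over balancing
        if not self.sticky:
            return self._next_up()             # new line for every connection
        line = self.table.get(src_ip)
        if line is None or line in self.down:  # first contact, or line failed
            line = self.table[src_ip] = self._next_up()
        return line

    def nat_source(self, src_ip):
        """Public address the remote server sees for this connection."""
        return self.lines[self.pick_line(src_ip)]


def public_ips_seen(balancer, src_ip, connections=6):
    return {balancer.nat_source(src_ip) for _ in range(connections)}


def session_survives(balancer, src_ip, connections=6):
    # A server that ties a login to the client address tolerates exactly one.
    return len(public_ips_seen(balancer, src_ip, connections)) == 1
```

When a line fails, the sticky entry is reassigned, so the client's public address changes once and any address-bound session has to be re-established.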
 
Have you asked in the PFsense forums re sticky sessions? They're a pretty good bunch of people!
I've never needed sticky sessions but always set the likes of https to just use one ADSL line.

Have a look at Zeroshell. I've never used it myself but am aware its multi-WAN capabilities are a little better than PFsense's.
 
Routers 1-3 are firewalls to protect network from Internet toward LAN... and I need them to log traffic too.

Surely Router 0 can do both those things? Sorry this isn't really addressing your original question, but your current setup seems over-complicated.

For example, Draytek sell multi-WAN routers, and I'm pretty sure they have load balancing built-in. So your whole setup could be replaced with 3 modems and one router. This single router would be firewall, load balancer and router, including VLAN support.

Just my £0.02.
 
Have you asked in the PFsense forums re sticky sessions? They're a pretty good bunch of people!
I've never needed sticky sessions but always set the likes of https to just use one ADSL line.

Have a look at Zeroshell. I've never used it myself but am aware its multi-WAN capabilities are a little better than PFsense's.

Hi LizardKing,

Yes, I've asked on the PFSense forum and I'm waiting for some ideas.

If the problem were https, I could resolve it as you've suggested, because https uses port 443 and I can recognize it, but there are some situations in which I can't recognize the protocol... for example websites that use SSO login.

I've tried Zeroshell too, but it doesn't seem to have a sticky connections feature... Am I wrong?
 
If you have a decent budget, have a look at www.peplink.com/

Otherwise there is another software that begins with 'A'; I just can't remember its name atm.

Regards

Hi Angelos,

Thanks... at this moment I don't have sufficient budget for buying Peplink, which I already knew about... now I'm using only virtual machines on VMware ESXi.
I'm trying to search for something like "A...."
 
Surely Router 0 can do both those things? Sorry this isn't really addressing your original question, but your current setup seems over-complicated.

For example, Draytek sell multi-WAN routers, and I'm pretty sure they have load balancing built-in. So your whole setup could be replaced with 3 modems and one router. This single router would be firewall, load balancer and router, including VLAN support.

Just my £0.02.

... thanks rotor, I've already heard about Draytek multi-WAN routers, but they seem to have difficulty managing high traffic and a high number of clients, and preferably I have to be able to resolve this problem using virtual machines.
 
If you want to load balance across ISPs reliably without session mismatches you should use a single box for all the NAT, and preferably have that box NATing to your own IP range and AS number (not one assigned and owned by your ISP) and use BGP to provide connectivity and load balancing across the connections.

It costs more but it's the proper way to do it. Software load balancing is a fudge really and not much more than a round robin mechanism. With BGP the load balancing occurs at layer 3 with a common source network on all lines, so even if a packet left by connection A and the response returned via line C, the layer 4 session that hits the NAT rule would be blissfully unaware and unaffected by the underlying routing choices. I.e. it sent a packet from IP A to IP B, and received a response from IP B address to IP A. It doesn't care how it arrived at its interface.
 
... thanks rotor, I've already heard about Draytek multi-WAN routers, but they seem to have difficulty managing high traffic and a high number of clients, and preferably I have to be able to resolve this problem using virtual machines.

Not sure I'd personally virtualize my routers but that doesn't matter. Surely you should still be able to set up 3 connections via your Linux/BSD box? Course, that'd still be a single point of failure.
 