OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: lonelyadmin on July 25, 2021, 03:54:24 AM

Title: Question about multiwan load balancing method algorithms
Post by: lonelyadmin on July 25, 2021, 03:54:24 AM
I have a setup where I'm using the typical multiwan setup where you have 2 WAN interfaces, a single LAN, and a gateway group with both gateways being tier 1. This has worked for me for most setups, but now I have a setup where I have another firewall in my LAN so most traffic is coming from the single IP on that firewall.

Yes, another firewall in my LAN zone. Can't argue that's not a great design...but it's what I'm stuck with for now.

The issue I'm seeing is that it seems whatever decides the load balancing round-robin option must only consider the source IP, as all traffic from that particular IP gets sent to the same WAN interface regardless of source port or amount of traffic from other LAN clients.

Is there a way to have source based routing look at port number, or any way to modify it at all? Any other load balancing techniques or algorithms?

I can disable sticky connections, and I'll see an improvement in load balancing, but any SSL connections will have to be re-authenticated a few times during a session. It's random but does happen more without stickiness, which is to be expected.
Title: Re: Question about multiwan load balancing method algorithms
Post by: lonelyadmin on July 27, 2021, 03:53:59 AM
Looking at the pf rules I'm guessing this is what is doing the load balancing:
pass in quick on re0 route-to { (ue0 $WAN1_IP), (ue1 $WAN2_IP) } round-robin sticky-address inet from (re0:network) to any flags S/SA keep state label "somelabel"

I've been going through the docs for pf but I can't seem to find a way to consider an ip/port hash, round-robin seems to be it, and that looks to only consider source IP...but I haven't found docs that specifically state so.

Any help please!
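A simplified model of the behaviour described in this thread, added as an illustration and not code from the original posts or from pf itself: the posted `route-to { (ue0 ...), (ue1 ...) } round-robin sticky-address` rule is modelled as a per-state round-robin over the two WANs where `sticky-address` pins a source address (and only the address, not the port) to the WAN it was first given. The flow tuples and addresses are constructed.

```python
"""Model of round-robin gateway selection with and without sticky-address.
Added illustration for this thread; a simplification of pf semantics, not
pf's implementation. The traffic samples below are constructed."""
from itertools import cycle

WANS = ("ue0", "ue1")  # the two route-to gateways from the posted rule


def assign_flows(flows, sticky):
    """Return {flow: wan} for (src_ip, src_port, dst_ip, dst_port) flows.

    Round-robin advances once per new state. With sticky=True a source IP
    is pinned to the WAN it first received, keyed on the address alone,
    so source port is never consulted (the point raised in the thread)."""
    rr = cycle(WANS)
    pinned = {}  # src_ip -> wan, the sticky-address table in this model
    result = {}
    for flow in flows:
        src_ip = flow[0]
        if sticky and src_ip in pinned:
            result[flow] = pinned[src_ip]
            continue
        wan = next(rr)
        if sticky:
            pinned[src_ip] = wan
        result[flow] = wan
    return result


def wan_share(assignment):
    """Count how many flows landed on each WAN."""
    counts = {w: 0 for w in WANS}
    for wan in assignment.values():
        counts[wan] += 1
    return counts


# Constructed: every flow arrives from the inner firewall's single address,
# differing only in source port and destination.
INNER_FW = "192.168.1.2"
SINGLE_SOURCE = [(INNER_FW, 40000 + i, "203.0.113.%d" % (i % 5), 443)
                 for i in range(8)]
# Constructed: eight distinct LAN hosts, one flow each.
MANY_SOURCES = [("192.168.1.%d" % (10 + i), 50000, "203.0.113.1", 443)
                for i in range(8)]

if __name__ == "__main__":
    print("sticky, single source  :", wan_share(assign_flows(SINGLE_SOURCE, True)))
    print("no sticky, single src  :", wan_share(assign_flows(SINGLE_SOURCE, False)))
    print("sticky, many sources   :", wan_share(assign_flows(MANY_SOURCES, True)))
```

With many distinct LAN hosts the sticky table still spreads load evenly, which is why the same rule works on setups without a second firewall in front of the clients.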