OPNsense Forum

English Forums => General Discussion => Topic started by: Neo on March 17, 2021, 11:16:39 pm

Title: Multi-WAN with VPN and Sticky Connections
Post by: Neo on March 17, 2021, 11:16:39 pm
I run a multi-wan setup with a 300 megabit and a 1 gigabit link. I have 2 separate VPN providers with the client configuration bound to their respective WAN interfaces. I use a Gateway Group and LAN firewall rule to direct traffic down the tunnels on each WAN link in a load balanced configuration with the respective gateways configured to use "weight" to balance more load toward the gigabit link, etc. I have not turned on Sticky Connections in Firewall/Settings/Advanced...

This setup has worked well through testing and produced good numbers via speedtest.net and, until now, I've not had problems with websites other than those that actively try to detect and/or block use of VPN providers (or block due to incorrect GeoIP data). In other words, the load balancing and potentially changing IPs under the covers have not presented a problem, in general.

However, I've now run into a single website (retirement fund custodian) that uses OKTA for MFA and frequently either fails the login process or kicks me off the session... After further research I believe this is because the mechanism they have set up is not tolerant of IP source changes during the session, etc.

Using Sticky Connections should resolve the issue for the site in question but it will also prevent bandwidth aggregation and decrease the benefit of load balancing for all other sites since it is a global (all or nothing) setting... So I'm now trying to brainstorm a solution that would allow me to resolve the issue for the site in question without losing the benefits for all the other sites...

I know I can configure firewall rules such that a particular source IP bypasses the load balancing and is sent down only one specific tunnel... In theory, this could be done for a destination IP as well but the trouble is websites like this have multiple IPs and tend to reference other sites with multiple IPs. I know I can create an alias that is populated via DNS lookup as well but at the very least I'd have to determine all FQDNs used by both this site and OKTA to resolve the issue that way...

So can anyone else think of a creative solution where I don't have to enable sticky connection for all traffic but can force traffic using this site to be sticky (or to only traverse one of the two WAN/VPN routes)?

Looking for something as close to "best of both worlds" as possible here...

Thanks!
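To make the trade-off in the question concrete, here is a small simulation (an added example, not code from the forum thread or from OPNsense itself) of the two rule layers being discussed: a destination-alias rule that pins the session-sensitive site to a single tunnel, placed ahead of the weighted gateway-group rule that load-balances everything else. The alias networks, gateway names and weights are constructed placeholders; the weights 3 and 10 stand in for the 300 megabit and 1 gigabit links.

```python
import ipaddress
from collections import Counter

# Constructed destination alias (placeholder networks, not the real site or OKTA):
# this is the role a DNS-populated alias of the site's FQDNs would play.
PINNED_DESTS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Gateway-group members and assumed "weight" values for the 300M and 1G links.
GATEWAYS = {"VPN_WAN1": 3, "VPN_WAN2": 10}
PINNED_GATEWAY = "VPN_WAN2"  # the one tunnel chosen for the session-sensitive site


class PolicyRouter:
    """Mimics rule order: a specific alias-to-gateway rule is evaluated before
    the general weighted load-balancing rule, so only alias traffic is pinned."""

    def __init__(self, gateways, pinned_dests, pinned_gateway):
        self.weights = dict(gateways)
        self.current = {gw: 0 for gw in gateways}  # smooth weighted round-robin state
        self.pinned_dests = list(pinned_dests)
        self.pinned_gateway = pinned_gateway

    def _is_pinned(self, dst):
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.pinned_dests)

    def _weighted_pick(self):
        # Smooth weighted round-robin: every gateway gains its weight, the
        # highest wins and gives back the total; one full cycle of 13 picks
        # yields exactly 3 for VPN_WAN1 and 10 for VPN_WAN2.
        total = sum(self.weights.values())
        for gw, w in self.weights.items():
            self.current[gw] += w
        best = max(self.current, key=self.current.get)
        self.current[best] -= total
        return best

    def select(self, dst):
        """Return the gateway a new flow to dst would be sent down."""
        if self._is_pinned(dst):
            return self.pinned_gateway
        return self._weighted_pick()


def simulate(flows, router=None):
    """Map each destination IP in flows to its selected gateway, in order."""
    router = router or PolicyRouter(GATEWAYS, PINNED_DESTS, PINNED_GATEWAY)
    return [(dst, router.select(dst)) for dst in flows]


def distribution(flows):
    """Count how many flows landed on each gateway."""
    return Counter(gw for _, gw in simulate(flows))


if __name__ == "__main__":
    print("pinned site:", distribution(["203.0.113.5"] * 5))
    print("everything else:", distribution(["192.0.2.1"] * 13))
```

The point the simulation makes is that stickiness does not have to be global: flows matching the alias never leave the chosen tunnel, while unrelated flows keep the weighted split. The remaining work, as the question already notes, is keeping the alias complete for every FQDN the site and its identity provider use.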
Title: Re: Multi-WAN with VPN and Sticky Connections
Post by: tong2x on March 25, 2021, 02:02:53 am
create a rule that will specifically target that domain to use a specific gateway
this would be of course tedious if there are a lot of domains you need to be
or if the server IP changes regularly

mapped alias of domain might help...