MultiWan and VLAN Firewall Rules

[wiesel2482]

When I disable "Sticky" and enable "SF" then most of the time the traffic shaping works, but sometimes the bufferbloat returns in the "dslreport" speedtest. I'am using shaping prior to do some FQ-CODEL on my lines cause as you know I'am using 2 Wireless WAN connections and this helps a lot against bufferbloat -> Thx to Opnsense. But I can't even tell, if there is a problem with timeout sessions, if I don't have activate "sticky". So I don't know exactly if it works as expected. For me personally it is a little bit odd, that I can't activate both options without breaking my Wan connections. As you know I'am really happy that such a expert as you are, tries to help me with this.  ;)

[mimugmail]

Loadsharing uses the firewall software pf, while shaping uses software ipfw. To mix both a kernel Hack is required. Maybe there is alimitation for using both at a time.

[tong2x]

Thank you! I've already found out what the issue was! If you use sticky connections and shared forwarding then you experience that the internet connection drops if you activate the policy based routing rule in the firewall with the load balancer group. Found an old Github bug report about this and tried it... Et vous la it works if you deactivate shared forwarding and leave sticky connection enabled. So maybe this is a bug from past that never been corrected... I don't know!? The problem is now that I don't know if traffic shaping is working without this shared forwarding setting. Anyone knows?
Regards

hmmm seems to be related issue. in my case if both shared at sticky enabled, and multiwan policy selected connectionn will work intermittent... you would need to refresh most of the time which is anoying, connection is notmal if using one gateway or backup mode.
never tried disabling sticky... as it may destroy legit site that require uniue IP. ... well now i migth need to try....
or maybe disable shaping? then again I also have captive portal turned on...

[mimugmail]

Thank you! I've already found out what the issue was! If you use sticky connections and shared forwarding then you experience that the internet connection drops if you activate the policy based routing rule in the firewall with the load balancer group. Found an old Github bug report about this and tried it... Et vous la it works if you deactivate shared forwarding and leave sticky connection enabled. So maybe this is a bug from past that never been corrected... I don't know!? The problem is now that I don't know if traffic shaping is working without this shared forwarding setting. Anyone knows?
Regards

hmmm seems to be related issue. in my case if both shared at sticky enabled, and multiwan policy selected connectionn will work intermittent... you would need to refresh most of the time which is anoying, connection is notmal if using one gateway or backup mode.
never tried disabling sticky... as it may destroy legit site that require uniue IP. ... well now i migth need to try....
or maybe disable shaping? then again I also have captive portal turned on...

If you have a specfiic site which required one IP you could turn of sharing for this one destination IP with setting a gateway instead of group in firewall rules

[tong2x]

that would be a problem to list specific sites that would require such (banking sites perhaps) but i migth try that.

is this issue specific to opnsense?
or cant sticky connection may be route servers/site to same gateway until no more connection uses the site. it may not multiwan correctly but should not be a problem.

but in may case it is intermittent, which means it is working at some point or level... it just goes down or a few second then back... i just dont know what happens or why

[mimugmail]

It's a limitation of OPNsense when combining shaping/captive portal and loadsharing (with sticky).

[wiesel2482]

that would be a problem to list specific sites that would require such (banking sites perhaps) but i migth try that.

is this issue specific to opnsense?
or cant sticky connection may be route servers/site to same gateway until no more connection uses the site. it may not multiwan correctly but should not be a problem.

but in may case it is intermittent, which means it is working at some point or level... it just goes down or a few second then back... i just dont know what happens or why

For me it's the same. Now I tested both checked (sticky and sf) and it works for some seconds before it's gone. Then it comes back and it goes again......
It everything goes into default deny rule and sometimes it passes the traffic from the wan.

[tong2x]

I have now tried to disable sticky connection (shared connection enabled)

1 computer I am using has a multiwan policy
so far I dont have isse with disconnection or
invalid IP (ip switch to second wan), tried using ip sesitive site
but no errors yet

but this is for 1 PC only... yet

[mimugmail]

Sounds good. Maybe we just can remove the notice in the docs since everything seems to work ok

[wiesel2482]

For me also everything works without sticky connection....for all of my Clients. Maybe sticky this is now integrated if you're using Multiwan?
Regards

[mimugmail]

No, I had a similar provlem with sip and multiple hosts, didnt work

[tong2x]

there is none focus on multiwan feature for opensense?
or any update/upgrade/improvement path?

[mimugmail]

Maybe there's an improvement after 21.1, but no promise

[jzt308]

Hi,

I have the same issue (see my post: https://forum.opnsense.org/index.php?topic=20132.msg93151#msg93151). I now confirmed the issue is with enabling sticky sessions.
After a couple of  sessions (the amount seems to differ) using any connection to WAN/Internet is impossible. (until  you reset the source tracking table).
For now I disabled the sticky session tracking and all is working fine. I'm using some fw rules for sites that don't like the effect but this is not ideal.

[tong2x]

should this be enabled/checked?

just noticed it, it is checked by default