FTPS (FTP over TLS) with Load-Balancing – alternative solution aka sticky for specific hosts

Hi there,

We all know that an FTP over TLS session needs two connections: a control connection and a data connection. Using load balancing will cause trouble because the two connections may be split across the multiple WAN interfaces; the server then sees the data connection arrive from a different public address than the control session, cannot tie the two together, and the transfer fails.

The only working solution I know of is to set "sticky dest-addr enable", which keeps both connections on the same WAN uplink.

The problem: that setting catches all outgoing connections and keeps every destination on one WAN. If multiple devices on the network connect to the same host (not only FTPS targets), one WAN becomes fully saturated while the others stay more or less unused. That is not ideal, because it brings back the bottleneck that load balancing was supposed to remove.

The second problem: if you use Apple Photos (or similar services) you may know that its upload works across multiple WAN uplinks, and large batches of photos upload much faster because it opens several parallel connections. Sticky restricts that upload to one WAN, which is not ideal either.

Everyone using FTPS knows which servers they connect to, and that leads to the following solution: sticky only for specific hosts. It is by no means limited to FTPS; it can be used for other purposes, too.

1. Create a new firewall address group

address-group STICKY_DESTINATIONS {
    address xx.xx.xx.xx
    address xx.xx.xx.xx
    description "All target hosts to enable sticky for"
}

2. Create a new load-balance group

group STICKYDESTINATION {
    interface eth0 {
    }
    interface eth1 {
    }
    lb-local enable
    lb-local-metric-change disable
    sticky {
        dest-addr enable
    }
}

Change eth0 and eth1 to the WAN interfaces you use.

3. Add it to your modify ruleset

Modify rules are matched in ascending order, so give this rule a lower number than the general rule that sends all remaining traffic to your regular load-balance group; otherwise the sticky rule is never reached.

rule 50 {
    action modify
    description "Sticky traffic"
    destination {
        group {
            address-group STICKY_DESTINATIONS
        }
    }
    modify {
        lb-group STICKYDESTINATION
    }
}

This works for FTPS and for any other targets that should use the sticky option, without affecting all connections on the network.
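For anyone who prefers to paste "set" commands into configure rather than edit the config tree, here is an added helper (not part of the original post) that builds the commands for the three steps above and checks the two mistakes that are easy to make: a hostname instead of an address in the address group, and a rule number that is not lower than the catch-all rule. The ruleset name "balance", the catch-all rule number 100 and the sample addresses are assumptions; adjust them to your own configuration.

```python
import ipaddress

# Added helper (not from the original post): builds the EdgeOS "set" commands
# for the address group, the load-balance group and the modify rule.
# Assumptions: the modify ruleset is named "balance" and its general
# load-balance rule is number 100; both are placeholders for your own values.
def build_sticky_config(hosts, wan_ifaces, ruleset="balance", rule=50, catch_all_rule=100):
    """Return the list of 'set' commands for the three steps.

    hosts       - IPv4 addresses of the FTPS (or other) servers that need both
                  connections on one uplink; hostnames are rejected because an
                  address-group needs literal addresses.
    wan_ifaces  - the WAN interfaces of your existing load-balance group.
    rule        - number of the new modify rule; modify rules are matched in
                  ascending order, so it must be lower than catch_all_rule.
    """
    if rule >= catch_all_rule:
        raise ValueError(f"rule {rule} must be lower than the catch-all rule {catch_all_rule}")
    if len(wan_ifaces) < 2:
        raise ValueError("sticky across uplinks needs at least two WAN interfaces")
    # IPv4Address() raises AddressValueError (a ValueError) on hostnames or typos
    addrs = [str(ipaddress.IPv4Address(h)) for h in hosts]
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate address in hosts")

    grp = "set firewall group address-group STICKY_DESTINATIONS"
    cmds = [f"{grp} address {a}" for a in addrs]
    cmds.append(f'{grp} description "All target hosts to enable sticky for"')

    lb = "set load-balance group STICKYDESTINATION"
    cmds += [f"{lb} interface {ifc}" for ifc in wan_ifaces]
    cmds += [f"{lb} lb-local enable",
             f"{lb} lb-local-metric-change disable",
             f"{lb} sticky dest-addr enable"]

    mod = f"set firewall modify {ruleset} rule {rule}"
    cmds += [f"{mod} action modify",
             f'{mod} description "Sticky traffic"',
             f"{mod} destination group address-group STICKY_DESTINATIONS",
             f"{mod} modify lb-group STICKYDESTINATION"]
    return cmds


if __name__ == "__main__":
    # constructed sample addresses (RFC 5737 documentation ranges), not real FTPS servers
    for line in build_sticky_config(["198.51.100.10", "203.0.113.20"], ["eth0", "eth1"]):
        print(line)
```

Paste the printed lines into configure, then commit and save.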

I did not find any suitable tutorial on the forums regarding this, so I decided to write it down. Hope this helps somebody facing a similar problem.