Balance 310 algorithm does not work!


#1

Hello,

I am trying to apply the enforced algo to a number of machines based on their IP, but when I check the IP that I am going out with, it keeps changing. This is a BIG problem for us, please help!!!

Best regards.


#2

Hi,

We need more details to be able to help. Outbound policy rules are processed in order with the first match determining the result. Can you detail the rule you created, and are there any rules possibly matching before the enforced rule? If you submit a ticket with your configuration we can take a look.

Thanks,
-Jonan


#3

Ayach, if you say that your IP keeps on changing, I assume that you refer to your clients’ LAN IPs. I recommend that you reserve IP addresses for your clients. If you use the DHCP function on the Peplink, you can do this on the Network>LAN configuration page, or from the Status>Client list page. If you use a different DHCP server, you’ll have to reserve the addresses on that server.


#4

Hello Cobus Grobbelaar, nope, I am talking about WAN.
Jonan Santiago, the rules are all like where I define that this user must go through this WAN. The only two other rules are, in order starting from the bottom, “default” and “HTTPS_persistance”.
The https_persistance rule is as follows:



#5

Hello,

Using the enforced algorithm it will not matter if the WAN IP changes as long as that WAN is up. Also, keep in mind that rules take precedence from Top to Bottom.

If you are concerned with the WAN changing IP address then I am guessing that you have a dynamic public IP. To receive a Static so the WAN IP address does not change you would have to talk to your ISP. Otherwise you can create a DYNDNS account and associate a host name to the dynamic public, essentially making it a Static.


#6

Actually, when I enforce it, it keeps jumping between WANs; this is the issue for the time being!


#7

Hello,

This may even be due to the LAN IPs changing, depending on how you have your enforced outbound policy set up. I would follow the response made by Cobus. For example, add the IP of the device you're on to the DHCP Reservation list. Then add an outbound policy rule (see image). Make sure this rule is the top rule (above https persistence). Save and apply changes. Just to be thorough, go ahead and either restart that PC or go to your command prompt and do 1. ipconfig /release 2. ipconfig /renew

You should be enforced out the applicable WAN. You can view this by going to Status>Active sessions>Search: Input IP and all traffic for that IP should be out the single WAN you defined. If you are still experiencing issues I would open a support ticket.



#8

Thank you for your answers. I did the DHCP reservation a long time ago, but anyway I’ll give it a try tomorrow when nobody is working:



#9

Is it possible that traffic originating from the LAN client is IPsec VPN? Keep in mind that service passthrough support under Network> Misc. Settings> Service Passthrough may override outbound policy rules for certain traffic types.


#10

This is it?



#11

Correct. For example, if IPsec NAT-T is enabled it will keep client VPN users on the same WAN link when both UDP 500 (IPsec) and 4500 (NAT-T) are used for establishing a client VPN session. It is enabled by default, and it prevents issues that could be introduced with multiple WANs - while it still allows load balancing for multiple LAN clients.

If this sounds like where the problem is, consider service passthrough support for IPsec NAT-T like a hidden outbound policy rule using the “persistence” algorithm. It gets placed above the outbound policy rules. If you check “Route IPsec Site-to-Site VPN” it changes the algorithm to “Enforced” for when a router is used on the inside of your network.
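
A simplified model of the rule evaluation described in this thread, added as an example and not Peplink's code or part of any post: rules are checked top to bottom with the first match deciding, and service passthrough for IPsec NAT-T is modelled as a hidden persistence rule above them. The client address, WAN names, rule fields and round-robin link selection are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
WANS = ["WAN1", "WAN2", "WAN3"]  # constructed link names

@dataclass
class Rule:
    name: str
    source: str        # CIDR matched against the LAN client
    proto: str         # "any", "tcp" or "udp"
    ports: tuple       # destination ports; empty tuple means any
    algorithm: str     # "enforced", "persistence" or "balance"
    wan: str = ""      # used only by "enforced"

    def matches(self, src, proto, port):
        return (ip_address(src) in ip_network(self.source)
                and self.proto in ("any", proto)
                and (not self.ports or port in self.ports))

class Policy:
    def __init__(self, rules, ipsec_nat_t=True):
        # Assumed model of the passthrough setting: a persistence rule ahead of all others.
        hidden = Rule("passthrough IPsec NAT-T", "0.0.0.0/0", "udp", (500, 4500), "persistence")
        self.rules = ([hidden] if ipsec_nat_t else []) + list(rules)
        self._next = cycle(WANS)   # stand-in for whatever spreads load across links
        self._sticky = {}          # persistence: client -> WAN chosen first

    def route(self, src, proto, port):
        for rule in self.rules:    # top to bottom, first match wins
            if not rule.matches(src, proto, port):
                continue
            if rule.algorithm == "enforced":
                return rule.name, rule.wan
            if rule.algorithm == "persistence":
                if src not in self._sticky:
                    self._sticky[src] = next(self._next)
                return rule.name, self._sticky[src]
            return rule.name, next(self._next)
        raise LookupError("no rule matched")

# Constructed rules; the real HTTPS_persistance rule was posted as an image.
HTTPS = Rule("HTTPS_persistance", "0.0.0.0/0", "tcp", (443,), "persistence")
ENFORCE = Rule("enforce-client", "192.168.1.50/32", "any", (), "enforced", "WAN2")
DEFAULT = Rule("default", "0.0.0.0/0", "any", (), "balance")

if __name__ == "__main__":
    for order in ([HTTPS, ENFORCE, DEFAULT], [ENFORCE, HTTPS, DEFAULT]):
        p = Policy(order)
        print(p.route("192.168.1.50", "tcp", 443), p.route("192.168.1.50", "udp", 4500))
```

In this model the enforced rule only pins HTTPS traffic when it sits above the persistence rule, and UDP 500/4500 follows the passthrough rule regardless of rule order.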


#12

Apparently it starts causing the issue when I add the third connection. Weird!