I take it back… I also have problems with https. Looks like there is work needed to be done to overcome this problem in “Load Balancing and Failover” mode.
One good approach is to hash the url and send the packets from the same interface for the same addresses. Or to bind the destination IP address with a specific interface.
Temporarily I created 2 static rules, one for 0.0.0.0/184.108.40.206 and one for 220.127.116.11/18.104.22.168. That should somehow load balance the packets correctly till we find out a solution.
I’m not sure how one could implement hashing in iptables…
I’ve been doing some searches on Linux routing and load balancing since my last post. Seems like the “Linux Virtual Server” people have been addressing this issue and maybe the kernel mods needed are available for the kernel Zeroshell needs.
One reading starting point is http://kb.linuxvirtualserver.org/wiki/IPVS
I think you only really want to use this level 4 logic on HTTP and HTTPS protocols. SSH, MX, FTP, etc. all are good with successive TCP sessions being on different routes. It is only the “stateless” multiple TCP session type protocols like HTTP/S that have an issue.
And for those people who are trying to speed up downloads there are benefits to having different TCP sessions take different interfaces. So you probably don’t want to break that.
By the way, the routing module does have a “route cache” that attempts to channel all traffic to one interface once it has decided on the first packet which interface to use. But looking at it in action it seems to have a very short life. A second or two maybe. (I haven’t found any description of the exact life time of cache entries nor have I found a way to modify its behavior.) For HTTP/S I think you would want to cache the entries for several minutes.