One Web Site 2 ISP

Hello,
I have the product hAP ac2. I also have 2 ISP services. Some websites (banks) do not allow 2 ISPs. How should I set up for these sites? Thanks

Can you post your configuration without any sensitive data so we can check how your routing is set up, as well as let us know what you are trying to achieve with the dual ISP, i.e. failover, load balancing, etc.?

The issue sounds like we might be using both ISPs to send out traffic going to the same connection, so secure sites like banking won't like that. Depending on how this is currently set up, we can either fix this in the routing table (preferred) or do some packet marking through the firewall to guide the traffic out the right ISP.

@AidanAus asked for the configuration, not a screenshot…

In firewall, create an address-list with the hostnames (not addresses) of the banks.
Create a rule in firewall mangle prerouting with dst-address-list=banks-list, set action to mark routing and new routing mark to to_WAN1.

How do we get it? I'm so new.

another site?

Sorry, I am not that active here :) You can export the configuration by opening a terminal and using the export command. Note you can use file="file name" to put some outputs into files, and the export command has options like hide-sensitive that might be useful for this.

You can also go into the submenu you would like to export, so ip/firewall export just to export the firewall menu, for instance.

I don't understand the concern.
If you have a session where you access your bank account, the hAP ac is not going to switch your WAN connection in the middle of a session.

I think the issue of the topic author is something to do with NAT. He is probably telling us that the public IP representing his network to the outside is rotating, probably due to ECMP or PCC or anything that makes his IP rotate, which leads to some applications, like HTTPS for banks, tearing down his connection.

Please attach the actual config so that some people here might be able to help you.

If you are using PCC (Per Connection Classifier), set the ValuesToHash to src-address.

PCC does not mean change IP in the middle of a session.
Perhaps, and more likely and rather bizarre, his bank only accepts connections from a customer for ONE IP address.
Seems stupid in an era of dynamic WAN IPs being available. As stated, I do not understand.

In any case, the goal is to keep the mangling the same for a particular destination IP address (assuming at least the bank WAN IP is fixed/static).
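
The two suggestions made in the thread (a hostname address-list with a mangle mark-routing rule, and PCC hashing on src-address only), written out as an added RouterOS example that is not from any poster's configuration. It assumes RouterOS v7; the LAN interface `bridge`, the gateway `192.0.2.1`, the hostname and the connection-mark names are placeholders.

```routeros
# Added example, not a poster's config. Assumes RouterOS v7.
# Placeholders: bridge (LAN), 192.0.2.1 (ISP1 gateway), online.bank.example.

# Routing table that only ever leaves through ISP1.
/routing table
add name=to_WAN1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=to_WAN1

# Hostname entry: the router resolves it and keeps the dynamic
# address entries refreshed as the DNS answer changes.
/ip firewall address-list
add list=banks-list address=online.bank.example comment="constructed hostname"

# Pin every packet towards the listed sites to ISP1, so the bank always
# sees the same public source address. This rule must sit above any
# load-balancing mark rules; passthrough=no stops later mangle rules
# from overriding the routing mark.
/ip firewall mangle
add chain=prerouting in-interface=bridge dst-address-list=banks-list \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no \
    comment="banks always via WAN1"

# Alternative when PCC is in use: hash on src-address only, so each LAN
# client is always classified onto the same ISP for every destination.
# These two rules stand in for the existing classifier rules; the
# connection-mark names WAN1_conn/WAN2_conn are assumed.
add chain=prerouting in-interface=bridge connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=bridge connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
```

On RouterOS v6 there is no `/routing table` menu, and the route is tagged with `routing-mark=to_WAN1` instead of `routing-table=to_WAN1`.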