The more I read your post, the more I realize that your setup is not what I envisioned. It sounds like you are simply connecting one LAN connection in a "Y" to two WAN ports, each with its own Internet connection. Then you want to separate the HTTPS traffic from the rest of the traffic.
The very nature of HTTPS and HTTP is such that they will often work together within the same web pages. There is often mixed content within the same web page. This is not always so, but it is quite common. HTTPS sessions are often initiated with HTTP and then redirected to another server or different folder structure in which the security certificate is required. Also, the retrieval of the security certificate is performed via HTTP, and once it is installed on the client, the HTTPS protocol is then initiated.
Another way that mixed content is performed is via secondary connections. This is common with sites like MyYahoo, where you sign in for your own custom start page. The connection to the site is initiated with HTTP and then starts your content download via a random high-port designation. This means that they will assign your connection a TCP port starting at 1024 and up. And often the content updates are serialized so that they increment your port by one each time you receive an update. For example, they may start your connection at port 80, your cookie logs you in, and then they assign your connection to port 1354. Then, after your next update of your stock ticker or news content, you are incremented to 1355 and so on. This way, they can track who you are and what content you have asked for. If you block all high ports (anything over 1023), you would effectively disable this type of streaming content. And if you try to push the content over to a different WAN connection mid-stream, the return pathway has been blocked off.
What it boils down to is that it would be almost impossible to separate the two (HTTP and HTTPS) across two WAN connections. Your greatest security is not in what you allow but in what you disallow.
What you are trying to do would be much more easily achieved with protocols that work independently of each other. For example, forwarding your SMTP requests to a different WAN connection and blocking all incoming traffic on that connection except SMTP.
If you are attempting to load balance and perform a failover of your Internet connections, this cannot be achieved with the hardware that you have on hand. Your IPCop device is designed for content filtering and security, not multi-path load balancing. If you are using the two Internet connections for VPN, SMTP, Internet, etc., then you can manually balance your loading by forcing client VPN and WAN VPN over one connection and Internet access and SMTP over the other. Then you can secure each connection type based on its purpose.