  1. #1 (Just Joined!, joined Jan 2008, 8 posts)

    LAN is too slow. (Squid, iptables, Cisco switch)

    Hi there, I'm running squid on this machine I use as gateway/firewall for the users in my LAN:

    Code:
    CISCO Switch
     _______
    |vlan2..|<---------->Users LAN (
    |.......|
    |.......|<---------->eth1|........|
    |_______|................|Gateway |
    |.......|................|........|
    |Vlan1..|<---------->eth0|________|
    |.......|
    |.......|<--->servers
    |_______|<------------->Internet
    I'm having some slowdown in speed for LAN users, since the average download speed is around 50 KB/s behind the firewall with an E3 link (34.368 Mbit/s).
    I'm using iptables for NAT, firewall and redirecting LAN HTTP users to the transparent squid port.

    I'm wondering why the download speed is so slow, since without the firewall some downloads might hit 300 KB/s, 800 or even 1.2 or 2 MB/s, and inside it won't go any further than 300 KB/s (for short periods of time), and the average speed is around 50 KB/s.

    I'm not using any squid delay pools. Also, squid doesn't seem to be caching, since I downloaded some .exe file and then tried to re-download it, but the speed was about the same.

    Here's my squid.conf
    Code:
    acl redesinternas src 132.248.172.0/24 10.10.0.0/16
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access allow redesinternas
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    icp_access allow all
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    cache_dir ufs /var/spool/squid 60000 16 256
    maximum_object_size 25000 KB
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern .		0	20%	4320
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    always_direct allow all
    coredump_dir /var/spool/squid
    Some of my iptables rules:
    Code:
    LOCAL_IF="lo"
    EXTERNAL_IF="eth0"          # link to the servers VLAN / Internet
    INTERNAL_IF="eth1"          # link to the users LAN
    VIRTUAL_IF="eth1:1"         # alias for the second internal network
    
    # Tool paths ($DEPMOD, $LSMOD, $GREP, $AWK, $MODPROBE, $IPTABLES) and the
    # variables $NIVEL_LOG, $VIRTUAL_NET and $INTERNAL_NET are set earlier in
    # the script (not shown in this excerpt).
    $DEPMOD -a
    
    # Load each netfilter module only if it is not already loaded
    if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
       $MODPROBE ip_tables
    fi
    
    if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
       $MODPROBE ip_conntrack
    fi
    
    if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
       $MODPROBE ip_conntrack_ftp
    fi
    
    if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
       $MODPROBE iptable_nat
    fi
    
    if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
       $MODPROBE ip_nat_ftp
    fi
    
    # Kernel TCP tuning
    echo "32000 50000" >/proc/sys/net/ipv4/ip_local_port_range   # ephemeral port range (about 18000 ports)
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout                  # seconds to hold sockets in FIN_WAIT_2
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time             # seconds of idle time before the first keepalive probe
    echo 1 > /proc/sys/net/ipv4/tcp_window_scaling                # allow receive windows larger than 64 KB
    echo 0 > /proc/sys/net/ipv4/tcp_sack                          # disable TCP selective ACK; loss recovery is slower without it
    echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog            # size of the half-open connection queue
    
    # Limit new inbound connections per source on the external interface:
    # a source that sent 4 or more SYNs within 5 s is dropped, otherwise the
    # SYN is accepted and the source is recorded in the "antinmap" list
    $IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j DROP   --syn -m recent --name antinmap --update --seconds 5 --hitcount 4 -m state --state NEW,INVALID
    $IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j ACCEPT --syn -m recent --name antinmap --set -m state --state NEW,INVALID
    
    # Log (at most 5 per minute) and drop TCP packets with no flags set (NULL scan)
    $IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level $NIVEL_LOG --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
    $IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    
    # Transparent proxy: send LAN HTTP traffic to squid (http_port 3128 transparent)
    # on the gateway address of each internal network
    $IPTABLES -t nat -A PREROUTING -s $VIRTUAL_NET -p tcp --dport 80 -j DNAT --to-destination 10.10.254.254:3128
    $IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp --dport 80 -j DNAT --to-destination 132.248.172.254:3128
    
    # NAT everything leaving through the external interface
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE
    My firewall specs:
    Code:
    # cat /proc/
    processor       : 0
    vendor_id       : GenuineIntel
    cpu family      : 15
    model           : 4
    model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
    stepping        : 1
    cpu MHz         : 3391.875
    cache size      : 1024 KB
    physical id     : 0
    siblings        : 2
    core id         : 0
    cpu cores       : 1
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
    bogomips        : 6787.46
    clflush size    : 64
    
    processor       : 1
    vendor_id       : GenuineIntel
    cpu family      : 15
    model           : 4
    model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
    stepping        : 1
    cpu MHz         : 3391.875
    cache size      : 1024 KB
    physical id     : 0
    siblings        : 2
    core id         : 0
    cpu cores       : 1
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
    bogomips        : 6782.98
    clflush size    : 64
    
    #cat /proc/meminfo
    MemTotal:       505664 kB
    MemFree:          5520 kB
    Buffers:         24324 kB
    Cached:         133124 kB
    SwapCached:          0 kB
    Active:         330344 kB
    Inactive:        73868 kB
    HighTotal:           0 kB
    HighFree:            0 kB
    LowTotal:       505664 kB
    LowFree:          5520 kB
    SwapTotal:     2097144 kB
    SwapFree:      2097100 kB
    Dirty:            1948 kB
    Writeback:           0 kB
    AnonPages:      246788 kB
    Mapped:          25496 kB
    Slab:            28044 kB
    SReclaimable:    10344 kB
    SUnreclaim:      17700 kB
    PageTables:       2688 kB
    NFS_Unstable:        0 kB
    Bounce:              0 kB
    CommitLimit:   2349976 kB
    Committed_AS:   358040 kB
    VmallocTotal:   516088 kB
    VmallocUsed:      6536 kB
    VmallocChunk:   509044 kB
    HugePages_Total:     0
    HugePages_Free:      0
    HugePages_Rsvd:      0
    Hugepagesize:     4096 kB
    
    #df -h
    S.ficheros          Tamaño Usado  Disp Uso% Montado en
    /dev/mapper/VolGroup00-hdhfm
                          217G   22G  184G  11% /
    /dev/sda1              99M   12M   82M  13% /boot
    tmpfs                 247M     0  247M   0% /dev/shm
    
    # uname -a
    Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
    I tried the same configuration on 2 virtual machines, inside the same VLAN as the servers, but this went much faster. Is it the Cisco switch? Too many users in the LAN for the firewall's capabilities?
    Code:
    CISCO Switch
     _______
    |vlan2..|<---------->Users LAN (
    |.......|
    |.......|<---------->eth1|........|
    |_______|                |Gateway |
    |.......|                |........|
    |Vlan1..|<---------->eth0|________|
    |.......|
    |.......|<--->servers
    |.......|<------------->Internet
    |.......|
    |.......|
    |_______|
       |
    ___|_____
    My machine
    Turion 64 X2 1.6 GHz, 1 GB RAM
    WinXP
    
    with 2 VMware machines:
    - Fedora Core: #uname -a: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
    - eth0 bridged
    - eth1 VMware IF 2 (private)
    * Win XP connected to VMware IF 2 (private)

    Any Ideas or suggestions are welcome.
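    One way to check the "squid doesn't seem to be caching" observation against the proxy's own log, as an added example (not code from the original post): it parses the native log format that the posted `access_log /var/log/squid/access.log squid` line selects, counts hits against misses, lists URLs that missed more than once (the re-download test above), and flags objects larger than the posted `maximum_object_size 25000 KB`. The sample log lines are constructed.

```python
import re
from collections import Counter

# Squid native ("squid") access.log format (the access_log ... squid line above):
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
# maximum_object_size 25000 KB from the posted squid.conf (1 KB = 1024 bytes)
MAX_OBJECT_BYTES = 25000 * 1024
# Constructed sample lines (not real log data): the same .exe fetched twice,
# one cache hit, and one object larger than maximum_object_size.
SAMPLE_LOG = """\
1199999990.100  20480 10.10.1.5 TCP_MISS/200 1048576 GET http://example.com/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1199999995.300  20000 10.10.1.6 TCP_MISS/200 1048576 GET http://example.com/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1200000001.000    512 10.10.1.5 TCP_HIT/200 4096 GET http://example.com/index.html - NONE/- text/html
1200000010.000 400000 10.10.1.7 TCP_MISS/200 41943040 GET http://example.com/big.iso - DIRECT/192.0.2.10 application/octet-stream
"""

def parse_line(line):
    """Fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "bytes", "status"):
        rec[key] = int(rec[key])
    return rec

def summarise(lines):
    """Hit/miss counts, average per-request KB/s, URLs missed twice, oversized objects."""
    codes, misses_per_url, too_big, rates = Counter(), Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting
        codes["hit" if "HIT" in rec["code"] else "miss"] += 1
        if "MISS" in rec["code"]:
            misses_per_url[rec["url"]] += 1  # a URL missing twice was never cached
        if rec["bytes"] > MAX_OBJECT_BYTES:
            too_big.append(rec["url"])
        if rec["elapsed"] > 0:  # elapsed is in ms; convert bytes to KB/s
            rates.append(rec["bytes"] / 1024 / (rec["elapsed"] / 1000))
    return {"hits": codes["hit"], "misses": codes["miss"],
            "avg_kbps": round(sum(rates) / len(rates), 1) if rates else 0.0,
            "missed_twice": sorted(u for u, n in misses_per_url.items() if n > 1),
            "too_big": too_big}
```

    Run `summarise(open("/var/log/squid/access.log"))` on the gateway: an .exe that appears under "missed_twice" was fetched from the origin both times, which is what the re-download test above would show if the object was never stored.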

  2. #2 jledhead (Linux Engineer, joined Oct 2004, North Carolina, 1,077 posts)
    It's kind of confusing what the problem might be. Are squid and iptables on the same machine?

    Also, so you know if it's squid vs iptables, what happens if you take squid out of the equation and just use the firewall? If that's not possible, is squid working for everything or just HTTP? If it's not doing FTP filtering, then try something over FTP and see what kind of speeds you can get. Not to muddy the water even further, but you could also do a tcpdump on the firewall to see what it's doing with your packets and see if it's mishandling them in any way or delaying them.

  3. #3 (Just Joined!, joined Jan 2008, 8 posts)
    I changed some parameters like mem_cache and disk_cache and it improved the performance. It's not like outside the firewall, but I guess it's due to the large amount of users in the LAN! Thanks a lot for taking the time to reply!
