LAN is too slow. (Squid, iptables, cisco swtch)

[nukoso]

Hi there, I'm running squid on this machine I use as gateway/firewall for the users in my LAN:

Code:

CISCO Switch
 _______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______|................|Gateway |
|.......|................|........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|_______|<------------->Internet

I'm having some slowdown in speed for LAN users since average download speed is around 50 KB/s behind the firewall with an E3 link (34.368 Mbit/s).
I'm using Iptables for NAT, firewall and redirecting LAN http users to transparent squid port.

I'm wandering why is download speed so slow, since without the firewall some download might hit 300 KB/s, 800 or even 1.2 or 2 MB/s and inside won't go any further than 300 KB/s (on short periods of time), and average speed is around 50KB/s.

I'm not using any squid delay pools. Also, squid doesn't seems to be caching, since I downloaded some .exe file, and then tried to re-download it, but speed was about the same.

Here's my squid.conf

Code:

acl redesinternas src 132.248.172.0/24 10.10.0.0/16
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow redesinternas
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_dir ufs /var/spool/squid 60000 16 256
maximum_object_size 25000 KB
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
always_direct allow all
coredump_dir /var/spool/squid

some of my iptables rules:

Code:

LOCAL_IF="lo"
EXTERNAL_IF="eth0"
INTERNAL_IF="eth1"
VIRTUAL_IF="eth1:1"

$DEPMOD -a

if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_tables
fi

if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_conntrack
fi

if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_conntrack_ftp
fi

if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $MODPROBE iptable_nat
fi

if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_nat_ftp
fi

echo "32000 50000" >/proc/sys/net/ipv4/ip_local_port_range

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time

echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

echo 0 > /proc/sys/net/ipv4/tcp_sack

echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
$IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j DROP   --syn -m recent --name antinmap --update --seconds 5 --hitcount 4 -m state --state NEW,INVALID
$IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j ACCEPT --syn -m recent --name antinmap --set -m state --state NEW,INVALID

	$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level $NIVEL_LOG --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
	$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

	$IPTABLES -t nat -A PREROUTING -s $VIRTUAL_NET -p tcp --dport 80 -j DNAT --to-destination 10.10.254.254:3128
	$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp --dport 80 -j DNAT --to-destination 132.248.172.254:3128

	$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE

My firewall specs:

Code:

# cat /proc/
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping        : 1
cpu MHz         : 3391.875
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips        : 6787.46
clflush size    : 64

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping        : 1
cpu MHz         : 3391.875
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips        : 6782.98
clflush size    : 64

#cat /proc/meminfo
MemTotal:       505664 kB
MemFree:          5520 kB
Buffers:         24324 kB
Cached:         133124 kB
SwapCached:          0 kB
Active:         330344 kB
Inactive:        73868 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       505664 kB
LowFree:          5520 kB
SwapTotal:     2097144 kB
SwapFree:      2097100 kB
Dirty:            1948 kB
Writeback:           0 kB
AnonPages:      246788 kB
Mapped:          25496 kB
Slab:            28044 kB
SReclaimable:    10344 kB
SUnreclaim:      17700 kB
PageTables:       2688 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   2349976 kB
Committed_AS:   358040 kB
VmallocTotal:   516088 kB
VmallocUsed:      6536 kB
VmallocChunk:   509044 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     4096 kB

#df -h
S.ficheros          Tamaño Usado  Disp Uso% Montado en
/dev/mapper/VolGroup00-hdhfm
                      217G   22G  184G  11% /
/dev/sda1              99M   12M   82M  13% /boot
tmpfs                 247M     0  247M   0% /dev/shm

# uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux

I tried the same configuration on 2 virtual machines, inside the same VLAN as the servers, but this went much faster, is it the cisco switch? too many users in the LAN for the For the firewall capabillities?

Code:

CISCO Switch
 _______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______|                |Gateway |
|.......|                |........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|.......|<------------->Internet
|.......|
|.......|
|_______|
   |
___|_____
My machine
turion 64X2 1.6 Ghz 1Gb ram
WinXP

with 2 VMWare machines: 
- Fedora Core: #uname -a: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
- eth0 briged
- eth1 VMware IF 2 (private)
* Win XP connected to VMWare IF 2 (private

Any Ideas or suggestions are welcome.

[jledhead]

its kind of confusing of what the problem might be. is squid and iptables on the same machine?

Also, so you know if its squid vs iptables, what happens if you take squid out of the equation and just use the firewall? If thats not possible, is squid working for everything or just http? if its not doing ftp filtering then try something over ftp and see what kind of speeds you can get? not to muddy the water even further, but you could also do a tcpdump on the firewall to see what its doing with your packets and see if its mishandling it in anyway or delaying it.

[nukoso]

y changes some parameters like mem_cache and disk_cache and it improved the performance, it's not like oustide the firewall, but i guess it's due to the large amount of users in LAN! thanks a lot for taking time to reply!