  1. #1
    Just Joined!
    Join Date
    Jul 2006
    Posts
    51

    Slow LAN when Internet fails


    Hi everybody,

    I would like to tell you about a problem that is driving me crazy... this is my LAN situation:

    ROUTER ---- PROXY/FIREWALL --- SWITCH --- LAN

    Well, the PROXY/FIREWALL is just Squid and iptables with transparent proxy, and the LAN has some Windows XP clients and a Linux managing accounts with Samba Domain Server.

    All this works very well: all the computers access the Samba server (where there are shared folders), and all the computers have access to the Internet using the PROXY/FIREWALL IP address as a gateway.

    The problem is that, when the Internet connection fails (ISP problems), all my LAN goes extremely slow, and the access to the shared folders is very, very slow.

    I've been checking a lot of things into the Samba configuration, and the only thing I found that could be the reason is the name resolve order parameter, but I think that it must be correct.

    Here is the Samba server configuration:
    Code:
    [global]
    ## Browsing/Identification ###
    # Change this to the workgroup/NT-domain name your Samba server will part of
       workgroup = DOMAIN
       netbios name = sambaserver
    # server string is the equivalent of the NT Description field
       server string = sambaserver
    # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
       wins support = yes
       name resolve order = wins lmhosts hosts bcast
    # This will prevent nmbd to search for NetBIOS names through DNS.
       dns proxy = no
    
    ####### Authentication #######
    security = user
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    
    ########## Domains ###########
    domain logons = yes
    logon path = 
    logon home = 
    
    ############ Misc ############
    os level = 99
    preferred master = yes
    domain master = yes
    local master = yes
    
    #======================= Share Definitions =======================
    [homes]
       comment = Home Directories
       browseable = no
    # By default, the home directories are exported read-only. Change the
    # next parameter to 'no' if you want to be able to write to them.
       read only = no
       create mask = 700
       directory mask = 700
    
    ## TEMP
    [temporal]
       comment = clears every week
       path = /home/temporal
       read only = no
       browseable = yes
       valid users = @general
       force create mode = 0775
       force directory mode = 0775
       force group = general
    
    [comercial]   
       comment = Comercial (caps department)
       path = /home/qcomercial
       read only = no
       browseable = yes
       valid users = @comercial
       force create mode = 0775
       force directory mode = 0775
       force group = comercial

    Does anyone have any ideas?

    Thanks a lot.

  2. #2
    Linux User ptkobe's Avatar
    Join Date
    Feb 2008
    Location
    Torres Vedras, PT
    Posts
    276
    Nah, something is wrong in your equation.

    ISP failing should have any effect on LAN access. Unless...

    If you physically disconnect from the internet (not just kind of falling), do things go slower or just stop working?

    DNS resolution may be a good target. Where is it done? (local host files, hardware, software DNS, ... ?)

    Why do you say
    ROUTER ---- PROXY/FIREWALL --- SWITCH

    Are they the same hardware, or three different pieces?

    Luis

  3. #3
    Just Joined!
    Join Date
    Jul 2006
    Posts
    51
    Hi ptkobe,

    thanks for your reply...

    Why do you say
    ROUTER ---- PROXY/FIREWALL --- SWITCH
    Ok, the scheme is like this,
    ROUTER ---- PROXY/FIREWALL --- SWITCH --- LAN

    where I have a PROXY/FIREWALL computer (Squid+iptables) with 2 net interfaces, 1 connected to the ROUTER and the other connected to a SWITCH. Then, this SWITCH connects the LAN in which there are some Windows clients and the Samba Server.

    If you physically disconnect from internet (not just kind of falling), does things go slower or just stop working?
    I made the test and I can verify that if I physically disconnect the ROUTER from Internet, I get the same effect, so, the LAN goes extremely slow.

    Finally, about DNS resolution, I use the ISP DNS.

    Any more ideas?

  4. #4
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,746
    Review your config from the *client's* perspective. If you want to remove name resolution as a possible cause, test by connecting to the server's IP from the client.

  5. #5
    Linux User ptkobe's Avatar
    Join Date
    Feb 2008
    Location
    Torres Vedras, PT
    Posts
    276
    Quote Originally Posted by aleix View Post
    Finally, about DNS resolution, I use the ISP DNS.
    My bad. You use the ISP DNS to solve external names, but local machines don't use dns, they are using windows netbios/WINS, unless wins/lmhosts/dns fails, and then use broadcast.

    Windows Internet Name Service - Wikipedia, the free encyclopedia
    [Chapter 7] 7.3 Name Resolution with Samba

    log files, don't help anything?

    But if it is a name resolution, I think you should have a delay, but no reason for a slow transfer rate. You have both?

    On the other hand, found this
    Chapter 29. Integrating MS Windows Networks with Samba

    "A common cause of slow network response includes:
    * Client is configured to use DNS and the DNS server is down"
    * ...

    I'm not a samba server/wins expert, sorry I can't really help.
    Regards
    Luis

  6. #6
    Linux Newbie
    Join Date
    Sep 2004
    Location
    UK
    Posts
    161
    It looks like the internal network is waiting for the DNS lookup to happen.

    Do you have a localdns server (for the local addresses) on the network?

    I have a similar setup, but run dnsmasq on the proxy/firewall, which serves as the DNS server for the internal machines (it picks up the IP for local machines from the hosts file and goes out to the ISP DNS when needed - it also provides DHCP for the internal network). When the ISP link goes down the internal network continues to function as normal. Every machine except for the proxy uses DHCP to pick up its IP address, default route, DNS server, NTP server (the proxy) etc. (which all gets put in the DHCP response).

    Don't know if it will help (works well for me), but here's my setup:

    /etc/dnsmasq.conf
    Code:
    domain-needed
    bogus-priv
    resolv-file=/etc/resolv.conf.external
    user=nobody
    group=nobody
    
    except-interface=eth0
    
    expand-hosts
    domain=mysite.home
    
    dhcp-range=172.16.172.150,172.16.172.200,255.255.255.0,12h 
    # Set the NTP time server address to be the same machine as is running dnsmasq
    #dhcp-option=42,0.0.0.0
    
    read-ethers
    
    dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
    dhcp-authoritative
    cache-size=500
    selfmx
    
    conf-dir=/etc/dnsmasq.d

    read-ethers makes dnsmasq use /etc/ethers, where I fix static IPs for devices that need it using the MAC address

    eg.
    /etc/ethers
    Code:
    00:03:0D:49:76:11    ws1
    00:03:0D:49:76:12    ws2
    00:03:0D:49:76:13    ws3
    /etc/hosts
    Code:
    127.0.0.1       localhost.localdomain   localhost       loghost
    172.16.172.254  proxy.mysite.home     proxy
    
    172.16.172.1    ws1.mysite.home     ws1
    172.16.172.1    ws2.mysite.home     ws2
    172.16.172.1    ws3.mysite.home     ws3
    /etc/host.conf
    Code:
    multi on
    order hosts,bind
    /etc/resolv.conf
    Code:
    search mysite.home
    nameserver 127.0.0.1
    /etc/resolv.conf.external
    Code:
    ; Created by dhclient for eth0
    nameserver xxx.xxx.xxx.xxx
    nameserver xxx.xxx.xxx.yyy

    Replace xxx.xxx.xxx.xxx/yyy with your ISP's DNS or the internal IP of your router.

    In a world without walls and fences, who needs Windows and Gates?

  7. #7
    Just Joined!
    Join Date
    Jul 2006
    Posts
    51
    Hi guys!

    I'm back again, with more clues to try to resolve the problem.

    Well, firstly, HROAdmin26:
    Review your config from the *client's* perspective. If you want to remove name resolution as a possible cause, test by connecting to the server's IP from the client.
    I tried this, and the result is that I can't access the server with the NetBIOS name, nor using only the IP address.

    Secondly, blinky:
    Do you have a localdns server (for the local addresses) on the network?
    No, I don't have a local DNS.

    Finally, I want to tell you more details about the configuration, if you remember the diagram:
    ROUTER ---- PROXY/FIREWALL --- SWITCH --- LAN

    Ok, the LAN has some Windows XP clients, and the Linux Samba Server (Domain Server).

    Well, but there are 2 more servers with shared directories. One of them is another Windows XP, and the other is Linux with Samba and only one shared directory with guest permissions.

    These 2 servers are accessible without problems when internet connection is down, so the only problem is with the Samba domain server.

    As you saw in the first post, the Samba configuration file seems to be OK... so, bufff, I'm going crazy........ where can the problem be??

    More clues:
    - Installed services on this server:
    • Apache2
    • MySQL Server
    • DHCP


    From my point of view, only the DHCP server could have any relation, so here is the configuration:
    Code:
    subnet 192.168.0.0 netmask 255.255.255.0
    {
      option domain-name "xxxxxx.com";
      option domain-name-servers 212.145.4.97, 212.145.4.98;
      option subnet-mask 255.255.255.0;
      option routers 192.168.0.100;
      option netbios-name-servers 192.168.0.5;
      option broadcast-address 192.168.0.255;
      range 192.168.0.2 192.168.0.80;
    }
    
    ### Informatica
    host informatic { hardware ethernet XX:XX:XX:XX:XX:XX; fixed-address 192.168.0.8; }
    host copies { hardware ethernet XX:XX:XX:XX:XX:XX; fixed-address 192.168.0.3; }
    
    ### Enginyeria
    host tecnic2 { hardware ethernet XX:XX:XX:XX:XX:XX; fixed-address 192.168.0.30; }
    host tecnic1 { hardware ethernet XX:XX:XX:XX:XX:XX; fixed-address 192.168.0.25; }
    
    ### and some more

    Well, I hope some of you have more clues to finally get the solution..

    thanks to all.

    Aleix

  8. #8
    Linux User ptkobe's Avatar
    Join Date
    Feb 2008
    Location
    Torres Vedras, PT
    Posts
    276
    Please post your samba server and linux clients /etc/resolv.conf and /etc/nsswitch.conf files

  9. #9
    Just Joined!
    Join Date
    Jul 2006
    Posts
    51
    Hi again ptkobe,

    here are the configurations you requested:

    Samba server /etc/resolv.conf
    Code:
    domain local.lan
    search local.lan
    nameserver 212.145.4.97
    nameserver 212.145.4.98
    Samba server /etc/nsswitch.conf
    Code:
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat
    group:          compat
    shadow:         compat
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
    Linux Client /etc/resolv.conf (Windows XP clients CAN access without problems when internet connection is down)
    Code:
    domain xxxxxx.com
    search xxxxxx.com
    nameserver 212.145.4.97
    nameserver 212.145.4.98
    Linux Client /etc/nsswitch.conf
    Code:
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat
    group:          compat
    shadow:         compat
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis

    Finally, I don't know if it can help, but here is the /etc/hosts of the Windows XP clients:
    Code:
    127.0.0.1       localhost
    192.168.0.197   www.xxxxxx.com
    192.168.0.5	agenda.xxxxxx.com
    192.168.0.5     controlgn.xxxxxx.com

  10. #10
    Linux User ptkobe's Avatar
    Join Date
    Feb 2008
    Location
    Torres Vedras, PT
    Posts
    276
    As you can see, your DNS servers are on the internet, so the name resolver will fail without internet.

    in your dhcpd.conf you have
    option domain-name "xxxxxx.com";
    option domain-name-servers 212.145.4.97, 212.145.4.98;

    and the /etc/resolv.conf
    domain local.lan
    search local.lan
    nameserver 212.145.4.97
    nameserver 212.145.4.98

    Note: This last "domain local.lan" (should be xxxxxx.com) makes me wonder whether your router/switch DHCP servers are active. There can only be one, so please make sure your hardware DHCP servers are off if you want to use the software DHCP server.

    Then you may want to set a local name resolver to see if that solves your slow LAN.

    as in your /etc/nsswitch.conf
    hosts: files dns

    This can be done (for the purpose of testing) using the hosts files (lmhosts on windows?), setting there all local ip's. You may even disable the DHCP server.

    Another way is to set up a DNS proxy/forwarded DNS on your router (if possible) or set up a bind9 software DNS.
    Then set your DNS server address on your DHCP server or directly in your /etc/resolv.conf files or network advanced properties for Windows (for those you can check it in the network device status details).

    Another approach you may try to isolate the problem is to power off all hardware and computers and disconnect from the internet. Wait a little, power on the hardware (without internet connection) and the server and just one other machine (test LAN speed either with the Linux client or with one Windows client).

    That's about all I can say for now.
    You may have a multiple DHCP server problem
    You have your DNS servers outside your lan

    I just don't know how DNS will affect WINS resolution, as you have dns proxy = no in your samba conf.

    Regards
    Luis
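
The diagnosis reached in the thread (every resolver handed out by DHCP and listed in /etc/resolv.conf is an ISP address, so name lookups depend on the WAN link) can be checked mechanically. The following is an added example, not code from any poster: the function names are hypothetical and the sample input is constructed from the dhcpd.conf and resolv.conf lines posted above.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines of the dhcpd.conf and
# /etc/resolv.conf posted in the thread.
DHCPD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0
{
  option domain-name-servers 212.145.4.97, 212.145.4.98;
  option netbios-name-servers 192.168.0.5;
}
"""
RESOLV_CONF = "search local.lan\nnameserver 212.145.4.97\nnameserver 212.145.4.98\n"

def dhcpd_subnet(text):
    """First 'subnet A netmask M' declaration as an IPv4Network."""
    m = re.search(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)", text, re.M)
    if not m:
        raise ValueError("no subnet declaration found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")

def dhcpd_dns(text):
    """Resolvers handed to clients via 'option domain-name-servers'."""
    found = []
    for m in re.finditer(r"^\s*option\s+domain-name-servers\s+([^;]+);", text, re.M):
        found += [a.strip() for a in m.group(1).split(",")]
    return found

def resolv_dns(text):
    """Resolvers from 'nameserver' lines; '#' and ';' comment lines do not match."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def audit(servers, lan):
    """Split resolvers into on-LAN and off-LAN; flag when none is on the LAN."""
    local, external = [], []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            external.append(s)  # not an IP literal: resolving it needs DNS too
            continue
        (local if addr in lan or addr.is_loopback else external).append(s)
    return {"local": local, "external": external,
            "wan_dependent": bool(external) and not local}

if __name__ == "__main__":
    lan = dhcpd_subnet(DHCPD_CONF)
    for name, servers in (("dhcpd.conf", dhcpd_dns(DHCPD_CONF)),
                          ("resolv.conf", resolv_dns(RESOLV_CONF))):
        print(name, audit(servers, lan))
```

With the dnsmasq layout from post #6, where /etc/resolv.conf points at 127.0.0.1, the same audit reports no WAN dependency.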
