LinuxQuestions.org, Linux - Networking forum
Old 04-17-2008, 01:26 PM   #1
nukoso
LQ Newbie
 
Registered: Jan 2008
Posts: 19

Rep: Reputation: 0
LAN is too slow. (Squid, iptables, Cisco switch)

Hi there, I'm running squid on this machine I use as gateway/firewall for the users in my LAN:

Code:
CISCO Switch
 _______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______|................|Gateway |
|.......|................|........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|_______|<------------->Internet
I'm having some slowdown in speed for LAN users, since average download speed is around 50 KB/s behind the firewall with an E3 link (34.368 Mbit/s).
I'm using iptables for NAT, firewalling and redirecting LAN HTTP users to the transparent Squid port.

I'm wondering why download speed is so slow, since without the firewall some downloads might hit 300 KB/s, 800 KB/s or even 1.2 or 2 MB/s, and inside it won't go any further than 300 KB/s (for short periods of time), and average speed is around 50 KB/s.

I'm not using any Squid delay pools. Also, Squid doesn't seem to be caching, since I downloaded some .exe file and then tried to re-download it, but speed was about the same.

Here's my squid.conf
Code:
# ACLs
acl redesinternas src 132.248.172.0/24 10.10.0.0/16   # internal networks (users LAN and the 10.10/16 net)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Safe_ports is referenced below but was not in the posted excerpt; Squid refuses to
# start on an undefined ACL, so this is the stock Squid definition.
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is evaluated top-down and stops at the first match. The posted config had
# "allow redesinternas" as the first rule, so internal clients never reached the
# Safe_ports and CONNECT checks; the deny rules have to come first.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redesinternas
http_access allow localhost
http_access deny all
icp_access allow all

http_port 3128 transparent      # Squid 2.6 syntax for accepting DNAT'd port-80 traffic

# Never cache dynamic content
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

# 60 GB on-disk cache. Squid keeps an in-memory index of roughly 10 MB per GB of
# cache_dir, on top of cache_mem, so this wants ~600 MB of RAM on a box with ~494 MB.
cache_dir ufs /var/spool/squid 60000 16 256
# Anything larger than this is never stored, so a re-downloaded .exe above 25000 KB
# is always a TCP_MISS no matter how often it is fetched.
maximum_object_size 25000 KB
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
always_direct allow all         # no parent or sibling caches, always fetch from the origin
coredump_dir /var/spool/squid
some of my iptables rules:
Code:
#!/bin/sh
# Tool paths and networks were set in the part of the script that was not posted.
# The paths below are the usual ones; the two networks are assumed from the squid
# ACL and the DNAT targets further down.
DEPMOD=/sbin/depmod; MODPROBE=/sbin/modprobe; LSMOD=/sbin/lsmod
GREP=/bin/grep; AWK=/bin/awk; IPTABLES=/sbin/iptables
NIVEL_LOG=info                       # syslog level for the LOG target ("nivel" = level)
INTERNAL_NET=132.248.172.0/24        # assumed: users LAN behind eth1
VIRTUAL_NET=10.10.0.0/16             # assumed: second LAN behind eth1:1

LOCAL_IF="lo"
EXTERNAL_IF="eth0"
INTERNAL_IF="eth1"
VIRTUAL_IF="eth1:1"

$DEPMOD -a

# Load the netfilter modules (legacy ip_conntrack/ip_nat names) if not already loaded.
for mod in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp; do
    if [ -z "$($LSMOD | $GREP "$mod" | $AWK '{print $1}')" ]; then
        $MODPROBE "$mod"
    fi
done

# Kernel TCP tuning. These only affect TCP terminated on this box, i.e. Squid's
# client-side and origin-side connections; NATed flows keep the end hosts' settings.
echo "32000 50000" > /proc/sys/net/ipv4/ip_local_port_range   # 18001 ephemeral ports for Squid's outbound connections
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling                # required for windows above 64 KB on the E3
echo 0 > /proc/sys/net/ipv4/tcp_sack                          # disables selective ACK: each lost segment costs an extra RTT to recover, which caps throughput on any lossy path
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog            # half-open connection queue, small for a proxy terminating all LAN HTTP

# Rate-limit new TCP connections from the Internet to the firewall itself:
# more than 3 SYNs from one source within 5 s are dropped ("recent" list: antinmap).
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --syn -m state --state NEW,INVALID \
    -m recent --name antinmap --update --seconds 5 --hitcount 4 -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --syn -m state --state NEW,INVALID \
    -m recent --name antinmap --set -j ACCEPT

# Log (at most 5/minute) and drop NULL scans before routing
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute \
    -j LOG --log-level $NIVEL_LOG --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

# Transparent proxy: LAN port-80 traffic is DNATed to Squid on port 3128
# (the target must be an address on which http_port 3128 is listening)
$IPTABLES -t nat -A PREROUTING -s $VIRTUAL_NET -p tcp --dport 80 -j DNAT --to-destination 10.10.254.254:3128
$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp --dport 80 -j DNAT --to-destination 132.248.172.254:3128

# NAT everything leaving on the Internet side
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE
My firewall specs:
Code:
# cat /proc/
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping        : 1
cpu MHz         : 3391.875
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips        : 6787.46
clflush size    : 64

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping        : 1
cpu MHz         : 3391.875
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips        : 6782.98
clflush size    : 64

#cat /proc/meminfo
MemTotal:       505664 kB
MemFree:          5520 kB
Buffers:         24324 kB
Cached:         133124 kB
SwapCached:          0 kB
Active:         330344 kB
Inactive:        73868 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       505664 kB
LowFree:          5520 kB
SwapTotal:     2097144 kB
SwapFree:      2097100 kB
Dirty:            1948 kB
Writeback:           0 kB
AnonPages:      246788 kB
Mapped:          25496 kB
Slab:            28044 kB
SReclaimable:    10344 kB
SUnreclaim:      17700 kB
PageTables:       2688 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   2349976 kB
Committed_AS:   358040 kB
VmallocTotal:   516088 kB
VmallocUsed:      6536 kB
VmallocChunk:   509044 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     4096 kB

#df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-hdhfm
                      217G   22G  184G  11% /
/dev/sda1              99M   12M   82M  13% /boot
tmpfs                 247M     0  247M   0% /dev/shm

# uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
I tried the same configuration on 2 virtual machines, inside the same VLAN as the servers, and this went faster. Is it the Cisco switch? Too many users for my hardware capabilities?
Code:
CISCO Switch
 _______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______|                |Gateway |
|.......|                |........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|.......|<------------->Internet
|.......|
|.......|
|_______|
   |
___|_____
My machine:
Turion 64 X2 1.6 GHz, 1 GB RAM
Win XP

with 2 VMware machines:
- Fedora Core: #uname -a: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
- eth0 bridged
- eth1 VMware IF 2 (private)
* Win XP connected to VMware IF 2 (private)
Any ideas or suggestions are welcome.
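A check the post above stops short of: instead of timing a second download, read Squid's access.log and count what was actually served from cache, which objects can never be cached under the posted maximum_object_size, and which transfers are slow. This is an added example in shell and awk, not code from the thread. The lines in SAMPLE_LOG are constructed to look like Squid's native log format (the same .exe fetched twice and staying a MISS, one HIT, one CGI request, one object over 25000 KB); the 25000 KB limit and the 100 KB/s threshold are taken from the post, nothing else is.

```shell
#!/bin/sh
# Added example: answer "is Squid caching?" and "what is slow?" from access.log.
# Squid native log fields:
#   time elapsed_ms client action/status bytes method url ident hierarchy/peer type

# Constructed sample log (not from the thread).
SAMPLE_LOG='1208445600.101   2048 10.10.3.7 TCP_MISS/200 1048576 GET http://example.org/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1208445660.202   2000 10.10.3.7 TCP_MISS/200 1048576 GET http://example.org/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1208445700.303    100 10.10.3.8 TCP_HIT/200 51200 GET http://example.org/logo.png - NONE/- image/png
1208445720.404    600 10.10.3.9 TCP_MISS/200 30720 GET http://example.org/cgi-bin/q?x=1 - DIRECT/192.0.2.10 text/html
1208445730.505  52000 10.10.3.10 TCP_MISS/200 26214400 GET http://example.org/big.iso - DIRECT/192.0.2.10 application/octet-stream'

sample_log() { printf '%s\n' "$SAMPLE_LOG"; }

# "hits misses hit_percent" over the whole log; any TCP_*HIT* action counts as a hit.
hit_ratio() {
    awk '{ if ($4 ~ /HIT/) h++; else m++ }
         END { t = h + m; printf "%d %d %d\n", h, m, (t ? 100 * h / t : 0) }'
}

# URLs requested more than once that never produced a hit: caching is not working for them.
repeat_misses() {
    awk '$4 ~ /HIT/ { hit[$7]++; next }
         { miss[$7]++ }
         END { for (u in miss) if (miss[u] > 1 && !(u in hit)) print u, miss[u] }'
}

# Misses whose body exceeds maximum_object_size (argument in KB): Squid never stores these.
oversize_objects() {
    awk -v max_kb="$1" '$4 !~ /HIT/ && $5 > max_kb * 1024 { printf "%s %d\n", $7, $5 / 1024 }'
}

# Transfers below a KB/s threshold as "client url kbps"; elapsed is in ms.
slow_transfers() {
    awk -v min_kbps="$1" '$2 > 0 {
        kbps = $5 * 1000 / (1024 * $2)
        if (kbps < min_kbps) printf "%s %s %.0f\n", $3, $7, kbps
    }'
}

# Demo on the constructed log. On the gateway feed the real file instead, e.g.
#   hit_ratio < /var/log/squid/access.log
echo "hits misses percent: $(sample_log | hit_ratio)"
echo "repeated but never cached:"; sample_log | repeat_misses
echo "larger than maximum_object_size 25000 KB:"; sample_log | oversize_objects 25000
echo "below 100 KB/s:"; sample_log | slow_transfers 100
```

A healthy cache shows the second fetch of the same URL as TCP_HIT or TCP_MEM_HIT; if repeat_misses lists it and oversize_objects does not, the object was fetched but not stored, and the refresh_pattern or Cache-Control headers are the next thing to look at.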
 
Old 04-19-2008, 05:04 PM   #2
ARC1450
Member
 
Registered: Jun 2005
Location: Odenton, MD
Distribution: Gentoo
Posts: 290

Rep: Reputation: 30
You say that the servers run just fine and up to speed, right?

Well, the thing is that the servers don't have to go through any 802.1Q to get to the internet, it seems. I'd check your gateway, make sure everything is up to par. Check CPU usage, all that good stuff.

One thing I can suggest though (I only have this suggestion because I did it)... make sure your MTUs can get through. I accidentally blocked my MTUs from getting out of my network one time... whoopsie. It'll cause slow downloads due to being unable to make the window size bigger.
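Two things a practitioner would check on the gateway after reading both posts: the TCP tunables the posted script writes (tcp_sack=0, a narrow ephemeral port range, a small SYN backlog) against what a box terminating all LAN HTTP needs, and whether ICMP "fragmentation needed" can reach it, which is the MTU point in the reply above. This is an added example in shell, not code from the thread: SCRIPT_TUNABLES mirrors the echo lines of the posted script, the warning thresholds (28000 usable ports, a 4096 SYN backlog) are this example's own assumptions, and the rules are only printed unless IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example: flag kernel TCP settings that throttle a Squid gateway and print the
# rules that keep path-MTU discovery alive. Thresholds are assumptions, not kernel defaults.

# Constructed from the echo lines in the posted script, as "key value [value]".
SCRIPT_TUNABLES='net.ipv4.ip_local_port_range 32000 50000
net.ipv4.tcp_fin_timeout 30
net.ipv4.tcp_keepalive_time 1800
net.ipv4.tcp_window_scaling 1
net.ipv4.tcp_sack 0
net.ipv4.tcp_max_syn_backlog 1280'

script_tunables() { printf '%s\n' "$SCRIPT_TUNABLES"; }

# The same keys read from the running kernel, for use on the gateway itself.
live_tunables() {
    for k in ip_local_port_range tcp_fin_timeout tcp_keepalive_time tcp_window_scaling tcp_sack tcp_max_syn_backlog; do
        if [ -r "/proc/sys/net/ipv4/$k" ]; then
            printf 'net.ipv4.%s %s\n' "$k" "$(cat "/proc/sys/net/ipv4/$k")"
        fi
    done
}

# One "WARN name current -> suggested (why)" line per setting that hurts a proxy.
# These matter only for TCP terminated on the gateway, i.e. Squid's client and
# origin connections; NATed flows keep the end hosts' own TCP options.
audit_tunables() {
    awk '
    $1 == "net.ipv4.tcp_sack" && $2 == 0 {
        print "WARN tcp_sack 0 -> 1 (without SACK each lost segment costs an extra round trip to recover)" }
    $1 == "net.ipv4.tcp_window_scaling" && $2 == 0 {
        print "WARN tcp_window_scaling 0 -> 1 (receive window capped at 64 KB)" }
    $1 == "net.ipv4.ip_local_port_range" {
        ports = $3 - $2 + 1
        # A closed outbound connection sits in TIME_WAIT for 60 s (fixed in the kernel;
        # tcp_fin_timeout does not change it), so ports/60 bounds new origin connections per second.
        if (ports < 28000) {
            printf "WARN ip_local_port_range %d-%d -> 1024-65535 (%d ports = ~%d new connections/s)\n", $2, $3, ports, int(ports / 60)
        } }
    $1 == "net.ipv4.tcp_max_syn_backlog" && $2 < 4096 {
        printf "WARN tcp_max_syn_backlog %d -> 4096 (low for a box terminating all LAN HTTP)\n", $2 }
    '
}

# Rules for the MTU point: let ICMP type 3 code 4 reach both the gateway's own stack and
# the LAN, and clamp MSS on forwarded SYNs for paths that still swallow it. Inserted with
# -I so they land ahead of any DROP. Dry-run (echo) unless IPTABLES=/sbin/iptables is set.
IPTABLES="${IPTABLES:-echo iptables}"
pmtu_rules() {
    $IPTABLES -I INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPTABLES -I FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPTABLES -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

script_tunables | audit_tunables
pmtu_rules
```

On the gateway, `live_tunables | audit_tunables` audits the running values, and `IPTABLES=/sbin/iptables pmtu_rules` applies the three rules instead of printing them. Note that the script in the first post only shows INPUT rules for TCP, so whether ICMP is dropped there is not visible from the thread; the audit output is the thing to confirm first.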
 
  

