LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-07-2011, 01:20 PM   #1
Jorek
Member
 
Registered: Sep 2005
Distribution: Slackware 13.1
Posts: 65

Rep: Reputation: 16
Performance issue with Windows machines behind a Linux gateway.


Hi!

This weekend I decided to add a firewall/gateway/router to my home network. The box is running Slackware 13.1, and is configured pretty straightforwardly:
- iptables for firewalling/NAT.
- dhcpd for DHCP.

Figure:
[WAN]-> Gateway/Router [LAN] -> Cisco WIFI AP - - - > Clients

When I use my Slackware machines, I really notice a huge performance boost, both in speed and stability (in terms of packets not being dropped and so forth).

However, when I use Windows I notice much less performance. When I type a URL in the address bar, it usually hangs for about 3-10 seconds before anything gets loaded, while in Linux everything is instant.

First I thought it was a DNS issue, but my ISP's DNS servers respond quite quickly (between 10-25 ms).

traceroute and tracert give me pretty much the same output, so I really don't know what's going on here.

I tried setting up dnsmasq as a cache, but it does not make any difference performance-wise.

I have tested two Linux clients and three Windows clients. Same thing with all of them: Windows clients much slower.

I think this is very odd, since everything runs so smoothly in Linux. Anyone experienced anything similar?
 
Old 02-07-2011, 01:49 PM   #2
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by Jorek View Post
I have tested two Linux clients and three Windows clients. Same thing with all of them: Windows clients much slower. I think this is very odd, since everything runs so smoothly in Linux.
This is the perfect place to use Wireshark. You can capture traffic on one of the Linux machines and one of the Windows machines and compare them to see what is different.
 
Old 02-07-2011, 05:15 PM   #3
Jorek
Member
 
Registered: Sep 2005
Distribution: Slackware 13.1
Posts: 65

Original Poster
Rep: Reputation: 16
I just installed Wireshark, seems pretty neat! I don't understand everything yet though!

Anything I should look for?

These look a bit strange:

[TCP Retransmission] [TCP segment of a reassembled PDU]
ICMP Destination unreachable (Fragmentation needed)
[TCP Dup ACK 1652#1]

I get some of each when capturing on the linux box, but a lot more when using windows. Especially the TCP Dup ACK.

Does this make sense to anyone?
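As an added example (not part of the thread), the three messages listed above can be tallied per LAN host from a text export of the capture, which is the quickest way to confirm that one client really is worse off than another. The script below is shell plus awk; the capture lines it reads are constructed to mimic tshark's default columns (frame, time, src, "->", dst, protocol, length, info), with 192.168.1.20 standing in for a Windows client, 192.168.1.30 for a Linux client and 192.168.1.1 for the gateway. Nothing in it is a real capture. The constructed sequence (a 1514-byte segment, a "Fragmentation needed" ICMP from the gateway, two Dup ACKs, then a retransmission a second later) is the shape a path-MTU problem leaves behind, and a multi-second stall before the retransmission is what the user sees as a hang.

```shell
#!/bin/sh
# Added example: tally TCP Dup ACKs, TCP retransmissions and ICMP
# "Fragmentation needed" messages per LAN host from a tshark-style text export.
# SAMPLE_CAPTURE is constructed for this example, not a real capture.

SAMPLE_CAPTURE='1 0.000 192.168.1.20 -> 93.184.216.34 TCP 66 49152 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
2 0.031 93.184.216.34 -> 192.168.1.20 TCP 66 80 > 49152 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460
3 0.032 192.168.1.20 -> 93.184.216.34 TCP 54 49152 > 80 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4 0.210 93.184.216.34 -> 192.168.1.20 TCP 1514 [TCP segment of a reassembled PDU]
5 0.211 192.168.1.1 -> 93.184.216.34 ICMP 590 Destination unreachable (Fragmentation needed)
6 0.412 192.168.1.20 -> 93.184.216.34 TCP 54 [TCP Dup ACK 3#1] 49152 > 80 [ACK] Seq=1 Ack=1
7 0.613 192.168.1.20 -> 93.184.216.34 TCP 54 [TCP Dup ACK 3#2] 49152 > 80 [ACK] Seq=1 Ack=1
8 1.412 93.184.216.34 -> 192.168.1.20 TCP 1514 [TCP Retransmission] 80 > 49152 [ACK] Seq=1 Ack=1
9 1.500 192.168.1.30 -> 93.184.216.34 TCP 66 40000 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
10 1.531 93.184.216.34 -> 192.168.1.30 TCP 66 80 > 40000 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1400'

# Reads capture lines on stdin; prints one "host dupack=N retrans=N" line per
# LAN client plus a final "fragneeded=N" total for the whole capture.
triage_capture() {
    awk '
    # The LAN endpoint of a packet: src if it is a LAN client, else dst.
    # 192.168.1.1 is the gateway itself and is never counted as a client.
    function lan_host(src, dst) {
        if (src ~ /^192\.168\.1\./ && src != "192.168.1.1") return src
        if (dst ~ /^192\.168\.1\./ && dst != "192.168.1.1") return dst
        return ""
    }
    {
        # ICMP errors come from the router, so count them globally first.
        if ($0 ~ /Fragmentation needed/) { frag++; next }
        h = lan_host($3, $5)
        if (h == "") next
        seen[h] = 1
        if ($0 ~ /TCP Dup ACK/)        dup[h]++
        if ($0 ~ /TCP Retransmission/) ret[h]++
    }
    END {
        for (h in seen) printf "%s dupack=%d retrans=%d\n", h, dup[h], ret[h]
        printf "fragneeded=%d\n", frag
    }'
}

# Usage: feed a real export with  tshark -r capture.pcapng | triage_capture
printf '%s\n' "$SAMPLE_CAPTURE" | triage_capture
```

A host that accumulates Dup ACKs and retransmissions while another on the same LAN shows none points at something size-dependent on the path (the 1514-byte segment never arrived, the small SYN/ACK did) rather than at DNS, which matches the earlier observation that the ISP's resolvers answer quickly.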
 
Old 02-08-2011, 08:33 AM   #4
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by Jorek View Post
Does this make sense to anyone?
It makes me think your gateway is improperly configured. Can you describe how you configured your gateway?
 
Old 02-08-2011, 09:02 AM   #5
Jorek
Member
 
Registered: Sep 2005
Distribution: Slackware 13.1
Posts: 65

Original Poster
Rep: Reputation: 16
Of course! Thanks for taking the time!

Like I said:
The gateway is running Slackware 13.1.
It has two interfaces: eth0, which is connected to my DSL modem, and eth1, which is connected to my WiFi AP.
This is the iptables script I'm using:
Code:
#!/bin/sh
#       IPtables firewall script for host Gateway.
#
# Flush the filter table, then set default policies.
iptables -F
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
# Replies to connections the gateway itself opened, and loopback traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
#
#LAN Section: services offered on the LAN interface (eth1) only.
# SSH is TCP only and DHCP is UDP only; the udp/22 and tcp/67 rules are
# harmless but unnecessary.
iptables -A INPUT -p tcp --dport 22 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 67 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 67 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth1 -j ACCEPT

# These open ports are for a Ventrilo server I've set up for my brother.
# No -i restriction, so they are reachable from the WAN side too.

iptables -A INPUT -p udp --dport 3784 -j ACCEPT
iptables -A INPUT -p tcp --dport 3784 -j ACCEPT

iptables -A INPUT -p icmp -i eth1 -j ACCEPT
#
#NAT Section: masquerade everything leaving the WAN interface (eth0).
# Forwarding itself is enabled separately via /proc/sys/net/ipv4/ip_forward.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is my dhcpd.conf:

Code:
# Sample /etc/dhcpd.conf
# (add your comments here) 
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers **.***.**.***, **.***.**.***;

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.100;
   range 192.168.1.150 192.168.1.200;
}
The line option domain-name-servers **.***.**.***, **.***.**.***; contains valid DNS servers from my ISP.

If you need any additional info, let me know!

Again, thanks.
 
Old 02-08-2011, 11:19 AM   #6
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by Jorek View Post
If you need any additional info, let me know!
I am going to guess that you are using IPv4 forwarding by using
Code:
    # echo 1 > /proc/sys/net/ipv4/ip_forward
This is really meant to be used in a situation where you only have one NIC and you want to forward traffic to one or more machines by sending it back out the NIC.

When you have two NICs, you should really use a bridge. Your kernel should have the bridge module enabled by default, unless your distro is really brain damaged. To use the bridge, you will need to install "bridge-utils" for your distro.

There are plenty of bridging tutorials. However, you should be able to get by with
Code:
    # brctl addbr br0
    # brctl addif br0 eth0
    # brctl addif br0 eth1
    # ifconfig br0 <ip address>
        or
    # dhclient br0
This should also make your iptables rules less complicated.

There is probably a similar bridge in your wireless access point. Because of this, you may want to enable spanning tree protocol (STP) for your bridge. This will prevent packets from infinitely looping in your network. That being said, try your bridge without STP first.

You are probably extremely confused by now. Rather than guess what you are thinking, I will simply request that you ask questions about what you do not yet understand.

Last edited by David1357; 02-08-2011 at 11:20 AM. Reason: Added suggestion to try without STP first.
 
Old 02-08-2011, 01:12 PM   #7
Jorek
Member
 
Registered: Sep 2005
Distribution: Slackware 13.1
Posts: 65

Original Poster
Rep: Reputation: 16
Yup, I'm using the echo 1 > /proc/sys/net/ipv4/ip_forward approach.
Did it this way a couple of years ago, and I seem to remember that it worked out pretty well.

I used an old embedded router instead of my gateway, just to test, and it seems like things run much better. I guess this indicates that my gateway is
not configured properly. When doing a packet capture with the embedded router, I do not get the "ICMP Destination unreachable (Fragmentation needed)" anymore.

And you are right, now I'm confused.
If I use this bridge approach, wouldn't the gateway be transparent to the clients on my LAN?
And how is it able to act as a DHCP server and firewall?


Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router, as well as an SSH and Ventrilo server.

The HOW-TO's I've read seem to use the iptables /w NAT approach, even on computers with multiple NICs.

Again, thanks for taking the time. I really appreciate it!

Last edited by Jorek; 02-08-2011 at 01:16 PM.
 
Old 02-08-2011, 01:39 PM   #8
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by Jorek View Post
If I use this bridge approach, wouldn't the gateway be transparent to the clients on my LAN?
Yes.

Quote:
Originally Posted by Jorek View Post
And how is it able to act as a dhcp server and firewall?
DHCP requests are sent to the broadcast address, so there is no problem with the machine acting as a DHCP server.

You can write iptables rules that operate on the bridge0 device just like you would if you only had an eth0 device.

Quote:
Originally Posted by Jorek View Post
Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router...
This is the part that confuses me. Your wireless AP should be able to act as your gateway and I am completely at a loss to understand why you need to do NAT. Can you explain what you are trying to achieve in more detail?

Quote:
Originally Posted by Jorek View Post
...as well as an SSH and Ventrilo server.
This will still work with a bridge.

Quote:
Originally Posted by Jorek View Post
The HOW-TO's I've read seem to use the iptables /w NAT approach, even on computers with multiple NICs.
I think this is because not everyone knows about the bridge driver. However, I have been working with the internals of the Linux network stack for several years now, and I feel that using iptables to bridge two NICs is at best inefficient and at worst an abuse of the utility.
 
Old 02-10-2011, 09:33 AM   #9
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by Jorek View Post
Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router...
I finally took the time to look into NAT routing so I could understand what you are trying to achieve.

That being said, this looks like a better iptables command set
Code:
# Start from a clean slate in every table.
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

# Replies to the gateway's own connections, and new connections from any
# interface other than the WAN side (eth0); this includes lo and eth1.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

# LAN -> WAN is allowed; WAN -> LAN only for replies to existing connections.
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line only if you have dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# This rule will prevent packet looping, which might be the cause
# of your current problem.
/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
Obviously, you will have to add your situation specific rules to this.
 
Old 02-10-2011, 11:39 AM   #10
Jorek
Member
 
Registered: Sep 2005
Distribution: Slackware 13.1
Posts: 65

Original Poster
Rep: Reputation: 16
Hi again!

Tested the rule for preventing looping and it works great!
Now the speed is back to normal! Thanks!

Next time I get a weekend to spare, I'll look into the bridge approach! =)

Again, thanks for helping out!
 
Old 02-10-2011, 01:46 PM   #11
designator
Member
 
Registered: Jun 2003
Location: California, USA
Distribution: OpenSUSE Tumbleweed
Posts: 219

Rep: Reputation: 37
Quote:
Originally Posted by David1357 View Post
When you have two NICs, you should really use a bridge.
This will only work if you have another router behind the bridge, right? If you want to use the Linux box as a router, you have to use forwarding.
 
Old 02-10-2011, 03:43 PM   #12
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by designator View Post
If you want to use the Linux box as a router, you have to use forwarding.
I think it is more correct to say that if you want to use iptables to create a router, you have to use forwarding.
 
  


All times are GMT -5.
