Performance issue with Windows machines behind a linux gateway.
Hi!
This weekend I decided to add a firewall/gateway/router to my home network. The box is running Slackware 13.1, and is configured pretty straightforwardly:
- iptables for firewalling/NAT.
- dhcpd for DHCP.
When I use my Slackware machines, I really notice a huge performance boost, both in speed and stability (in terms of packets not being dropped and so forth).
However, when I use Windows I notice quite a bit less performance. When I type a URL in the address bar, it usually hangs for about 3-10 seconds before anything gets loaded, while in Linux everything is instant.
First I thought it was a DNS issue, but my ISP's DNS servers respond quite quickly (between 10-25 ms).
traceroute and tracert give me pretty much the same output, so I really don't know what's going on here.
I tried setting up dnsmasq as a cache, but it does not make any difference performance-wise.
I have tested two Linux clients and three Windows clients. Same thing with all of them: Windows clients much slower.
I think this is very odd, since everything runs so smoothly in Linux. Anyone experienced anything similar?
Quote:
Originally Posted by Jorek
I have tested two Linux clients and three Windows clients. Same thing with all of them: Windows clients much slower. I think this is very odd, since everything runs so smoothly in Linux.
This is the perfect place to use Wireshark. You can capture traffic on one of the Linux machines and one of the Windows machines and compare them to see what is different.
Like I said:
The gateway is running Slackware 13.1.
It has two interfaces: eth0, which is connected to my DSL modem, and eth1, which is connected to my WIFI AP.
This is the iptables script I'm using:
Code:
# IPtables firewall script for host Gateway.
#
# eth0 = DSL modem (WAN), eth1 = WIFI AP (LAN)
# IPv4 forwarding is enabled separately (echo 1 > /proc/sys/net/ipv4/ip_forward).
#
iptables -F
# Also flush the nat table, otherwise every run appends another MASQUERADE rule.
iptables -t nat -F
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
#
#LAN Section:
# SSH from the LAN (SSH is TCP only; the UDP rule is harmless but not needed).
iptables -A INPUT -p tcp --dport 22 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -i eth1 -j ACCEPT
# DHCP server (DHCP is UDP only; the TCP rule is harmless but not needed).
iptables -A INPUT -p udp --dport 67 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 67 -i eth1 -j ACCEPT
# DNS (dnsmasq cache) from the LAN.
iptables -A INPUT -p tcp --dport 53 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth1 -j ACCEPT
# These open ports are for a ventrilo server I've set up for my brother
# (no -i, so they are reachable from the WAN side as well).
iptables -A INPUT -p udp --dport 3784 -j ACCEPT
iptables -A INPUT -p tcp --dport 3784 -j ACCEPT
iptables -A INPUT -p icmp -i eth1 -j ACCEPT
#
#Routing Section:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
#NAT Section:
I am going to guess that you are using IPv4 forwarding by using
Code:
# echo 1 > /proc/sys/net/ipv4/ip_forward
This is really meant to be used in a situation where you only have one NIC and you want to forward traffic to one or more machines by sending it back out the NIC.
When you have two NICs, you should really use a bridge. Your kernel should have the bridge module enabled by default, unless your distro is really brain damaged. To use the bridge, you will need to install "bridge-utils" for your distro.
There are plenty of bridging tutorials. However, you should be able to get by with
This should also make your iptables rules less complicated.
There is probably a similar bridge in your wireless access point. Because of this, you may want to enable spanning tree protocol (STP) for your bridge. This will prevent packets from infinitely looping in your network. That being said, try your bridge without STP first.
You are probably extremely confused by now. Rather than guess what you are thinking, I will simply request that you ask questions about what you do not yet understand.
Last edited by David1357; 02-08-2011 at 11:20 AM.
Reason: Added suggestion to try without STP first.
Yup, I'm using the echo 1 > /proc/sys/net/ipv4/ip_forward approach.
Did it this way a couple of years ago, and I seem to remember that it worked out pretty well.
I used an old embedded router instead of my gateway, just to test, and it seems like things run much better. I guess this indicates that my gateway is not configured properly. When doing a packet capture with the embedded router, I do not get the "ICMP Destination unreachable (Fragmentation needed)" anymore.
And you are right, now I'm confused.
If I use this bridge approach, wouldn't the gateway be transparent to the clients on my LAN?
And how is it able to act as a dhcp server and firewall?
Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router, as well as an SSH and Ventrilo server.
The HOW-TOs I've read seem to use the iptables with NAT approach, even on computers with multiple NICs.
Again, thanks for taking the time. I really appreciate it!
Quote:
Originally Posted by Jorek
If I use this bridge approach, wouldn't the gateway be transparent to the clients on my LAN?
Yes.
Quote:
Originally Posted by Jorek
And how is it able to act as a dhcp server and firewall?
DHCP requests are sent to the broadcast address, so there is no problem with the machine acting as a DHCP server.
You can write iptables rules that operate on the bridge0 device just like you would if you only had an eth0 device.
Quote:
Originally Posted by Jorek
Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router...
This is the part that confuses me. Your wireless AP should be able to act as your gateway and I am completely at a loss to understand why you need to do NAT. Can you explain what you are trying to achieve in more detail?
Quote:
Originally Posted by Jorek
...as well as an SSH and Ventrilo server.
This will still work with a bridge.
Quote:
Originally Posted by Jorek
The HOW-TOs I've read seem to use the iptables with NAT approach, even on computers with multiple NICs.
I think this is because not everyone knows about the bridge driver. However, I have been working with the internals of the Linux network stack for several years now, and I feel that using iptables to bridge two NICs is at best inefficient and at worst an abuse of the utility.
Quote:
Originally Posted by Jorek
Just to clarify; my intention is to use my gateway in the same manner as an embedded NAT router...
I finally took the time to look into NAT routing so I could understand what you are trying to achieve.
That being said, this looks like a better iptables command set:
Code:
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i eth0" = new connections arriving on any interface except the WAN one
# (the older "-i ! eth0" spelling is deprecated)
/sbin/iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# the two FORWARD rules above only restrict anything once the policy is no
# longer the default ACCEPT
/sbin/iptables -P FORWARD DROP
# use this line only if you have dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# This rule will prevent packet looping, which might be the cause
# of your current problem.
/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
Obviously, you will have to add your situation specific rules to this.
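The same NAT ruleset as an added example (not code from the thread or its posters): a script with the gateway interfaces as variables, a dry-run mode that prints the rules instead of applying them, and the Ventrilo rules from the original script folded in. It assumes eth0 is the WAN and eth1 the LAN side, as in the thread, and adds a DROP policy on FORWARD, which is my assumption about the intent of the reply's FORWARD rules rather than something the reply states.

```shell
#!/bin/sh
# Added example, not code from the thread: the reply's NAT ruleset plus the
# original poster's Ventrilo rules, with interfaces as variables and a dry-run
# mode so the rule list can be reviewed before it touches a live gateway.
# Assumptions (from the thread): eth0 = WAN (DSL modem), eth1 = LAN (WiFi AP).
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 as root to apply the rules for real

# ipt: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# build_rules: emits (or applies) the whole ruleset, in order.
build_rules() {
    ipt -F; ipt -t nat -F; ipt -X
    # Replies to our own traffic, and anything new that does not arrive on the WAN.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    # Ventrilo stays reachable from the WAN (no -i), as in the original script.
    ipt -A INPUT -p tcp --dport 3784 -j ACCEPT
    ipt -A INPUT -p udp --dport 3784 -j ACCEPT
    ipt -P INPUT DROP
    # Forwarding: LAN to WAN freely, WAN to LAN only for replies, never WAN to WAN.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$WAN" -j REJECT
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# count_rules: number of rule-adding (-A) commands the ruleset contains.
count_rules() {
    ( DRY_RUN=1; build_rules ) | grep -c -- ' -A '
}

# forwarding_enabled: succeeds only if the kernel will route between the NICs
# (the thread's "echo 1 > /proc/sys/net/ipv4/ip_forward" step).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

build_rules
```

Run it as is to review the rule list; with DRY_RUN=0 (as root) it applies the rules, and forwarding_enabled reports whether the separate ip_forward step has been done.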