I am in the process of changing an old 486/slackware-2.2.XX box to a new pentium/debian2.6.4 box for my router. My old box was running standard 2.2 kernel masquerading, and I am trying to set up the (not so) new iptables now available with 2.4/2.6 on the new box, but I can't seem to be able to get speeds as fast. Here are more details.
I have a cable modem connection with pretty fast download speeds: ~450 kiloBYTES/sec. With the old box, all clients connecting to the router could easily reach that speed.
When setting up the new firewall on the 2.6 kernel, clients can only reach download speeds of up to 8-10 kB/s from the outside world. At first, I suspected something was wrong with the network cards on the new machine, but here's the weird thing I found out: if I try to download a 10 MB test file provided on my ISP's FTP, I do reach maximal speed.
I tried downloading a new kernel from ftp.kernel.org to test speed. That site is generally very reliable. If I download the file directly on the router machine, I reach high speed. If I download it from one of the clients connected to the router, I again top out at 10 kB/s.
So the problem is really only when I go outside the ISP.
Here are (yet) some more details (that might be interesting from the search I have done):
- iptables -L is blazing fast.
- iptables -t nat -L is blazing fast.
- From the client machine, I can see the download speed being very high for about one second and then dropping suddenly.
- Question: Could my ISP possibly be detecting that I use iptables and slowing down the connection on purpose?
- Here is the (very simple) script I use to initiate masquerading:
########## script begin
#eth0 is external, connected to the cable modem
#eth1 is internal, connected to a switch
echo "Initiating ipforwarding/NAT policies"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#accept everything coming from our lan
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#everything is dropped except for those exceptions
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
############ script end
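An added example, not part of the original post and not a diagnosis of the slowdown: a small Python audit of the rule lines in the script above, checking two things visible in it, a MASQUERADE rule with no `-o` interface and FORWARD rules appended to a table the script never flushes. The function names and finding labels are hypothetical, and `SCRIPT` is a constructed copy of the posted lines.

```python
import shlex

# Constructed copy of the iptables lines from the script quoted in the post.
SCRIPT = """\
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""


def parse(line):
    """Parse one iptables command into a dict; return None for other lines."""
    tok = shlex.split(line, comments=True)
    if not tok or tok[0] != "iptables":
        return None
    rule = {"table": "filter", "op": None, "chain": None,
            "out": None, "target": None, "text": " ".join(tok)}
    for i, t in enumerate(tok):
        nxt = tok[i + 1] if i + 1 < len(tok) else None
        if t == "-t":
            rule["table"] = nxt
        elif t in ("-A", "-I", "-P", "-F"):
            rule["op"] = t
            rule["chain"] = nxt if nxt and not nxt.startswith("-") else None
        elif t in ("-o", "--out-interface"):
            rule["out"] = nxt
        elif t in ("-j", "--jump"):
            rule["target"] = nxt
    return rule


def audit(script):
    """Return (finding, rule text) pairs; finding names are hypothetical labels."""
    findings, flushed = [], set()
    for rule in filter(None, map(parse, script.splitlines())):
        key = (rule["table"], rule["chain"])
        if rule["op"] == "-F":
            flushed.add(key)
        elif rule["op"] in ("-A", "-I"):
            # NAT on every outgoing interface, not just the external one.
            if rule["target"] == "MASQUERADE" and rule["out"] is None:
                findings.append(("masquerade-any-interface", rule["text"]))
            # Appending to a chain never flushed duplicates rules on re-run.
            if key not in flushed and (rule["table"], None) not in flushed:
                findings.append(("append-without-flush", rule["text"]))
    return findings
```

On the posted rules this reports the first POSTROUTING rule (it masquerades traffic leaving eth1 as well as eth0) and both FORWARD appends, since the filter table is never flushed.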
"If I download the file directly on the router machine, I reach high speed. If I download it from one of the client connected to the router, I again top @ 10 kB/s."
If you can reach good speed with one PC = not an ISP issue whatsoever. Full stop.
They are not out to destroy your iptables project or anything.
If the router gets good speed and any PCs behind it do not, then the issue should be within the settings/protocols of the LAN-side NIC on the router.
I would check that you are not confusing the network with too many DNS servers. I found this to be an issue once before, i.e. putting DNS servers in the PC settings and then possibly specifying the DNS on the router to look to the gateway for DNS. This can slow down the servers.
Check that the NICs on the router are all full duplex, ideally.
Try shutting off firewall and proxies to narrow it down.
Also - have a client bypass the router to prove it is getting full speed now.
Thx for your help, but I still can't get it to work.
Both cards are working in full-duplex.
What is a good DNS server setup? I tried blanking /etc/resolv.conf on the router and leaving it as it was on the clients, but that didn't change anything.
Again, I would like to state that if I download from ftp.videotron.com (my ISP), the speed is very good on the clients (450kB/s). If I try the same thing from ftp.kernel.org from a client, I get much slower speed (10 kB/s).
je_fro: I tried that script, it works, but I still get the same slow speed.
Does traceroute show any latency on the line between you and kernel.org?
I guess I may have understood. This will help: if you bypass the router, does the client's speed increase?
It was my understanding the speed increases - correct?
traceroute to kernel.org (184.108.40.206), 30 hops max, 40 byte packets
1 192.168.1.3 0.882 ms 0.894 ms 0.837 ms
2 * * *
3 modemcable114.243-200-24.mc.videotron.ca (220.127.116.11) 11.110 ms 11.741 ms 16.108 ms
4 10.154.0.26 16.891 ms 14.555 ms 13.214 ms
5 ia-cduc-bb02-ge8-0.vtl.net (18.104.22.168) 18.149 ms 16.915 ms 17.927 ms
6 22.214.171.124 34.528 ms 34.966 ms 34.567 ms
7 dcr1-so-4-2-0.Chicago.cw.net (126.96.36.199) 49.416 ms 47.900 ms 48.454 ms
8 bpr2-so-0-0-0.ChicagoEquinix.cw.net (188.8.131.52) 37.666 ms 36.980 ms 38.126 ms
9 cable-and-wireless-peering.ChicagoEquinix.cw.net (184.108.40.206) 35.088 ms 33.719 ms 34.891 ms
10 p16-1-1-1.r21.snjsca04.us.bb.verio.net (220.127.116.11) 87.423 ms 89.471 ms 89.063 ms
11 xe-0-2-0.r20.snjsca04.us.bb.verio.net (18.104.22.168) 93.712 ms 93.675 ms 94.761 ms
12 p64-0-0-0.r20.plalca01.us.bb.verio.net (22.214.171.124) 93.587 ms 93.886 ms 91.789 ms
13 p16-0-0-0.r00.plalca01.us.bb.verio.net (126.96.36.199) 92.148 ms 95.603 ms 94.901 ms
14 p1-0.isc.plalca01.us.bb.verio.net (188.8.131.52) 95.879 ms 97.555 ms 97.652 ms
15 r7-2.r8.pao1.isc.org (184.108.40.206) 96.657 ms 98.242 ms 98.334 ms
16 r8-pao1.r3.sfo2.isc.org (220.127.116.11) 94.856 ms 90.395 ms 92.112 ms
17 zeus-pub.kernel.org (18.104.22.168) 94.011 ms 96.644 ms 96.369 ms
Step 2 takes a while.
And you're right: If I bypass the server, the speed increases.
[I presume you have a firewall built into the router/gateway. Also, if you bypass this then the speed increases. What type of router/firewall are you running?]
192.168.0.3 is the LAN side of the router/firewall and 2 * * * is the WAN side, firewall.
Do me a favour: disable the firewall completely, just to see what happens, then test the speed from the client.