Slow speeds when going LAN -> Debian Firewall -> WAN

Cacciari · 05-01-2008, 06:38 PM

Greetings,

Perhaps one if you can help me.

I´ve googled, LQ'ed and found nothing like the problem i'm having. Perhaps im looking with wrong keywords or else. My problem is that I resurrected a Toshiba Satellite 335CDS. It's configuration is clearly not cutting-edge:

Pentium 233 MMX
64 RAM
4GB HD
No native NICs.

I've installed two NICs on it to construct my firewall.

On eth0: Encore 10/100Mbps (WAN)
On eth1: Xircom 10Mpbs (LAN) 192.168.119.0/24

My distro is Linux Debian Etch 2.6.18-6-486

Notes
* Configured 1 for IP forwarding
* 50% of RAM filled, Swap at 0%, +-5% CPU time
* Running dhcpd, nagios, sshd.
* Configured routes as this:

Code:

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Localhost:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.119.0   *               255.255.255.0   U     0      0        0 eth1
189.34.32.0     *               255.255.248.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth1
default         bd222001.virtua 0.0.0.0         UG    0      0        0 eth0
default         192.168.119.254 0.0.0.0         UG    0      0        0 eth1

Also, configured iptables, as this site instructs:

Code:

   # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
   iptables --flush            - Flush all the rules in filter and nat tables
   iptables --table nat --flush
   iptables --delete-chain     - Delete all chains that are not in default filter and nat table
   iptables --table nat --delete-chain

   # Set up IP FORWARDing and Masquerading
   iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
   iptables --append FORWARD --in-interface eth1 -j ACCEPT

   echo 1 > /proc/sys/net/ipv4/ip_forward             - Enables packet forwarding by kernel

I've read about 8 hours before posting this. I really wanted to avoid this but im very frustrated. My LAN cannot get speeds above 15KBs,20KBs to outside world. Listening to shoutcast is a torture.

wget things from firewall bash is like flying.. 512KBps Max.

Something must be very very wrong with my firewall. If you got through a problem like this, i would be very thankful if you expose your solution, or just give me a tip.

I hope it's just a "why dont you set blabla to 1" issue.

Thanks in advance.

beadyallen · 05-01-2008, 07:17 PM

I'm not sure if it's the problem, but why have you got the 10mbps card on the LAN side, with the faster on the WAN? I'd swap them over. With the current setup, all the other LAN machines have to downgrade to 10mbps, which will probably cause poor performance. Swapping them over means that the internal machines can go fast, and since the WAN doesn't get over 512KBps, the 10mbps card will do fine. I'd imagine that the firewall is getting web data too fast, and can't hand it off to the destination machine.
As I said, I don't know if it'll work, but it's worth a try.

Cacciari · 05-01-2008, 08:52 PM

I've tried it, but nothing.

Im testing only one host, listening to a shoutcast stream of 128Kbps. With such a small bandwidth occupation like that, it must be something wrong with linux, not with the NICs.