Hi there, I'm running squid on this machine I use as gateway/firewall for the users in my LAN:
Code:
CISCO Switch
_______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______|................|Gateway |
|.......|................|........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|_______|<------------->Internet
I'm having some slowdown in speed for LAN users since average download speed is around 50 KB/s behind the firewall with an E3 link (34.368 Mbit/s).
I'm using Iptables for NAT, firewall and redirecting LAN http users to transparent squid port.
I'm wondering why the download speed is so slow, since without the firewall some downloads might hit 300 KB/s, 800 KB/s or even 1.2 or 2 MB/s, and inside it won't go any further than 300 KB/s (for short periods of time), and the average speed is around 50 KB/s.
I'm not using any squid delay pools. Also, squid doesn't seem to be caching, since I downloaded some .exe file, and then tried to re-download it, but the speed was about the same.
Here's my squid.conf
Code:
acl redesinternas src 132.248.172.0/24 10.10.0.0/16
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow redesinternas
http_access allow manager localhost
http_access deny manager
# NOTE: the Safe_ports ACL referenced below is not defined anywhere in this
# excerpt; Squid refuses to start on an undefined ACL name, so the definition
# must exist in the part of squid.conf that was left out here.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_dir ufs /var/spool/squid 60000 16 256
maximum_object_size 25000 KB
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
always_direct allow all
coredump_dir /var/spool/squid
some of my iptables rules:
Code:
LOCAL_IF="lo"
EXTERNAL_IF="eth0"
INTERNAL_IF="eth1"
VIRTUAL_IF="eth1:1"
# Load the netfilter modules only if lsmod does not list them yet.
# ($DEPMOD, $LSMOD, $GREP, $AWK, $MODPROBE and $IPTABLES are set earlier in the script.)
$DEPMOD -a
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi
# TCP tuning via /proc/sys/net/ipv4
echo "32000 50000" >/proc/sys/net/ipv4/ip_local_port_range
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Rate-limit new connections from the outside: drop a source that sends
# 4 or more SYNs within 5 seconds (tracked in the "recent" list antinmap).
$IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j DROP --syn -m recent --name antinmap --update --seconds 5 --hitcount 4 -m state --state NEW,INVALID
$IPTABLES -A INPUT -p tcp -i $EXTERNAL_IF -j ACCEPT --syn -m recent --name antinmap --set -m state --state NEW,INVALID
# Log (rate-limited) and drop TCP packets with no flags set.
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level $NIVEL_LOG --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
# Transparent proxy: send LAN port-80 traffic to squid on port 3128
# ($VIRTUAL_NET and $INTERNAL_NET are defined earlier in the script).
$IPTABLES -t nat -A PREROUTING -s $VIRTUAL_NET -p tcp --dport 80 -j DNAT --to-destination 10.10.254.254:3128
$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp --dport 80 -j DNAT --to-destination 132.248.172.254:3128
# NAT everything leaving the external interface.
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE
My firewall specs:
Code:
# cat /proc/
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 4
model name : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping : 1
cpu MHz : 3391.875
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 5
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips : 6787.46
clflush size : 64
processor : 1
vendor_id : GenuineIntel
cpu family : 15
model : 4
model name : Intel(R) Pentium(R) 4 CPU 3.40GHz
stepping : 1
cpu MHz : 3391.875
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 5
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl cid cx16 xtpr
bogomips : 6782.98
clflush size : 64
#cat /proc/meminfo
MemTotal: 505664 kB
MemFree: 5520 kB
Buffers: 24324 kB
Cached: 133124 kB
SwapCached: 0 kB
Active: 330344 kB
Inactive: 73868 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 505664 kB
LowFree: 5520 kB
SwapTotal: 2097144 kB
SwapFree: 2097100 kB
Dirty: 1948 kB
Writeback: 0 kB
AnonPages: 246788 kB
Mapped: 25496 kB
Slab: 28044 kB
SReclaimable: 10344 kB
SUnreclaim: 17700 kB
PageTables: 2688 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2349976 kB
Committed_AS: 358040 kB
VmallocTotal: 516088 kB
VmallocUsed: 6536 kB
VmallocChunk: 509044 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 4096 kB
#df -h
S.ficheros Tamaño Usado Disp Uso% Montado en
/dev/mapper/VolGroup00-hdhfm
217G 22G 184G 11% /
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 247M 0 247M 0% /dev/shm
# uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
I tried the same configuration on 2 virtual machines, inside the same VLAN as the servers, but this went faster. Is it the Cisco switch? Too many users for my hardware capabilities?
Code:
CISCO Switch
_______
|vlan2..|<---------->Users LAN (
|.......|
|.......|<---------->eth1|........|
|_______| |Gateway |
|.......| |........|
|Vlan1..|<---------->eth0|________|
|.......|
|.......|<--->servers
|.......|<------------->Internet
|.......|
|.......|
|_______|
|
___|_____
My machine
turion 64X2 1.6 Ghz 1Gb ram
WinXP
with 2 VMWare machines:
- Fedora Core: #uname -a: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux
- eth0 bridged
- eth1 VMware IF 2 (private)
* Win XP connected to VMware IF 2 (private)
Any ideas or suggestions are welcome.
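Before blaming the switch or the hardware, the quickest way to tell whether squid is actually caching and where the slow transfers are is to measure it from the access.log that the posted squid.conf writes in the native "squid" format. The script below is an added example, not code from the original post or from the Squid project: it parses that format (timestamp, elapsed ms, client, code/status, bytes, method, URL, ident, peer, MIME type), computes the hit ratio over successful GETs, the per-request throughput in KB/s, the URLs that fell under a configurable threshold, and the URLs that were fetched more than once but were a MISS every time (the re-downloaded .exe case described in the post). The log lines embedded in it are constructed sample data, not lines from the poster's gateway.

```python
import re
import sys
from collections import Counter
from statistics import median

# Squid native "squid" access_log format:
# time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Constructed sample entries (not real log lines): the same .exe fetched twice
# and missed both times, one hit, one dynamic page, one denied CONNECT.
SAMPLE_LOG = """\
1190000000.101    452 10.10.3.17 TCP_MISS/200 1048576 GET http://example.test/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1190000012.224  21000 10.10.3.17 TCP_MISS/200 1048576 GET http://example.test/setup.exe - DIRECT/192.0.2.10 application/octet-stream
1190000020.305     12 10.10.3.18 TCP_HIT/200 5120 GET http://example.test/logo.png - NONE/- image/png
1190000021.400    800 132.248.172.40 TCP_MISS/200 40960 GET http://example.test/index.php?id=3 - DIRECT/192.0.2.10 text/html
1190000022.500      0 10.10.3.19 TCP_DENIED/403 1400 CONNECT mail.example.test:25 - NONE/- text/html
"""


def parse_line(line):
    """Return a dict for one native-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["elapsed_ms"] = int(entry["elapsed_ms"])
    entry["bytes"] = int(entry["bytes"])
    entry["status"] = int(entry["status"])
    return entry


def throughput_kbps(entry):
    """Throughput of one request in KB/s; None when elapsed is 0 (nothing to measure)."""
    if entry["elapsed_ms"] <= 0:
        return None
    return entry["bytes"] / 1024 / (entry["elapsed_ms"] / 1000)


def summarize(log_text, slow_kbps=100.0):
    """Hit ratio, median throughput, slow URLs and never-cached repeat URLs for a log."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    codes = Counter(e["code"] for e in entries)
    # Only successful GETs say anything about caching or download speed.
    served = [e for e in entries if e["status"] == 200 and e["method"] == "GET"]
    hits = sum(1 for e in served if "HIT" in e["code"])
    rates = [(e, throughput_kbps(e)) for e in served]
    measurable = [r for _, r in rates if r is not None]
    # A URL that is a MISS every time it is requested is the "not caching" symptom.
    miss_urls = Counter(e["url"] for e in served if "MISS" in e["code"])
    return {
        "requests": len(entries),
        "codes": dict(codes),
        "hit_ratio": hits / len(served) if served else 0.0,
        "median_kbps": median(measurable) if measurable else 0.0,
        "slow": [e["url"] for e, r in rates if r is not None and r < slow_kbps],
        "uncached_repeats": {u: n for u, n in miss_urls.items() if n > 1},
    }


if __name__ == "__main__":
    # Usage: python squid_log_check.py /var/log/squid/access.log  (sample data if no file given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    print("requests:        ", report["requests"])
    print("result codes:    ", report["codes"])
    print("hit ratio:        %.1f%%" % (100 * report["hit_ratio"]))
    print("median KB/s:      %.1f" % report["median_kbps"])
    print("slow URLs:       ", report["slow"])
    print("repeat MISS URLs:", report["uncached_repeats"])
```

On the sample data the hit ratio is 25%, the two slow transfers are the second .exe fetch (about 49 KB/s, the figure the post reports) and the dynamic index.php, and setup.exe shows up as requested twice without ever being served from cache. Run against the real access.log, a near-zero hit ratio for repeated static objects points at the cache (object size limits, refresh_pattern, or response headers such as Vary and Cache-Control) rather than at the switch, while uniformly low per-request throughput on misses points at the path between the gateway and the Internet.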