Sorry to bother you, but I don't get it.

We have two DSL Lines with fixed IPs and our firewall has three physical interfaces. Quite straightforward setup like it seems, an interface for each provider and the remaining interface for local LAN. There is only one thing we want to regulate by using packet marking and tcrules: one of the lines shall be used for www-traffic only.

We use Squid as proxy-service on that machine and since upgrade from 3.4.6 (shell) to 4.0.3 (perl) we notice that Squid is behaving strange. After a while Squid seems to go "DIRECT" only and the browsers on the clients seem to hang and or surfing is ultra slow.

If we take down the second external interface and use a "single-ISP" setup we don't see this kind of behaviour and surfing speeds up enormously.

Any hints appreciated.

Regards from Germany,

Kind regards,
Philipp Rusch
Artur Uszyński
2007-Sep-18 11:14 UTC
Re: Multi-ISP / Squid 2.6 Problem with Shorewall 4.0.3
Hello.

Philipp Rusch wrote:
> Sorry to bother you, but I don't get it.
>
> We have two DSL Lines with fixed IPs and our firewall has three physical
> interfaces. Quite straightforward setup like it seems, an interface for each
> provider and the remaining interface for local LAN. There is only one thing
> we want to regulate by using packet marking and tcrules: one of the lines
> shall be used for www-traffic only.
> We use Squid as proxy-service on that machine and since upgrade from
> 3.4.6 (shell) to 4.0.3 (perl) we notice that Squid is behaving strange.
> After a while Squid seems to go "DIRECT" only and the browsers on the
> clients seem to hang and or surfing is ultra slow.
> If we take down the second external interface and use a "single-ISP"
> setup we don't see this kind of behaviour and surfing speeds up enormously.
> Any hints appreciated.

There were some multiISP problems with shorewall-perl in 4.0.3, check last threads in list archive (at http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users): "MultiISP: perl compiler bug (shorewall 4.0.3)" and "MultiISP: minor(?) problem with route_rules processing". Maybe patches from there will help You. Or wait for shorewall 4.0.4.

Regards.
--
Artur
Artur Uszyński wrote:
> There were some multiISP problems with shorewall-perl in 4.0.3,
> check last threads in list archive
> (at http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users):
> "MultiISP: perl compiler bug (shorewall 4.0.3)" and "MultiISP: minor(?)
> problem with route_rules processing". Maybe patches from there
> will help You.

That patch is also available from the 4.0.3 errata. See the 4.0.3 "Known Problems" linked from the Shorewall home page.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Eduardo Ferreira
2007-Sep-18 16:25 UTC
Re: Multi-ISP / Squid 2.6 Problem with Shorewall 4.0.3
Tom Eastep wrote on 18/09/2007 10:47:33:
> Artur Uszyński wrote:
> > There were some multiISP problems with shorewall-perl in 4.0.3,
> > check last threads in list archive
> > (at http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users):
> > "MultiISP: perl compiler bug (shorewall 4.0.3)" and "MultiISP: minor(?)
> > problem with route_rules processing". Maybe patches from there
> > will help You.
>
> That patch is also available from the 4.0.3 errata. See the 4.0.3 "Known
> Problems" linked from the Shorewall home page.

another solution would be the use of tcp_outgoing_ip directive in squid.conf. it lets you define the local address squid will use for the outgoing requests.

cheers,
--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606
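An added illustration, not part of any post in this thread: the two approaches discussed so far, side by side, for a Shorewall release without the 4.0.3 Shorewall-perl bug (or 4.0.3 with the errata patches applied). Interface names and addresses are constructed from documentation ranges, and the Squid directive that sets the outgoing source address is spelled `tcp_outgoing_address`.

```conf
# --- /etc/shorewall/providers -------------------------------------------
# Constructed layout: eth0 = ISP1, eth1 = ISP2 (web only), eth2 = LAN.
# Only ISP1 has "balance", so unmarked traffic leaves through ISP1.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS        COPY
ISP1   1       1     main       eth0       192.0.2.1     track,balance  eth2
ISP2   2       2     main       eth1       198.51.100.1  track          eth2

# --- /etc/shorewall/tcrules (approach 1: packet marking) ------------------
# Squid runs on the firewall itself, so its requests originate from $FW
# and are marked in the OUTPUT chain. Mark 2 selects provider ISP2.
#MARK  SOURCE  DEST       PROTO  PORT(S)
2      $FW     0.0.0.0/0  tcp    80

# --- squid.conf (approach 2: bind Squid's outgoing connections) ----------
# 198.51.100.2 is the constructed firewall address on eth1. Unless the
# provider has the "loose" option, Shorewall adds a routing rule that sends
# traffic sourced from this address through ISP2's routing table.
tcp_outgoing_address 198.51.100.2
```

Use one approach or the other; the second ties squid.conf to a specific address, so a failover to the remaining line also requires a Squid configuration change.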
Eduardo Ferreira wrote:
> Tom Eastep wrote on 18/09/2007 10:47:33:
> > Artur Uszyński wrote:
> > > There were some multiISP problems with shorewall-perl in 4.0.3,
> > > check last threads in list archive
> > > (at http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users):
> > > "MultiISP: perl compiler bug (shorewall 4.0.3)" and "MultiISP: minor(?)
> > > problem with route_rules processing". Maybe patches from there
> > > will help You.
> >
> > That patch is also available from the 4.0.3 errata. See the 4.0.3 "Known
> > Problems" linked from the Shorewall home page.
>
> another solution would be the use of tcp_outgoing_ip directive in
> squid.conf. it lets you define the local address squid will use for the
> outgoing requests.

Unfortunately, the bug in 4.0.3 Shorewall-perl prevents that solution from working correctly :-(

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Philipp Rusch
2007-Sep-20 12:42 UTC
Re: SOLVED - Multi-ISP / Squid 2.6 Problem with Shorewall 4.0.3
Tom Eastep wrote:
> Eduardo Ferreira wrote:
> > Tom Eastep wrote on 18/09/2007 10:47:33:
> > > Artur Uszyński wrote:
> > > > There were some multiISP problems with shorewall-perl in 4.0.3,
> > > > check last threads in list archive
> > > > (at http://sourceforge.net/mailarchive/forum.php?forum_name=shorewall-users):
> > > > "MultiISP: perl compiler bug (shorewall 4.0.3)" and "MultiISP: minor(?)
> > > > problem with route_rules processing". Maybe patches from there
> > > > will help You.
> > >
> > > That patch is also available from the 4.0.3 errata. See the 4.0.3 "Known
> > > Problems" linked from the Shorewall home page.
> >
> > another solution would be the use of tcp_outgoing_ip directive in
> > squid.conf. it lets you define the local address squid will use for the
> > outgoing requests.
>
> Unfortunately, the bug in 4.0.3 Shorewall-perl prevents that solution from
> working correctly :-(
>
> -Tom

We changed to 4.0.3 PLUS all patches from the /errata directory, this works fine for now. Shall we change to 4.0.4 or is it too early to take this step?

Also, to Eduardo, I want to avoid to have something in squid.conf that sticks with a certain interface or IP address, in case we need to reconfigure routing because one of the lines is broken (again).

--
Kind regards,
Philipp Rusch
Tom Eastep
2007-Sep-20 13:44 UTC
Re: SOLVED - Multi-ISP / Squid 2.6 Problem with Shorewall 4.0.3
Philipp Rusch wrote:
> Shall we change to 4.0.4 or is it too early to take this step ?

Too early -- Shorewall 4.0.4 has not yet been released. See http://wiki.shorewall.net/roadmap.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key