howdy. I'm stuck for ideas trying to improve internet access performance to my PCs. I've read a million FAQs and tutorials and docs and everything else I could find. I initially tried setting up ICS from the Mandrake control panel, but that balls'd everything up, so I've manually set up Shorewall. I'm running Shorewall 2.0.2f, Mandrake 10 community on a 2-interface PC. My setup is exactly as shown in figure 1 of the Shorewall two-interface guide, http://www.shorewall.net/two-interface.htm

Sitting on my Shorewall box (no, not literally!), I can download 500meg+ files from my ISP's file servers at 150K/s+. I can download several files at once at a total of 600k/s (all via HTTP). While downloading at ~300k/s, my CPU load averages 30%, and my load average is up near 1 (as reported by KDE system watch).

From my Windows 2000 PC (static IP = 192.168.0.2, DNS and default gateway = 192.168.0.1), I can download files from the same server at a maximum of 30K/s (through Shorewall).

#shorewall clear makes no difference
#shorewall stop kills everything - I can't ping the fw or access the net.

Local FTP transfers run at 5000K/s+ (ftp://192.168.0.1/ from my Windows PC), so I don't believe that my hardware is at fault.

Any help for a noob would be greatly appreciated. cheers.
eth0 is connected to my LAN, and eth1 to the net via cable:

    # ip addr show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
        inet6 ff02::1/128 scope global
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:00:e8:89:b7:56 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
        inet6 fe80::200:e8ff:fe89:b756/64 scope link
           valid_lft forever preferred_lft forever
        inet6 ff02::1:ff89:b756/128 scope global
           valid_lft forever preferred_lft forever
        inet6 ff02::1/128 scope global
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:10:b5:06:e6:89 brd ff:ff:ff:ff:ff:ff
        inet 144.136.164.103/22 brd 255.255.255.255 scope global eth1
        inet6 fe80::210:b5ff:fe06:e689/64 scope link
           valid_lft forever preferred_lft forever
        inet6 ff02::1:ff06:e689/128 scope global
           valid_lft forever preferred_lft forever
        inet6 ff02::1/128 scope global
           valid_lft forever preferred_lft forever
    4: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

/etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth1        detect
    loc     eth0        detect

/etc/shorewall/zones

    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet zone
    loc     Local     Local network zone

/etc/shorewall/masq

    #INTERFACE   SUBNET   ADDRESS
    eth1         eth0

/etc/shorewall/policy

    #SOURCE   DEST   POLICY   LOG    LIMIT:BURST
    fw        net    ACCEPT
    loc       net    ACCEPT
    net       all    DROP     info
    loc       fw     ACCEPT
    fw        loc    ACCEPT
    all       all    REJECT   info

/etc/shorewall/rules

    #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER
    #                                 PORT   PORT(S)   DEST       LIMIT
    ACCEPT    net      fw     icmp    8      -
    ACCEPT    loc      fw     tcp     53
    ACCEPT    loc      fw     udp     53

/etc/shorewall/routestopped

    #INTERFACE   HOST(S)
    eth0         192.168.0.2
SimmO wrote:

> from my windows 2000 pc (static ip = 192.168.0.2 dns and default
> gateway = 192.168.0.1), I can download files from the same server at a
> maximum of 30K/s (through shorewall).
> #shorewall clear makes no difference

Huh? You can totally remove all Shorewall-generated rules and still access the ISP's server?

> #shorewall stop kills everything - I can't ping the fw or access the net.

You should be able to access the firewall from 192.168.0.2 according to your routestopped file below.

> local ftp transfers run at 5000K/s+ (ftp://192.168.0.1/ from my windows
> pc), so I don't believe that my hardware is at fault.
>
> Any help for a noob would be greatly appreciated. cheers.
>
> /etc/shorewall/routestopped
> #INTERFACE HOST(S)
> eth0 192.168.0.2

Are you seeing any Shorewall messages in your log?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Sounds like wrong MTU settings on modem.

Regards,
jason

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, June 10, 2004 9:54 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Poor speeds from net to local

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On June 10, 2004 09:13 am, Jason Png wrote:
> Sounds like wrong MTU settings on modem.

Not if he is able to download at 600kB/s to the firewall. As a shorewall clear does not help anything, my suspicion is this is a network hardware issue. Perhaps he has a duplex mismatch issue on eth0 or perhaps eth0 is flakey. I would start by looking for errors on the switch (if it's managed) or looking for errors on the nic.

--
Mason Schmitt
Mason Schmitt wrote:
> On June 10, 2004 09:13 am, Jason Png wrote:
>> Sounds like wrong MTU settings on modem.
>
> Not if he is able to download at 600kB/s to the firewall. As a shorewall
> clear does not help anything, my suspicion is this is a network hardware
> issue. Perhaps he has a duplex mismatch issue on eth0 or perhaps eth0 is
> flakey. I would start by looking for errors on the switch (if it's managed)
> or looking for errors on the nic.

One might also see something useful in a tcpdump (retries, fragmentation-needed, etc).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Here's some more info:

I've got a hundred or more of these records per day... 61.9.224.13 is my ISP's auth server. Port 5050 is used by the ISP's login software for a heartbeat, so I guess that's where that one came from. The others, I don't know.

/var/log/messages

    Jun 15 16:30:18 linuxo kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:10:b5:06:e6:89:00:05:5f:ea:d8:8c:08:00 SRC=61.9.224.13 DST=144.136.164.103 LEN=36 TOS=0x00 PREC=0x00 TTL=54 ID=1450 DF PROTO=UDP SPT=5051 DPT=5050 LEN=16
    Jun 15 16:30:20 linuxo kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:10:b5:06:e6:89:00:05:5f:ea:d8:8c:08:00 SRC=220.188.135.187 DST=144.136.164.103 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=42055 DF PROTO=TCP SPT=2673 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0
    Jun 15 16:30:23 linuxo kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:10:b5:06:e6:89:00:05:5f:ea:d8:8c:08:00 SRC=220.188.135.187 DST=144.136.164.103 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=43781 DF PROTO=TCP SPT=4474 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0

Jason wrote: "Sounds like wrong MTU settings on modem."

But, I can download at 600k/s on the Shorewall PC.

As for hardware, I can transfer files from fw to local at 5000K/s+, often 8000K/s. My switch is an el cheapo toy one. It's not managed.

Tom wrote: "One might also see something useful in a tcpdump (retries, fragmentation-needed, etc)."

How might one do that please?
----- Original Message -----
From: "SimmO"

> I've got a hundred or more of these records per day...
> 61.9.224.13 is my isp's auth server. port 5050 is used by the isp's
> login software for a heartbeat. so, I guess that's where that one came from.
> the others, I don't know.
> Jun 15 16:30:18 linuxo kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
> MAC=00:10:b5:06:e6:89:00:05:5f:ea:d8:8c:08:00 SRC=61.9.224.13
> DST=144.136.164.103 LEN=36 TOS=0x00 PREC=0x00 TTL=54 ID=1450 DF PROTO=UDP
> SPT=5051 DPT=5050 LEN=16

LOL.. SimmO... Whether or not the above has anything to do with your problem, you should investigate it anyways. That doesn't look right or sound right..

> Jason wrote:
> "Sounds like wrong MTU settings on modem."
>
> But, I can download at 600k/s on the shorewall pc.

SimmO... we need to isolate your problem.. So simply do the following.. You would of course want to do this in conjunction with the tcpdump directions below. So you would start tcpdump and then the following below.

From a machine on the loc_lan can you ping out to the internet by name or ip via:

On M$ Windows:
    ping -t -l 1472 -f www.yahoo.com
or:
    ping -t -l 1472 -f 66.94.230.39
the "-l" is the lowercase letter L.. Ctrl-c to stop...

Or the same thing on a linux pc on the loc_lan:
    ping -c 20 -s 1472 -s 1472 -M do www.yahoo.com
or:
    ping -c 20 -s 1472 -s 1472 -M do 66.94.230.39

This is pinging with the largest packet size allowable with ethernet without needing to be fragmented. This should help isolate MTU issues pretty quick. What happens?

OR....

1) Take out the switch that is connected to the Shorewall firewall and connect either a Windows pc or a Linux pc directly to eth0 of the Shorewall firewall using a cross-over cable or just use a Hub.. then perform the test below.

> as for hardware, I can transfer files from fw to local at 5000K/s+, often 8000K/s.
> My switch is an el cheapo toy one. It's not managed.

Of course.... you wouldn't have an MTU problem from the fw to the loc_lan in my experience unless something was really hacked up the wrong way. Or there's a problem between the FW interface and your loc_lan segment. Can you download or transfer, initiating the connection from the loc_lan to the fw?

> Tom wrote
> "One might also see something useful in a tcpdump (retries, "
> fragmentation-needed, etc).
>
> how might one do that please?

I smell flames. :p Jk..
Assuming you have tcpdump installed..... "man tcpdump" for the meaning of the syntax below:

From a console on the Shorewall firewall do:
    tcpdump -i eth1 -nv -c 1000 -s 1500 not arp
Ctrl-c to stop the output

You would of course want to do this in conjunction with the testing I outlined above.. I hope that helps..
Please show us the routing table on the Shorewall firewall box as well..

    ip route show

Thanks,
Joshua Banks

----- Original Message -----
From: "Joshua Banks" <syn_ack@comcast.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, June 15, 2004 5:10 AM
Subject: Re: [Shorewall-users] Poor Speeds from net to local
Woopsee... I put in "-s 1472" twice.

[edit]
> > ping -c 20 -s 1472 -s 1472 -M do www.yahoo.com
> > or: ping -c 20 -s 1472 -s 1472 -M do 66.94.230.39
[/edit]

Should be:
    ping -c 20 -s 1472 -M do www.yahoo.com
or:
    ping -c 20 -s 1472 -M do 66.94.230.39

Joshua Banks
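As an added example (not code from the thread or from Joshua): a small POSIX shell script that turns the single 1472-byte do-not-fragment ping above into a binary search for the largest payload a path carries unfragmented, i.e. a path MTU probe. probe_real, probe_sim, find_max_payload and path_mtu are my names; a live run assumes Linux iputils ping (-M do, -W), and probe_sim is a constructed stand-in so the search runs offline.

```shell
#!/bin/sh
# Binary-search the largest ICMP payload that crosses the path with DF set.
# payload + 8 (ICMP header) + 20 (IPv4 header) = on-wire packet size, so
# 1472 is the ceiling on plain 1500-byte Ethernet (the thread's test value).

# Real probe: one DF ping with the given payload; exit 0 when it got through.
# Assumes Linux iputils ping (-M do sets DF, -W is the reply timeout).
probe_real() {    # $1 = payload bytes, $2 = host
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: models a path whose largest
# unfragmented payload is SIM_MAX_PAYLOAD (1464 = a 1492-byte PPPoE hop).
SIM_MAX_PAYLOAD=${SIM_MAX_PAYLOAD:-1464}
probe_sim() {     # $1 = payload bytes, $2 = host (ignored)
    [ "$1" -le "$SIM_MAX_PAYLOAD" ]
}

# Largest payload the probe accepts, searched between 0 and 1472.
# Invariant: lo always passes (0 is assumed to), hi always fails, unless
# 1472 itself passes, in which case the path is full Ethernet MTU.
find_max_payload() {  # $1 = probe function name, $2 = host
    probe=$1; host=$2; lo=0; hi=1472
    if "$probe" "$hi" "$host"; then
        echo "$hi"
        return 0
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Path MTU = payload + 28 bytes of ICMP/IPv4 headers.
path_mtu() {      # $1 = probe function name, $2 = host
    echo $(( $(find_max_payload "$1" "$2") + 28 ))
}

# Offline demo against the simulated path; swap probe_sim for probe_real
# (e.g. path_mtu probe_real 66.94.230.39) to test a live link from the LAN.
echo "simulated path: max payload $(find_max_payload probe_sim demo) bytes, path MTU $(path_mtu probe_sim demo)"
```

Run from the LAN PC towards an Internet host and again towards the firewall itself: a result below 1500 only on the first run points at the ISP side, while a result below 1500 towards 192.168.0.1 points at the local segment.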
pinging yahoo from my firewall (fw->net):

    --- www.yahoo.akadns.net ping statistics ---
    100 packets transmitted, 100 received, 0% packet loss, time 99097ms
    rtt min/avg/max/mdev = 214.721/219.036/252.462/7.435 ms

pinging my ISP's homepage from firewall:

    --- www.bigpond.com ping statistics ---
    100 packets transmitted, 100 received, 0% packet loss, time 99104ms
    rtt min/avg/max/mdev = 39.914/42.961/65.307/3.270 ms

pinging yahoo from winblows (loc->fw->net):

    Ping statistics for 66.94.230.37:
        Packets: Sent = 100, Received = 99, Lost = 1 (1% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 219 ms, Maximum = 250ms, Average = 217ms

Note how the average is less than the minimum? Way to go Billy G. and M$

and my ISP from winblows:

    Ping statistics for 144.135.18.32:
        Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 32 ms, Maximum = 63ms, Average = 34ms

Now that I've installed tcpdump, I've run it. I didn't see any obvious error messages - it all went whizzing by pretty fast. :)

    1000 packets captured
    1000 packets received by filter
    0 packets dropped by kernel

ip route show:

    192.168.0.0/24 via 192.168.0.1 dev eth0 scope link
    192.168.0.0/24 dev eth0 scope link
    144.136.164.0/22 dev eth1 proto kernel scope link src 144.136.164.103
    127.0.0.0/8 dev lo scope link
    default via 144.136.164.1 dev eth1

Last time I did this (way back at the start of my troubleshooting), there weren't double entries for 192.168.0.0.
SimmO wrote:
> Now that I've installed tcpdump,
> I've run it, I didn't see any obvious error messages - it all went
> whizzing by pretty fast. :)

Did it occur to you to redirect the output to a file? Also, tcpdump has a "-w" option which permits writing the raw packets to a file for later analysis using tcpdump or (better) ethereal.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Do I feel like a boob: I made a crossover cable to test things out - "weeee look at it go now", I said as soon as it was plugged in. Seems the problem is my shitty toy switch or the other ethernet cables.

Thanks for your help guys anyways. It's been a learning experience for me. It's good to see a support crew that actually try to help. :) keep up your good work.

ps: I looked closer at the output from ethereal. It didn't show any significant error messages. Maybe a dozen retransmissions over 1 Megabyte's worth of packets.
SimmO wrote:
> ps: I looked closer at the output from ethereal. It didn't show any
> significant error messages. maybe a dozen retransmissions over
> 1Megabytes' worth of packets.

With this type of problem, you might have been able to see errors with "ip -s link ls" (I know -- hindsight is always perfect).

    gateway:/usr/share/shorewall# ip -s link ls eth2
    4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 02:00:08:e3:4c:48 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        1917950498 12132441 1       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        3800630297 19924857 4       0       2       0
    gateway:/usr/share/shorewall#

The above is a very low error rate -- I suspect you were seeing a higher rate on the interface connected to the ersatz switch.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
----- Original Message -----
From: "SimmO"

> do i feel like a boob:
> I made a crossover cable to test things out - "weeee look at it go now",
> I said as soon as it was plugged in. seems the problem is my shitty toy
> switch or the other ethernet cables.

LOL. :D SimmO, that's why I (quoting my initial post to you) made the suggestion to, among other things, "1) Take out the switch that is connected to the Shorewall firewall and connect either a Windows pc or a Linux pc directly to eth0 of the Shorewall firewall using a cross-over cable or just use a Hub." If this wasn't blatantly obvious, sorry. But I don't know how much clearer I could've been.

> Thanks for your help guys anyways. It's been a learning experience for me.
> It's good to see a support crew that actually try to help. :) keep up
> your good work.
> ps: I looked closer at the output from ethereal. It didn't show any
> significant error messages. maybe a dozen retransmissions over
> 1Megabytes' worth of packets.

Looking at the output of either of these two commands should have clued you in as to ethernet problems between your switch and shorewall's connecting internal interface. A lot of times this can be a duplex mismatch issue.. where you need to manually set a duplex speed on one end because the other is having troubles AutoSensing.. Or maybe one side autosensed wrong and put its link into full duplex mode when it shouldn't have. This happens a lot in my experience.. You can manually set your duplex speed and mtu levels... among other things with the two utilities below. "man ifconfig" and "man ip". I believe ifconfig is slowly being phased out with the "ip utility". But as you can see.. this shows packet counts with "collisions, errors, dropped, etc.. etc.."

As an experiment I would run both of these commands below without the switch in place to see what statistics are displayed and then with the switch in place. Surf the net during both tests or do sustained pings and then run the commands.. I'm sure it will be very obvious with the amount of packet errors and drops.. etc.. etc..

    root@fusion toejam # ip -s link show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        RX: bytes  packets  errors  dropped overrun mcast
        14129      174      0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        14129      174      0       0       0       0
    2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:40:05:40:1f:65 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        347941530  3029476  1       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        21803069   149028   1       0       1       0
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:08:02:7f:70:9b brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        27156395   195425   0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        163843069  236870   0       0       0       0

    root@fusion toejam # ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:40:05:40:1F:65
              inet addr:67.170.99.253  Bcast:255.255.255.255  Mask:255.255.255.0
              UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3033527 errors:1 dropped:0 overruns:0 frame:0
              TX packets:149028 errors:1 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000
              RX bytes:348194074 (332.0 Mb)  TX bytes:21803069 (20.7 Mb)
              Interrupt:16 Base address:0x1000

    eth1      Link encap:Ethernet  HWaddr 00:08:02:7F:70:9B
              inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:195502 errors:0 dropped:0 overruns:0 frame:0
              TX packets:236952 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:27163637 (25.9 Mb)  TX bytes:163852129 (156.2 Mb)
              Interrupt:20 Base address:0x7000

I'm glad to see that you figured out your problem. That's a nice way to start the weekend. :)

Joshua Banks
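As an added example (not code from the thread), tying together Tom's "ip -s link ls" and Joshua's "ip -s link show" suggestions: a shell function, link_errors (my name), that parses that output from stdin and flags interfaces whose error, drop and collision counters are high relative to their packet counts, which is the signature of a duplex mismatch or a bad switch port. The sample output is constructed, modelled on the counters posted in this thread, with eth0 given the kind of numbers a duplex mismatch leaves behind.

```shell
#!/bin/sh
# Read `ip -s link show` output on stdin and flag interfaces whose
# errors/drops/collisions are out of proportion to their packet counts.
# Usage on the firewall:  ip -s link show | link_errors
# LINK_ERR_PER_10K (default 1) is the "bad events per 10,000 packets"
# threshold above which an interface is reported as SUSPECT.
link_errors() {
    awk -v thresh="${LINK_ERR_PER_10K:-1}" '
        # "2: eth0: <BROADCAST,...> mtu 1500 ..." starts an interface block
        /^[0-9]+: / { iface = $2; sub(/:.*/, "", iface); section = ""; next }
        /^ *RX: bytes/ { section = "RX"; next }
        /^ *TX: bytes/ { section = "TX"; next }
        # RX counter line: bytes packets errors dropped overrun mcast
        section == "RX" {
            rx_pkts[iface] = $2; rx_bad[iface] = $3 + $4 + $5
            section = ""; next
        }
        # TX counter line: bytes packets errors dropped carrier collsns
        section == "TX" {
            tx_pkts[iface] = $2; tx_bad[iface] = $3 + $4 + $5 + $6
            order[++n] = iface; section = ""; next
        }
        END {
            for (i = 1; i <= n; i++) {
                f = order[i]
                rx_rate = (rx_pkts[f] + 0 > 0) ? rx_bad[f] * 10000 / rx_pkts[f] : 0
                tx_rate = (tx_pkts[f] + 0 > 0) ? tx_bad[f] * 10000 / tx_pkts[f] : 0
                verdict = (rx_rate > thresh || tx_rate > thresh) ? "SUSPECT" : "OK"
                printf "%s rx_pkts=%s rx_bad=%d rx_per10k=%.2f tx_pkts=%s tx_bad=%d tx_per10k=%.2f %s\n",
                    f, rx_pkts[f], rx_bad[f], rx_rate, tx_pkts[f], tx_bad[f], tx_rate, verdict
            }
        }'
}

# Constructed sample modelled on the outputs in this thread: eth0 (the LAN
# side, behind the cheap switch) is given the counters a duplex mismatch
# produces; eth1 carries the low, healthy counts Tom posted for his eth2.
SAMPLE_LINK_STATS='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    14129      174      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    14129      174      0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:e8:89:b7:56 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    347941530  3029476  18211   2540    0       0
    TX: bytes  packets  errors  dropped carrier collsns
    21803069   149028   97      0       1       6120
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:b5:06:e6:89 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1917950498 12132441 1       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3800630297 19924857 4       0       2       0'

printf '%s\n' "$SAMPLE_LINK_STATS" | link_errors
```

Run it once with the PC on the switch and once on the crossover cable, as Joshua suggests; the SUSPECT verdict should follow the switch.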