Kenneth Gonsalves
2008-Apr-04 00:48 UTC
can a badly configured firewall affect router performance
hi,

lately I have been having problems with a new leased line and router - It performs fine for some time (several days) or a few hours. Then suddenly I am unable to ping the gateway. After some time it reverts to normal - regardless of whether the router is rebooted or not. On one occasion the router configuration had also got wiped out. Before investigating further I would like to know if there is a possibility that a badly configured firewall could cause this problem. If there is such a possibility, I will post the complete configuration and dump.

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/code/
Tom Eastep
2008-Apr-04 03:16 UTC
Re: can a badly configured firewall affect router performance
Kenneth Gonsalves wrote:
> lately I have been having problems with a new leased line and router - It performs fine for some time (several days) or a few hours. Then suddenly I am unable to ping the gateway. After some time it reverts to normal - regardless of whether the router is rebooted or not. On one occasion the router configuration had also got wiped out.

Too much drama for me....

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Simon Hobson
2008-Apr-04 07:48 UTC
Re: can a badly configured firewall affect router performance
Kenneth Gonsalves wrote:
> lately I have been having problems with a new leased line and router - It performs fine for some time (several days) or a few hours. Then suddenly I am unable to ping the gateway. After some time it reverts to normal - regardless of whether the router is rebooted or not. On one occasion the router configuration had also got wiped out. Before investigating further I would like to know if there is a possibility that a badly configured firewall could cause this problem. If there is such a possibility, I will post the complete configuration and dump.

Nothing is impossible, but as Tom has told people so many times, Shorewall isn't 'running' (it just configures stuff and quits).

I would be VERY surprised if the firewall config itself was causing problems, and even more surprised if it could wipe your config.

I'd be more inclined to think along the lines of perhaps, limited resources, flood of <something> from internet, system unable to cope. For example, I had to replace my ADSL modem as the old one couldn't cope with the ARP table when running BitTorrents - and I also had to tune my network tables (maxed them out) for the Linux networking for the same reason. Even then I can't see how that would alter your config unless you've managed to cause filesystem corruption.

Perhaps if you posted some key details about your setup - what sort of hardware (eg there's a big difference between a router appliance with 64M RAM and a bit of flash, and a PC with a GByte of RAM and hard disk).
Kenneth Gonsalves
2008-Apr-04 07:53 UTC
Re: can a badly configured firewall affect router performance
On 04-Apr-08, at 1:18 PM, Simon Hobson wrote:
> Kenneth Gonsalves wrote:
>
>> lately I have been having problems with a new leased line and router - It performs fine for some time (several days) or a few hours. Then suddenly I am unable to ping the gateway. After some time it reverts to normal - regardless of whether the router is rebooted or not. On one occasion the router configuration had also got wiped out. Before investigating further I would like to know if there is a possibility that a badly configured firewall could cause this problem. If there is such a possibility, I will post the complete configuration and dump.
>
> Nothing is impossible, but as Tom has told people so many times, Shorewall isn't 'running' (it just configures stuff and quits).
>
> I would be VERY surprised if the firewall config itself was causing problems, and even more surprised if it could wipe your config.

this is the problem we face with most ISPs. The moment they see a linux machine they blame all failures on linux, pull out their windows laptop and say: 'see it works perfectly'. But when I connect to a 150 machine LAN the link collapses. The line in question is a 2 Mbps leased line with a huawei router. When installed it ran perfectly for 36 hours giving the full 2 Mbps (measured using iftop) and then failed. The firewall server had 2GB RAM. Then, to prove their point they set up NAT on the router and connected it directly to the LAN and it has been working perfectly since then. However speeds have dropped dramatically - possibly due to lack of proxy cache. Anyway, the setup was Mandriva2007 with an old version of shorewall. I am now setting up a more up-to-date box and will investigate further.

> I'd be more inclined to think along the lines of perhaps, limited resources, flood of <something> from internet, system unable to cope. For example, I had to replace my ADSL modem as the old one couldn't cope with the ARP table when running BitTorrents - and I also had to tune my network tables (maxed them out) for the Linux networking for the same reason. Even then I can't see how that would alter your config unless you've managed to cause filesystem corruption.
>
> Perhaps if you posted some key details about your setup - what sort of hardware (eg there's a big difference between a router appliance with 64M RAM and a bit of flash, and a PC with a GByte of RAM and hard disk).

I will try out my new setup - and if the problem recurs will post full details

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/code/
Andrew Suffield
2008-Apr-04 10:49 UTC
Re: can a badly configured firewall affect router performance
On Fri, Apr 04, 2008 at 01:23:39PM +0530, Kenneth Gonsalves wrote:
> When installed it ran perfectly for 36 hours giving the full 2 Mbps (measured using iftop) and then failed.

Sounds like a hardware fault to me.
Simon Hobson
2008-Apr-04 11:25 UTC
Re: can a badly configured firewall affect router performance
Kenneth Gonsalves wrote:
>> Nothing is impossible, but as Tom has told people so many times, Shorewall isn't 'running' (it just configures stuff and quits).
>>
>> I would be VERY surprised if the firewall config itself was causing problems, and even more surprised if it could wipe your config.
>
> this is the problem we face with most ISPs. The moment they see a linux machine they blame all failures on linux, pull out their windows laptop and say: 'see it works perfectly'.

Yep, know exactly what you mean :-(

> But when I connect to a 150 machine LAN the link collapses. The line in question is a 2 Mbps leased line with a huawei router. When installed it ran perfectly for 36 hours giving the full 2 Mbps (measured using iftop) and then failed. The firewall server had 2GB RAM. Then, to prove their point they set up NAT on the router and connected it directly to the LAN and it has been working perfectly since then. However speeds have dropped dramatically - possibly due to lack of proxy cache. Anyway, the setup was Mandriva2007 with an old version of shorewall. I am now setting up a more up-to-date box and will investigate further.

Just a couple of data points for comparison:

At work we used to have a 2M line - no NAT, we have a class C block. Over a year ago I set up a box (1G Celeron, 1G RAM) to do traffic accounting and traffic control - this was operating as a bridge. There were very few rules as this wasn't a firewall, just a traffic monitor. It only had that much ram because of the graphing, where I could see the rrd process go up to 2G VM size for one of the graphs! This box ran without problem for over a year.

We recently upgraded the line to 6M (it's actually a different line), and I set up a new box running in routed mode instead of bridging. The new box is a Pentium III 1G and routes the traffic fine, and does the accounting (in and out for 254 addresses) - it only has 256M ram as the graphing is now done on a different box (the old logger) with the data files on an NFS export. This box cannot also traffic shape - it seems to max out at 4Mbps as soon as I turn on TC.

The old box was Debian Sarge, the new one is Debian Etch.