On Wednesday 16 January 2002 09:59, Omppu wrote:
I have the following setup:
Internet
  |  S0
 [cisco router]
  |  F0 195.165.91.1  mask 255.255.255.240
 [HUB] ---------------- [server] 195.165.91.3  mask 255.255.255.240
  |  195.165.91.2  netmask 255.255.255.240  GW 195.165.91.1
 [SuSE 7.3]
  |---------------- 195.165.91.129  netmask 255.255.255.192
  |
  |  195.165.91.193  netmask 255.255.255.192
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
195.165.91.0    *               255.255.255.240 U     0      0   0   eth0
195.165.91.0    *               255.255.255.240 U     0      0   0   eth0
195.165.91.192  *               255.255.255.192 U     0      0   0   eth2
195.165.91.128  *               255.255.255.192 U     0      0   0   eth1
default         195.165.91.1    0.0.0.0         UG    0      0   0   eth0
SuSE 7.3 running on a Pentium 3 550 MHz with 128 MB RAM and Intel Ethernet Pro/100+ network cards.
For some reason I'm getting some lag on connections going through the Linux box, and the lag becomes longer and worse when I start up the firewall.
Any ideas what is causing this and how it can be resolved?
What worries me about your setup is your use of variable netmasks on very similar network numbers. In the past, I've found 'PC support' fairly incapable of setting correct DNS servers, never mind static IPs and tricky netmasks, so I'd suspect some misconfiguration on the client side. I understand you wanted to divide up the network efficiently without renumbering using private network numbers. I just like simpler schemes, as they're hard enough to set up and keep functioning correctly.

When you connect you may well have both ident and DNS PTR and A lookups going on to authorise and log info about the connection. Now if you drop the ICMP reject to the ident connection, which is sent because you either don't permit, or simply don't run, an ident server, you will see delays. I'd also check you don't have DNS servers configured to forward requests to each other, as well as trying to resolve them (and perhaps failing) on the Net.

Can you use some logging of what's going back and forth in your rules? The rate limiting feature should help; and see if ident and DNS packets are being sent as expected. If simple analysis doesn't solve it, you might well need heavier-duty tools like tcpdump.

Rob
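An added example, not from either poster: a small Python check over the `route` output quoted above that flags duplicate or overlapping connected subnets, confirms the default gateway sits on a connected subnet, and tests host address/netmask pairs (the ones from the diagram plus one constructed misconfigured client) against the Linux box's subnets, which is the netmask-mismatch problem Rob suspects. Function names and the constructed client address are my own.

```python
import ipaddress

# Copied from the `route` output in the post (note the two identical eth0 entries).
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
195.165.91.0    *               255.255.255.240 U     0      0   0   eth0
195.165.91.0    *               255.255.255.240 U     0      0   0   eth0
195.165.91.192  *               255.255.255.192 U     0      0   0   eth2
195.165.91.128  *               255.255.255.192 U     0      0   0   eth1
default         195.165.91.1    0.0.0.0         UG    0      0   0   eth0
"""

def parse_routes(text):
    """Return [(network, gateway or None, iface)] parsed from old-style `route` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        if f[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        gw = None if f[1] == "*" else ipaddress.ip_address(f[1])
        routes.append((net, gw, f[7]))
    return routes

def find_route_problems(routes):
    """Report duplicate connected routes, overlapping connected subnets (the VLSM
    trap), and gateways that are not reachable over any connected subnet."""
    problems = []
    connected = [(n, i) for n, g, i in routes if g is None]
    for a in range(len(connected)):
        for b in range(a + 1, len(connected)):
            (na, ia), (nb, ib) = connected[a], connected[b]
            if na == nb:
                problems.append(f"duplicate route {na} via {ia}/{ib}")
            elif na.overlaps(nb):
                problems.append(f"overlap {na} ({ia}) vs {nb} ({ib})")
    for net, gw, iface in routes:
        if gw is not None and not any(gw in n for n, _ in connected):
            problems.append(f"gateway {gw} for {net} ({iface}) not on a connected subnet")
    return problems

def check_hosts(hosts, routes):
    """Map each 'addr/netmask' string to True if the Linux box has a connected route
    whose subnet matches exactly; a client with the wrong netmask comes out False."""
    connected = {n for n, g, _ in routes if g is None}
    return {h: ipaddress.ip_interface(h).network in connected for h in hosts}

# Hosts from the diagram, plus one constructed client with a /24 mask (not in the post).
DIAGRAM_HOSTS = ["195.165.91.1/255.255.255.240", "195.165.91.3/255.255.255.240",
                 "195.165.91.2/255.255.255.240", "195.165.91.129/255.255.255.192",
                 "195.165.91.193/255.255.255.192"]
BAD_CLIENT = "195.165.91.5/255.255.255.0"
```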