Gentoo Forums
Gentoo Firewall is choking internet speed. [SOLVED]
Reply to topic    Gentoo Forums Forum Index Networking & Security
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Mon Jun 18, 2018 3:15 pm    Post subject: Gentoo Firewall is choking internet speed. [SOLVED]

Hello

We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. That is with their speed test.

I tested with iperf3 on the box itself... and got worse results:

Code:
Connecting to host iperf.he.net, port 5201
[  4] local xxx.xxx.xxx.xxx port 50332 connected to 216.218.227.10 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  3.55 MBytes  29.7 Mbits/sec    0    296 KBytes
[  4]   1.00-2.00   sec  1.35 MBytes  11.3 Mbits/sec    0    363 KBytes
[  4]   2.00-3.00   sec  1.34 MBytes  11.3 Mbits/sec    0    433 KBytes
[  4]   3.00-4.00   sec  1.35 MBytes  11.4 Mbits/sec   13    324 KBytes
[  4]   4.00-5.00   sec  1.35 MBytes  11.3 Mbits/sec    0    372 KBytes
[  4]   5.00-6.00   sec  1.35 MBytes  11.3 Mbits/sec    0    407 KBytes
[  4]   6.00-7.00   sec  1.28 MBytes  10.7 Mbits/sec    3    404 KBytes
[  4]   7.00-8.00   sec  1.41 MBytes  11.8 Mbits/sec    8    315 KBytes
[  4]   8.00-9.00   sec  1.35 MBytes  11.3 Mbits/sec    0    341 KBytes
[  4]   9.00-10.00  sec  1.35 MBytes  11.3 Mbits/sec    0    355 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  15.7 MBytes  13.1 Mbits/sec   24             sender
[  4]   0.00-10.00  sec  13.2 MBytes  11.1 Mbits/sec                  receiver


Testing from another box behind the firewall, it got even worse...

Code:
[  4] local 192.168.xxx.xxx port 54666 connected to 216.218.227.10 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.91 MBytes  16.0 Mbits/sec    0   96.2 KBytes
[  4]   1.00-2.00   sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
[  4]   2.00-3.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   3.00-4.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   4.00-5.00   sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
[  4]   5.00-6.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   6.00-7.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   7.00-8.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   8.00-9.00   sec   902 KBytes  7.39 Mbits/sec    0   96.2 KBytes
[  4]   9.00-10.00  sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  9.60 MBytes  8.05 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  8.40 MBytes  7.04 Mbits/sec                  receiver


These are the cards that are on that Gentoo firewall box:

Code:
02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)


Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.xxx.xxx  netmask 255.255.255.0  broadcast 192.168.xxx.xxx
        ether d0:67:e5:ee:44:73  txqueuelen 1000  (Ethernet)
        RX packets 453321948  bytes 594791527037 (553.9 GiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 268473640  bytes 86843846038 (80.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.xxx.xxx.xxx  netmask 255.255.255.252  broadcast xxx.xxx.xxx.xxx
        ether 00:0a:cd:20:b8:4a  txqueuelen 1000  (Ethernet)
        RX packets 269470690  bytes 86762995524 (80.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 450122190  bytes 593247038718 (552.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


UPDATE: I tried changing the MTU to 1472, since I was getting fragmentation at 1500, to see if that helped. No change after applying MTU 1472 to both eth0 and eth1.

Server is running 4.9.76-gentoo as the kernel.

Load seems okay..

Code:
load average: 0.08, 0.07, 0.07


The server is running iptables. I'm wondering if this is a kernel configuration, or iptables setting I'm missing? Any ideas?

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com


Last edited by hanj on Thu Jun 28, 2018 6:30 pm; edited 2 times in total

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Mon Jun 18, 2018 8:26 pm

Updated kernel to 4.9.95-gentoo. No improvement.

I saw that QoS scheduling was enabled in the kernel. I removed that. Still no improvement.

Verified with ethtool that both interfaces were at gigabit

Code:
ethtool eth1 | grep Speed
        Speed: 1000Mb/s

ethtool eth0 | grep Speed
        Speed: 1000Mb/s


I added the following to /etc/sysctl.conf and ran sysctl -p... no improvement.

Code:
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 10240 87380 16777216
net.ipv4.tcp_rmem = 10240 87380 16777216
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216


I also tried these settings

Code:
net.core.rmem_default = 524288
net.core.rmem_max = 524288
net.core.wmem_default = 524288
net.core.wmem_max = 524288
net.ipv4.tcp_wmem = 4096 87380 524288
net.ipv4.tcp_rmem = 4096 87380 524288
net.ipv4.tcp_mem = 524288 524288 524288
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_ecn = 0
net.ipv4.route.flush = 1


I think these don't really matter since auto tuning appears to be on?

Code:
cat /proc/sys/net/ipv4/tcp_moderate_rcvbuf
1




Any ideas?

hanji
_________________
Server Admin Blog - Uno-Code.com

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W
PostPosted: Mon Jun 18, 2018 9:04 pm

hanj,

What hardware?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Mon Jun 18, 2018 9:19 pm

NeddySeagoon wrote:
hanj,

What hardware?


Hello

She's an old Dell box.

Code:
vendor_id       : GenuineIntel
cpu family      : 6
model           : 42
model name      : Intel(R) Celeron(R) CPU G530 @ 2.40GHz

MemTotal:        2049020 kB
MemFree:         1634884 kB

02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)


hanji
_________________
Server Admin Blog - Uno-Code.com

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W
PostPosted: Mon Jun 18, 2018 9:22 pm

hanj,

At least it's PCIe and not just plain old PCI.
That would be a problem.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
PostPosted: Mon Jun 18, 2018 9:58 pm

That should be more than adequate for at least a gigabit connection; my old router was a P4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long.
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Mon Jun 18, 2018 11:45 pm

NeddySeagoon wrote:
hanj,

At least it's PCIe and not just plain old PCI.
That would be a problem.


bunder wrote:
That should be more than adequate for at least a gigabit connection; my old router was a P4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long.



Anything I should look for? I agree that the box should be able to handle this. I keep having a feeling that this might be a missing kernel piece or sysctl option. The NICs are reporting 0 errors, but could this be a NIC thing? Could this be a cable thing? Or could it be how the box is talking to the modem? When connected directly to the modem, it appears to be ripping fast.

The original kernel config had the QoS scheduler, and I thought that would be the issue, but removing it made no change. That is also the weird thing... EVERY change shows no change whatsoever. Which makes me feel... could it be the modem's relationship with this firewall?

Thanks guys!
hanji
_________________
Server Admin Blog - Uno-Code.com

P.Kosunen
Guru
Joined: 21 Nov 2005
Posts: 309
Location: Finland
PostPosted: Tue Jun 19, 2018 9:48 am

Test Realtek's proprietary driver to see if it is better.

https://packages.gentoo.org/packages/net-misc/r8168

khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
PostPosted: Tue Jun 19, 2018 11:07 am

hanj ...

you didn't mention, but you say "firewall": do you mean that is the machine's purpose, or that there is filtering (i.e., iptables) on the interface? If the latter, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly test with iperf?

You should also describe the topology of this firewall: are you filtering on both eth0 and eth1?

I'm seeing ipv4 addressing; do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false".

Also, can you not obfuscate IP addresses unless absolutely necessary? Giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some information that turns out in the end to have some relevance to the issue.

best ... khay

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W
PostPosted: Tue Jun 19, 2018 11:36 am

hanj,

What is the link to the outside world?
Does it have a contention ratio?

e.g. My ADSL used to have a link speed on the phone wire of 8Mbit/sec. That was the theoretical best downlink speed without any overhead.
(Raw bits between the exchange and me.) Error correction uses some of that and the Ethernet overhead adds more.
However, the killer was the 50:1 contention ratio on domestic ADSL. That means for every 1 MB of installed capacity, BT sold up to 50MB.
It was very noticeable in busy times.

How is your service delivered and what does the "they were getting 123 Mbps" refer to?
Is it the useful data (to you) rate or the raw link speed?
Even reducing that by 20% to account for overheads leaves a big gap between what you see and the reported 123 Mbps.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Tue Jun 19, 2018 1:49 pm    Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT]

hanj wrote:
We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps.


I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.

If that is not correct, please explain the two setups.

When you say "modem", I think you mean a combined router/modem that ISPs are fond of supplying. These often report your activity to the ISP. If you want privacy, put your own modem behind their combo modem. Then they only see the NATed traffic from one IP address.

What make and model of Router and modem?

Finally, ISP speedtests often artificially favor their servers. Run your tests using "DSL reports speedtest".

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 3:22 pm

khayyam wrote:
hanj ...

you didn't mention, but you say "firewall": do you mean that is the machine's purpose, or that there is filtering (i.e., iptables) on the interface? If the latter, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly test with iperf?


Thanks for the reply.

Yes, the machine's purpose is for filtering via iptables. I created a simple flush script that got rid of all the rules but allowed me to do some testing. Not exactly what you're wanting, but I have remote access to the box.

My flush rules...
Code:

#!/bin/sh

IPT=/sbin/iptables

$IPT -F
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -t filter -F
$IPT -t filter -X
$IPT -t filter -Z
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -I INPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -j ACCEPT


Output of iptables -L -n

Code:
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


I ran iperf3 with this state.. no improvement...

Code:
iperf3 -c xxxxxxx.com
Connecting to host xxxxxxx.com, port 5201
[  4] local xxx.xxx.xxx.xxx port 48350 connected to xxx.xxx.xxx.xxx port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.13 MBytes  9.48 Mbits/sec    0    505 KBytes
[  4]   1.00-2.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   2.00-3.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   3.00-4.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   4.00-5.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   5.00-6.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   6.00-7.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   7.00-8.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   8.00-9.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   9.00-10.00  sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  13.4 MBytes  11.2 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  13.2 MBytes  11.1 Mbits/sec                  receiver

iperf Done.


khayyam wrote:
You should also describe the topology of this firewall, are you filtering on both eth0 and eth1


The firewall basically does input and output filtering and handles NAT and port forwarding to internal devices. It also runs DHCP and VPN services on the box itself. It has a modem/router connected to it (not sure what it is... again, remote location) and receives a public IP on eth1, and eth0 manages the internal network after hitting a switch internally.

khayyam wrote:
I'm seeing ipv4 addressing, do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false".


No ipv6 traffic. It's not built into the kernel, and I just added enable_ipv6_ethx="false" to /etc/conf.d/net and restarted both interfaces. No change.

Code:
enable_ipv6_eth0="false"
enable_ipv6_eth1="false"


khayyam wrote:
Also, can you not obfuscate IP addresses unless absolutely necessary? Giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some information that turns out in the end to have some relevance to the issue.


The internal network is 192.168.1.0/24. eth0 is 192.168.1.1, eth1 is a public IP.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 3:31 pm    Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT]

Tony0945 wrote:
hanj wrote:
We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps.


I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.

If that is not correct, please explain the two setups.

When you say "modem", I think you mean a combined router/modem that ISPs are fond of supplying. These often report your activity to the ISP. If you want privacy, put your own modem behind their combo modem. Then they only see the NATed traffic from one IP address.

What make and model of Router and modem?

Finally, ISP speedtests often artificially favor their servers. Run your tests using "DSL reports speedtest".



Tony0945 wrote:
I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.


Yes, the tech connected to the modem/router with a direct link, excluding the internal network and firewall. He ran the test and got the results, then plugged in on the switch behind the firewall and got the second speed. I was not there and this was reported to me, so not sure exactly how he connected, or where he did a speed test. I'm having someone test via iperf direct from the modem/router today. I'll also have him test to speedtest as well.

Tony0945 wrote:
What make and model of Router and modem?


I'll get that information today.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 3:33 pm

P.Kosunen wrote:
Test Realtek's proprietary driver to see if it is better.

https://packages.gentoo.org/packages/net-misc/r8168


Interesting. I have that driver built in the kernel. What's the process for emerging the driver for the kernel to use it?

hmmmm.. looks like it needs to be loaded as a module.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 5:17 pm    Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT]

Tony0945 wrote:

What make and model of Router and modem?


The router is a Hitron with 4 ports.

SW Ver: 4.4.10.7
HW Ver: 1A

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

twalter
Tux's lil' helper
Joined: 07 Apr 2004
Posts: 103
Location: Churchill, Canada
PostPosted: Tue Jun 19, 2018 7:28 pm

Aren't Hitrons DOCSIS modems? Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets. Fragmentation will always ruin your day.

twalter
Tux's lil' helper
Joined: 07 Apr 2004
Posts: 103
Location: Churchill, Canada
PostPosted: Tue Jun 19, 2018 7:34 pm

Now that I think of it, if it's really DSL, 1472 is too greedy; go for 1356 (IIRC) and test. At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are).

Todd

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 7:53 pm

twalter wrote:
Now that I think of it, if it's really DSL, 1472 is too greedy; go for 1356 (IIRC) and test. At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are).

Todd


Thanks Todd. I'm rebuilding the kernel with TCPMSS support now. I made sure ICMP isn't being blocked. It was being blocked.

Question on the MSS.. would I add it like this?

Code:
$IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W
PostPosted: Tue Jun 19, 2018 8:01 pm

hanj,

Try ping with the -M option. See man ping.

You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.
Bare ethernet is 1500.
If you have PPPoE, 1492 is a good value.

The more layers you have, the lower it gets.

When you set the MTU, set it for the entire network, or something, somewhere, will have to do fragmentation for outgoing packets.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 8:20 pm

twalter wrote:
Aren't Hitrons DOCSIS modems? Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets. Fragmentation will always ruin your day.


I went with this... not seeing much of an improvement, but there is a small improvement. I'm playing with the MTU in conjunction with this.

Code:
$IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
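As an added example (not code from the thread or from any of its posters), the following POSIX shell script carries out the "ping -M do" binary search NeddySeagoon describes and then turns the discovered path MTU into the --set-mss value for the TCPMSS rule in the post above. It assumes IPv4 and TCP headers without options (so MSS = MTU - 40 and the ping payload = MTU - 28, which is why "-s 1472" probes a 1500-byte MTU rather than an MTU of 1472), Linux iputils ping flags, and a constructed offline probe (path MTU 1492) standing in for the real network; the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the ping probe size and
# the TCP MSS for a given MTU, finds the path MTU by a "ping -M do" binary
# search, and prints the matching iptables TCPMSS clamp rule.
# Assumptions: IPv4 with no options (20-byte header), TCP with no options
# (20-byte header), ICMP echo (8-byte header); iputils (Linux) ping flags.

# ICMP echo payload that exactly fills one frame at MTU $1. "ping -s" takes
# the payload size, so MTU 1500 corresponds to "ping -M do -s 1472".
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Largest TCP payload per segment at MTU $1 (MTU minus IP and TCP headers).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Real probe: one echo request of payload $1 to host $2 with DF set, so an
# oversized packet is rejected ("Frag needed") instead of being fragmented.
# Needs network access; the offline demo below replaces it.
ping_probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# Binary search for the largest MTU in [$3, $4] whose probe succeeds.
# $1 is the probe command, invoked as "$1 <payload> <host>"; $2 is the host.
# Prints the MTU and returns 0, or returns 1 when even $3 fails.
find_path_mtu() {
    probe=$1; host=$2; lo=$3; hi=$4; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$(ping_payload_for_mtu "$mid")" "$host"; then
            best=$mid; lo=$(( mid + 1 ))   # fits: look higher
        else
            hi=$(( mid - 1 ))              # too big: look lower
        fi
    done
    [ "$best" -gt 0 ] || return 1
    echo "$best"
}

# Rewrites the MSS option on forwarded SYNs so neither TCP peer sends a
# segment larger than path MTU $1 (the hand-set form of --clamp-mss-to-pmtu).
mss_clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN" \
         "-j TCPMSS --set-mss $(mss_for_mtu "$1")"
}

# Constructed offline stand-in for ping_probe: a path whose MTU is 1492
# (a PPPoE-sized link), so a probe passes only when payload + 28 <= 1492.
fake_probe_1492() {
    [ $(( $1 + 28 )) -le 1492 ]
}

# Offline demonstration. With a real network, use for example:
#   find_path_mtu ping_probe iperf.he.net 576 1500
demo() {
    mtu=$(find_path_mtu fake_probe_1492 placeholder.invalid 576 1500) || return 1
    echo "path MTU $mtu, verify with: ping -M do -s $(ping_payload_for_mtu "$mtu") <host>"
    mss_clamp_rule "$mtu"
}

demo
```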

hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490
PostPosted: Tue Jun 19, 2018 8:22 pm

NeddySeagoon wrote:
hanj,

Try ping with the -M option. See man ping.

You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.
Bare ethernet is 1500.
If you have PPPoE, 1492 is a good value.

The more layers you have, the lower it gets.

When you set the MTU, set it for the entire network, or something, somewhere, will have to do fragmentation for outgoing packets.


Thanks.. I'll do some research on the -M option for ping.

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

ChrisJumper
Advocate
Joined: 12 Mar 2005
Posts: 2389
Location: Germany
PostPosted: Tue Jun 19, 2018 8:50 pm

Hi hanj

here is a short story of my own...

Code:
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)


I am not 100 percent sure, but I bought a similar card, because at first the mainboard had an "RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)" which worked fine.
It was hard to find a working driver... and with the original driver from Realtek just one card worked as expected (the onboard one). At first I thought my provider had issues with its DHCP infrastructure, because my logs looked fine but I did not get an IP, etc.

However, it was the stupid DRIVER for that card! No, I could not fix it, because the card seemed to behave normally in the terminal and to the kernel, but in the background nothing worked as expected. I think it did not even send one network packet on the line. Do yourself a favour and replace that card with another...

There might be an existing driver for your card. But Realtek has many, many revisions with slightly different chips on them and no different model line, because they sold well. That made it nearly impossible to choose the right driver. And I downloaded some from the official manufacturer's web page, which should have worked... but didn't.

You have hiccups because you updated the kernel or driver, which works with revisions other than yours.

Maybe you knew the driver before... or have the sources from the previous working kernel. Then you have a chance, or know where to find the proprietary driver on your hard drive, and with luck it will work with a new kernel.

However, save your time and go shopping for a new card, one you know works flawlessly with Linux.

Edit: I checked my logs... I had this one:
Code:
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 07)

So it might be possible that you find a working driver for your card.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Tue Jun 19, 2018 10:31 pm

Re: Drivers
Realtek is indeed a real mess. I have several boards, old and new, with onboard Realtek.

By any chance do you have one of these:

MSI B350 TOMAHAWK ARCTIC
GIGABYTE GA-F2A88X-D3HP (rev. 1.0)
GIGABYTE GA-880GA-UD3H
GIGABYTE GA-M61P-S3

bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
PostPosted: Tue Jun 19, 2018 10:36 pm

I have that same RTL8111/8168/8411 in my laptop as well as two Gigabyte Z270 boards; it seems to work fine with the required firmware, but I only have a 100mbit LAN so I'm probably not really much help there.
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017

1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569
PostPosted: Tue Jun 19, 2018 10:39 pm

I wasn't going to say anything but I have a system (Asus P6T) with realtek cards (1x on-board and a 4-way pcie card) and I can verify that they suck. In my case I have an i7 on the board, and I can get near wire speed out of them but the cpu load is artificially high.

I have another test system, a c2758 board with 7x Intel NICs using i210, i350 and i354 cards, all built-in on the board.

Out of the two systems, increasing network load ramps up CPU interrupts much faster on the system with Realtek cards, and the CPU load ramps up much faster there. It's a bit apples and oranges in the sense that the system with Intel NICs has an Atom processor and the system with the Realtek NICs has an i7; I don't have two systems with similar processors to compare.

I think Realtek NICs are somewhat like a 'smart-modem' from the Windows 95 era. There's minimal hardware and a whole lot of the implementation done in the driver. The card causes a lot more interrupts than a well-constructed card (Intel using 'igb' driver) and those interrupts suck time from your CPU when it could be doing other things.

I recommend that you get an Intel I210 or I350 or something like that with the number of ports you need. These cards implement as much functionality as possible in the card itself, allowing the CPU to go do its thing elsewhere.
All times are GMT
Page 1 of 2