View previous topic :: View next topic |
Author |
Message |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Mon Jun 18, 2018 3:15 pm Post subject: Gentoo Firewall is choking internet speed. [SOLVED] |
|
|
Hello
We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. That is with their speed test.
I tested with iperf3 on the box .. and get worse..
Code: | Connecting to host iperf.he.net, port 5201
[ 4] local xxx.xxx.xxx.xxx port 50332 connected to 216.218.227.10 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 3.55 MBytes 29.7 Mbits/sec 0 296 KBytes
[ 4] 1.00-2.00 sec 1.35 MBytes 11.3 Mbits/sec 0 363 KBytes
[ 4] 2.00-3.00 sec 1.34 MBytes 11.3 Mbits/sec 0 433 KBytes
[ 4] 3.00-4.00 sec 1.35 MBytes 11.4 Mbits/sec 13 324 KBytes
[ 4] 4.00-5.00 sec 1.35 MBytes 11.3 Mbits/sec 0 372 KBytes
[ 4] 5.00-6.00 sec 1.35 MBytes 11.3 Mbits/sec 0 407 KBytes
[ 4] 6.00-7.00 sec 1.28 MBytes 10.7 Mbits/sec 3 404 KBytes
[ 4] 7.00-8.00 sec 1.41 MBytes 11.8 Mbits/sec 8 315 KBytes
[ 4] 8.00-9.00 sec 1.35 MBytes 11.3 Mbits/sec 0 341 KBytes
[ 4] 9.00-10.00 sec 1.35 MBytes 11.3 Mbits/sec 0 355 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 15.7 MBytes 13.1 Mbits/sec 24 sender
[ 4] 0.00-10.00 sec 13.2 MBytes 11.1 Mbits/sec receiver |
Testing from another box behind the firewall, it even got worse...
Code: | [ 4] local 192.168.xxx.xxx port 54666 connected to 216.218.227.10 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 1.91 MBytes 16.0 Mbits/sec 0 96.2 KBytes
[ 4] 1.00-2.00 sec 871 KBytes 7.13 Mbits/sec 0 96.2 KBytes
[ 4] 2.00-3.00 sec 871 KBytes 7.14 Mbits/sec 0 96.2 KBytes
[ 4] 3.00-4.00 sec 871 KBytes 7.14 Mbits/sec 0 96.2 KBytes
[ 4] 4.00-5.00 sec 871 KBytes 7.13 Mbits/sec 0 96.2 KBytes
[ 4] 5.00-6.00 sec 871 KBytes 7.14 Mbits/sec 0 96.2 KBytes
[ 4] 6.00-7.00 sec 871 KBytes 7.14 Mbits/sec 0 96.2 KBytes
[ 4] 7.00-8.00 sec 871 KBytes 7.14 Mbits/sec 0 96.2 KBytes
[ 4] 8.00-9.00 sec 902 KBytes 7.39 Mbits/sec 0 96.2 KBytes
[ 4] 9.00-10.00 sec 871 KBytes 7.13 Mbits/sec 0 96.2 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 9.60 MBytes 8.05 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 8.40 MBytes 7.04 Mbits/sec receiver |
These are the cards that are on that Gentoo firwall box:
Code: | 02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03) |
Code: | eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.xxx.xxx netmask 255.255.255.0 broadcast 192.168.xxx.xxx
ether d0:67:e5:ee:44:73 txqueuelen 1000 (Ethernet)
RX packets 453321948 bytes 594791527037 (553.9 GiB)
RX errors 0 dropped 3 overruns 0 frame 0
TX packets 268473640 bytes 86843846038 (80.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet xxx.xxx.xxx.xxx netmask 255.255.255.252 broadcast xxx.xxx.xxx.xxx
ether 00:0a:cd:20:b8:4a txqueuelen 1000 (Ethernet)
RX packets 269470690 bytes 86762995524 (80.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 450122190 bytes 593247038718 (552.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
UPDATE.. I tried changing MTU to 1472, since I was getting fragmentation at 1500 to see if that helped. No change after applying MTU to 1472 to both eth0 and eth1
Server is running 4.9.76-gentoo as the kernel.
Load seems okay..
Code: | load average: 0.08, 0.07, 0.07 |
The server is running iptables. I'm wondering if this is a kernel configuration, or iptables setting I'm missing? Any ideas?
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com
Last edited by hanj on Thu Jun 28, 2018 6:30 pm; edited 2 times in total |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Mon Jun 18, 2018 8:26 pm Post subject: |
|
|
Updated kernel to 4.9.95-gentoo. No improvement.
I saw that QoS scheduling was enabled in the kernel. I removed that. Still no improvement.
Verified with ethtool that both interfaces were at gigabit
Code: | ethtool eth1 | grep Speed
Speed: 1000Mb/s
ethtool eth0 | grep Speed
Speed: 1000Mb/s |
I added the following to /etc/sysctl.conf and ran sysctl -p .. no improvement
Code: | net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 10240 87380 16777216
net.ipv4.tcp_rmem = 10240 87380 16777216
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216 |
I also tried these settings
Code: | net.core.rmem_default = 524288
net.core.rmem_max = 524288
net.core.wmem_default = 524288
net.core.wmem_max = 524288
net.ipv4.tcp_wmem = 4096 87380 524288
net.ipv4.tcp_rmem = 4096 87380 524288
net.ipv4.tcp_mem = 524288 524288 524288
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_ecn = 0
net.ipv4.route.flush = 1 |
I think these don't really matter since auto tuning appears to be on?
Code: | cat /proc/sys/net/ipv4/tcp_moderate_rcvbuf
1 |
Any ideas?
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Mon Jun 18, 2018 9:04 pm Post subject: |
|
|
hanj,
What hardware? _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Mon Jun 18, 2018 9:19 pm Post subject: |
|
|
NeddySeagoon wrote: | hanj,
What hardware? |
Hello
She's an old Dell box.
Code: | vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel(R) Celeron(R) CPU G530 @ 2.40GHz
MemTotal: 2049020 kB
MemFree: 1634884 kB
02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)
|
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Mon Jun 18, 2018 9:22 pm Post subject: |
|
|
hanj,
Al least its PCIe and not just plain old PCI.
That would be a problem. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5937
|
Posted: Mon Jun 18, 2018 9:58 pm Post subject: |
|
|
That should be more than adequate for at least a gigabit connection, my old router was a p4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Mon Jun 18, 2018 11:45 pm Post subject: |
|
|
NeddySeagoon wrote: | hanj,
Al least its PCIe and not just plain old PCI.
That would be a problem. |
bunder wrote: | That should be more than adequate for at least a gigabit connection, my old router was a p4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long. |
Anything I should look for? I agree, that I think the box should be able to handle this. I keep having a feeling that this might be a missing kernel piece or sysctl option. The NICs are reporting 0 errors, but could this be a NIC thing? Could this be a cable thing? Or could it be how the box is talking to the modem? When connected directly to the modem, it appears to be ripping fast.
The original kernel config had QoS schedule, and I thought that would be the issue, but removing that no change. That is also the weird thing.. EVERY change shows no change what-so-ever. Which makes me feel.. could it be the modem's relationship with this firewall?
Thanks guys!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
P.Kosunen Guru
Joined: 21 Nov 2005 Posts: 309 Location: Finland
|
|
Back to top |
|
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Tue Jun 19, 2018 11:07 am Post subject: |
|
|
hanj ...
you didn't mention, but you say "firewall", do you mean that is the machine's purpose, or that there is filtering (ie, iptables) on the interface? If the later, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly tested with iperf?
You should also describe the topology of this firewall, are you filtering on both eth0 and eth1
I'm seeing ipv4 addressing, do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false".
Also, can you not obfuscate ip addresses unless absolutely necessary, giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some infomation that turns out in the end to have some relevence to the issue.
best ... khay |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Tue Jun 19, 2018 11:36 am Post subject: |
|
|
hanj,
What is the link to the outside world?
Does it have a contention ratio?
e.g. My ADSL used to have a link speed on the phone wire of 8Mbit/sec. That was the theoretical best downlink speed without any overhead.
(Raw bits between the exchange an me). Error correction uses some of that and the Ethernet overhead adds more.
However, the killer was the 50:1 contention ratio on domestic ADSL. That means for every 1 MB of installed capacity, BT sold up to 50MB.
It was very noticeable in busy times.
How is your service delivered and what does the "they were getting 123 Mbps" refer to?
Is it the useful data (to you) rate or the raw link speed?
Even reducing that by 20% to account for overheads leaves a big gap between what you see and the reported 123 Mbps. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Tue Jun 19, 2018 1:49 pm Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT] |
|
|
hanj wrote: | We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. |
I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.
If that is not correct, please explain the two setups.
When you say "modem", I think you mean a combined router/modem that ISP's are fond of supplying. These often report your activity to the ISP. If you want privacy, put your own modem behind their combo modem. then they only see the NATed traffic from one ip address.
What make and model of Router and modem?
Finally, ISP speedtests often artificially favor their servers. Run your tests using "DSL reports speedtest". |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 3:22 pm Post subject: |
|
|
khayyam wrote: | hanj ...
you didn't mention, but you say "firewall", do you mean that is the machine's purpose, or that there is filtering (ie, iptables) on the interface? If the later, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly tested with iperf? |
Thanks for the reply.
Yes, the machine's purpose is for filtering via iptables. I created a simple flush script that got rid of all the rules but allowed me to do some testing. Not exactly what you're wanting, but I have remote access to the box.
My flush rules...
Code: |
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -t filter -F
$IPT -t filter -X
$IPT -t filter -Z
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -I INPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -j ACCEPT |
Output of iptables -L -n
Code: | iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 |
I ran iperf3 with this state.. no improvement...
Code: | iperf3 -c xxxxxxx.com
Connecting to host xxxxxxx.com, port 5201
[ 4] local xxx.xxx.xxx.xxx port 48350 connected to xxx.xxx.xxx.xxx port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 1.13 MBytes 9.48 Mbits/sec 0 505 KBytes
[ 4] 1.00-2.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 2.00-3.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 3.00-4.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 4.00-5.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 5.00-6.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 6.00-7.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 7.00-8.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 8.00-9.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
[ 4] 9.00-10.00 sec 1.36 MBytes 11.4 Mbits/sec 0 505 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 13.4 MBytes 11.2 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 13.2 MBytes 11.1 Mbits/sec receiver
iperf Done. |
khayyam wrote: | You should also describe the topology of this firewall, are you filtering on both eth0 and eth1 |
The firewall basically does input and output filtering and handles NAT and port forwarding to internal devices. It also runs DHCP and VPN services on the box itself. It has a modem/router connected to it (not sure what it is.. again, remote location) and receives a public IP eth1 and eth0 manages the internal network after hitting a switch internally.
khayyam wrote: | I'm seeing ipv4 addressing, do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false". |
No ipv6 traffic. It's not built in the kernel and I just added the enable_ipv6_ethx="false" to /etc/conf.d/net and restarted both interfaces. No change
Code: | enable_ipv6_eth0="false"
enable_ipv6_eth1="false" |
khayyam wrote: | Also, can you not obfuscate ip addresses unless absolutely necessary, giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some infomation that turns out in the end to have some relevence to the issue. |
The internal network is 192.168.1.0/24. eth0 is 192.168.1.1, eth1 is a public IP.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 3:31 pm Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT] |
|
|
Tony0945 wrote: | hanj wrote: | We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. |
I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.
If that is not correct, please explain the two setups.
When you say "modem", I think you mean a combined router/modem that ISP's are fond of supplying. These often report your activity to the ISP. If you want privacy, put your own modem behind their combo modem. then they only see the NATed traffic from one ip address.
What make and model of Router and modem?
Finally, ISP speedtests often artificially favor their servers. Run your tests using "DSL reports speedtest". |
Tony0945 wrote: | I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps. |
Yes, the tech connected to the modem/router with a direct link, excluding the internal network and firewall. He ran the test and got the results, then plugged in on the switch behind the firewall and got the second speed. I was not there and this was reported to me, so not sure exactly how he connected, or where he did a speed test. I'm having someone test via iperf direct from the modem/router today. I'll also have him test to speedtest as well.
Tony0945 wrote: | What make and model of Router and modem? |
I'll get that information today.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 3:33 pm Post subject: |
|
|
Interesting. I have that driver built in the kernel. What's the process for emerging the driver for the kernel to use it?
hmmmm.. looks like it needs to be loaded as a module.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 5:17 pm Post subject: Re: Gentoo Firewall is choking internet speed. [URGENT] |
|
|
Tony0945 wrote: |
What make and model of Router and modem?
|
The router is a hitron w/4 ports
SW Ver: 4.4.10.7
HW Ver: 1A
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
twalter Tux's lil' helper
Joined: 07 Apr 2004 Posts: 103 Location: Churchill, Canada
|
Posted: Tue Jun 19, 2018 7:28 pm Post subject: |
|
|
Aren't Hitron's DOCSIS modems? Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets Fragmentation will always ruin your day. |
|
Back to top |
|
|
twalter Tux's lil' helper
Joined: 07 Apr 2004 Posts: 103 Location: Churchill, Canada
|
Posted: Tue Jun 19, 2018 7:34 pm Post subject: |
|
|
Now that I think of it, if it's really DSL 1472 is too greedy, go for 1356 (IIRC) and test. At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are.)
Todd |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 7:53 pm Post subject: |
|
|
twalter wrote: | Now that I think of it, if it's really DSL 1472 is too greedy, go for 1356 (IIRC) and test. At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are.)
Todd |
Thanks Todd. I'm rebuilding the kernel with TCPMSS support now. I made sure ICMP isn't being blocked. It was blocking.
Question on the MSS.. would I add it like this?
Code: | $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356
|
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Tue Jun 19, 2018 8:01 pm Post subject: |
|
|
hanj,
Try ping with the -M option. See man ping.
You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.
Bare ethernet is 1500.
If you have PPoE' 1492 is a good value.
The more layers you have, the lower it gets.
When you set the MTU, set it for the entire network, or something, somewhere, will have to do fragmentation for outgoing packets. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 8:20 pm Post subject: |
|
|
twalter wrote: | Aren't Hitron's DOCSIS modems? Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets Fragmentation will always ruin your day. |
I went with this.. not seeing much of an improvement.. but there is a small improvement. I'm playing with MTU in conjunction to this
Code: | $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Jun 19, 2018 8:22 pm Post subject: |
|
|
NeddySeagoon wrote: | hanj,
Try ping with the -M option. See man ping.
You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.
Bare ethernet is 1500.
If you have PPoE' 1492 is a good value.
The more layers you have, the lower it gets.
When you set the MTU, set it for the entire network, or something, somewhere, will have to do fragmentation for outgoing packets. |
Thanks.. I'll do some research on the -M option for ping.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
|
Back to top |
|
|
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2400 Location: Germany
|
Posted: Tue Jun 19, 2018 8:50 pm Post subject: |
|
|
Hi hanj
here is a short story by myself...
Code: | 03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03) |
I am not 100 percent sure, but i bought some similar card. Because at first the mainboard had an "RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)" which work fine.
It was hard to find a working driver... and with the original driver from realtec just one card work as expected (the onboard one). The first time i thought my provider had issues with its dhcp infrastructure because my logs look well but i did not got an ip etc..
However it was the stupid DRIVER for that Card! No i could not fixed it. Because the Card seems to behave normal on terminal or to the kernel. But in the Background nothing work as expected. I think it did not even send one network packet on the Line. Do yourself a favour and replace that card with another...
There might be an existing driver for your card. But Realtek have many many revisions with slightly other chips on it and no different Model-Line because they sold well. But that made it nearly impossible to choose the right driver. And i download some from the the official Manufacturer Internet page, which should work.. but didn't.
You have hiccups because you updated the kernel or driver, which works with other revisions than your one.
Maybe you know the driver before.. or have the sources from the working previous kernel. Than you have a chance or know where to find the proprietary driver on your hard drive, and you have the luck that it will work with a new kernel.
However, save your time and go shopping for a new card, some one about you know that its working flawlessly with Linux.
Edit: I checked my logs.. i had that one:
Code: | 04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 07) |
So it might be possible that you find a working driver for your card. |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Tue Jun 19, 2018 10:31 pm Post subject: |
|
|
Re: Drivers
Realtek is indeed a real mess. I have several boards, old and new, with onboard Realtek.
By any chance do you have one of these:
MSI B350 TOMAHAWK ARCTIC
GIGABYTE GA-F2A88X-D3HP (rev. 1.0)
GIGABYTE GA-880GA-UD3H
GIGABYTE GA-M61P-S3 |
|
Back to top |
|
|
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5937
|
Posted: Tue Jun 19, 2018 10:36 pm Post subject: |
|
|
I have that same RTL8111/8168/8411 in my laptop as well as two gigabyte z270 boards, seems to work fine with the required firmware, but I only have a 100mbit LAN so I'm probably not really much help there. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Tue Jun 19, 2018 10:39 pm Post subject: |
|
|
I wasn't going to say anything but I have a system (Asus P6T) with realtek cards (1x on-board and a 4-way pcie card) and I can verify that they suck. In my case I have an i7 on the board, and I can get near wire speed out of them but the cpu load is artificially high.
I have another test system, a c2758 board with 7x Intel NICs using i210, i350 and i354 cards, all built-in on the board.
Out of the two systems, increasing network load ramps up CPU interrupts much faster on the system with Realtek cards, and the cpu load ramps up much faster there. It's a bit apples and oranges in the sense that the system with intel nics has an atom processor and the system with the realtek nics has an i7, I don't have two systems with similar processors to compare.
I think Realtek NICs are somewhat like a 'smart-modem' from the Windows 95 era. There's minimal hardware and a whole lot of the implementation done in the driver. The card causes a lot more interrupts than a well-constructed card (Intel using 'igb' driver) and those interrupts suck time from your CPU when it could be doing other things.
I recommend that you get an Intel I210 or I350 or something like that with the number of ports you need. These cards implement as much functionality as possible in the card itself, allowing the CPU to go do its thing elsewhere. |
|
Back to top |
|
|
|