Date: Thu, 4 May 2000 22:28:48 -0400
From: "Michael R. Wayne" <wayne@staff.msen.com>
To: freebsd-isp@FreeBSD.ORG
Subject: ipfw causing terrible squid performance
Message-ID: <20000504222848.A1016@staff.msen.com>

After several months of "suggesting" to our users that they should use our webcache, we decided to investigate giving them no choice and forcing some of them through it using ipfw.

On a test network, we have a couple of Win9X boxes, a 2.3STABLE1 squid box configured for transparent mode (following the directions in the squid FAQ chapter 17) and a FreeBSD 3.4STABLE router box w/ 2 ethernets so we can intercept packets heading for the net.

If I configure the Win9X boxes to manually use squid, all is fine, performance is what I would expect.

Telling the Win9X boxes to go "direct to the internet" causes them to hit the ipfw rules on the router box:

    00301 allow tcp from 148.59.101.66 to any
    00302 fwd 148.59.101.66 tcp from any to any 80

And, on 148.59.101.66, the squid box, we have:

    00301 allow tcp from 148.59.101.66 to any
    00302 fwd 127.0.0.1,3128 log logamount 100 tcp from any to any 80

Everything works PERFECTLY with one exception: It takes 8-15 seconds to load a new page and about 3-7 seconds to load one that should be in the cache (even from a lightly loaded local web server). Netscape sits there with "Connect Host XXX contacted..." and checking the lights on the switch, there is no ethernet activity for most of this time.

Obviously, this is not acceptable to drop into production. I'm suspecting that it's a problem in ipfw since pointing the browser at squid works fine but nothing seems obvious. There's no load on the router box.

Where do I start digging?

/\/\
\/\/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000504222848.A1016>