Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
Evgeny Ferapontov2014-10-29 21:05:59
linux
Evgeny Ferapontov, 2014-10-29 21:05:59

Why does the Internet slow down through the Linux gateway?

The bottom line is this: there is a box with Linux (Debian 7), which terminates vlans, raises pppoe and launches these vlans on the Internet via pppoe. With the help of iptables, a firewall and NAT are configured, rising during boot with one script. ( pastebin.com/7ShyK22N)
Launched a home network (14 machines) through this gateway. After some time (5-7 days), the Internet began to slow down: then Chrome loads the page for a minute with a constant "Waiting ..." at the bottom, then the torrents fall off. With the help , I
/sbin/sysctl net.netfilter.nf_conntrack_count
looked at how many active NAT translations, there were a lot of them. Decreased timeouts and increased table size, tried to stick to RFC5382:

echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
echo 524288 > /proc/sys/net/netfilter/nf_conntrack_max
echo 120 > /proc/sys/net/netfilter/nf_conntrack_generic_timeout
echo 7440 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

but even with one computer on the network anyway

net.netfilter.nf_conntrack_count = 294

and the brakes, albeit reduced, but still remain.
What am I doing wrong? Are there any detailed instructions for raising the Internet gateway on Linux for absolute beginners?
PS pastebin.com/VQ6T19Xp -- a list of NAT translations, provided that only me and my phone are online.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
E
Evgeny Ferapontov, 2015-01-26
@e1ferapontov

The PMTU Discovery blackhole was to blame. The provider somewhere blocked ICMP traffic, and my iptables rule for compressing mtu on the external interface did not work.
It turns out that TCP MSS rules can and should be written exclusively in the mangle table, which I just did not understand the first time due to the lack of documentation. After that everything worked:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

Report
I
Igor, 2014-10-29
@merryjane

And in a broad gull nothing falls?
In the same dmesg\syslog\messages?
Put some statistics server on the server, so that later you can see on the graphs what is happening with the network, the number of errors on the interfaces, memory consumption, processor.

Similar questions
A
Alexander2017-06-23 20:13:44
Accepting cookies. Why is it returning an array? 2Reply
J
JackShcherbakov2017-12-07 00:47:10
The PHP encoding in openserver has failed, what should I do? 3Reply
I
index0h2015-06-27 00:54:43
GIT: How to get the name of the branch being merged? 1Reply
D
DennyD3142017-06-07 11:25:53
Why is the environment variable not exported to the project? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question