 From:  "Albert Lash" <albert dot lash at gmail dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] net4501 webgui slowness tests and results
 Date:  Wed, 20 Jun 2007 20:17:27 -0400

All boxes run m0n0wall. The VPN is IPsec based and connects two WRAP boxes.
The net4501 is in front of one of them, it allows all traffic to pass
through both the wan and opt1 interfaces.

The long commands do not drop when I have "allow fragmented packets" checked
on the net4501 for both wan and opt1 firewall rules. The MTU is not set and
left to default on all interfaces on all three devices.  This configuration
causes the net4501 webgui to go slower, over one minute for a page refresh.

There is little to no traffic going through the vpn or the bridge.

| SOEKRIS - m0n0wall bridge |
+---------------------------+ (LAN - No DHCP)
|                           |
| (OPT1 PUBLIC IPs)         |
|                           |
+------------+              |
| DMZ SWITCH |              |
+------------+-+----+       |
|             SRV1 SRV2..   |
|                           |
+---------------------+     |
| WRAP - m0n0wall vpn |     |
+---------------------+     |
|                           |
|(LAN)                      |
|                           |
+------------+              |
| LAN SWITCH |              |

On 6/20/07, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 6/20/07, Albert Lash <albert dot lash at gmail dot com> wrote:
> >
> > I think that the slowness has something to do with the fact that I have a
> > VPN setup through a filtered bridge. This will cause a shell to drop when I
> > run commands like dmesg, ifconfig, or ps -A. This likely causes fragmented
> > packets, which I guess are harder for the firewall to manage.
>
> No. Unless you're pushing enough traffic over that VPN to use a
> substantial amount of CPU, it's entirely unrelated to how fast the GUI
> is.
> Long commands dropping with VPN are the result of MTU issues. You
> don't mention any details about your VPN that I see, so I can't even
> begin to guess where it might be an issue. What happens is a near-1500
> byte packet is generated, with the IPsec encapsulation it becomes over
> 1500 bytes and cannot be sent, and PMTUD should kick in at that point
> and your client should try again with smaller packets. There are lots
> of areas where this can and does fail, and some other VPNs that work
> differently from what I just described.
> -Chris

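Chris's MTU explanation, worked through in numbers as an added example (this is not code from the thread or from m0n0wall): it computes how much ESP tunnel-mode encapsulation adds to an inner packet and the largest inner packet that still fits a 1500-byte MTU, which is the size PMTUD should push the sender down to. The cipher and integrity parameters (AES-CBC with HMAC-SHA1-96) are assumptions, since the thread never says what the WRAP boxes use.

```python
# Added example: IPsec ESP tunnel-mode overhead versus a 1500-byte MTU.
# Cipher/auth parameters are assumptions; the thread does not state them.

OUTER_IP_HDR = 20      # new outer IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Return (outer_packet_len, pad_len) for an inner IP packet of
    inner_len bytes sent through ESP in tunnel mode.

    block:   cipher block size (16 for AES-CBC, 8 for 3DES-CBC)
    iv_len:  IV length (equal to the block size for CBC ciphers)
    icv_len: integrity check value length (12 for HMAC-SHA1-96)
    """
    # The encrypted area is inner packet + padding + 2-byte trailer,
    # padded up to a whole number of cipher blocks.
    pad_len = (-(inner_len + ESP_TRAILER)) % block
    encrypted = inner_len + pad_len + ESP_TRAILER
    outer = OUTER_IP_HDR + ESP_HDR + iv_len + encrypted + icv_len
    return outer, pad_len


def fits(inner_len, mtu=1500, **sa):
    """True if the encapsulated packet can leave the interface unfragmented."""
    return esp_tunnel_size(inner_len, **sa)[0] <= mtu


def max_inner_len(mtu=1500, **sa):
    """Largest inner IP packet that still fits in mtu after encapsulation;
    this is the path MTU a working PMTUD exchange should settle on."""
    n = mtu
    while not fits(n, mtu, **sa):
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed sample sizes: a tiny packet, two mid-size ones and a
    # full-size one like the output of dmesg or ps -A over ssh.
    for size in (60, 1400, 1450, 1500):
        outer, pad = esp_tunnel_size(size)
        print(f"inner {size:4d} -> outer {outer:4d} (pad {pad:2d}) fits={fits(size)}")
    print("largest inner packet fitting a 1500 MTU:", max_inner_len())
```

With these parameters a full 1500-byte inner packet becomes 1560 bytes on the wire, and only inner packets of 1438 bytes or less fit, which is why near-full-size packets from long commands fail when PMTUD does not get through.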