Performance issues with IPCop & Proxmox

supermario87

Member
Mar 19, 2012
Hi, I've set up a test configuration with IPCop as the firewall on an HP MicroServer N36L. The two NICs involved are two gigabit Intel 82571EB:

http://www.intel.com/design/network/products/lan/controllers/82571eb.htm

This is network configuration:



ETH1 is WAN SIDE
ETH2 is LAN SIDE

ETH1 takes a static IP (192.168.1.XXX) from my provider router (DHCP is possible too).
ETH2 has an IP chosen by me (192.168.2.100).
Bridges are used by IPCop.

The DHCP server is IPCop's built-in one... PCs on the LAN side get their IP from IPCop without problems.

I have some performance issues while web surfing: every page I click has a 75% probability of getting an HTTP timeout error. The WAN side is a 100M optical fibre, and surfing outside Proxmox (e.g. getting an IP directly from the provider router) works well as always. HTTP download is 90%-95% of the theoretical maximum (9 MB/s instead of 10 MB/s).
Could this be a virtualisation-related problem? Any tips?

Thanks!

macday

Member
Mar 10, 2010
Stuttgart / Germany
Hi,

I had the same problems with virtual Firewalls in general.

My last tweak was disabling netfilter and iptables on the bridge interface. Now everything is back to normal speed.

nano /etc/sysctl.conf

insert these 3 lines:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

save the file.

Apply it: sysctl -p

Restart the VMs.
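macday's tweak as a complete, re-runnable script. This is an added example for this page, not code posted in the thread or shipped by Proxmox or IPCop; it assumes a Debian-based Proxmox VE host with /etc/sysctl.conf and /etc/modules, run as root. It also builds in the point the thread later stumbles over: the net.bridge.bridge-nf-call-* keys only exist once the bridge netfilter code is loaded (the `bridge` module on the 2.6.32 kernel used here; a separate `br_netfilter` module on kernels from 3.18 on), so a `sysctl -p` run before that module is loaded errors out on those keys and leaves them at their defaults. The script therefore loads the module first, persists it for the next boot, and verifies afterwards. Security caveat: with these keys at 0, the host's own iptables/ip6tables/arptables rules no longer see frames switched between ports of the same bridge; all filtering of that traffic is then the guest firewall's job, which is the intent when the guest is IPCop.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it: apply macday's tweak
# (stop bridged frames from traversing the host's netfilter) in a checkable way.
# Assumes a Debian-based Proxmox VE host (/etc/sysctl.conf, /etc/modules), run as root.

BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-arptables net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables"

# The three lines macday added to /etc/sysctl.conf.
render_sysctl_conf() {
    for k in $BRIDGE_NF_KEYS; do
        printf '%s = 0\n' "$k"
    done
}

# Append those lines to the file named in $1, once; re-running does not duplicate them.
ensure_in_sysctl_conf() {
    for k in $BRIDGE_NF_KEYS; do
        grep -q "^$k[[:space:]]*=" "$1" 2>/dev/null || printf '%s = 0\n' "$k" >> "$1"
    done
}

# Given text in `sysctl -a` format (the "permission denied" noise printed by 2.6.32
# included), print the bridge-nf-call-* keys that are still non-zero, i.e. the
# protocols for which bridged frames still hit iptables/ip6tables/arptables on the host.
still_filtering() {
    printf '%s\n' "$1" | awk -F' *= *' '/^net\.bridge\.bridge-nf-call-/ && $2 != 0 { print $1 }'
}

# The keys only exist once the bridge netfilter code is in the kernel: the "bridge"
# module on 2.6.32, a separate "br_netfilter" module from 3.18 on. Load it now and
# list it in /etc/modules so it is present before sysctl.conf is applied at boot.
load_bridge_nf() {
    modprobe bridge
    modprobe br_netfilter 2>/dev/null || true
    for m in bridge br_netfilter; do
        if modinfo "$m" >/dev/null 2>&1; then
            grep -qx "$m" /etc/modules || echo "$m" >> /etc/modules
        fi
    done
}

apply() {
    load_bridge_nf
    ensure_in_sysctl_conf /etc/sysctl.conf
    sysctl -p
    left=$(still_filtering "$(sysctl -a 2>/dev/null)")
    if [ -n "$left" ]; then
        echo "still filtering bridged frames on the host: $left" >&2
        return 1
    fi
    echo "bridged frames now bypass host netfilter; the guest firewall is the only filter"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
    apply) apply ;;
esac
```

Run it as `sh bridge-nf-off.sh apply`; without the argument it only defines the functions. Re-running is safe: the sysctl.conf lines and the /etc/modules entries are appended once, and the final check fails loudly if any of the three keys is still 1, which is exactly the symptom supermario87 hits below when the module was not loaded.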
 

supermario87

Member
Mar 19, 2012
Hi, thanks for your help!!

Unfortunately, this did not help me. Now it appears that for 1 second it works and for 10 it doesn't. :(
 

supermario87

Member
Mar 19, 2012
Hi!
If I set a default gateway for eth1, IPCop can't reach the Internet; if I don't set any default gateway, nothing changes.
I want to make sure that the only route to the Internet is 192.168.1.254 (that's the default gateway received via DHCP from my provider router).
 

supermario87

Member
Mar 19, 2012
Whoooops, I didn't notice that before!

[attached image: IMAG0002.jpg]

That's why nothing changed when I added those lines to sysctl.conf... do I need to change something in the module loading?
 

supermario87

Member
Mar 19, 2012
I've updated the system with apt-get today:
pve-manager: 2.0-42 (pve-manager/2.0/3d6d8258)
running kernel: 2.6.32-7-pve
proxmox-ve-2.6.32: 2.0-60
pve-kernel-2.6.32-7-pve: 2.6.32-60
lvm2: 2.02.88-2pve2
clvm: 2.02.88-2pve2
corosync-pve: 1.4.1-1
openais-pve: 1.1.4-2
libqb: 0.10.1-2
redhat-cluster-pve: 3.1.8-3
resource-agents-pve: 3.9.2-3
fence-agents-pve: 3.1.7-1
pve-cluster: 1.0-25
qemu-server: 2.0-28
pve-firmware: 1.0-15
libpve-common-perl: 1.0-21
libpve-access-control: 1.0-17
libpve-storage-perl: 2.0-14
vncterm: 1.0-2
vzctl: 3.0.30-2pve2
vzprocps: 2.0.11-2
vzquota: 3.0.12-3
pve-qemu-kvm: 1.0-7
ksm-control-daemon: 1.1-1
 

supermario87

Member
Mar 19, 2012
Here it is; I ran a manual modprobe bridge after the last reboot:

root@marioserver:~# sysctl -a | grep net.bridge.bridge-nf
error: permission denied on key 'vm.compact_memory'
error: permission denied on key 'net.ipv4.route.flush'
error: permission denied on key 'net.ipv4.route.flush'
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-filter-pppoe-tagged = 0
error: permission denied on key 'net.ipv6.route.flush'
 

macday

Member
Mar 10, 2010
Stuttgart / Germany
Then everything is fine. But you should use blank bridges instead of bridges with defined IPs: one bridge for the red interface (bridged to a separate NIC) and one bridge for the green interface (bridged to a separate NIC). I personally did this with VLANs on my HP layer-3 switch.
 

plewka

Member
Sep 28, 2009
macday said:
Then everything is fine. But you should use blank bridges instead of bridges with defined IPs: one bridge for the red interface (bridged to a separate NIC) and one bridge for the green interface (bridged to a separate NIC). I personally did this with VLANs on my HP layer-3 switch.

We don't use a blank bridge... that would be an idea. How do you start such a bridge?
On some interfaces we use bridges without an IP, but we have to start them by hand :-((

We used IPCop 1.x from ~2006, but we ran into some difficulties and finally moved to Endian Firewall (Community) a few days ago.
We had been using Endian for a few months for a different purpose because it did what we wanted. We didn't look at IPCop 2 because of that.
We didn't/don't have much traffic on the router (mainly a few RDP connections).

The main trouble was issues after hot migration to the other node, and failure of the web frontend when
using a larger number of static DHCP entries (we use 100). There were some outages while snapshotting was in progress.
Apart from that it was stable and handled our traffic with low CPU load.
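The two-blank-bridge layout macday describes, and the boot-time start plewka asks about, as one /etc/network/interfaces fragment for the Proxmox VE host. This is an added example for this page, not a configuration from the thread or from Proxmox's documentation; the NIC names (eth0 onboard for management, eth1 the Intel port facing the provider router, eth2 the Intel port facing the LAN), the management address and the use of IPCop's green address 192.168.2.100 as the host's gateway are assumptions.

```text
# /etc/network/interfaces on the Proxmox VE host (added example, not from the thread)
# Assumed NICs: eth0 = onboard, host management; eth1 = WAN/red; eth2 = LAN/green.
auto lo
iface lo inet loopback

# Management bridge: the only bridge that carries a host address.
auto vmbr0
iface vmbr0 inet static
        address 192.168.2.10
        netmask 255.255.255.0
        gateway 192.168.2.100
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

# Red side: blank bridge, eth1 is only a port, the host has no address here.
auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

# Green side: blank bridge for the firewall's LAN leg.
auto vmbr2
iface vmbr2 inet manual
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
```

With `auto` on each stanza, ifupdown brings all three bridges up at boot, so nothing has to be started by hand; in the IPCop VM's hardware settings, attach one virtual NIC to vmbr1 (red) and one to vmbr2 (green). Because vmbr1 has no host address, the hypervisor is not addressable from the provider-facing segment, and the host's management traffic is confined to vmbr0; that separation is what makes leaving the bridge-nf-call-* keys at 0 acceptable, since the host has no filtering role on the red/green path.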
 
