This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASL 3.2 Routing goes so slow in the DMZ!!!

Hi,
I got a problem thats bugging me and my users real bad.

The problem:
When we surf from the DMZ zone things go slow and extreamly slow. But when i surf from my office thats masq to the ext.intf then things fly lik a jet plane. [:S]

The setup:
Eth0 (The office network) 192.168.2.100/24
Eth1 (The internet interface) 213.x.x.150
Eth2 (The DMZ zone, internet surfers) 80.x.x.1/24
Note!: The 80.x.x.1/24 is offical/Public IP's.

This is how it is put togeter.
First a Cisco 2600 Router (213.x.x.145)
Second: ASL 3.2 Fwall (213.x.x.150) (Eth1)
Third: Eth0 (Office) & Eth2 (DMZ)
All the 80.x.x.x adresses is routed by my ISP to 213.x.x.150 that sends it to the Eth2 DMZ.

Eth0 is Masq > Eth1 (The Internet) 213.x.x.145 as GW, Eth2 is 80.x.x.1 and uses itself as GW 80.x.x.1. Packetfilter rules: DMZ can do anything all ports open.

Does anyone see a problem with this setup, that would make it go slow!

Hope of fast response, thanx in advance,
Kevin

[size="1"][ 15 June 2002, 04:54: Message edited by: kvatn ][/size]

This thread was automatically locked due to age.

0 tom_01 over 23 years ago

Can you please post the kernel routing table [Network->Routing] and both "current" tables from [Packet Filter -> Filter LiveLog]. You should do a search and replace on the 3rd IP address numbers before posting.

/tom
Cancel
Vote Up 0 Vote Down

Cancel
0 kvatn over 23 years ago in reply to tom_01

Hi, here is what you asked!
Thanx for youre help.

Kernel routing table:
213.236.248.145 dev eth0  scope link
213.236.248.144/29 dev eth1  scope link
192.168.2.0/24 dev eth0  scope link
80.x.x.0/24 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 213.236.248.145 dev eth1
default via 80.x.x.1 dev eth2  scope link
default via 213.236.248.145 dev eth0

Current Packet filter rules:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1433K  286M LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1279K  271M PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1279K  271M FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1272K  271M IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1272K  271M HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
1272K  271M AUTO_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1033K  198M USR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1033K  198M LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
172M  105G LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
172M  105G PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
172M  105G FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
172M  105G IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
172M  105G AUTO_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2723K  236M USR_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16   811 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
298K   36M LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
144K   21M FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
143K   21M IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
143K   21M HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
143K   21M AUTO_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7724  439K USR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3441  233K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AUTO_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
172K  111M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:53:65535 dpt:53
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            255.255.255.255    tcp spt:68 dpt:67
   53 17522 ACCEPT     udp  --  eth2   *       0.0.0.0/0            255.255.255.255    udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth2   *       80.x.x.0/24       80.x.x.1        tcp spt:68 dpt:67
    1   328 ACCEPT     udp  --  eth2   *       80.x.x.0/24       80.x.x.1        udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22
  175 14221 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          tcp spts:1024:65535 dpt:443
    0     0 ACCEPT     tcp  --  *      *       80.x.x.0/24       0.0.0.0/0          tcp spts:1024:65535 dpt:443
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:443
   12   660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:113
    2    80 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            195.70.164.130     tcp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            195.70.164.130     udp spts:53:65535 dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            195.70.161.40      tcp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            195.70.161.40      udp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.36.143.151     udp spts:1024:65535 dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:222
    0     0 ACCEPT     tcp  --  *      eth2    80.x.x.1          255.255.255.255    tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth2    80.x.x.1          255.255.255.255    udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      eth2    80.x.x.1          80.x.x.0/24     tcp spt:67 dpt:68
    1   328 ACCEPT     udp  --  *      eth2    80.x.x.1          80.x.x.0/24     udp spt:67 dpt:68
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:113
  442  223K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain FIX_CONNTRACK (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain HA (2 references)
pkts bytes target     prot opt in     out     source               destination

Chain IPSEC (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCAL (3 references)
pkts bytes target     prot opt in     out     source               destination
154K   15M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
154K   15M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain LOGDROP (5 references)
pkts bytes target     prot opt in     out     source               destination
1046K  198M LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1046K  198M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGREJECT (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain LOG_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination
5078  321K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
979K  196M LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
61514 2043K LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        2    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_ACTION (2 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_MATCHER (2 references)
pkts bytes target     prot opt in     out     source               destination
3845  494K RETURN     all  --  *      *       192.168.2.0/24       0.0.0.0/0
    0     0 RETURN     all  --  *      *       213.236.248.148      0.0.0.0/0
88149   65M RETURN     all  --  *      *       80.x.x.0/24       0.0.0.0/0
  369 57783 RETURN     all  --  *      *       195.70.164.130       0.0.0.0/0
    0     0 PSD_ACTION  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          psd options
    0     0 PSD_ACTION  udp  --  *      *       0.0.0.0/0            0.0.0.0/0          psd options

Chain USR_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
2842  181K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1:65535 dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:138 dpt:138
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:138 dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:137 dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:137 dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpt:139
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpts:33000:34000
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11 code 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain USR_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain USR_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
   18   864 ACCEPT     all  --  *      *       80.x.x.1          0.0.0.0/0
    0     0 ACCEPT     47   --  *      *       80.x.x.1          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       80.x.x.1          0.0.0.0/0          tcp spts:1:65535 dpt:445
    0     0 ACCEPT     udp  --  *      *       80.x.x.1          0.0.0.0/0          udp spts:1:65535 dpt:445
    0     0 ACCEPT     tcp  --  *      *       80.x.x.1          0.0.0.0/0          tcp spt:138 dpt:138
    0     0 ACCEPT     udp  --  *      *       80.x.x.1          0.0.0.0/0          udp spt:138 dpt:138
    0     0 ACCEPT     tcp  --  *      *       80.x.x.1          0.0.0.0/0          tcp spt:137 dpt:137
    0     0 ACCEPT     udp  --  *      *       80.x.x.1          0.0.0.0/0          udp spt:137 dpt:137
    0     0 ACCEPT     tcp  --  *      *       80.x.x.1          0.0.0.0/0          tcp spts:1024:65535 dpt:139
    0     0 ACCEPT     udp  --  *      *       80.x.x.1          0.0.0.0/0          udp spts:1024:65535 dpt:139
    0     0 ACCEPT     icmp --  *      *       80.x.x.1          0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     icmp --  *      *       80.x.x.1          0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     udp  --  *      *       80.x.x.1          0.0.0.0/0          udp spts:1024:65535 dpts:33000:34000
    0     0 ACCEPT     icmp --  *      *       80.x.x.1          0.0.0.0/0          icmp type 11 code 0

Current NAT rules
Chain PREROUTING (policy ACCEPT 3113K packets, 317M bytes)
pkts bytes target     prot opt in     out     source               destination
990K  105M SPOOF_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
990K  105M AUTO_NAT_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1942K packets, 109M bytes)
pkts bytes target     prot opt in     out     source               destination
591K   33M AUTO_NAT_POST  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18342 packets, 1159K bytes)
pkts bytes target     prot opt in     out     source               destination
8334  517K AUTO_NAT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AUTO_NAT_OUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain AUTO_NAT_POST (1 references)
pkts bytes target     prot opt in     out     source               destination
14235 1164K MASQUERADE  all  --  *      eth1    192.168.2.0/24       0.0.0.0/0

Chain AUTO_NAT_PRE (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SPOOF_DROP (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth2   *       80.x.x.1          0.0.0.0/0
    0     0 DROP       all  --  eth2   *       80.x.x.1          0.0.0.0/0
    0     0 LOG        all  --  eth2   *       192.168.2.0/24       0.0.0.0/0
    0     0 DROP       all  --  eth2   *       192.168.2.0/24       0.0.0.0/0
    0     0 LOG        all  --  eth2   *       213.236.248.144/29   0.0.0.0/0
    0     0 DROP       all  --  eth2   *       213.236.248.144/29   0.0.0.0/0
    0     0 LOG        all  --  eth0   *       192.168.2.100        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.2.100        0.0.0.0/0
    0     0 LOG        all  --  eth0   *       80.x.x.0/24       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       80.x.x.0/24       0.0.0.0/0
    0     0 LOG        all  --  eth0   *       213.236.248.144/29   0.0.0.0/0
    0     0 DROP       all  --  eth0   *       213.236.248.144/29   0.0.0.0/0
    0     0 LOG        all  --  eth1   *       213.236.248.150      0.0.0.0/0
    0     0 DROP       all  --  eth1   *       213.236.248.150      0.0.0.0/0
    0     0 LOG        all  --  eth1   *       80.x.x.0/24       0.0.0.0/0
    0     0 DROP       all  --  eth1   *       80.x.x.0/24       0.0.0.0/0
    7   308 LOG        all  --  eth1   *       192.168.2.0/24       0.0.0.0/0
    7   308 DROP       all  --  eth1   *       192.168.2.0/24       0.0.0.0/0
Cancel
Vote Up 0 Vote Down

Cancel
0 tom_01 over 23 years ago in reply to kvatn

Kernel routing table:
213.236.248.145 dev eth0 scope link
213.236.248.144/29 dev eth1 scope link
192.168.2.0/24 dev eth0 scope link
80.x.x.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 213.236.248.145 dev eth1
default via 80.x.x.1 dev eth2 scope link
default via 213.236.248.145 dev eth0
This is looking fishy. The default GW config is the cause I guess. Please edit the internal and DMZ interfaces and set "Default GW" on them to "none".

If you should have any extra routes please remove them too.

/tom
Cancel
Vote Up 0 Vote Down

Cancel
0 kvatn over 23 years ago in reply to tom_01

That seemed to fix my problem, I set the DMZ GW to none and the gw for The Internal card to none.
Now works like a dream.

Thanx alot
Kevin
FDS AS
Norway
Cancel
Vote Up 0 Vote Down

Cancel