From zorp@lists.balabit.hu Mon May 2 19:29:08 2005
From: zorp@lists.balabit.hu (Joseph Kim)
Date: Mon, 2 May 2005 11:29:08 -0700
Subject: [zorp] Zorp slows down web page viewing?
Message-ID: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>

Hi,

I installed Zorp and other necessary modules on Linux 2.4.27. The software I installed is as follows:

linux-2.4.27.tar.gz
zorp_2.0.9.tar.gz
libzorpll_2.0.26.24.tar.gz
cttproxy-2.4.27-1.2.1.tar.gz
iptables-1.2.7a.tar
bridge-utils-1.0.4.tar

I connected a client PC to one ethernet interface, and the other interface to the internet gateway router.
And from the client PC, I'm able to view the web pages through the Linux machine that has Zorp installed.
But, for some reason it is very slow. I compared the speed between the pure bridge mode and Zorp. And, it appears that going through Zorp is almost 10 times slower than with pure bridge mode.

Did I install wrong? Wrong version? Or, have I configured Zorp wrong?
I would appreciate any help.

Thanks.

Joseph
From zorp@lists.balabit.hu Tue May 3 13:20:18 2005
From: zorp@lists.balabit.hu (Balazs Scheidler)
Date: Tue, 03 May 2005 14:20:18 +0200
Subject: [zorp] Zorp slows down web page viewing?
In-Reply-To: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
References: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
Message-ID: <1115122818.4566.8.camel@bzorp.balabit>

On Mon, 2005-05-02 at 11:29 -0700, Joseph Kim wrote:
> Hi,
>
> I installed Zorp and other necessary modules on Linux 2.4.27. The
> software I installed is as follows:
>
> linux-2.4.27.tar.gz
> zorp_2.0.9.tar.gz
> libzorpll_2.0.26.24.tar.gz
> cttproxy-2.4.27-1.2.1.tar.gz
> iptables-1.2.7a.tar
> bridge-utils-1.0.4.tar
>
> I connected a client PC to one ethernet interface, and the other
> interface to the internet gateway router.
> And from the client PC, I'm able to view the web pages through the
> Linux machine that has Zorp installed.
> But, for some reason it is very slow. I compared the speed between the
> pure bridge mode and Zorp. And, it appears that going through Zorp is
> almost 10 times slower than with pure bridge mode.
>
> Did I install wrong? Wrong version? Or, have I configured Zorp wrong?
> I would appreciate any help.

What do you mean slow? Zorp surely adds some latency but for a single PC
this change should not be noticeable.

It is possible that there are some problems with PMTU, ECN or MSS. Those
might cause connection hangups. Can you post your configuration?

-- 
Bazsi

From zorp@lists.balabit.hu Tue May 3 19:08:57 2005
From: zorp@lists.balabit.hu (Joseph Kim)
Date: Tue, 3 May 2005 11:08:57 -0700
Subject: [zorp] Zorp slows down web page viewing?
References: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
 <1115122818.4566.8.camel@bzorp.balabit>
Message-ID: <00d701c5500b$2e74dc40$070ba8c0@notebook4bzao8>

Thank you for your reply.

"Slow" means the following:
For the same webpage, without Zorp, it takes about a second to display.
But, with Zorp, it takes about 20 seconds to display. I understand that Zorp would add some latency, but not to this extent.
So I thought there should be something wrong.

Configuration is like the following:
(1) Zorp machine is configured as a bridge mode with a bridge (br0) IP address 192.168.11.101. Currently, both eth2 and eth3 are added to the bridge. And Zorp is running.
(2) Client notebook's IP address is 192.168.11.13, and is connected to eth2 of the Zorp machine.
(3) Eth3 of Zorp machine is connected to our Internet Gateway Router (IP address 192.168.11.1) through which it can go to the internet.

The file instances.conf includes the following line:
zorp --verbose=10 --policy /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4

And the file policy.py includes the following lines:
===============================================================================
from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *
from Zorp.Ftp import *

Zorp.firewall_name = 'zorp@MC1'

# one catch-all zone: every service allowed in both directions
InetZone("all", "0.0.0.0/0", inbound_services=['*'], outbound_services=['*'])

#
# The name of this function is passed to the Zorp binary with the --as
# command line option.
#
class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)
        self.transparent_mode = TRUE
        self.data_mode = FTP_DATA_PASSIVE

class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE

def zorp():
    # TransparentRouter(forge_addr=TRUE): connect to the original destination
    # and use the client's source address on the server side
    Service('ftp', FtpProxy, router=TransparentRouter(forge_addr=TRUE))
    Service('http', IntraHttp, router=TransparentRouter(forge_addr=TRUE))
    Service('https', PlugProxy, router=TransparentRouter(forge_addr=TRUE))

    # the ports the TPROXY rules below divert to
    Listener(SockAddrInet("0.0.0.0", 50021), "ftp")
    Listener(SockAddrInet("0.0.0.0", 50080), "http")
    Listener(SockAddrInet("0.0.0.0", 50443), "https")
===============================================================================

And I do the following to run zorp:

iptables -F
iptables -A INPUT -m tproxy -j ACCEPT
iptables -t tproxy -A PREROUTING -p tcp --dport 21 -j TPROXY --on-port 50021
iptables -t tproxy -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 50080
iptables -t tproxy -A PREROUTING -p tcp --dport 443 -j TPROXY --on-port 50443

#dummy interface
ifconfig dummy0 1.2.3.4

#zorp
sleep 1
zorpctl start

Look forward to hearing your comments.

Joseph

----- Original Message -----
From: "Balazs Scheidler"
To: 
Sent: Tuesday, May 03, 2005 5:20 AM
Subject: Re: [zorp] Zorp slows down web page viewing?

> On Mon, 2005-05-02 at 11:29 -0700, Joseph Kim wrote:
>> Hi,
>>
>> I installed Zorp and other necessary modules on Linux 2.4.27. The
>> software I installed is as follows:
>>
>> linux-2.4.27.tar.gz
>> zorp_2.0.9.tar.gz
>> libzorpll_2.0.26.24.tar.gz
>> cttproxy-2.4.27-1.2.1.tar.gz
>> iptables-1.2.7a.tar
>> bridge-utils-1.0.4.tar
>>
>> I connected a client PC to one ethernet interface, and the other
>> interface to the internet gateway router.
>> And from the client PC, I'm able to view the web pages through the
>> Linux machine that has Zorp installed.
>> But, for some reason it is very slow. I compared the speed between the
>> pure bridge mode and Zorp.
>> And, it appears that going through Zorp is
>> almost 10 times slower than with pure bridge mode.
>>
>> Did I install wrong? Wrong version? Or, have I configured Zorp wrong?
>> I would appreciate any help.
>
> What do you mean slow? Zorp surely adds some latency but for a single PC
> this change should not be noticeable.
>
> It is possible that there are some problems with PMTU, ECN or MSS. Those
> might cause connection hangups. Can you post your configuration?
>
> --
> Bazsi
>
> _______________________________________________
> zorp mailing list
> zorp@lists.balabit.hu
> http://lists.balabit.hu/mailman/listinfo/zorp

From zorp@lists.balabit.hu Wed May 4 14:44:57 2005
From: zorp@lists.balabit.hu (Balazs Scheidler)
Date: Wed, 04 May 2005 15:44:57 +0200
Subject: [zorp] Zorp slows down web page viewing?
In-Reply-To: <00d701c5500b$2e74dc40$070ba8c0@notebook4bzao8>
References: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
 <1115122818.4566.8.camel@bzorp.balabit>
 <00d701c5500b$2e74dc40$070ba8c0@notebook4bzao8>
Message-ID: <1115214297.3734.21.camel@bzorp.balabit>

On Tue, 2005-05-03 at 11:08 -0700, Joseph Kim wrote:
> Thank you for your reply.
>
> "Slow" means the following:
> For the same webpage, without Zorp, it takes about a second to display. But,
> with Zorp, it takes about 20 seconds to display. I understand that Zorp
> would add some latency, but not to this extent.
> So I thought there should be something wrong.

Yes, this latency is too much.

>
> Configuration is like the following:
> (1) Zorp machine is configured as a bridge mode with a bridge (br0) IP
> address 192.168.11.101. Currently, both eth2 and eth3 are added to the
> bridge. And Zorp is running.
> (2) Client notebook's IP address is 192.168.11.13, and is connected to eth2
> of the Zorp machine.
> (3) Eth3 of Zorp machine is connected to our Internet Gateway Router (IP
> address 192.168.11.1) through which it can go to the internet.
>
> The file instances.conf includes the following line:
> zorp --verbose=10 --policy /usr/local/etc/zorp/policy.py --autobind-ip
> 1.2.3.4

I think I've found the problem, --verbose=10 generates a _LOT_ of
messages to your system log, try with the default value of 3 which is
more sensible.

-- 
Bazsi

From zorp@lists.balabit.hu Wed May 4 21:53:46 2005
From: zorp@lists.balabit.hu (Joseph Kim)
Date: Wed, 4 May 2005 13:53:46 -0700
Subject: [zorp] Zorp slows down web page viewing?
References: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
 <1115122818.4566.8.camel@bzorp.balabit>
 <00d701c5500b$2e74dc40$070ba8c0@notebook4bzao8>
 <1115214297.3734.21.camel@bzorp.balabit>
Message-ID: <017c01c550eb$60c97800$070ba8c0@notebook4bzao8>

Thank you for your reply.

Your suggestion worked just fine. I went even further and I used verbose=0, and it is much faster now.

And, for my own curiosity, I tried to compare the throughputs between using zorp and without using zorp.
In one configuration, I download a webpage 100 times through the machine with zorp running. In the other configuration, I download the same webpage 100 times directly from our internet gateway router without going through the zorp machine.

To my surprise, I got the following results:

Each test includes 100 downloads.

          Average throughput
          Configuration
Test #    Zorp            Direct
1         737.4 Kbps      642.7 Kbps
2         711.7 Kbps      646.9 Kbps
3         721.6 Kbps      615.7 Kbps

According to the result, zorp actually made the connection faster.
What kind of magic are you guys playing?

Joseph

----- Original Message -----
From: "Balazs Scheidler"
To: 
Sent: Wednesday, May 04, 2005 6:44 AM
Subject: Re: [zorp] Zorp slows down web page viewing?

> On Tue, 2005-05-03 at 11:08 -0700, Joseph Kim wrote:
>> Thank you for your reply.
>>
>> "Slow" means the following:
>> For the same webpage, without Zorp, it takes about a second to display.
>> But,
>> with Zorp, it takes about 20 seconds to display. I understand that Zorp
>> would add some latency, but not to this extent.
>> So I thought there should be something wrong.
>
> Yes, this latency is too much.
>
>>
>> Configuration is like the following:
>> (1) Zorp machine is configured as a bridge mode with a bridge (br0) IP
>> address 192.168.11.101. Currently, both eth2 and eth3 are added to the
>> bridge. And Zorp is running.
>> (2) Client notebook's IP address is 192.168.11.13, and is connected to
>> eth2
>> of the Zorp machine.
>> (3) Eth3 of Zorp machine is connected to our Internet Gateway Router (IP
>> address 192.168.11.1) through which it can go to the internet.
>>
>> The file instances.conf includes the following line:
>> zorp --verbose=10 --policy
>> /usr/local/etc/zorp/policy.py --autobind-ip
>> 1.2.3.4
>
> I think I've found the problem, --verbose=10 generates a _LOT_ of
> messages to your system log, try with the default value of 3 which is
> more sensible.
>
> --
> Bazsi

From zorp@lists.balabit.hu Thu May 5 15:42:08 2005
From: zorp@lists.balabit.hu (Balazs Scheidler)
Date: Thu, 05 May 2005 16:42:08 +0200
Subject: [zorp] Zorp slows down web page viewing?
In-Reply-To: <017c01c550eb$60c97800$070ba8c0@notebook4bzao8>
References: <007101c54f44$d5af67e0$070ba8c0@notebook4bzao8>
 <1115122818.4566.8.camel@bzorp.balabit>
 <00d701c5500b$2e74dc40$070ba8c0@notebook4bzao8>
 <1115214297.3734.21.camel@bzorp.balabit>
 <017c01c550eb$60c97800$070ba8c0@notebook4bzao8>
Message-ID: <1115304128.3983.12.camel@bzorp.balabit>

On Wed, 2005-05-04 at 13:53 -0700, Joseph Kim wrote:
> And, for my own curiosity, I tried to compare the throughputs between using
> zorp and without using zorp.
> In one configuration, I download a webpage 100 times through the machine
> with zorp running. In the other configuration, I download the same webpage 100
> times directly from our internet gateway router without going through the
> zorp machine.
>
> To my surprise, I got the following results:
>
> Each test includes 100 downloads.
>
>           Average throughput
>           Configuration
> Test #    Zorp            Direct
> 1         737.4 Kbps      642.7 Kbps
> 2         711.7 Kbps      646.9 Kbps
> 3         721.6 Kbps      615.7 Kbps
>
> According to the result, zorp actually made the connection faster.
> What kind of magic are you guys playing?

It is probably some kind of measuring problem, something changed between
the two test invocations, and the test program might also be fooled
somewhat (it depends on when the timer is started).

For example if it is started after the HTTP response is received: Zorp
does not send the HTTP header until the first real data byte is received
from the server, and then it is sent immediately together with the HTTP
header. E.g. where a server would:

client                  server
GET            ->
               <-       HTTP/1.0 200 OK
                        some time
               <-       first data bytes

Zorp converts this to:

client         Zorp               server
GET      ->            ->
                       <-         HTTP/1.0 200 OK
                                  some time
                       <-         first data bytes
         <-    HTTP/1.0 200 OK
         <-    first data bytes

If the timer starts when the header is received then the actual bandwidth
calculated might differ from the case where no Zorp is present.

But of course it does not change reality, Zorp is an additional processing
burden, thus it effectively has to increase network latency. For
deployments where the proxies are not overloaded (and a 1MBit connection
does not overload a current box), the latency change should be minimal.

-- 
Bazsi
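The two timelines Bazsi sketches above, worked through as an added example; this is not code from the Zorp project or from anyone in the thread. It models the client, the proxy and the server as integer millisecond milestones and computes "throughput" the two ways a download tool might: with the timer started when GET was sent, and with the timer started when the status line arrived. All numbers (hop delays, the per-message proxy cost, the server's think time, a 1 Mbit/s link, a 100 kB page) are assumptions chosen so the arithmetic can be checked by hand; the proxy behaviour modelled is exactly the one described in the reply, namely holding the header until the first body byte arrives.

```python
"""Timeline model of the measurement artefact described in the thread.

Added example; it is not code from the Zorp project or from anyone in
this thread.  Every number below (hop delays, per-message proxy cost,
server think time, link rate, page size) is an assumption chosen so the
arithmetic can be checked by hand.  Times are integer milliseconds and
sizes are bytes, so all milestones are exact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timeline:
    """When the client saw each milestone, in ms after it sent GET."""
    t_header: int       # status line "HTTP/1.0 200 OK" received
    t_first_data: int   # first body byte received
    t_last_data: int    # last body byte received
    body_bytes: int


def direct(*, one_way_ms, think_ms, body_bytes, link_bytes_per_ms):
    """Client talks to the server directly.  The server answers the status
    line as soon as GET arrives and starts the body think_ms later."""
    t_get_at_server = one_way_ms
    t_header = t_get_at_server + one_way_ms
    t_first_data = t_get_at_server + think_ms + one_way_ms
    t_last_data = t_first_data + body_bytes // link_bytes_per_ms
    return Timeline(t_header, t_first_data, t_last_data, body_bytes)


def through_zorp(*, client_hop_ms, server_hop_ms, proxy_ms, think_ms,
                 body_bytes, link_bytes_per_ms):
    """Same exchange through a proxy that behaves as described in the
    thread: the status line is read but not forwarded until the first
    body byte arrives, then both go to the client together.  proxy_ms is
    the assumed forwarding cost per message inside the proxy."""
    t_get_at_proxy = client_hop_ms
    t_get_at_server = t_get_at_proxy + proxy_ms + server_hop_ms
    t_header_at_proxy = t_get_at_server + server_hop_ms        # held here
    t_first_data_at_proxy = t_get_at_server + think_ms + server_hop_ms
    assert t_header_at_proxy <= t_first_data_at_proxy
    t_release = t_first_data_at_proxy + proxy_ms
    t_header = t_first_data = t_release + client_hop_ms         # sent together
    t_last_data = t_first_data + body_bytes // link_bytes_per_ms
    return Timeline(t_header, t_first_data, t_last_data, body_bytes)


def kbps(body_bytes, elapsed_ms):
    """Bits per millisecond is numerically kbit/s."""
    return body_bytes * 8 / elapsed_ms


def measure(tl):
    """Throughput as two download tools might compute it: timer started
    when GET was sent, versus timer started when the status line arrived."""
    from_request = kbps(tl.body_bytes, tl.t_last_data)
    from_header = kbps(tl.body_bytes, tl.t_last_data - tl.t_header)
    return from_request, from_header


# assumed page: server thinks 500 ms, 100 kB body, 1 Mbit/s link (125 bytes/ms)
ASSUMED_PAGE = dict(think_ms=500, body_bytes=100_000, link_bytes_per_ms=125)


def compare():
    """Return {'direct': (from_request, from_header), 'zorp': (...)}."""
    d = direct(one_way_ms=20, **ASSUMED_PAGE)
    z = through_zorp(client_hop_ms=10, server_hop_ms=10, proxy_ms=5, **ASSUMED_PAGE)
    return {"direct": measure(d), "zorp": measure(z)}


if __name__ == "__main__":
    for name, (req, hdr) in compare().items():
        print(f"{name:7} timer at GET: {req:7.1f} kbit/s   "
              f"timer at header: {hdr:7.1f} kbit/s")
```

With the timer started at GET the proxied path is slower, as the reply says it must be; with the timer started at the status line the proxied path excludes the server's think time entirely and reports a higher figure, which is the shape of the numbers in the table above. Before trusting a throughput comparison across a proxy, check where the tool starts its clock.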