[tproxy] Making a PEP with tproxy and haproxy
Diego M. Vadell
dvadell at linuxclusters.com.ar
Mon Jul 21 22:22:07 CEST 2008
Hi,
We have a satellite link between an ethernet network full of Windows PCs
and the internet. Windows PCs don't have their TCP stack optimized for a
satellite link (i.e. 700ms delay, 3Mbps) so they barely use it (they wait for
acks and use a little sliding-window, so the rtt kills the throughput).
Our ISP uses something called a PEP: a TCP proxy that answers all the
LAN's tcp connections. This PEP is well optimized, so it can fully use the
satellite link and feed the ethernet PCs at full speed. This page:
http://www.sonet.at/dsdsl-vpn/dsdsl-vpn.htm
explains the problem in more detail.
Everything works OK except when we put a VPN to connect this place with
another office. The PEP is on the ISP's side, so it sees IPSEC traffic. So I
want to make a PEP (or say, a proxy that can transparently proxy any TCP
connection) on the inside.
From reading I think it can be done: haproxy has tproxy support, so I could
tproxy everything to haproxy, and tune the TCP stack of the proxy for the
satellite link. But as I have never done it, I thought I may ask: Am I
missing something horribly big here?
Thanks in advance,
-- Diego.
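
An added worked example (not part of the original message) that puts numbers on the window/RTT limit described above and on the buffer a proxy's TCP stack would need to fill the link. It assumes the 700 ms figure is the round-trip time and, as a constructed sample, uses 65535 bytes (the largest TCP window without window scaling) as the client window; the function names are hypothetical.

```python
MAX_UNSCALED_WINDOW = 65535  # largest value of the 16-bit TCP window field
MAX_WINDOW_SCALE = 14        # upper bound on the TCP window-scale shift


def bdp_bytes(link_bps, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to fill the link."""
    return link_bps * rtt_ms / 8000


def window_limited_bps(window_bytes, rtt_ms):
    """At most one window can be unacknowledged per round trip."""
    return window_bytes * 8000 / rtt_ms


def min_window_scale(link_bps, rtt_ms):
    """Smallest window-scale shift whose maximum window covers the BDP."""
    need = bdp_bytes(link_bps, rtt_ms)
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < need:
        shift += 1
        if shift > MAX_WINDOW_SCALE:
            raise ValueError("BDP exceeds the largest scalable TCP window")
    return shift


def report(link_bps, rtt_ms, window_bytes=MAX_UNSCALED_WINDOW):
    """Summarise how much of the link a single connection can use."""
    ceiling = min(window_limited_bps(window_bytes, rtt_ms), link_bps)
    return {
        "bdp_bytes": bdp_bytes(link_bps, rtt_ms),
        "ceiling_bps": ceiling,
        "utilisation": ceiling / link_bps,
        "min_window_scale": min_window_scale(link_bps, rtt_ms),
    }


if __name__ == "__main__":
    # Figures from the message: 3 Mbps link, 700 ms taken as RTT (assumption).
    for key, value in report(3_000_000, 700).items():
        print(f"{key}: {value}")
```

The `bdp_bytes` result is the minimum send and receive buffer the satellite-facing side of the proxy needs per connection to keep the link full.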