[tproxy] Making a PEP with tproxy and haproxy

Diego M. Vadell dvadell at linuxclusters.com.ar
Mon Jul 21 22:22:07 CEST 2008


Hi,
    We have a satellite link between an ethernet network full of Windows PCs 
and the internet. Windows PCs don't have their TCP stack optimized for a 
satellite link (i.e. 700ms delay, 3Mbps) so they barely use it (they wait for 
acks and use a little sliding-window, so the rtt kills the throughput).
    Our ISP uses something called a PEP: a tcp proxy that answers all the 
LAN's tcp connections. This PEP is well optimized, so it can fully use the 
satellite link and feed the ethernet PCs at full speed. This page: 

http://www.sonet.at/dsdsl-vpn/dsdsl-vpn.htm

explains the problem in more detail.

   Everything works OK except when we put a VPN to connect this place with 
another office. The PEP is on the ISP's side, so it sees IPsec traffic. So I 
want to make a PEP (or say, a proxy that can transparently proxy any tcp 
connection) on the inside.

   From reading I think it can be done: haproxy has tproxy support, so I could 
tproxy everything to haproxy, and tune the TCP stack of the proxy for the 
satellite link. But as I have never done it, I thought I might ask: Am I 
missing something horribly big here?

Thanks in advance,
 -- Diego.

