[tproxy] Making a PEP with tproxy and haproxy

Balazs Scheidler bazsi at balabit.hu
Fri Jul 25 10:13:48 CEST 2008

On Mon, 2008-07-21 at 17:22 -0300, Diego M. Vadell wrote:
> Hi,
>     We have a satellite link between an ethernet networks full of windows PCs 
> and the internet. Windows PCs don't have it's TCP stack optimized for a 
> satellite link (i.e. 700ms delay, 3Mbps) so they barely use it (they wait for 
> acks and use a little sliding-window, so the rtt kills the throughput).
>     Our ISP uses something called a PEP,: a tcp proxy that answers all the 
> LAN's tcp connections. This PEP is well optimized, so it can fully use the 
> satellite link and feed the ethernet PCs at full speed. This page: 
> http://www.sonet.at/dsdsl-vpn/dsdsl-vpn.htm
> explains the problem with more detail.
>    Everything works OK except when we put a VPN to connect this place with 
> another office. The PEP is on the ISP's side, so it sees IPSEC traffic. So I 
> want to make a PEP (or say, a proxy that can transparently proxy any tcp 
> connection) in the inside.
>    From reading I think it can be done: haproxy has tproxy support, so I could 
> tproxy everything to haproxy, and tune the TCP stack of the proxy for the 
> satellite link. But as I have never done it, I thought I may ask: Am I 
> missing something horribly big here?

If I understand you correctly, then no, you are not missing anything. It
is possible to do that, as a proxy uses separate TCP connections on the
server and the client side. And provided your box is tuned for
high-latency links for its server side connection, the clients will also


More information about the tproxy mailing list