[tproxy] Making a PEP with tproxy and haproxy
bazsi at balabit.hu
Fri Jul 25 10:13:48 CEST 2008
On Mon, 2008-07-21 at 17:22 -0300, Diego M. Vadell wrote:
> We have a satellite link between an ethernet network full of windows PCs
> and the internet. Windows PCs don't have their TCP stack optimized for a
> satellite link (i.e. 700ms delay, 3Mbps) so they barely use it (they wait for
> acks and use a little sliding-window, so the rtt kills the throughput).
> Our ISP uses something called a PEP: a tcp proxy that answers all the
> LAN's tcp connections. This PEP is well optimized, so it can fully use the
> satellite link and feed the ethernet PCs at full speed. This page:
> explains the problem in more detail.
> Everything works OK except when we put a VPN to connect this place with
> another office. The PEP is on the ISP's side, so it sees IPSEC traffic. So I
> want to make a PEP (or say, a proxy that can transparently proxy any tcp
> connection) in the inside.
> From reading I think it can be done: haproxy has tproxy support, so I could
> tproxy everything to haproxy, and tune the TCP stack of the proxy for the
> satellite link. But as I have never done it, I thought I may ask: Am I
> missing something horribly big here?
If I understand you correctly, then no, you are not missing anything. It
is possible to do that, as a proxy uses separate TCP connections on the
server and the client side. And provided your box is tuned for
high-latency links for its server side connection, the clients will also
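Added example, not part of the original thread: a check of whether a proxy box's TCP buffer limits can fill the 700 ms, 3 Mbps link described in the question. The sysctl key names are the standard Linux ones; the sample values and the function names are constructed for illustration.

```python
# Link figures come from the post; everything else is constructed.
LINK_BPS = 3_000_000   # 3 Mbps
LINK_RTT_MS = 700      # 700 ms round trip

# Constructed sample of `sysctl` output for the proxy box (not from the post).
SAMPLE_SYSCTL = """\
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 174760
net.ipv4.tcp_wmem = 4096 16384 131072
"""

def bdp_bytes(bps, rtt_ms):
    """Bandwidth-delay product: bytes in flight needed to keep the link full."""
    return bps * rtt_ms // 8000

def max_throughput_bps(window_bytes, rtt_ms):
    """Ceiling for one TCP connection: at most one window per round trip."""
    return window_bytes * 8 * 1000 / rtt_ms

def parse_sysctl(text):
    """Parse 'key = v1 v2 ...' lines into {key: [int, ...]}."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            cfg[key.strip()] = [int(v) for v in val.split()]
    return cfg

def check_tuning(sysctl_text, bps=LINK_BPS, rtt_ms=LINK_RTT_MS):
    """Return findings; an empty list means the buffer limits cover the BDP.

    The kernel keeps part of each buffer for overhead, so the BDP is a
    lower bound on the buffer size, not a target.
    """
    cfg = parse_sysctl(sysctl_text)
    need = bdp_bytes(bps, rtt_ms)
    findings = []
    if cfg.get("net.ipv4.tcp_window_scaling", [0])[0] != 1:
        findings.append("window scaling off: window capped at 65535 bytes")
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        vals = cfg.get(key)
        if not vals or len(vals) != 3:
            findings.append(f"{key}: missing or malformed")
        elif vals[2] < need:
            findings.append(f"{key} max {vals[2]} < BDP {need}")
    return findings

if __name__ == "__main__":
    print("BDP:", bdp_bytes(LINK_BPS, LINK_RTT_MS), "bytes")
    print("64 KiB window ceiling:", int(max_throughput_bps(65535, LINK_RTT_MS)), "bps")
    print("\n".join(check_tuning(SAMPLE_SYSCTL)) or "buffers cover the BDP")
```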