[tproxy] Making a PEP with tproxy and haproxy

Diego M. Vadell dvadell at linuxclusters.com.ar
Mon Jul 28 22:29:14 CEST 2008

Hi Balazs,
   Thanks. I think this project is going to be fun.

 -- Diego

On Friday 25 July 2008 05:13:48 Balazs Scheidler wrote:
> On Mon, 2008-07-21 at 17:22 -0300, Diego M. Vadell wrote:
> > Hi,
> >     We have a satellite link between an ethernet network full of windows
> > PCs and the internet. Windows PCs don't have their TCP stack optimized for
> > a satellite link (i.e. 700ms delay, 3Mbps) so they barely use it (they
> > wait for acks and use a little sliding-window, so the rtt kills the
> > throughput). Our ISP uses something called a PEP: a tcp proxy that
> > answers all the LAN's tcp connections. This PEP is well optimized, so it
> > can fully use the satellite link and feed the ethernet PCs at full speed.
> > This page:
> >
> > http://www.sonet.at/dsdsl-vpn/dsdsl-vpn.htm
> >
> > explains the problem in more detail.
> >
> >    Everything works OK except when we put a VPN to connect this place
> > with another office. The PEP is on the ISP's side, so it sees IPSEC
> > traffic. So I want to make a PEP (or say, a proxy that can transparently
> > proxy any tcp connection) in the inside.
> >
> >    From reading I think it can be done: haproxy has tproxy support, so I
> > could tproxy everything to haproxy, and tune the TCP stack of the proxy
> > for the satellite link. But as I have never done it, I thought I may ask:
> > Am I missing something horribly big here?
>
> If I understand you correctly, then no, you are not missing anything. It
> is possible to do that, as a proxy uses separate TCP connections on the
> server and the client side. And provided your box is tuned for
> high-latency links for its server side connection, the clients will also
> benefit.
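
The window and RTT limit discussed in the thread, worked through for the quoted link (3 Mbps, 700 ms), together with the buffer sizes an inside proxy would need to fill it. This is an added example, not part of the original messages; the sample window sizes, the `headroom` factor and the min/default buffer values are assumptions.

```python
# Added example: figures from the thread (3 Mbps, 700 ms); windows are constructed samples.

def bdp_bytes(bandwidth_bps, rtt_ms):
    """Bytes that must be in flight to keep the link full (bandwidth x delay)."""
    return -(-bandwidth_bps * rtt_ms // 8000)  # ceiling division

def window_limited_bps(window_bytes, rtt_ms, bandwidth_bps):
    """At most one window is delivered per round trip, capped at the link rate."""
    return min(window_bytes * 8000 // rtt_ms, bandwidth_bps)

def window_scale_shift(window_bytes):
    """Smallest RFC 7323 window-scale shift (0-14) that can advertise window_bytes."""
    shift = 0
    while (65535 << shift) < window_bytes and shift < 14:
        shift += 1
    return shift

def sysctl_lines(bandwidth_bps, rtt_ms, headroom=2):
    """Linux sysctl settings sized for the link. headroom=2 and the min/default
    buffer values are assumptions, not values from the thread."""
    max_buf = bdp_bytes(bandwidth_bps, rtt_ms) * headroom
    return [
        "net.ipv4.tcp_window_scaling = 1",
        f"net.core.rmem_max = {max_buf}",
        f"net.core.wmem_max = {max_buf}",
        f"net.ipv4.tcp_rmem = 4096 87380 {max_buf}",
        f"net.ipv4.tcp_wmem = 4096 65536 {max_buf}",
    ]

if __name__ == "__main__":
    link_bps, rtt_ms = 3_000_000, 700
    bdp = bdp_bytes(link_bps, rtt_ms)
    print(f"BDP: {bdp} bytes, needs window-scale shift >= {window_scale_shift(bdp)}")
    for win in (16384, 65535, bdp):  # constructed sample windows
        print(f"window {win:>7} B -> {window_limited_bps(win, rtt_ms, link_bps)} bit/s")
    print("\n".join(sysctl_lines(link_bps, rtt_ms)))
```

A 65535-byte window, the largest possible without window scaling, tops out at roughly a quarter of the link rate, which is why the proxy's satellite-facing connections need scaling enabled and buffers of at least the bandwidth-delay product.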
