bad ftp speeds through nat

bad ftp speeds through nat

[Peter Marshall]

I am not sure what is causing this ... I have an ftp server in my DMZ.  I am
getting horrible ftp speeds ... only 200 - 300 KB/s  ... I have 10/100 cards
on both the firewall and the ftp server and they are connected with one 100
Mb switch. If anyone has any ideas as to why this is happening I would
appreciate the wisdom.

Thanks,
Peter

Re: bad ftp speeds through nat

[Jason Opperisano]

On Mon, Nov 22, 2004 at 08:56:44AM -0400, Peter Marshall wrote:
> I am not sure what is causing this ... I have an ftp server in my DMZ.  I am
> getting horrible ftp speeds ... only 200 - 300 KB/s  ... I have 10/100 cards
> on both the firewall and the ftp server and they are connected with one 100
> Mb switch. If anyone has any ideas as to why this is happening I would
> appreciate the wisdom.

have you base-lined the environment?  does FTP through the firewall with
no rules loaded and just IP forwarding enabled allow for significantly
higher throughput?  how about a machine locally in the DMZ directly to
the FTP server, what's that throughput look like?

-j

--
"It's not easy to juggle a pregnant wife and a troubled child, but
 somehow I managed to fit in eight hours of TV a day."
        --The Simpsons

Re: bad ftp speeds through nat

[Peter Marshall]

I have not tried it with the firewall off ... yet ... however, transfer
speeds between boxes in the DMZ are fast .... I transefered a 40 MB file in
3 sec ....

Peter
----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Monday, November 22, 2004 11:04 AM
Subject: Re: bad ftp speeds through nat


On Mon, Nov 22, 2004 at 08:56:44AM -0400, Peter Marshall wrote:
> I am not sure what is causing this ... I have an ftp server in my DMZ.  I
am
> getting horrible ftp speeds ... only 200 - 300 KB/s  ... I have 10/100
cards
> on both the firewall and the ftp server and they are connected with one
100
> Mb switch. If anyone has any ideas as to why this is happening I would
> appreciate the wisdom.

have you base-lined the environment?  does FTP through the firewall with
no rules loaded and just IP forwarding enabled allow for significantly
higher throughput?  how about a machine locally in the DMZ directly to
the FTP server, what's that throughput look like?

-j

--
"It's not easy to juggle a pregnant wife and a troubled child, but
 somehow I managed to fit in eight hours of TV a day."
        --The Simpsons

Re: bad ftp speeds through nat

[Peter Marshall]

It looks like it is slow with any type of file transfer through the firewall
.. not just ftp ...


----- Original Message ----- 
From: "Peter Marshall" <peter.marshall@caris.com>
To: "Jason Opperisano" <opie@817west.com>; "netfilter"
<netfilter@lists.netfilter.org>
Sent: Monday, November 22, 2004 2:31 PM
Subject: Re: bad ftp speeds through nat


I have not tried it with the firewall off ... yet ... however, transfer
speeds between boxes in the DMZ are fast .... I transefered a 40 MB file in
3 sec ....

Peter
----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Monday, November 22, 2004 11:04 AM
Subject: Re: bad ftp speeds through nat


On Mon, Nov 22, 2004 at 08:56:44AM -0400, Peter Marshall wrote:
> I am not sure what is causing this ... I have an ftp server in my DMZ.  I
am
> getting horrible ftp speeds ... only 200 - 300 KB/s  ... I have 10/100
cards
> on both the firewall and the ftp server and they are connected with one
100
> Mb switch. If anyone has any ideas as to why this is happening I would
> appreciate the wisdom.

have you base-lined the environment?  does FTP through the firewall with
no rules loaded and just IP forwarding enabled allow for significantly
higher throughput?  how about a machine locally in the DMZ directly to
the FTP server, what's that throughput look like?

-j

--
"It's not easy to juggle a pregnant wife and a troubled child, but
 somehow I managed to fit in eight hours of TV a day."
        --The Simpsons

Re: bad ftp speeds through nat

[Jason Opperisano]

On Mon, Nov 22, 2004 at 02:39:36PM -0400, Peter Marshall wrote:
> It looks like it is slow with any type of file transfer through the firewall
> .. not just ftp ...

does "netstat -ni" on the firewall show any interface errors?  any
possibility of a speed/duplex mismatch between the firewall's interfaces
and the switches it's connected to (mii-tool/ethtool can help here)?

is your firewall a P-75 that might not be capable of filtering more than
300 Kbps (semi joking...)?

-j

--
"This has purple stuff inside - purple is a fruit."
        --The Simpsons

Re: bad ftp speeds through nat

[Peter Marshall]

here is the output from the netstat -ni ...

[root@radium root]# netstat -ni
Kernel Interface table
Iface     MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR
Flg
eth0       1500   064374866      0      0      169244643      0      0
0 BMRU
eth0:1     1500   0  698461      0      0      0  674916      0           0
BMRU
eth1       1500   067829304      0      0    26760844194      0      0
0 BMRU
eth1:1     1500   0  698461      0      0      0  674916      0      0
0 BMRU
eth2       1500   0  698461      0      0      0  674916      0      0
0 BMRU
lo        16436   0      54      0      0      0      54      0      0
0 LRU

and no my firewall is not a P-75  ... :)  it is a PIII 850 with 512 MB RAM.



Peter


----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Monday, November 22, 2004 2:41 PM
Subject: Re: bad ftp speeds through nat


On Mon, Nov 22, 2004 at 02:39:36PM -0400, Peter Marshall wrote:
> It looks like it is slow with any type of file transfer through the
firewall
> .. not just ftp ...

does "netstat -ni" on the firewall show any interface errors?  any
possibility of a speed/duplex mismatch between the firewall's interfaces
and the switches it's connected to (mii-tool/ethtool can help here)?

is your firewall a P-75 that might not be capable of filtering more than
300 Kbps (semi joking...)?

-j

--
"This has purple stuff inside - purple is a fruit."
        --The Simpsons

Re: bad ftp speeds through nat

[Chris Andrew]

On Mon, 2004-11-22 at 19:08, Peter Marshall wrote:
> here is the output from the netstat -ni ...
> 
> [root@radium root]# netstat -ni
> Kernel Interface table
> Iface     MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR
> Flg
> eth0       1500   064374866      0      0      169244643      0      0
> 0 BMRU
> eth0:1     1500   0  698461      0      0      0  674916      0           0
> BMRU
> eth1       1500   067829304      0      0    26760844194      0      0
> 0 BMRU
> eth1:1     1500   0  698461      0      0      0  674916      0      0
> 0 BMRU
> eth2       1500   0  698461      0      0      0  674916      0      0
> 0 BMRU
> lo        16436   0      54      0      0      0      54      0      0
> 0 LRU
> 
> and no my firewall is not a P-75  ... :)  it is a PIII 850 with 512 MB RAM.

I'm presuming the speeds are poor from your LAN:

Are the transfer speeds OK if you FTP from the firewall?

How do you address the FTP server from your LAN, are you doing any
DNAT/SNAT, or simply routing?

Are transfer speeds always poor from the LAN regardless of which PC
initiates the FTP connection?

What does mii-tool & the above netstat tell you on:
  (a) the ftp server
  (b) the firewall
  (c) LAN workstation

In an attempt to diagnose a failing NIC, try pulling down the speed on
either or both of the NICs on the firewall DMZ interface and FTP server,
using:
mii-tool -F 10baseT-FD eth0

See man mii-tool for available speeds/duplex, etc.

Regards,
Chris