Re: [LARTC] Problems with ICQ etc. on nano-setup

From: "Ben Efros" <ben-ra@efros.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Problems with ICQ etc. on nano-setup
Date: Mon, 15 Dec 2003 06:25:35 +0000	[thread overview]
Message-ID: <marc-lartc-107147508930632@msgid-missing> (raw)
In-Reply-To: <marc-lartc-107145755020004@msgid-missing>

Since you are doing SNAT on all the dsl lines, I'd suggest using the -j SAME
target available for netfilter.

http://netfilter.org/documentation/pomlist/pom-base.html#SAME

----- Original Message ----- 
From: "Steen Suder, privat" <steen@suder.dk>
To: <lartc@mailman.ds9a.nl>
Sent: Sunday, December 14, 2003 6:57 PM
Subject: [LARTC] Problems with ICQ etc. on nano-setup

> I administer a nano-setup on a dorm-network with a couple of hundred 
> active users.
> 
> The setup uses 2 x 2 2Mb/s DSLs, meaning two DSLs from each of two 
> different ISPs.
> 
> It works fine except for some minor glitches:
> 
> https-sites often kicks users. This was solved by tying outbound https 
> to a single DSL. Not the best solution but it works so far that users 
> dont kicked from the sites anymore. Now they can put credits on the 
> SIM-cards again ;-)
> 
> ICQ-logins is a pain as it often takes several attempts (4-8 usually) to 
> get connected to ICQ.
> I've tested with the latest micq from a host on the LAN and it says 
> "Connection refused (111)". The same behaviour goes for all other 
> (reported) clients of all kinds on the LAN. On the same time ICQ works 
> fine from othe locations.
> 
> Now I'm wondering and it is somewhat ICQspecific: when one connects to 
> ICQ one gets redirected to another server. Perhaps this redirect causes 
> the connection to take another DSL on its way onto the Internet... and 
> maybe the new sourceaddress causes the ICQ-server to drop the connection 
> attempt due to difference between the initial sourceaddress and the 
> "second" sourceaddress.
> 
> Now, the simple way to solve this issue is to bind anything even 
> remotely related to ICQtraffic to one single DSL, but I'd really like to 
> solve this "The Proper Way".
> 
> Suggestion:
> Can one "bind" traffic from one LAN-user to the same DSL, effective in 
> lets say 10 minutes from the initial connection?
> Can some magic with conntrack be put to use?
> 
> 
> 1. How can I find out what is causing this "glitch"?
> 
> This would be rather important since it could be the cause of other 
> "irregularities" in the operation.
> 
> 
> 2. How is this solved?
> 
> 
> 
> A snippet from the /etc/sysctl.conf:
> 
> net.ipv4.route.max_size2768
> net.ipv4.route.gc_min_interval=5
> net.ipv4.route.gc_interval00
> 
> It's a 2.4.23-box and it does SNAT on all four DSLs.
> It's pretty open from the inside towards the Internet.
> 
> -- 
> Mvh. / Best regards,
> Steen Suder <http://www.suder.dk/>
> ICQ UIN 4133803
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/