-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 12, 2003 at 01:19:20PM -0700, Daniel L. Miller wrote:
> My question is one of performance - I've got 1.5M T-1, and I know I'm
> not getting the full use of that bandwidth. CNET's bandwidth meter tests
> at about 500k-800k.

Considering CNET's a busy site and their bandwidth test isn't terribly accurate at high speeds, nor does it take into account TCP overhead, I recommend the one at dslreports.com instead. Another good way is to download a massive package like Mozilla from http://ftp.us.debian.org/, which has some pretty insane bandwidth, more than enough to max out your line (I pull about 200 kilobytes per second from it on my 5Mbps cable). If you test by downloading packages, you're getting full speed on your connection at about 120 kilobytes per second.

> Watching the CPU load, I can see a lot of processing going on during
> internet activity. Besides trying to reduce the active services running
> on the server (like X-Windows), what can I do to optimize this? Do I
> need to replace the server network cards?

Here are the basics of what I would do:

Start off with the gateway as its own dedicated box, and just the base install. You can use a desktop for this, but performance and security suffer. When setting up the base system, adding a user for yourself is optional since the only time you'll be logged into this box is to edit the configurations. Avoid logging in to this box if you don't have to. Set a good root password, since this is what's out on the net. Install ssh so you can salvage the monitor and possibly keyboard (if the system will boot without one) after the install's done.

I recommend giving the internal interface the IP 192.168.0.1, netmask 255.255.255.0 (network 10 is frequently used by ISPs for their routing hardware, and just as frequently collides with people's home networks when people set up their networks without understanding that you're supposed to use the smallest netblock you need to get the job done, and not a /8. If you use network 10, you've got a good chance of pissing off your netadmin).

Install the ipmasq package if you haven't done so. It's easier than going it alone by hand and super-easy to modify to your needs. If you're not planning on serving anything to the outside world, go through and add iptables lines in /etc/ipmasq/rules to deny TCP and UDP connections to all ports from 1 to 1023 on the outside interface. If you are planning on serving stuff to the outside world, don't deny the ports those services listen on; instead redirect them to another system.

You can safely stop here; you should have a working gateway. If you've got the resources to spare, go all the way:

Install bind9. Out of the box it works as a caching nameserver; all you need to do is edit /etc/bind/named.conf, put your ISP's nameservers in the forwarders section and restart bind9. bind9 will then check its own cache to see if it already knows the answer, then ask your ISP's nameservers (if they're up), and if all else fails, it asks the root nameservers. This makes you impervious to your ISP's DNS servers going down. Set your other computers' nameserver to your gateway.

Install chrony. Find a time server near you that's fairly accurate and point chrony to that. Frequently your ISP's DNS servers are also time servers. You can now point your home boxes to your gateway for time synchronization.

If you want your home network to be "plug and play," install the dhcp package. It's pretty straightforward to set up; the minimum configuration you want to give to DHCP (if you use my suggestion above) is 192.168.0.3 through 192.168.0.254, subnet mask 255.255.255.0, DNS and NTP server as 192.168.0.1.

Install the squid and adzapper packages. Set up squid to use adzapper as a redirector, run about 30 children and disable bypassing redirectors. Configure adzapper to run in CLEAR mode. This gives you a caching proxy that does a pretty good job of not wasting your bandwidth on advertising[1]. You may want to crank up the default cache size and maximum object size; I go with a 5GB cache and 10MB maximum object size. If your connection craps out regularly, you can compensate by enabling offline mode in squid; you'll still be able to browse the most recently cached information.

Optionally install calamaris. calamaris will email you daily with squid performance stats from the last 24 hours, on Sunday with stats from the prior week, and on the first of the month for the prior month.

Once you have squid working to your satisfaction, check out the documentation on how to make it a transparent proxy. Then you won't have to specify a proxy; all web requests from your network will automatically go through the proxy.

Last step, and you're done: Invite all your friends over for a LAN party. Watch them be amazed that they don't have to coordinate with each other over who gets what IP, if there's connectivity to the Internet, what the DNS servers are, etc. If a bunch of people need to download game updates from an http server, the first person will download at the speed of your bandwidth; everybody else will get it as fast as squid can read it back from memory or the disk. Check out your calamaris stats the next day and bask in awe of the cache stats, and tweak squid's maximum object size if game updates were larger than that.

[1] Before anybody complains that this robs websites of revenue, you're paying for the ads to display on your system. Doing things to prevent fetching ads is about the same as combating spam; it's not your fault sites that use advertising have a broken business model.

- -- 
  .''`.  Baloo Ursidae <[EMAIL PROTECTED]>
 : :' :  proud Debian admin and user
 `. `'`
   `-    Debian - when you have better things to do than fix a system

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+6stdJ5vLSqVpK2kRAjbmAJsFMLP4rQlS0+oK/mvtpzd9PXX7VQCgnGP+
VdubDHbmlKf2YBbCjxZfsz8=
=dPpu
-----END PGP SIGNATURE-----
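The gateway build-out described in the post above, reduced to the configuration fragments it calls for, as an added example; this is not code from the mail, nor from the ipmasq, bind9, dhcp or squid packages it names. The script only prints the fragments so they can be reviewed before being pasted into the real files. The 192.168.0.0/24 addressing, the DHCP range, the 1-1023 inbound port block, the DNAT-to-another-host approach for served ports, 30 redirector children, the 5GB cache and 10MB object size come from the post; the interface name eth0, the placeholder ISP resolvers 203.0.113.1/2, the internal web host 192.168.0.2, the adzapper wrapper path and the Squid 2.x directive names are assumptions to check against your own package defaults and the ipmasq documentation for which file under /etc/ipmasq/rules the firewall lines belong in.

```shell
#!/bin/sh
# Added example, not from the original post: print the configuration
# fragments for the gateway described in the mail. Nothing here touches
# the running system; each function emits text for review.
# Interface name and the ISP/server addresses are assumptions.

EXT_IF="${EXT_IF:-eth0}"     # assumed: interface facing the T-1/ISP
LAN_NET="192.168.0.0/24"     # from the post
GATEWAY_IP="192.168.0.1"     # from the post

# Firewall lines for /etc/ipmasq/rules: let replies to sessions the LAN
# opened through, then refuse new TCP/UDP connections to privileged
# ports 1-1023 arriving on the outside interface, both to the gateway
# itself (INPUT) and to anything behind it (FORWARD).
gen_filter_rules() {
    ext="$1"
    cat <<EOF
iptables -A INPUT   -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -i $ext -p tcp --dport 1:1023 -m state --state NEW -j DROP
iptables -A INPUT   -i $ext -p udp --dport 1:1023 -m state --state NEW -j DROP
iptables -A FORWARD -i $ext -p tcp --dport 1:1023 -m state --state NEW -j DROP
iptables -A FORWARD -i $ext -p udp --dport 1:1023 -m state --state NEW -j DROP
EOF
}

# For a service that must be reachable from outside: rather than opening
# the port on the gateway, DNAT it to an internal host and let only that
# one port through FORWARD (-I puts the ACCEPT ahead of the DROP rules).
gen_redirect_rules() {
    ext="$1"; port="$2"; target="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $target:$port
iptables -I FORWARD -i $ext -p tcp -d $target --dport $port -m state --state NEW -j ACCEPT
EOF
}

# bind9 forwarders section: ask the ISP's resolvers first; bind falls
# back to the root servers itself when they are unreachable.
gen_bind_forwarders() {
    cat <<EOF
options {
    forwarders { $1; $2; };
};
EOF
}

# ISC dhcpd: the "plug and play" LAN from the post, handing out the
# gateway as router, DNS server and NTP server.
gen_dhcpd_conf() {
    cat <<EOF
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.3 192.168.0.254;
    option routers $GATEWAY_IP;
    option domain-name-servers $GATEWAY_IP;
    option ntp-servers $GATEWAY_IP;
}
EOF
}

# squid (2.x directive names): adzapper as redirector with 30 children,
# redirector bypass off, 5GB cache, 10MB maximum object, and access
# limited to the LAN so the proxy is not an open relay for the outside.
# The wrapper path is an assumption; adzapper's CLEAR mode is set in the
# wrapper's own configuration, not in squid.conf.
gen_squid_conf() {
    cat <<EOF
redirect_program /usr/bin/adzapper.wrapper
redirect_children 30
redirector_bypass off
cache_dir ufs /var/spool/squid 5000 16 256
maximum_object_size 10240 KB
acl lan src $LAN_NET
http_access allow lan
http_access deny all
EOF
}

render_all() {
    echo "### firewall"; gen_filter_rules "$EXT_IF"
    echo "### redirect (assumed web host)"; gen_redirect_rules "$EXT_IF" 80 192.168.0.2
    echo "### bind9 (placeholder ISP resolvers)"; gen_bind_forwarders 203.0.113.1 203.0.113.2
    echo "### dhcpd"; gen_dhcpd_conf
    echo "### squid"; gen_squid_conf
}

if [ "${1:-}" = "show" ]; then render_all; fi
```

Run it as `sh gateway-fragments.sh show` to see every fragment at once. The ESTABLISHED,RELATED accepts come before the drops so that outbound sessions from the LAN still get their replies; only connections initiated from the outside toward ports 1-1023 are refused, which is the distinction the post is drawing between "serving" and "being served".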