
Re: Using Debian as a Broadband Router



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 12, 2003 at 01:19:20PM -0700, Daniel L. Miller wrote:
> My question is one of performance - I've got 1.5M T-1, and I know I'm
> not getting the full use of that bandwidth.  CNET's bandwidth meter tests
> at about 500k-800k.

Considering CNET's a busy site and their bandwidth test isn't terribly
accurate at high speeds, nor does it take into account TCP overhead, I
recommend the one at dslreports.com instead.  Another good way is to
download a massive package like Mozilla from
http://ftp.us.debian.org/, which has some pretty insane bandwidth,
more than enough to max out your line (I pull about 200 kilobytes per
second from it on my 5Mbps cable).  If you test by
downloading packages, you're getting full speed on your connection at
about 120 kilobytes per second.

> Watching the CPU load, I can see a lot of processing going on during
> internet activity.  Besides trying to reduce the active services running
> on the server (like X-Windows), what can I do to optimize this?  Do I
> need to replace the server network cards?

Here are the basics of what I would do:

Start off with the gateway as its own dedicated box, and just the
base install.  You can use a desktop for this, but performance and
security suffer.

When setting up the base system, adding a user for yourself is
optional since the only time you'll be logged into this box is to edit
the configurations.  Avoid logging in to this box if you don't have
to.  Set a good root password, since this is what's out on the net.
Install ssh so you can salvage the monitor and possibly keyboard (if
the system will boot without one) after the install's done.  I
recommend giving the internal interface the IP 192.168.0.1, netmask
255.255.255.0 (network 10 is frequently used by ISPs for their routing
hardware, and just as frequently collides with people's home networks
when people set up their networks without understanding that you're
supposed to use the smallest netblock you need to get the job done,
and not an /8.  If you use network 10, you've got a good chance of
pissing off your netadmin).

Install the ipmasq package if you haven't done so.  It's easier than
going it alone by hand and super-easy to modify to your needs.

If you're not planning on serving anything to the outside world, go
through and add iptables lines in /etc/ipmasq/rules to deny TCP and
UDP connections to all ports from 1 to 1023 on the outside interface.
If you are planning on serving stuff to the outside world, don't deny
the ports those services listen on, instead redirect them to another
system.

You can safely stop here; you should have a working gateway.  If
you've got the resources to spare, go all the way:

Install bind9.  Out of the box it works as a caching nameserver, all
you need to do is edit /etc/bind/named.conf and put your ISP's
nameservers in the forwarders section and restart bind9.  bind9 will
then check its own cache to see if it already knows the answer, then
ask your ISP's nameservers (if they're up), and if all else fails,
ask the root nameservers.  This makes you impervious to your
ISP's DNS servers going down; set your other computers' nameserver to
your gateway.

Install chrony.  Find a time server near you that's fairly accurate
and point chrony to that.  Frequently your ISP's DNS servers are also
time servers.  You can now point your home boxes to your gateway for
time synchronization.

If you want your home network to be "plug and play," install the dhcp
package.  It's pretty straightforward to set up; the minimum
configuration you want to give to DHCP (if you use my suggestion
above) is 192.168.0.3 through 192.168.0.254, subnet mask
255.255.255.0, DNS and NTP server as 192.168.0.1.

Install the squid and adzapper packages.  Set up squid to use adzapper
as a redirector, run about 30 children and disable bypassing
redirectors.  Configure adzapper to run in CLEAR mode.  This gives you
a caching proxy that does a pretty good job about not wasting your
bandwidth on advertising[1].  You may want to crank up the default
cache size and maximum object size, I go with a 5GB cache and 10MB
maximum object size.  If your connection craps out regularly, you can
compensate by enabling offline mode in squid; you'll still be able to
browse the most recently cached information.  Optionally install
calamaris; it will email you daily with squid performance stats
from the last 24 hours, on Sunday with stats from the prior week, and on
the first of the month for the prior month.

Once you have squid working to your satisfaction, check out the
documentation on how to make it a transparent proxy.  Then you won't
have to specify a proxy, all web requests from your network will
automatically go through the proxy.

Last step, and you're done: Invite all your friends over for a LAN
party.  Watch them be amazed that they don't have to coordinate with
each other over who gets what IP, if there's connectivity to the
Internet, what the DNS servers are, etc.  If a bunch of people need to
download game updates from a http server, the first person will
download at the speed of your bandwidth, everybody else will get it as
fast as squid can read it back from memory or the disk.  Check out
your calamaris stats the next day and bask in awe of the cache stats,
and tweak squid's maximum object size if game updates were larger than
that.


[1] Before anybody complains that this robs websites of revenue,
you're paying for the ads to display on your system.  Doing things to
prevent fetching ads is about the same as combating spam; it's not
your fault sites that use advertising have a broken business model.

- -- 
 .''`.     Baloo Ursidae <baloo@ursine.ca>
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+6stdJ5vLSqVpK2kRAjbmAJsFMLP4rQlS0+oK/mvtpzd9PXX7VQCgnGP+
VdubDHbmlKf2YBbCjxZfsz8=
=dPpu
-----END PGP SIGNATURE-----
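The DHCP, bind9 and chrony settings the post describes in prose, written out as config fragments. This is an added example, not configuration from the post or from the Debian packages; the ISP nameserver and time server addresses are placeholders from the RFC 5737 documentation range, the file paths are the usual Debian locations (the dhcpd.conf path varies between the dhcp and dhcp3 packages), and the `option routers` line is assumed since the post does not state it:

```conf
# Added example (not from the original post). Placeholders: 192.0.2.53,
# 192.0.2.54 (ISP nameservers) and 192.0.2.123 (time server).

# dhcpd.conf (dhcp package): hand out 192.168.0.3-254 with the gateway as
# router, DNS and NTP server, as the post suggests.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.3 192.168.0.254;
    option subnet-mask 255.255.255.0;
    option routers 192.168.0.1;              # assumed: the gateway itself
    option domain-name-servers 192.168.0.1;
    option ntp-servers 192.168.0.1;
}

# /etc/bind/named.conf, options section: ask the ISP's resolvers first;
# with the default "forward first" bind9 falls back to the root servers
# when they do not answer, which is the behaviour the post relies on.
options {
    forwarders { 192.0.2.53; 192.0.2.54; };  # placeholder ISP nameservers
};

# /etc/chrony/chrony.conf: take time from one nearby server and allow the
# LAN to sync from the gateway.
server 192.0.2.123                            # placeholder time server
allow 192.168.0.0/24
```

Only the three fragments relevant to the post are shown; each file keeps whatever else the package installed around them.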



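The firewall pieces the post describes (drop TCP and UDP to ports 1-1023 on the outside interface, redirect published services to another box, and the transparent-proxy redirect for squid) as an added example in plain iptables syntax. This is not code from the post or from the ipmasq package: the interface names eth0/eth1, the inside host 192.168.0.2 and the service list are assumptions, and ipmasq already writes the MASQUERADE rule itself, so only the supplementary lines the post asks for are generated:

```shell
#!/bin/sh
# Added example, not part of the original post. Prints the extra iptables
# rules for the gateway layout described in the post; copy them into the
# appropriate file under /etc/ipmasq/rules or pipe the output into sh as root.
# Interface names and the service list are assumptions for illustration.

EXT_IF=eth0                 # assumed outside (Internet-facing) interface
INT_IF=eth1                 # assumed inside interface, holding 192.168.0.1/24
LAN_NET=192.168.0.0/24      # the LAN the post suggests
SQUID_PORT=3128             # squid's default listening port

# Services to publish, as proto:port:inside_host (constructed sample values).
# The post's advice: don't leave them listening on the gateway, DNAT them inward.
SERVICES="tcp:80:192.168.0.2 tcp:22:192.168.0.2"

# DNAT one published port to the inside host and allow the forwarded traffic.
# DNAT happens in PREROUTING, before INPUT, so the privileged-port drops below
# never see these packets; they go to the inside host, not to the gateway.
publish_service() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    host=${rest#*:}
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $host:$port"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $host --dport $port -j ACCEPT"
}

# Drop TCP and UDP to ports 1-1023 arriving on the outside interface. The
# ESTABLISHED,RELATED rule goes first so replies to the gateway's own outbound
# traffic (bind9 forwarding, chrony, apt) still get in even when a reply lands
# on a privileged port.
privileged_deny() {
    echo "iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $EXT_IF -p tcp --dport 1:1023 -j DROP"
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport 1:1023 -j DROP"
}

# Transparent proxy: LAN web traffic is steered into squid on the gateway, so
# no browser needs a proxy setting.
transparent_proxy() {
    echo "iptables -t nat -A PREROUTING -i $INT_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Full supplementary rule set, in the order it should be loaded.
gen_rules() {
    for svc in $SERVICES; do
        publish_service "$svc"
    done
    privileged_deny
    transparent_proxy
}

# Print the rule set when invoked as "sh gateway-rules.sh print".
case "${1:-}" in
    print) gen_rules ;;
esac
```

The squid side of the transparent setup (telling squid to accept intercepted requests) is separate from these rules and is covered by the squid documentation the post points to; the REDIRECT line only delivers the packets.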