At 10:34 98-11-17 +1100, Robert Thomas wrote:
>Wensong Zhang wrote:
>
>> You must set the default route of hosts 203.63.158.2 and 203.63.158.9 to
>> 203.63.158.10. Because in the current virtual server implementation, the
>
>Yup, figured that one out, and I've actually managed to get it working - the
>trick was the ipfwadm -F -a m .. line that was hidden, too 8-)
>
>> By the way, you can use the private internet for your proxy servers.
>
>I did that when I was originally setting it up. But, for some unknown reason,
>using 10.1.3.x address space resulted in -very- slow accepts of the

It will be a little bit slow when private internet addresses are used for
proxy servers, because the proxy servers access the Internet through the
virtual server box's IP Masquerading. There are over 4,000 concurrent
network connections for your proxy servers, so you need to adapt some kernel
parameters for good performance. For example, if the number of expected
concurrent connections is 30,000, tune the parameters as follows to increase
the free masquerading ports and hash table size:

linux/include/net/ip_masq.h
    ...
    #define PORT_MASQ_BEGIN 32000
    #define PORT_MASQ_END (PORT_MASQ_BEGIN+32768)

linux/net/ipv4/ip_masq.c
    ...
    #define IP_MASQ_TAB_SIZE 65536

I don't know why it was -very- slow when private internet addresses were
used. Maybe we can analyze it if you would like to describe your network
topology, including your routers, in detail and what your virtual proxy
server is for.

>connections. I ended up using a real, routable, address space, and forcibly
>routing those addresses (inwards) through the virt server. It's now pretty
>quick. At the moment, I've got it set up with only one machine on the private
>lan, and I'm in the middle of getting ready to move some more of the proxies
>onto it 8)
>
>Here's the current setup:
>
>
>203.63.158.9,2,10,others 8-) vv eth0
>----100mb switched segment----proxy0
> eth1 | 203.63.12.2 203.63.12.3
> 203.63.12.1 ^^ | proxy1 proxy2
> | | |
> x--+--------^-------------------^----x
>

Would you please tell me who is using this virtual proxy server? If you just
provide it for your dial-in users, and proxy1 and proxy2 reach them via the
virtual server box, that's OK. If not, and proxy1 can reach the proxy users
without routing through the virtual server box, I don't think it will work.
:-)

>At the moment, the machines are on a pretty basic unswitched 10mb LAN, but
>it'll be nice and easy to upgrade to a decent 100mb full-duplex if I start
>getting a bottleneck there.
>
>My next task is to figure out if I can redirect to the local machine, so I can
>put Squid on 203.63.12.1 as well as 2 and 3.
>
>--Rob
>
>