From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Proxy server problem
Date: Sat, 24 Aug 2013 18:25:00 +0100
Message-ID: <201308241825.15336.michaelkintzios@gmail.com>
In-Reply-To: <CAN0CFw2z6=xxJzVSM3hCt9MNKVh1mGX2-eF4SrBmckZ4vmmLVg@mail.gmail.com>

On Saturday 24 Aug 2013 14:23:26 Grant wrote:
> >> I set up squid on a remote system so I can browse the internet from
> >> that IP address. It works but it stalls frequently. I had similar
> >> results with ziproxy. I went over this with the squid list but we got
> >> nowhere as it seems to be some kind of a system or network problem.
> >>
> >> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-3-5-hangs-the-entire-system-td4660893.html
> >>
> >> Can anyone here help me figure out what is wrong? I'm not sure where to
> >> start.
> >>
> >> - Grant
> >
> > Just a quick pointer in case it applies to you: if you tunnel into the
> > proxy machine (using ssh, VPN, proxychains and what not) you would
> > suffer from packet fragmentation, which could quickly snowball. In this
> > case try reducing your mtu to lower values than the default ethernet
> > 1500 byte packets, to cater for the overhead of the larger tunnelling
> > headers.
>
> I've tried disconnecting from my SSH tunnel and changing the mtu on my
> laptop and on the remote proxy server via ifconfig and there is some
> kind of an improvement but I can't narrow it down. I've tried mtu
> down to 1000 on both systems but the proxy server still stalls
> sometimes. Any tips for narrowing this down further?
>
> - Grant

Now that you mentioned using ssh, I don't think that you can improve this. An
mtu at 1000 bytes is lower than I thought might have helped. The problem is
caused by stacking tcp packets (tcp within tcp) each of which is using its own
timeout for failed fragments.

The problem is explained here (tcp meltdown):

http://sites.inka.de/~W1011/devel/tcp-tcp.html

and here (useful relevant references to other works are also made):

http://publications.lib.chalmers.se/records/fulltext/123799.pdf

There are some suggested solutions like increasing buffer size, but I don't
know whether this might work in a real world use case. You can experiment with
different buffer sizes as suggested here and see if it makes a difference:

http://www.cyberciti.biz/faq/linux-tcp-tuning/

If the interruptions are not acceptable to you, you could consider using a
different tunnel method. A network layer VPN, like IPSec (you can use
StrongSwan which also offers IKEv2 and MOBIKE for your laptop, or ipsec-tools
with racoon for IKEv1 only) should work without such problems. You will be
tunnelling tcp in udp packets. If you tunnel to your home router you will
need to configure an IPSec tunnel mode connection, otherwise you would use an
IPSec transport mode connection directly to your server after you allow IP
protocol 50 packets through your router.

HTH.
--
Regards,
Mick
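
One way to measure whether fragmentation is in play on the path to the proxy, instead of guessing MTU values with ifconfig. This is an added example, not part of the original message or thread. It assumes Linux iputils `ping` (`-M do` sets Don't Fragment); the function names and the `PROBE` override hook are hypothetical.

```shell
#!/bin/sh
# Find the largest IPv4 packet that reaches a host without being fragmented.
# Assumption: Linux iputils ping (-M do = set DF bit, -s = ICMP payload bytes).

# Send two DF-flagged echo requests; succeed if at least one reply comes back,
# so a single dropped packet on a flaky link is not mistaken for "too big".
# Arguments: host payload_bytes
probe_df() {
    ping -M do -c 2 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# PROBE names the command used for probing. It can be replaced with another
# function that takes the same two arguments (used for offline testing).
PROBE=${PROBE:-probe_df}

# find_path_mtu HOST [LOW] [HIGH]
# LOW and HIGH are whole-packet sizes in bytes. The ICMP payload for a given
# packet size is size - 28 (20-byte IPv4 header + 8-byte ICMP header).
# Prints the path MTU, or returns 1 if nothing gets through at LOW.
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}

    # No reply at the smallest size: host down or ICMP echo filtered.
    if ! "$PROBE" "$host" $((lo - 28)); then
        echo "no reply at $lo bytes: host down or ICMP filtered" >&2
        return 1
    fi

    # Invariant: a packet of size lo passes. Search for the largest that does.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" "$host" $((mid - 28)); then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# Run only when a host is given on the command line.
if [ "$#" -ge 1 ]; then
    find_path_mtu "$@"
fi
```

A result below 1500 on the direct path means a hop between the two hosts already has a smaller MTU than the local Ethernet interface. A host or firewall that drops ICMP echo makes every probe fail, which the script reports instead of printing a size.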