Traffic Slow with webproxy transparent

Good morning,
I have an RB1100 with RouterOS 5.24.

I have a big problem.

When navigating with the web proxy enabled, the traffic is slow :frowning:

My configuration is:

Filter

/ip firewall filter
add action=accept chain=input comment="allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="allow related connections" connection-state=related disabled=no
add action=accept chain=forward comment="allow established connections"     connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections"     connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections"     connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="Permette SMTP  - Porta 587 TLS" disabled=no dst-port=587 protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - SMTPS" disabled=no dst-port=465 protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - POP3S" disabled=no dst-port=995 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" disabled=no dst-port=801 protocol=tcp
add action=accept chain=input comment="Accetta accesso Telnet" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=forward disabled=no dst-port=53 protocol=udp
add action=accept chain=input disabled=no dst-port=53 protocol=tcp
add action=accept chain=forward comment="Accetta richieste dai PC della rete al server SysLog" disabled=no dst-port=514 protocol=udp
add action=accept chain=input comment="SSH for secure shell" disabled=yes dst-port=22 protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp

Nat

add action=masquerade chain=srcnat comment="Lan eth02 - Test" disabled=no src-address=192.168.98.0/24
add action=redirect chain=dstnat comment="Webproxy - redirect porta 80 a 8080" disabled=no dst-port=80 protocol=tcp to-ports=8080

WebProxy

                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: 
          max-cache-size: 5242880KiB
           cache-on-disk: yes
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: yes
          cache-hit-dscp: 4
             cache-drive: micro-sd1

Thanks
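
Added example, not part of the original post: a small Python check over export lines like the ones above that lists input-chain accept rules and dstnat redirects carrying no `in-interface`, `src-address` or `src-address-list` matcher, which means they match traffic arriving on any interface. The function names and the embedded sample (rules taken from this thread with `disabled=no` omitted) are assumptions of the example.

```python
import shlex

# Constructed sample: rules from the filter/NAT export in this thread, plus
# the interface-scoped redirect that appears in a later reply.
SAMPLE = '''
add action=accept chain=input connection-state=established
add action=accept chain=input dst-port=8080 protocol=tcp
add action=accept chain=input comment="Accetta accesso Telnet" dst-port=23 protocol=tcp
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input comment="SSH for secure shell" disabled=yes dst-port=22 protocol=tcp
add action=accept chain=forward comment="Permette HTTP" dst-port=80 protocol=tcp
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
add action=redirect chain=dstnat dst-port=80 in-interface=Local protocol=tcp to-ports=3128
'''

# Matchers that limit a rule to a known interface or source.
SCOPE_KEYS = {"in-interface", "src-address", "src-address-list"}


def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict, or None."""
    tokens = shlex.split(line)  # keeps quoted comment="..." values together
    if not tokens or tokens[0] != "add":
        return None
    return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def unscoped_rules(export_text):
    """Return (chain, action, dst-port) for enabled rules with no scope matcher."""
    findings = []
    for line in export_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule.get("disabled") == "yes":
            continue
        chain, action = rule.get("chain"), rule.get("action")
        # Only rules that expose a router service or hijack traffic to the proxy.
        exposes = (chain == "input" and action == "accept") or (
            chain == "dstnat" and action == "redirect")
        if exposes and "dst-port" in rule and not SCOPE_KEYS & rule.keys():
            findings.append((chain, action, rule["dst-port"]))
    return findings


if __name__ == "__main__":
    for chain, action, port in unscoped_rules(SAMPLE):
        print(f"{chain}/{action} on port {port} matches any interface or source")
```

Each finding is a rule to review for an added `in-interface` or `src-address` restriction, as the redirect rule with `in-interface=Local` later in the thread does.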

Is it a single WAN link?
PCC or ECMP?
Then what's your mangle?
Please show your complete configuration with the web proxy.


Best regards

Then what's your mangle?

My mangle is empty.

Is it a single WAN link?

It is a single WAN link.


Any load balancing

Thanks

You should need 1 mangle rule to start with:

/ip firewall mangle
add action=mark-packet chain=output comment="Cache Hits" disabled=no dscp=4 new-packet-mark=cache-hits passthrough=no

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: Dotnet
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 1000
max-server-connections: 1000
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: primary-slave


Best regards

I have inserted the rule, but the problem is the same :frowning:

Thanks

Please show your full configuration.
Maybe something is wrong in your setup …

Best regards

I attach the configuration.
rb1100-1.txt (18 KB)

Thanks for your configuration.
But some change in your /ip firewall Filter or Nat

I am sharing my configuration for your reference,
with the PCC or ECMP load balancing method:
++++
PCC
++++
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=wan1
add address=192.168.4.1/24 network=192.168.4.0 broadcast=192.168.4.255 interface=wan2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=2 check-gateway=ping

/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=Local protocol=tcp to-ports=3128
add action=masquerade chain=srcnat disabled=no out-interface=wan1
add action=masquerade chain=srcnat disabled=no out-interface=wan2

/ip firewall mangle
add action=mark-packet chain=output comment="Cache Hits/Dotnet" out-interface=Local disabled=no dscp=4 new-packet-mark=cache-hits passthrough=no

add action=mark-connection chain=input disabled=no in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes

add action=mark-connection chain=output disabled=no dst-port=80 new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 protocol=tcp

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local dst-port=!80 in-interface=Local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local dst-port=!80 in-interface=Local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 protocol=tcp

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no in-interface=Local new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no in-interface=Local new-routing-mark=to_wan2 passthrough=yes

add action=mark-routing chain=output connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: Dotnet
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 1000
max-server-connections: 1000
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: primary-slave

++++++
ECMP
++++++

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LOCAL
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN1
add address=192.168.4.1/24 network=192.168.4.0 broadcast=192.168.4.255 interface=WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN2
add dst-address=0.0.0.0/0 gateway=192.168.2.1,192.168.4.1 check-gateway=ping

/ ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=LOCAL protocol=tcp to-ports=3128
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

/ ip firewall mangle
add action=mark-packet chain=output comment="Cache Hits/Dotnet" out-interface=LOCAL disabled=no dscp=4 new-packet-mark=cache-hits passthrough=no
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: Dotnet
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 1000
max-server-connections: 1000
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: primary-slave


Best regards

Sorry,
I do not use load balancing.

Thanks

Hello dotnet,

can you help me with that, please?

http://forum.mikrotik.com/t/2-lans-2-wans-pcc-load-balancing-and-proxy/66359/1

How much traffic is passing through the router? Also, the cache drive is a micro SD card; I am not sure this is suitable.

@karina

How much traffic is passing?
It depends on your router (firewall filter & configuration).
Actually, a micro SD card is not suitable for heavy data transfer.


best regards

I have found that the web proxy will max out an RB1100 at about 30MB of redirected traffic, and that's with no caching, only directing to a parent proxy.

@karina

We made a RB1100 with full BGP feed on it. Routing traffic from clients to up to 10 000 random Internet IPs

a) Connection tracking disabled - 1200-1300Mbps
b) Connection tracking enabled, but no firewall rules - 680-750Mbps
c) Connection tracking enabled, all traffic passes through 100 firewall rules - 300-330Mbps

So RB1100 is OK for full BGP feed and 1Gbps throughput, as long as you use it just for this task.
In case you want to do some firewall and queueing just take another RB1100 for this.

This report is published by Normis
http://forum.mikrotik.com/t/rb1100-for-isp/44647/1


best regards