On 7/3/2012 5:05 AM, Ezequiel Birman wrote:
"Eliezer" == Eliezer Croitoru <elie...@ngtech.co.il> writes:

     > hey there Ezequiel, the Cisco RV042 is a nice product but..  100
     > users on this device might not be the problem.  i think that the
     > main problem is the wan connections themselves.  if it's a cable
     > line with 6 and 3 Mbps bandwidth is the problem and not routing.
     > 100 users means that each user gets about 9 Kbps if will be
     > divided equally.  in the case that most of your bandwidth usage is
     > http the squid can help you.  i would first make a basic analysis
     > of the network traffic and make sure what is consuming the speed.
     > instead of doing some tricks and replacing the RV042 i would start
     > with linux bridge between the switch and the RV042.

I think you are right, and since upload speeds are even slower that must
be the culprit.

     > you can use this box to analyze the network traffic and with just
     > 2 nics.  also you can block p2p using ipp2p iptables module and
     > use squid+tproxy to serve cache content.

     > i have used this setup with ubuntu before and it made the effect!
     > today ubuntu 12.04 LTS will give you everything you need.  if you
     > want you can add snmp and other tools for graphing and other
     > stuff..


     > with squid as bridge you do not need to bother yourself with the
     > wan settings\load balancing and setting the linux box as dhcp or
     > routing stuff.  what i would recommend for you in this kind of
     > setup is to make the squid box as dns server(cache and forward
     > dns).

From what I gather, squid is capable of caching DNS, right? Or will I
need bind too?

you also need bind because the clients will query the server and not squid. squid has an internal dns cache.

     > using this setup you can test settings very easily on part of the
     > clients or test computer.

     > for network usage analysis you can use ntop, it also gives p2p and
     > other protocols detection.

I am trying it right now, nice!

     > so the setup i propose is not from your list:

     > 5)
     > wan1---+--------+   +------------+
     >        | RV042  |---|squid\bridge|--switch-+--[lan clients]
     > wan2---+--------+   +------------+

     > - RV042 = LB and wan gateway.
     > - squid = bridge + NTOP + p2p block\throttling + http cache

Thanks, I am giving it a try.

I'll start by following

http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting

this is a good way to start but it won't be a transparent proxy but a "nat" proxy but it can be good for your needs as anyway you have nat in the RV042.

which seems similar to what I am trying to achieve. If I am mistaken,
please let me know.

and also most of
http://wiki.squid-cache.org/Features/Tproxy4
tproxy will give you the benefit of some graphing tools with a more accurate vision on your clients requests.


update me

Regards,
Eliezer

     > things you should consider about pfsense and ClearOS:
     > - they do have nice web interface but lack updated software.
     > - they take up from your machine more than you need.
     > - they leave you in the big cloud of "what to h### happen when i
     >   did apply???"

     > about accessing the squid in this setup the box is behind nat so
     > it's ok and if you will ever decide that you want the squid to
     > take over the RV042 LB and dhcp you can just use iptables to block
     > access to squid port or bind squid only to local net port and
     > of course the basic way of acls to allow only local users access.

     > about content filtering: i prefer to use squidguard and not
     > dansguardian.  there is always the option of using some icap server
     > such as qlproxy.

     > about cache: i have composed a nice method to cache youtube and
     > some other dynamic content video sites using icap and squid.  (now
     > working on embedding filtering in my icap server based on public
     > blacklists.)

Maybe I'll try that after basic http :)

     > it's a nice project you have there.

     > i will be happy to talk with you about it.

     > Regards, Eliezer

     > -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for
     > Nonprofit organizations eliezer <at> ngtech.co.il


Thanks for sharing your insights.



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
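
The access restriction described in the message above (bind squid only to the local net address and use acls so only local users get access), as an added squid.conf example that is not part of the original thread. The LAN range 192.168.1.0/24 and the squid box address 192.168.1.2 are assumed for illustration.

```conf
# squid.conf fragment: added example, not from the thread.
# Assumed (constructed) addressing: LAN 192.168.1.0/24, squid box 192.168.1.2.

# Weak: listen on every interface and accept any client.
#   http_port 3128
#   http_access allow all

# Corrected: listen only on the LAN-side address of the box.
http_port 192.168.1.2:3128

# Define who counts as a local client.
acl localnet src 192.168.1.0/24

# Limit the destination ports the proxy will connect to.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Order matters: the first matching http_access line decides.
http_access allow localnet
http_access deny all
```

After a reload, a request to port 3128 from an address outside the assumed LAN range should be refused with an access-denied error, which is a quick check that the final deny rule is in effect.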

