Re: diagnosing network speed bottlenecks [SOLVED]
On Wed, Sep 30, 2009 at 9:47 PM, Greg Rundlett (freephile) g...@freephile.com wrote: Sorry, I was misreading Comcast service as being measured in megaBytes (big B) while it's actually stated in megabits (little b). Be aware there's no standard symbol for bytes, bits, or octets. The B = byte, b = bit convention used by some is by no means universal. When dealing with communications, I always spell out byte or bit, for this reason. In communications technology, speeds are almost always given in bits per second. Further, prefixes like mega and kilo are almost always the actual SI prefixes, not the binary prefixes. In other words, one kilobit/sec is 1000 bits per second, not 1024 bits per second. For those interested in history, there is a technical reason for this difference: Computers don't process bits, they process machine words (e.g., on i386, a word is 32 bits). Storage devices generally store blocks. For example, IDE and SATA hard disks work with blocks of 512 octets. So the machine is actual incapable of working with 10 bytes or 1000 bytes as unit quantities. If you want 1000 octets of SATA disk, the computer had to work with two blocks totaling 1024 octets. So working in bytes, with unit quantities based on multiples of 2, makes sense. (Which is why computer scientists adopted a bastardized version of the SI prefixes: They needed prefixes. SI already had a system of prefixes, in base ten. The base ten multiples weren't useful, but the prefix names were handy. In retrospect, that was a bad move, as the double meaning of the prefixes has caused endless confusion since. It's not always clear by context even when everyone is being honest. And salesmen always use the meaning that makes their product sound better.) Communications equipment, on the other hand, is almost always serial in nature. You send a bit, then another bit, then another bit. It's up to higher levels in the communications stack to impose framing. With dial-up modems, you have to tell the system how many bits are in a byte, and how many stop bits come after each byte, because those concepts don't exist in the serial data stream itself. In the world of cable modems, that's all handled by the DOCSIS specs, but on the wire, it's still fundamentally a serial data stream. So the transceiver works in bits per second. There's no byte at that level. 1024 bits isn't anything in particular. 1000 bits isn't anything in particular, either, but the SI system uses multiples of ten, so that's what the telecom world adopted. (And the telecom world was already using bits per second for voice encoding back when the computer world was just getting started -- there was no standard for word and byte size back then. If they could have seen into the future, they might have picked the binary prefix system instead, just to be consistent with the major application.) -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
[GNHLUG] [DLSLUG-Announce] DLSLUG: next meeting November 5th
Just a quick note so everybody knows the next meeting will be November 5th. We'll be in Haldeman 041 (with desktop power), so we'll do the encryption / key-signing meeting then. -Bill -- Bill McGonigle, Owner BFC Computing, LLC http://bfccomputing.com/ Telephone: +1.603.448.4440 Email, IM, VOIP: b...@bfccomputing.com VCard: http://bfccomputing.com/vcard/bill.vcf Social networks: bill_mcgonigle/bill.mcgonigle ___ DLSLUG-Announce mailing list dlslug-annou...@dlslug.org http://dlslug.org/mailman/listinfo/dlslug-announce ___ gnhlug-announce mailing list gnhlug-annou...@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-announce/ ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: diagnosing network speed bottlenecks [SOLVED]
On Thu, Oct 1, 2009 at 12:28 PM, Jerry Feldman g...@blu.org wrote: Basically, (as you did mention in the last paragraph) data communications are almost always serial. However dialup modems are capable of transmitting synchronized signals. I didn't think this was the case, but I just checked the V.32 standard, and it does indeed say that the signaling on the telephone line is synchronous. Now, I think every modem I've encountered only implemented the RS-232 lines needed for async. So the modem must be buffering synchronous data to/from the telephone line internally, so it can go back and forth to the host asynchronously. The host then has to buffer the UART for the same reasons. How's that for backwards? :) But it's still serial, and still bit oriented. Synchronous transmission doesn't necessarily mean you have to have only one particular framing discipline. -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
VPN problem...
I recently was relating on the list how a client was having a problem with their Linksys BEFSX41 router and the solution was that Linksys RMA'd the router. They apparently have removed the BEFSX41 model from their active product list so they sent me a BEFVP41 v2 model. I received it yesterday, configured it and tested it from my office network. The router was set to obtain it's WAN address dynamically from it's WAN connection. It connected fine to a wireless bridge that I use for this purpose and I could surf the web from behind it with a PC. I then configured the VPN tunnel exactly as the old router was set up and it immediately connected to the customer's end point and I could ping systems located at the end point LAN. I tore down the setup and put the router in a container to set up at my client's location this morning. I got to the client site and thought that all that was going to be necessary was to set the WAN address of the Linksys router to match the static address being provided by Comcast at the customer location. As soon as I did that I was able to connect to the internet from behind the router. But I then noticed that the VPN was not connected. Since the VPN settings were identical to the previous router there shouldn't have been a problem. For the fun of it I set the router to obtain it's WAN address dynamically and immediately the VPN tunnel connected. I checked the logs but didn't see anything obviously wrong. I did notice that when the router is setup to use a dynamic address, it has the correct date and time. When it's set up with a static address the status page says time unavailable. I think this might be part of the problem. If the router doesn't know the time (perhaps the clock can't be used?) then the VPN connection might not work. I'm also puzzled as to what server it's requesting date/time data from. It has the ability to manually set the time zone but doesn't give any choices as to which ntp server to use. Does anyone have any ideas? So far Linksys support hasn't been very useful. -Alex ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On Thu, Oct 1, 2009 at 4:59 PM, Alex Hewitt hewitt_t...@comcast.net wrote: If the router doesn't know the time .. then the VPN connection might not work. Quite possible. If it's using X.509 certificates (like SSL does), one can specify effective and expiration dates in the certificate. If they are set, and the LinkSys box is checking them, having the wrong time will likely cause it to conclude its certificate is invalid. Any idea what protocols the LinkSys is using? IPsec? IKE? SSL/TLS? X.509? Does anyone have any ideas? (1) Check for a firmware update. (2) Look for a way to set the clock manually (no time server). (3) Set up a DHCP reservation on the WAN side for the LinkSys box, and give an NTP server in the DHCP options, in the hope that time is actually the problem, and the LinkSys box will listen. Beyond that, you're at the mercy of the vendor. Which leads me to: (4) I've never heard anything good about SOHO+VPN scenarios. Which in turn leads me to: (4)(a) Throw out the SOHO crap and buy a real VPN appliance. (4)(b) Grab a couple PCs, install Linux and OpenVPN, and use that. Again: SOHO stuff has its uses. I had a LinkSys router+WAP+switch at home, and was happy with it. Their products are appropriate for home use, and I recommend them for that. If you're running a real business on them, you're crazy. :) -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: diagnosing network speed bottlenecks [SOLVED]
P.S.: On Thu, Oct 1, 2009 at 12:28 PM, Jerry Feldman g...@blu.org wrote: Actually, it really does not matter because very few of us actually use a phone modem any longer. That too. :-) -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: RCN business services reliability and bandwidth
On Thu, Oct 1, 2009 at 1:04 PM, Jerry Feldman g...@blu.org wrote: So when they run our product it is X over IP, which is very slow (and considerably slower since the upgrade). There were ways to manipulate the X protocol to perform better over high-latency links, with things like special proxy servers, compression algorithms, etc. They may still work to help that. Another option would be to run a VNC X desktop locally, and then export the VNC session remotely. As I recall, VNC can be pretty good over a high-latency link if you tweak the right options and aren't doing high res graphics work. Also, is it possible to bypass the doubled-up remote GUI thing? Maybe export X or VNC or whatever directly from Boston to the field client, bypassing the Citrix GUI repeater? That's going to kill performance, I'm sure. Citrix has all sorts of products and options for remote access. Even something as simple a port forwarding rule might do it for you. I know this isn't the problem you asked about, but speeding up the GUI is likely to yield other benefits, too, so it's worth thinking about anyway. And once it's done, you don't have to pay as much for Internet feeds. RCN's service is assymetric 20Mbps/2Mbps for a savings of several hundred bucks a month. I have no experience with RCN in the past decade, I'm afraid. But the usual recommendation is to ask to see the SLA (Service Level Agreement) terms. I know when I looked at Comcast's SLA for their 2 mbit/sec symmetric feed, the terms were a joke. It basically just said Comcast would feel extra bad if their symmetric feed failed to deliver. And Comcast was the one who got to decide if they were delivering or not; they disclosed no metrics. -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On Thu, 2009-10-01 at 16:59 -0400, Alex Hewitt wrote: For the fun of it I set the router to obtain it's WAN address dynamically and immediately the VPN tunnel connected. I checked the logs but didn't see anything obviously wrong. I did notice that when the router is setup to use a dynamic address, it has the correct date and time. When it's set up with a static address the status page says time unavailable. I think this might be part of the problem. If the router doesn't know the time (perhaps the clock can't be used?) then the VPN connection might not work. I'm also puzzled as to what server it's requesting date/time data from. It has the ability to manually set the time zone but doesn't give any choices as to which ntp server to use. Does anyone have any ideas? So far Linksys support hasn't been very useful. Name servers??? The DHCP server provides good name servers. You have a static name server setup that limps along at the client (blocked from recursive queries??). -- Lloyd Kvam Venix Corp DLSLUG/GNHLUG library http://dlslug.org/library.html http://www.librarything.com/catalog/dlslug http://www.librarything.com/rsshtml/recent/dlslug http://www.librarything.com/rss/recent/dlslug ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On Thu, Oct 1, 2009 at 5:50 PM, Hewitt_Tech hewitt_t...@comcast.net wrote: Any idea what protocols the LinkSys is using? IPsec? IKE? SSL/TLS? X.509? It's definitely using IKE. Okay, IPsec with IKE can use PSK or X.509 certificates. Which one is your LinkSys using? If it's PSK (pre-shared keys, also called a shared secret), you have to enter the same password into both devices. There will be no clock time element involved. So that isn't the problem. (I think.) If it's X.509 certificates, you either register the device with a Certificate Authority, or you exchange peer certificates between each device. X.509 allows the time stuff. so that *MAY* be the problem. If you want to persue the certificate+time thing: Does the device have the option of letting you load your own certificate and key? If so, you could use OpenSSL's CA support on a Linux box to generate certificates for each device, specifying a Not Before date of 1/1/1900 or whatever the device thinks the date is. One word of warning: If you haven't used the OpenSSL CA stuff already, it is extremely cryptic and very poorly documented. Even by Linux standards. It doesn't help that X.509 is a nightmare, too. It will probabbly be cheaper to just buy a real VPN box than spend the time and effort in figuring it all out -- especially since we're not even sure that's the problem. -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On Thu, 2009-10-01 at 18:50 -0400, Hewitt_Tech wrote: Thanks for the help guys. I fixed it by setting up the cable modem as I was describing. I changed the Linksys router to get it's WAN address dynamically. I then re-configured the cable modem to create a DMZ which only has one computer (in this case the router). I changed the cable modem's DHCP lease to forever so that the IP address being used by the Linksys router wouldn't change. I then noticed that the WAN IP address was switched by the cable modem to what had previously been the gateway address (which was one off the original WAN IP address). I've seen DSL modems with 2 modes of behavior: * bridge mode where they simply translate DSL/Ethernet bits which is what you want if you supply the router * NAT/router mode where the modem assumes router/firewall duties I don't know if the cable modems offer similar capabilities. The DSL mode was controlled by the phone company and set by tech-support. I was helping a friend install a wireless router and was lucky to encounter a phone company tech support person who knew what she was doing. Perhaps your cable modem switched from bridge mode to router mode when the customer router was removed. So it's up and running despite the weirdness that the Linksys router was displaying. -Alex -- Lloyd Kvam Venix Corp DLSLUG/GNHLUG library http://dlslug.org/library.html http://www.librarything.com/catalog/dlslug http://www.librarything.com/rsshtml/recent/dlslug http://www.librarything.com/rss/recent/dlslug ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On Thu, Oct 1, 2009 at 7:48 PM, Lloyd Kvam pyt...@venix.com wrote: I've seen DSL modems with 2 modes of behavior: * bridge mode ... * NAT/router ... I don't know if the cable modems offer similar capabilities. It's a bit different in cable-modem-land. DSL is typically running some kind of PPP feed, so in bridge mode, you need to run your own PPPoE service. Cable is presented more like a regular Ethernet broadcast medium. Most cable modems I've seen act like bridges: You're on one big subnet with all your neighbors. You can see their broadcast traffic. You request a DHCP lease, just like you do on a corporate LAN, and get it from a cable company DHCP server somewhere. This is what I've seen Comcast provide in every residential install. I have seen cable modems with integrated routers. Conceptually, these are the same as other SOHO routers, except the Internet port is a coaxial F connector instead of an Ethernet jack. They typically combine a NAT router, firewall, WAP, Ethernet switch, coffee maker, etc., just like the more general SOHO gateways do. When we subscribed to Comcast's business service with a static IP address, they gave us something like the later. It appears to be a halfheartedly[1] re-badged SMC8014. Built-in four port Ethernet switch. It was configured to do NAT, and assigned IP addresses via DHCP in the 10.1.10.0/24 subnet. But the static IP address is also configured on the Ethernet switch. In other words, the LAN side of the integrated router has multiple IP addresses. You can manage the LAN side by going to http://10.1.10.1/. Default username is cusadmin; default password is highspeed. I recommend changing the password. :) [1] The front panel says Comcast, but the top of the case still has a giant SMC molded into the plastic. -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
tweaking sockets / OS parameters for speed
Have a client-server app that is set up to communicate over a local Gbit network. The bottleneck appears in the client to server uplink for large payloads. At this point it isn't clear where the delay is, (client or server side) but the sustained rate is not good enough. Can anyone recommend some tweaks at the OS level? Google has revealed quite a few, such as editing values in sysctl.conf. What appears to be missing for me is a coherent way to figure out decent values. The BDP product for the link is ~ 25K since the RTT is 0.2 ms maximum. I've also tried using setsockopt to set TCP_NODELAY. It doesn't seem to make much of a difference. Changing the data from double to float only reduced the uplink time by ~10%. Kind of puzzling to me since the payload reduced in size by 50%. Any suggestions? Places to look? Guess it is time for wireshark... Anything else? Thanks, Bruce ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
Ben Scott dragonh...@gmail.com writes: On Thu, Oct 1, 2009 at 5:50 PM, Hewitt_Tech hewitt_t...@comcast.net wrote: Any idea what protocols the LinkSys is using? IPsec? IKE? SSL/TLS? X.509? It's definitely using IKE. Okay, IPsec with IKE can use PSK or X.509 certificates. Which one is your LinkSys using? [...] If you want to persue the certificate+time thing: Does the device have the option of letting you load your own certificate and key? If so, you could use OpenSSL's CA support on a Linux box to generate certificates for each device, specifying a Not Before date of 1/1/1900 or whatever the device thinks the date is. One word of warning: If you haven't used the OpenSSL CA stuff already, it is extremely cryptic and very poorly documented. Even by Linux standards. It doesn't help that X.509 is a nightmare, too. It will probabbly be cheaper to just buy a real VPN box than spend the time and effort in figuring it all out -- especially since we're not even sure that's the problem. When I started using x.509 certificates with openVPN, I found that the OpenSSL CA stuff was sufficiently documented in an easy-to-understand way--just not in the OpenSSL documentation :) The *OpenVPN* manpage actually provided (and still does) simple instructions in the style of `this is the command that you need to run to generate a CA key and certificate, and this is the commands that you need to run on each system to generate keys and associated certificates signed by the CA that you just created'. When I forget how to use OpenSSL, I still refer to the OpenVPN documentation. -- Don't be afraid to ask (Lf.((Lx.xx) (Lr.f(rr. ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: diagnosing network speed bottlenecks [SOLVED]
On 10/01/2009 12:28 PM, Jerry Feldman wrote: Actually, it really does not matter because very few of us actually use a phone modem any longer. Ah, city folk. ;) -Bill (in 35% dial-up country) -- Bill McGonigle, Owner BFC Computing, LLC http://bfccomputing.com/ Telephone: +1.603.448.4440 Email, IM, VOIP: b...@bfccomputing.com VCard: http://bfccomputing.com/vcard/bill.vcf Social networks: bill_mcgonigle/bill.mcgonigle ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: RCN business services reliability and bandwidth
On 10/01/2009 05:33 PM, Ben Scott wrote: There were ways to manipulate the X protocol to perform better over high-latency links, with things like special proxy servers, compression algorithms, etc. At the risk of being on-topic, the FreeNX suite is an implementation of this with those goals in mind. -Bill -- Bill McGonigle, Owner BFC Computing, LLC http://bfccomputing.com/ Telephone: +1.603.448.4440 Email, IM, VOIP: b...@bfccomputing.com VCard: http://bfccomputing.com/vcard/bill.vcf Social networks: bill_mcgonigle/bill.mcgonigle ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: VPN problem...
On 10/01/2009 08:06 PM, Ben Scott wrote: [1] The front panel says Comcast, but the top of the case still has a giant SMC molded into the plastic. Same model here. After turning off all of its 'features', it seems to work well. The only trick was changing the management interface to run on a private IP range I wasn't using on my LAN and setting the static route on my real firewall so I could still get to it. But with that done I haven't been able to blame anything on their router (up since May 1). -Bill -- Bill McGonigle, Owner BFC Computing, LLC http://bfccomputing.com/ Telephone: +1.603.448.4440 Email, IM, VOIP: b...@bfccomputing.com VCard: http://bfccomputing.com/vcard/bill.vcf Social networks: bill_mcgonigle/bill.mcgonigle ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: tweaking sockets / OS parameters for speed
On 10/01/2009 08:36 PM, Bruce Labitt wrote: Any suggestions? Places to look? Guess it is time for wireshark... Anything else? Are you supporting jumbo frames all the way through your stack? -Bill P.S. if you reply to a message and change the subject, the In-Reply-To headers are preserved, so message nesting gets messed up on threaded readers. Best to create a new message for a new thread. /listmom -- Bill McGonigle, Owner BFC Computing, LLC http://bfccomputing.com/ Telephone: +1.603.448.4440 Email, IM, VOIP: b...@bfccomputing.com VCard: http://bfccomputing.com/vcard/bill.vcf Social networks: bill_mcgonigle/bill.mcgonigle ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
