Hi,

My previous question about which chain/table to use for TEE on the "out interface" is because if I only use this:

IPTABLES(TEE --gateway $IPS_SOC_PROBE):P ${IF_LAN}.13 - !udp

then I have no network performance issues. However, if I use the following in mangle:

IPTABLES(TEE --gateway $IPS_SOC_PROBE):P ${IF_LAN}.13 - !udp
IPTABLES(TEE --gateway $IPS_SOC_PROBE):T - ${IF_LAN}.13 !udp

then I'm starting to see trouble. I have sporadic ping failures between hosts in ${IF_LAN} and ${IF_LAN}.13. The amount of traffic is really "not that much", way below the hardware limit. Furthermore, there are only 3 hosts behind ${IF_LAN}.13.

I'm pretty sure that if I increase the number of hosts/servers behind ${IF_LAN}.13 and only set the first rule (-i ; PREROUTING) then I will not have any network issues. I am under the impression that the POSTROUTING rule is the cause of what I'm seeing.

Switching to FORWARD (:F) instead of POSTROUTING (:T) seems to yield fewer performance issues, but I'm just getting to this conclusion by observing continuous ping results in different time frames. It's not a thorough analysis.

Why do you think this could be?

Vieri