Re: [squid-users] Re: transparent (intercepting?) without wccp, options?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 03 Jul 2012 11:46:31 +0300

On 7/3/2012 5:05 AM, Ezequiel Birman wrote:
>>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:
>
> > Hey there Ezequiel, the Cisco RV042 is a nice product, but.. 100
> > users on this device might not be the problem. I think that the
> > main problem is the WAN connections themselves. If it's a cable
> > line with 6 and 3 Mbps, bandwidth is the problem and not routing.
> > 100 users means that each user gets about 9 Kbps if it is
> > divided equally. In the case that most of your bandwidth usage is
> > HTTP, Squid can help you. I would first make a basic analysis
> > of the network traffic and make sure what is consuming the speed.
> > Instead of doing some tricks and replacing the RV042 I would start
> > with a Linux bridge between the switch and the RV042.
>
> I think you are right, and since upload speeds are even slower, that must
> be the culprit.
>
> > You can use this box to analyze the network traffic with just
> > 2 NICs. Also you can block P2P using the ipp2p iptables module and
> > use Squid + TPROXY to serve cached content.
>
> > I have used this setup with Ubuntu before and it made the effect!
> > Today Ubuntu 12.04 LTS will give you everything you need. If you
> > want you can add SNMP and other tools for graphing and other
> > stuff..
>
>
> > With Squid as a bridge you do not need to bother yourself with the
> > WAN settings / load balancing and setting the Linux box as DHCP or
> > routing stuff. What I would recommend for you in this kind of
> > setup is to make the Squid box a DNS server (cache and forward
> > DNS).
>
> From what I gather, Squid is capable of caching DNS, right? Or will I
> need BIND too?
You also need BIND because the clients will query the server and not
Squid. Squid has an internal DNS cache.
>
> > Using this setup you can test settings very easily on part of the
> > clients or on a test computer.
>
> > For network usage analysis you can use ntop; it also gives P2P and
> > other protocol detection.
>
> I am trying it right now, nice!
>
> > So the setup I propose is not from your list:
>
> > 5) wan1---+--------+   +------------+
> >           | RV042  |---|squid\bridge|--switch-+--[lan clients]
> >    wan2---+--------+   +------------+
>
> > - RV042 = LB and WAN gateway.
> > - Squid = bridge + ntop + P2P block/throttling + HTTP cache
>
> Thanks, I am giving it a try.
>
> I'll start by following
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
>
This is a good way to start, but it won't be a transparent proxy but a
"NAT" proxy; still, it can be good for your needs, as you have NAT in
the RV042 anyway.

> which seems similar to what I am trying to achieve. If I am mistaken,
> please let me know.
>
> and also most of
> http://wiki.squid-cache.org/Features/Tproxy4
TPROXY will give you the benefit of some graphing tools with a more
accurate view of your clients' requests.

Update me.

Regards,
Eliezer
>
> > Things you should consider about pfSense and ClearOS:
> > - they do have a nice web interface but lack updated software.
> > - they take up more of your machine than you need.
> > - they leave you in the big cloud of "what the h### happened when I applied???"
>
> > About accessing Squid in this setup: the box is behind NAT so
> > it's OK, and if you ever decide that you want Squid to
> > take over the RV042 LB and DHCP you can just use iptables to block
> > access to the Squid port, or bind Squid only to the local net port, and
> > of course the basic way of ACLs to allow only local users access.
>
> > About content filtering: I prefer to use SquidGuard and not
> > DansGuardian. There is always the option of using some ICAP server
> > such as qlproxy.
>
> > About cache: I have composed a nice method to cache YouTube and
> > some other dynamic-content video sites using ICAP and Squid. (Now
> > working on embedding filtering in my ICAP server based on public
> > blacklists.)
>
> Maybe I'll try that after basic HTTP :)
>
> > It's a nice project you have there.
>
> > I will be happy to talk with you about it.
>
> > Regards, Eliezer
>
> > -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for
> > Nonprofit organizations eliezer <at> ngtech.co.il
>
>
> Thanks for sharing your insights.
>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
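The reply above draws a line between the "NAT" proxy the Debian wiki
recipe gives you (iptables REDIRECT plus an "intercept" port) and a real
TPROXY setup (no address rewriting, so Squid keeps the client's address and
per-client graphs stay accurate). The script below is an added example, not
code from this thread or from the Squid project; it prints, and with --apply
runs, the kernel-side commands for both modes on a Linux bridge like the one
sketched in the diagram, following the DIVERT/TPROXY pattern documented on
the Tproxy4 wiki page linked above. The interface name br0, the ports 3129
and 3130, fwmark 1 and routing table 100 are assumed defaults, not values
from the thread; override them through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Emits (and optionally applies) the iptables/ebtables/ip commands that pull
# port-80 traffic crossing a Linux bridge into Squid, in the two modes the
# thread contrasts: a NAT-style REDIRECT ("intercept") proxy and TPROXY.
# Hypothetical defaults, override via environment: bridge br0, Squid
# intercept port 3129, TPROXY port 3130, fwmark 1, routing table 100.

BRIDGE="${BRIDGE:-br0}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"
TPROXY_PORT="${TPROXY_PORT:-3130}"
TPROXY_MARK="${TPROXY_MARK:-1}"
TPROXY_TABLE="${TPROXY_TABLE:-100}"

# Kernel knobs: bridged frames must be handed to iptables, and the box must
# forward whatever it does not proxy.
gen_sysctl() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Pull port-80 frames out of the pure bridge path so the local IP stack
# (and thus the PREROUTING rules below) sees them.
gen_broute() {
    echo "ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP"
}

# Mode "redirect": REDIRECT rewrites the destination to the bridge's own
# address and the intercept port. Squid works, but origin servers see the
# bridge IP rather than the client, which is why the thread calls it a
# "NAT" proxy.
gen_redirect_rules() {
    echo "iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT"
}

# Mode "tproxy": no address rewriting. Packets are marked and routed to a
# local socket; Squid then spoofs the client address on its outbound side,
# so per-client accounting stays accurate.
gen_tproxy_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $TPROXY_MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j TPROXY --tproxy-mark 0x$TPROXY_MARK/0x$TPROXY_MARK --on-port $TPROXY_PORT
ip rule add fwmark $TPROXY_MARK lookup $TPROXY_TABLE
ip route add local 0.0.0.0/0 dev lo table $TPROXY_TABLE
EOF
}

# The matching squid.conf listener for each mode. The port flag must agree
# with the kernel side: an "intercept" port fed by TPROXY (or vice versa)
# gives forwarding loops and wrong-destination errors.
gen_squid_conf() {
    case "$1" in
        redirect) echo "http_port $INTERCEPT_PORT intercept" ;;
        tproxy)   echo "http_port $TPROXY_PORT tproxy" ;;
        *) echo "unknown mode: $1 (use redirect|tproxy)" >&2; return 1 ;;
    esac
}

# Full plan for one mode: sysctls, ebtables, then the mode's rules, with the
# squid.conf line shown as a comment for pasting into squid.conf by hand.
plan() {
    conf=$(gen_squid_conf "$1") || return 1
    gen_sysctl
    gen_broute
    case "$1" in
        redirect) gen_redirect_rules ;;
        tproxy)   gen_tproxy_rules ;;
    esac
    echo "# squid.conf: $conf"
}

# Usage: sh squid-bridge-rules.sh [redirect|tproxy] [--apply]
# Without --apply the commands are only printed; with it they are piped to
# sh -e so the first failing command stops the whole sequence.
MODE="${1:-tproxy}"
if [ "${2:-}" = "--apply" ]; then
    plan "$MODE" | grep -v '^#' | sh -e
else
    plan "$MODE"
fi
```

Run it once without --apply and read the output before applying anything:
the REDIRECT plan touches only the nat table, while the TPROXY plan adds a
mangle chain plus a policy-routing rule and a local route, which is what
makes the marked packets land on Squid's socket without changing their
destination address.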
Received on Tue Jul 03 2012 - 08:46:37 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 04 2012 - 12:00:02 MDT