MONZ wrote:
> Bernd Eckenfels wrote:
> > In article <39F2CF2F.F71BE884@danbbs.dk> you wrote:
> > > Another thing is funny: ipchains -L takes a l-o-n-g time to finish
> > > showing up masqueraded nets in the forward chain; they get through
> > > one by one, 10-20 secs apart. Definitely seems related.
> >
> > It is a nameserver issue, use -L -n
>
> Not sure. The setup at my customer doesn't differ that much from my own,
> except for two things: Here I am running a caching nameserver, and have
> dhcp on only one netsegment, so I never used dhcrelay.

Did away with dhcrelay, and of course dhcp still worked.

Name resolution still sucks; I simply don't understand what's going on. If I restart network, inet and firewall, the first few hits come blazing through; after that clients sometimes get through, sometimes get the name resolution done, but the site doesn't load, and remaining attempts simply time out, or so it seems. _Any_ attempt right from the firewall, using lynx, goes right through. Ipchains -L goes right through now, though.

Could it be a routing problem? The five segments are:

eth0: 10.10.0.0/16  3c509TX   DHCP, few slow clients
eth1: 10.0.0.0/16   DFE570TX  DMZ<->inet-router
eth2: 10.1.0.0/16   DFE570TX  Servers (when everything works)
eth3: 10.12.0.0/16  DFE570TX  DHCP, clients
eth4: 10.13.0.0/16  DFE570TX  DHCP, clients

Yes, the firewall default router is set to eth1.

As a test, I tried disabling the 3c509TX, though all interfaces do have separate IRQs and I/O. I also tried setting a client up with a fixed IP# and so forth, and also tried using different nameservers; no change. Resolv.conf contains search domain.dk and three nameservers at the ISP.

Gee, I dunno what next to test... Except shutting down interfaces to have only the DMZ and one segment.
-- 
Regards,
Mogens Valentin
Networking - Security - Programming
Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk