On Tuesday 12 November 2019 11:37:29 Fatih USTA wrote:
> Hi Pierluigi,
>
> If you don't have ip address on br0 interface.

But, Fatih, I do have an IP address on br0:

root@firewall:~# ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.1.51 netmask 255.255.255.0 broadcast 10.0.2.255

> If you have an IP address on br0 interface then you should check
> net.ipv4.ip_forward sysctl parameters. (value should be 1)

Routing is enabled:

root@firewall:~# sysctl -a| grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

>
> My other advice to you.
> 1- Use external Ethernet for SYN Proxy.
> /usr/sbin/iptables -A INPUT -m physdev --physdev-in $external_iface_eth0
> -p tcp -m tcp -m conntrack --dport 81 --ctstate INVALID,UNTRACKED -j
> SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1323

I will try this, but, as I said in my mail, I have tried SYNPROXY on both
the physical interfaces (eth0, eth1, eth2, all with IP addresses) and the
bridge interfaces.

> 2- If you set 0 this parameters then you take the better performance.
>
> net.ipv4.tcp_timestamps = 1

Already on.

root@firewall:~# sysctl -a| grep net.ipv4.tcp_timestamps
net.ipv4.tcp_timestamps = 1

>
> 3- Last advice.
> If you are using HTTPS connection then don't set wscale. And you may use
> mss 1460.
>

I will try with this, but I suspect it will not change my problem.

Thanks for your time.

Pierluigi