Slow internet thru Firebox II

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Slow internet thru Firebox II

    Hello all,

    If you read thru my "can't connect to firebox" thread then you know I have been having some trouble getting my firewall solution up and running. In the end the first firebox I had was a bad box, but I have corrected the problem and have a new unit up and running.

    My problem now is that the internet is verrrrryyy slow when going thru the firebox. So slow in fact that about half of my internet requests time out before I get a response.

    Has anyone else experienced this through a firebox or thru any firewall? How can I get more speed out of this thing?

    Thanks

  • #2
    Re: Slow internet thru Firebox II

    Hey all, I was hoping someone could confirm my client IP settings with this firebox in the network.

    The instructions for the firebox said to change the default gateway to the IP of the firebox. But it never mentioned what to do about the DNS. So, I also changed my 1st DNS server to the firebox. Is this correct or would the DNS still be my old DNS server? If the DNS should still be my old server, could this be what's slowing down the internet?

    Thanks!

    • #3
      Re: Slow internet thru Firebox II

      If you have an existing DNS server then I would use the settings that you were using.

      • #4
        Re: Slow internet thru Firebox II

        I would recommend using your internal DNS rather than the Firebox as having it perform DNS duties will put an additional load on it, and frankly I wouldn't trust a firewall to do anything other than "firewalling". Also note that if the firewall is acting as a proxy server for http (rather than just allowing outbound http) then it will slow down web browsing as well. Also make sure that the ports on your firebox, router, and switches are set to the same speed and duplex settings.

        • #5
          Re: Slow internet thru Firebox II

          Thanks for the reply Joe. If I understand you correctly, then my client IP settings should look something like this:

          IP: 192.168.0.x
          Subnet: 255.255.255.0
          Default Gateway: 192.168.0.5 <-- Firebox
          DNS1: 192.168.0.1 <-- Internal DNS server

          My only question then is this... I have the internal DNS server forwarding unresolved DNS requests to the firewall 192.168.0.5. Is this incorrect?

          Should I be forwarding unresolved DNS requests from my internal dns server to the router? Otherwise I don't see the difference between the clients using the firewall as dns or the server forwarding them to the firewall.

          • #6
            Re: Slow internet thru Firebox II

            Originally posted by kxcntry99
            My only question then is this...I have the internal DNS server forwarding unresolved DNS requests to the firewall 192.168.0.5. Is this incorrect?

            Should I be forwarding unresolved DNS requests from my internal dns server to the router? Otherwise I don't see the difference between the clients using the firewall as dns or the server forwarding them to the firewall.
            No, both are incorrect. You should forward your DNS servers to the DNS servers from your ISP.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            • #7
              Re: Slow internet thru Firebox II

              Originally posted by Dumber
              No, both are incorrect. You should forward your DNS servers to the DNS servers from your ISP.
              Even if the server is not acting as the router on the network?

              • #8
                Re: Slow internet thru Firebox II

                yups.
                DNS is quite different than a router...

                DNS is for providing name resolution.
                When you're trying to contact www.abc.com it will query .com first, then abc.com, to find the host address of www.abc.com.

                A router, well, it already answers by itself: it routes. This little toy will only help you to find the way to the next hop.

                So for example:


                client:
                IP: 192.168.10.5
                Subnet: 255.255.255.0
                Gateway: 192.168.10.254 (for example a router or firewall)
                DNS: 192.168.10.1


                Ok, just as an example.
                You start Internet Explorer on that client and you type in the address bar: www.google.com.
                The browser really doesn't understand a thing about a typed URL, so it will ask the local DNS server what the IP address is.
                The local DNS server looks into its cache and when it can't find the address it will forward the request to the DNS server of an ISP.
                The remote DNS server will respond with an IP address which corresponds with the typed host address www.google.com.
                The local DNS server will cache this address and send the IP address to the browser.

                Well, what happens next?
                The browser generates packets to the IP address of www.google.com.
                The IP stack (after doing some broadcasting etc.) will forward the packets to its gateway when it can't find the IP address on its local broadcast domain.
                The router looks at the destination address of the packet and matches this in its routing table.
                It will forward this to its next hop and off it goes on the internet.
                Last edited by Dumber; 19th December 2007, 17:31. Reason: added an example
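
Dumber's walkthrough above, modelled as an added example (not code from the thread or from any of its posters): a client with post #8's example addresses, a caching local DNS server that forwards cache misses to a constructed stand-in for the ISP's DNS, and the IP stack's on-link-versus-gateway decision. `check_config` is my addition and flags a gateway or DNS address that is outside the client's own subnet (the stack can only reach on-link hosts directly, so such a gateway is unusable); the ISP data and the 203.0.113.10 answer are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Client:
    """Client settings from post #8 (the thread's example addresses)."""
    ip: str
    netmask: str
    gateway: str
    dns: str

    def network(self):
        return ipaddress.ip_interface(f"{self.ip}/{self.netmask}").network

    def check_config(self):
        """Gateway and DNS must be on-link: the stack can only ARP inside its
        own broadcast domain, so an off-subnet gateway is unreachable."""
        return [f"{role} {getattr(self, role)} is not in {self.network()}"
                for role in ("gateway", "dns")
                if ipaddress.ip_address(getattr(self, role)) not in self.network()]

    def next_hop(self, destination):
        """Post #8's IP-stack decision: deliver locally or hand to the gateway."""
        if ipaddress.ip_address(destination) in self.network():
            return "on-link"
        return self.gateway

@dataclass
class LocalDns:
    """Caching local DNS server: answer from cache, else ask the forwarder."""
    forwarder: dict                          # constructed stand-in for ISP DNS
    cache: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)

    def resolve(self, name):
        name = name.rstrip(".").lower()
        if name not in self.cache:
            self.forwarded.append(name)      # cache miss: one query upstream
            if name not in self.forwarder:
                return None                  # NXDOMAIN, nothing to cache
            self.cache[name] = self.forwarder[name]
        return self.cache[name]

def browse(client, dns, host):
    """Typing a host name in the browser: resolve it, then pick the next hop."""
    ip = dns.resolve(host)
    return None if ip is None else (ip, client.next_hop(ip))

ISP_DNS = {"www.google.com": "203.0.113.10"}   # constructed: TEST-NET address
CLIENT = Client("192.168.10.5", "255.255.255.0", "192.168.10.254", "192.168.10.1")
```

The second `browse` call for the same name is answered from the cache, so only one query ever reaches the forwarder.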

                • #9
                  Re: Slow internet thru Firebox II

                  You could also just use the root hints instead of using forwarders. I tend to not trust ISPs very much. Other than that, what you posted earlier should work fine. Here's how I would do it:

                  1. Client uses internal server for DNS and firewall for gateway.
                  2. Internal server uses itself for DNS and is configured to use the root hints and no forwarders. It uses the firewall as gateway.
                  3. Firewall does not use or provide DNS as it does not need to resolve FQDNs. It uses the router as gateway.
                  4. Router does not use or provide DNS as it does not need to resolve FQDNs.

                  Of course you could set it up any way you like, but I like to use a firewall only for firewalling, a router only for routing, a DHCP server only for DHCP, a DNS server only for DNS, etc. In small environments you may have to combine some of these roles onto the same computer, but try to keep everything inside the firewall.

                  • #10
                    Re: Slow internet thru Firebox II

                    Why not trust a DNS server from the ISP????
                    Edit:
                    The root hints are often much slower because they're quite busy, and you will have more DNS traffic by querying the root hints.
                    Also, Windows 2003 DNS will query the root hints when the ISP DNS servers are unavailable.

                    http://support.microsoft.com/kb/291382
                    Windows Server 2003 DNS will query root hints servers if it cannot query the forwarders.
                    Last edited by Dumber; 19th December 2007, 17:36.
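
Added example (not from the thread or its posters) comparing the two approaches in posts #9 and #10: an internal DNS server resolving www.abc.com either through a forwarder or by walking the delegation chain itself from the root hints, with the Windows Server 2003 behaviour from the KB article above (fall back to root hints when no forwarder can be queried). The delegation tree, server names and TEST-NET address are constructed; the query count is what the internal server itself sends out, which is the extra traffic Dumber refers to.

```python
from collections import Counter

class Unavailable(Exception):
    """Constructed stand-in for a timeout: the server did not answer."""

# Constructed delegation tree: each server either refers the query on (NS)
# or holds the answer (A). Server names and the TEST-NET address are made up.
SERVERS = {
    "root":   {"com.": ("NS", "ns-com")},
    "ns-com": {"abc.com.": ("NS", "ns-abc")},
    "ns-abc": {"www.abc.com.": ("A", "203.0.113.10")},
}

def iterative(name, sent, server="root"):
    """Root-hints resolution as in post #8: ask the root for .com, the .com
    server for abc.com, and so on, one query per delegation level."""
    sent[server] += 1
    zone = max((z for z in SERVERS[server] if name.endswith(z)), key=len, default=None)
    if zone is None:
        return None                       # no delegation covers this name
    kind, value = SERVERS[server][zone]
    return value if kind == "A" else iterative(name, sent, value)

def forwarder(name, sent, up=True):
    """One query to the ISP's recursive server, which does the walking for us."""
    sent["isp-forwarder"] += 1
    if not up:
        raise Unavailable(name)
    return iterative(name, Counter())     # the ISP's own queries are not our traffic

def resolve(name, forwarders_up=True, use_forwarders=True):
    """Policy from KB 291382 (post #10): use the forwarder when configured and
    reachable, otherwise query the root hints. Returns (answer, path, queries)."""
    name = name.lower() if name.endswith(".") else name.lower() + "."
    sent = Counter()
    if use_forwarders:
        try:
            return forwarder(name, sent, forwarders_up), "forwarder", sum(sent.values())
        except Unavailable:
            pass                          # forwarder timed out: fall back
    return iterative(name, sent), "root-hints", sum(sent.values())
```

With the forwarder reachable the internal server sends one query; when it times out, the fallback costs the failed attempt plus one query per delegation level.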

                    • #11
                      Re: Slow internet thru Firebox II

                      I just trust the root hint server more than I trust any ISP. It's just my personal feeling on the matter. It probably stems from my having to call the ISP and tell them how to fix the problem instead of the other way around.

                      • #12
                        Re: Slow internet thru Firebox II

                        WOW GREAT POST DUMBER!!! I have been looking for a description like that online for a while now and I couldn't seem to find it.

                        The reason I had been forwarding all unresolved DNS requests from my local server to the router was because I didn't know any other way to get the requests to the internet. If I understand you right, as long as my gateway is set to a route to the internet I should be good. I thought that I needed to set my forwarders to the route to the internet, but it sounds like the computer will automatically use the gateway to get to an IP outside of my LAN. If this is incorrect please let me know.

                        So my client IP settings should be as below:
                        IP: 192.168.0.x
                        Subnet: 255.255.255.0
                        Gateway: 192.168.0.5 <-- Firebox
                        DNS: 192.168.0.1 <-- local DNS

                        And my server should be:
                        IP: 192.168.0.1
                        Subnet: 255.255.255.0
                        Gateway: 192.168.0.5 <-- Firebox
                        DNS: 192.168.0.1
                        with the forwarders pointed to my ISP DNS hosts, which the computer will use the gateway to get to... Right????

                        • #13
                          Re: Slow internet thru Firebox II

                          Originally posted by joeqwerty
                          You could also just use the root hints instead of using forwarders. I tend to not trust ISPs very much. Other than that, what you posted earlier should work fine. Here's how I would do it:

                          1. Client uses internal server for DNS and firewall for gateway.
                          2. Internal server uses itself for DNS and is configured to use the root hints and no forwarders. It uses the firewall as gateway.
                          3. Firewall does not use or provide DNS as it does not need to resolve FQDNs. It uses the router as gateway.
                          4. Router does not use or provide DNS as it does not need to resolve FQDNs.

                          Of course you could set it up any way you like, but I like to use a firewall only for firewalling, a router only for routing, a DHCP server only for DHCP, a DNS server only for DNS, etc. In small environments you may have to combine some of these roles onto the same computer, but try to keep everything inside the firewall.
                          Good post Joe, I like the idea of separating out everything too. This is however a small SOHO network, so my DHCP and DNS are on the same server but everything else is separated.

                          Thanks for the input your description is very helpful.

                          • #14
                            Re: Slow internet thru Firebox II

                            YW, hope it all works out for you.

                            • #15
                              Re: Slow internet thru Firebox II

                              If you have any questions, just shout.
                              Just set every client/server to the correct gateway and you're done..

                              Edit:
                              If you want to learn more about this in an easy way, please see the following animated movie: Warriors of the Net
                              http://www.warriorsofthe.net/movie.html
                              Last edited by Dumber; 20th December 2007, 00:39. Reason: url added.
