# help ssh tunnelling in laptop is slow



## topclimber (Jan 26, 2012)

Hi Guys

Need your help to solve the puzzle.

I have got two FreeBSD setups at home:
A. a high spec server: xeon 4 core cpu with asus mb, 4G Ram, FreeBSD 8
B. an old laptop: fujitsu S6010 made 2002: 1.2G PIII, 384M Ram, FreeBSD 7.0

I am trying to use putty to ssh in to them and do dynamic tunnelling and set up a proxy in the browser to connect to the internet. Everything is fine with A [I actually tested the same for my macbook pro, it also worked fine]: web pages got downloaded smoothly and quickly, but when it comes to B, it took a long, long time (>5 mins) to see a page or the connection just broke. Note that when I try to open a page via the ssh connection via B, the putty session is not responsive at all, until it finishes downloading or times out. But if I log in with another session into B, I can still type any command like, e.g., ls, cat, cd etc.

I am aware a network problem for B: the signal connecting to the router end is always orange. I tried to switch cable or port in the router, as long as it connects to the laptop, the signal is always orange but not green.

So, I would like to understand: what is actually the root cause of the slowness?

1. Is it due to that orange signal, somehow the network NIC in the laptop has got a problem. When writing this post, I did check the port, it has got 4 pins (the metal needles: 1, 2, 3, 5; there are no 4, 6, 7, 8), check it here: http://www.arcelect.com/10baset.htm, I still can't figure out if anything is wrong with it. I did check my macbook pro, it has all 8 needles.

I would like to know: what networking tests I can do to determine if the slowness is from networking, and if it's related to this port issue.

If this is really the issue,
a. if it's easy to get wireless network working for this old laptop and how? Is there a generic driver sort of thing to install [FreeBSD 7.0] or do I have to check if the manufacturer has made any FreeBSD driver?

b. if it's not possible to do so, is it worth buying a PCMCIA card, what brand is it easy to get installed?

I really need to get some sense if the slowness is because of my network but not related to cpu, ram etc, because I am thinking of buying some product from: http://soekris.com but the cpu/ram are even lower specs compared to my laptop, if my laptop can not handle such simple ssh tunnelling, then I won't have much confidence to believe the tiny single board will be much better.

I will be looking forward hearing from you

Thanks very much,


Stephen


----------



## SirDice (Jan 26, 2012)

topclimber said:

> I would like to know: what networking tests I can do to determine if the slowness is from networking, and if it's related to this port issue.


Look at the output of the ifconfig(8) command. It should indicate the connected speed and duplex settings. Judging by the 'orange' light this is probably 10Mbit instead of 100. It might even be half-duplex instead of full.


----------



## topclimber (Jan 27, 2012)

I believe the nic is full duplex. Here's what it has got:


```
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:e0:00:f9:67:1d
        inet 192.168.1.188 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

So what's next to investigate?

I did a FreeBSD update from 7.0 release to 7.4 release, it seems the situation is improved a little.

Now it takes nine minutes to open a single page instead of forever or timed out, or some strange error:

```
Forwarded connection refused by server: Administratively prohibited
```

So again, this kind of performance is not acceptable, how am I able to tell what the bottleneck is? Is it due to the encryption for each single page/picture etc via ssh?

Please guide

Thanks very much,

Stephen


----------



## SirDice (Jan 27, 2012)

topclimber said:

> Now it takes 9 mins to open a single page instead forever or timed out, or some strange error: Forwarded connection refused by server: Administratively prohibited


This points to a firewall or some really bad routing. 



> So again, this kind of performance is not acceptable, how am I able to tell what the bottle neck is? Is it due to the encryption for each single page/picture etc via ssh?


It shouldn't be a problem, I regularly use an old P2-350MHz as a proxy.


----------



## topclimber (Jan 27, 2012)

*test results*

I did tests for both slow fujitsu and smooth macpro, here's the result.

traceroute to some US sites shows both have similar results; ping tests show no packet loss at all for the fujitsu laptop, the ping time from the fujitsu is even better than the mac's [maybe it's because of the wireless connection for the mac].

I did a browsing test at home network and corporate network, now the home network can deliver quick response, proxy via ssh is fairly smooth (only since today after I updated FreeBSD from 7 to 7.4, not sure why). Browsing through the corporate network (putty through corporate proxy first) is still buggy and takes a long time (a few mins) to open a page. And via the putty event log, it sometimes shows:

```
Forwarded connection refused by server: Administratively prohibited
```

Look at this page for explanation: http://wiki.metawerx.net/wiki/SSHTu...penFailedAdministrativelyProhibitedOpenFailed

I couldn't find OpenPermit either in sshd_config or authorized_keys2 (it's authorized_keys in my FreeBSD), but other conditions are all met. So any idea here?

I don't think the corporate proxy has anything to do with the connection since once ssh in, it's all secured, the proxy won't tangle, right?

Please if any idea? I am not good at networking stuff.

Thanks a lot


----------



## Uniballer (Jan 27, 2012)

I didn't catch what equipment you're plugging the laptop in to.  There may be issues with ethernet auto-negotiation between gigabit gear and older equipment or cabling with only pins 1,2,3,6 wired.  Might this apply in your situation?  The only workarounds I know of are to force the gigabit end to run at the appropriate rate (i.e. 10 or 100 Mbps, full or half duplex), or maybe to stick in a 10/100 Mbps switch between your older and newer gear to handle the negotiation on just the existing pairs.


----------



## SirDice (Jan 27, 2012)

I didn't find a lot of info about that Fujitsu laptop but it seems it has a 10/100Mbit ethernet. Normally the LED lights up orange when it's 10 and green when it's 100. You might want to check the manual to confirm.

If it lights up orange to indicate 10Mbit, I'm wondering why ifconfig(8) shows it's connected with 100Mbit. It could be the auto-negotiation Uniballer mentioned.


----------



## topclimber (Jan 28, 2012)

Uniballer said:

> I didn't catch what equipment you're plugging the laptop in to.  There may be issues with ethernet auto-negotiation between gigabit gear and older equipment or cabling with only pins 1,2,3,6 wired.  Might this apply in your situation?  The only workarounds I know of are to force the gigabit end to run at the appropriate rate (i.e. 10 or 100 Mbps, full or half duplex), or maybe to stick in a 10/100 Mbps switch between your older and newer gear to handle the negotiation on just the existing pairs.



I am using billion 7404vnpx (retailing price $400+) which is a very advanced router, yes, it's Gigabit. It shouldn't be any problem I guess.

http://www.google.com.au/url?sa=t&r...sc0mTP9GDlz6iuiLA&sig2=iIK03hNiqzx9sZVgz19frg

Everything looks fine if I just use that box to wget/curl, or even do a FreeBSD upgrade. I don't go xwindow/kde/gnome to see how it is using firefox to surf the internet, but lynx also works fine.

My hunch is the sshd might be the cause. Reasons being:

1. before the FreeBSD update to 7.4, I was able to have a long maintained ssh session to the fujitsu box, but no successful proxy through, while another test to a US box (centos5.6) always hit an "unexpected server closed connection"

2. after the FreeBSD update, at least I got intermittent tunnelled proxy surfing but it started showing the symptom of "unexpected server closed connection".

I am just not sure .....


----------



## topclimber (Jan 28, 2012)

Hey guys

I have some findings.

I played with the PermitOpen in both sshd_config and authorized_keys, here's the result:

 do not use ssh key, but password, everything is fine and smooth
 if you use the key, here's the buggy part:
 without the PermitOpen in sshd_config and authorized_keys, you will get

```
Forwarded connection refused by server: Administratively prohibited
```

 if you put

```
permitopen="google.com:80"
```
 then it works. However this does not let you visit all other sites/ports, and there is no way to specify PermitOpen all or any. I followed some link saying:

> ```
> PermitOpen
> Specifies the destinations to which TCP port forwarding is per-
> mitted.  The forwarding specification must be one of the follow-
> ...
> ```

but this totally does not work, man page says: no pattern allowed. Tests done have proven this.

I assume there is a bug in sshd in FreeBSD 7.4: OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8q 2 Dec 2010, I tested another external Linux box using openssh4.3, the tunneling works fine without noticing this PermitOpen stuff.

Btw, the other FreeBSD 8.0 doesn't have such an issue and I don't remember configuring any such thing to enable/disable the restriction, this must be the sshd version problem.

I just don't want to force myself to use password, any idea what to do about it? This is such a tiring process, I have spent a week on this tiny thing.


----------
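
The per-key restriction discussed in the post above, as an added example (not code from the thread or from OpenSSH): a small Python parser for the options field of an `authorized_keys` line that reports whether a forwarding request for a given host:port would pass `permitopen` by exact match. The key lines, key blobs and function names are constructed for illustration, and the server's sshd_config is assumed to apply separately on top.

```python
# Added example: which forward targets does one authorized_keys line permit?
# Key blobs and comments in SAMPLE_KEYS are constructed, not real keys.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

SAMPLE_KEYS = [
    'ssh-rsa AAAAEXAMPLEKEY stephen@example',
    'permitopen="google.com:80" ssh-rsa AAAAEXAMPLEKEY stephen@example',
    'permitopen="google.com:80",permitopen="example.org:443" ssh-rsa AAAAEXAMPLEKEY x',
    'no-port-forwarding,command="echo a, b" ssh-rsa AAAAEXAMPLEKEY x',
]

def split_options(line):
    """Return the options of one authorized_keys line, quotes removed."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return []                      # line begins with the key type: no options
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur += '"'                 # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif c == " " and not quoted:
            break                      # unquoted space ends the options field
        else:
            cur += c
        i += 1
    opts.append(cur)
    return [o for o in opts if o]

def forward_allowed(line, host, port):
    """True if this key's options would let a forward to host:port through."""
    opts = split_options(line)
    if "no-port-forwarding" in (o.lower() for o in opts):
        return False
    permitted = [o.split("=", 1)[1] for o in opts
                 if o.lower().startswith("permitopen=")]
    if not permitted:
        return True                    # no per-key list; only sshd_config applies
    return f"{host}:{port}" in permitted   # exact host:port, no patterns

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        for target in (("google.com", 80), ("example.org", 443)):
            print(split_options(key), target, forward_allowed(key, *target))
```

Because the comparison is on the exact host:port string, a key that lists only `google.com:80` refuses every other destination a browser asks for through the dynamic tunnel.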

