Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Rob_G]

Hi, I have a web server and database server in the DMZ that is working perfectly, but when I try to connect to the database server from the internal LAN there is a 5-10 second delay before the connection is made. After I am connected to the database server there is a 3-5 second delay for every SQL command even though the responce in MySQL says the results were returned in under 1 second. I have a feeling it is a DNS problem but thought I would throw it out here to see if anybody else has had this problem.

I have set rules to allow the SQL connection between the LAN and DMZ, in testing I even tried allowing all TCP/UDP traffic between the two just to eliminate the chance that the firewall was blocking something, but still I got the same delay.

Any one any ideas?

[Fatman]

You mention the possiblity of DNS error, could you reference the server by IP not DNS?
Do you still see the delay then?

[Rob_G]

Yeah I still see the delay, I was thinking more like a entry in the hosts file on the database server in the DMZ that states the address to the DFL-860 gateway maybe?

[Fatman]

Are you using a NAT or an Allow with your SAT rule for your port forward?

What happens if you use the other type of rule?

[Rob_G]

I am using an allow rule, did not realise you could use NAT and SAT together. I will try using NAT instead this weekend and see if it works any better. I have just noticed the subnet on the machines in the DMZ is different than the ones in the LAN, duno why it is setup like that I will try setting that the same, dont think that would make much difference though. 

[Fatman]

The DMZ needs to have a different network than your LAN (there are other methods but they are a lot of work in comparison), because the LAN and DMZ interfaces are routed interfaces.

[Rob_G]

I tried changing the allow rule to a NAT rule and there was no difference unfortunately. The DMZ has the 172. IP with 255.255.0.0 subnet and the LAN has 10. IP with 255.255.255.0 subnet. I am still thinking there should possibly be a DNS server in the DMZ, then again I am trying to connect using IP so that probably won't make a difference, I am pretty new to all this so am not sure.

The strange thing is the responce time over the internet to the database server is instant so WAN to DMZ is fine its just LAN to DMZ.

[Fatman]

Are you seeing logged ALG drops?

Is your server on both interfaces or networks, or have multiple gateways by any chance?

[Rob_G]

Not to sure what you mean about the server, it has one nic that has a 172. IP and that is all, and the gateway is the gateway on the DFL-860 for the DMZ. Not to sure about ALG drops, I did seem to notice some drops in the log for UDP connections when ever a SQL command is sent from the LAN to the DMZ.

Incidentally, I tried putting the database server in the LAN and having the web server call it there but had the delay that direction as well. I am unsure where the best place for a database server that needs to be accessed by a web server and from a program inside the LAN would be security wise, so I am open to any advice on that as well lol.

[Rob_G]

I have found the problem, the dfl-860 seems to be dropping all requests from the database server in the DMZ to the DFL's DMZ gateway for UDP 137 this shows up in the logs for every SQL request from the LAN, all I need to know now is how to allow that request to go through and that will be the problem solved.

[Fatman]

According to IANA UDP 137 is NetBIOS-NS, is your SQL server trying to reference your PC or another server resource by NetBIOS name?

The quick fix would be to point the NBNS/WINS servers on your server to an actual NBNS server.

or

Quit referencing NB names.

[Rob_G]

Thats it, its working fine now, I set MySQL to not lookup the names for the IP's and now its faster than ever. Thanks for all your help with this, much appreciated.

[Fatman]

Very cool, I am glad this all worked out.