# Gentoo Firewall is choking internet speed. [SOLVED]

## hanj

Hello

We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. That is with their speed test.

I tested with iperf3 on the box .. and get worse..

```
Connecting to host iperf.he.net, port 5201
[  4] local xxx.xxx.xxx.xxx port 50332 connected to 216.218.227.10 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  3.55 MBytes  29.7 Mbits/sec    0    296 KBytes
[  4]   1.00-2.00   sec  1.35 MBytes  11.3 Mbits/sec    0    363 KBytes
[  4]   2.00-3.00   sec  1.34 MBytes  11.3 Mbits/sec    0    433 KBytes
[  4]   3.00-4.00   sec  1.35 MBytes  11.4 Mbits/sec   13    324 KBytes
[  4]   4.00-5.00   sec  1.35 MBytes  11.3 Mbits/sec    0    372 KBytes
[  4]   5.00-6.00   sec  1.35 MBytes  11.3 Mbits/sec    0    407 KBytes
[  4]   6.00-7.00   sec  1.28 MBytes  10.7 Mbits/sec    3    404 KBytes
[  4]   7.00-8.00   sec  1.41 MBytes  11.8 Mbits/sec    8    315 KBytes
[  4]   8.00-9.00   sec  1.35 MBytes  11.3 Mbits/sec    0    341 KBytes
[  4]   9.00-10.00  sec  1.35 MBytes  11.3 Mbits/sec    0    355 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  15.7 MBytes  13.1 Mbits/sec   24             sender
[  4]   0.00-10.00  sec  13.2 MBytes  11.1 Mbits/sec                  receiver
```

Testing from another box behind the firewall, it even got worse...

```
[  4] local 192.168.xxx.xxx port 54666 connected to 216.218.227.10 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.91 MBytes  16.0 Mbits/sec    0   96.2 KBytes
[  4]   1.00-2.00   sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
[  4]   2.00-3.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   3.00-4.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   4.00-5.00   sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
[  4]   5.00-6.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   6.00-7.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   7.00-8.00   sec   871 KBytes  7.14 Mbits/sec    0   96.2 KBytes
[  4]   8.00-9.00   sec   902 KBytes  7.39 Mbits/sec    0   96.2 KBytes
[  4]   9.00-10.00  sec   871 KBytes  7.13 Mbits/sec    0   96.2 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  9.60 MBytes  8.05 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  8.40 MBytes  7.04 Mbits/sec                  receiver
```

These are the cards that are on that Gentoo firewall box:

```
02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)
```

```
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.xxx.xxx  netmask 255.255.255.0  broadcast 192.168.xxx.xxx
        ether d0:67:e5:ee:44:73  txqueuelen 1000  (Ethernet)
        RX packets 453321948  bytes 594791527037 (553.9 GiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 268473640  bytes 86843846038 (80.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.xxx.xxx.xxx  netmask 255.255.255.252  broadcast xxx.xxx.xxx.xxx
        ether 00:0a:cd:20:b8:4a  txqueuelen 1000  (Ethernet)
        RX packets 269470690  bytes 86762995524 (80.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 450122190  bytes 593247038718 (552.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

UPDATE.. I tried changing MTU to 1472, since I was getting fragmentation at 1500 to see if that helped. No change after applying MTU to 1472 to both eth0 and eth1

Server is running 4.9.76-gentoo as the kernel.

Load seems okay..

```
load average: 0.08, 0.07, 0.07
```

The server is running iptables. I'm wondering if this is a kernel configuration, or iptables setting I'm missing? Any ideas?

Thanks!

hanji

----------

## hanj

Updated kernel to 4.9.95-gentoo. No improvement.

I saw that QoS scheduling was enabled in the kernel. I removed that. Still no improvement.

Verified with ethtool that both interfaces were at gigabit

```
ethtool eth1 | grep Speed
        Speed: 1000Mb/s
ethtool eth0 | grep Speed
        Speed: 1000Mb/s
```

I added the following to /etc/sysctl.conf and ran sysctl -p .. no improvement

```
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 10240 87380 16777216
net.ipv4.tcp_rmem = 10240 87380 16777216
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
```

I also tried these settings

```
net.core.rmem_default = 524288
net.core.rmem_max = 524288
net.core.wmem_default = 524288
net.core.wmem_max = 524288
net.ipv4.tcp_wmem = 4096 87380 524288
net.ipv4.tcp_rmem = 4096 87380 524288
net.ipv4.tcp_mem = 524288 524288 524288
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_ecn = 0
net.ipv4.route.flush = 1
```

I think these don't really matter since auto tuning appears to be on?

```
cat /proc/sys/net/ipv4/tcp_moderate_rcvbuf
1
```

Any ideas?

hanji

----------

## NeddySeagoon

hanj,

What hardware?

----------

## hanj

 *NeddySeagoon wrote:*   

> hanj,
> 
> What hardware?

 

Hello

She's an old Dell box. 

```
vendor_id       : GenuineIntel
cpu family      : 6
model           : 42
model name      : Intel(R) Celeron(R) CPU G530 @ 2.40GHz

MemTotal:        2049020 kB
MemFree:         1634884 kB

02:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5722 Gigabit Ethernet PCI Express
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)
```

hanji

----------

## NeddySeagoon

hanj,

At least it's PCIe and not just plain old PCI.

That would be a problem.

----------

## bunder

That should be more than adequate for at least a gigabit connection, my old router was a p4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long.

----------

## hanj

 *NeddySeagoon wrote:*   

> hanj,
> 
> At least it's PCIe and not just plain old PCI.
> 
> That would be a problem.

 

 *bunder wrote:*   

> That should be more than adequate for at least a gigabit connection, my old router was a p4 3.0E and I only replaced it because generating traffic graphs and applying new rules was taking too long.

 

Anything I should look for? I agree, that I think the box should be able to handle this. I keep having a feeling that this might be a missing kernel piece or sysctl option. The NICs are reporting 0 errors, but could this be a NIC thing? Could this be a cable thing? Or could it be how the box is talking to the modem? When connected directly to the modem, it appears to be ripping fast.

The original kernel config had QoS schedule, and I thought that would be the issue, but removing that no change. That is also the weird thing.. EVERY change shows no change what-so-ever. Which makes me feel.. could it be the modem's relationship with this firewall?

Thanks guys!

hanji

----------

## P.Kosunen

Test Realtek's proprietary driver if it is better.

https://packages.gentoo.org/packages/net-misc/r8168

----------

## khayyam

hanj ...

you didn't mention, but you say "firewall", do you mean that is the machine's purpose, or that there is filtering (ie, iptables) on the interface? If the latter, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly tested with iperf?

You should also describe the topology of this firewall, are you filtering on both eth0 and eth1?

I'm seeing ipv4 addressing, do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false".

Also, can you not obfuscate ip addresses unless absolutely necessary, giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some information that turns out in the end to have some relevance to the issue.

best ... khay

----------

## NeddySeagoon

hanj,

What is the link to the outside world?

Does it have a contention ratio?

e.g. My ADSL used to have a link speed on the phone wire of 8Mbit/sec. That was the theoretical best downlink speed without any overhead.

(Raw bits between the exchange and me). Error correction uses some of that and the Ethernet overhead adds more.

However, the killer was the 50:1 contention ratio on domestic ADSL. That means for every 1 MB of installed capacity, BT sold up to 50MB. 

It was very noticeable in busy times.  

How is your service delivered and what does the "they were getting 123 Mbps" refer to?

Is it the useful data (to you) rate or the raw link speed?

Even reducing that by 20% to account for overheads leaves a big gap between what you see and the reported 123 Mbps.

----------

## Tony0945

 *hanj wrote:*   

> We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps.

 

I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.

If that is not correct, please explain the two setups.

When you say "modem", I think you mean a combined router/modem that ISPs are fond of supplying. These often report your activity to the ISP. If you want privacy, put your own modem behind their combo modem. Then they only see the NATed traffic from one ip address.

What make and model of Router and modem?

Finally, ISP speedtests often artificially favor their servers.  Run your tests using "DSL reports speedtest".

----------

## hanj

 *khayyam wrote:*   

> hanj ...
> 
> you didn't mention, but you say "firewall", do you mean that is the machine's purpose, or that there is filtering (ie, iptables) on the interface? If the latter, did you '--flush', '--delete-chain', '--zero' the chains (in essence, removed the "firewall") and similarly tested with iperf?

 

Thanks for the reply.

Yes, the machine's purpose is for filtering via iptables. I created a simple flush script that got rid of all the rules but allowed me to do some testing. Not exactly what you're wanting, but I have remote access to the box.

My flush rules...

```
#!/bin/sh
IPT=/sbin/iptables

# Flush rules, delete user-defined chains and zero counters (nat and filter tables)
$IPT -F
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -t filter -F
$IPT -t filter -X
$IPT -t filter -Z
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING

# Default policies: DROP in the filter table, ACCEPT in the nat table
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Keep established connections (including the remote session) working
$IPT -I INPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT 1 -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow everything originating from the box itself
$IPT -A OUTPUT -j ACCEPT
```

Output of iptables -L -n

```
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
```

I ran iperf3 with this state.. no improvement...

```
iperf3 -c xxxxxxx.com
Connecting to host xxxxxxx.com, port 5201
[  4] local xxx.xxx.xxx.xxx port 48350 connected to xxx.xxx.xxx.xxx port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.13 MBytes  9.48 Mbits/sec    0    505 KBytes
[  4]   1.00-2.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   2.00-3.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   3.00-4.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   4.00-5.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   5.00-6.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   6.00-7.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   7.00-8.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   8.00-9.00   sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
[  4]   9.00-10.00  sec  1.36 MBytes  11.4 Mbits/sec    0    505 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  13.4 MBytes  11.2 Mbits/sec    0             sender
[  4]   0.00-10.00  sec  13.2 MBytes  11.1 Mbits/sec                  receiver

iperf Done.
```

 *khayyam wrote:*   

> You should also describe the topology of this firewall, are you filtering on both eth0 and eth1?

 

The firewall basically does input and output filtering and handles NAT and port forwarding to internal devices. It also runs DHCP and VPN services on the box itself. It has a modem/router connected to it (not sure what it is.. again, remote location) and receives a public IP eth1 and eth0 manages the internal network after hitting a switch internally.

 *khayyam wrote:*   

> I'm seeing ipv4 addressing, do you have ipv6 enabled? If it is (and you're not using ipv6), try adding enable_ipv6_eth0="false".

 

No ipv6 traffic. It's not built in the kernel and I just added the enable_ipv6_ethx="false" to /etc/conf.d/net and restarted both interfaces. No change

```
enable_ipv6_eth0="false"
enable_ipv6_eth1="false"
```

 *khayyam wrote:*   

> Also, can you not obfuscate ip addresses unless absolutely necessary, giving us the full address for '192.168.xxx.xxx' isn't going to make it any easier for us to h4x0r your reserved network ... but it may provide some information that turns out in the end to have some relevance to the issue.

 

The internal network is 192.168.1.0/24. eth0 is 192.168.1.1, eth1 is a public IP.

Thanks!

hanji

----------

## hanj

 *Tony0945 wrote:*   

>  *hanj wrote:*   We just upgraded our modem and service via Charter internet. When testing directly from the modem they were getting 123 Mbps but connecting the Gentoo firewall and testing behind it, it drops to 18 Mbps. 
> 
> I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.
> 
> If that is not correct, please explain the two setups.
> ...

 

 *Tony0945 wrote:*   

> I took that to mean that testing with the Gentoo machine and iptables not running, the Charter speed test gave 123 Mbps and with iptables running you only get 18Mbps.

 

Yes, the tech connected to the modem/router with a direct link, excluding the internal network and firewall. He ran the test and got the results, then plugged in on the switch behind the firewall and got the second speed.  I was not there and this was reported to me, so not sure exactly how he connected, or where he did a speed test.  I'm having someone test via iperf direct from the modem/router today. I'll also have him test to speedtest as well.

 *Tony0945 wrote:*   

> What make and model of Router and modem?

 

I'll get that information today.

Thanks!

hanji

----------

## hanj

 *P.Kosunen wrote:*   

> Test Realtek's proprietary driver if it is better.
> 
> https://packages.gentoo.org/packages/net-misc/r8168

 

Interesting. I have that driver built in the kernel. What's the process for emerging the driver for the kernel to use it?

hmmmm.. looks like it needs to be loaded as a module.

Thanks!

hanji

----------

## hanj

 *Tony0945 wrote:*   

> What make and model of Router and modem?

 

The router is a Hitron w/4 ports

SW Ver: 4.4.10.7

HW Ver: 1A

Thanks!

hanji

----------

## twalter

Aren't Hitrons DOCSIS modems?  Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets.  Fragmentation will always ruin your day.

----------

## twalter

Now that I think of it, if it's really DSL 1472 is too greedy, go for 1356 (IIRC) and test.  At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are.)

Todd

----------

## hanj

 *twalter wrote:*   

> Now that I think of it, if it's really DSL 1472 is too greedy, go for 1356 (IIRC) and test.  At a guess, PMTU works with a straight connection and you are blocking ICMP on the firewall (stop that, if you are.)
> 
> Todd

 

Thanks Todd. I'm rebuilding the kernel with TCPMSS support now. I made sure ICMP isn't being blocked. It was blocking.

Question on the MSS.. would I add it like this?

```
$IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356
```

Thanks!

hanji

----------

## NeddySeagoon

hanj,

Try ping with the -M option.  See man ping.

You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.

Bare ethernet is 1500.

If you have PPPoE, 1492 is a good value.

The more layers you have, the lower it gets. 

When you set the MTU, set it for the entire network, or something, somewhere, will have to do fragmentation for outgoing packets.
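
The binary search with `ping -M do` described above, as an added example that is not part of the original post. It assumes the iputils `ping` found on Linux; the function names `probe`, `find_path_mtu` and `mss_for_mtu` are this example's own.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that reaches a host unfragmented.

# probe HOST PAYLOAD
# Succeeds if a single ICMP echo carrying PAYLOAD data bytes gets a reply
# with the DF bit set (-M do forbids fragmentation along the path).
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]
# Prints the largest packet size in [LOW, HIGH] that passes with DF set.
# Returns 1 if even LOW fails (host down, or ICMP echo filtered).
find_path_mtu() {
    host=$1
    lo=${2:-576}      # known-good lower bound
    hi=${3:-1500}     # bare Ethernet upper bound
    # ping -s takes the ICMP payload size:
    # payload = packet size - 20 (IPv4 header) - 8 (ICMP header)
    probe "$host" $((lo - 28)) || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" $((mid - 28)); then
            lo=$mid               # mid fits, search above it
        else
            hi=$((mid - 1))       # mid is too big, search below it
        fi
    done
    echo "$lo"
}

# mss_for_mtu MTU
# TCP MSS that fits in MTU: 20-byte IPv4 header + 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Only probe the network when a host is given on the command line.
if [ -n "${1:-}" ]; then
    mtu=$(find_path_mtu "$1") || {
        echo "no reply from $1 even at 576 bytes" >&2
        exit 1
    }
    echo "path MTU to $1: $mtu (ping -s $((mtu - 28)))"
    echo "matching TCP MSS: $(mss_for_mtu "$mtu")"
fi
```

A `ping -s` payload of 1472 corresponds to a 1500-byte packet, so the payload size and the interface MTU differ by 28. A lost reply looks the same as an oversized packet here, so repeat the run before trusting a low result.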

----------

## hanj

 *twalter wrote:*   

> Aren't Hitrons DOCSIS modems?  Anyway, make sure you clamp MSS so there's room for the router's bridge mode to tag your packets.  Fragmentation will always ruin your day.

 

I went with this.. not seeing much of an improvement.. but there is a small improvement. I'm playing with MTU in conjunction to this

```
$IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1356
# The TCPMSS target is only valid in the mangle table
$IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

Thanks!

hanji

----------

## hanj

 *NeddySeagoon wrote:*   

> hanj,
> 
> Try ping with the -M option.  See man ping.
> 
> You can set the packet size and DF bits yourself if you want to set the MTU by hand. With a binary search it won't take long.
> ...

 

Thanks.. I'll do some research on the -M option for ping.

Thanks!

hanji

----------

## ChrisJumper

Hi hanj

Here is a short story of my own...

```
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 03)
```

I am not 100 percent sure, but I bought a similar card, because at first the mainboard had an "RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)" which worked fine.

It was hard to find a working driver... and with the original driver from Realtek just one card worked as expected (the onboard one). At first I thought my provider had issues with its DHCP infrastructure, because my logs looked fine but I did not get an IP etc..

However, it was the stupid DRIVER for that card! No, I could not fix it, because the card seems to behave normally on the terminal or to the kernel, but in the background nothing works as expected. I think it did not even send one network packet on the line. Do yourself a favour and replace that card with another...

There might be an existing driver for your card. But Realtek has many, many revisions with slightly different chips on them and no separate model line, because they sold well. That made it nearly impossible to choose the right driver. And I downloaded some from the official manufacturer's web page, which should have worked.. but didn't.

You have hiccups because you updated the kernel or driver, which works with other revisions than yours.

Maybe you know the driver from before.. or have the sources from the previous working kernel. Then you have a chance, or know where to find the proprietary driver on your hard drive, and with luck it will work with a new kernel.

However, save your time and go shopping for a new card, one that you know works flawlessly with Linux.

Edit: I checked my logs.. I had that one:

```
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 07)
```

So it might be possible that you find a working driver for your card.

----------

## Tony0945

Re: Drivers  

Realtek is indeed a real mess. I have several boards, old and new, with onboard Realtek.

By any chance do you have one of these:

MSI B350 TOMAHAWK ARCTIC

GIGABYTE GA-F2A88X-D3HP (rev. 1.0) 

GIGABYTE GA-880GA-UD3H

GIGABYTE GA-M61P-S3

----------

## bunder

I have that same RTL8111/8168/8411 in my laptop as well as two gigabyte z270 boards, seems to work fine with the required firmware, but I only have a 100mbit LAN so I'm probably not really much help there.

----------

## 1clue

I wasn't going to say anything but I have a system (Asus P6T) with realtek cards (1x on-board and a 4-way pcie card) and I can verify that they suck. In my case I have an i7 on the board, and I can get near wire speed out of them but the cpu load is artificially high.

I have another test system, a c2758 board with 7x Intel NICs using i210, i350 and i354 cards, all built-in on the board.

Out of the two systems, increasing network load ramps up CPU interrupts much faster on the system with Realtek cards, and the cpu load ramps up much faster there. It's a bit apples and oranges in the sense that the system with intel nics has an atom processor and the system with the realtek nics has an i7, I don't have two systems with similar processors to compare.

I think Realtek NICs are somewhat like a 'smart-modem' from the Windows 95 era. There's minimal hardware and a whole lot of the implementation done in the driver. The card causes a lot more interrupts than a well-constructed card (Intel using 'igb' driver) and those interrupts suck time from your CPU when it could be doing other things.

I recommend that you get an Intel I210 or I350 or something like that with the number of ports you need. These cards implement as much functionality as possible in the card itself, allowing the CPU to go do its thing elsewhere.

----------

## P.Kosunen

 *hanj wrote:*   

> Interesting. I have that driver built in the kernel. What's the process for emerging the driver for the kernel to use it?
> 
> hmmmm.. looks like it needs to be loaded as a module.

 

Need to blacklist or completely disable the kernel module/driver and compile Portage's driver module. It needs recompiling after every kernel update.

(I think most hardware works properly with kernel driver, Realtek version is rarely needed/better.)

----------

## hanj

Hello all

I took out the RealTek card and got an Intel Gigabit (Intel Corp 82574L).. and problem is fixed. Thanks again for all the help!

hanji

----------

