LHC@home

This should be implemented. If the VM detects a BOINC proxy has been configured with the default squid port, it will try to use it for CVMFS.

sometimes it works...

and sometimes it doesn't...

Checking through the project database for the last few days shows:-

9 hosts ran 24 VM tasks (5 CMS, 5 LHCb and 14 Theory).

1 CMS failed no heartbeat file,

All the remaining 23 tasks detected the proxy correctly.

1 Theory failed to connect on port 80.

Of the remaining 22 tasks, 7 (3 Theory, 3 CMS and 1 LHCb), failed to set
the VM to use the proxy.

Is this what is meant by "try to use" the proxy?

About 4 weeks ago Laurence changed the bootstrap script that is executed by every Theory, CMS and LHCb VM.
This script transfers the proxy setting from your local BOINC client into your starting VM and configures the VM internal CVMFS to use the local proxy.

A successful configuration can be seen in the stderr.txt like in this example from a Theory VM:

2018-04-03 04:02:53 (8078): Guest Log: Probing /cvmfs/grid.cern.ch... OK
2018-04-03 04:02:55 (8078): Guest Log: Probing /cvmfs/sft.cern.ch... OK
2018-04-03 04:02:55 (8078): Guest Log: VERSION PID UPTIME(M) MEM(K) REVISION EXPIRES(M) NOCATALOGS CACHEUSE(K) CACHEMAX(K) NOFDUSE NOFDMAX NOIOERR NOOPEN HITRATE(%) RX(K) SPEED(K/S) HOST PROXY ONLINE
2018-04-03 04:02:55 (8078): Guest Log: 2.2.0.0 3368 1 20384 5825 3 1 325888 10240001 2 65024 0 15 100 0 0 http://cvmfs-stratum-one.cern.ch/cvmfs/grid.cern.ch http://<your_local_proxy_IP>:3128 1

Unfortunally there seems to be a bug or a permission issue (at CERN) regarding CMS that has not been solved since the change has been applied.
This results in the following error line:

2018-02-26 17:17:07 (35323): Guest Log: Probing /cvmfs/cms.cern.ch... Failed!

As a result a local proxy can only be used for Theory and LHCb until the mentioned issues are solved at CERN.
CMS works with a local proxy but the BOINC client's proxy configuration has to be cleared and the IP packets have to be routed via iptables or similar methods.

From what I see here,

About 4 weeks ago Laurence changed the bootstrap script that is executed by every Theory, CMS and LHCb VM. This script transfers the proxy setting from your local BOINC client into your starting VM

this works every time, but

and configures the VM internal CVMFS to use the local proxy..

this works roughly 2/3 of the time.

Most of your WUs were finished prior to the bootstrap change.
The WUs below are young enough but show different error conditions.


Guest Log: [DEBUG] nc: getaddrinfo: Temporary failure in name resolution
Happens sometimes
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186131716


206 (0x000000CE) EXIT_INIT_FAILURE
Most likely no subtask
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186091180


CMS error (Guest Log: Probing /cvmfs/cms.cern.ch... Failed!)
Has to be checked by CERN's CVMFS experts.
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186060630
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186094066
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186281612
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186491940


Success but strange.
Proxy information was available but not configured.
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186201207
https://lhcathome.cern.ch/lhcathome/result.php?resultid=186124307

2018-04-22 09:46:52 (59022): Guest Log: [DEBUG] Detected squid proxy http://<hostname_censored_by_volunteer/>:3128
2018-04-22 09:47:57 (59022): Guest Log: Probing /cvmfs/grid.cern.ch... OK
2018-04-22 09:47:58 (59022): Guest Log: Probing /cvmfs/cms.cern.ch... Failed!
2018-04-22 09:47:58 (59022): Guest Log: VERSION PID UPTIME(M) MEM(K) REVISION EXPIRES(M) NOCATALOGS CACHEUSE(K) CACHEMAX(K) NOFDUSE NOFDMAX NOIOERR NOOPEN HITRATE(%) RX(K) SPEED(K/S) HOST PROXY ONLINE
2018-04-22 09:47:58 (59022): Guest Log: 2.2.0.0 3408 1 22656 5981 3 1 1163564 10240001 2 65024 0 15 100 0 0 http://cvmfs-stratum-one.cern.ch/cvmfs/grid.cern.ch http://128.142.33.31:3125 1

The proxy configuration in a CMS VM changed a bit - to the worse:

1. Bootstrap detects the proxy that is configured in the BOINC settings. (good)
2. /cvmfs/grid.cern.ch works (most likely using the local proxy)
3. Probing /cvmfs/cms.cern.ch... Failed! (not good!)
4. CVMFS log configures lhchomeproxy.cern.ch (not good; should be the local proxy)

The local proxy works:
1. for Theory and LHCb
2. for CMS only if it is not configured in the BOINC client but the IP packets are routed to the proxy via iptables.


It should be investigated why the different projects behave different.

A perfect example how a local squid speeds up even fast connections to openhtc.io.
The (slightly modified) log shows 5 requests from different clients to the same URL.
Squid collapsed them to only 1 real internet request and sent the answer to all 5 clients.

client1 [25/Jul/2018:10:12:30 +0200] "GET http://s1cern-cvmfs.openhtc.io/cvmfs/cvmfs-config.cern.ch/.cvmfspublished HTTP/1.1" 200 1363 "-" "cvmfs Fuse 2.4.4" TCP_REFRESH_MODIFIED:HIER_NONE
client2 [25/Jul/2018:10:12:30 +0200] "GET http://s1cern-cvmfs.openhtc.io/cvmfs/cvmfs-config.cern.ch/.cvmfspublished HTTP/1.1" 200 1363 "-" "cvmfs Fuse 2.4.4" TCP_REFRESH_MODIFIED:HIER_NONE
client3 [25/Jul/2018:10:12:30 +0200] "GET http://s1cern-cvmfs.openhtc.io/cvmfs/cvmfs-config.cern.ch/.cvmfspublished HTTP/1.1" 200 1326 "-" "cvmfs Fuse 2.5.0" TCP_REFRESH_MODIFIED:HIER_NONE
client4 [25/Jul/2018:10:12:30 +0200] "GET http://s1cern-cvmfs.openhtc.io/cvmfs/cvmfs-config.cern.ch/.cvmfspublished HTTP/1.1" 200 1326 "-" "cvmfs Fuse 2.5.0" TCP_REFRESH_MODIFIED:HIER_NONE
client5 [25/Jul/2018:10:12:30 +0200] "GET http://s1cern-cvmfs.openhtc.io/cvmfs/cvmfs-config.cern.ch/.cvmfspublished HTTP/1.1" 200 1467 "-" "cvmfs Fuse 2.4.1" TCP_REFRESH_MODIFIED:FIRSTUP_PARENT

Of course, an advantage of only a few ms in this case but this also happens on requests to large files.

Since the bootstrap script used by all VMs except ATLAS has been modified a while ago it seems that it reliably configures a local proxy that is set via BOINC client.

The following section shows a basic squid.conf that is tuned for BOINC.
It supports the VM's internal CVMFS instances as well as the local CVMFS that is used by ATLAS (native).

Frontier requests generated by ATLAS (vbox) or CMS still need some iptables rules to be routed through the proxy.

# Squid configuration for BOINC
# Based on squid version 3.5
# See also: http://www.squid-cache.org/


# Define your local hosts/networks here
# Examples:
# acl crunchers src 172.16.0.20
# acl crunchers src 172.16.0.25
# acl localnet src 172.16.0.0/12
# acl localnet src fc00::/7


# required for some extras
acl to_httpport port 80
acl to_http8000 port 8000
acl to_squidport port 3128

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535	# unregistered ports

acl CONNECT method CONNECT



follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all



#
# Start of extra section 1
# Requests that need special handling

# worldcommunitygrid doesn't like data from the local cache
# use the following lines as template if other projects also have problems
acl wcg_nocache dstdomain .worldcommunitygrid.org
always_direct allow wcg_nocache
cache deny wcg_nocache


# if CVMFS uses geoapi, ensure it's checked directly
acl cvmfs_geoapi urlpath_regex -i ^/+cvmfs/+[0-9a-z._~-]+/+api/+[0-9a-z._~-]+/+geo/+[0-9a-z._~-]+/+[0-9a-z.,_~-]+
always_direct allow cvmfs_geoapi
cache deny cvmfs_geoapi


# avoids polluting the disk cache with typical onetimers, e.g. ATLAS job data
acl boinc_nocache urlpath_regex -i /download[0-9a-z._~-]*/+[0-9a-z._~-]+/+.+
cache deny boinc_nocache


# seriously: do NOT cache that!
# Based on a frontier cache suggestion from Fermilab
acl PragmaNoCache req_header Pragma no-cache
cache deny PragmaNoCache

# End of extra section 1
#


#
# Start of extra section 2
# not used in this basic configuration
# include /etc/squid/extensions.d/cern_extensions.conf
# End of extra section 2
#


#
# Start of extra section 3
# not used in this basic configuration
# parent cache configuration
# doesn't improve performance but gains more data for analysis
#include /etc/squid/parents.d/s1x-cvmfs_openhtc_io.conf
#include /etc/squid/parents.d/lhcb-portal-dirac_cern_ch.conf
#include /etc/squid/parents.d/cvmfs-stratum-one_cern_ch.conf
#include /etc/squid/parents.d/cmsfrontier_cern_ch.conf
#include /etc/squid/parents.d/lcgft-atlas_gridpp_rl_ac_uk.conf
#include /etc/squid/parents.d/lhchomeproxy_cern_ch.conf
# End of extra section 3
#


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# see ACL definition above
# Examples:
# http_access allow crunchers
# http_access allow localnet

http_access allow localhost
http_access deny all


# http_port
# don't bind it to an IP that is accessible from outside unless you know what you do.
# Examples:
# http_port 172.16.0.77:3128

#
# Start of extra section 4
# not used in this basic configuration
# used for additional ports
# Example:
# http_port 172.16.0.77:3129 intercept
# End of extra section 4
#

# if your machine has more than one IP
# Example:
# tcp_outgoing_address 172.16.0.88


# Required OFF for intercepted traffic from LHCb VMs
client_dst_passthru off


# You don't believe this is enough?
# For sure, it is!
cache_mem 192 MB
maximum_object_size_in_memory 24 KB
memory_replacement_policy heap GDSF


# Keep it large enough to store vdi files in the cache.
# See extra section 1 how to avoid onetimers eating up your storage.
# min-size=xxx keeps very small files away from your disk
cache_replacement_policy heap LFUDA
maximum_object_size 6144 MB
cache_dir aufs /var/cache/squid/0 32000 16 64 min-size=7937


# logformat has to be changed according to your needs and the capabilities of your logfile analyser
# See: http://www.squid-cache.org/Versions/v3/3.5/cfgman/logformat.html
# if unsure, use the default setting
logformat my_awstats %>A %lp %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squid/access_squid.log logformat=my_awstats
strip_query_terms off
netdb_filename none

coredump_dir none
ftp_user anonymous@


# max_stale 1 week  #default
# extended to be prepared for a project reset
max_stale 37 days

# 1 line is required to avoid the ancient default settings
# be conservative
# don't violate the HTTP standards
refresh_pattern .	0	0%	0

store_avg_object_size 1 MB


# booster 1!
collapsed_forwarding on


# booster 2!
client_persistent_connections on
server_persistent_connections on

digest_generation off
log_icp_queries off

# use your preferred language here
error_default_language de

dns_defnames on

#depends on your local setup
dns_v4_first on

forwarded_for transparent

##### End of squid.conf

I have a problem with installation. I download two files, I have Visual Studio but I have no idea which perl need i download, too. Could anybody explan me easly (because I'm not English speaker and I'm not a geek, too) what to do?

Is it a squid related problem?

If NO, you may have accidentally posted your comment here.
Be so kind as to repeat your question in a related thread.

If YES, I don't understand your problem without additional comments.

Yes, I've got with squid problem - I can't install software and I have no idea, what I do wrong.

Hi Ola,

I still do not fully understand your problem.

This thread mainly discusses optimisations to a standard squid setup that are useful for LHC projects.
It requires that you are able to install a squid proxy either on linux (tested) or on windows (not tested) and do a basic setup as described at the following webpage:
http://www.squid-cache.org/

I was directed here from https://lhcathomedev.cern.ch/lhcathome-dev/forum_thread.phpp?id=475&postid=6396 which is in the Grand announcement today. I cannot find the Instructions on how to get the Proxy working? I see that Squid is needed, but is there any configuration that is needed and do I need to use the BoincManager Proxy function? How does that affect other Projects that I run in BOINC?
If you announce something then don't give us the details on how to use it. It is a non event if no one can use it.

Cheers,

I second what Dingo wrote.

I am running 4x16GB i7 computers and 2x32GB Threadrippers with LHC in about half their capacities, mostly Theory and a little Atlas. I am knowledgeable in computing and Windows, but I am not in Squid.

Perhaps one of the experts here could write a tutorial for us non-experts on how to do it. It would help us AND Cern by reducing traffic.

@ PurpleHat:

Ahh, I see a bit of light!

Thanks for pointing out that the post IS the config (for Linux-type). I will have to try to translate into Windowese to try it.

And also your pointers.

Thanks again, PurpleHat

Today gyllic made me aware that a local proxy will not be used by a VM if the BOINC proxy form is set to "localhost" or "127.x.y.z".
Those entries are reserved for the loopback device and have a different meaning for the processes on the host, e.g. the BOINC client, and the processes inside the VM.

@ computezrmle:

I am a rank noobie in Squid knowledge, but I got it "running" under Windows. This means I don't get error messages or crashes, BOINC runs and gets data, etc.

However, I also don't have tools or techniques to know if it is effective or not. Where do I get the programs to analyze its logs?

Also, with regard to your post just above, it appears to me that using the "::" IPV6 form for "this computer" is also not effective. Can you confirm?

Thanks.

This is what I did to install under Windows:

I started here: http://www.squid-cache.org/ then clicked "download" in the menu

Since I cannot compile Squid, I clicked on "binary package of Squid." part way down

Then clicked link "Squid-3.5" in 1.2.17.1 to get the 3.5 version for Windows

Under the 64bit, I clicked "http://squid.diladele.com/"

Then selected "Squid for Windows" "DOWNLOAD MSI" which starts a 33.6mb download of Squid

I installed it on disk "S" (requires Admin privilege)

Using Notepad, I modified "S:\Squid\etc\squid\squid.conf" as per the below:


# Squid configuration for BOINC under Windows Squid configuration for BOINC under Windows Squid configuration for BOINC under Windows Squid configuration for BOINC under Windows
# Based on squid version 3.5
# See also: http://www.squid-cache.org/

# NOTE: I AM NOT AN EXPERT IN SQUID, and don't know exactly what is and is not required. However, it is sufficient even if not all necessary for my use.

# Where I found info about it: https://lhcathome.cern.ch/lhcathome/forum_thread.php?id=4611&postid=36101#36101
# Many thanks!

# Define your local hosts/networks here
# Examples:
# acl crunchers src 172.16.0.20
# acl crunchers src 172.16.0.25
# acl localnet src 172.16.0.0/12
# acl localnet src fc00::/7
acl crunchers src 192.168.1.120-192.168.1.128 # my local LAN addresses
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range

# required for some extras
acl to_httpport port 80
acl to_http8000 port 8000
acl to_squidport port 3128

acl SSL_ports port 443 # ssl
acl Safe_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 1025-65535 # unregistered ports

acl CONNECT method CONNECT

follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

#
# Start of extra section 1
# Requests that need special handling

# worldcommunitygrid doesn't like data from the local cache
# use the following lines as template if other projects also have problems
acl wcg_nocache dstdomain .worldcommunitygrid.org
always_direct allow wcg_nocache
cache deny wcg_nocache

# if CVMFS uses geoapi, ensure it's checked directly
acl cvmfs_geoapi urlpath_regex -i ^/+cvmfs/+[0-9a-z._~-]+/+api/+[0-9a-z._~-]+/+geo/+[0-9a-z._~-]+/+[0-9a-z.,_~-]+
always_direct allow cvmfs_geoapi
cache deny cvmfs_geoapi

# avoids polluting the disk cache with typical onetimers, e.g. ATLAS job data
acl boinc_nocache urlpath_regex -i /download[0-9a-z._~-]*/+[0-9a-z._~-]+/+.+
cache deny boinc_nocache

# seriously: do NOT cache that!
# Based on a frontier cache suggestion from Fermilab
acl PragmaNoCache req_header Pragma no-cache
cache deny PragmaNoCache

# End of extra section 1
#

#
# Start of extra section 2
# not used in this basic configuration
# include /etc/squid/extensions.d/cern_extensions.conf
# End of extra section 2
#

#
# Start of extra section 3
# not used in this basic configuration
# parent cache configuration
# doesn't improve performance but gains more data for analysis
#include /etc/squid/parents.d/s1x-cvmfs_openhtc_io.conf
#include /etc/squid/parents.d/lhcb-portal-dirac_cern_ch.conf
#include /etc/squid/parents.d/cvmfs-stratum-one_cern_ch.conf
#include /etc/squid/parents.d/cmsfrontier_cern_ch.conf
#include /etc/squid/parents.d/lcgft-atlas_gridpp_rl_ac_uk.conf
#include /etc/squid/parents.d/lhchomeproxy_cern_ch.conf
# End of extra section 3
#

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

# The following should be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# see ACL definition above
# Examples:
# http_access allow crunchers
# http_access allow localnet
http_access allow crunchers
http_access allow localnet
http_access allow localhost
http_access deny all

# http_port
# don't bind it to an IP that is accessible from outside unless you know what you do.
# Examples:
# http_port 172.16.0.77:3128
http_port 3128

#
# Start of extra section 4
# not used in this basic configuration
# used for additional ports
# Example:
# http_port 172.16.0.77:3129 intercept
# End of extra section 4
#

# if your machine has more than one IP
# Example:
# tcp_outgoing_address 172.16.0.88


# Required OFF for intercepted traffic from LHCb VMs
client_dst_passthru off


# You don't believe this is enough?
# For sure, it is!
cache_mem 192 MB
maximum_object_size_in_memory 24 KB
memory_replacement_policy heap GDSF

# Keep it large enough to store vdi files in the cache.
# See extra section 1 how to avoid onetimers eating up your storage.
# min-size=xxx keeps very small files away from your disk
cache_replacement_policy heap LFUDA
maximum_object_size 6144 MB
cache_dir aufs /var/cache/squid 32000 16 64 min-size=7937

# logformat has to be changed according to your needs and the capabilities of your logfile analyser
# See: http://www.squid-cache.org/Versions/v3/3.5/cfgman/logformat.html
# if unsure, use the default setting
logformat my_awstats %>A %lp %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squid/access_squid.log logformat=my_awstats
strip_query_terms off
netdb_filename none

coredump_dir none
ftp_user anonymous@

# max_stale 1 week #default
# extended to be prepared for a project reset
max_stale 37 days

# 1 line is required to avoid the ancient default settings
# be conservative
# don't violate the HTTP standards
refresh_pattern . 0 0% 0

# Required for Windows (but perhaps not for Linux?)
dns_nameservers 1.1.1.1 1.0.0.1 # fast DNS resolvers

store_avg_object_size 1 MB

# booster 1!
collapsed_forwarding on

# booster 2!
client_persistent_connections on
server_persistent_connections on

digest_generation off
log_icp_queries off

# use your preferred language here
error_default_language en

dns_defnames on

#depends on your local setup
dns_v4_first on

forwarded_for transparent

##### End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf End of squid.conf

I started the Squid program (S:\Squid\bin\Diladele.Squid.Tray.exe or link on the desktop).

Then on my OTHER machines under BOINC Manager, options, Other options, HTTP Proxy entered the IPAddress of THIS machine and port 3128.

Local caching doesn't seem to work but from the other machines, it does.

@ computezrmle:

I agree that local caching doesn't work with "localhost" or "127.x.y.z" or "::".

It DOES work for me with the NAME of the local computer, e.g., "DDW3770K" in the HTTP Proxy address.
NOTE HOWEVER, it uses the second LAN interface IP address on this computer EVEN THOUGH IT IS DISABLED.

I don't have a computer with only a single interface available at the moment for testing, so YMMV.

Anyone able to confirm using the computer name will work with a single LAN interface on the same computer?

Also, using the name from another computer on the LAN instead of an IP address also works.

@ computezrmle:

I agree that local caching doesn't work with "localhost" or "127.x.y.z" or "::".

It DOES work for me with the NAME of the local computer, e.g., "DDW3770K" in the HTTP Proxy address.
NOTE HOWEVER, it uses the second LAN interface IP address on this computer EVEN THOUGH IT IS DISABLED.

I don't have a computer with only a single interface available at the moment for testing, so YMMV.

Anyone able to confirm using the computer name will work with a single LAN interface on the same computer?

Also, using the name from another computer on the LAN instead of an IP address also works.

In a configuration with more than 1 LAN adapter and/or more IPs I suggest to explicitly bind squid to a socket that is visible in your LAN and to the localhost socket.
Hence, you may use both lines

http_port localhost:3128
http_port 172.16.0.77:3128  # use a valid IP of your first LAN adapter here

Check if it works using a webbrowser that is set to use a proxy.
On your proxy machine the browser should "work" with "localhost:3128" as well as with "172.16.0.77:3128".
Browsers on your LAN machines will not "work" with "localhost:3128" but should "work" with "172.16.0.77:3128".

In this context "work" means that you should get at least an error message from your proxy.

If you set the correct acl definitions to be used with http_access your browser should get the requested webpage via your proxy.



same for outgoing traffic

tcp_outgoing_address 172.16.0.88  # use a valid IP of your first LAN adapter here and allow it to pass your firewall

dns_nameservers 1.1.1.1 1.0.0.1 # fast DNS resolvers

I would not use an external DNS as it doesn't resolve local names if they are used anywhere in your config file.
Just let squid use your system's default.
See: http://www.squid-cache.org/Versions/v3/3.5/cfgman/dns_nameservers.html

acl crunchers src 192.168.1.120-192.168.1.128 # my local LAN addresses
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
.
.
.
http_access allow crunchers
http_access allow localnet

Either use lines 1 & 6 or lines 2 & 7.
It's not an error, just avoid redundancy.

I would prefer a setting like lines 1 & 6 as you may have devices in your LAN that you don't want to allow to access the internet.

@ computezrmle:

I already tried removing "dns_nameservers 1.1.1.1 1.0.0.1 # fast DNS resolvers", and it fails with
"CONNECT lhcathome.cern.ch:443 HTTP/1.1" 503 151 "-" "BOINC client (windows_x86_64 7.14.2)" TAG_NONE:HIER_NONE

Replacing it gives
"CONNECT lhcathome.cern.ch:443 HTTP/1.1" 200 45331 "-" "BOINC client (windows_x86_64 7.14.2)" TCP_TUNNEL:HIER_DIRECT
so it appears it must operate differently in Windows vs. Linux.

I will test your suggestions to see which works and which others don't when I have more time available. As for right now, I am running.

Ahh, so much to learn, so little time to do so.