From: Andrew Hesford
To: Aaron Hill
Cc: freebsd-questions@FreeBSD.org
Subject: Re: IP Alias limit?
Date: Fri, 18 May 2001 08:27:16 -0500
Message-ID: <20010518082716.A23608@core.usrlib.org>
In-Reply-To: <51915.203.11.225.5.988850756.squirrel@www.futureuse.net>; from fbsdlist@futureuse.net on Thu, May 03, 2001 at 10:45:56AM +1000
User-Agent: Mutt/1.2.5i

On Thu, May 03, 2001 at 10:45:56AM +1000, Aaron Hill wrote:
>
> Hello,
>
> Do you know if there's a limit on the number of IP address aliases you can
> run on one FreeBSD ethernet interface?
>
> If there isn't a limitation or if there's a realistically unreachable limit
> does anyone have an opinion on why a large number of aliases shouldn't be
> used? For example the man page for ifconfig suggests that aliases are good
> to use for temporary solutions but I'm planning to do this for a permanent
> solution.
>
> The scenario I have is a FreeBSD server being a router for a DMZ/Internet
> setup. The server will act as the default gateway for multiple DMZ hosts.
> Putting too many addresses on one NIC (100Mb/s) and overloading it isn't
> really an issue because we'll have traffic shapers in the setup to keep
> things sane.
>
> Thanks.
> Aaron Hill

Using aliases, especially more than one, for any sort of permanent solution
is bad style. Furthermore, since NICs can be obtained for $15 (like the ones
I keep in my router), it shows that you are cheap beyond belief.

As a router, you are going to be moving packets back and forth from at least
two different sources at one time. Your collision rate will skyrocket, and
performance will plummet. Also, any buffering the card does to improve
performance is effectively cut in half.

If you want any modicum of security in the router, aliasing takes a chunk
out of that, since it means anyone with a physical line to your router also
has a physical line to everything it is routing for. With two NICs, you can
physically separate your DMZ from the Internet, and keep a good bit of
security if you want it.

It's just a foolish idea.

--
Andrew Hesford
ajh3@usrlib.org
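The security point in the reply is that aliasing puts several networks on one physical segment, so one broadcast domain carries what should be separately cabled zones. The following audit script is an added example for readers of this thread, not code from either poster or from FreeBSD: it parses `ifconfig -a` output and flags interfaces that carry more than one network. The sample output is constructed (documentation address ranges, made-up interface names and MAC addresses), and the rule that "each physical segment should carry one network, with /32 aliases inside that network counted as the same zone" is the script's own assumption, not something the thread states.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of FreeBSD `ifconfig -a` output (hex netmasks, as FreeBSD prints them).
# fxp0 carries a /24 plus a /32 alias in the same subnet, plus a second /24 via an alias:
# that second /24 is the case the reply warns about (two zones on one wire).
SAMPLE_IFCONFIG = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.11 netmask 0xffffffff broadcast 203.0.113.11
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:a0:c9:aa:bb:cc
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
        ether 00:a0:c9:dd:ee:ff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (\S+)")


def netmask_to_dotted(mask: str) -> str:
    """Accept a hex netmask (0xffffff00) or a dotted one and return dotted form."""
    if mask.lower().startswith("0x"):
        return str(ipaddress.IPv4Address(int(mask, 16)))
    return mask


def parse_ifconfig(text: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Map interface name -> list of IPv4 addresses (with their netmasks)."""
    ifaces: Dict[str, List[ipaddress.IPv4Interface]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addr, mask = m.groups()
            # IPv4Interface validates that the mask is contiguous and derives the prefix length
            ifaces[current].append(ipaddress.IPv4Interface(f"{addr}/{netmask_to_dotted(mask)}"))
    return ifaces


def distinct_networks(addrs: List[ipaddress.IPv4Interface]) -> List[ipaddress.IPv4Network]:
    """Collapse an interface's addresses into the distinct networks it is attached to.

    Widest prefixes are handled first so that a /32 alias that lies inside an
    already-seen network is treated as the same zone rather than a new one.
    """
    nets: List[ipaddress.IPv4Network] = []
    for a in sorted(addrs, key=lambda x: x.network.prefixlen):
        if a.network.prefixlen == 32 and any(a.ip in n for n in nets):
            continue  # host alias within a network this interface already serves
        if a.network not in nets:
            nets.append(a.network)
    return nets


def find_collapsed_segments(ifaces: Dict[str, List[ipaddress.IPv4Interface]]) -> Dict[str, List[str]]:
    """Return {interface: [networks]} for every non-loopback interface carrying
    more than one network, i.e. where aliasing stands in for a separate NIC."""
    report: Dict[str, List[str]] = {}
    for name, addrs in ifaces.items():
        if name.startswith("lo"):
            continue
        nets = distinct_networks(addrs)
        if len(nets) > 1:
            report[name] = [str(n) for n in nets]
    return report


if __name__ == "__main__":
    # On a real host: parse_ifconfig(subprocess.check_output(["ifconfig", "-a"], text=True))
    for iface, nets in find_collapsed_segments(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(f"{iface}: {len(nets)} networks share one segment: {', '.join(nets)}")
```

On the constructed sample this reports only fxp0, since fxp1 serves a single network and the /32 alias on fxp0 falls inside its primary /24. Feeding it live `ifconfig -a` output (see the comment in the main block) gives a quick inventory of where a router is relying on aliases instead of physically separate interfaces.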