Date:      Fri, 18 May 2001 08:27:16 -0500
From:      Andrew Hesford <ajh3@usrlib.org>
To:        Aaron Hill <fbsdlist@futureuse.net>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: IP Alias limit?
Message-ID:  <20010518082716.A23608@core.usrlib.org>
In-Reply-To: <51915.203.11.225.5.988850756.squirrel@www.futureuse.net>; from fbsdlist@futureuse.net on Thu, May 03, 2001 at 10:45:56AM +1000
References:  <51915.203.11.225.5.988850756.squirrel@www.futureuse.net>

On Thu, May 03, 2001 at 10:45:56AM +1000, Aaron Hill wrote:
> 
> Hello,
> 
> Do you know if there's a limit on the number of IP address aliases you can 
> run on one FreeBSD ethernet interface?
> 
> If there isn't a limitation or if there's a realistically unreachable limit 
> does anyone have an opinion on why a large number of aliases shouldn't be 
> used? For example the man page for ifconfig suggests that aliases are good 
> to use for temporary solutions but I'm planning to do this for a permanent 
> solution.
> 
> The scenario I have is a FreeBSD server being a router for a DMZ/Internet 
> setup. The server will act as the default gateway for multiple DMZ hosts. 
> Putting too many addresses on one NIC (100Mb/s) and overloading it isn't 
> really an issue because we'll have traffic shapers in the setup to keep 
> things sane.
> 
> Thanks.
> Aaron Hill

Using aliases, especially more than one, for any sort of permanent
solution is bad style. Furthermore, since NICs can be obtained for $15
(like the ones I keep in my router), it shows that you are cheap beyond
belief.

As a router, you are going to be moving packets back and forth from at
least two different sources at one time. Your collision rate will
skyrocket, and performance will plummet. Also, any buffering the card
does to improve performance is effectively cut in half.

If you want any modicum of security in the router, aliasing takes a
chunk out of that, since it means anyone with a physical line to your
router also has a physical line to everything it is routing for. With
two NICs, you can physically separate your DMZ from the Internet, and
keep a good bit of security if you want it.

It's just a foolish idea.

-- 
Andrew Hesford
ajh3@usrlib.org
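As an added illustration of the two-NIC point in the reply above (not part of the original thread), here are the two /etc/rc.conf forms side by side: everything aliased onto one card, and the DMZ and upstream link on separate cards, plus a small sh check that reports how many physical interfaces a router configuration actually uses. The interface names fxp0/fxp1 and the RFC 5737 documentation addresses are assumptions.

```shell
#!/bin/sh
# Constructed rc.conf fragment: the single-NIC form from the question.
# Both the upstream prefix and the DMZ prefix live on fxp0, so both
# sit on one physical segment.
ALIASED_RC='gateway_enable="YES"
ifconfig_fxp0="inet 192.0.2.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 198.51.100.1 netmask 255.255.255.0"'

# Constructed rc.conf fragment: the two-NIC form the reply recommends.
# The upstream link is on fxp0 and the DMZ is on fxp1, so a host with
# a cable into the DMZ switch is not on the same wire as the uplink.
SEPARATED_RC='gateway_enable="YES"
ifconfig_fxp0="inet 192.0.2.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 198.51.100.1 netmask 255.255.255.0"'

# Count the distinct physical interfaces that carry an inet address.
# ifconfig_<if>= and ifconfig_<if>_aliasN= both count toward <if>;
# unrelated knobs such as gateway_enable are ignored.
count_ifaces() {
  printf '%s\n' "$1" \
    | sed -n 's/^ifconfig_\([a-z]*[0-9]*\)\(_alias[0-9]*\)\{0,1\}=.*/\1/p' \
    | sort -u | wc -l | tr -d ' '
}

# Returns 0 when the configuration is a router (gateway_enable="YES")
# that puts all of its addresses on a single card, 1 otherwise.
is_single_nic_router() {
  printf '%s\n' "$1" | grep -q '^gateway_enable="YES"' || return 1
  [ "$(count_ifaces "$1")" = "1" ]
}

# Usage: report on both constructed fragments.
for name in ALIASED_RC SEPARATED_RC; do
  eval "cfg=\$$name"
  if is_single_nic_router "$cfg"; then
    echo "$name: router with all addresses on one NIC"
  else
    echo "$name: addresses spread over $(count_ifaces "$cfg") NICs"
  fi
done
```

Run against a real /etc/rc.conf with `is_single_nic_router "$(cat /etc/rc.conf)"` to get the same verdict for a live machine.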
