Hi,

We would like to put approx. 2 public class C IP ranges accessible through proxy ARP. For each IP the possibility has to exist to assign different rules (as it works right now).

Are there any performance considerations we should keep in mind? Any limits on Shorewall/iptables?

Second step is trying to work out a "multiple uplink" scenario on the firewall to allow local LAN->NET traffic to pass through a separate ADSL connection. This is to make sure we do not interfere with regular traffic to the webservers. (Thanks for the URL in one of the previous posts, Tom!)

Thanks in advance for any hints/tips/... anyone would like to share.

-- 
Best regards,
Kristof                            mailto:kristof.hardy@catsanddogs.com
On Fri, 12 Jul 2002, Kristof Hardy wrote:

> Hi,
>
> We would like to put approx. 2 public class C IP ranges accessible
> through proxy ARP.

This may be a stupid question, but why are you using Proxy ARP with that many IPs? With so many IPs, why wouldn't you configure the upstream routers to use the firewall system as a gateway for those subnets? With that many IPs, you certainly aren't going to be worried about dedicating two or four of them to subnetting (the usual reason for using proxy ARP).

> For each IP the possibility has to exist to assign
> different rules (as it works right now).
>
> Are there any performance considerations we should keep in mind? Any
> limits on Shorewall/iptables?
>

I hope that you aren't using Shorewall to define the Proxy ARP. With that many IPs, it's much better done by simply setting the proxy-arp flag on the internal and external interfaces. Other than that, there are no Shorewall/iptables limits to worry about; Shorewall has no pre-defined limits and iptables isn't involved in Proxy ARP (other than with the rules that you define for these hosts). You probably want to increase the size of the connection tracking hash table unless you have a lot of RAM in the firewall box (I posted instructions for how to do that recently on this list).

> Second step is trying to work out a "multiple uplink" scenario on the
> firewall to allow local LAN->NET traffic to pass through a separate
> ADSL connection. This is to make sure we do not interfere with regular
> traffic to the webservers. (Thanks for the URL in one of the previous
> posts, Tom!)

Since I only have one ADSL line here, I haven't been able to experiment with multiple uplinks -- possibly someone else can offer some experience.

-Tom
-- 
Tom Eastep        \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
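Tom's reply points at two kernel-level settings rather than Shorewall rules: the per-interface proxy-arp flag and the size of the connection tracking hash table. The script below is an added example, not code from the thread or from the Shorewall project; it audits both settings by reading a /proc-style tree, and it runs against a constructed sample tree (made-up interface names and values) so it can be tried offline. The paths it reads are the kernel's own: net/ipv4/conf/<iface>/proxy_arp, the 2.4-era net/ipv4/ip_conntrack_max and the later net/netfilter/nf_conntrack_max. The hashsize of 4096 and the target chain length of 2 are arbitrary tuning choices for the demonstration, not kernel defaults.

```sh
#!/bin/sh
# Added example (not from the thread): audit the two kernel settings Tom mentions,
# the per-interface proxy_arp flag and the connection-tracking table sizing, by
# reading a /proc-style tree. PROC_ROOT lets it run against a constructed sample.

# List "iface=flag" for every interface directory under sys/net/ipv4/conf,
# skipping the "all" and "default" pseudo-entries. Flag 1 = kernel proxy ARP on.
proxy_arp_flags() {
    root="$1"
    for d in "$root"/sys/net/ipv4/conf/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/proxy_arp" ] || continue
        printf '%s=%s\n' "$iface" "$(cat "$d/proxy_arp")"
    done
}

# Read the conntrack table limit, accepting the 2.4-era ip_conntrack name or the
# nf_conntrack name used by later kernels. Returns 1 if neither file exists.
conntrack_max() {
    root="$1"
    for f in sys/net/ipv4/ip_conntrack_max sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$root/$f" ]; then
            cat "$root/$f"
            return 0
        fi
    done
    return 1
}

# Average hash chain length when the table is full: conntrack_max / hashsize.
# A long chain means every lookup walks many entries, which is the cost Tom's
# advice to enlarge the hash table avoids. Integer division is deliberate.
conntrack_chain_length() {
    echo $(( $1 / $2 ))
}

# Smallest hashsize that keeps the full-table chain length at or below a target
# (ceiling division). The target is a tuning choice, not a kernel constant.
hashsize_for_chain() {
    max="$1"; target="$2"
    echo $(( (max + target - 1) / target ))
}

# Constructed sample tree standing in for /proc on a firewall with eth0 (outside),
# eth1 (inside) and lo; the values are made up for the demonstration.
SAMPLE_ROOT=$(mktemp -d)
for i in all default eth0 eth1 lo; do
    mkdir -p "$SAMPLE_ROOT/sys/net/ipv4/conf/$i"
done
echo 1 > "$SAMPLE_ROOT/sys/net/ipv4/conf/eth0/proxy_arp"
echo 1 > "$SAMPLE_ROOT/sys/net/ipv4/conf/eth1/proxy_arp"
echo 0 > "$SAMPLE_ROOT/sys/net/ipv4/conf/lo/proxy_arp"
mkdir -p "$SAMPLE_ROOT/sys/net/netfilter"
echo 65536 > "$SAMPLE_ROOT/sys/net/netfilter/nf_conntrack_max"

# Report against the sample; set PROC_ROOT=/proc to audit a live box instead.
PROC_ROOT="${PROC_ROOT:-$SAMPLE_ROOT}"
echo "proxy_arp flags:"
proxy_arp_flags "$PROC_ROOT"
max=$(conntrack_max "$PROC_ROOT") && {
    echo "conntrack_max=$max"
    echo "chain length with hashsize 4096: $(conntrack_chain_length "$max" 4096)"
    echo "hashsize for chain length 2:     $(hashsize_for_chain "$max" 2)"
}
```

On a live firewall the flags are written to the same paths the script reads (echo 1 into proxy_arp for the inside and outside interfaces), and the hash table size is a module parameter rather than a sysctl: `hashsize` on the 2.4 ip_conntrack module, exposed by later kernels under /sys/module/nf_conntrack/parameters/hashsize. Sizing the table from conntrack_max divided by a chosen chain length is the reasoning behind Tom's "unless you have a lot of RAM" remark: more buckets cost memory, fewer buckets cost a longer walk on every packet lookup.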
Hello Tom,

Friday, July 12, 2002, 3:54:50 PM, you wrote:

>> We would like to put approx. 2 public class C IP ranges accessible
>> through proxy ARP.

TE> This may be a stupid question, but why are you using Proxy ARP with
TE> that many IPs? With so many IPs, why wouldn't you configure the

Mainly because reconfiguration is kept to a minimum when using Proxy ARP.

TE> I hope that you aren't using Shorewall to define the Proxy ARP.
TE> With that many IPs, it's much better done by simply setting the
TE> proxy-arp flag on the internal and external interfaces.

Mm, we are using Shorewall to define the Proxy ARP. I found where to set the flag on the interfaces, but what is the advantage/difference of this compared to the Shorewall way?

I do need to split up our IP range in 2 subnets if I want to turn on the Proxy ARP flag on the interfaces, right?

TE> You probably want to increase the size of the connection tracking
TE> hash table unless you have a lot of RAM in the firewall box (I
TE> posted instructions for how to do that recently on this list).

Okay, thanks!

TE> Since I only have one ADSL line here, I haven't been able to
TE> experiment with multiple uplinks -- possibly someone else can
TE> offer some experience.

Just to let you know: it seems to work. I have been playing around with the "Advanced Routing & Traffic Control HOWTO" and it seems to work pretty well.

-- 
Best regards,
Kristof                            mailto:kristof.hardy@catsanddogs.com
On Mon, 15 Jul 2002, Kristof Hardy wrote:

>
> TE> I hope that you aren't using Shorewall to define the Proxy ARP.
> TE> With that many IPs, it's much better done by simply setting the
> TE> proxy-arp flag on the internal and external interfaces.
>
> Mm, we are using Shorewall to define the Proxy ARP. I found where to
> set the flag on the interfaces, but what is the advantage/difference of
> this compared to the Shorewall way?
>
> I do need to split up our IP range in 2 subnets if I want to turn on
> the Proxy ARP flag on the interfaces, right?
>

That's correct!

> TE> Since I only have one ADSL line here, I haven't been able to
> TE> experiment with multiple uplinks -- possibly someone else can
> TE> offer some experience.
>
> Just to let you know: it seems to work. I have been playing around
> with the "Advanced Routing & Traffic Control HOWTO" and it seems to
> work pretty well.
>

Thanks!

-Tom
-- 
Tom Eastep        \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net