[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Clint Miller cmiller at tigerbyte.com
Wed Dec 10 15:09:50 PST 2003


Tom -

On Wednesday 10 December 2003 11:14, Tom Eastep wrote:
> I'm absolutely speechless that someone would even dream of adding that many
> addresses to an interface.
>
> Given that this is a tunnel and there are no ARP or broadcast issues
> involved, I don't see any need to add the addresses at all. Have you tried
> it without doing that?
>
> -Tom

It works flawlessly without adding the addresses, except...
we have a set of LANs that we need to put on our VPN whose internal addresses 
clash with other LANs in our VPN.  In order to route between the two we 
attach these vpn-friendly addresses to the tunnel interface.  Then we can add 
routes between the new NATd LAN and the rest of the VPN.  The result is

192.168.0.1---snat---10.0.0.1---vpn---10.0.1.1---snat---192.168.0.1

can route between one another. 

It works great for a few 10s of hosts on each shorewall server.  This prevents 
us from having to readdress the new networks we inherit.  It's really very 
cool.  When I was presented with the problem of routing between clashing 
address ranges through a VPN, I was happy to see we could do this with 
shorewall.   However, I freely admit that this is probably a flawed solution 
and will happily try alternatives.

Is there a better method for doing this with 100s of addresses?  I'd live with 
it but each address added gets slower and slower as it's adding.  Once the 
firewall activates all the rules, it works fine.  But it can take an hour to 
load 600 addresses, which makes it a little impractical.  

Any pointers would be greatly appreciated.  Thanks!
-- 
Clint Miller
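Modelled below as an added example (not code from this thread or from Shorewall itself): the two SNAT stages in the diagram above treated as a prefix-preserving 1:1 mapping between each site's clashing LAN and its VPN-side range, so the translation is a single network-to-network rule rather than one entry per host. The site names, address ranges and function names are assumptions made for the example.

```python
import ipaddress

# Constructed example topology, not taken from the thread: two sites whose LANs both
# use 192.168.0.0/24, each assigned a distinct VPN-side /24 as in the diagram.
SITES = {
    "A": (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.0.0.0/24")),
    "B": (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.0.1.0/24")),
}


def netmap(addr, src_net, dst_net):
    """Prefix-preserving 1:1 mapping: keep the host bits, swap the network bits.

    This is the arithmetic behind a NETMAP-style rule; one rule per prefix covers
    every host in it instead of one SNAT entry per address.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("source and target prefixes must be the same size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def outbound(site, src, dst):
    """Egress at `site`: SNAT the local LAN source to its VPN-side address."""
    lan, vpn = SITES[site]
    return str(netmap(src, lan, vpn)), str(dst)


def inbound(site, src, dst):
    """Ingress at `site`: map the VPN-side destination back to the local LAN address."""
    lan, vpn = SITES[site]
    return str(src), str(netmap(dst, vpn, lan))


def traverse(src_site, src, dst_site, dst):
    """Follow one packet from a LAN host at src_site, via the tunnel, to a LAN host at dst_site.

    Returns the (src, dst) pair as seen on the tunnel and as delivered on the far LAN.
    """
    on_tunnel = outbound(src_site, src, dst)
    on_far_lan = inbound(dst_site, *on_tunnel)
    return on_tunnel, on_far_lan


if __name__ == "__main__":
    # 192.168.0.1 at site A reaches site B's 192.168.0.1 by addressing 10.0.1.1.
    print(traverse("A", "192.168.0.1", "B", "10.0.1.1"))
```

The reply from site B follows the same two steps in the other direction, which is what makes the mapping usable for both ends without per-host state.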