* Jason Healy <[email protected]> [2012-08-22 03:37]:
> We used to have a direct handoff (ISP router was on the same subnet as our IP
> range) and we explicitly requested a transit network. We were using CARP
> aliases for the /23 that we had, and it was affecting performance.

that is some time ago?

> From my understanding, each alias is a virtual interface,

no.

> and interfaces are searched in linear order when matching for
> firewall rules.

err... oversimplifying. there are multiple points where the number of addresses (interfaces less so) matter. one surprisingly expensive point was the "is the packet destined for the local machine" decision. that used to be pretty expensive, but I optimized that some time ago and it should be pretty cheap and foremost close to constant right now. the pf side is another topic, but should not be expensive either.

> By changing to a /30 transit and doing away with the aliases, performance on
> the OpenBSD box improved substantially. We now have CARP answer for our end
> of the /30, so it just answers for one address. All other
> routing/NAT/firewalling is done using PF and static routes, and the
> performance there is much better.

again, it matters a lot when (i.e. what release) you did that. things changed.

> I don't remember the exact release, but roughly 2 years ago.

--
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

