On Aug 17, 2012, at 10:39 AM, Tobias Crefeld wrote:

> Any idea how to deal with this issue? Or should we try to discuss with
> the ISP to leave out this transit network?

We used to have a direct handoff (ISP router was on the same subnet as our IP range) and we explicitly requested a transit network.

We were using CARP aliases for the /23 that we had, and it was affecting performance. From my understanding, each alias is a virtual interface, and interfaces are searched in linear order when matching for firewall rules.

By changing to a /30 transit and doing away with the aliases, performance on the OpenBSD box improved substantially. We now have CARP answer for our end of the /30, so it just answers for one address. All other routing/NAT/firewalling is done using PF and static routes, and the performance there is much better.

Jason

-- 
Jason Healy | jhe...@logn.net | http://www.logn.net/
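For readers following the thread, here is a constructed illustration of the two layouts Jason describes (this is my own added sketch, not configuration from Jason's post or from his site). It assumes OpenBSD hostname.if(5) and pf.conf(5) syntax of the 4.7+ era, interface names em0 (uplink) and em1 (inside), RFC 5737 documentation addresses (203.0.113.0/30 as the transit, 198.51.100.0/23 as the customer block), vhid 10, and a placeholder CARP password; inside-gateway redundancy is left out to keep the contrast clear.

```conf
# ===== BEFORE (constructed): ISP router sits inside our /23, so the CARP
# ===== interface must own every public address the firewall answers for.
# /etc/hostname.carp0
inet  198.51.100.2 255.255.254.0 198.51.101.255 vhid 10 pass CARP_SECRET carpdev em0
alias 198.51.100.3 255.255.255.255
alias 198.51.100.4 255.255.255.255
# ... one alias line per public address; every extra address is one more
# thing the stack has to walk through while deciding what a packet matches.

# ===== AFTER (constructed): ISP hands off a /30 transit and statically routes
# ===== the /23 to our shared CARP address 203.0.113.2.
# /etc/hostname.em0   (physical uplink needs no address of its own)
up

# /etc/hostname.carp0 (master; the backup node adds "advskew 100")
inet 203.0.113.2 255.255.255.252 203.0.113.3 vhid 10 pass CARP_SECRET carpdev em0

# /etc/mygate         (default route = ISP side of the /30)
203.0.113.1

# /etc/hostname.em1   (the /23 now lives on the inside and is simply routed)
inet 198.51.100.1 255.255.254.0

# /etc/pf.conf        (one external interface, one CARP address to consider)
ext_if   = "em0"
int_if   = "em1"
pub_net  = "198.51.100.0/23"
priv_net = "10.0.0.0/8"

set skip on lo
block all
pass on $ext_if proto carp                     # keep the CARP heartbeat flowing
pass on $int_if
pass out on $ext_if from $pub_net              # routed public hosts go out untouched
pass out on $ext_if from $priv_net nat-to 203.0.113.2
pass in  on $ext_if proto tcp to 198.51.100.10 port { 80 443 }
```

The point of the contrast: in the second layout CARP only has to own a single address on the transit link, and PF rules are written against one physical interface plus ordinary routing, which is the arrangement Jason reports as performing much better.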