Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Performance impact of large network CIDR Aliases

    Scheduled Pinned Locked Moved Firewalling
    5 Posts 2 Posters 607 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      MaxBishop
      last edited by

      If I were to have several IP-Network aliases, each consisting of CIDRs representing millions of addresses, and I were to include those aliases in firewall rules, would this degrade the firewall's performance? I know that the answer depends on my machine's capabilities but I am interested in an "all other things being equal" answer.

      So, I guess my question relates to: does the algorithm for checking an IP's match with an aliased CIDR set require iterating over a large set of potential IPs before a firewall match decision is complete? Or, is a fast algorithm that does not require storage or inspection of each potential IP being used?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @MaxBishop
        last edited by johnpoz

        If you use the network alias vs IP, then it would just be the cidr.. There would be no real difference if a /29 or a /8 - where you would have a problem is putting a large cidr into the IP alias - where the range is broken out into individual IP vs the network.

        If you are putting hundreds or thousands of cidr ranges - this could have an effect on rule evaluation.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        1 Reply Last reply Reply Quote 0
        • M Offline
          MaxBishop
          last edited by

          Hi,
          Thanks

          Just to be sure, that's:

          use Firewall/Aliases/IP : type = Network

          and not Firewall/Aliases/IP: type = URL Table (IP)

          Is that correct?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @MaxBishop
            last edited by johnpoz

            Set the type here for IP

            network.png

            here is one I have

            aliases.png

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

            1 Reply Last reply Reply Quote 0
            • M Offline
              MaxBishop
              last edited by

              Thanks

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.