From: Damien M. <tu...@tu...> - 2005-10-19 09:36:03
Hi guys,

I have a router that is managing around 12 to 15 different subnets within a /23, all through one interface (ugly, I know, don't ask). I am experiencing a fluctuating latency for traffic passing through the router. It seems to fluctuate between 2ms and 20ms, and occasionally has packet loss (though not too often since increasing the conntrack_max sysctl variable).

The question that I have is in regards to "net.ipv4.netfilter.ip_conntrack_count". This has been increasing since the router has been installed, and I have had to increase it beyond the default of 16k to 64k, though it is currently at 30k entries, and within a few days, it will probably hit the 64k limit.

My 'shorewall status' is available at http://tusker.sg/status.gz for anyone who wishes to have a look. It is an old copy since I can't get my current status (there is a bug in that status.gz which I have since solved: I had defined the 'net' zone as 0.0.0.0/24, which is obviously not 'net' [it is now 0.0.0.0/0]). (I receive out of space errors while trying shorewall status, because of "cat: /proc/net/ip_conntrack: No space left on device")

I also have a requirement to traffic shape (using tcrules etc), though I'm afraid that the traffic control will also increase the conntrack_count. Will adding the tcrules/traffic control put a drain on the router, and make the latency worse?

Thanks in advance,

Damien
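The post describes watching ip_conntrack_count climb towards ip_conntrack_max and hitting "No space left on device" once the table fills. Below is an added monitoring script (example code, not from the poster or from Shorewall) that reads the two counters the post names, computes the percentage in use and classifies it as ok, warn or full, so the table can be watched before it fills. The sysctl paths under /proc/sys/net/ipv4/netfilter/ are the ip_conntrack names quoted in the post; newer kernels expose the same counters as net.netfilter.nf_conntrack_count and nf_conntrack_max, so the paths are overridable. The 30000/65536 fallback figures and the 80% warning threshold are constructed sample values, not measurements from the router.

```shell
#!/bin/sh
# Added example (not from the original post): report netfilter conntrack table usage.
# Paths default to the ip_conntrack sysctl names quoted in the post; override them
# (e.g. CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count) on newer kernels.
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/ipv4/netfilter/ip_conntrack_count}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/ipv4/netfilter/ip_conntrack_max}"
WARN_PCT="${WARN_PCT:-80}"   # constructed threshold: warn at 80% of the table

# Integer percentage of the table in use: count * 100 / max (0 if max is not positive).
conntrack_usage_pct() {
    count="$1"; max="$2"
    if [ "$max" -le 0 ] 2>/dev/null; then echo 0; return; fi
    echo $(( count * 100 / max ))
}

# Classify usage: "full" when count has reached max (the state in which the post's
# "No space left on device" error appears), "warn" at or above the threshold, else "ok".
conntrack_state() {
    count="$1"; max="$2"; warn="${3:-$WARN_PCT}"
    if [ "$count" -ge "$max" ]; then echo full; return; fi
    pct=$(conntrack_usage_pct "$count" "$max")
    if [ "$pct" -ge "$warn" ]; then echo warn; else echo ok; fi
}

# Read the live counters; fall back to constructed sample values when the /proc files are
# unavailable (non-Linux host, old kernel without the sysctl) so the script still runs.
conntrack_check() {
    if [ -r "$CT_COUNT_FILE" ] && [ -r "$CT_MAX_FILE" ]; then
        count=$(cat "$CT_COUNT_FILE"); max=$(cat "$CT_MAX_FILE")
    else
        count=30000; max=65536   # constructed sample figures, roughly those in the post
    fi
    printf 'conntrack: %s/%s entries (%s%%) -> %s\n' "$count" "$max" \
        "$(conntrack_usage_pct "$count" "$max")" "$(conntrack_state "$count" "$max")"
}

conntrack_check
```

Run it from cron or a monitoring agent and alert on "warn" so the limit can be raised, or the source of the growth investigated, before the table reaches "full" and the router starts dropping new connections.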