diff --git a/Shorewall/firewall b/Shorewall/firewall
index ea413f0da..ed521a10a 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2846,7 +2846,7 @@ get_routed_subnets() # $1 = interface name
 done
 }
 #
-# Convert an IP address to an integer
+# Convert an IP address in quad format to an integer
 #
 decodeaddr() {
 local x
@@ -2864,7 +2864,7 @@ decodeaddr() {
 IFS=$ifs
 }
 #
-# convert an integer to an IP address
+# convert an integer to quad format
 #
 encodeaddr() {
 addr=$1
@@ -2901,6 +2901,24 @@ ip_netmask() {
 echo $(( $(( 0xffffffff << $((32 - $1)) )) & 0xffffffff ))
 }
 #
+# Network address from CIDR
+#
+networkaddress() {
+ local decodedaddr=`decodeaddr ${1%/*}`
+ local netmask=`ip_netmask ${1#*/}`
+
+ echo `encodeaddr $((decodedaddr & netmask))`
+}
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+ local decodedaddr=`decodeaddr ${1%/*}`
+ local netmask=`ip_netmask ${1#*/}`
+
+ echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $(( $netmask ^ 0xffffffff )) ))`
+}
+#
 # Test for subnet membership
 #
 in_subnet() # $1 = IP address, $2 = CIDR network
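Review bot: networkaddress() and broadcastaddress() assume that $1 always carries a prefix length: for a bare address both `${1%/*}` and `${1#*/}` return the whole string, so ip_netmask ends up evaluating `32 - <address>` and the function emits an arithmetic error or a wrong value instead of failing cleanly. A guard at the top of each, for example `case $1 in */*) ;; *) set -- $1/32 ;; esac`, would make the contract explicit. The two bodies are also written inconsistently (`$((decodedaddr & netmask))` against `$(($decodedaddr & $netmask))`); the `$`-prefixed form is likely the more portable one on older ash-style shells, and the nested expansions in broadcastaddress could be flattened to `$(( ($decodedaddr & $netmask) | ($netmask ^ 0xffffffff) ))`. A usage comment such as `# $1 = address in CIDR form (a.b.c.d/n)` on both headers, in the style of in_subnet's, would tell callers what input is expected.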
@@ -3223,28 +3241,30 @@ verify_os_version() { # add_ip_aliases() { - local addresses external interface inet cidr brd bcast rest + local addresses external interface inet cidr rest val - do_one() + details() { # # Folks feel uneasy if they don't see all of the same # decoration on these IP addresses that they see when their # distro's net config tool adds them. In an attempt to reduce # the anxiety level, we have the following code which sets - # the VLSM and BRD from the primary address in the same subnet + # the VLSM and BRD from an existing address in the same subnet # # Get all of the lines that contain inet addresses with broadcast # - val= - - ip addr show $interface 2> /dev/null | grep 'inet.*brd ' | while read inet cidr brd bcast rest ; do + ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do if in_subnet $external $cidr; then - val="/${cidr#*/} brd $bcast" + echo "/${cidr#*/} brd `broadcastaddress $cidr`" break fi done + } + do_one() + { + val=`details` run_ip addr add ${external}${val} dev $interface $label echo "$external $interface" >> ${STATEDIR}/nat [ -n "$label" ] && label="with $label"
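Review bot: The widened filter `grep 'inet'` in details() now also matches `inet6` lines, which the old `'inet.*brd '` pattern excluded because they carry no brd field, so an IPv6 CIDR can reach in_subnet and broadcastaddress, both of which only do 32-bit dotted-quad arithmetic. `grep 'inet '` (with the trailing space) keeps the intent of accepting addresses that have no broadcast while staying IPv4-only. A line whose second field has no prefix (presumably a point-to-point `peer` entry) would also produce a malformed `/<address> brd …` suffix for `ip addr add`, so a skip such as `case $cidr in */*) ;; *) continue ;; esac` before the in_subnet test is worth adding. in_subnet is defined outside this hunk, so how it reacts to such input is not confirmed here, and do_one's body continues past the end of the hunk.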