Categories

  • 454 Topics
    1k Posts

    Hi TNSR Community,
    I’m exploring the best ways to configure Access Control Lists (ACLs) in TNSR to secure a containerized webserver exposed through the dataplane, and I’d love to hear your approaches for robust setups.

    Details:

    Setup: TNSR (v25.02, Home+Lab ISO), Ubuntu 22.04, deployed on bare metal with VPP and DPDK, running a containerized nginx webserver (port 80) via Docker.
    Context: I’m exposing the webserver through the TNSR dataplane, following the VPP nginx example (https://docs.netgate.com/tnsr/en/latest/usecases/nginx.html).
    Observation: The ACL allows HTTP traffic, but I’m concerned about potential vulnerabilities like packet fragmentation attacks or unintended access from other ports. The TNSR ACL docs (https://docs.netgate.com/tnsr/en/latest/acl/index.html) mention basic filtering but lack details on advanced protections.

    Steps Tried:
    Applied the ACL to the dataplane interface (GigabitEthernet0/0/0) via TNSR CLI and verified with show acl.
    Tested connectivity with curl from an external client, confirming HTTP access.
    Checked /var/log/vnet.log for ACL drops, but no clear indicators of fragmentation issues.
    Reserved CPU cores for TNSR/DPDK to avoid resource contention with Docker, per community suggestions.

    Goal: Secure the webserver with a robust ACL setup that minimizes attack surfaces while maintaining performance.

    Questions:

    What are your recommended best practices for configuring TNSR ACLs to secure containerized apps (e.g., nginx) on the dataplane?
    How do you handle protection against packet fragmentation attacks or other advanced threats with TNSR ACLs? Are they equivalent to VPP ACLs?
    Any tips for logging or debugging ACL rules to ensure only intended traffic is allowed?
    For those running similar setups, how do you balance ACL granularity with TNSR’s high-performance routing?

    I’d appreciate any insights or configurations you’ve found effective for securing webserver traffic! Thanks in advance.
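As an added illustration (not part of the original post, and not TNSR or VPP code), the Python below models a generic stateless first-match L3/L4 ACL to make the fragmentation concern concrete: a rule qualified by destination port can only ever match the first fragment of a datagram, because non-initial fragments carry no TCP header, so under a permit-tcp/80 plus deny-everything ACL they fall through to the catch-all deny, while a port-less permit admits both non-initial fragments and every other port. The addresses, rule sets and packets are constructed for the example.

```python
# Added example: toy first-match ACL evaluator for reasoning about how a
# stateless L3/L4 filter treats non-initial IP fragments. Generic model,
# not TNSR/VPP code; every address, rule and packet below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" (from the IP header)
    dst_port: Optional[int] = None  # None when no L4 header is present
    frag_offset: int = 0            # > 0 marks a non-initial fragment

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    dst_net: Optional[str] = None   # CIDR; None matches any destination
    dst_port: Optional[int] = None  # requires an L4 header to match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_net is not None and (
            ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net)
        ):
            return False
        if self.dst_port is not None:
            # Only the first fragment carries the TCP/UDP header, so a
            # port-qualified rule can never match a non-initial fragment.
            if pkt.dst_port is None or pkt.dst_port != self.dst_port:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "deny", None


WEB = "198.51.100.10/32"  # constructed address of the nginx container

# Baseline: permit only TCP/80 to the server, deny everything else.
BASELINE = [
    Rule(10, "permit", proto="tcp", dst_net=WEB, dst_port=80),
    Rule(20, "deny"),
]

# Port-less variant: a "permit tcp to the server" rule added so that
# fragmented requests work. It also opens every other TCP port.
PORTLESS = [
    Rule(10, "permit", proto="tcp", dst_net=WEB, dst_port=80),
    Rule(15, "permit", proto="tcp", dst_net=WEB),
    Rule(20, "deny"),
]

# Constructed traffic samples from an external client.
HTTP_SYN = Packet("203.0.113.5", "198.51.100.10", "tcp", dst_port=80)
SSH_SYN = Packet("203.0.113.5", "198.51.100.10", "tcp", dst_port=22)
TAIL_FRAG = Packet("203.0.113.5", "198.51.100.10", "tcp", frag_offset=185)


def compare() -> Dict[str, Dict[str, Tuple[str, Optional[int]]]]:
    """Decision for each sample packet under each rule set."""
    samples = {"http": HTTP_SYN, "ssh": SSH_SYN, "tail_fragment": TAIL_FRAG}
    return {
        name: {"baseline": evaluate(BASELINE, pkt), "portless": evaluate(PORTLESS, pkt)}
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:14s} baseline={decisions['baseline']}  portless={decisions['portless']}")
```

The same three cases (port 80, some other port, and a non-initial fragment sent with a tool that can craft raw packets) are what to exercise from an external host against a real ACL, comparing the per-rule hit counters with the expected decisions rather than only checking that curl succeeds.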

  • 120k Topics
    762k Posts

    @johnpoz
Who said I am applying the rule on LAN?
I'm aware interface rules are ingress only, sure.

Here's a screenshot from the Netgate recommendation illustrating the floating rule on WAN:
[screenshot: 1000119912.png]

Now, with that rule, as the doc says, you need an allow rule before it. The thing is that the allow rule must apply to all interfaces the filtered packet travels through, and not only WAN.
I suppose it is a strict security requirement that the stateful inspection needs to track the packet through its whole lifespan.

  • 20k Topics
    127k Posts
    JonathanLeeJ

    Hello fellow Netgate community members,

Has anyone ever configured pfSense to push Snort logs etc. to Security Onion or Kibana before?

  • 43k Topics
    267k Posts

Good day everyone,

Operating system:
FreeBSD 14.0-CURRENT

pfSense version:
2.7.2-RELEASE (amd64)

OpenVPN version:
OpenVPN 2.6.8

OpenVPN client:
openvpn-client-export 1.9.2

OpenVPN Connect version:
3.7.2 (4253)

IP version:
IPv6 (for some reason I cannot connect over IPv4)

I have configured OpenVPN so that clients connect with the following user setups:

Local users without certificate
Local users with certificate
Users via LDAP (AD 2022) without certificate
Users via LDAP (AD 2022) with certificate

Once the configuration is finished I run tests and can connect without problems; a day goes by and I still connect without problems, but after a few more days I can no longer connect and I get the following error:

Connection Timeout
Cannot connect because of the following error(s):
Error calling protect() method on socket: 30 times

So I have to delete the whole configuration and redo it, and the same thing happens: I run tests and can connect without problems, a day goes by and I connect without problems, but after a few more days I can no longer connect and I get the same error.

Could you help me with this issue? The VPN is used in extraordinary situations where someone has to connect because of an emergency, and they end up calling in the early morning to get the problem fixed.

  • Information about hardware available from Netgate

    3k Topics
    20k Posts

    @jdstlnet Correction, unit was bought late 2023, early 2024.

  • Information about hardware available from Netgate

    44 Topics
    211 Posts
    AriKellyA

    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!

  • Feel free to talk about anything and everything here

    3k Topics
    19k Posts

    @Patch I am a paying Plus customer and obviously I would like it to do that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.