TNSR

TNSR Download Link?

fractal_boy — Tue, 17 Feb 2026 20:50:48 GMT

@root0 you have to email Netgate support and ask for a trial TNSR.

Best Practices for Configuring TNSR ACLs to Secure a Containerized Webserver

davidjames78 — Tue, 08 Jul 2025 10:32:39 GMT

Hi @Tyronejackson839, Thanks for the awesome advice! Your ACL tips worked perfectly—enabling fragment-checking and lean rules secured my nginx webserver without sacrificing performance. Really appreciate your detailed help! Best, David James | Founder of The Yes No Button!

VLAN and Internet Access

shor0814 — Tue, 06 May 2025 21:31:09 GMT

I have a 2 TNSR routers connected to a pair of MLAG connected switches. I also have my own IPV4 subnet that is being announcec by BGP via Interface 1 on the first TNSR device. I have no problems at all right now, all of the servers on my network can access the internet and be accessed via their public IP address.

What I am struggling with now is segregating clients into VLANs. When I create an access VLAN (22) for my client, I can no longer access the internet. My understanding is that I must create a bridge so that the VLAN22 can access the LAN interface with the gateway IP assigned. Each VLAN client will have a public IP from the single /24 subnet.

When I followed the instructions for TNSR VLAN, nothing seemed to be problematic, but when I created the bridge things went wonky. Not only do the VLANs not work, but I also lose access to the non-VLAN devices.

interface bridge domain 10
flood
uu-flood
forward
learn
exit

int Interface1
bridge domain 10
enable
exit
int Interface1.22
bridge domain 10
enable
exit
interface loopback bridgeloop
instance 1
exit
interface loop1
ip address 10.25.254.1/24
bridge domain 10 bvi
enable
exit

I did try changing the loop1 IP to my gateway IP and removing it from Interface1 but that didn't help. Maybe I am going about this wrong, but I need some guidance if possible.

Thanks,
Shawn

For background:
On TNSR device1:
Interface1 is connected to a switch that carries my upstream BGP using a 10.34.14.0/24 address for now.
Interface2 is the interface that has my gateway IP 23.x.x.x/24 and is also the port connected to the first switch.
Interface3 is connected to a second switch and has no IP address

TNSR device2 :
Interface1 is connected to the switch that carreies the BGP but has no IP address and for all practical purposes is doing nothing

Interface 2 is connected to the 2nd switch and has no IP address

Interface 3 is connected to the first switch and has no IP address

As you can see, the 2nd TNSR device is mostly sitting around doing nothing but eventually should be integrated in via VRRP or whatever I can get working.

Support for MCLAG

fractal_boy — Thu, 10 Apr 2025 20:00:12 GMT

@michmoor one of the option you have is to use VRRP instead.

MAP-T BR Not Translating Traffic - Seeing unexpected NDP traffic for MAP-T BR implementation

rcoleman612 — Thu, 03 Apr 2025 04:10:27 GMT

@gigabitguru Pro tip - if you have an active tnsr software sub you should open a ticket. You can see, from the parent category, that there's not a lot of tnsr activity over here. I am not someone that can help you out -- but simply directing you to TAC if you need/want more responsive suggestions. Cheers.

bgp address families

michmoor — Wed, 26 Mar 2025 00:56:47 GMT

Is there any plans to have TNSR support address-families that support vpnv4/6 (MPLS) and evpn?
The documentation doesn't state the supported families but i assume ipv4/ipv6 only.

VRRP expected MAC address behavior

fractal_boy — Wed, 05 Mar 2025 19:55:10 GMT

@gigabitguru What TNSR version do you run? This bugs were fixed on TNSR 23.11. Here is the details: https://docs.netgate.com/tnsr/en/latest/releases/release-notes-23.11.html#vrrp

IPv6: Host Interface RA (Router Advertisement) Surpression Missing?

gigabitguru — Wed, 05 Mar 2025 19:48:34 GMT

I've run into what appears to be a missing command line configuration item, but wanted to see if there's a way to do this via proper TNSR CLI commands.

GOAL: Disable any Host Interface RAs from being processed
- This includes creating IPv6 Addresses and/or Routes
ISSUE: RAs come in and apply IPv6 Addrs / Routes on host interfaces
- no configuration options appear present in docs or the CLI to surpress RAs
NON-PERSISTENT FULL WORKAROUND: applying accept_ra: false to the proper section of /etc/netplan/50-tnsr-host-interfaces.yaml temporarily works to suppress RAs
- but as expected, any reboots or changes to Host Interface configuration in the TNSR CLI blow this away
UNACCEPTABLE HACK WORKAROUND: set a more specific route for source client subnets to take a different route versus the default

How can RAs be suppressed in a supported, persistent way? In my situation, they conflict with routes required for SSH connectivity to manage these hosts.

hello

JonathanLee — Wed, 18 Dec 2024 07:23:57 GMT

@retgvtbyrey I think for TNSR licensed users you can open a support ticket with Netgate and skip the forum even.

Using TNSR Software to Conserve Address Space and Improve Security

mwatch — Thu, 26 Sep 2024 16:23:59 GMT

Check out our latest blog post: Using TNSR Software to Conserve Address Space and Improve Security. It dives into how to optimize your network security and conserve address space using TNSR software. Learn about configuring point-to-point links with /31 and /127 network masks for both IPv4 and IPv6.

https://www.netgate.com/blog/using-tnsr-software-to-conserve-address-space-and-improve-security

how to change ring buffer to 4096

c_cloud — Tue, 09 Jul 2024 09:06:31 GMT

this was their answer: "If you get 3 Full Views, please check this guide: https://docs.netgate.com/tnsr/en/latest/dynamicrouting/bgp/tuning.html" well... yes thank you.

Netgate 6100 Max with TNSR and 10GBaseT SFP+ modules

cwhitten-dec — Fri, 28 Jun 2024 21:16:08 GMT

After reading a comment in this thread - https://www.reddit.com/r/Netgate/comments/1bzsv4m/the_sfp_10gbaset_80m_copper_rj45_transceiver_for/ - I found the problem. I was testing to a 1gig port on a Cisco switch. Temporarily moved it to a 10G port on a server and the interface is up and working.

Clarification on ACL and NAT Interaction in TNSR

Derelict — Tue, 09 Apr 2024 05:28:37 GMT

@olivertbuffet For outbound ("in2out") traffic, translation is done first and then output ACLs are evaluated. For inbound ("out2in"), it's the opposite. Input ACLs are evaluated and then translation. This matches the documentation here: https://docs.netgate.com/tnsr/en/latest/acl/acl-nat.html#acl-and-nat-interaction Where in the documentation did you see it is the same in both directions so it can be evaluated and corrected if necessary?

TNSR Load Balancing Methods

fractal_boy — Mon, 05 Feb 2024 02:35:23 GMT

did you try something like this? R1 tnsr(config)# sh run route route table ipv4-VRF:0 id 0 route 0.0.0.0/0 next-hop 0 via 10.100.1.2 e1 next-hop 1 via 10.100.0.2 e2 exit exit R1 tnsr(config)# sh route Route Table ipv4-VRF:0 AF: ipv4 ID: 0 ----------------------------------------- 0.0.0.0/0 via 10.100.0.2 e2 weight 1 preference 0 via 10.100.1.2 e1 weight 1 preference 0

First installation TNSR no interface SR-IOV

asolaro — Wed, 10 Jan 2024 11:19:24 GMT

I solved the problem, the NIC was down no-carrier. Once I had the interface up I was able to configure everything as I wanted. A positive note to Netgate support who gave me assistance in resolving the problem.

Inquiry About API Access for TNSR Models - Integration with Ansible

x11 — Mon, 08 Jan 2024 10:46:58 GMT

ChatGPT

Certainly! Here's a draft email for your request to TNSR community regarding their API:

Subject: Inquiry About API Access for TNSR Models - Integration with Ansible

Dear TNSR Community Team,

I hope this message finds you well. I am reaching out to inquire about the possibility of accessing the TNSR API in a format other than the standard documentation provided. My primary goal is to utilize all available models within the TNSR suite and integrate them with Ansible for streamlined operations.

The current process of copying each module individually is quite time-consuming, and I am seeking a more efficient method. This approach, unfortunately, feels like it could extend indefinitely, perhaps even into the next year, which is not feasible for my project timelines.

I am very interested in exploring whether there exists an alternative way to access and implement the TNSR API that would allow me to use all models in a more consolidated and time-efficient manner. My aim is to automate processes using Ansible, and having a streamlined API access would significantly aid in achieving this.

If there are any existing solutions or suggestions you could offer, it would be immensely helpful. I am open to any recommendations that might assist in making this integration more seamless and efficient.

Thank you for your time and consideration. I look forward to your response and any assistance you can provide.

Best regards

FastNetMon Advanced with TNSR Software

mwatch — Tue, 19 Dec 2023 19:57:59 GMT

This article provides detailed information on how to configure FastNetMon Advanced with TNSR software: https://fastnetmon.com/docs-fnm-advanced/fastnetmon-integration-with-tnsr-high-performance-router-and-vpn-concentrator/

TNSR - ping in a vrf

paulwollner66 — Sat, 09 Dec 2023 11:00:14 GMT

@fractal_boy I can confirm that specifying an interface does indeed work.

RESTCONF & NACM, which modules are needed for RESTCONF access?

kiokoman — Tue, 05 Dec 2023 14:30:20 GMT

@meatprofit there is an interesting section starting from here explaining ACL https://datatracker.ietf.org/doc/html/rfc8341#section-3 As an example, if an action is defined as /interfaces/interface/reset-interface, the group must be authorized to (1) read /interfaces and /interfaces/interface and (2) execute on /interfaces/interface/reset-interface. [image: 1702463566494-7251b782-96b8-4416-98ff-cbc4da408612-image.png] glad you have solved anyway

route-map reducing or increasing local-preference

paulwollner66 — Sun, 29 Oct 2023 19:52:34 GMT

I have created a patch that achieves incrementing and decrementing the local-preference. It is the first time I have worked with yang, but I think I have checked all the boxes. Hopefully this is useful for others. local-preference.patch

Route visibility

paulwollner66 — Sat, 28 Oct 2023 12:18:44 GMT

@Derelict said in Route visibility: show route dynamic bgp ipv4 network 1.1.1.1 Thank you. That was exactly what I was looking for :)

TNSR - clixon_cli hangs when opening

paulwollner66 — Sat, 28 Oct 2023 11:05:28 GMT

@paulwollner66 The documentation explained it rather well. https://docs.netgate.com/tnsr/en/latest/advanced/dataplane-cpu.html

TNSR Route Leak BGP learned routes between VRFs

rcoleman612 — Tue, 17 Oct 2023 22:33:41 GMT

@scourtney2000 said in TNSR Route Leak BGP learned routes between VRFs: but I'm not sure how to engage Netgate in Azure. https://go.netgate.com/ Include a screenshot of your Azure appliance window that shows your TAC subscription of Pro or Enterprise.