Sorry to post in this old topic but is there any chances TNSR implements a GUI to get closer to non-pro users as pfSense does?

Kind regards

Hi Jake,

A list of components that are tested for compatibility with TNSR specifically can be found here. You'll find compatible processors and NICs in that document.

While AMD Epyc may install and run, we do not test these processors, so it is recommended to stick to Intel so that we can guarantee compatibility with TNSR, not just DPDK and VPP.

The hardware requirements to achieve your throughput requirements will likely depend on the finer details of your use-case. Since you mention a CPIC card, I am assuming there is some IPSec requirement here in addition to the BGP peering you mention in the post. Please feel free to reach out to me at sales@netgate.com and we can set up a call to discuss your requirements in more detail. We'd be happy to assist with an evaluation and help you achieve your goals with TNSR.

Thanks,

Max

i got it , https://docs.netgate.com/tnsr/en/latest/acl/host.html

TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface .

Which metrics are you querying to get the live interface traffic data? I just started setting this up myself and I cannot seem to find the right one, only byte totals used that keeps climbing and never drops. I may be dumb and doing it wrong, though. lol

@gabe-a said in How to get SSH working on my network:

I'll try to trace the route the traffic

There is not a "trace" of traffic - you would need to sniff and see how when you ssh hostname that name is being resolved to an IP, is it a netbios broadcast, was a dns query to your routers IP using a fqdn query or just hostname, or did it add a suffix like .local, etc. , was it mdns via multicast?

If I didn't on purpose completely disable mdns on any client that tries and do it - I would show you an example.. But I on purpose disable mdns on my windows machines - because it a horrible chatty protocol that I have zero use for - I resolve anything on my network via a simple dns query.. to my unbound running on pfsense or my pihole.

What I can show you for example when I ssh to say my nas.. what happens..

I flush the machines local dns cache so I know it has to find the IP for nas.local.lan, as you can see it does a dns query to my dns it points to, in my cache my pihole on 192.168.3.10 and gets an answer

dns.jpg

showing where my client points for dns, and that I have mdns disabled - its horrible horrible chatty noise producing protocol..
mdns.jpg

That it is enabled by default is horrible yet another horrible choice by MS if you ask me ;)

avahi is a tool that will pass mdns across network boundaries - it has zero use for you, because as you have stated all your devices on the same network. But I have gone over how to troubleshoot that and set it up a few times.. Even though I dislike using it, and don't on my network, I know how it works and I know how to set it up, etc. I just not a fan of breaking network boundaries like that.. If you want to discover something via a L2 method - then you need to be on that L2 ;)

None which has anything to do with you, since you have clearly stated all your devices are on the same network connected to a dumb switch..

Here for example is some mdns on my wireless network my phone and printer are on..

mdns.jpg

You can see my phone 192.168.2.198 sending out queries, and the stuff it already knows about, and you see a response from my printer on 192.168.2.50 to the multicast address. What I don't see is any directed unicast responses directly from the printer to the phone for example. I would have to setup span port of where my AP is to see that, since my printer is wired..

Iphone loves to use airprint to find printers - wish I could just give it the fqdn or IP of the printer so I didn't have to allow for that nonsense noise on my network.. My PC for example has no issue just printing to the fqdn of the printer across vlans.. But vs breaking the boundary - I just put the printer on the same vlan as my wireless that devices that insist on using mdns, so I don't have to break boundaries passing mdns across network segments.

edit: here I did a sniff directly on my AP via tcpdump for this sort of traffic.. This way I did not have to really change anything on my networks or clients or create a span port to see the traffic..

12:29:06.767697 IP 192.168.2.198.5353 > 224.0.0.251.5353: 0 A (QU)? BRN30055C116AD9.local. (39) 12:29:06.787748 IP 192.168.2.50.5353 > 192.168.2.198.5353: 0*- [0q] 1/0/0 A 192.168.2.50 (49)

You can see where my phone 2.198 did a query to the multicast address, and the printer at 2.50 did a directed unicast answer back to the phones specific IP..

@rmccall2k16 DHCP Relay has an open feature request for tnsr but the functionality does not currently exist.

service dataplane restart restarts the VPP daemon and will definitely affect service.

While that daemon is restarting, no traffic can pass.

Thankfully it usually restarts very quickly so the disruption would be minimal, but still best to do in a brief maintenance window.

@mleighton Thank you, yes I know there is lots of factors, I just wanted to know that IPSEC for a fact is awesome on the TNSR platform.

I am looking forward to get started working with it :) and will update here when we something working with Prisma

Thanks
Felix

when i rebooted tnsr interface looking down on show interface command

@johnpoz Actually quite a few of the proprietary VM's I run in my Lab depend on hairpin NAT to function correctly.
Cisco Expressways - Poly DMA Edge - Audiocodes & Ribbon Session border controllers.
Lack of hairpinning can be worked around but takes more effort :)
Split DNS I agree is easier for domain name look up but some of the advance SIP signaling I use routes back in through the wan IP address.

TNSR is a high-performance software router. If you have a need for 10, 40, 100+ Gbps then TNSR may be the solution for you.

This overview video may help as well. You can see a list of features of TNSR here.

Against other options out there, we feel the price for performance can't be beaten.

@jimp said in Introducing the Netgate 6100 Max with TNSR:

The page is listing the different platforms on which TNSR is available, that sentence doesn't have any bearing on installation media.

There aren't different TNSR software installer images for different bare metal hardware variations like there are for pfSense. Currently the TNSR installation process for hardware only requires a single ISO and that ISO supports everything.

Thanks for clearing this up. :)

@nbhatti As has been said, we don't know. For what you are describing to happen there would need to be practically zero traffic passing, to both BGP peers, at the same time, for long enough to trigger the hold timer expiration. It doesn't sound like that is the case from what you have stated. Some occasional packet loss will not cause two TCP sessions to stop passing traffic at the same time and not recover.

I would packet capture the BGP sessions to the peers (TCP port 179) and try to capture the event. Then load it up into wireshark and see what happened to the session(s).

This would best be done at from place in the topography like a switch mirror port mirroring the traffic of the port connected to the tnsr node.

It is even more odd now. I have it working the only thing I needed to change was the number of CPU assigned. The VM is using 4 threads so I did "dataplane cpu main-core 3" and this prevents the crashing when I reboot after the NAT rule.

I still have this message after a reboot in the log though:
Jun 18 07:11:40 tnsrrouter vpp[1044]: /usr/bin/vpp[1044]: perfmon: skipping source 'intel-uncore' - intel_uncore_init: no uncore units found
Jun 18 07:11:40 tnsrrouter vpp[1044]: /usr/bin/vpp[1044]: perfmon: skipping source 'intel-core' - intel_core_init: not a IA-32 CPU
Jun 18 07:11:40 tnsrrouter /usr/bin/vpp[1044]: perfmon: skipping source 'intel-uncore' - intel_uncore_init: no uncore units found
Jun 18 07:11:40 tnsrrouter /usr/bin/vpp[1044]: perfmon: skipping source 'intel-core' - intel_core_init: not a IA-32 CPU

@sheebz
tnsr is needed for speeds >= 10GBe

@oudenos check private message

@jimp Ah! Cool. Thank you -- I appreciate your patience.

Sorry for the false alarm.

Hello,,

any news? :)

Cheers.

Fabio.

@fargox Sorry for the delay.

In my testing of this I had no trouble using two physical interfaces as bridge members but as soon as I started trying VLAN subifs and Bonds I saw inconsistent behavior. I never saw exactly what you are describing but siminlar things like the ability to ARP in one direction but not the other, etc.

I have opened an internal bug report on the matter.

Thank you for posting.