One huge weakness of TNSR that I've encountered is that it does not support dhcp relay.

Even though I am a home user, I do not want a DHCP server running on any of my switches or routers. Following the same thought process, I do not want a full Unbound DNS server (any dns server, frankly) running on my router.

It's nice to have the option, but it creates unnecessary vulnerabilities and increases your overall attack surface.

In order to enable DHCP relay, you require a managed switch with a related SVI to relay DHCP requests. This is a huge weakness in my book. Even though TNSR is dumb fast, it does not have many of the basic (crucial) features that other routers have.

Sorry.
I found an issue from my side.
I have to go to configure->route dynamic bgp->server vrf default->address-family ipv4 unicast-> neighbor X.X.X.X
and here it is.
But I tried another path configure->route dynamic bgp->server vrf default->neighbor X.X.X.X

Cisco like config so unfriendly....

@derelict Thanks.
I was having problems with the MCLAG - TNSR connection.
The Aruba switch set both ports to "lacp blocked" after an hour or so.
I've now set both lacp modes to fast - before it was set to slow on the switch and TNSR was set to fast.
The connection is running stable now.

Thanks Jimp, that makes sense using sh for show.

Great I've got my old shell back again.

@kiokoman thanks for getting back to me. Below is my configuration. I did not do anything out of the ordinary and I am perplexed.

<acl-config xmlns="urn:netgate:xml:yang:netgate-acl">
<acl-table>
<acl-list>
<acl-name>internet-in</acl-name>
<acl-rules>
<acl-rule>
<sequence>10</sequence>
<acl-rule-description><![CDATA[allow DHCP responses]]></acl-rule-description>
<action>permit</action>
<ip-version>ipv4</ip-version>
<src-first-port>67</src-first-port>
<src-last-port>67</src-last-port>
<dst-first-port>68</dst-first-port>
<dst-last-port>68</dst-last-port>
<protocol>udp</protocol>
</acl-rule>
<acl-rule>
<sequence>20</sequence>
<acl-rule-description><![CDATA[Allow ICMP]]></acl-rule-description>
<action>permit</action>
<ip-version>ipv4</ip-version>
<protocol>icmp</protocol>
</acl-rule>
<acl-rule>
<sequence>30</sequence>
<acl-rule-description><![CDATA[Allow DNS Responses]]></acl-rule-description>
<action>permit</action>
<ip-version>ipv4</ip-version>
<src-first-port>53</src-first-port>
<src-last-port>53</src-last-port>
<protocol>udp</protocol>
</acl-rule>
</acl-rules>
</acl-list>
<acl-list>
<acl-name>internet-out</acl-name>
<acl-rules>
<acl-rule>
<sequence>10</sequence>
<acl-rule-description><![CDATA[Reflect All Outbound]]></acl-rule-description>
<action>reflect</action>
<ip-version>ipv4</ip-version>
</acl-rule>
</acl-rules>
</acl-list>
</acl-table>
</acl-config>
<dataplane-config xmlns="urn:netgate:xml:yang:netgate-dataplane">
<ethernet>
<default-mtu>1500</default-mtu>
</ethernet>
<dpdk>
<dev>
<id>0000:04:00.0</id>
<device-type>network</device-type>
<name>k8s-lan</name>
</dev>
<dev>
<id>0000:0b:00.0</id>
<device-type>network</device-type>
<name>data-center</name>
</dev>
<dev>
<id>0000:13:00.0</id>
<device-type>network</device-type>
<name>WAN-4G</name>
</dev>
<dev>
<id>0000:1b:00.0</id>
<device-type>network</device-type>
<name>LAN-4G</name>
</dev>
<uio-driver>igb_uio</uio-driver>
</dpdk>
<buffers>
<buffers-per-numa>32768</buffers-per-numa>
</buffers>
<statseg>
<heap-size>96M</heap-size>
<per-node-counters>
<enabled>false</enabled>
</per-node-counters>
</statseg>
</dataplane-config>
<interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
<interface>
<name>LAN-4G</name>
<description><![CDATA[LAN]]></description>
<enabled>true</enabled>
<ipv4>
<address>
<ip>172.16.0.1/12</ip>
</address>
</ipv4>
</interface>
<interface>
<name>WAN-4G</name>
<description><![CDATA[WAN-4G]]></description>
<enabled>true</enabled>
<mtu>1500</mtu>
<ipv4>
<address>
<ip>196.223.151.210/29</ip>
</address>
<mtu>1500</mtu>
</ipv4>
<access-list>
<input>
<acl-list>
<acl-name>internet-in</acl-name>
<sequence>10</sequence>
</acl-list>
</input>
<output>
<acl-list>
<acl-name>internet-out</acl-name>
<sequence>10</sequence>
</acl-list>
</output>
</access-list>
</interface>
<interface>
<name>data-center</name>
<description><![CDATA[data-center]]></description>
<enabled>true</enabled>
<ipv4>
<address>
<ip>10.1.1.15/16</ip>
</address>
</ipv4>
</interface>
<interface>
<name>k8s-lan</name>
<description><![CDATA[k8s-lan]]></description>
<enabled>true</enabled>
<ipv4>
<address>
<ip>10.105.0.5/16</ip>
</address>
</ipv4>
</interface>
</interfaces-config>
<kea-config xmlns="urn:netgate:xml:yang:netgate-kea">
<dhcp4-server>
<Dhcp4>
<lease-database>
<type>memfile</type>
<persist>true</persist>
<lfc-interval>0</lfc-interval>
</lease-database>
<interfaces-config>
<dhcp-socket-type>raw</dhcp-socket-type>
</interfaces-config>
</Dhcp4>
</dhcp4-server>
</kea-config>
<nat-config xmlns="urn:netgate:xml:yang:netgate-nat">
<global-options>
<nat44>
<enabled>false</enabled>
</nat44>
</global-options>
<ipfix>
<logging>
<domain>1</domain>
<src-port>4739</src-port>
</logging>
</ipfix>
<nat64>
<ngmap:map xmlns:ngmap="urn:netgate:xml:yang:netgate-map">
ngmap:parameters
ngmap:security-check
ngmap:enabletrue</ngmap:enable>
</ngmap:security-check>
</ngmap:parameters>
</ngmap:map>
</nat64>
</nat-config>
<neighbor-config xmlns="urn:netgate:xml:yang:netgate-neighbor">
<neighbor-table>
<interface>
<if-name>WAN-4G</if-name>
</interface>
</neighbor-table>
</neighbor-config>
<route-table-config xmlns="urn:netgate:xml:yang:netgate-route-table">
<static-routes>
<route-table>
<name>ipv4-VRF:0</name>
<id>0</id>
</route-table>
</static-routes>
</route-table-config>
<route-config xmlns="urn:netgate:xml:yang:netgate-route">
<dynamic>
<ngbgp:bgp xmlns:ngbgp="urn:netgate:xml:yang:netgate-bgp">
ngbgp:global-options
ngbgp:enablefalse</ngbgp:enable>
</ngbgp:global-options>
</ngbgp:bgp>
<ngfrr:manager xmlns:ngfrr="urn:netgate:xml:yang:netgate-frr">
ngfrr:global-options
ngfrr:ptmfalse</ngfrr:ptm>
</ngfrr:global-options>
</ngfrr:manager>
<ngospf:ospf xmlns:ngospf="urn:netgate:xml:yang:netgate-ospf">
ngospf:global-options
ngospf:enablefalse</ngospf:enable>
</ngospf:global-options>
</ngospf:ospf>
<ngospf6:ospf6 xmlns:ngospf6="urn:netgate:xml:yang:netgate-ospf6">
ngospf6:global-options
ngospf6:enablefalse</ngospf6:enable>
</ngospf6:global-options>
</ngospf6:ospf6>
<ngrip:rip xmlns:ngrip="urn:netgate:xml:yang:netgate-rip">
ngrip:global-options
ngrip:enablefalse</ngrip:enable>
</ngrip:global-options>
</ngrip:rip>
</dynamic>
</route-config>
<snmp-config xmlns="https://netgate.com/ns/netgate-snmp">
<snmp-enable>false</snmp-enable>
</snmp-config>
<unbound-config xmlns="urn:netgate:xml:yang:netgate-unbound">
<daemon>
<server>
<do-ip4>true</do-ip4>
<do-tcp>true</do-tcp>
<do-udp>true</do-udp>
<harden-glue>true</harden-glue>
<hide-identity>true</hide-identity>
<outgoing-range>4096</outgoing-range>
</server>
</daemon>
</unbound-config>
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<enable-nacm>true</enable-nacm>
<read-default>deny</read-default>
<write-default>deny</write-default>
<exec-default>deny</exec-default>
<enable-external-groups>true</enable-external-groups>
<groups>
<group>
<name>admin</name>
<user-name>root</user-name>
<user-name>tnsr</user-name>
</group>
</groups>
<rule-list>
<name>admin-rules</name>
<group>admin</group>
<rule>
<name>permit-all</name>
<module-name></module-name>
<access-operations></access-operations>
<action>permit</action>
</rule>
</rule-list>
</nacm>

@Derelict

Thanks for reply , I think I got answer for Policy Based VPN ( like PFSense) that it is not supported on TNSR

What I am looking for is have NAT before IPSec due to overlapping of Private Network , is that possible ? the NAT document gives info related to NAT at interface level but not for what I am looking for ( IPSec ).

Is there any reference documents for this ?

Thanks

@gelcom You can certainly create bridged interfaces in tnsr:

https://docs.netgate.com/tnsr/en/latest/interfaces/types-bridge.html

I do not believe I have seen any reports of trying to make IPTV work in that manner, however.

Please report how it goes for you if you try it.

Another thing we are noticing is that we can also have a single listen configuration in FRR
Once we add a second one the first one gets deleted. (We notice this in /etc/frr/bgpd.conf)

We have multiple neighbor peer groups.
We want to use a different listen range for each peer group.

Can we use a custom bgpd config file to overcome both these issues?

I'll add some evidence...

86119334-3271-4e6d-82de-08a306141fdd-image.png

We've had this in production for over a year. 2 10GbE uplinks using this hardware:

https://shop.netgate.com/products/1537-base-pfsense

with a ram upgrade to 32GB and this expansion card:

10 Gigabit Quad-Port SFP+ Intel® X710BM2

Version: tnsr-v20.10-1 (need to upgrade to 21.03.... next weekend)

Let me know if you have more questions.

Disregard, I figured it out. The problem was between the keyboard and the chair. It works as expected.

Nevermind, figured out after finally finding a few other posts that the bnx2 driver is not supported. I added an additional NIC to the ESXi server that I had, and I was able to turn up a passthrough NIC. If this is your problem, add another NIC.

@elsawhite11 Setting the source address or the source interface to something in that VRF should work for you. Does it not?

Be sure you're running version 21.03-2

@michel-jacob-calculquebec-ca

Thanks for sharing your progress Michel!

@dnet8 Roadwarrior IPsec is not currently supported. The IP addresses on both sides must be specified.

@daniel-jung

We recommend you start much, much smaller on the workers. Say 1.

What kind of performance are you seeing?

How are you testing?

In IOS, the choice of NAT global address pool (or the choice of none at all to disable NAT) can be based on evaluation of an access list or a route map:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

TNSR does not have named NAT pools, just one nameless global pool per VRF (and, I guess, a "twice-nat" pool per VRF). Unfortunately the capability to choose "no pool at all" was lost along with the capability to choose among pools!

That said I hope you will not emulate Cisco's NAT configuration because it's an incomprehensible disaster, especially when VRF are involved.

Some of these configurations could possibly be achieved more simply than Cisco by a feature to recirculate the packet:

interface looppair natswitch instance 10 interface loopnexthop10 enable interface looprecirculated10 enable nat inside interface outside0 ip address 123.0.1.1/24 enable nat outside nat pool interface outside0 route ipv4 table ipv4-VRF:0 route 123.0.10.0/24 next-hop 0 via 123.0.1.2 # no NAT route 0.0.0.0/0 next-hop 0 via 9.9.9.9 loopnexthop10 resolve-via-attached # yes NAT

Combined with a hypothetical policy-routing feature that could consider source IP in routing decisions this could handle having a mix of rfc1918 and globally-routable hosts behind a single "inside" interface. For example, route source IP 10.0.0.0/8 via loopnexthop10, and route source IP 123.0.20.0/24 via outside0 directly.

It creates a problem that 123.0.1.2 is directly attached to outside0 so, if NAT is wanted for that destination address, it's difficult to ignore outside0's automatically-added direct route. The hypothetical policy-routing(*) feature could fix that, too, by considering ingress interface in routing decisions. Ingress interface looprecirculated10 will use the VRF's ordinary table, while inside0 ingress interface will policy override and send 123.0.1.0/24 via loopnexthop10 at higher priority than the directly-attached route.

Recirculation solves most VRF problems with three simple rules:

outside and inside interfaces don't need to be in the same VRF. to create or freshen a dynamic translation, the packet must enter a 'nat inside' interface and leave a 'nat outside' interface to match an existing static or dynamic translation, the packet must enter a 'nat outside' interface. It doesn't matter where it exits because that's not known at the time of translation. However the translation may move the packet to a different VRF before routing table lookup if the VRFs differed when the dynamic translation was created.

The only things missing are:

policy routing nat static mapping ... route-table outside-vrf local-route-table inside-vrf
(yes, one could add a "via .. next-hop-table" route to <local address> pointing to the other VRF, but this is not general enough. There's no reason <local address> shouldn't still be reachable directly in outside-vrf. The nat static rule should not have to cast a shadow over it. Also there may be 10 inside-vrfs all having local 192.168.1.1 port 22 listening, and we want to use <external ip> port 2220, 2221, ... 2229 to reach each of them.) ability to bind 'nat pool' to 'nat outside' interface.

--
(*) Unfortunately if 'via classify <table>' was the syntax planned for policy routing, that syntax may not work intuitively because the directly-attached outside0 subnet route needs to be overriden, not passed through a layer of indirection.

@derelict Our company is moving from a 16bit mask to smaller segments. This is to be done as smoothly as possible But the problem is the old address’s must stay the same but with new subnets ie 10.23.3.1/16 could now be 10.23.3.1/24. This obviously means there will be temporary overlapping subnets
The idea is to use VRFs to help get this done. I’m trying to get VRF leaking to work but somehow the interfaces aren’t communicating.Therefore I thought it would be good for troubleshooting purposes to be able to ping from one VRF to the other using the cli. I know the cli is using the default VRF so it’s probably not possible to ping from another VRF but maybe there’s some kind of cool command.

@hashbang It is possible that a combination of endpoint-dependent NAT plus IPfix logging would solve the issue of matching inside addresses with outside NAT translations for compliance purposes, etc.