Nevermind, figured out after finally finding a few other posts that the bnx2 driver is not supported. I added an additional NIC to the ESXi server that I had, and I was able to turn up a passthrough NIC. If this is your problem, add another NIC.

@elsawhite11 Setting the source address or the source interface to something in that VRF should work for you. Does it not?

Be sure you're running version 21.03-2

@michel-jacob-calculquebec-ca

Thanks for sharing your progress Michel!

@dnet8 Roadwarrior IPsec is not currently supported. The IP addresses on both sides must be specified.

@daniel-jung

We recommend you start much, much smaller on the workers. Say 1.

What kind of performance are you seeing?

How are you testing?

In IOS, the choice of NAT global address pool (or the choice of none at all to disable NAT) can be based on evaluation of an access list or a route map:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

TNSR does not have named NAT pools, just one nameless global pool per VRF (and, I guess, a "twice-nat" pool per VRF). Unfortunately the capability to choose "no pool at all" was lost along with the capability to choose among pools!

That said I hope you will not emulate Cisco's NAT configuration because it's an incomprehensible disaster, especially when VRF are involved.

Some of these configurations could possibly be achieved more simply than Cisco by a feature to recirculate the packet:

interface looppair natswitch instance 10 interface loopnexthop10 enable interface looprecirculated10 enable nat inside interface outside0 ip address 123.0.1.1/24 enable nat outside nat pool interface outside0 route ipv4 table ipv4-VRF:0 route 123.0.10.0/24 next-hop 0 via 123.0.1.2 # no NAT route 0.0.0.0/0 next-hop 0 via 9.9.9.9 loopnexthop10 resolve-via-attached # yes NAT

Combined with a hypothetical policy-routing feature that could consider source IP in routing decisions this could handle having a mix of rfc1918 and globally-routable hosts behind a single "inside" interface. For example, route source IP 10.0.0.0/8 via loopnexthop10, and route source IP 123.0.20.0/24 via outside0 directly.

It creates a problem that 123.0.1.2 is directly attached to outside0 so, if NAT is wanted for that destination address, it's difficult to ignore outside0's automatically-added direct route. The hypothetical policy-routing(*) feature could fix that, too, by considering ingress interface in routing decisions. Ingress interface looprecirculated10 will use the VRF's ordinary table, while inside0 ingress interface will policy override and send 123.0.1.0/24 via loopnexthop10 at higher priority than the directly-attached route.

Recirculation solves most VRF problems with three simple rules:

outside and inside interfaces don't need to be in the same VRF. to create or freshen a dynamic translation, the packet must enter a 'nat inside' interface and leave a 'nat outside' interface to match an existing static or dynamic translation, the packet must enter a 'nat outside' interface. It doesn't matter where it exits because that's not known at the time of translation. However the translation may move the packet to a different VRF before routing table lookup if the VRFs differed when the dynamic translation was created.

The only things missing are:

policy routing nat static mapping ... route-table outside-vrf local-route-table inside-vrf
(yes, one could add a "via .. next-hop-table" route to <local address> pointing to the other VRF, but this is not general enough. There's no reason <local address> shouldn't still be reachable directly in outside-vrf. The nat static rule should not have to cast a shadow over it. Also there may be 10 inside-vrfs all having local 192.168.1.1 port 22 listening, and we want to use <external ip> port 2220, 2221, ... 2229 to reach each of them.) ability to bind 'nat pool' to 'nat outside' interface.

--
(*) Unfortunately if 'via classify <table>' was the syntax planned for policy routing, that syntax may not work intuitively because the directly-attached outside0 subnet route needs to be overriden, not passed through a layer of indirection.

@derelict Our company is moving from a 16bit mask to smaller segments. This is to be done as smoothly as possible But the problem is the old address’s must stay the same but with new subnets ie 10.23.3.1/16 could now be 10.23.3.1/24. This obviously means there will be temporary overlapping subnets
The idea is to use VRFs to help get this done. I’m trying to get VRF leaking to work but somehow the interfaces aren’t communicating.Therefore I thought it would be good for troubleshooting purposes to be able to ping from one VRF to the other using the cli. I know the cli is using the default VRF so it’s probably not possible to ping from another VRF but maybe there’s some kind of cool command.

@hashbang It is possible that a combination of endpoint-dependent NAT plus IPfix logging would solve the issue of matching inside addresses with outside NAT translations for compliance purposes, etc.

@derelict yes, it worked.
I changed gw to 192.168.96.5
Many thanks

@alan-jones That means nothing unless you are passing them through directly. Tnsr only sees virtio or vmxnet3. The underlying hardware is obfuscated.

@dbeyzade Can't promise, but I will certainly pass this along to our product manager.

@dbeyzade I assume you're capturing in the host shell on the capture interface presented there.

Your screenshot does not show any ping attempts.

Is it possible to capture your entire test and post the pcap file instead of a screen shot?

The same on the connected switch port would be nice as well.

Thank you.

@kiokoman This did the trick, thank you very much :)

@jamescr We have opened a ticket for you and assigned one of our engineers to see if we can work through these concerns. Thanks!

@derelict if I'm going to try, the problem I see is exactly the one you describe, even in mikrotik the neighbor is recognized and the changes that ospf announces.
ospf.PNG

@helmlein It is not intended to be this way and there is an open bug on the RA. DHCP6 features are simply not implemented yet.

@derelict Thanks.

@vesalius no they do not. RHEL can always be rebuilt from the source code that rhel MUST provide per the GPL. When centos was borged by RHEL the writing was on the wall for Centos. The other rebuilds will continue because the rhel sources will always be available. https://etc-md.com/2020/12/09/the-end-of-centos-and-my-moving-to-bsd/

@robing They need to be a type of NIC that dpdk supports. It should basically work with vmxnet3. Not sure what the capabilities of vmware player are.

@schnitzel_itdept Can do you do a packet capture on server B to double check all advertisements are received correctly?

@capitanblack

Thanks for your interest.

TNSR provides a RESTCONF API. I'm not aware of anyone that has attempted to integrate or test the API against Openstack/Ansible, but if those tools can make RESTCONFI requests it should be possible for them to configure TNSR.

The TNSR API docs can be found here: https://docs.netgate.com/tnsr/en/latest/api/

Feel free to send more questions or update us on your progress!

Time to put a CAPTCHA on logins? I dislike those things but sometimes you do what you gotta do...

The pricing from here is $500 per year for the Business Pro plan. There is no minimum/maximum speed, it's flat rate. It's not a replacement product for pfSense so your network doesn't need to be 'big enough' to benefit from it, you may use it even for the smallest networks if you wanted.

@prx said in TNSR on AMD EPYC ROME:

16.26.1040

i think it was specific for that firmware revision but for the network card you mentioned :

tested platform
https://doc.dpdk.org/guides-20.02/rel_notes/release_20_02.html#tested-platforms
Mellanox® ConnectX®-5 Ex EN 100G MCX516A-CDAT (2x100G)
Host interface: PCI Express 4.0 x16
Device ID: 15b3:1019
Firmware version: 16.27.1000 and above

also,
That is the kind of speed I have when one of my side it's not set with Mtu 9000, double-check that on all your machine.
I found this tuning useful for Ubuntu https://fasterdata.es.net/host-tuning/linux/

Netgate provided an example on how to integrate Snort to create an IDS back in 2018, which needs an update as TNSR has continued to evolve. From a 2018 blog:

TNSR-IDS is written in the Go programming language, allowing it to be easily compiled for a large number of OS and architectures. Details, source code, and setup instructions (including TNSR, SNORT and ERSPAN) can be found at the TNSR-IDS Project GitHub Repository(https://github.com/Netgate/TNSR_IDS). A README file is included in the repository that provides a lot of detail about the process, as well as a TNSR-Snort setup file that gives detailed installation instructions.

I'd use that as a starting point, but there may well be some architectual or setting changes that need to be tweaked to get the spice flowing.

There was an issue with heap-size that will be corrected in version 20.10.1.

The upcoming 20.10 release has IPFIX NAT logging which will fill that need for most situations.

Using "BIOS" boot mode instead of "UEFI" seemed to solve the issue.
Thanks for the hints.
Stefano

Currently the only supported IPsec method is routed IPsec as described in the docs. Policy-based tunnels are something we are looking to add, but there is no ETA.