UPDATE, not sure why, but changing the "Adapter Type" under the VM's setting from VMXNET3 to E1000e resolved the issue.
Important to note, prior to this, I injected additional network drivers from fling in the same fashion as I did from a previous lab system where i was able to use USB network adapters with Esxi7 for a successful tnsr guest install.

Also, after injecting the network drivers from FLING, the network adapters now display as follows:
flingnet1.PNG

@derelict

OK but at what traffic level do you start seeing the misses?

I made some runs. The problem beginns above 30Gbits

stf-cap2-imix_1518-m300-d10-c16.png

stf-cap2-imix_1518-m350-d10-c16.png

stf-cap2-imix_1518-m400-d10-c16.png

And you are right. the performance without span interfaces is better. I don't know what I did wrong.

Thank you for the reply.

@swinn

Sorry about that, I do network address translation with aliases in pfSense plus for lan traffic right now

Screenshot 2023-03-29 at 8.26.06 PM.png

Again Static nat for WAN connection can also be done with port ranges 8080:8081 or 8080-8081

Screenshot 2023-03-29 at 8.27.29 PM.png

https://docs.netgate.com/pfsense/en/latest/nat/outbound.html

Does that help?

@fatred
if crowdsourcing is a thing, i have the following BTW:

526275cf9021846401076f454df9a4631a6d2676868479079e8ed78128fd3b04 TNSR-DVD-22.10-2-x86_64-jammy.iso e3b703e3b97657197d93e32bfea2913f8c135f06940c0ae64abc76e50e263c73 TNSR-DVD-23.02-3-x86_64.iso

Agreed - great start. I have been working with TNSR for 3-4 years and have found that the CLI combined with the documentation is very useful. The added benefit of a GUI will certainly increase the adoption of the platform.

@sentein Not sure what you are asking. TNSR will almost certainly be able to communicate with it at layer 2/3 it as a switch/router in the regular sense, but loading TNSR directly on it is probably not going to be possible.

After speaking to someone at Netgate, this looks like it is a potential bug with 22.10-2.

Thanks,
Mike

My specific issue came down to the fact that the BondInterface needs to be enabled before it can be used as a track-interface.

e.g.

interface bond 1 mode lacp load-balance l34 exit

NOTE: interface BondEthernet1 is not enable.

When trying to add the track-interface

rtrexllab01 tnsr(config)# interface GigabitEthernet1/0/0 rtrexllab01 tnsr(config-interface)# ip vrrp-virtual-router 1 rtrexllab01 tnsr(config-vrrp4)# tr BondEthernet0 BondEthernet0.610 GigabitEthernet1/0/0 GigabitEthernet1/0/1 TenGigabitEthernet2/0/0 TenGigabitEthernet2/0/1 rtrexllab01 tnsr(config-vrrp4)# track-interface

As seen above, the BondInterface1 is not available.

rtrexllab01 tnsr(config)# interface BondEthernet1 rtrexllab01 tnsr(config-interface)# enable rtrexllab01 tnsr(config-interface)# exit rtrexllab01 tnsr(config)# interface GigabitEthernet1/0/0 rtrexllab01 tnsr(config-interface)# ip vrrp-virtual-router 1 rtrexllab01 tnsr(config-vrrp4)# tr BondEthernet0 BondEthernet0.610 BondEthernet1 GigabitEthernet1/0/0 GigabitEthernet1/0/1 TenGigabitEthernet2/0/0 TenGigabitEthernet2/0/1 rtrexllab01 tnsr(config-vrrp4)# track-interface

BondEthernet1 is not available to use as a track-interface.

Thanks,
Mike

@machoherbivore9 Use failover on the Vswitch instead so the TNSR works like normal but Vsphere takes over the failover unnoticed.

@talwell Perhaps the subnet is not routed properly by the ISP?

@russellc

You are indeed correct. Looking though syslog I see:

Feb 10 13:33:57 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1': not supported by any plugin Feb 10 13:33:57 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0': not supported by any plugin Feb 10 13:35:05 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0': not supported by any plugin Feb 10 13:35:05 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1': not supported by any plugin Feb 10 13:49:49 tnsrlab01 vpp[1534]: vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0 Feb 10 13:49:49 tnsrlab01 vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0 Feb 10 13:49:49 tnsrlab01 vpp[1534]: vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1 Feb 10 13:49:49 tnsrlab01 vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1 Feb 10 14:00:04 tnsrlab01 vpp[1573]: vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0 Feb 10 14:00:04 tnsrlab01 vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0 Feb 10 14:00:04 tnsrlab01 vpp[1573]: vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1 Feb 10 14:00:04 tnsrlab01 vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1 Feb 10 14:01:16 tnsrlab01 vpp[1593]: vpp[1593]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1 Feb 10 14:01:16 tnsrlab01 vpp[1593]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1

Thank you for the information.

Mike

@heinola Can you provide more details? SDWAN is a very broad topic.
What are you trying to accomplish with TNSR and PA?

Hi Jake,

A list of components that are tested for compatibility with TNSR specifically can be found here. You'll find compatible processors and NICs in that document.

While AMD Epyc may install and run, we do not test these processors, so it is recommended to stick to Intel so that we can guarantee compatibility with TNSR, not just DPDK and VPP.

The hardware requirements to achieve your throughput requirements will likely depend on the finer details of your use-case. Since you mention a CPIC card, I am assuming there is some IPSec requirement here in addition to the BGP peering you mention in the post. Please feel free to reach out to me at sales@netgate.com and we can set up a call to discuss your requirements in more detail. We'd be happy to assist with an evaluation and help you achieve your goals with TNSR.

Thanks,

Max

i got it , https://docs.netgate.com/tnsr/en/latest/acl/host.html

TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface .

Which metrics are you querying to get the live interface traffic data? I just started setting this up myself and I cannot seem to find the right one, only byte totals used that keeps climbing and never drops. I may be dumb and doing it wrong, though. lol

@gabe-a said in How to get SSH working on my network:

I'll try to trace the route the traffic

There is not a "trace" of traffic - you would need to sniff and see how when you ssh hostname that name is being resolved to an IP, is it a netbios broadcast, was a dns query to your routers IP using a fqdn query or just hostname, or did it add a suffix like .local, etc. , was it mdns via multicast?

If I didn't on purpose completely disable mdns on any client that tries and do it - I would show you an example.. But I on purpose disable mdns on my windows machines - because it a horrible chatty protocol that I have zero use for - I resolve anything on my network via a simple dns query.. to my unbound running on pfsense or my pihole.

What I can show you for example when I ssh to say my nas.. what happens..

I flush the machines local dns cache so I know it has to find the IP for nas.local.lan, as you can see it does a dns query to my dns it points to, in my cache my pihole on 192.168.3.10 and gets an answer

dns.jpg

showing where my client points for dns, and that I have mdns disabled - its horrible horrible chatty noise producing protocol..
mdns.jpg

That it is enabled by default is horrible yet another horrible choice by MS if you ask me ;)

avahi is a tool that will pass mdns across network boundaries - it has zero use for you, because as you have stated all your devices on the same network. But I have gone over how to troubleshoot that and set it up a few times.. Even though I dislike using it, and don't on my network, I know how it works and I know how to set it up, etc. I just not a fan of breaking network boundaries like that.. If you want to discover something via a L2 method - then you need to be on that L2 ;)

None which has anything to do with you, since you have clearly stated all your devices are on the same network connected to a dumb switch..

Here for example is some mdns on my wireless network my phone and printer are on..

mdns.jpg

You can see my phone 192.168.2.198 sending out queries, and the stuff it already knows about, and you see a response from my printer on 192.168.2.50 to the multicast address. What I don't see is any directed unicast responses directly from the printer to the phone for example. I would have to setup span port of where my AP is to see that, since my printer is wired..

Iphone loves to use airprint to find printers - wish I could just give it the fqdn or IP of the printer so I didn't have to allow for that nonsense noise on my network.. My PC for example has no issue just printing to the fqdn of the printer across vlans.. But vs breaking the boundary - I just put the printer on the same vlan as my wireless that devices that insist on using mdns, so I don't have to break boundaries passing mdns across network segments.

edit: here I did a sniff directly on my AP via tcpdump for this sort of traffic.. This way I did not have to really change anything on my networks or clients or create a span port to see the traffic..

12:29:06.767697 IP 192.168.2.198.5353 > 224.0.0.251.5353: 0 A (QU)? BRN30055C116AD9.local. (39) 12:29:06.787748 IP 192.168.2.50.5353 > 192.168.2.198.5353: 0*- [0q] 1/0/0 A 192.168.2.50 (49)

You can see where my phone 2.198 did a query to the multicast address, and the printer at 2.50 did a directed unicast answer back to the phones specific IP..