Subcategories

  • Discussions about TNSR

    16 Topics
    54 Posts
    M

    We're happy to announce the release of TNSR software version 25.02. This regularly scheduled release includes additional hardware support, updates, and bug fixes.

    Here's what's new:

    Unicast Reverse Path Forwarding: Introducing Unicast Reverse Path Forwarding (uRPF) to prevent IP spoofing attacks. Both "loose" and "strict" modes available.
    Enhanced BGP Protection: New BGP Roles implementation (RFC 9234) to prevent route leaks and hijacks.
    Powerful Threat Detection: Multi-threaded Snort 3 integration for advanced IDS/IPS.
    NETCONF: The NETCONF service has been made available starting with this release.
    Regular Updates and Maintenance: Updated VPP and DPDK versions and made over 30 bug fixes and stability enhancements.

    Learn More:

    Release Notes
    Blog
    Video

  • Discussions about TNSR

    60 Topics
    133 Posts
    JonathanLeeJ

    @johnpoz I know, I thought maybe he could be my study buddy for a while but never responded so I gave up.

  • Discussions about installing or upgrading TNSR software

    50 Topics
    188 Posts
    patient0P

    @pfsin excellent, happy it worked.

  • DataPlane Error in TNSR 23.02-3

    2
    0 Votes
    2 Posts
    593 Views
    F

    UPDATE, not sure why, but changing the "Adapter Type" under the VM's setting from VMXNET3 to E1000e resolved the issue.
    Important to note, prior to this, I injected additional network drivers from fling in the same fashion as I did from a previous lab system where I was able to use USB network adapters with Esxi7 for a successful tnsr guest install.

    Also, after injecting the network drivers from FLING, the network adapters now display as follows:
    flingnet1.PNG

  • TNSR high rx miss

    5
    0 Votes
    5 Posts
    687 Views
    E

    @derelict

    OK but at what traffic level do you start seeing the misses?

    I made some runs. The problem begins above 30Gbits

    stf-cap2-imix_1518-m300-d10-c16.png

    stf-cap2-imix_1518-m350-d10-c16.png

    stf-cap2-imix_1518-m400-d10-c16.png

    And you are right. The performance without span interfaces is better. I don't know what I did wrong.

  • TNSR Homelab, introduce latency

    3
    0 Votes
    3 Posts
    772 Views
    S

    Thank you for the reply.

  • TNSR Software version 23.02 has been released!

    Locked
    1
    2 Votes
    1 Posts
    458 Views
    No one has replied
  • Static NAT Port Forward Range

    Moved
    4
    0 Votes
    4 Posts
    700 Views
    JonathanLeeJ

    @swinn

    Sorry about that, I do network address translation with aliases in pfSense plus for lan traffic right now

    Screenshot 2023-03-29 at 8.26.06 PM.png

    Again Static nat for WAN connection can also be done with port ranges 8080:8081 or 8080-8081

    Screenshot 2023-03-29 at 8.27.29 PM.png

    https://docs.netgate.com/pfsense/en/latest/nat/outbound.html

    Does that help?

  • TNSR ISO shasums

    2
    0 Votes
    2 Posts
    741 Views
    F

    @fatred
    If crowdsourcing is a thing, I have the following BTW:

    526275cf9021846401076f454df9a4631a6d2676868479079e8ed78128fd3b04 TNSR-DVD-22.10-2-x86_64-jammy.iso
    e3b703e3b97657197d93e32bfea2913f8c135f06940c0ae64abc76e50e263c73 TNSR-DVD-23.02-3-x86_64.iso
  • 23.02 WebGUI enable ?

    12
    0 Votes
    12 Posts
    2k Views
    T

    Agreed - great start. I have been working with TNSR for 3-4 years and have found that the CLI combined with the documentation is very useful. The added benefit of a GUI will certainly increase the adoption of the platform.

  • MAP-T not working

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • Is a TNSR Switch Installation Possible

    2
    0 Votes
    2 Posts
    595 Views
    DerelictD

    @sentein Not sure what you are asking. TNSR will almost certainly be able to communicate with it at layer 2/3 as a switch/router in the regular sense, but loading TNSR directly on it is probably not going to be possible.

  • BondEthernet interfaces don't get status from slave(s)

    3
    0 Votes
    3 Posts
    747 Views
    M

    After speaking to someone at Netgate, this looks like it is a potential bug with 22.10-2.

    Thanks,
    Mike

  • VRRP / track-interface - Can't use BondEthernet

    4
    0 Votes
    4 Posts
    804 Views
    M

    My specific issue came down to the fact that the BondInterface needs to be enabled before it can be used as a track-interface.

    e.g.

    interface bond 1
    mode lacp
    load-balance l34
    exit

    NOTE: interface BondEthernet1 is not enabled.

    When trying to add the track-interface

    rtrexllab01 tnsr(config)# interface GigabitEthernet1/0/0
    rtrexllab01 tnsr(config-interface)# ip vrrp-virtual-router 1
    rtrexllab01 tnsr(config-vrrp4)# tr BondEthernet0 BondEthernet0.610 GigabitEthernet1/0/0 GigabitEthernet1/0/1 TenGigabitEthernet2/0/0 TenGigabitEthernet2/0/1
    rtrexllab01 tnsr(config-vrrp4)# track-interface

    As seen above, the BondInterface1 is not available.

    rtrexllab01 tnsr(config)# interface BondEthernet1
    rtrexllab01 tnsr(config-interface)# enable
    rtrexllab01 tnsr(config-interface)# exit
    rtrexllab01 tnsr(config)# interface GigabitEthernet1/0/0
    rtrexllab01 tnsr(config-interface)# ip vrrp-virtual-router 1
    rtrexllab01 tnsr(config-vrrp4)# tr BondEthernet0 BondEthernet0.610 BondEthernet1 GigabitEthernet1/0/0 GigabitEthernet1/0/1 TenGigabitEthernet2/0/0 TenGigabitEthernet2/0/1
    rtrexllab01 tnsr(config-vrrp4)# track-interface

    BondEthernet1 is not available to use as a track-interface.

    Thanks,
    Mike

  • VRRP with E1000e ESXI 7.0?

    9
    0 Votes
    9 Posts
    1k Views
    Cool_CoronaC

    @machoherbivore9 Use failover on the Vswitch instead so the TNSR works like normal but Vsphere takes over the failover unnoticed.

  • TNSR VRF BGP

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • Routing - LAN w. Public IPs to WAN

    9
    0 Votes
    9 Posts
    1k Views
    DerelictD

    @talwell Perhaps the subnet is not routed properly by the ISP?

  • TNSR 22.10-2 / BNX2X

    3
    0 Votes
    3 Posts
    632 Views
    M

    @russellc

    You are indeed correct. Looking through syslog I see:

    Feb 10 13:33:57 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1': not supported by any plugin
    Feb 10 13:33:57 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0': not supported by any plugin
    Feb 10 13:35:05 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0': not supported by any plugin
    Feb 10 13:35:05 tnsrlab01 ModemManager[821]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1': not supported by any plugin
    Feb 10 13:49:49 tnsrlab01 vpp[1534]: vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0
    Feb 10 13:49:49 tnsrlab01 vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0
    Feb 10 13:49:49 tnsrlab01 vpp[1534]: vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1
    Feb 10 13:49:49 tnsrlab01 vpp[1534]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1
    Feb 10 14:00:04 tnsrlab01 vpp[1573]: vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0
    Feb 10 14:00:04 tnsrlab01 vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.0
    Feb 10 14:00:04 tnsrlab01 vpp[1573]: vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1
    Feb 10 14:00:04 tnsrlab01 vpp[1573]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1
    Feb 10 14:01:16 tnsrlab01 vpp[1593]: vpp[1593]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1
    Feb 10 14:01:16 tnsrlab01 vpp[1593]: dpdk: Unsupported PCI device 0x14e4:0x168e found at PCI address 0000:01:00.1

    Thank you for the information.

    Mike

  • TNSR to SD-WAN

    2
    0 Votes
    2 Posts
    478 Views
    M

    @heinola Can you provide more details? SDWAN is a very broad topic.
    What are you trying to accomplish with TNSR and PA?

  • TNSR & Baremetal Build Recommendations.

    3
    0 Votes
    3 Posts
    884 Views
    M

    Hi Jake,

    A list of components that are tested for compatibility with TNSR specifically can be found here. You'll find compatible processors and NICs in that document.

    While AMD Epyc may install and run, we do not test these processors, so it is recommended to stick to Intel so that we can guarantee compatibility with TNSR, not just DPDK and VPP.

    The hardware requirements to achieve your throughput requirements will likely depend on the finer details of your use-case. Since you mention a CPIC card, I am assuming there is some IPSec requirement here in addition to the BGP peering you mention in the post. Please feel free to reach out to me at sales@netgate.com and we can set up a call to discuss your requirements in more detail. We'd be happy to assist with an evaluation and help you achieve your goals with TNSR.

    Thanks,

    Max

  • What is the function of host acl?

    2
    0 Votes
    2 Posts
    434 Views
    L

    I got it: https://docs.netgate.com/tnsr/en/latest/acl/host.html

    TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface.

  • Prometheus/Grafana Question

    8
    0 Votes
    8 Posts
    2k Views
    R

    Which metrics are you querying to get the live interface traffic data? I just started setting this up myself and I cannot seem to find the right one, only byte totals used that keeps climbing and never drops. I may be dumb and doing it wrong, though. lol

  • How to get SSH working on my network

    20
    0 Votes
    20 Posts
    2k Views
    johnpozJ

    @gabe-a said in How to get SSH working on my network:

    I'll try to trace the route the traffic

    There is not a "trace" of traffic - you would need to sniff and see how when you ssh hostname that name is being resolved to an IP, is it a netbios broadcast, was a dns query to your routers IP using a fqdn query or just hostname, or did it add a suffix like .local, etc. , was it mdns via multicast?

    If I didn't on purpose completely disable mdns on any client that tries to do it - I would show you an example.. But I on purpose disable mdns on my windows machines - because it's a horrible chatty protocol that I have zero use for - I resolve anything on my network via a simple dns query.. to my unbound running on pfsense or my pihole.

    What I can show you for example when I ssh to say my nas.. what happens..

    I flush the machine's local dns cache so I know it has to find the IP for nas.local.lan, as you can see it does a dns query to my dns it points to, in my cache my pihole on 192.168.3.10 and gets an answer

    dns.jpg

    showing where my client points for dns, and that I have mdns disabled - it's a horrible, horrible chatty noise-producing protocol..
    mdns.jpg

    That it is enabled by default is horrible yet another horrible choice by MS if you ask me ;)

    avahi is a tool that will pass mdns across network boundaries - it has zero use for you, because as you have stated all your devices are on the same network. But I have gone over how to troubleshoot that and set it up a few times.. Even though I dislike using it, and don't on my network, I know how it works and I know how to set it up, etc. I'm just not a fan of breaking network boundaries like that.. If you want to discover something via a L2 method - then you need to be on that L2 ;)

    None of which has anything to do with you, since you have clearly stated all your devices are on the same network connected to a dumb switch..

    Here for example is some mdns on my wireless network my phone and printer are on..

    mdns.jpg

    You can see my phone 192.168.2.198 sending out queries, and the stuff it already knows about, and you see a response from my printer on 192.168.2.50 to the multicast address. What I don't see is any directed unicast responses directly from the printer to the phone for example. I would have to setup span port of where my AP is to see that, since my printer is wired..

    iPhone loves to use airprint to find printers - wish I could just give it the fqdn or IP of the printer so I didn't have to allow for that nonsense noise on my network.. My PC for example has no issue just printing to the fqdn of the printer across vlans.. But vs breaking the boundary - I just put the printer on the same vlan as my wireless devices that insist on using mdns, so I don't have to break boundaries passing mdns across network segments.

    edit: here I did a sniff directly on my AP via tcpdump for this sort of traffic.. This way I did not have to really change anything on my networks or clients or create a span port to see the traffic..

    12:29:06.767697 IP 192.168.2.198.5353 > 224.0.0.251.5353: 0 A (QU)? BRN30055C116AD9.local. (39)
    12:29:06.787748 IP 192.168.2.50.5353 > 192.168.2.198.5353: 0*- [0q] 1/0/0 A 192.168.2.50 (49)

    You can see where my phone 2.198 did a query to the multicast address, and the printer at 2.50 did a directed unicast answer back to the phone's specific IP..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.