@fargox Sorry for the delay.

In my testing of this I had no trouble using two physical interfaces as bridge members but as soon as I started trying VLAN subifs and Bonds I saw inconsistent behavior. I never saw exactly what you are describing but siminlar things like the ability to ARP in one direction but not the other, etc.

I have opened an internal bug report on the matter.

Thank you for posting.

@jimp said in DNS queryes source interface:

The name resolution at the OS level uses systemd-resolve which as far as I can see in its docs (not the TNSR docs, but the docs for the OS) does not support specifying a source address.

Using unbound to control this behavior isn't a workaround, it's the most flexible and potentially only way to configure the behavior you want.

Ok, now is perfectly clear, thank you again for your help! :)

@jimp Thanks!

@derelict When you said what are you running it on, I thought you were asking for the hardware :)

Anyway, I have turned down the config to just 1 worker. 4 were working fine since last reboot, but since a single core should also service the purpose, I'll put that to 1 worker to see if that works fine.

Thanks for the help.

@derelict Thanks, I was not aware this would imply a certain direction from the router. I appreciate the help.

I solved the issue which wasn't present on my previous design (pfsense only). It was indeed the mikrotik switch and how it handled vlans in this context a bit differently. I was able to routing going after fiddling with bridge vlans on that device.

Sadly, my throughput did not increase as I expected from placing TNSR in as a router for the network, tried some tuning with the dpdk and it just did not get where I was hoping it to go.

I'll revisit tnsr when I get my GNS3/CML lab up and running.

Turns out the service will not work without adding any filters in there. Once I add /interface as a filter, Prometheus service stands up fine showing metrics/data expected.

Thanks

TNSR is unlike traditional firewalls and routers (including pfSense). The way TNSR works it is in a tight CPU loop looking for items to process. It's completely normal and expected for it to be using 100% of its configured CPU cores. Monitoring by CPU usage isn't going to be helpful as it has zero bearing on how busy the system is.

You can get better stats from Prometheus and look at some of the rate values there, such as vector rate per worker, input rate, and vector rate.

Pretty sure this is all well covered by previous threads as well, so search around on those terms and you should find more info.

@marsalans

https://forum.netgate.com/topic/152607/tnsr-cpu-utilization-on-sg-5100

Hi @Derelict and @johnpoz and thank you,

I created a VM in proxmox and use it to install tnsr. Installed proxmox in the VM didn't read all the tnsr requirements. After all the installation I did not did much just went around support and leave it to work on the weekend and that was when i found that when I started my server couldn't access the proxmox WebGUI.
I can access to proxmox ip via ssh but I think that tnsr "took control", the reason is when i login to the server it comes root as user but not the machine name so i get foot@tnsr not root@alexserver.
So when do qm status i get:

root@TNSR:~# qm status
ipcc_send_rec[1] failed: Connection refused
ipcc_send_rec[2] failed: Connection refused
ipcc_send_rec[3] failed: Connection refused
Unable to load access control list: Connection refused
root@TNSR:~#

or pvecm updatecerts

root@TNSR:~# pvecm updatecerts
ipcc_send_rec[1] failed: Connection refused
ipcc_send_rec[2] failed: Connection refused
ipcc_send_rec[3] failed: Connection refused
Unable to load access control list: Connection refused
root@TNSR:~#

This is a server I have to learn and test ideas and so on, so as a tnsr user i am completely new and with some experience in proxmox.
I don't know what i did and I have a post in proxmox to see how i can have the WebGUI back if it helps in some way.
Is there something I can do to fix it?

Cheers,
Alex

note: i run packet sniffer, capture packets of BGP session

i see then keepalive messages and at one point tnsr with IP 10.62.40.245 sends TCP FIN and closes connection without any obvious reason

@sheebz said in TNSR on Proxmox:

@jimp ahh it needs 3 virtual nics? my server has a dual 10g nic, but i do have a node with 2 more 1gig nics. will that work? or does it have to be 3+ nics on the main machine?

It's possible to run with two (e.g. internal and external) in the dataplane only but TNSR works best when you have a management interface. The host management itself doesn't use the dataplane network, it's separate. That doesn't need to be real, it could be internal to Proxmox on a bridge to somewhere else you have a management client. There are ways to nudge things to use the dataplane from within the host for tasks like OS updates, so it's not a complete non-starter, it's just not an ideal setup.

@derelict yes i see ipfix dont giving all data sending only nat data

we cant use fastnetmon right now

if possible please add sflow exported on next version

@derelict

Well there is this page suggesting it could be supported.
https://doc.dpdk.org/guides/nics/axgbe.html
Dunno if the Epyc Embedded 3000 are the same as Ryzen Embedded regarding the NIC. Cannot find much about that.

As I own a system with a v1500b inside maybe I will just try and install TNSR and see what happens.