TNSR | Netgate Forum

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

TNSR Announcements

Discussions about TNSR

16 Topics

54 Posts

M

We're happy to announce the release of TNSR software version 25.02. This regularly scheduled release includes additional hardware support, updates, and bug fixes. Here's what's new: Unicast Reverse Path Forwarding: Introducing Unicast Reverse Path Forwarding (uRPF) to prevent IP spoofing attacks. Both "loose" and "strict" modes available. Enhanced BGP Protection: New BGP Roles implementation (RFC 9234) to prevent route leaks and hijacks. Powerful Threat Detection: Multi-threaded Snort 3 integration for advanced IDS/IPS. NETCONF: The NETCONF service has been made available starting with this release. Regular Updates and Maintenance: Updated VPP and DPDK versions and made over 30 bug fixes and stability enhancements. Learn More: Release Notes Blog Video
TNSR Feedback

Discussions about TNSR

60 Topics

133 Posts

J

@johnpoz I know I thought maybe he could be my study buddy for a while but never responded so I gave up .
Problems Installing or Upgrading TNSR Software

Discussions about installing or upgrading TNSR software

51 Topics

189 Posts

4

@agostonl119 I found this for pfsense 2.4.x - should still be valid as I do not think vlans have changed much in the past 2 years or so :-) https://thunderysteak.github.io/pfsense-single-nic-vlans I'd give it a whirl.

N

no bgp default ipv4-unicast

Watching Ignoring Scheduled Pinned Locked Moved
2

2 Votes

2 Posts

780 Views

A

@NetFreak said in no bgp default ipv4-unicast: 4399 Thanks Joey, the original request is still on our backlog, no roadmap ETA at the moment though.
S

Test TNSR

Watching Ignoring Scheduled Pinned Locked Moved
6

0 Votes

6 Posts

1k Views

A

@sadekyo1712 - Thanks, look forward to your updates
E

state sync?

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

609 Views

E

use case I'm looking at is using tnsr for a ha perimeter firewall deployment (including destination nat port forwarding and outbound nat masquerading). so keeping the nat state table in sync between router instances definitely a concern. Can you use regular Linux Contrack to keep the tables in sync? on regular centos/ubuntu/etc you can use this: https://conntrack-tools.netfilter.org/manual.html.
M

VRRP not setting mac address on vmxnet3 dpdk_add_del_mac_address: mac address add/del failed: -95

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

2k Views

N

@mski your type of vnic driver is just not compatible with it. Check this out for more info: https://docs.netgate.com/tnsr/en/latest/vrrp/compatibility.html Afaik VMware is also capable of the intel e1000 vnic which uses the igb driver. Joey
P

Cannot add IPv6 /128 loopback

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

432 Views

N

Had the same issue some month ago. In some cases it can be usefull to have IP space overlapping on multiple interfaces. For example if you have a routed /24 which is bound to a loopback interfaces to prevent l3 loops while only having a smaller subnet assigned to a different interface. eg: 185.121.69.0/24 dev lo 185.121.69.0/26 dev eth0.502 ... However, the developer of TNSR are aware of this, I had a evaluation meeting longer ago where I explained this issue to them.
Ç

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

4 Views

No one has replied
N

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

8 Views

No one has replied
N

Is TNSR meant to eventually replace pfsense?

Watching Ignoring Scheduled Pinned Locked Moved
2

0 Votes

2 Posts

481 Views

J

They are geared for two very (very) different markets and there isn't likely to be huge overlap between their intended customer bases. I'm vastly oversimplifying it but the tl;dr version is that TNSR is focused on high performance routing and VPN transit, for example, where the architecture of pfSense can't keep up. While pfSense has more flexibility with packages and firewall-type features which don't necessarily require >10GBit/s performance.
?

Hello! I'm about to test TNSR

Watching Ignoring Scheduled Pinned Locked Moved
4

1 Votes

4 Posts

544 Views

A

@kiokoman Thanks for your curiosity :)
E

IPSEC Diagnostics and logging

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

589 Views

D

You can set asymmetric PSKs in tnsr too.
S

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

4 Views

No one has replied
M

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

7 Views

No one has replied
T

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

4 Views

No one has replied
D

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

60 Views

No one has replied
K

This topic is deleted!

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

5 Views

No one has replied
G

TNSR on Google Fiber?

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

897 Views

G

Thanks for the response and the information Jim!
V

Timeline on TNSR for XG-7100? (And will SG-3100 ever get TNSR?)

Watching Ignoring Scheduled Pinned Locked Moved
8

0 Votes

8 Posts

2k Views

A

@nevinsm - What kind of throughput are you getting?
G

TNSR adventures on my home network

Watching Ignoring Scheduled Pinned Locked Moved
4

3 Votes

4 Posts

3k Views

A

@tman904 said in TNSR adventures on my home network: Thank you for posting this. This is hands down the best post around TNSR usage I've seen. I've also really wanted to try TNSR for myself without any of the hand holding/hoops to jump through etc. Hopefully this starts a discussion to make TNSR easier for the community to access and use as a whole. I think it would be a good idea to separate TNSR into a free home version VS enterprise support offerings at the very least. Netgate you could always use the model that vyOS uses: https://www.vyos.io/rolling-release/ That is to give the bleeding edge rolling release version out to the whole community for no charge. Then keep the licensing/support services etc for the stable version of what would be your TNSR codebase. If you could implement that change to TNSR. It would really help everyone in the community embrace it. Thanks @tman904. Good ideas for sure.
0

Deterministic NAT mode breaks VPP

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

861 Views

J

Deterministic NAT is a "CG-NAT". The design goal is to scale out against a very large number of endpoints with reduced (need for) logging. See, for example, RFC 7422. As noted, (thought the docs could be more clear), there isn't much chance of making inbound services work on the outside interface for the interface address in deterministic NAT mode. It could possibly work for services on the inside interfaces if the in2out node becomes an output feature on the outside interface, but that work isn't currently contemplated. If it's important to your use case, please get in-touch so we can help determine how to best proceed.
G

Question regarding ACL memory footprint and stateful connections

Watching Ignoring Scheduled Pinned Locked Moved
3

1 Votes

3 Posts

539 Views

G

Thanks for the response! I ran the prescribed commands and got very similar numbers. In layman's terms, it looks like the answer to my questions is "an insane number" for both. I'm not employing my TNSR instance in a large enterprise or corporate network. Would be very curious to see memory and session numbers for someone who is and who has a robust number of ACLs. Thanks again for the response!

14 / 17