Subcategories

  • Discussions about TNSR

    16 Topics
    54 Posts
    M

    We're happy to announce the release of TNSR software version 25.02. This regularly scheduled release includes additional hardware support, updates, and bug fixes.

    Here's what's new:

    Unicast Reverse Path Forwarding: Introducing Unicast Reverse Path Forwarding (uRPF) to prevent IP spoofing attacks. Both "loose" and "strict" modes available.
    Enhanced BGP Protection: New BGP Roles implementation (RFC 9234) to prevent route leaks and hijacks.
    Powerful Threat Detection: Multi-threaded Snort 3 integration for advanced IDS/IPS.
    NETCONF: The NETCONF service has been made available starting with this release.
    Regular Updates and Maintenance: Updated VPP and DPDK versions and made over 30 bug fixes and stability enhancements.

    Learn More:

    Release Notes
    Blog
    Video

  • Discussions about TNSR

    60 Topics
    133 Posts
    JonathanLeeJ

    @johnpoz I know, I thought maybe he could be my study buddy for a while, but he never responded so I gave up.

  • Discussions about installing or upgrading TNSR software

    50 Topics
    188 Posts
    patient0P

    @pfsin excellent, happy it worked.

  • state sync?

    3
    0 Votes
    3 Posts
    569 Views
    E

    The use case I'm looking at is using TNSR for an HA perimeter firewall deployment (including destination NAT port forwarding and outbound NAT masquerading), so keeping the NAT state table in sync between router instances is definitely a concern. Can you use regular Linux conntrack to keep the tables in sync? On regular CentOS/Ubuntu/etc. you can use this: https://conntrack-tools.netfilter.org/manual.html

  • 0 Votes
    4 Posts
    2k Views
    N

    @mski your type of vnic driver is just not compatible with it.

    Check this out for more info:
    https://docs.netgate.com/tnsr/en/latest/vrrp/compatibility.html

    AFAIK VMware is also capable of the Intel e1000 vnic which uses the igb driver.

    Joey

  • Cannot add IPv6 /128 loopback

    3
    0 Votes
    3 Posts
    401 Views
    N

    Had the same issue some months ago. In some cases it can be useful to have IP space overlapping on multiple interfaces. For example, if you have a routed /24 which is bound to a loopback interface to prevent L3 loops while only having a smaller subnet assigned to a different interface.

    eg:

    185.121.69.0/24 dev lo
    185.121.69.0/26 dev eth0.502
    ...

    However, the developers of TNSR are aware of this. I had an evaluation meeting some time ago where I explained this issue to them.

  • Is TNSR meant to eventually replace pfsense?

    2
    0 Votes
    2 Posts
    453 Views
    jimpJ

    They are geared for two very (very) different markets and there isn't likely to be huge overlap between their intended customer bases.

    I'm vastly oversimplifying it but the tl;dr version is that TNSR is focused on high performance routing and VPN transit, for example, where the architecture of pfSense can't keep up. While pfSense has more flexibility with packages and firewall-type features which don't necessarily require >10GBit/s performance.

  • Hello! I'm about to test TNSR

    4
    1 Votes
    4 Posts
    509 Views
    audianA

    @kiokoman Thanks for your curiosity :)

  • IPSEC Diagnostics and logging

    4
    0 Votes
    4 Posts
    552 Views
    DerelictD

    You can set asymmetric PSKs in tnsr too.

  • TNSR on Google Fiber?

    3
    0 Votes
    3 Posts
    838 Views
    G

    Thanks for the response and the information Jim!

  • Timeline on TNSR for XG-7100? (And will SG-3100 ever get TNSR?)

    8
    0 Votes
    8 Posts
    2k Views
    audianA

    @nevinsm - What kind of throughput are you getting?

  • TNSR adventures on my home network

    4
    3 Votes
    4 Posts
    3k Views
    audianA

    @tman904 said in TNSR adventures on my home network:

    Thank you for posting this. This is hands down the best post around TNSR usage I've seen.

    I've also really wanted to try TNSR for myself without any of the hand holding/hoops to jump through etc. Hopefully this starts a discussion to make TNSR easier for the community to access and use as a whole.

    I think it would be a good idea to separate TNSR into a free home version VS enterprise support offerings at the very least.

    Netgate you could always use the model that vyOS uses:
    https://www.vyos.io/rolling-release/

    That is to give the bleeding edge rolling release version out to the whole community for no charge. Then keep the licensing/support services etc for the stable version of what would be your TNSR codebase.

    If you could implement that change to TNSR. It would really help everyone in the community embrace it.

    Thanks @tman904. Good ideas for sure.

  • Deterministic NAT mode breaks VPP

    4
    0 Votes
    4 Posts
    796 Views
    J

    Deterministic NAT is a "CG-NAT". The design goal is to scale out against a very large number of endpoints with reduced (need for) logging. See, for example, RFC 7422.

    As noted (though the docs could be more clear), there isn't much chance of making inbound services work on the outside interface for the interface address in deterministic NAT mode.

    It could possibly work for services on the inside interfaces if the in2out node becomes an output feature on the outside interface, but that work isn't currently contemplated. If it's important to your use case, please get in touch so we can help determine how to best proceed.

  • Question regarding ACL memory footprint and stateful connections

    3
    1 Votes
    3 Posts
    505 Views
    G

    Thanks for the response! I ran the prescribed commands and got very similar numbers. In layman's terms, it looks like the answer to my questions is "an insane number" for both. ☺

    I'm not employing my TNSR instance in a large enterprise or corporate network. Would be very curious to see memory and session numbers for someone who is and who has a robust number of ACLs. Thanks again for the response!

  • Error when attempting to issue show packet-counters command

    14
    0 Votes
    14 Posts
    942 Views
    G

    @audian no problem at all! I'm enjoying the TNSR experience and look forward to seeing the fixes and improvements you all are working on.

  • No mDNS on TNSR?

    2
    0 Votes
    2 Posts
    642 Views
    jimpJ

    Nothing like that available yet and I'm not seeing anything in open feature requests either. If you are already in contact with someone from Sales/CSE, make sure they know it's a feature you'd like to see.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.