TNSR adventures on my home network
-
Hello all,
Preface
Wanted to share my experience setting up TNSR on my home network as well as my impressions and a few wish list items. First of all, I recognize that TNSR is primarily marketed as an enterprise-level product but, given that most internal home networks are capable of at least gigabit speeds, and increasingly 10 gigabit speeds, not to mention FTTH and similar services providing high WAN speeds, I believe TNSR has real promise for those of us who understand/love technology, want to eke all the performance we can out of our network, and are constantly looking for new things to learn and improve upon. TNSR certainly isn't going to be something that the average Joe "I just want to plug it in and have it do everything on its own" would use, but there are a large number of technically inclined home users who would do quite well AND could potentially help steer purchasing decisions at work or with friends.
Background
Prior to TNSR, I was solely running PfSense. I unfortunately live overseas where ADSL is the only option. I enjoy a 30 Mbps download speed and a 2.5 Mbps upload speed. Connection is made via PPPoE. I have my DSL modem in passthrough mode and PfSense negotiates the WAN connection. I also use ExpressVPN (OpenVPN) to route almost all my home network traffic (gets me past geo blocks, prying eyes, etc.), a peer to peer PKI OpenVPN and VTI IPsec connection to my residence in the USA (for access to cameras, NAS, internet), an OpenVPN server instance for accessing my home network whenever I am away and a DMZ for Xbox Live. I have my network segmented up into 5 VLANs so that Kids', IoT and Streaming devices etc. don't have access to resources they should not. As I'm constantly looking for opportunities to learn, I decided I wanted to let PfSense serve as my edge firewall and negotiate the VPN connections and host DMZ devices, while having the majority of my routing between VLANs done on an internal router. This decision was impacted by the fact that TNSR does not support:
- PPPoE on WAN
- OpenVPN server/client
These two realities aren't a ding against TNSR but rather a reality I willingly accepted as a challenge to get around.
Significant Requirements
- Must be able to maintain remote access to internal resources via OpenVPN server run on PfSense
- Would like to be able to continue to take advantage of PfBlockerNG+DNSBL etc
- Must be able to see/identify individual client IPs on TNSR networks (10.0.x.x) as they route through PfSense so that I could continue to employ policy-based routing through my various gateways.
Implementation
- Installation of TNSR on my SG-5100 was fairly easy (the documentation is your friend).
- Configured my LAN and VLAN interfaces, DHCP (ranges and static IPs), DNS and confirmed that I could route between segments. TNSR is on a 10.0.x.x IP scheme. PfSense is on a 192.168.2.x scheme.
- Did NOT/NOT enable NAT on TNSR. This is so the 10.0.x.x IPs are routed out of TNSR WAN as they are. No masquerading.
- Set PfSense LAN interface IP as TNSR DNS server
- Created a new gateway on PfSense using the LAN interface and specifying TNSR WAN IP as the gateway.
- Established static routes using the new gateway to each of my 10.0.x.x subnets
- Created outbound NAT rules for each of the 10.0.x.x subnets through the gateways I anticipated routing traffic (WAN, OVPN, IPSEC)
- Created policy-based routing rules on the LAN firewall rule tab on PfSense in order to route traffic to various gateways/resources.
Hope I'm not missing anything.
Results
- PfSense continues to provide all VPN connections, as well as PfBlockerNG+DNSBL.
- TNSR networks are successfully able to access internet resources through PfSense box
- PfSense displays the unique 10.0.x.x clients that are routing through. This enabled me to policy route individual clients/alias the way I want or need to.
- Since PfBlockerNG+DNSBL is already set to filter LAN interface, I get no ads on any of my TNSR subnets.
- I am able to access my network via OpenVPN connection to Pfsense and then access resources within TNSR networks.
- I did a tired, yet enthusiastic, dance of the nerd at 0200.
Considerations
- TNSR is still being developed. I've already had a number of forum conversations with @jimp about features I'd like (aliases, ACL rule counter, etc.). I'm super excited to see how the product matures more and more over time. @jimp really piqued my interest in learning how to utilize the API in order to simplify configuration, updates, etc.
- Why is it so hard to get a trial copy of TNSR to run? Making people apply to run it, and potentially be rejected (I assume it happens), seems like it would hinder the ability to really get the TNSR message out there. I'm unsure if there are IP rights protections at play or if Netgate just isn't ready to go large on TNSR yet. Giving people a chance to download, install, and explore would greatly help with adoption in my view.
- The license cost for TNSR instance/capabilities is steep for the home user base. I absolutely believe in helping support Netgate (PfSense and TNSR). I used to pay the 100 USD yearly subscription fee for PfSense Gold (would have kept paying if they hadn't ended the program), and I have purchased a number of Netgate devices. Something similar with TNSR (no formal support) would help support Netgate and product development, while also making it easier for interested parties to run it. This, in turn, could increase the number of recommendations to work or friends.
Conclusion
I recognize my home network setup is not the average and is more complicated than a lone PfSense box that managed to do everything on its own. However, I think my setup is more in line (albeit on a much smaller scale) with what you'd get in a corporate environment (good practice) and it was a great chance for me to learn and get away from one box setups. For example, the lack of NAT setup on TNSR was something that I had never done before and almost felt dirty. In retrospect, it makes total sense and I've gained insight and experience I didn't have before. I've really become a fan of TNSR in the little while I've had it and look forward to further configuring, tweaking, and learning. I think TNSR absolutely has a place in the home environment if Netgate decides to open it up to home users/IT fanatics. A Netgate- and user-balanced pricing scheme would also be critical. If you made it this far, I hope you enjoyed the read.
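The routing design described under Implementation and Results, as an added model in Python that is not part of the original post or of TNSR/pfSense: it traces one outbound flow from a TNSR VLAN client through pfSense, with and without NAT on TNSR, to show why leaving masquerading off on TNSR is what keeps individual 10.0.x.x clients visible for policy-based routing, outbound NAT and pfBlockerNG logging on pfSense. All addresses, VLAN assignments, gateway names and rules are constructed sample values, not the poster's real configuration.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing, not the poster's real values.
PFSENSE_LAN_IP = ip_address("192.168.2.1")   # pfSense LAN, also the DNS server handed to TNSR clients
TNSR_WAN_IP = ip_address("192.168.2.10")     # TNSR WAN, used as the pfSense "TNSR" gateway address
TNSR_SUBNETS = [
    ip_network("10.0.10.0/24"),  # assumed kids VLAN
    ip_network("10.0.20.0/24"),  # assumed IoT VLAN
    ip_network("10.0.30.0/24"),  # assumed trusted VLAN
]

# pfSense LAN-tab policy-routing rules, first match wins (constructed).
POLICY_RULES = [
    (ip_network("10.0.10.0/24"), "OVPN"),   # whole kids VLAN out via ExpressVPN
    (ip_address("10.0.30.5"), "IPSEC"),     # one host via the VTI IPsec tunnel to the US
]
DEFAULT_GATEWAY = "WAN"

# Outbound NAT on pfSense: one translation address per gateway (constructed).
NAT_ADDRESS = {
    "WAN": ip_address("203.0.113.7"),
    "OVPN": ip_address("10.8.0.6"),
    "IPSEC": ip_address("10.99.0.2"),
}


def tnsr_forward(src: IPv4Address, nat_on_tnsr: bool) -> IPv4Address:
    """Source address as a packet leaves TNSR's WAN toward pfSense.

    The post deliberately leaves NAT off on TNSR, so the client address is
    forwarded unchanged. With masquerading on, every client would instead
    reach pfSense as TNSR_WAN_IP and per-client policy would be lost.
    """
    if not any(src in net for net in TNSR_SUBNETS):
        raise ValueError(f"{src} is not in a TNSR subnet")
    return TNSR_WAN_IP if nat_on_tnsr else src


def pfsense_gateway(src: IPv4Address) -> str:
    """Policy-based routing on the pfSense LAN rules, first match wins."""
    for match, gateway in POLICY_RULES:
        if isinstance(match, IPv4Network):
            hit = src in match
        else:
            hit = src == match
        if hit:
            return gateway
    return DEFAULT_GATEWAY


def pfsense_return_next_hop(dst: IPv4Address):
    """Static routes on pfSense: each 10.0.x.x subnet is reached via the TNSR gateway.

    Returns None when the destination sits on the pfSense LAN itself and is
    delivered directly (the NAT-on-TNSR case).
    """
    for net in TNSR_SUBNETS:
        if dst in net:
            return TNSR_WAN_IP
    return None


def trace(client: str, nat_on_tnsr: bool = False) -> dict:
    """Follow one outbound flow from a TNSR VLAN client through pfSense."""
    src = ip_address(client)
    seen = tnsr_forward(src, nat_on_tnsr)
    gateway = pfsense_gateway(seen)
    return {
        "seen_by_pfsense": str(seen),
        "gateway": gateway,
        "translated_to": str(NAT_ADDRESS[gateway]),
        "return_next_hop": str(pfsense_return_next_hop(seen)),
    }


if __name__ == "__main__":
    for client in ("10.0.10.50", "10.0.20.7", "10.0.30.5"):
        print(client, "no NAT on TNSR ->", trace(client))
        print(client, "NAT on TNSR    ->", trace(client, nat_on_tnsr=True))
```

The two runs per client show the point of the design: with TNSR forwarding unchanged source addresses, pfSense can match a VLAN or a single host to a gateway, apply the outbound NAT rule for that gateway, and route replies back through the static route to TNSR's WAN address. With NAT on TNSR, every host collapses into 192.168.2.10, the per-host rule never matches, and firewall logs and DNSBL hits can no longer be attributed to a specific client.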
-
Thank you for posting this. This is hands down the best post around TNSR usage I've seen.
I've also really wanted to try TNSR for myself without any of the hand holding/hoops to jump through etc. Hopefully this starts a discussion to make TNSR easier for the community to access and use as a whole.
I think it would be a good idea to separate TNSR into a free home version VS enterprise support offerings at the very least.
Netgate, you could always use the model that VyOS uses:
https://www.vyos.io/rolling-release/
That is, to give the bleeding edge rolling release version out to the whole community for no charge. Then keep the licensing/support services etc. for the stable version of what would be your TNSR codebase.
If you could implement that change to TNSR, it would really help everyone in the community embrace it.
-
Very glad that you enjoyed my thoughts and the write up. I was certainly excited to explore and configure new software from the company that has been the source of so much networking learning and discovery for me. Not sure I have the influence or weight (as a user or customer) to steer Netgate's vision on TNSR, but I strongly contend that there are those who would use it at home if given the chance and for the right price point. I'm even fine not to get it for free if it helps with development and viability of the software. Anyway, perhaps Netgate will come up with a program, assuming they haven't already been working one out, to get TNSR to a greater number of us. I'll post updates on any new configurations I decide to implement and, if you haven't seen already, keep posting questions about features, "how do I", etc.
-
@tman904 said in TNSR adventures on my home network:
Thank you for posting this. This is hands down the best post around TNSR usage I've seen.
I've also really wanted to try TNSR for myself without any of the hand holding/hoops to jump through etc. Hopefully this starts a discussion to make TNSR easier for the community to access and use as a whole.
I think it would be a good idea to separate TNSR into a free home version VS enterprise support offerings at the very least.
Netgate, you could always use the model that VyOS uses:
https://www.vyos.io/rolling-release/
That is, to give the bleeding edge rolling release version out to the whole community for no charge. Then keep the licensing/support services etc. for the stable version of what would be your TNSR codebase.
If you could implement that change to TNSR, it would really help everyone in the community embrace it.
Thanks @tman904. Good ideas for sure.