weird behavior with ping
-
We are currently evaluating tnsr as a possible solution for large scale NAT and things were going great until we tried to set up our WAN with a public IP on a /29 subnet. We currently have tnsr installed on a VMware ESXi server. We are using a vmnet3 interface on 10GB. After configuring the interface we assigned a public IP and then tried to ping the router, a Ubiquiti Infinity router. We could not ping the router at all. We tried to ping tnsr from the router on the same interface and IP and we had no success.
We thought it was our configuration and changed to DHCP, and we could NOT get a DHCP resolution. This is where things get weird. We set up a VM with Windows Server and then assigned ourselves to the same network on the same VMware interface card using vmnet3, and we were able to ping both the router and tnsr on their respective IPs.
Based on this we are sure that there is something weird in tnsr as we can ping the router on all other networks it connects to.
When we exit configuration mode we are able to ping the router interface through the manager interface.
-
@obensouda
Hard to tell without seeing your configuration or logs. I have tnsr on VMware 7 and the only limitation is that vmnet3 does not support MTU 9000; otherwise it works correctly.
@kiokoman thanks for getting back to me. Below is my configuration. I did not do anything out of the ordinary and I am perplexed.
<!-- ACL definitions (netgate-acl). Two lists are defined: internet-in and
     internet-out. They only take effect where an interface references them. -->
<acl-config xmlns="urn:netgate:xml:yang:netgate-acl">
  <acl-table>
    <!-- internet-in: three permit rules and no explicit deny rule. What happens
         to packets that match none of them depends on the ACL's default action
         (presumably deny; confirm against the TNSR documentation). -->
    <acl-list>
      <acl-name>internet-in</acl-name>
      <acl-rules>
        <!-- seq 10: IPv4 UDP from source port 67 to destination port 68,
             i.e. replies from a DHCP server to a DHCP client. -->
        <acl-rule>
          <sequence>10</sequence>
          <acl-rule-description><![CDATA[allow DHCP responses]]></acl-rule-description>
          <action>permit</action>
          <ip-version>ipv4</ip-version>
          <src-first-port>67</src-first-port>
          <src-last-port>67</src-last-port>
          <dst-first-port>68</dst-first-port>
          <dst-last-port>68</dst-last-port>
          <protocol>udp</protocol>
        </acl-rule>
        <!-- seq 20: any IPv4 ICMP packet; no address or ICMP type/code
             condition is set, so echo requests and replies both match. -->
        <acl-rule>
          <sequence>20</sequence>
          <acl-rule-description><![CDATA[Allow ICMP]]></acl-rule-description>
          <action>permit</action>
          <ip-version>ipv4</ip-version>
          <protocol>icmp</protocol>
        </acl-rule>
        <!-- seq 30: matches on UDP source port 53 only. There is no
             destination-port or source-address condition, so any inbound UDP
             datagram carrying source port 53 is permitted, whether or not it
             answers a query that was sent.
             NOTE(review): if the reflect rule in internet-out already admits
             replies to outbound queries, consider narrowing this rule to the
             resolvers actually in use. -->
        <acl-rule>
          <sequence>30</sequence>
          <acl-rule-description><![CDATA[Allow DNS Responses]]></acl-rule-description>
          <action>permit</action>
          <ip-version>ipv4</ip-version>
          <src-first-port>53</src-first-port>
          <src-last-port>53</src-last-port>
          <protocol>udp</protocol>
        </acl-rule>
      </acl-rules>
    </acl-list>
    <!-- internet-out: a single rule matching all IPv4 with action "reflect".
         Reflect is understood to permit the flow and to admit its return
         traffic statefully; confirm the exact semantics for the TNSR
         version in use. -->
    <acl-list>
      <acl-name>internet-out</acl-name>
      <acl-rules>
        <acl-rule>
          <sequence>10</sequence>
          <acl-rule-description><![CDATA[Reflect All Outbound]]></acl-rule-description>
          <action>reflect</action>
          <ip-version>ipv4</ip-version>
        </acl-rule>
      </acl-rules>
    </acl-list>
  </acl-table>
</acl-config>
<!-- Dataplane settings (netgate-dataplane): default MTU, the PCI devices handed
     to DPDK and the names they get, buffer pool size, and stats segment. -->
<dataplane-config xmlns="urn:netgate:xml:yang:netgate-dataplane">
  <ethernet>
    <default-mtu>1500</default-mtu>
  </ethernet>
  <dpdk>
    <!-- Four network devices, each identified by PCI address and given the
         interface name used in the rest of the configuration. -->
    <dev>
      <id>0000:04:00.0</id>
      <device-type>network</device-type>
      <name>k8s-lan</name>
    </dev>
    <dev>
      <id>0000:0b:00.0</id>
      <device-type>network</device-type>
      <name>data-center</name>
    </dev>
    <dev>
      <id>0000:13:00.0</id>
      <device-type>network</device-type>
      <name>WAN-4G</name>
    </dev>
    <dev>
      <id>0000:1b:00.0</id>
      <device-type>network</device-type>
      <name>LAN-4G</name>
    </dev>
    <!-- UIO-based binding gives the userspace dataplane direct access to the
         devices. NOTE(review): UIO drivers generally do not provide IOMMU
         isolation; whether an IOMMU-backed driver is an option inside this
         VM is not visible from the pasted config. -->
    <uio-driver>igb_uio</uio-driver>
  </dpdk>
  <buffers>
    <buffers-per-numa>32768</buffers-per-numa>
  </buffers>
  <statseg>
    <heap-size>96M</heap-size>
    <per-node-counters>
      <enabled>false</enabled>
    </per-node-counters>
  </statseg>
</dataplane-config>
<!-- Interface configuration (netgate-interface). Four interfaces are enabled.
     Only WAN-4G has access lists attached; LAN-4G, data-center and k8s-lan
     carry no ACL in this paste. -->
<interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
  <interface>
    <name>LAN-4G</name>
    <description><![CDATA[LAN]]></description>
    <enabled>true</enabled>
    <ipv4>
      <address>
        <ip>172.16.0.1/12</ip>
      </address>
    </ipv4>
  </interface>
  <!-- WAN-4G: the public /29 address from the post. MTU 1500 is set both on the
       interface and inside the ipv4 container. -->
  <interface>
    <name>WAN-4G</name>
    <description><![CDATA[WAN-4G]]></description>
    <enabled>true</enabled>
    <mtu>1500</mtu>
    <ipv4>
      <address>
        <ip>196.223.151.210/29</ip>
      </address>
      <mtu>1500</mtu>
    </ipv4>
    <!-- internet-in filters packets arriving on WAN-4G and internet-out
         filters packets leaving it. When debugging reachability on this
         interface, these two lists are the filtering that applies. -->
    <access-list>
      <input>
        <acl-list>
          <acl-name>internet-in</acl-name>
          <sequence>10</sequence>
        </acl-list>
      </input>
      <output>
        <acl-list>
          <acl-name>internet-out</acl-name>
          <sequence>10</sequence>
        </acl-list>
      </output>
    </access-list>
  </interface>
  <interface>
    <name>data-center</name>
    <description><![CDATA[data-center]]></description>
    <enabled>true</enabled>
    <ipv4>
      <address>
        <ip>10.1.1.15/16</ip>
      </address>
    </ipv4>
  </interface>
  <interface>
    <name>k8s-lan</name>
    <description><![CDATA[k8s-lan]]></description>
    <enabled>true</enabled>
    <ipv4>
      <address>
        <ip>10.105.0.5/16</ip>
      </address>
    </ipv4>
  </interface>
</interfaces-config>
<!-- Kea DHCPv4 server settings (netgate-kea). Only the lease database and the
     socket type are present; no subnet, pool or listening interface is
     defined in this paste. -->
<kea-config xmlns="urn:netgate:xml:yang:netgate-kea">
  <dhcp4-server>
    <Dhcp4>
      <!-- Leases are kept in a file-backed store and persisted to disk.
           In Kea, an lfc-interval of 0 disables periodic lease file cleanup. -->
      <lease-database>
        <type>memfile</type>
        <persist>true</persist>
        <lfc-interval>0</lfc-interval>
      </lease-database>
      <interfaces-config>
        <dhcp-socket-type>raw</dhcp-socket-type>
      </interfaces-config>
    </Dhcp4>
  </dhcp4-server>
</kea-config>
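<!-- NAT settings (netgate-nat). NAT44 is disabled in this configuration, so no
     IPv4 address translation is applied to traffic on any interface. -->
<nat-config xmlns="urn:netgate:xml:yang:netgate-nat">
  <global-options>
    <nat44>
      <enabled>false</enabled>
    </nat44>
  </global-options>
  <!-- IPFIX logging parameters: observation domain 1, source port 4739. -->
  <ipfix>
    <logging>
      <domain>1</domain>
      <src-port>4739</src-port>
    </logging>
  </ipfix>
  <nat64>
    <!-- The opening tags of the ngmap subtree are restored here so that they
         pair with the closing tags present in the paste; element names are
         taken from those closing tags. The MAP security check is enabled. -->
    <ngmap:map xmlns:ngmap="urn:netgate:xml:yang:netgate-map">
      <ngmap:parameters>
        <ngmap:security-check>
          <ngmap:enable>true</ngmap:enable>
        </ngmap:security-check>
      </ngmap:parameters>
    </ngmap:map>
  </nat64>
</nat-config>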
<!-- Neighbor table (netgate-neighbor). WAN-4G is listed, but no static
     neighbor entries are defined under it in this paste. -->
<neighbor-config xmlns="urn:netgate:xml:yang:netgate-neighbor">
  <neighbor-table>
    <interface>
      <if-name>WAN-4G</if-name>
    </interface>
  </neighbor-table>
</neighbor-config>
<!-- Static route tables (netgate-route-table). The table ipv4-VRF:0 is declared
     with id 0 and contains no route entries in this paste, so no default
     route is configured statically here. -->
<route-table-config xmlns="urn:netgate:xml:yang:netgate-route-table">
  <static-routes>
    <route-table>
      <name>ipv4-VRF:0</name>
      <id>0</id>
    </route-table>
  </static-routes>
</route-table-config>
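<!-- Dynamic routing (netgate-route). BGP, OSPF, OSPF6 and RIP are all disabled,
     and the FRR manager has ptm set to false. The opening tags of each prefixed
     subtree are restored so that they pair with the closing tags present in
     the paste; element names are taken from those closing tags. -->
<route-config xmlns="urn:netgate:xml:yang:netgate-route">
  <dynamic>
    <ngbgp:bgp xmlns:ngbgp="urn:netgate:xml:yang:netgate-bgp">
      <ngbgp:global-options>
        <ngbgp:enable>false</ngbgp:enable>
      </ngbgp:global-options>
    </ngbgp:bgp>
    <ngfrr:manager xmlns:ngfrr="urn:netgate:xml:yang:netgate-frr">
      <ngfrr:global-options>
        <ngfrr:ptm>false</ngfrr:ptm>
      </ngfrr:global-options>
    </ngfrr:manager>
    <ngospf:ospf xmlns:ngospf="urn:netgate:xml:yang:netgate-ospf">
      <ngospf:global-options>
        <ngospf:enable>false</ngospf:enable>
      </ngospf:global-options>
    </ngospf:ospf>
    <ngospf6:ospf6 xmlns:ngospf6="urn:netgate:xml:yang:netgate-ospf6">
      <ngospf6:global-options>
        <ngospf6:enable>false</ngospf6:enable>
      </ngospf6:global-options>
    </ngospf6:ospf6>
    <ngrip:rip xmlns:ngrip="urn:netgate:xml:yang:netgate-rip">
      <ngrip:global-options>
        <ngrip:enable>false</ngrip:enable>
      </ngrip:global-options>
    </ngrip:rip>
  </dynamic>
</route-config>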
<!-- SNMP (netgate-snmp): the agent is disabled. -->
<snmp-config xmlns="https://netgate.com/ns/netgate-snmp">
  <snmp-enable>false</snmp-enable>
</snmp-config>
<!-- Unbound DNS resolver (netgate-unbound). IPv4 over both TCP and UDP is
     enabled, glue hardening is on, and the server identity is hidden.
     No listening interface or access-control entry appears in this paste. -->
<unbound-config xmlns="urn:netgate:xml:yang:netgate-unbound">
  <daemon>
    <server>
      <do-ip4>true</do-ip4>
      <do-tcp>true</do-tcp>
      <do-udp>true</do-udp>
      <harden-glue>true</harden-glue>
      <hide-identity>true</hide-identity>
      <outgoing-range>4096</outgoing-range>
    </server>
  </daemon>
</unbound-config>
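<!-- NETCONF Access Control Model (ietf-netconf-acm, RFC 8341). NACM is enabled
     and read, write and exec all default to deny, so access exists only where
     a rule grants it. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <!-- Group memberships supplied by the transport layer are honoured in
       addition to the groups listed below. -->
  <enable-external-groups>true</enable-external-groups>
  <groups>
    <!-- Members of admin: the root and tnsr accounts. -->
    <group>
      <name>admin</name>
      <user-name>root</user-name>
      <user-name>tnsr</user-name>
    </group>
  </groups>
  <rule-list>
    <name>admin-rules</name>
    <group>admin</group>
    <!-- permit-all grants the admin group every operation on every module.
         "*" is the RFC 8341 match-all value for module-name and
         access-operations. Both elements were empty in the paste, which
         does not fit a rule named permit-all, so the match-all value is
         restored here.
         NOTE(review): confirm against the running configuration. -->
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>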