Netgate Discussion Forum

    Share your Experience

    TNSR Feedback
      gfeiner @bbrendon

      @bbrendon said in Share your Experience:

      Interesting product. I was expecting a pfsense with some upgrades and not a completely different system. It seems a lot like Vyos.

      It’s not something I’m interested in because the packages are gone and the GUI is gone.

      I’ll be interested to see what people do with it.

      yeah. Slap a pfsense-like GUI on that puppy for home users and then I'm all over it.

        NetFreak

        Hi,

        hereby I would like to write down my experience with the test version. I was asked by mail to do this here.
        The next lines are personal notes on individual functions. They also contain questions. It would be nice if one of the developers could answer them:

        1) Install

        - Default install --> "A start job is running for dev-mapper.. root device.." (LVM)
                --> Fixed by assigning more memory (was 4G before).

        2) First start

        - VPP and TNSR Daemon not running.. --> Assign more memory to fix (now 16gb ram)

        3) Configure NICs

        - VRRP IPv6 not working if prefix != /64 (e.g. /48)
        - Not possible to define a different interface to sync VRRP states - Rolestate updates/keepalives (?)

        4) Configure BGP

        - Not more than one BGP community configurable (e.g. set community 49697:2402 49697:2500 49697:2511)
        - "route dynamic bgp --> server 205927 --> neighbor PEERGROUP6 --> enable" does not enable peers related to a peer-group.
                --> fix: neighbor X:X:X:X --> enable
        - After "no enable" for a peer-group a "service bgp restart" is required to activate the changes (?)
        - FRR / BGPd has to be restarted after a route-map has been removed (No reload possible?)
        - "no bgp default ipv4-unicast" configurable via vtysh but not via "clixon_cli"

        5) Misc

        - Strange problem after reboot "clixon_backend: Mar  4 15:18:17: tnsr_err_report: 292: Config error: add:vpp/loopback/bgploop, Invalid registration, Add loopback failed"
                --> Solution: reboot ^^
        - Adding new NICs while the VPS is online leads vpp to crash.. (KVM add NIC + dataplane dpdk dev XY:XY network)
                --> Solution: Reset the whole VPP/TNSR config to defaults (delete candidate_db, running_db + startup_db)..
        - Is it possible to monitor traffic from external tools (e.g. zabbix)? Afais it's possible to use SNMP.. Is this the only option you have?
        - Is netflow or sflow available?

        Thanks for reading!

        Joey

            kiokoman LAYER 8

            Downloaded ver 20.10 home
            it's a nice experience
            zero-to-ping is easy to follow
            I must say that after some time playing with the CLI I don't miss a GUI anymore.
            I tested it on my VMware with 8gb and 4 core, 2 x ixgben -driver e1000 (known issue, vmxnet3 does not work with mtu 9000)
            the wan side is not free of traffic because I have pfSense with other servers and client running
            so.. just to share a simple iperf3 after following the zero-to-ping without any network optimization

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

              NRgia @kiokoman

              @kiokoman Maybe you can post a test with your pfSense speeds also, for comparison?
              Thanks

                NRgia

                In my use case all it needs is a GUI.
                I will start to have nightmares if I have to configure all the firewall rules via CLI, configure various services like OPENVPN, IPSEC.

                Maybe in the future you can port pfSense GUI, customise it and add the new features for TNSR?

                I like what IxSystems are doing with their TrueNas Scale, by porting the middleware to Linux.

                I don't think it's the same with pfSense-->TNSR, but you asked for use cases.

                Thank you

                  JeGr LAYER 8 Moderator

                  @NRgia said in Share your Experience:

                  OPENVPN

                  There's no OpenVPN.

                  Maybe in the future you can port pfSense GUI, customise it and add the new features for TNSR?

                  AFAIK that's not the scope. Sure, one could add a UI that hooks into the API layer. But the whole system is done with automation and API capability in mind. Not to be single-user-UI friendly. Also as a high performance router, you normally don't change configurations that much.

                  I'd rather compare it with Cisco's ASR vs the ASA firewall. TNSR is more like an ASR on steroids that you also configure via CLI and it does one (core) thing really good - routing with SPEED. ACLs or rules are "meh" though. That's where ASA/firewalls come into play standing behind it.

                  So if you have a need for really high performance routing or tunnels (IPSec only) on things like border gateways or fast cloud uplinks etc. that are configurable via automation (ansible et al) TNSR really brings this! If you want firewalling and UI and rely on additional packages like HAproxy, special IDS setups or pfBlocker et al - then pfSense it is. :)

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    kiokoman LAYER 8

                    right, it is meant to work like on this diagram https://forum.netgate.com/post/922488
                    10G / 40 / 100 and up, like chattanooga ... area51... and so on

                    I don't know who to tell this but I noticed that setting the root password during the install does not work
                    after the installation it reboots and I can't login with root, I must login with the additional user I created and with sudo passwd I need to change/set the password for the root account.

                      dennis_s @kiokoman

                      @kiokoman said in Share your Experience:

                      I don't know who to tell this but I noticed that setting the root password during the install does not work

                      Which specific release did you see that on?

                        kiokoman LAYER 8

                        both 20.08 and 20.10

                          dennis_s @kiokoman

                          @kiokoman Ok thanks! Let me see what I can find out. To be clear this is on initial install?

                            dennis_s @kiokoman

                            @kiokoman Looks like that is on purpose. From our installation docs:

                            Security best practices dictate that it is best not to enable interactive logon for the root account. As such, the root account will be locked out after the installation. Use this process to add at least one alternate administrator account.
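
Added example (not part of the thread or of Netgate's documentation): the installer behaviour quoted above leaves root locked, and running `sudo passwd` for root, as described earlier in the thread, gives the account a usable password again. This sketch classifies the root entry of shadow(5)-format text so an audit can confirm the lock is still in place; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: report whether root can still log on with a password.
# Function names and the sample entries below are constructed for illustration.

# shadow_state LINE: classify field 2 (the password field) of a shadow(5) entry.
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;     # no password needed at all
        '!'*|'*'*) echo locked ;;    # no hash can match: password logon disabled
        *)         echo password ;;  # a usable hash is set
    esac
}

# root_state: read shadow-format text on stdin, report the state of root.
root_state() {
    line=$(grep '^root:' | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    else
        shadow_state "$line"
    fi
}

# Constructed samples: a fresh install (root locked) and the same host after
# someone has set a root password.
FRESH='root:!!:18500:0:99999:7:::
admin:$6$constructedsalt$constructedhash:18500:0:99999:7:::'
CHANGED='root:$6$constructedsalt$constructedhash:18510:0:99999:7:::
admin:$6$constructedsalt$constructedhash:18500:0:99999:7:::'

echo "fresh install: root is $(printf '%s\n' "$FRESH" | root_state)"
echo "after passwd:  root is $(printf '%s\n' "$CHANGED" | root_state)"
```

On a live system the same check is `sudo cat /etc/shadow | root_state`; any result other than `locked` means the installer's default has been changed.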

                              kiokoman LAYER 8

                              ah good to know, that one slipped from my readings

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.