Timeline on TNSR for XG-7100? (And will SG-3100 ever get TNSR?)
victorhooi last edited by
We have quite a few Netgate XG-7100 devices, as well as some SG-3100 devices.
I'm not sure if SG-3100 will ever get TNSR?
For the XG-7100, we were told it's on the roadmap a few months ago - however, is there any update on the ETA for TNSR for the XG-7100?
Sorry, I don't have an ETA for TNSR on the XG-7100 right now, but I'd love to hear how you'd put it to use. We're prioritizing development resources based on customer requirements, so your feedback counts!
victorhooi last edited by victorhooi
Sure, we have around six XG-7100 units, which we use as the main firewall for some VM test labs. We use the inbuilt SFP+ ports for connectivity back to our switch, and for the uplink WAN connection. (We would really like more SFP+ ports, but we hit various issues trying to get SFP+ NICs in there).
We use a Proxmox HA cluster with a Ceph cluster, so we have a few VLANs and firewall rules set up for the various networks (VM traffic, management network, Ceph client traffic, corosync for HA failover etc.)
We are also looking at using ntopng to analyse the traffic passing through from the labs (to prevent abuse), and to detect certain anomalous behaviour (ntopng recently added anomaly detection, data exfiltration detection etc.)
It's getting to the point where it's becoming unwieldy to manage all these pfSense instances - it would be great to manage these from a single pane, and also get the config into configuration management.
Got it. Thanks for the detail!
I totally get the issue of management scalability. That's one of the main reasons we built TNSR. I'll go back to the engineering folks and let them know about your vote for TNSR on the XG-7100.
FWIW, you might still find an interesting application for TNSR in your Proxmox cluster... If you're using that (or other virtual infrastructure) for any of the labs you mentioned that need monitoring, you might want to take a look at the TNSR IDS project over on GitHub: https://github.com/Netgate/TNSR_IDS
If you imagine replacing Snort in that diagram with ntopng, you'll see what I'm getting at. You could even put a TNSR VM in every virtual cluster, use it as your vswitch (except that you'd have more than just a switch) and mirror the traffic over GRE to ntopng.
This would be somewhat like using ntop's nProbe product, except that you wouldn't need to install a probe everywhere - you'd have TNSR as the dataplane for all of the VMs in that environment. We have customers doing something like this in AWS. They don't want to install agents in every AMI, so they route all internal traffic through TNSR and use it as a transparent mirror to their traffic inspection systems.
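The GRE mirroring described above is what a collector such as ntopng sees on the wire. As an added example (not code from this thread or from Netgate), here is a small Python decapsulator that strips the outer IPv4/GRE headers, keeps the GRE key and 802.1Q VLAN ID that could identify which cluster and lab network a mirrored frame came from, and summarises the inner flow; the sample packet, addresses and key value are constructed for the demo.

```python
import struct

GRE_PROTO_IPV4 = 0x0800  # GRE payload is a bare IPv4 packet
GRE_PROTO_TEB = 0x6558   # transparent Ethernet bridging: whole L2 frames are mirrored

def parse_gre_mirror(pkt: bytes) -> dict:
    """Strip the outer IPv4 and GRE headers (RFC 2784/2890) and summarise the inner flow."""
    if pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("outer packet is not IPv4 carrying GRE (protocol 47)")
    gre = pkt[(pkt[0] & 0x0F) * 4:]
    flags, proto = struct.unpack("!HH", gre[:4])
    off, key = 4, None
    if flags & 0x8000:  # C bit: 16-bit checksum + 16-bit reserved1
        off += 4
    if flags & 0x2000:  # K bit: 32-bit key, handy for telling mirroring sources apart
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:  # S bit: 32-bit sequence number
        off += 4
    inner, vlan = gre[off:], None
    if proto == GRE_PROTO_TEB:
        ethertype, l3 = struct.unpack("!H", inner[12:14])[0], 14
        if ethertype == 0x8100:  # 802.1Q tag: keep the VLAN ID of the mirrored frame
            tci, ethertype = struct.unpack("!HH", inner[14:18])
            vlan, l3 = tci & 0x0FFF, 18
        if ethertype != GRE_PROTO_IPV4:
            raise ValueError(f"unsupported inner ethertype {ethertype:#06x}")
        inner = inner[l3:]
    elif proto != GRE_PROTO_IPV4:
        raise ValueError(f"unsupported GRE protocol type {proto:#06x}")
    l4 = inner[(inner[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", l4[:4]) if inner[9] in (6, 17) else (None, None)
    return {"gre_key": key, "vlan": vlan, "src": ".".join(map(str, inner[12:16])),
            "dst": ".".join(map(str, inner[16:20])), "proto": inner[9],
            "sport": sport, "dport": dport}

def build_sample() -> bytes:
    """Constructed packet: 10.0.0.1 -> 10.0.0.2 GRE (key 42) wrapping a VLAN 20 TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 43210, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 10, 5]), bytes([203, 0, 113, 7]))
    eth = bytes(12) + struct.pack("!HHH", 0x8100, 20, GRE_PROTO_IPV4)  # zeroed MACs
    payload = struct.pack("!HHI", 0x2000, GRE_PROTO_TEB, 42) + eth + ip + tcp
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 2, 0, 64, 47, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return outer + payload
```

Feeding real captures through the same function lets you confirm that each lab's traffic arrives with the VLAN and key you expect before trusting the collector's anomaly alerts.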