Timeline on TNSR for XG-7100? (And will SG-3100 ever get TNSR?)

victorhooi

We have quite a few Netgate XG-7100 devices, as well as some SG-3100 devices.

I'm not sure if SG-3100 will ever get TNSR?

For the XG-7100, we were told it's on the roadmap a few months ago - however, is there any update on the ETA for TNSR for the XG-7100?

NotHereDave

Hi, @victorhooi

Sorry, I don't have an ETA for TNSR on the XG-7100 right now, but I'd love to hear how you'd put it to use. We're prioritizing development resources based on customer requirements, so your feedback counts!

victorhooi

Sure, we have around six XG-7100 units, which we use as the main firewall for some VM test labs. We use the inbuilt SFP+ ports for connectivity back to our switch, and for the uplink WAN connection. (We would really like more SFP+ ports, but we hit various issues trying to get SFP+ NICs in there).

We use a Promox HA cluster with a Ceph cluster, so we have a few VLANs and firewall rules setup for the various networks (VM traffic, management network, Ceph client traffic, corosync for HA failover etc.)

We are also looking at using ntopng to analyse the traffic passing through from the labs (to prevent abuse), and to detect certain anomalous behaviour (ntopng recently added anomaly detection, data exfiltration detection etc.)

It's getting to the point where it's becoming unwieldy to manage all these pfSense instances - would be great to manage these from a single pane, and also get the config into configuration management.

NotHereDave

Got it. Thanks for the detail!

I totally get the issue of management scalability. That's one of the main reasons we built TNSR. I'll go back to the engineering folks and let them know about your vote for TNSR on the XG-7100.

FWIW, you might still find an interesting application for TNSR in your Proxmox cluster... If you're using that (or other virtual infrastructure) for any of the labs you mentioned that need monitoring, you might want to take a look at the TNSR IDS project over on Github: https://github.com/Netgate/TNSR_IDS

If you imagine replacing Snort in that diagram with ntopng, you'll see what I'm getting at. You could even put a TNSR VM in every virtual cluster, use it as your vswitch (except that you'd have more than just a switch) and mirror the traffic over GRE to ntopng.

This would be somewhat like using ntop's nProbe product, except that you wouldn't need to install a probe everywhere - you'd have TNSR as the dataplane for all of the VMs in that environment. We have customers doing something like this in AWS. They don't want to install agents in every AMI, so they route all internal traffic through TNSR and use it as a transparent mirror to their traffic inspection systems.

victorhooi

Was there any update on this?

Is TNSR for XG-7100 on the roadmap yet, or any timeline? looks hopeful. =)

dennis_s

Hi @victorhooi Still no ETA for TNSR on the 7100, however, the engineers are aware of the ask and soon as it gets added we'll make an announcement on the forum.

nevinsm

@NotHereDave We also have 4 of these appliances and the standard pfsense software doesn't hold up under heavy load. We can't get anywhere near our 10Gbps fiber connection cap so we would love to have the ability to use TNSR on the XG-7100 if it can get us near saturation on the uplinks.

audian

@nevinsm - What kind of throughput are you getting?