Services do not receive traffic on an interface with NAT enabled

When NAT is enabled, by default TNSR will drop traffic that doesn’t match an existing NAT session or static NAT rule. This includes traffic for services on TNSR such as IPsec and BGP. To allow this traffic, see NAT Forwarding.

NAT session limits / “Create NAT session failed” error

The default limit for NAT sessions per IP address in the dataplane is 10240. If the number of sessions from a client IP address, including TNSR itself, exceeds that value, then new connections will fail. This value can be changed by using the dataplane nat max-translations-per-user command as described in Advanced Dataplane Configuration: NAT.

ACL rules do not match NAT traffic as expected

When NAT is active, ACL rules are always processed before NAT on interfaces where NAT is applied, in any direction. This behavior is different from some other products, such as pfSense. See ACL and NAT Interaction for details.

Some Traffic to the host OS management interface is dropped

TNSR includes a default set of Netfilter rules which secure the management interface. Only certain ports are allowed by default. See Default Allowed Traffic for details. To allow more traffic, create host ACLs as described in Host ACLs.