Tip

This is the documentation for the 21.07 version. Looking for the documentation of the latest version? Have a look here.

Services do not receive traffic on an interface with NAT enabled

When NAT is enabled, by default TNSR will drop traffic that doesn’t match an existing NAT session or static NAT rule. This includes traffic for services on TNSR such as IPsec and BGP. To allow this traffic, see NAT Forwarding.

NAT session limits / “Create NAT session failed” error

The default limit for NAT sessions per IP address in the dataplane is 10240. If the number of sessions from a client IP address, including TNSR itself, exceeds that value, then new connections will fail. This value can be changed in Endpoint-independent NAT mode by using the nat global-options nat44 max-translations-per-user command as described in NAT Sizing Options.

ACL rules do not match NAT traffic as expected

When NAT is active, ACL rules are always processed before NAT on interfaces where NAT is applied, in any direction. This behavior is different from some other products, such as pfSense. See ACL and NAT Interaction for details.

Some Traffic to the host OS management interface is dropped

TNSR includes a default set of Netfilter rules which secure the management interface. Only certain ports are allowed by default. See Default Allowed Traffic for details. To allow more traffic, create host ACLs as described in Host ACLs.

To view the current Netfilter rules from within the TNSR CLI, use:

tnsr# show host ruleset

To view the current Netfilter rules from a shell prompt, use:

$ sudo nft list table inet tnsr_filter

The Netfilter service can also be controlled through the shell if necessary when troubleshooting host OS connectivity by using the nftables service in systemd:

To stop the Netfilter service:

$ sudo service nftables stop

To start the Netfilter service:

$ sudo service nftables start