LAN Interface Filter Rules

These LAN rules allow traffic from local clients on the LAN interface to and through TNSR.

Create Ruleset

Create the LAN interface filter ruleset on both nodes:

tnsr(config)# vpf filter ruleset LAN-filter
tnsr(config-vpf-filter-ruleset)# description Filter Rules for LAN

Allow DHCP

If TNSR is acting as a DHCP server (see DHCP Server (Optional)), the rules must allow DHCP-related packets from clients on LAN. Note that a DHCP Discover arrives with a source address of 0.0.0.0, so it is not covered by the later client rule for 10.28.0.0/24:

tnsr(config-vpf-filter-ruleset)# rule 10
tnsr(config-vpf-filter-rule)# description Allow DHCP Discovery
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from ipv4-prefix 0.0.0.0/32
tnsr(config-vpf-filter-rule)# from port 68
tnsr(config-vpf-filter-rule)# to port 67
tnsr(config-vpf-filter-rule)# to ipv4-prefix 255.255.255.255/32
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 11
tnsr(config-vpf-filter-rule)# description Allow DHCP Requests
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from port 68
tnsr(config-vpf-filter-rule)# to port 67
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.0.1/32
tnsr(config-vpf-filter-rule)# exit

Allow VRRP

These rules allow VRRP to communicate inbound and outbound to ensure both nodes can exchange heartbeats:

tnsr(config-vpf-filter-ruleset)# rule 20
tnsr(config-vpf-filter-rule)# description Allow VRRP inbound
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol vrrp
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# rule 21
tnsr(config-vpf-filter-rule)# description Allow VRRP outbound
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# protocol vrrp
tnsr(config-vpf-filter-rule)# exit

Allow Client Traffic

This rule allows clients on LAN to reach any destination on or through TNSR:

tnsr(config-vpf-filter-ruleset)# rule 30
tnsr(config-vpf-filter-rule)# description Allow LAN inbound to Any destination
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# from ipv4-prefix 10.28.0.0/24
tnsr(config-vpf-filter-rule)# exit

Allow Egress Traffic

This rule allows traffic originating from TNSR itself, and traffic routed through TNSR, to egress via the LAN interface:

tnsr(config-vpf-filter-ruleset)# rule 40
tnsr(config-vpf-filter-rule)# description Pass outbound from TNSR to LAN
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction out
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# ip-version ipv4
tnsr(config-vpf-filter-rule)# to ipv4-prefix 10.28.0.0/24
tnsr(config-vpf-filter-rule)# exit

Activate Ruleset

Exit out to complete the ruleset:

tnsr(config-vpf-filter-ruleset)# exit

Next, activate the LAN filter ruleset:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface LAN filter-ruleset LAN-filter
tnsr(config-vpf-option)# exit
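As an added check that is not part of the TNSR documentation or product code, the following Python model encodes the match criteria of the six rules above and evaluates constructed sample packets against them. It assumes that a packet matching no pass rule is dropped (an assumption about the filter's default, not something stated on this page), and it shows why rule 10 is needed alongside rule 30: a DHCP Discover carries source 0.0.0.0, which lies outside 10.28.0.0/24.

```python
import ipaddress

# Model of the LAN-filter ruleset on this page, as
# (rule, direction, protocol, from-prefix, from-port, to-prefix, to-port).
# None means the rule does not constrain that field. Constructed illustration
# of the match criteria only; not TNSR's own data model.
LAN_FILTER = [
    (10, "in",  None,   "0.0.0.0/32",    68,   "255.255.255.255/32", 67),
    (11, "in",  None,   None,            68,   "10.28.0.1/32",       67),
    (20, "in",  "vrrp", None,            None, None,                 None),
    (21, "out", "vrrp", None,            None, None,                 None),
    (30, "in",  None,   "10.28.0.0/24",  None, None,                 None),
    (40, "out", None,   None,            None, "10.28.0.0/24",       None),
]

def _in_prefix(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def rule_matches(rule, pkt):
    """True when every criterion the rule sets agrees with the packet fields."""
    _, direction, proto, src_pfx, sport, dst_pfx, dport = rule
    return (direction == pkt["direction"]
            and (proto is None or proto == pkt["proto"])
            and _in_prefix(pkt["src"], src_pfx)
            and (sport is None or sport == pkt.get("sport"))
            and _in_prefix(pkt["dst"], dst_pfx)
            and (dport is None or dport == pkt.get("dport")))

def evaluate(pkt, rules=LAN_FILTER):
    """Return the lowest-numbered matching rule, or None (assumed: dropped).
    Every rule here is a pass rule, so match order does not change the verdict."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, pkt):
            return rule[0]
    return None

# Constructed sample packets as seen on the LAN interface.
DHCP_DISCOVER = {"direction": "in", "proto": "udp", "src": "0.0.0.0", "sport": 68,
                 "dst": "255.255.255.255", "dport": 67}
DHCP_RENEW = {"direction": "in", "proto": "udp", "src": "10.28.0.50", "sport": 68,
              "dst": "10.28.0.1", "dport": 67}
VRRP_ADVERT = {"direction": "in", "proto": "vrrp", "src": "10.28.0.2", "dst": "224.0.0.18"}
CLIENT_HTTPS = {"direction": "in", "proto": "tcp", "src": "10.28.0.50", "sport": 51000,
                "dst": "203.0.113.10", "dport": 443}
SPOOFED_SRC = {"direction": "in", "proto": "tcp", "src": "198.51.100.7", "sport": 40000,
               "dst": "10.28.0.1", "dport": 22}

if __name__ == "__main__":
    for name, pkt in [("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW), ("vrrp", VRRP_ADVERT),
                      ("https", CLIENT_HTTPS), ("spoofed", SPOOFED_SRC)]:
        print(f"{name:9s} -> rule {evaluate(pkt)}")
    # Without rule 10 the Discover is dropped: source 0.0.0.0 is outside 10.28.0.0/24.
    print("discover without rule 10 ->", evaluate(DHCP_DISCOVER, [r for r in LAN_FILTER if r[0] != 10]))
```

The spoofed packet, inbound on LAN with a source outside 10.28.0.0/24, matches no rule, so the source constraint on rule 30 doubles as a basic anti-spoofing check.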