Services do not receive traffic on an interface with NAT enabled¶
When NAT is enabled on an interface, TNSR by default drops traffic arriving on that interface which does not match an existing NAT session or a static NAT rule. This includes traffic destined for services running on TNSR itself, such as IPsec and BGP. To allow such traffic, see NAT Forwarding.
NAT session limits / “Create NAT session failed” error¶
The default limit for NAT sessions per IP address in the dataplane is 10240. If the number of sessions from a client IP address, including TNSR itself, exceeds that value, then new connections will fail. This value can be changed in Endpoint-independent NAT mode by using the nat global-options nat44 max-translations-per-user command as described in NAT Sizing Options.
ACL rules do not match NAT traffic as expected¶
When NAT is active, ACL rules are always processed before NAT on interfaces where NAT is applied, in any direction. This behavior is different from some other products, such as pfSense. See ACL and NAT Interaction for details.
ACL entries do not have any effect on bridge loopback (BVI) interfaces¶
This is expected behavior when traffic is forwarded between interfaces on the same bridge: such packets are switched within the bridge and never arrive on the loopback (BVI) interface, so ACLs applied there cannot see them. ACLs must be applied to the hardware member interfaces if the packets only travel within a bridge.
Some Traffic to the host OS management interface is dropped¶
TNSR includes a default set of Netfilter rules which secure the management interface. Only certain ports are allowed by default. See Default Allowed Traffic for details. To allow more traffic, create host ACLs as described in Host ACLs.
To view the current Netfilter rules from within the TNSR CLI, use:
tnsr# show host ruleset
To view the current Netfilter rules from a shell prompt, use:
$ sudo nft list table inet tnsr_filter
The Netfilter service can also be controlled through the shell if necessary when troubleshooting host OS connectivity by using the nftables service in systemd:
To stop the Netfilter service:
$ sudo service nftables stop
To start the Netfilter service:
$ sudo service nftables start
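When a connection to the management interface is dropped, the usual question is whether the host ruleset accepts that destination port at all. The script below is an added example, not part of the TNSR documentation or of TNSR itself: it parses ruleset text in the format that nft list table inet tnsr_filter prints and reports whether a TCP or UDP destination port is matched by an accept rule, handling single ports, port ranges and anonymous sets. The ruleset embedded in it is constructed for illustration and is not the real TNSR default (see Default Allowed Traffic for that); the names port_allowed and SAMPLE_RULESET are chosen here.

```shell
#!/bin/sh
# Added example, not from the TNSR documentation: check whether a TCP or UDP
# destination port is accepted by a host Netfilter ruleset in the text format
# that `nft list table inet tnsr_filter` prints.

# Constructed sample ruleset for illustration only; it is NOT the TNSR default.
# On a live system capture the real one with:
#   RULESET=$(sudo nft list table inet tnsr_filter)
SAMPLE_RULESET='table inet tnsr_filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport { 22, 443 } accept
		udp dport 161 accept
		tcp dport 8000-8010 accept
		tcp dport 23 drop
	}
}'

# port_allowed PROTO PORT [RULESET_TEXT]
# Returns 0 if some "accept" rule in the ruleset matches "<PROTO> dport <PORT>",
# handling single ports, ranges (a-b) and anonymous sets ({ a, b, c }).
# Returns 1 otherwise (including when the only matching rule is a drop).
port_allowed() {
    proto=$1
    port=$2
    ruleset=${3:-$SAMPLE_RULESET}
    printf '%s\n' "$ruleset" | awk -v proto="$proto" -v port="$port" '
        index($0, proto " dport") > 0 && /accept/ {
            # locate the "dport" keyword, then consume the match operands
            for (i = 1; i <= NF; i++) if ($i == "dport") break
            for (j = i + 1; j <= NF; j++) {
                tok = $j
                gsub(/[{},]/, "", tok)          # strip set punctuation
                if (tok == "") continue
                if (tok ~ /^[0-9]+$/) {
                    if (tok + 0 == port + 0) found = 1
                } else if (tok ~ /^[0-9]+-[0-9]+$/) {
                    split(tok, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else {
                    break                       # reached the verdict/counter
                }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone demo against the constructed sample.
for spec in tcp/22 tcp/443 udp/161 tcp/8005 tcp/23 udp/22; do
    proto=${spec%/*}
    port=${spec#*/}
    if port_allowed "$proto" "$port"; then
        echo "$spec: allowed"
    else
        echo "$spec: blocked"
    fi
done
```

To check a live TNSR host, pass the captured ruleset as the third argument, for example port_allowed tcp 443 "$(sudo nft list table inet tnsr_filter)". A port reported as blocked here is the case that the Host ACLs section addresses; a port reported as allowed but still unreachable points at something other than the host Netfilter rules, such as the dataplane or the service itself.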