Back to Blog

TNSR

Using TNSR with VPF to Implement Port-Forwarding

Using TNSR with VPF to Implement Port-Forwarding

TNSR Software Tip

One of the significant enhancements in the release of TNSR software 24.10 is the addition of VPF, a stateful packet filter which supports filtering and NAT tasks in a more robust and flexible manner than the similar features native to the VPP dataplane. With VPF, NAT and ACLs now work together in the same system. This allows much greater flexibility in configuring NAT and filter rules, and increased stability for NAT.

Although the existing dataplane NAT will be deprecated in the future, it remains in this release. One of the many drawbacks of the existing NAT and ACL plugins is that they do not work together. We addressed this shortcoming in VPF. All TNSR users are encouraged to switch to the new VPF system. Consult our conversion documentation for more information.

This month’s TNSR Software Tip explains how to configure VPF to perform a port-forward on TNSR’s WAN address to a backend server on the LAN. Consider this simple network diagram. We have a TNSR instance with a WAN IP of 203.0.113.10 and a LAN IP of 172.17.1.1. On the LAN is a web server host at 172.17.1.50, and we would like to port-forward inbound TCP port 80 traffic to this web host.

Configure VPF

We must first create our port-forward rule that will forward all traffic destined to the WAN IP on TCP port 80 of TNSR to the internal LAN server’s port 80:

tnsr(config)# vpf nat ruleset WAN-NAT
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description Forward port 80
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 80
tnsr(config-vpf-nat-rule)# nat-prefix 172.17.1.50/32
tnsr(config-vpf-nat-rule)# nat-port 80
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit

 

Then, we must create a filter rule that will allow TCP port 80 traffic to reach the external IP address of the WAN port:

tnsr(config)# vpf filter ruleset WAN-FILTER
tnsr(config-vpf-filter-ruleset)# rule 50
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# protocol tcp
tnsr(config-vpf-filter-rule)# to ifaddrs WAN
tnsr(config-vpf-filter-rule)# to port 80
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit

 

Finally, we must apply the WAN-FILTER and WAN-NAT rulesets to the WAN interface:

tnsr(config)# vpf options
tnsr(config-vpf-option)# interface WAN filter-ruleset WAN-FILTER
tnsr(config-vpf-option)# interface WAN nat-ruleset WAN-NAT
tnsr(config)# vpf enable

 

At this point, any traffic destined to our WAN IP (203.0.113.10) on port 80 will be allowed to pass, and be redirected to our internal host at 172.17.1.50 on port 80.

Conclusion

VPF is easier to configure and much more powerful than existing dataplane NAT and ACLs. Visit our online documentation at the time of release for more information on how to use this new system.