TNSR Software Tip
One of the significant enhancements in the release of TNSR software 24.10 is the addition of VPF, a stateful packet filter which supports filtering and NAT tasks in a more robust and flexible manner than the similar features native to the VPP dataplane. With VPF, NAT and ACLs now work together in the same system. This allows much greater flexibility in configuring NAT and filter rules, and increased stability for NAT.
Although the existing dataplane NAT will be deprecated in the future, it remains in this release. Because VPF replaces the previous NAT and ACL functions, the two are not intended to work together. All TNSR users are encouraged to switch to the new VPF system. Consult our conversion documentation for more information.
This month’s TNSR Software Tip explains how to configure VPF to port-forward traffic arriving on TNSR’s WAN address to a backend server on the LAN. Consider this simple network. We have a TNSR instance with a WAN IP of 203.0.113.10 and a LAN IP of 172.17.1.1. On the LAN is a web server host at 172.17.1.50, and we would like to port-forward inbound TCP port 80 traffic to this web host.
We must first create our port-forward rule that will forward all traffic destined to the WAN IP on TCP port 80 of TNSR to the internal LAN server’s port 80:
tnsr(config)# vpf nat ruleset WAN-NAT
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description Forward port 80
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 80
tnsr(config-vpf-nat-rule)# nat-prefix 172.17.1.50/32
tnsr(config-vpf-nat-rule)# nat-port 80
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
Then, we must create a filter rule that will allow TCP port 80 traffic to reach the external IP address of the WAN port:
Finally, we must apply the WAN-FILTER and WAN-NAT rulesets to the WAN interface:
At this point, any traffic destined to our WAN IP (203.0.113.10) on port 80 will be allowed to pass, and be redirected to our internal host at 172.17.1.50 on port 80.
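One way to review a port-forward rule like the one above before committing it, as an added example that is not part of the original tip or of Netgate's tooling: the Python below parses the prompt lines shown earlier and flags a rule that is broader than a single-host, single-port forward. The function names and the review heuristics are assumptions of this example.

```python
import ipaddress
import re
# The NAT rule from the tip, as typed at the TNSR prompt (sample input).
SAMPLE = """\
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description Forward port 80
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 80
tnsr(config-vpf-nat-rule)# nat-prefix 172.17.1.50/32
tnsr(config-vpf-nat-rule)# nat-port 80
tnsr(config-vpf-nat-rule)# exit
"""

PROMPT = re.compile(r"^tnsr\(config-vpf-nat-(ruleset|rule)\)#\s+(\S.*)$")

def parse_nat_rules(transcript):
    """Return {rule_id: {keyword: value}} parsed from a CLI transcript."""
    rules, current = {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, words = m.group(1), m.group(2).split()
        if mode == "ruleset" and len(words) == 2 and words[0] == "rule":
            current = rules.setdefault(words[1], {})
        elif mode == "rule" and current is not None and words[0] != "exit":
            # "to port 80" is keyed "to port"; a bare flag ("dynamic") gets "".
            n = 2 if words[0] == "to" else 1
            current[" ".join(words[:n])] = " ".join(words[n:])
    return rules

def audit_port_forward(rule):
    """Review heuristics (assumptions of this example), not TNSR checks."""
    findings = []
    if rule.get("direction") != "in":
        findings.append("direction is not 'in'")
    if "protocol" not in rule:
        findings.append("no protocol match")
    if "to port" not in rule:
        findings.append("no destination port match")
    prefix = rule.get("nat-prefix")
    if prefix is None:
        findings.append("no nat-prefix")
    elif ipaddress.ip_network(prefix, strict=False).num_addresses != 1:
        findings.append("nat-prefix covers more than one host")
    return findings
```

The rule from the tip produces no findings; a copy with the `to port` line dropped or a wider `nat-prefix` is reported.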
Conclusion
VPF is easier to configure and much more powerful than existing dataplane NAT and ACLs. Visit our online documentation at the time of release for more information on how to use this new system.