One of the significant enhancements in the TNSR software 24.10 release is the addition of VPF, a stateful packet filter that handles filtering and NAT in a more robust and flexible way than the similar features native to the VPP dataplane. With VPF, NAT and ACLs work together in the same system. This allows much greater flexibility in configuring NAT and filter rules, and improved stability for NAT.
Although the existing dataplane NAT will be deprecated in the future, it remains in this release. One of the many drawbacks of the existing NAT and ACL plugins is that they do not work together. We addressed this shortcoming in VPF. All TNSR users are encouraged to switch to the new VPF system. Consult our conversion documentation for more information.
This month’s TNSR Software Tip explains how to configure VPF to perform a port-forward on TNSR’s WAN address to a backend server on the LAN. Consider this simple network diagram. We have a TNSR instance with a WAN IP of 203.0.113.10 and a LAN IP of 172.17.1.1. On the LAN is a web server host at 172.17.1.50, and we would like to port-forward inbound TCP port 80 traffic to this web host.
We must first create our port-forward rule that will forward all traffic destined to the WAN IP on TCP port 80 of TNSR to the internal LAN server’s port 80:
Then, we must create a filter rule that will allow TCP port 80 traffic to reach the external IP address of the WAN port:
Finally, we must apply the WAN-FILTER and WAN-NAT rulesets to the WAN interface:
At this point, any traffic destined to our WAN IP (203.0.113.10) on port 80 will be allowed to pass, and be redirected to our internal host at 172.17.1.50 on port 80.
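To make the interaction between the filter rule and the port-forward concrete, here is a small Python model of the behaviour described above. It is an added illustration, not TNSR or VPF code, and its rule dictionaries and class names are this model's own conventions rather than VPF syntax. It assumes, as the steps above describe, that the filter rule is evaluated against the external WAN address before the redirect is applied, and that a single state entry created by the inbound packet is what lets the server's reply be un-translated on the way out. The client address 198.51.100.7 is a constructed value.

```python
from dataclasses import dataclass, replace


# Addresses from the example topology on this page.
WAN_IP = "203.0.113.10"
LAN_SERVER = "172.17.1.50"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed rulesets; the dictionary keys are this model's own, not VPF syntax.
# WAN-NAT: redirect TCP/80 on the WAN address to the LAN web server.
WAN_NAT = [
    {"proto": "tcp", "dst_ip": WAN_IP, "dst_port": 80,
     "to_ip": LAN_SERVER, "to_port": 80},
]
# WAN-FILTER: pass TCP/80 to the external address; everything else hits the default.
WAN_FILTER = [
    {"action": "pass", "proto": "tcp", "dst_ip": WAN_IP, "dst_port": 80},
]

MATCH_FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")


def _matches(rule, pkt):
    """A rule matches when every match field it names equals the packet's value."""
    return all(getattr(pkt, k) == v for k, v in rule.items() if k in MATCH_FIELDS)


class StatefulPortForwarder:
    """Toy model of a stateful filter whose NAT and filter share one state table."""

    def __init__(self, nat_rules, filter_rules, default_action="block"):
        self.nat_rules = nat_rules
        self.filter_rules = filter_rules
        self.default_action = default_action
        # translated forward 5-tuple -> original (dst_ip, dst_port) seen on the WAN
        self.states = {}

    def inbound(self, pkt):
        """Packet arriving on the WAN interface. Returns (verdict, packet_after_nat)."""
        # Filter first, against the untranslated destination (the external IP),
        # which is how the WAN-FILTER rule above is written.
        verdict = self.default_action
        for rule in self.filter_rules:
            if _matches(rule, pkt):
                verdict = rule["action"]
                break
        if verdict != "pass":
            return ("block", None)
        # Then apply the port-forward and record the flow, so the reply can be
        # un-translated without needing a second rule.
        for rule in self.nat_rules:
            if _matches(rule, pkt):
                translated = replace(pkt, dst_ip=rule["to_ip"], dst_port=rule["to_port"])
                key = (translated.proto, translated.src_ip, translated.src_port,
                       translated.dst_ip, translated.dst_port)
                self.states[key] = (pkt.dst_ip, pkt.dst_port)
                return ("pass", translated)
        return ("pass", pkt)  # passed by the filter, no NAT rule applied

    def outbound(self, pkt):
        """Reply leaving via the WAN. Only flows with state are un-translated here;
        LAN-originated traffic would need its own rules and is not modelled."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.states:
            return ("block", None)
        orig_ip, orig_port = self.states[key]
        return ("pass", replace(pkt, src_ip=orig_ip, src_port=orig_port))


if __name__ == "__main__":
    fw = StatefulPortForwarder(WAN_NAT, WAN_FILTER)
    client_ip, client_port = "198.51.100.7", 40000  # constructed Internet client
    print(fw.inbound(Packet("tcp", client_ip, client_port, WAN_IP, 80)))   # forwarded to LAN server
    print(fw.inbound(Packet("tcp", client_ip, client_port, WAN_IP, 443)))  # blocked: no filter rule
    print(fw.outbound(Packet("tcp", LAN_SERVER, 80, client_ip, client_port)))  # reply, source becomes WAN IP
```

Running the script shows the three cases that matter in practice: the matching SYN is passed and rewritten to 172.17.1.50:80, a packet to an unlisted port is dropped by the default action before any NAT happens, and the server's reply is accepted only because the inbound packet left a state entry behind. That last point is the practical difference from the older dataplane NAT and ACL plugins, which kept no shared state between translation and filtering.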
VPF is easier to configure and much more powerful than existing dataplane NAT and ACLs. Visit our online documentation at the time of release for more information on how to use this new system.