Just an fyi, Netgate has free TNSR v22 homelab edition ISO available on website, it's a turnkey vpp + dpdk appliance.
Vyos 10GbE Router
- Thread starter tsteine
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Interesting! Humm, it says "BMI, KVM, or VMWare (not HyperV, Proxmox etc.)".
Why not Proxmox?
Proxmox uses KVM for virtualization, meaning the KVM image covers Proxmox as well.
Exactly. But they have stated Not Proxmox on their site?
Reading further, the only thing I could gather was that they have only tested on other hypervisors, but not Proxmox, so everything they recommend is not for Proxmox.
I see them stating they haven't tested it. But, to openly state No Proxmox, that's harsh... that would seem they found something bad.
But again, only thing I found was that they haven't tested it.
There was also one discussion, I think in their forums, where someone was reporting issues with Proxmox and and this ISO. To me, and the logs they posted, it seemed to be an ARP issue with their switch. But that was all I could find on the combo.
Oh, it completely slipped by me that it was a quote, supporting KVM, but outright stating "No Proxmox" makes no sense to me. It's not like KVM in Proxmox is some weird aberration, it's just KVM on Debian with management middleware and frontend added on top.
To me that is just lawyer speak for netgate has working/tested downloads for (kvm,BMI,VMware), but do not have supported downloads that directly work on Proxmox or hyperV.
the kvm download can obviously be made to work on Proxmox but it is not a download and directly run scenario and takes a few steps to get the vm up from the kvm qcow2. Big diff between works but unsupported, doesn't work at all and netgate forbids you from running TNSR under Proxmox.
the kvm download can obviously be made to work on Proxmox but it is not a download and directly run scenario and takes a few steps to get the vm up from the kvm qcow2. Big diff between works but unsupported, doesn't work at all and netgate forbids you from running TNSR under Proxmox.
@blunden
TNSR Documentation - ACL
TNSR supports both stateful and stateless firewall.
with that in mind, given that FD.IO/VPP is the underlying routing technology for TNSR, I assume they use this plugin for firewalling, which has the lowest relative performance out of the different firewall plugins.
That being said, I never had any noticeable performance degradation from using ACLs with TNSR, but I had relatively few ACL rules it needed to chew through.
TNSR Documentation - ACL
TNSR supports both stateful and stateless firewall.
with that in mind, given that FD.IO/VPP is the underlying routing technology for TNSR, I assume they use this plugin for firewalling, which has the lowest relative performance out of the different firewall plugins.
That being said, I never had any noticeable performance degradation from using ACLs with TNSR, but I had relatively few ACL rules it needed to chew through.
@blunden
Parsing through the performance tests here, adding ACLs does seem to affect performance a bit.
baseline shows just north of 18 mpps for 1 core 2 threads.
10k stateful inbound/outbound acl shows just north of 10 mpps for 1 core 2 threads.
Unless you have insane pps requirements and very few cores to throw at TNSR, I would assume you would have no problems.
Parsing through the performance tests here, adding ACLs does seem to affect performance a bit.
baseline shows just north of 18 mpps for 1 core 2 threads.
10k stateful inbound/outbound acl shows just north of 10 mpps for 1 core 2 threads.
Unless you have insane pps requirements and very few cores to throw at TNSR, I would assume you would have no problems.
Somwhere they explicitly said that TNSR was a router, not firewall. It was written in a way that implied that it might not even offer that functionality.
I'm not looking for crazy pps numbers. Basically, I'm looking for a relatively cheap ($500-600 range), power efficient and fanless router that can handle a 10G WAN connection that I might be getting at home. Since I'm not going for very powerful hardware (something like an Intel N100 or N305 mini PC most likely), I'm looking for ways to squeeze the most amount of performance out of it.
Since it's a typical home setup, I will be needing NAT for IPv4, presumably handled as part of a stateful firewall plugin (unless that's handled separately).
If you're open to a different option, I use a CCR2004-16G-2S+PC for this and it can route/NAT 10Gb wire speed just fine. I do not use it as a IPS/IDS though.
That might be an option.
Would be nice to see some routing benchmarks, but it's probably too off-topic for this thread.However, I had hoped to virtualize the router in order to also run a small server for Wireguard, the Unifi Controller, nginx, etc. on the same box. It would replace a small Atom X5-Z8300 based box, so it should take much performance away from the router.
They now have a free license for lab/home use though, so pricing shouldn't affect anyone that isn't using it in production
Mikrotik has that on their product page.That might be an option.
CCR2004-16G-2S+PC | MikroTik
Up to 300% faster than the previous CCR1009 routers - in a blissful silence! Luxury you deserve for the price you can afford. 16x Gigabit Ethernet ports, 2x10G SFP+ cages.
mikrotik.com
Performance is nowhere near what you'd get with TNSR(or FD.io), but I don't see why it wouldn't be usable as a home firewall/router.
Fair enough. If I can get closer to line rate for roughly the same price, that's a more interesting proposition. It's good to know about different options though.