OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: Mbl on August 16, 2023, 01:22:37 am

Title: New Zenarmor Release does weird things
Post by: Mbl on August 16, 2023, 01:22:37 am
I have igb0 with different VLANS:
- 110 MGMT_VLAN --> very restricted
- 150 CLIENT_VLAN

MGMT_VLAN has a dedicated policy listening on VLAN 110.
CLIENT_VLAN is covered with the default policy.

As you can see from the live session explorer print screen, hosts connected to VLAN 150 are somehow covered by policy MGMT_VLAN. As things are still somehow working according to the default policy for those hosts in VLAN 150, I assume this is only a logging / display issue. But still it leaves an uneasy feeling...

Title: Re: New Zenarmor Release does weird things
Post by: lawful_milieu on August 16, 2023, 02:39:54 am
+1

I am noticing the same thing after upgrading to ZenArmor Engine 1.14.2 on OPNsense 23.7.1_3-amd64.

I expect some devices to inherit the default policy and they are getting the policy which is assigned to a separate VLAN tag and IPv4 subnet.

I tried limiting the policies to the IPv4 subnet used on the VLAN as I was previously just using the VLAN tag - this did not change the behavior.

One thing I've noticed is the order in which the policies are listed (/ui/zenarmor/#/0/policies - drag and drop) seems to affect which (wrong) policy is applied.
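Both posts describe the same symptom: a host that sits on VLAN 150 shows up with the policy meant for VLAN 110. The following is an added example, not code from the thread or from Zenarmor, that does two things a defender would want when chasing this: it evaluates an ordered policy table against constructed session records to list every host whose applied policy differs from the one its VLAN and subnet should select, and it flags policies that are unreachable because a catch-all precedes them in the order. The policy table, the subnets (10.0.110.0/24, 10.0.150.0/24), the session records and the first-match semantics are all assumptions made for the example; how Zenarmor actually orders and matches policies is not stated in the thread.

```python
import ipaddress

# Constructed policy table (hypothetical; mirrors the thread's setup).
# The list is ordered on purpose: the second post reports that the
# drag-and-drop order in the UI appears to influence which policy wins,
# so this example assumes first-match evaluation, top to bottom.
# vlan=None / subnet=None means "no constraint" (a catch-all).
POLICIES = [
    {"name": "MGMT_VLAN", "vlan": 110, "subnet": ipaddress.ip_network("10.0.110.0/24")},
    {"name": "Default", "vlan": None, "subnet": None},
]

# Constructed session records as a simplified "live session explorer" export
# would look: source address, VLAN the flow arrived on, and the policy that
# the engine reported for it. The last two rows reproduce the reported symptom.
SESSIONS = [
    {"src": "10.0.110.5", "vlan": 110, "policy": "MGMT_VLAN"},
    {"src": "10.0.150.20", "vlan": 150, "policy": "Default"},
    {"src": "10.0.150.23", "vlan": 150, "policy": "MGMT_VLAN"},
    {"src": "10.0.150.41", "vlan": 150, "policy": "MGMT_VLAN"},
]


def matches(policy, vlan, ip):
    """True if every constraint the policy carries (VLAN, subnet) holds for this flow."""
    if policy["vlan"] is not None and policy["vlan"] != vlan:
        return False
    if policy["subnet"] is not None and ipaddress.ip_address(ip) not in policy["subnet"]:
        return False
    return True


def expected_policy(vlan, ip, policies=POLICIES):
    """First-match evaluation (assumption): the first policy whose constraints hold wins."""
    for policy in policies:
        if matches(policy, vlan, ip):
            return policy["name"]
    return None


def find_mismatches(sessions, policies=POLICIES):
    """Return (src, vlan, applied, expected) for every session whose reported
    policy is not the one the VLAN/subnet constraints should have selected."""
    mismatches = []
    for s in sessions:
        want = expected_policy(s["vlan"], s["src"], policies)
        if s["policy"] != want:
            mismatches.append((s["src"], s["vlan"], s["policy"], want))
    return mismatches


def shadowed_policies(policies):
    """Names of policies that can never match because an earlier policy in
    the order is a strict superset of them (e.g. a catch-all placed first).
    Useful when reordering policies to see whether a rule just became dead."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            vlan_covers = earlier["vlan"] is None or earlier["vlan"] == later["vlan"]
            subnet_covers = earlier["subnet"] is None or (
                later["subnet"] is not None and later["subnet"].subnet_of(earlier["subnet"])
            )
            if vlan_covers and subnet_covers:
                shadowed.append(later["name"])
                break
    return shadowed


if __name__ == "__main__":
    for src, vlan, applied, want in find_mismatches(SESSIONS):
        print(f"{src} on VLAN {vlan}: reported {applied}, expected {want}")
    # Same two policies with the catch-all dragged to the top: MGMT_VLAN is dead.
    print("shadowed after reorder:", shadowed_policies(list(reversed(POLICIES))))
```

Running the mismatch check against a real export of the session table (rather than the constructed rows above) separates a display-only problem from an enforcement problem: if the hosts the check flags still behave as the default policy dictates, the first poster's "logging / display issue" reading holds; if their traffic is actually being handled under MGMT_VLAN, the ordering observation in the second post is the first thing to verify.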