OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: tigo003 on April 27, 2024, 08:20:31 AM

Title: Error about misconfigured interfaces
Post by: tigo003 on April 27, 2024, 08:20:31 AM
I'm now getting the following error after the recent update of Zenarmor.

Zenarmor: v1.17.1
Zenarmor Application DB: 1.17.24042216

I haven't changed anything with my configuration - and Zenarmor is strictly configured for the LAN interfaces across different VLANs.

Is anyone facing a similar problem? 

"Possible deployment misconfiguration: devices with public IP addresses detected"  To correct this, please see the following document: https://www.zenarmor.com/docs/opnsense/installing/web-ui-initial-configuration#3-deployment-mode--interface-selection

Title: Re: Error about misconfigured interfaces
Post by: enduser69 on April 27, 2024, 03:21:53 PM
I'm currently experiencing the same issue. I've tried switching between the different deployment modes and removed all VPN interfaces so that there is only a LAN interface being probed by Zenarmor. All my ports are closed.

edit:
- OK, I've disabled IPv6, thinking I don't understand that stuff too well and maybe that's the culprit, but no, still getting a misconfiguration warning twice a day.
- at some point in my troubleshooting adventures 700+ devices showed up (they appeared to be the endpoints of everything being queried within my network, local & WAN destinations)
- netmap appears to be installed and functioning nominally

- OPNsense health check produces this maybe-related entry:
Version 24.1.5 is correct.
>>> Check for missing or altered base files
Error 2 occurred.
etc/sysctl.conf:
   size (299, 464)
   sha256digest (0x45f469e7a9b4eef887bab7b55397305043fe101e1d6ce6f7e23d758e72f56dc6, 0x13f0a06a1c6d76492abd3424150cd1f80e55d8837409a6e11a2288a968ff9277)

- Zenarmor database health check does not initiate the misconfiguration warning again & produces no warnings or errors (only tailed the last 25 lines of the mongodb.log file)

OPNsense 24.1.6
Zenarmor 1.17.1
Zenarmor Application DB: 1.17.24042216

Title: Re: Error about misconfigured interfaces
Post by: tigo003 on April 28, 2024, 07:15:37 AM
Just ran a health check audit and similarly had an error 2 in regards to sysctl.conf (size issue).

Title: Re: Error about misconfigured interfaces
Post by: enduser69 on April 28, 2024, 01:48:28 PM
I think this is a false positive on Zenarmor's part. dnsleaktest looks normal...

I'm pretty new to OPNsense & FreeBSD in general, so my diagnostics are a bit rudimentary. I'd really like to get Zenarmor functioning properly, or understand why it isn't playing well w/ my setup, before my 2 week trial is up.

But I can't find any documentation on using Zenarmor or os-sensei via CLI, or instructions on probing Zenarmor notifications further. I guess I'm not really even sure what the error in question is trying to indicate. Any links or instructions on achieving this would be much appreciated.

I've simplified my network to defaults now, using 8.8.8.8 and 1.1.1.1 for DNS, only 1 LAN and 1 WAN, only using IPv4. I've cycled through all combinations of the deployment modes and interface selection on Zenarmor's settings tab w/ the same results.

Title: Re: Error about misconfigured interfaces
Post by: sy on April 29, 2024, 07:47:06 PM
Hi,

Please can you share a report by checking the Zenarmor logs and config checkboxes via the Have Feedback option in the UI?

Title: Re: Error about misconfigured interfaces
Post by: tigo003 on April 29, 2024, 11:25:45 PM
Done - just sent the requested feedback.
Thank you,
Title: Re: Error about misconfigured interfaces
Post by: 36thchamber on May 22, 2024, 02:01:42 AM
Can the message mention the interface? I don't know what to do with this message, no clue what could cause it. In ntopng, for example, they would tell me explicitly, and I would see it visually in the GUI, but this message is mysterious and there's no clue in the GUI.
Title: Re: Error about misconfigured interfaces
Post by: tigo003 on May 22, 2024, 04:15:05 AM
The recent update that was rolled out a couple of days ago - solves the issue. All is working correctly now.
Title: Re: Error about misconfigured interfaces
Post by: 36thchamber on May 24, 2024, 04:53:23 AM
The message pops up when it accumulates 10000+ devices, so you need to wait. Running the health check on the CLI won't make it appear asap.
So it still pops up on the new version. In the subscription page, number of devices: 2500. I have only a few devices. I track WG marked as WAN (as there's no "VPN" predefined => won't be treated as WAN). One of them is a forward for a few VPN clients.
Title: Re: Error about misconfigured interfaces
Post by: 36thchamber on May 24, 2024, 11:09:51 PM
So I investigated how to trigger the message in v1.17.3; here's how:
* configctl zenarmor notice-public-ip-devices
* in the browser you do have to refresh the Dashboard view manually
Then you get the popup instantly.
Now with this procedure, I've checked interfaces, and the popup appears for ANY interface.
-> ignore the popup. Just like "local", "remote" hosts, it doesn't work.
Title: Re: Error about misconfigured interfaces
Post by: sy on June 03, 2024, 12:49:21 PM
Hi,

Do you see the device(s) with public IP address in device list?

Title: Re: Error about misconfigured interfaces
Post by: sclevine on June 18, 2024, 12:49:53 AM
I am also seeing this error, as a banner on the dashboard:

> Possible deployment misconfiguration: devices with public IP addresses detected
> Zenarmor's health check system detected 7195 devices with public ip addresses associated with them.

Under "Live Sessions" I see connections with correct internal src and external dst addresses, but where the "Device" is listed as the IP of the destination address. For example, I see a connection from a local Macbook to iCloud on VLAN1, where the device shows up as a public iCloud IP "Device (ip4:#.#.#.#)" instead of the private Macbook IP.

This started in May, but I just upgraded to 1.17.4 and opnsense 24.1.8 with no change. After rebooting, I still see the warning and incorrect Device names for new connections.

I currently have Zenarmor running in passive mode, monitoring 7 VLANs on a LAGG. (Zenarmor is configured to monitor each VLAN individually, as having it monitor the underlying LAGG interfaces separately resulted in packet loss in the past, due to some connections using both interfaces.)

I have multi-wan setup, but only internal VLANs are configured.
Title: Re: Error about misconfigured interfaces
Post by: IHK on June 20, 2024, 12:51:13 PM
Hi,

Zenarmor uses pcap technology, which gives the engine very limited capability over packets when used in Passive Mode. As a result, the Zenarmor packet engine may not correctly determine the packet direction, resulting in mixed reporting. For more accurate reporting results, it is recommended to use Zenarmor in Directed mode. In addition, device identification therefore enables IP detection on the WAN side.
Title: Re: Error about misconfigured interfaces
Post by: 24raul on July 16, 2024, 06:32:54 PM
Just change your local IP to a private IP address; you are using a public IP on your LAN. Here are the private IP address ranges:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

If your LAN IP is outside these ranges, it is considered a public IP and Zenarmor will show you this problem.
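The two explanations above (IHK's point that a passive pcap tap can get the packet direction wrong, and 24raul's point that a LAN outside the private ranges looks public) can be reproduced in miniature. The script below is an added example, not Zenarmor's own code, and how its health check really decides is not documented in this thread. It assumes a "device" is the session endpoint that falls in an explicitly monitored prefix or in a non-global range (RFC 1918, 100.64/10 CGNAT, link-local, loopback, IPv6 ULA); everything else is public. The SAMPLE_SESSIONS list is constructed, not captured traffic. It goes slightly beyond the post by also covering CGNAT and IPv6 ULA, which Python's ipaddress module treats as non-global just like RFC 1918 space.

```python
"""Classify session endpoints by address scope to illustrate how a
"devices with public IP addresses detected" count can arise.

Added example, not Zenarmor code. Assumptions: a 'device' is the endpoint
inside a monitored prefix or in a non-global range; the rest is public.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed "live sessions" as (first_seen_src, first_seen_dst).
# Row two is the same client/server flow seen reply-first, which is how a
# passive tap can see it when the client's opening packet was not observed.
SAMPLE_SESSIONS = [
    ("192.168.10.5", "8.8.8.8"),       # LAN client -> public resolver, client seen first
    ("8.8.8.8", "192.168.10.5"),       # same flow, server packet seen first
    ("10.0.0.7", "10.0.0.8"),          # east-west, both private
    ("100.64.1.2", "1.1.1.1"),         # CGNAT (non-global) client -> public
    ("fd00::1", "2606:4700::1111"),    # IPv6 ULA client -> public
    ("8.8.8.8", "1.1.1.1"),            # both public: no local device in this session
]


def is_local_address(addr: str, local_nets: Iterable[str] = ()) -> bool:
    """True if addr is inside an explicitly monitored prefix (strings such as
    '10.20.0.0/16', hypothetical here) or is non-global per the ipaddress module."""
    ip = ip_address(addr)
    if any(ip in ip_network(net, strict=False) for net in local_nets):
        return True
    return not ip.is_global


def device_by_first_packet(src: str, dst: str) -> Optional[str]:
    """Naive rule: whoever sent the first observed packet is 'the device'.
    On a passive tap this attributes reply-first flows to the public peer."""
    return src


def device_by_address_scope(src: str, dst: str,
                            local_nets: Iterable[str] = ()) -> Optional[str]:
    """Address-aware rule: the local endpoint is the device no matter which
    side was seen first. Both-local flows keep src; both-public flows return
    None instead of inventing a device."""
    if is_local_address(src, local_nets):
        return src
    if is_local_address(dst, local_nets):
        return dst
    return None


def audit(sessions: Iterable[Tuple[str, str]],
          chooser: Callable[[str, str], Optional[str]]) -> Tuple[List[str], List[str]]:
    """Build the device set with `chooser` and report which entries are public.
    Returns (sorted public devices, sorted all devices)."""
    devices = set()
    for src, dst in sessions:
        dev = chooser(src, dst)
        if dev is not None:
            devices.add(dev)
    public = sorted(d for d in devices if ip_address(d).is_global)
    return public, sorted(devices)


if __name__ == "__main__":
    for name, chooser in (("first-packet", device_by_first_packet),
                          ("address-scope", device_by_address_scope)):
        public, devices = audit(SAMPLE_SESSIONS, chooser)
        print(f"{name}: {len(devices)} devices, {len(public)} public: {public}")
```

With the constructed sessions the first-packet rule records 8.8.8.8 as a device (the reply-first flow), which is the shape of the misattribution sclevine describes; the address-scope rule records only local endpoints. If a LAN really does use public address space, pass its prefix in `local_nets` so it is treated as local explicitly rather than relying on the RFC 1918 heuristic.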
Title: Re: Error about misconfigured interfaces
Post by: 36thchamber on July 27, 2024, 07:32:11 AM
Quote from: IHK on June 20, 2024, 12:51:13 PM
For more accurate reporting results, it is recommended to use Zenarmor in Directed mode.
Is it theoretically possible to have a hybrid mode, not filtering connections which have high throughput? I have too many dropped packets during downloads (~1Gbps), so I stick to passive mode. During that time every component misreports size, and the slow connections, which are the most dangerous, are skipped.
Title: Re: Error about misconfigured interfaces
Post by: sy on July 28, 2024, 12:53:00 PM
Hi,

It could be an insufficient CPU issue. You can check Zenarmor HW requirements for 1Gbps with Zenarmor.

https://www.zenarmor.com/docs/introduction/hardware-requirements

What is your CPU model?
Title: Re: Error about misconfigured interfaces
Post by: 36thchamber on July 31, 2024, 02:50:35 AM
Hi
Actually the dropped packets just disappeared with the new BSD14 kernel. WireGuard is faster.👍
I've a Pentium Gold 8505, 12GB RAM, NVMe. A few dozen devices. Should be fine for WAN, but I don't use it for anything other than the firewall contacting DNS. So I need to accommodate both Zenarmor and WireGuard for a 2Gb/s line. The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode; it's really hard to guess what CPU could handle the full speed, 100% WireGuard. I wish there was a calculator :)
Title: Re: Error about misconfigured interfaces
Post by: sy on July 31, 2024, 01:05:21 PM
Hi,

For the dropped packets, can you check dev.netmap.buf_num in the output of "sysctl -a | grep netmap" to see if it is 1000000 or not?

To use Zenarmor in mix mode is not possible. Passive mode uses pcap instead of netmap.

Title: Re: Error about misconfigured interfaces
Post by: Seimus on August 01, 2024, 10:10:32 AM
Quote from: 36thchamber on July 31, 2024, 02:50:35 AM
Hi
Actually the dropped packets just disappeared with the new BSD14 kernel. WireGuard is faster.👍
I've a Pentium Gold 8505, 12GB RAM, NVMe. A few dozen devices. Should be fine for WAN, but I don't use it for anything other than the firewall contacting DNS. So I need to accommodate both Zenarmor and WireGuard for a 2Gb/s line. The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode; it's really hard to guess what CPU could handle the full speed, 100% WireGuard. I wish there was a calculator :)

For ZA related interface errors and why those happen you can read here >
https://forum.opnsense.org/index.php?topic=41230.msg202594#msg202594
https://forum.opnsense.org/index.php?topic=41230.msg202554#msg202554

In regard to the other question:
Quote from: 36thchamber on July 31, 2024, 02:50:35 AM
The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode; it's really hard to guess what CPU could handle the full speed, 100% WireGuard.

They have a hardware scaling table.
https://www.zenarmor.com/docs/introduction/hardware-requirements

You would need to keep a certain higher frequency constantly in order to achieve such huge throughput. The HW sizing they have, I believe, is done for pure port-2-port throughput, not including WG. But you can make an educated guess. Anyway, as long as we are still locked to single core/thread operations for ZA, it doesn't matter. It will always bottleneck and create back pressure.

However, there is a light at the end of the tunnel: ZA finished their SASE product (more or less) and we were told that the devs started to work on multicore/thread support for ZA. There is a topic in regard to this on the forum.

Regards,
S.