OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: aleco on September 24, 2024, 07:54:36 PM

Title: Zenarmor sees 10.x.x.x IPs, no 10.x network in OPNsense – what's causing this?
Post by: aleco on September 24, 2024, 07:54:36 PM
Hi all,

I've recently set up Zenarmor and noticed an issue where it logs traffic with 10.x.x.x source IPs, but none of this appears in OPNsense. My LAN runs on the 192.168.1.x subnet with around 20 devices (mostly Apple and IoT, all with fixed IPs). I don't have any 10.x.x.x networks configured in OPNsense, just an unused 192.168.20.x VLAN and an unused 192.168.33.x WireGuard interface. I also don't think there's anything unusual in my firewall rules.

The Zenarmor Live Sessions show proper device hostnames, but in the "Src hostname" column I'm seeing randomised 10.x.x.x IPs instead of the 192.168.1.x IPs the devices really have.

Could blocking DNS over HTTPS/TLS be causing devices to randomize their source IPs in the 10.x.x.x range for DNS requests?

I'm running OPNsense 24.7.4 on a Protectli device with Unbound DNS (DNS over TLS enabled, using Cloudflare, Google, and Quad9). Zenarmor is installed as a plugin and only monitors the LAN interface (igc1). My switch is from UniFi, and I use a Linksys Velop mesh system in bridge mode, with the child node connected wirelessly.

The problem is that Zenarmor's reports are nearly unusable. None of my real devices show up, and both the top local and remote hosts are filled with random 10.x.x.x IP addresses. The Egress New Connections Heatmap is also completely populated by these 10.x.x.x IPs.

I initially set Zenarmor to block DNS over HTTPS/TLS in its default policy, but the 10.x.x.x traffic didn't appear immediately. I've since turned off the DNS over HTTPS/TLS block to see if it resolves the problem, but it hasn't yet. I'm wondering if it might take hours or days for my devices to realize that DNS over HTTPS/TLS isn't blocked anymore. The 10.x.x.x issue appeared around the same time I upgraded from the free to the home version of Zenarmor.

I also tried switching to the emulated netmap driver, but that didn't help either. And a block rule on OPNsense blocking all traffic from 10.0.0.0/8 doesn't show a single hit. So why is Zenguard mainly seeing traffic to and from 10.x.x.x?

Any suggestions on how to troubleshoot this?
Thanks for your help!

EDIT: Here is Reports > Facts for the past 30 minutes:
Connections: 2.670
Bytes Uploaded: 5.8 MB
Bytes Downloaded: 128.8 MB
Packets Uploaded: 32.258
Packets Downloaded: 162.663
Active Users: 1
Total Authenticated Users: 0
Unique Local IP Addresses: 2.670
Unique Remote IP Addresses: 2.670
Unique Apps: 55
Unique Local Devices: 16
Isn't that weird? Exactly 2.670 connections, unique local IP addresses (!) and unique remote IP addresses? In 30 minutes, with only 16 local devices?
Title: Re: Zenarmor sees 10.x.x.x IPs, no 10.x network in OPNsense – what's causing this?
Post by: mb on September 24, 2024, 09:48:38 PM
Hi @aleco,

Any chance you might have "Anonymize IP address" settings enabled in Zenarmor -> Settings -> Privacy?
Title: Re: Zenarmor sees 10.x.x.x IPs, no 10.x network in OPNsense – what's causing this?
Post by: aleco on September 24, 2024, 10:26:34 PM
Quote from: mb on September 24, 2024, 09:48:38 PM
Any chance you might have "Anonymize IP address" settings enabled in Zenarmor -> Settings -> Privacy?

Thanks a lot, that seems to be the issue. When I upgraded from the Free to Home edition, I must have gone through all the settings and mistakenly checked that option, assuming it was about privacy towards Sunny Valley rather than my LAN users (which is mostly just my family).

It would be less confusing if the anonymized data in the reports showed [redacted] instead of random 10.x.x.x addresses, or at least had a note explaining that Zenarmor uses 10.x.x.x for anonymizing. I also hope it switches to a different subnet if the LAN is configured to use 10.0.0.0/8.
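An added illustration, not Zenarmor's code (the thread does not show how the "Anonymize IP address" option works): a small Python simulation of why a fresh random 10.x.x.x address per session produces the "connections == unique local IPs" signature aleco noticed, compared with a keyed per-host pseudonym that hides real addresses while keeping device counts usable, plus the overlap check aleco asks for on 10.0.0.0/8 LANs. The session data, the two mapping schemes and the HMAC key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import random

# Constructed input: 16 real LAN hosts on 192.168.1.0/24 opening 2670 sessions
# (the counts from the Facts panel), not data captured from Zenarmor.
SESSIONS = [(f"192.168.1.{10 + i % 16}", f"203.0.113.{1 + i % 50}") for i in range(2670)]
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
PSEUDO_NET = ipaddress.ip_network("10.0.0.0/8")  # range the reports in the thread show

def random_anonymize(sessions, seed=1, net=PSEUDO_NET):
    """Assumed scheme: a fresh random 10.x.x.x address per session (never reused).
    Hides the host but also destroys every per-host count."""
    picks = random.Random(seed).sample(range(1, net.num_addresses - 1), len(sessions))
    return [(str(net.network_address + p), dst) for (_, dst), p in zip(sessions, picks)]

def keyed_pseudonymize(sessions, key, net=PSEUDO_NET):
    """Keyed, deterministic mapping (HMAC-SHA256 of the real IP): the same host always
    gets the same pseudonym, so device counts survive while the real IP stays hidden."""
    out = []
    for src, dst in sessions:
        digest = hmac.new(key, src.encode(), hashlib.sha256).digest()
        offset = 1 + int.from_bytes(digest[:4], "big") % (net.num_addresses - 2)
        out.append((str(net.network_address + offset), dst))
    return out

def facts(sessions):
    """The three Facts counters the thread compares."""
    return {"connections": len(sessions),
            "unique_local": len({src for src, _ in sessions}),
            "unique_remote": len({dst for _, dst in sessions})}

def looks_anonymized(sessions, lan_nets):
    """Heuristic from the thread: no 'local' address falls inside a configured LAN
    network and the unique-local count equals the connection count."""
    f = facts(sessions)
    in_lan = any(ipaddress.ip_address(src) in n for src, _ in sessions for n in lan_nets)
    return (not in_lan) and f["unique_local"] == f["connections"]

def pseudonym_net_collides(lan_nets, net=PSEUDO_NET):
    """True when the pseudonym range overlaps a real LAN, i.e. pseudonyms become
    indistinguishable from genuine hosts (the 10.0.0.0/8 LAN case aleco raises)."""
    return any(n.overlaps(net) for n in lan_nets)

if __name__ == "__main__":
    print("real   :", facts(SESSIONS))
    print("random :", facts(random_anonymize(SESSIONS)))
    print("keyed  :", facts(keyed_pseudonymize(SESSIONS, b"constructed-secret")))
    print("10/8 LAN overlaps pseudonym range:", pseudonym_net_collides([PSEUDO_NET]))
```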
Title: Re: Zenarmor sees 10.x.x.x IPs, no 10.x network in OPNsense – what's causing this?
Post by: IHK on September 25, 2024, 09:10:04 AM
Thank you for your valuable suggestion.

You can be sure that your suggestions have been forwarded to the product development team.