I have installed OPNsense 25.7.4-amd64 to replace a NetGear Orbi RBR850.
On my home network I occasionally use a work laptop that uses the Zscaler Client Connector to create a secure tunnel to my work. Zscaler provide a Cloud Enforcement Node Ranges (https://config.zscaler.com/zscaler.net/cenr) page that lists all URLs in CIDR format for inclusion into an allow list. I have previously included this whitelist in Crowdsec (https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/) to allow access to my services from my work laptop.
After installing OPNsense I noticed the default deny / state violation rule was being triggered when I enabled the Zscaler tunnel on my work laptop. I created a Firewall Alias with the following details:
1. Enabled: checked
2. Name: zscaler_ranges
3. Type: Network(s)
4. Categories: blank
5. Content: CIDRs from Cloud Enforcement Node Ranges (https://config.zscaler.com/zscaler.net/cenr)
6. Statistics: unchecked
7. Description: Whitelist events from zscaler aggregate ip address ranges
I saved and validated this alias and then created a Firewall Rule under my WAN interface:
1. Action: pass
2. Disabled: unchecked
3. Quick: checked
4. Interface: WAN
5. Direction: in
6. TCP/IP Version: IPv4+IPv6
7. Protocol: any
8. Source / Invert: unchecked
9. Source: zscaler_ranges
10. Destination / Invert: unchecked
11. Destination: any
12. Description: allow zscaler traffic
I saved and applied this rule.
When I check Firewall : Log Files : Live View I can still see many entries being denied, and the alias reports the following:
| name | loaded | matched | in block packet | in pass packet |
|---|---|---|---|---|
| zscaler_ranges | 49 | 156 | 0 | 836 |
Is there anything I am missing with this configuration?
I changed the Firewall Rules from WAN to Floating and the matched and pass values in the alias have gone up but some network issues still exist:
| name | loaded | matched | block | pass |
|---|---|---|---|---|
| zscaler_ranges | 49 | 334 | 0 | 1826 |
I expect I am missing something obvious here, being a newbie with OPNsense.
Isn't your laptop the one initiating the traffic OUT from your LAN? In which case you would want the rule on the interface LAN, direction IN.
After a day of testing I can confirm that the issues with my work laptop connected to a zscaler tunnel using the Zscaler Client Connector have been resolved.
The solution was as follows:
1. Copy the URLs listed on the Cloud Enforcement Node Ranges (https://config.zscaler.com/zscaler.net/cenr) page into a comma separated list
2. Create a Firewall Category:
2.1. Colour: blue
2.2. Name: zscaler
3. Create and apply a Firewall Alias:
3.1. Name: ranges_zscaler
3.2. Type: Network(s)
3.3. Categories: zscaler
3.4. Content: Paste comma separated list
3.5. Description: Whitelist events from zscaler aggregate ip address ranges
4. Create and apply a Firewall Rule Floating:
4.1. Action: Pass
4.2. Quick: checked
4.3. Direction: in
4.4. TCP/IP Version: IPv4+IPv6
4.5. Protocol: any
4.6. Source: ranges_zscaler
4.7. Category: zscaler
4.8. Description: allow zscaler traffic
I will continue to monitor the access and behaviour over the next week.
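Two steps in the thread are easy to get wrong by hand: turning the pasted CENR ranges into the comma-separated Content string a Network(s) alias expects, and working out whether the source addresses still showing as blocked in Live View actually fall inside the alias (if they do, the rule is on the wrong interface or direction; if they do not, the blocks are unrelated to the Zscaler ranges). The script below is an added example, not code from the thread or from OPNsense or Zscaler; the ranges and blocked addresses in it are constructed documentation-prefix values, so the real list still has to be copied from the CENR page.

```python
import ipaddress
import re

# Constructed sample in the shape of a pasted CENR list (not Zscaler's real ranges):
# mixed newline/comma separators, a duplicate, IPv4 and IPv6, and one typo.
SAMPLE_RANGES = """
198.51.100.0/24
2001:db8:1::/48
203.0.113.0/24, 198.51.100.0/24
bogus-entry
"""

def alias_content(raw: str) -> tuple[str, list[str]]:
    """Normalise pasted text into the comma-separated Content string used by a
    Network(s) alias. Invalid tokens are returned separately so a typo does not
    silently shrink the allow list."""
    nets, rejected = [], []
    for token in re.split(r"[\s,]+", raw.strip()):
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)
            continue
        if net not in nets:          # drop duplicates, keep page order
            nets.append(net)
    return ",".join(str(n) for n in nets), rejected

def classify_sources(content: str, src_ips: list[str]) -> dict[str, bool]:
    """For each source address taken from a blocked log entry, report whether it
    lies inside the alias. True means the pass rule should have matched it on the
    right interface/direction; False means the block has nothing to do with the
    Zscaler ranges and needs a different explanation."""
    nets = [ipaddress.ip_network(n) for n in content.split(",") if n]
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets) for ip in src_ips}

# Constructed source addresses as they might appear in Live View block entries.
BLOCKED_SOURCES = ["198.51.100.17", "192.168.1.50", "2001:db8:1::5", "192.0.2.9"]

if __name__ == "__main__":
    content, rejected = alias_content(SAMPLE_RANGES)
    print("alias Content:", content)
    print("rejected tokens:", rejected)
    for ip, inside in classify_sources(content, BLOCKED_SOURCES).items():
        print(f"{ip}: {'inside zscaler ranges' if inside else 'NOT in ranges'}")
```

Addresses that come back False while the tunnel is up are the ones to look at next; an internal LAN address there is consistent with the reply above that the laptop initiates the traffic outbound.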