OPNsense Forum
English Forums => Zenarmor (Sensei) => Topic started by: jkemp on October 07, 2022, 05:22:51 pm
-
Hello,
I have a question about why Zenarmor is using my WAN interface to contact Google user content servers when my default gateway is on a VPN? When I disable Cloud Threat it stops logging those connections on port :5355, but as one would guess I need it enabled to get up-to-date info. That's okay, but why bypass my VPN to do that?
Am I wrong here? Can someone help me understand why or how this package is able to do that?
Use my ISP WAN connection, instead of my VPN?
James
-
Hi @jkemp,
Cloud queries should be routed through according to the FW's routing table. Zenarmor does not modify routing entries.
Maybe the VPN route is not in effect for FW-originated connections?
-
All of my other traffic goes through the VPN interface. If the VPN fails, I have no internet. Kind of a kill switch. This is why I am asking how Zenarmor is able to go directly through my WAN interface. I have seen OPNsense timeservers do this also.
Thanks for the quick response, also I really like the Zenarmor filtering and reporting capabilities, so I really want to find out why this is happening.
-
Got it, thanks. Any chance you could run a traceroute to 1.1.1.1 from the firewall console? Does that use the expected route?
-
No, it doesn't. It also passes right through on the WAN interface. Can you point me to where I can close this bypass? Maybe do a little more studying on the situation?
-
Hi @jkemp,
Got it. This means the firewall itself does not use the VPN route.
It's a bit tricky and also very hard to provide guidance without having a look at the whole configuration.
But in a nutshell, you'd want to route everything (0.0.0.0/0) through the VPN gateway, with the exception of the VPN server. The communications to the VPN server should use the existing ISP route, since otherwise you'd lose the VPN connection.
-
I agree, I mentioned the time-servers are also bypassing. Thank you for all the quick responses. Got a little digging to do. I suspect it may be a race going on. 99% of the traffic does use the VPN. Seems to be what's built into OPNsense that's on the move.
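-
Added example, not part of the thread and not Zenarmor or OPNsense code: a longest-prefix-match check of which interface firewall-originated traffic would leave on, following the advice above to route 0.0.0.0/0 through the VPN gateway with the VPN server as the only exception. The routing tables, the interface names (igb0 as WAN, igb1 as LAN, ovpnc1 as VPN) and all addresses except the 1.1.1.1 probe are constructed assumptions.

```python
import ipaddress

# Constructed routing table laid out like FreeBSD `netstat -rn -f inet`.
# Assumed names: igb0 = WAN, igb1 = LAN, ovpnc1 = VPN tunnel.
# 198.51.100.7 stands in for the VPN server (documentation address).
TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            {route}
10.8.0.0/24        link#9             U        ovpnc1
192.168.1.0/24     link#2             U          igb1
198.51.100.7       203.0.113.1        UGHS       igb0
203.0.113.0/24     link#1             U          igb0
"""
BYPASSING = TABLE.format(route="203.0.113.1 UGS igb0")  # default via ISP
FIXED = TABLE.format(route="10.8.0.1 UGS ovpnc1")       # default via VPN

def parse_routes(text):
    """Return [(network, netif)] parsed from netstat-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False), fields[3]))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, netif) for net, netif in routes if addr in net]
    return max(matches)[1] if matches else None

def audit(table, probes, vpn_if, vpn_server):
    """Return Internet probes that leave on a non-VPN interface (VPN server excepted)."""
    routes = parse_routes(table)
    leaks = []
    for dest in probes:
        netif = egress_interface(routes, dest)
        if dest != vpn_server and netif != vpn_if:
            leaks.append((dest, netif))
    return leaks

if __name__ == "__main__":
    probes = ["1.1.1.1", "198.51.100.7"]
    print("before:", audit(BYPASSING, probes, "ovpnc1", "198.51.100.7"))
    print("after: ", audit(FIXED, probes, "ovpnc1", "198.51.100.7"))
```

The host route for the VPN server is more specific than the default route, so it keeps using the ISP path in both tables while everything else follows the default.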