OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: jkemp on October 07, 2022, 05:22:51 pm

Title: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: jkemp on October 07, 2022, 05:22:51 pm
Hello,

I have a question about why Zenarmor is using my WAN interface to contact Google user content servers when my default gateway is on a VPN. When I disable Cloud Threat it stops logging those connections on port :5355, but as one would guess I need it enabled to get up-to-date info. That's okay, but why bypass my VPN to do that?

Am I wrong here? Can someone help me understand why or how this package is able to do that?
Use my ISP WAN connection instead of my VPN?

James
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: mb on October 07, 2022, 05:43:04 pm
Hi @jkemp,

Cloud queries should be routed according to the FW's routing table. Zenarmor does not modify routing entries.

Maybe the VPN route is not in effect for FW originated connections?
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: jkemp on October 07, 2022, 05:54:20 pm
All of my other traffic goes through the VPN interface. If the VPN fails, I have no internet. Kind of a kill switch. This is why I am asking how Zenarmor is able to go directly through my WAN interface. I have seen OPNsense time servers do this also.

Thanks for the quick response. Also, I really like the Zenarmor filtering and reporting capabilities, so I really want to find out why this is happening.
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: mb on October 07, 2022, 06:07:30 pm
Got it, thanks. Any chance you run a traceroute to 1.1.1.1 from the firewall console? Does that use the expected route?
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: jkemp on October 07, 2022, 06:18:02 pm
No it doesn't. It also passes right through on the WAN interface. Can you point me to where I can close this bypass? Maybe do a little more studying on the situation?
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: mb on October 07, 2022, 10:57:21 pm
Hi @jkemp,

Got it. This means the firewall itself does not use the VPN route.

It's a bit tricky and also very hard to provide guidance without having a look at the whole configuration.

But in a nutshell, you'd want to route everything (0.0.0.0/0) through the VPN gateway, with the exception of the VPN server. The communications to the VPN server should use the existing ISP route, since otherwise you'd lose the VPN connection.
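The distinction mb draws (policy rules steer forwarded LAN traffic, but firewall-originated connections such as Zenarmor's cloud queries or NTP follow the kernel routing table) can be made concrete with a small longest-prefix-match simulation. The following is an added example, not code from the thread, OPNsense or Zenarmor; all addresses are constructed documentation-range values, and the two tables are assumptions modelling "before" (kernel default still via the ISP) and "after" (everything via the tunnel except a host route for the VPN server, the pattern OpenVPN's `redirect-gateway def1` produces with 0.0.0.0/1 and 128.0.0.0/1).

```python
import ipaddress

# Constructed example values (not from the thread).
ISP_GW = "203.0.113.1"        # ISP next hop on the WAN interface
VPN_SERVER = "198.51.100.10"  # remote VPN endpoint
TUN_GW = "10.8.0.1"           # gateway inside the tunnel

# Each entry: (prefix, next hop, interface). "link" means directly connected.
# Table 1: forwarded LAN traffic may be policy-routed into the tunnel by pf rules,
# but the kernel FIB's default route still points at the ISP. Locally originated
# traffic (cloud lookups, NTP, traceroute from the console) consults this table.
FIB_DEFAULT_VIA_ISP = [
    ("0.0.0.0/0", ISP_GW, "wan0"),
    (VPN_SERVER + "/32", ISP_GW, "wan0"),
    ("10.8.0.0/24", "link", "tun0"),
]

# Table 2: what mb describes. The two /1 routes are more specific than 0.0.0.0/0,
# so they win for every destination, while the /32 for the VPN server keeps the
# tunnel's own transport on the ISP path.
FIB_DEFAULT_VIA_VPN = [
    ("0.0.0.0/0", ISP_GW, "wan0"),
    ("0.0.0.0/1", TUN_GW, "tun0"),
    ("128.0.0.0/1", TUN_GW, "tun0"),
    (VPN_SERVER + "/32", ISP_GW, "wan0"),
    ("10.8.0.0/24", "link", "tun0"),
]


def lookup(table, dst):
    """Longest-prefix match over the table, as a kernel FIB would do.

    Returns (next_hop, interface) or None if no route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def leaks(table, destinations, exempt=(VPN_SERVER,)):
    """Return destinations that a firewall-originated connection would reach
    outside the tunnel, ignoring the exempt VPN endpoint itself.

    This is the check the thread's traceroute to 1.1.1.1 performs by hand.
    """
    out = []
    for dst in destinations:
        if dst in exempt:
            continue
        route = lookup(table, dst)
        if route is None or route[1] != "tun0":
            out.append(dst)
    return out


if __name__ == "__main__":
    probes = ["1.1.1.1", "142.250.72.46", VPN_SERVER]
    for name, table in (("default via ISP", FIB_DEFAULT_VIA_ISP),
                        ("default via VPN", FIB_DEFAULT_VIA_VPN)):
        print(name, "->", {d: lookup(table, d) for d in probes})
        print("  leaking outside tunnel:", leaks(table, probes))
```

The point the simulation makes is that no Zenarmor setting is involved: with the first table every firewall-originated probe selects `wan0`, and only the routing change in the second table moves them into `tun0` while the VPN server's host route stays on the ISP path so the tunnel can be established.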
Title: Re: Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355
Post by: jkemp on October 08, 2022, 01:33:46 am
I agree; I mentioned the time servers are also bypassing. Thank you for all the quick responses. Got a little digging to do. I suspect it may be a race going on. 99% of the traffic does use the VPN. Seems to be what's built into OPNsense that's on the move.