Messages - almodovaris

#61
Zenarmor (Sensei) / Re: Zenarmor NGFW and SWG
January 21, 2024, 03:20:44 AM
To be a little more explicit: Zenarmor + Home license works as a filter for internet (bad IPs, bad websites, porn, and so on). If that's what you mean by SWG, then it is a SWG, otherwise it isn't.
#62
The old DHCP still exists, you are not "mandated" to switch to Kea.
#63
And if nothing else helps, erase the Zenarmor database (full erase, meaning all data).

Hint: you have to do it through the OPNsense menu.
#64
Zenarmor (Sensei) / Re: Zenarmor with ADGuard
January 16, 2024, 02:00:16 AM
You just make an elasticsearch account called myname with the password mypassword, then you choose external elasticsearch with myname and mypassword on 127.0.0.1:9200.
#65
And, to be clear, there are a January 4 and a January 5 version of Zenarmor 1.16.1.
#66
And now I think I know what it is: Zenarmor works fine, but somehow it cripples some DNS calls (not always: only when you change policy options through dash.zenarmor.com). Both using Unbound and Dnsmasq. Use DoH or DoT on the end client, and the problem is solved. If you can't, use some public IPs of DNS servers, but not the IP of your router.

And it's not wholly improbable that it's both of the above (meaning this message and my previous message).
#67
I don't know what you mean. I have an OPNsense with Zenarmor and elasticsearch, it occupies 4.9 GB RAM, i.e. almost 2/3 of RAM are free (16 GB total RAM).

I also have a Debian 12 with Zenarmor, elasticsearch and kibana, at the same time docker with HomeAssistant and another app. This fills 10.9 GB, i.e. about 1/3 of RAM is free.

And 0 MB swap usage is very nice, not a reason for complaining.
#68
If you seek a compromise for power consumption, use Minisforum UN100C. Its CPU has 6 W at peak usage. It also has some USB ports which can be turned off from tunables. It has Realtek Ethernet (2 ports, 1 Gigabit), and works okay with vanilla OPNsense (including Gigabit Zenarmor).
#69
Zenarmor (Sensei) / Re: Getting Ready for Zenarmor 1.16
December 24, 2023, 11:18:47 AM
Quote
Has the enshittification finally reached ZenArmor too?
IMHO Zenarmor is slowly moving from filtering ads and porn for schools and home users to a highly professional internet security product.
#70
Yup, I also have the Github problem, but IMHO it is the fault of my internet provider (Ziggo) who does not want to pay for good connectivity (getting routed through some internet exchanges costs a lot of money). Otherwise I would see no reason why Zenarmor drops a couple of websites about half the time. I believe that because getting a VPN connection to the Netherlands or to Sweden (i.e. outside the purview of Zenarmor) also drops Github sometimes, but a VPN connection to Norway doesn't. So I guess it is due to the internet exchange they're using. The Jottacloud app doesn't work through the VPN to the Netherlands or Sweden, but works okay through the VPN to Norway. That's another argument that they're using another internet exchange.

In doubt use the program MTR or WinMTR having Zenarmor wholly disabled (meaning Zenarmor engine stopped). Some years ago I saw a lot of traffic dropping at aorta.net. aorta.net is Liberty Global's own exchange (Liberty Global owns Ziggo), but for AMS-IX they would have to pay. AMS-IX is world class service, aorta.net is dubious. It sucks, but shareholders are greedy, and Ziggo managers are yes-men. Ziggo technical support staff know this, but they lack the power to make the required business deals. They do their best to serve their clients, but only within the parameters dictated by the management. A commercial corporation is not a democracy. Its purpose is not offering the best service ever, but simply making money. Offering reasonable internet connectivity to a tiny share of their clients would cost too much money. Most Ziggo clients don't care about Github. And the few who do could simply patch that through using VPN. So, there is no monetary incentive for properly serving all their clients. Otherwise, I'm a happy Ziggo customer and I'm not taking the gamble of changing my internet provider. I know that Ziggo works perfectly in 99% of the cases, and I'm not taking the risk of having another provider, having its own other imperfections.

And yes: about obeying the whitelist, it makes a difference whether you apply changes from the firewall IP or from dash.zenarmor.com. In doubt, only use the firewall IP for controlling Zenarmor.
#71
I came to an odd conclusion: as far as you choose the options via the firewall IP, that's all working fine (set whitelist and policies as you please, then press Apply Changes). If you do it via dash.zenarmor.com it is not working fine, e.g. it does not obey the whitelist. I guess that using Google Chrome as a browser has something to do with it, but I'm not sure about it. E.g. Google Chrome on Debian does not display reports and connections, but Nyxt on Debian and Google Chrome on Windows do. And I still suspect there is something fishy with using Chrome on Windows for accessing dash.zenarmor.com, but I'm not sure about it.
#72
Err... I guess I was being too optimistic about whitelisting.

This really needs to be examined thoroughly.
#73
Solved whitelisting as follows:

# pkg clean

OPNsense menu option 12.

# pkg install -fy os-sensei os-sensei-agent os-sensei-updater

Go to Firewall IP / Zenarmor. Save whitelist. Save registration key.

Go to Firewall IP / Zenarmor / Settings / Uninstall. Stopped Zenarmor engine. Reset Zenarmor to factory defaults. After that was done, I rebooted the firewall.

Go to Firewall IP / Zenarmor. Re-initialize Zenarmor. Insert registration key. After it is completed, reboot firewall if needed.

Go to Firewall IP / Zenarmor. Import whitelist. Reconfigure Zenarmor. Re-register to dash.zenarmor.com.

Then reboot firewall, just in case.

Bonus: it remembered all my devices, including devices which have gone offline.
#74
The problem with no reports and no connections displayed has been solved.

Yup, it just seems that dash.zenarmor.com does not like my browser (Google Chrome on Debian 12).
#75
Another problem: Zenarmor does not obey whitelisting.

This applies to whitelisting both the IPs and the URLs. I.e. it is malfunctioning about both of them.

Oddly enough, it does obey blacklisting.