Messages - mb

#1
@mimugmail, thanks for putting this together! Much appreciated.
#2
Hi @aleco,

Any chance you might have the "Anonymize IP address" setting enabled in Zenarmor -> Settings -> Privacy?
#3
Zenarmor (Sensei) / Re: New to Zenarmor, what is next
September 20, 2024, 02:11:21 AM
We published a video to serve as a guide for first time ZA users:

https://www.youtube.com/watch?v=xGgG-ki-KvQ&t=300s

Video will start right from the Policy configuration, but feel free to start from the beginning.

Hope this helps as well.

#4
Hi @GuruLee,

OPNsense 24.1 RC1 has the wireguard kernel mode netmap support available. Any chance you can give that a try? Alternatively, you can wait for 24.1 to be generally available.

With OPNsense 24.1 and Zenarmor 1.16.1 and forward, Zenarmor (and Suricata in IPS mode) is able to handle kernel mode wireguard as well.
#5
Zenarmor (Sensei) / Re: Zenarmor packet flow
October 10, 2023, 06:15:14 PM
Hi @Monviech,

That's a very helpful initiative, thanks.

Zenarmor (or Suricata in IPS mode) will be just between Ingress Interface and Scrub; and for the Egress path, it'll be between Traffic Shaping and Egress Interface.

Hope this information is helpful.
#6
Zenarmor (Sensei) / Re: Zenarmor pages blank
September 24, 2023, 03:05:05 AM
Got it, can you also run the command below:

/usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php settimestamp
#7
Zenarmor (Sensei) / Re: Zenarmor pages blank
September 24, 2023, 12:32:40 AM
Hi @gaurhoth,

We've heard this from a few more users and are trying to get to the root cause.

In the meantime, a quick question and a workaround:

- Do you also use zenconsole cloud management?
- If so, can you restart the cloud-agent to see if this resolves your problem? (You can do so either on the console (service senpai restart) or on the Zenconsole FW dashboard.)
#8
Hey @franco,

Thanks for the heads-up. Yes, if the tun patch is not in 23.7, that must be the reason.

Looking forward to the test kernel; team will go ahead and test it.

WRT wireguard-kmod netmap support, we're working on it to see whether it would be feasible to develop/maintain. We'll reach out to the team once we have some meaningful progress.
#9
That's good to hear indeed. Another reason why we should focus on improving emulated mode.

Let us check this on our lab as well.
#10
Got it, with IPv6 + WAN tracking, interface initialization takes a bit longer because OPNsense tries to re-initialize the WAN interface as well.

Another question: when you use emulated netmap mode, is it better?
#11
Hi JasMan,

When you start/stop zenarmor engine, zenarmor (same with suricata in IPS mode) issues a call to netmap to start/stop inspecting packets for your protected interfaces respectively.

Once this is requested, netmap re-initializes the interface causing down/up events for the particular ethernet interface.

When the OPNsense code notices a link down/up event, it tries to re-initialize and refresh interfaces and services.

This is expected. The thing I'm surprised about in your case is that it takes so long for things to "calm down".

Quick question: do you have IPv6 enabled in your network or is it just IPv4?

#12
Zenarmor (Sensei) / Re: RAM and CPU
August 05, 2023, 01:57:31 AM
Hi @zzup,

This looks like a pretty decent system.

I can't see how much is in there in ARC memory, but I'm guessing the high RAM usage might be due to the ZFS ARC cache. When there's available memory, ZFS will want to use it for caching. If it sees that some neighbor processes might need extra memory, it should happily return some of the ARC memory.

More on this: https://wiki.freebsd.org/ZFSTuningGuide
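One way to actually see how much RAM the ARC is holding, as an added example that is not part of the original post: a small Python script that parses the output of `sysctl kstat.zfs.misc.arcstats` on FreeBSD/OPNsense and reports the ARC size against its configured limits. The sysctl names are the standard FreeBSD ones; the numbers in the sample block are constructed values, not readings from the poster's system.

```python
"""Summarise FreeBSD ZFS ARC memory usage from `sysctl kstat.zfs.misc.arcstats`.

Run on a FreeBSD/OPNsense box it reads the live sysctl; elsewhere it falls back
to the constructed sample below so the logic can be exercised offline.
"""
import shutil
import subprocess

# Constructed sample output (not real system data): ~8.5 GiB in ARC, 12 GiB cap.
SAMPLE_ARCSTATS = """\
kstat.zfs.misc.arcstats.c_min: 1073741824
kstat.zfs.misc.arcstats.c_max: 12884901888
kstat.zfs.misc.arcstats.c: 9126805504
kstat.zfs.misc.arcstats.size: 8912896000
kstat.zfs.misc.arcstats.hits: 18234567
kstat.zfs.misc.arcstats.misses: 456789
"""

MIB = 2 ** 20


def parse_arcstats(text):
    """Return {counter_name: int} for every arcstats line in sysctl output."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("kstat.zfs.misc.arcstats."):
            continue
        key, _, value = line.partition(":")
        name = key.rsplit(".", 1)[1]
        try:
            stats[name] = int(value.strip())
        except ValueError:
            continue  # non-numeric counters are not needed here
    return stats


def arc_summary(stats):
    """Derive the figures an admin wants: current size, cap, and how much
    the ARC could give back to other processes under memory pressure
    (it can shrink down to c_min, the hard floor)."""
    size, c_max, c_min = stats["size"], stats["c_max"], stats["c_min"]
    lookups = stats.get("hits", 0) + stats.get("misses", 0)
    hit_ratio = stats.get("hits", 0) / lookups if lookups else 0.0
    return {
        "size_mib": size // MIB,
        "c_max_mib": c_max // MIB,
        "pct_of_max": round(100.0 * size / c_max, 1),
        "reclaimable_mib": max(size - c_min, 0) // MIB,
        "hit_ratio": round(hit_ratio, 3),
    }


def read_live_arcstats():
    """Fetch the real counters if sysctl exists; otherwise return None."""
    if shutil.which("sysctl") is None:
        return None
    try:
        out = subprocess.run(["sysctl", "kstat.zfs.misc.arcstats"],
                             capture_output=True, text=True, check=True).stdout
    except (subprocess.CalledProcessError, OSError):
        return None
    return out if "arcstats.size" in out else None


if __name__ == "__main__":
    raw = read_live_arcstats()
    source = "live sysctl" if raw else "constructed sample"
    summary = arc_summary(parse_arcstats(raw or SAMPLE_ARCSTATS))
    print(f"ARC ({source}): {summary['size_mib']} MiB of "
          f"{summary['c_max_mib']} MiB cap ({summary['pct_of_max']}%), "
          f"{summary['reclaimable_mib']} MiB reclaimable, "
          f"hit ratio {summary['hit_ratio']}")
```

If the reported size sits close to `c_max` while the box shows "high" RAM usage, the memory is cache rather than a leak; `reclaimable_mib` is the amount the kernel can hand back before it touches `c_min`.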
#13
@doug, sorry that it did not work out for you this time.

Trying to understand what went wrong WRT the elasticsearch database, my best guess is that our ES installation might be clashing with another Elasticsearch deployment. In our experience, this usually happens if you're also using Michael's community repository. If you have that repo enabled as well, pkg might be installing the one which is also served by the community repository, instead of the Zenarmor-managed ES database.

Is that the case for you?
#14
Hi @fabricioguzzy,

You'll also need to install os-sensei, which is the actual zenarmor package. os-sunnyvalley just enables the repository which serves actual zenarmor packages.

Please see here for detailed instructions:
https://www.zenarmor.com/docs/opnsense/installing/install-zenarmor-ngfw-plugin-on-opnsense-web-ui#zenarmor-next-generation-firewall-plugin-installation

#15
Hi @Taunt9930,

If you don't have any reliability issues, native netmap mode should produce better performance figures. But this will only be noticeable once you hit your CPU limits; under normal load there should not be much difference (according to our tests and the feedback we've received from our users).

We've introduced the emulated mode improvements as an effort to provide netmap support for drivers which do not have native support, and to bring a driver-agnostic, reliable netmap capability to all ethernet drivers. So, if you don't have issues with native mode, there's no harm in using that.

WRT RSS, you should be able to safely use RSS with either native or emulated mode. The only caveat is that you won't see the performance improvements RSS offers until we ship multi-core enabled zenarmor. Zenarmor will continue to run on a single CPU core (all queues for a single interface will be served through a single CPU core).

Hope this information is helpful.