Messages

@Taunt9930,

Thanks for your response & feedback.

We have indeed done several surveys with our existing home users - I was referring to the result of these surveys [1]. About 5% of the respondents had asked for support for multi-gigabit throughputs. Zenarmor's (and OPNsense) home user base is all tech savvy tech professionals who are very specific about their requirements when it comes to home security.

Quick question: You should be able to easily do 900 Mbps even with single-core as of now, with a fairly standard hardware.

Can you tell me a little bit about your hardware?


[1] https://www.zenarmor.com/blog/whats-new-in-zenarmor-home-more-devices-more-policies

Hello @jlficken,

Glad to hear you're excited about the new 5-policy limit — that one came straight from the majority of requests we've been hearing, so we're happy to make it part of the Home subscription.

On multi-core support: we definitely see the value for power users like yourself, but at the same time it's not something the broader Home community has been asking for, and if we make it too powerful, we start seeing the Home plan misused in business environments (which the license isn't meant for). That's why we've kept the Home subscription balanced for personal use while still growing it step by step.

That said — we do want to support the advanced setups that some of our most passionate users are running. We're considering a SASE Starter tier that would fit more of lab-builder needs.

This isn't ready yet and will likely be invite-only rather than a generally available tier — but if that sounds interesting, feel free to reach out to us directly and we'd be happy to explore it with you.

@mimugmail, thanks for putting this together! Much appreciated.

Hi @aleco,

Any chances you might have "Anonymize IP address" settings enabled in Zenarmor -> Settings -> Privacy?

We published a video to serve as a guide for first time ZA users:

https://www.youtube.com/watch?v=xGgG-ki-KvQ&t=300s

Video will start right from the Policy configuration, but feel free to start from the beginning.

Hope this helps as well .

Hi @GuruLee,

OPNsense 24.1 RC1 has the wireguard kernel mode netmap support available. Any chances you can give that a try? Or alternatively you can wait for 24.1 to be generally available.

With OPNsense 24.1 and Zenarmor 1.16.1 and forward, Zenarmor (and Suricata in IPS mode) is able to handle kernel mode wireguard as well.

Hi @Monviech,

That's a very helpful initiative, thanks.

Zenarmor (or Suricata in IPS mode) will be just between Ingress Interface and Scrub; and for the Egress path, it'll be between Traffic Shaping and Egress Interface.

Hope this inforamtion is helpful.

Got it, can you also run below command:

Code Select Expand


/usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/CLI.php settimestamp

Hi @gaurhoth,

We've heard this from a few more users and trying to get to the root cause.

In the meantime, a quick question and a workaround:

- Do you also use zenconsole cloud management ?
- If so, can you restart the cloud-agent to see if this resolves your problem? (You can do so either on the console (service senpai restart) or on Zenconsole FW dashboard.

Hey @franco,

Thanks for the heads-up. Yes, it the tun patch is not in 23.7, that must be the reason.

Looking forward to the test kernel; team will go ahead and test it.

WRT wireguad-kmod netmap support, we're working on it to see whether it would be feasible to develop/maintain. We'll reach out to the team once we have some meaningful progress.

That's good to hear indeed. Another reason why we should focus on improving emulated mode.

Let us check this on our lab as well.

Got it, with IPv6+wan tracking interface initialization take a bit more longer because OPNsense tries to re-initialize the WAN interface as well.

Another question: when you use emulated netmap mode, is it better?

Hi JasMan,

When you start/stop zenarmor engine, zenarmor (same with suricata in IPS mode) issues a call to netmap to start/stop inspecting packets for your protected interfaces respectively.

Once this is requested, netmap re-initializes the interface causing down/up events for the particular ethernet interface.

When OPNsense code notices a link down/up event; it tries to re-initialize and refresh interfaces and services.

This is expected. The thing I'm surprised in your case is that it takes so long for things to "calm down".

Quick question: do you have IPv6 enabled in your network or is it just IPv4?

Hi @zzup,

This looks like a pretty decent system.

I can't see how much in there in ARC memory; but I'm guessing High RAM usage might be due to ZFS ARC cache. When there's available memory, ZFS will want to use it for caching. If it sees that some neighbor processors might need extra memory, it should happily return back some of the ARC memory.

More on this: https://wiki.freebsd.org/ZFSTuningGuide

@doug, sorry that it did not work out for you this time.

Trying to understand what went wrong WRT elasticsearch database, my best guess is our ES installation might be clashing with another Elasticsearch deployment. To our experience, this usually happens if you're also using Michael's community repository. If you also have that repo enabled as well, pkg might be installing the one which is also served by the community repository, instead of Zenarmor-managed ES database.

Is that the case for you?