Messages - walkerx

#1
I'm running 23.1.6 but was having similar issues before.

I've noticed that if I try to access https://en.avm.de, which is for the Fritzbox routers, the webpage times out. I'm also getting the same on other sites.

I've checked and even disabled Zenarmor, and that is not blocking the sites; I checked the firewall, and that doesn't seem to be blocking either. No GeoIP settings are enabled.

If I switch the device to use mobile internet it works fine. Other than fully removing OPNsense or rebuilding it, I'm not sure where the issue is.

Any ideas?
#2
23.1 Legacy Series / Strongswan vulnerability
March 05, 2023, 01:02:13 PM
So I've upgraded from 22 to 23 and it says I'm on the latest version, 23.1.1_2, yet when I check the security audit under Updates it's still returning the following:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.1_2 at Sun Mar  5 11:50:38 GMT 2023
vulnxml file up-to-date
strongswan-5.9.9_1 is vulnerable:
  strongSwan -- certificate verification vulnerability
  CVE: CVE-2023-26463
  WWW: https://vuxml.freebsd.org/freebsd/3f9b6943-ba58-11ed-bbbd-00e0670f2660.html

1 problem(s) in 1 installed package(s) found.
***DONE***

The vulnerability reports the following:
"A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected."

If we don't use the VPNs within OPNsense, do we need to be worried?
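As an added example (not from the post or from OPNsense's own tooling): the audit text quoted above has a fixed shape, so it can be parsed and each finding cross-checked against which daemons are actually running. Whether the package's code is loaded is what turns an installed vulnerable package into an exposed one; it needs updating either way. The strongswan-to-charon mapping and the sample process sets are assumptions made for this example.

```python
"""Parse `pkg audit -F`-style output and flag findings whose daemon is running."""
import re
from dataclasses import dataclass, field

# Sample audit output, reproduced from the forum post above.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.1_2 at Sun Mar  5 11:50:38 GMT 2023
vulnxml file up-to-date
strongswan-5.9.9_1 is vulnerable:
  strongSwan -- certificate verification vulnerability
  CVE: CVE-2023-26463
  WWW: https://vuxml.freebsd.org/freebsd/3f9b6943-ba58-11ed-bbbd-00e0670f2660.html

1 problem(s) in 1 installed package(s) found.
***DONE***
"""

VULN_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")

# Assumption for this example: which process loads each package's code.
# strongSwan's IKE daemon is charon; extend the table for other packages.
DAEMON_FOR = {"strongswan": "charon"}


@dataclass
class Finding:
    package: str                      # e.g. "strongswan-5.9.9_1"
    title: str = ""
    cves: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def name(self):
        """Package name without version; FreeBSD splits at the last '-'."""
        return self.package.rsplit("-", 1)[0]

    @property
    def version(self):
        return self.package.rsplit("-", 1)[1]


def parse_pkg_audit(text):
    """Turn pkg audit output into a list of Finding records."""
    findings, current = [], None
    for raw in text.splitlines():
        m = VULN_RE.match(raw)
        if m:
            current = Finding(package=m.group("pkg"))
            findings.append(current)
            continue
        if current is None:
            continue                  # banner / status lines
        if not raw.startswith("  "):
            current = None            # blank line or summary closes the block
            continue
        body = raw.strip()
        if body.startswith("CVE:"):
            current.cves.append(body[4:].strip())
        elif body.startswith("WWW:"):
            current.urls.append(body[4:].strip())
        elif not current.title:
            current.title = body      # first detail line is the advisory title
    return findings


def exposure(findings, running):
    """Classify each finding given the set of running process names
    (in practice taken from `ps -axo comm` or `pgrep -x <daemon>`).
    'active' = daemon running, 'installed only' = code on disk but not
    running, 'unknown' = no daemon mapping for this package."""
    result = {}
    for f in findings:
        daemon = DAEMON_FOR.get(f.name)
        if daemon is None:
            result[f.package] = "unknown"
        elif daemon in running:
            result[f.package] = "active"
        else:
            result[f.package] = "installed only"
    return result


if __name__ == "__main__":
    found = parse_pkg_audit(SAMPLE_AUDIT)
    for f in found:
        print(f.name, f.version, f.cves, f.title)
    print(exposure(found, {"charon", "syslogd"}))   # constructed process set
    print(exposure(found, {"syslogd"}))
```

The classification is deliberately coarse: the advisory quoted in the post is specific to TLS-based EAP methods, so a running charon with no EAP-TLS/TTLS/PEAP configuration is narrower still, and an "installed only" package should still be updated at the next opportunity.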


#3
Zenarmor (Sensei) / Scheduled Reports
January 15, 2023, 12:46:10 AM
I've recently rebuilt my OPNsense system (not used since July 2022) and performed a clean install, set up Zenarmor again and enabled the scheduled reporting.

When I perform a test I get the PDF report without any issues, but if I leave it to run overnight the report is 1k in size and, when I open it, it shows a 504 gateway error.

I know the PDFs are generated using an API in Sunny Valley Networks' datacenter, which suggests there is an issue on their network. Can SVND confirm if there is a timescale to resolve this problem, or if we have to just stick with the HTML version of the reporting?



#4
If you can, get a static IPv6 and set OPNsense to use static IPv6, and set up DHCPv6 and router advertisements; this will allow IPv6 to continue working.

I had a similar issue with a UK-based ISP: if I set DHCPv6 to track IPv4 and WAN, I lost IPv6 when Zenarmor was activated. I raised this with Zenarmor around April/May 2022.
#5
So we had some internet issues recently where a fault on the landline was causing my G.fast connection to drop. The ISP required me to put on their own router for testing purposes to ensure it was not my router (OPNsense on a Qotom PC) causing the problem, even though I stated it was the DSL light on the G.fast modem itself that was going off.

While performing the testing we tried different routers (OPNsense, Fritzbox, Deco M5 and Asus ZenWiFi XT8). One of the things we noticed was that when the connection dropped, all the routers except the OPNsense router were able to function correctly with DHCPv6, and routing was immediate.

The only way we got routing working for IPv6 on OPNsense was to switch to static IPv6 instead of tracking WAN with DHCPv6, as otherwise we constantly had to restart routing after the drops. There were also occasions where we constantly had to restart radvd.

I'm in two minds about whether to return to OPNsense in case we start having similar issues with routing, especially as the Asus ZenWiFi XT8 is performing well. If we do decide to, would it be best just to reinstall the latest version from scratch (it was previously updated from an early version and had had many configuration changes along the way) and import the settings, or would it be best to also do those from scratch?

#6
Hi,

Is there a way of recycling system routing after a PPPoE drop? Whenever it drops, I still have IPv6 and the DHCPv6 server is running, but I can't route IPv6 unless I recycle system routing. Is this the same as restarting radvd, or does radvd do more?

Current settings for RA
Router Advertisements - Assisted
Router Priority - Normal
Source Address - Automatic
Advertise Default Gateway - Ticked

I'm not always available to manually recycle this, so I need to get it to recycle routing when the connection is re-established.
#7
What happens if you try setting DHCPv6 to DHCPv6 and set router advertisements to Assisted?


#8
22.1 Legacy Series / Re: IPv6 DNS/DHCPv6 roulette
June 30, 2022, 07:07:42 PM
Did you get a PD and ND?

Try this, as this was my setup for my ISP when using DHCPv6 on tracking WAN:
DHCPv6 client configuration:
untick 'Request only an IPv6 prefix'
untick 'Send IPv6 prefix hint'

Services > Router Advertisements > LAN:
change Router Advertisements to 'Assisted'
untick 'Use the DNS settings of the DHCPv6 server'

I also have all my DNS entries under System > Settings > General.
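Added example, not part of the reply above: one way to answer "did you get a PD and ND?" from the box itself is to parse `ifconfig -a` output for non-link-local, non-deprecated IPv6 addresses on the WAN and LAN interfaces, and then check that the LAN address sits inside the delegated prefix. The interface names (pppoe0, igb1), the addresses and the 2001:db8:abcd::/48 delegation below are constructed for the example; feed the real output and the prefix from the DHCPv6 lease when running it on a router.

```python
"""Check that WAN got a global IPv6 address (ND) and LAN got one from the
delegated prefix (PD) by parsing FreeBSD `ifconfig -a` output offline."""
import ipaddress
import re

# Constructed sample resembling `ifconfig -a` on OPNsense. The interface
# names, addresses and the 2001:db8:abcd::/48 delegation are made up.
SAMPLE_IFCONFIG = """\
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1:2%pppoe0 prefixlen 64 scopeid 0x7
    inet6 2001:db8:ffff:1::a prefixlen 64
    inet 198.51.100.7 --> 198.51.100.1 netmask 0xffffffff
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::a00:27ff:fe12:3456%igb1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:abcd:1::1 prefixlen 64
    inet6 2001:db8:abcd:1:aaaa:bbbb:cccc:dddd prefixlen 64 deprecated autoconf
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    inet 127.0.0.1 netmask 0xff000000
"""

IFACE_RE = re.compile(r"^(?P<name>[a-z0-9_.]+): flags=")
INET6_RE = re.compile(
    r"^\s+inet6 (?P<addr>[0-9a-f:]+)(?:%\S+)? prefixlen (?P<plen>\d+)(?P<rest>.*)$")
ULA = ipaddress.IPv6Network("fc00::/7")   # unique local, not routable on the internet


def parse_inet6(text):
    """Return {iface: [(IPv6Address, prefixlen, set_of_flags), ...]}."""
    result, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("name")
            result[iface] = []
            continue
        m = INET6_RE.match(line)
        if m and iface:
            addr = ipaddress.IPv6Address(m.group("addr"))
            flags = set(m.group("rest").split())   # e.g. deprecated, autoconf
            result[iface].append((addr, int(m.group("plen")), flags))
    return result


def usable_globals(entries):
    """Keep only global-scope, non-deprecated addresses. A deprecated address
    left over from the old prefix is exactly what remains after a PPPoE
    drop, so it must not count as 'IPv6 is up'."""
    return [(a, p) for a, p, flags in entries
            if not (a.is_link_local or a.is_loopback or a in ULA)
            and "deprecated" not in flags]


def check_pd_nd(ifconfig_text, wan, lan):
    """Return (wan_globals, lan_globals). Both non-empty means the WAN got an
    address (ND) and the LAN got a prefix to advertise (PD); it does not by
    itself prove the LAN /64 came from the ISP's delegation."""
    table = parse_inet6(ifconfig_text)
    return usable_globals(table.get(wan, [])), usable_globals(table.get(lan, []))


def lan_in_prefix(lan_globals, delegated):
    """Addresses from check_pd_nd()'s LAN list that fall inside the
    delegated prefix (taken from the DHCPv6 lease)."""
    net = ipaddress.IPv6Network(delegated)
    return [a for a, _ in lan_globals if a in net]


if __name__ == "__main__":
    wan_addrs, lan_addrs = check_pd_nd(SAMPLE_IFCONFIG, "pppoe0", "igb1")
    print("WAN (ND):", [str(a) for a, _ in wan_addrs])
    print("LAN (PD):", [str(a) for a, _ in lan_addrs])
    print("LAN inside delegation:", lan_in_prefix(lan_addrs, "2001:db8:abcd::/48"))
```

The deprecated/autoconf flags are the detail worth checking after a line drop: a LAN address still listed but marked deprecated means the old prefix has timed out and clients will keep using it until a fresh RA with the new prefix is sent.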


#9
Hi,

I've now got Sensei (free version) fully working on my setup and wondered if I still need to use Suricata at the same time?

Regards

#10
Quote from: sy on June 21, 2022, 04:38:22 PM
Hi,

Please make sure that you try in bypass mode. In bypass mode, the Zenarmor packet engine just forwards the packets and never inspects them. I remember that it has occurred in bypass mode as well. Most probably it is a netmap issue and needs looking into. It occurs with Suricata in IPS mode as well. Is Suricata active in your OPNsense?

As stated previously, I have tried bypass mode and have exactly the same problem: whenever the engine starts, the DHCPv6 server stops and can't be restarted. I've even tried with IPS disabled and have the same problem.

It's whenever the packet engine starts: DHCPv6 fails and can't be restarted until I disable Zenarmor and reboot the whole system.

Update, 18:37: I think I have it working. I managed to get static IPv6 working after some trial and error; I started Zenarmor and the DHCPv6 server is still running, so it looks like the problem is when it's set to track interface. I'm going to monitor to see if I have any issues, as I'm not sure if I've set router advertisements correctly (left these on Assisted).
#11
Update: Zenarmor report that they are unable to reproduce the issues I'm experiencing with the DHCPv6 server going offline and not restarting after starting their product.

My connection looks to be configured correctly, as I can get IPv6 through to the internet, IPv6-Test shows it is working, and I'm getting IPv6 entries in my lease table when I don't use Zenarmor.

Has anyone had similar issues, or any other advice regarding the configuration of this plugin before I uninstall it?
#12
Quote from: defaultuserfoo on June 15, 2022, 02:53:20 AM
Ok, so it didn't look right ...
Sorry, the instructions didn't match up, so I wasn't sure if it was correct.
#13
Quote from: mb on June 14, 2022, 08:57:22 PM
Hi @walkerx,

Yes, this is not directly related to Zenarmor. It's because of netmap(4), an operating system subsystem we use to grab packets off the wire.

If you have IPv6 WAN tracking enabled on a netmap-enabled interface, then when an application opens the interface in netmap mode, netmap re-initializes the interface, causing the interface to go DOWN/UP. Since you have WAN tracking here, this in turn triggers the OPNsense code to re-configure the related WAN addresses. This whole process can take up to a minute, during which time you lose WAN connectivity.

The behavior is the same if you use Suricata in IPS mode, which utilizes netmap the same way we do.

Having said that, we are evaluating several options which would potentially solve these sorts of issues and would add device-independent IPS capabilities. If we can work out a methodology, at least in theory, we'll go ahead and sponsor development on the operating system side of things.

Stay tuned for more updates on that.

I hope this is helpful.

I can wait hours with Zenarmor enabled and DHCPv6 can't be restarted.

I have looked at setting the IPv6 manually based on the info I got from my ISP for the PD and ND, but I'm not sure how to set this up, as the instructions in the guide were a bit confusing when not using the same references throughout.
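Added example, not from mb's reply or from Zenarmor: the DOWN/UP re-initialization described above shows up in the FreeBSD kernel log as "link state changed to DOWN" / "... to UP" lines, so it can be confirmed, timed, and correlated with the moment the packet engine was started rather than inferred from a stalled DHCPv6 server. The log lines below are constructed for the example; host name, interface names and times are made up, and the year is an assumption because syslog lines carry none.

```python
"""Find interface DOWN/UP flaps in FreeBSD kernel log lines, measure how long
each outage lasted, and pick out the ones that follow a given event."""
from datetime import datetime
import re

# Constructed log lines in syslog format (no year, as in /var/log/system.log).
# Host "fw", interfaces igb0/igb1 and the timestamps are made up.
SAMPLE_LOG = """\
Jun 14 20:49:58 fw kernel: igb1: link state changed to DOWN
Jun 14 20:50:01 fw kernel: igb1: link state changed to UP
Jun 14 20:50:01 fw kernel: igb0: link state changed to DOWN
Jun 14 20:50:04 fw kernel: igb0: link state changed to UP
Jun 14 21:13:20 fw kernel: igb0: link state changed to DOWN
"""

LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<iface>\S+): link state changed to (?P<state>UP|DOWN)$")


def link_flaps(lines, year=2022):
    """Return [(iface, down_at, up_at, seconds), ...] for each DOWN that is
    followed by an UP on the same interface. A DOWN with no later UP (the link
    is still down at the end of the log) is reported with up_at=None and
    seconds=None. `year` is assumed because syslog omits it."""
    pending = {}          # iface -> datetime of the most recent DOWN
    flaps = []
    for line in lines:
        m = LINK_RE.match(line)
        if not m:
            continue      # unrelated log line
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        iface, state = m.group("iface"), m.group("state")
        if state == "DOWN":
            pending[iface] = ts
        elif iface in pending:
            down = pending.pop(iface)
            flaps.append((iface, down, ts, (ts - down).total_seconds()))
    for iface, down in pending.items():
        flaps.append((iface, down, None, None))
    return flaps


def flaps_after(flaps, event, window=60):
    """Flaps whose DOWN happened within `window` seconds after `event`, e.g.
    the timestamp at which the packet engine (or Suricata in IPS mode) was
    started. A non-empty result is the netmap re-init mb describes."""
    return [f for f in flaps if 0 <= (f[1] - event).total_seconds() <= window]


if __name__ == "__main__":
    found = link_flaps(SAMPLE_LOG.splitlines())
    for iface, down, up, secs in found:
        print(iface, down.time(), "->", up.time() if up else "still down", secs)
    engine_start = datetime(2022, 6, 14, 20, 49, 50)   # constructed event time
    print("flaps within 60 s of engine start:",
          [f[0] for f in flaps_after(found, engine_start)])
```

On a live box the input is `grep 'link state changed' /var/log/system.log` (or the kernel log under System > Log Files), and the event time is when the Zenarmor or Suricata service was started; a flap on the WAN interface inside that window, followed by the WAN address being re-applied, is the sequence described in the reply.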

#14
I think any current issues should be resolved before the UI is updated.

Waiting to find out why, whenever I start Zenarmor, I lose IPv6 connectivity whether in normal or bypass operation and can't restart the DHCPv6 server :(
#15
hi,

I tried setting it up, but it didn't look right.

One of the reasons for setting it up as static is to see if it can fix the issue of having to perform a full reboot to get IPv6 re-enabled after a line drop, and also to get DHCPv6 up faster instead of having to wait 10-20 minutes after a restart of the connection, which can happen (sometimes it doesn't restart, so I need to perform a full reboot).

The other reason is to see if I can get Zenarmor also working with IPv6, as whenever I enable it, it takes down DHCPv6 and I can't re-enable it unless I stop the Zenarmor service and prevent it from starting after a reboot. This happens even in bypass mode. I have raised the issue with their support and am waiting for an update.