Messages - BNaCl

#1
@evanrich - Just making sure you aren't getting incorrect info here. From my understanding (albeit limited), it is quite likely there are two, unrelated issues going on here. The thread and fix @beki is referring to is NOT related to the issue I posted here. If you go to the beginning of that thread he referenced, you will see my post asking if it was related, which it is not. If your issue is similar to mine which is specific to Bridge Mode, then we are dealing with a different issue where if_bridge and netmap are not playing nicely (or some variation of that). @franco did reply to my query in that thread indicating they are working on if_bridge compatibility, but he seemed to indicate this was more of a workaround which didn't seem ideal. Again, this quickly got over my head, but I came away with the understanding Bridge mode really isn't a viable option for the time being, so I had to resort to reworking my network setup to use routed mode.

Hope this helps.
#2
Thanks for the reply. Just double checking, is this syntax correct?

service senpai restart

Also you mentioned Zenconsole, are you referring to the web console? My problem is with the onboard charts. 
#3
Yeah I tried that. I guess I just have a ton of small connections. Regardless, need to be able to drill down OTHER to analyze this traffic.
#4
In the reporting the majority of the remote host pie chart is represented as "other" which you cannot drill down. This is also an issue in the other charts as well. Ideas on how to analyze this traffic?
#5
Appreciate the clarification, figured that was the case. It seems they don't have a working solution for a transparent bridge config at this time. Like I mentioned, it was previously working without the bridge configured in OPNs, but something changed along the way. Also, good to know the longer term bridge fix for this scenario isn't forthcoming. I have a call with them today and hope to get their reporting only mode functioning which if I understand correctly uses pcap.

Take care, love OPNs and the work you guys are doing here.
#6
I actually did that but I'm not super well versed in SSH shell. I was pretty sure blank means not applicable but wanted to check. What threw me off was Sunny Valley wanted me to try this. I even asked if this applied b/c it seemed like it didn't. Thanks Franco.
#7
Not quite sure if this applies to my situation - looking for clarification.

I have been troubleshooting an issue with Sensei/ZA which I have documented here:

https://forum.opnsense.org/index.php?topic=31544.0

Sunny Valley support has indicated the problem is netmap and asked me to give this a try, which I did yesterday. The result is that it "works", but I still have the interface flapping so it didn't resolve my particular issue. I have a feeling this doesn't apply to me due to the fact that I have OPNs configured as a transparent filtering bridge and using the ZA bridge deployment mode. It doesn't stall, it just doesn't work at all which seems different.

IF I understand correctly (big assumption), their "bridge mode" currently uses netmap and bypasses the OS, but the problem is that ZA won't pass traffic at all unless the bridge is also configured in OPNs (resulting in the flapping). Therefore, the solution is to either fix netmap or add support to if_bridge(4). It should be noted that this config did previously work (with the OPNs bridge or without), so not sure where a change was implemented to break it.

Am I on the right path here? Apologies if I am off target, I am a bit out of my comfort zone on this one.   
#8
Zenarmor (Sensei) / Re: Local vs Remote confusion
January 11, 2023, 02:36:31 PM
Yeah agree that wouldn't be a factor as long as OPNs and ZA are seeing the WAN IP, which it seems it is. I re-read your setup and associated troubleshooting and think it is sound. The only question is if the virtual layer is adding some complexity which is contributing.

FWIW, I have been using both the free and paid versions off/on for over 3 years and the filters have been particularly problematic. Sometimes you can find one that works, sometimes not, wildcards seem to not be a thing, etc. IMO, it seems to me they are working through some gremlins. That being said, I find their product to have a lot of promise and still provides a lot of insight/value. The good news is they are continually releasing updates/fixes so I am hopeful the progress continues.

Question, is there a reason you can't use routed mode since it seems to work correctly? You can basically make it perform as passive mode by not enabling any of the blocking/filtering. Like I mentioned, their bridge mode is not functioning correctly and I would use routed mode, but I would have to rework my network which I don't want to do (I also agreed to beta test the bridge fixes they are working on). Just a thought. 
#9
Zenarmor (Sensei) / Re: Local vs Remote confusion
January 10, 2023, 07:29:05 PM
Not sure if this is helpful as I am running in a somewhat unique config which I will explain below, but my local/remote hosts are also jumbled up with internal and external IPs. When I drill down into session detail for any of the local or remote host charts they are largely blank. The app breakdown charts at the top are populating session detail correctly.

Now, it should be noted that I am running OPNs as a transparent bridge. ZA has acknowledged that their bridge deployment mode is having issues with Netmap and is working on the fix. In the meantime, I was trying ZA in Passive Mode so I can get the analytics, but I am seeing similar to what you are, if not worse. My guess is ZA just won't work with OPNs bridges yet in either Passive or Bridge Modes.
#10
Closing the loop on this mystery... Sunny Valley has confirmed this to be a netmap issue. My understanding is they will be developing a fix in the coming weeks which I have volunteered to beta test. It seems not too many are running in a transparent bridge config, but just for awareness I would say it isn't a viable deployment mode until further notice. This of course is simply based on my experience and understanding of the situation and is in no way an official word from SV.
#11
Bug report sent, thanks for taking a look.
#12
Update - I no longer think this is related to OPNs versions as I went back to 22.1 and it still won't pass traffic. The only way it will pass traffic is if I also add the bridge in OPNs. Remove the OPNs bridge and traffic stops. The only theory I can come up with is that the ZA bridging deployment mode broke in a recent ZA update.

One odd thing I have noted is that on the ZA status page the protected interface shows as one of the interfaces (em1) as opposed to the bridge (br0). I could swear back when this was working it showed br0 in the status.

I realize that most likely not many are using this in a transparent bridge config, but would help me if someone could confirm this behavior.
#13
Hi @mb, appreciate your response. I understand what you are describing, and can confirm it previously worked as you detailed with bridge ONLY configured in ZA (not in OPNs). But it doesn't work this way now. I literally spent an entire afternoon troubleshooting after a recent OPNs upgrade because it wouldn't pass traffic in this config until I added the bridge in OPNs. My troubleshooting indicates something changed in one of the recent OPNs updates that affected the ZA behavior such that it will not pass traffic in a bridge config without it also configured in OPNs.

I can confirm that I have ZA running with the bridge configured and it will not pass traffic UNLESS I also have it configured in OPNs. When I remove the bridge in OPNs it won't pass traffic. I can delete the config in ZA and reconfigure and still no joy. I have tried rebooting after config changes, and also tried with interfaces enabled and disabled in OPNs... but it doesn't matter (again, all these configs previously had worked). Like I said, this started happening after a recent update. I have reinstalled ZA and also completely reloaded OPNs from scratch so I am at a loss. It is completely possible I am missing something, but I am pretty sure my troubleshooting is sound. Would be happy to work with you guys on it to sort it out.
#14
Welp I can't get ZA to pass the traffic unless the bridge is also configured in OPNs. I have tried with the interfaces both enabled and disabled in OPNs. I know this worked in this config before and I am pretty sure I ran into this after the last update to 22.7.9_3 and that is why I had to create the bridge in OPNs. I am not sure what ver I was on before I updated, might have fallen behind a few revs, but not much. My theory is the ZA bridge functionality broke somewhere along the way. Another item of note is that the interface shows as em1 on the ZA status page as opposed to the configured bridge br0 which seems odd. 

Hope to get this sorted, really enjoy ZA and hope to use it, but I need the transparent bridging to work.
#15
Ah OK makes sense. I will remove the bridge in OPNs. Should the interfaces that will be part of the Zenarmor bridge be enabled or disabled in OPNs?