Messages

Same here. It started happening when my paid subscription ended a few days ago.

[So maybe it is not related to Zenarmor?]

I think I had this problem, too. Right after 24.7.7 update WG stops to work. I always saw a 124kb received from WG/OPNsense (e.g. on my iPhone), then it stops.

However, after some restarts this problem is just gone. WG works as expected and I haven't touched anything. Strange.

See here: https://forum.opnsense.org/index.php?topic=43653.0
So maybe it is not related to Zenarmor?

In this case it must be connected to Zenarmor because it started when ZA updated to 1.18. And the problem goes away when the WG interface is removed from ZA settings.

Pros for ZA support for being active also during the weekend. I was contacted and their proposal was a remote session for investigating the problem but I'm not willing to do that. As a home user this issue is not critical to me since the WG connection works when it's removed from ZA settings.

I hope someone from this thread will be able to work further with ZA to reproduce the issue.

Did you send feedback/logs to Sunneyvalley through the UI? Have you had any feedback from them?

I did but haven't heard back yet. I added a link to this thread in my message so hopefully they come here for the comments.

Same problem here. I removed the wireguard interface from my zenarmor settings and now I'm able to connect again. Hopefully they get it fixed soon.

[and]

On a side note.  Any reason to run CrowdSec and zenarmor together? I always thought they did the same thing.  (still learning some of this as it is a hobby).

I'm doing it and it works without any issues. It does give extra layer of security especially if you run servers.

Do you run it to protect the lan or wan side?  I have not really looked into it much as i though that zenarmor covered it.  But if it helps the wan side as i use quite a bit of port forwarding that would be great.  And if it does not mess with zenarmor that is a must.  Which sounds like it doesn't based on your comment.

CrodwSec is most useful for protecting the servers on wan side but you can configure the firewall to block all incoming and outgoing connections to the IPs in CrowdSec's blocklist. That's how i've done it so basically it inspects all the connections from WAN and also from LAN.  There is no performance penalty on modern hardware since CS is not doing any deep packet inspection but only checks if any of the IP's in the connection is included in the blocklist.

On a side note.  Any reason to run CrowdSec and zenarmor together? I always thought they did the same thing.  (still learning some of this as it is a hobby).

I'm doing it and it works without any issues. It does give extra layer of security especially if you run servers.

HP thin client with a CPU that was introduced a decade ago? I'm confused and curious.

I would assume an organisation with 2500 clients would be running very high-end hardware for their internet gateway/firewall. Something like DEC3862 or maybe even two for high availability. These cost something like 2k$ per unit, which is nothing compared to a situation when your decade old HP decides to quit and 2500 clients lose their internet.

First impression of the new UI is modern and easier for the eye. But usability has gone down the drain. What the heck happened to the "drill down" functionality? How do I get to see the details of a blocked threat or anything else?

Check in suricata administration -> settings -> advanced mode -> home networks that your WAN IP is mentioned in the network ip adresses.

Maybe your WAN ip address has changed at some point and is now missing.

why would anyone want to run an IDS on the WAN interface? beside for documenting who wanted to get into your network.

Because you can't run zenarmor and suricata on the same interface, that's why. Maybe in the future it's possible but not today.

the reason for having a FW is to stop attacks and for IDS/IPS to tell you who made it through so you can do something about it.

FW only checks what ports are allowed to transmit/receive traffic. IPS is there to stop the actual attack on those ports. It can do this while running on either LAN or WAN interface.

I have no doubt that there are 1000s of 1000s of attach on the other side of the fw. if you ran an IDS on the WAN side you would be overwhelmed by alerts.

my 2 cents.

I'm running suricata on WAN and Zenarmor on LAN. Without ZA I would run suricata on LAN of course. With this configuration I see maybe 5-10 IPS alerts a day. Most of the background noise is blocked by a FW before the packets are processed by suricata.

I might have figured it out. I am running Zenarmor which binds to the same interface. I "believe" that Zenarmor is receiving the packets and does not forward it to the next module, Suricata. I suspect that if I uninstall Zenarmor then Suricata would start working. I say suspect, because I decided I rather keep Zenarmor and use that and did not want to go through uninstalling it to test the hypothesis. So, if you have other solutions that bid to your interface, try removing them and see if Suricata can work as a standalone module that has control of the interface.
good luck.

You shouldn't run Zenarmor and suricata on same interface. You need to bind suricata to WAN interface when Zenarmor is running on LAN. Then you need to configure suricata to also listen to IP adress of your WAN.

Anyone else experiencing this? Normally I get around 20k blocked IPs from the community but now it has been like this for several days. I have all available updates installed and haven't changed anything in the configuration.


crowdsecurity/community-blocklist   update : +32/-1 IPs         ban:32   
15 minutes ago
crowdsecurity/community-blocklist   update : +32/-1 IPs         ban:27   
2 hours ago
crowdsecurity/community-blocklist   update : +32/-0 IPs         ban:22   
4 hours ago
crowdsecurity/community-blocklist   update : +32/-1 IPs         ban:11   
6 hours ago

etc...

[Engine stopped:]

Engine stopped:

Ping statistics for 35.198.172.108:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 52ms, Average = 52ms

Ping statistics for 34.65.117.157:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 55ms, Maximum = 59ms, Average = 56ms

When the engine is running I get similar pings, which I assume is how it should be.

Now I noticed that the Zenarmor status page reports ping times of ~25ms even when the ping time from the firewall CLI is 50+ ms.

Hi,

When the packet engine starts, I usually get around 20-30ms response time to cloud node. However when the packet engine has been running for a few days, the response time doubles at some point and newer returns back to normal until the packet engine is restarted. I'm using Europe and Europe2 nodes.

This is not new behavior in my installation. I remember seeing this already long time ago but I hadn't had time to raise a question about it. Anyone else experiencing this?