Messages - Taunt9930

#1
Are you all using Suricata?

FWIW as another data point, have been updated for a few hours now and no issues. Not using Suricata.
#2
So is the answer 1024 or 2048, and what's the downside of either? (Particularly the higher value).
#3
Quote from: Cljackhammer on June 10, 2025, 11:35:02 PM
Quote from: furfix on June 10, 2025, 03:33:21 PM
Hello, I have a genuine question regarding Zenarmor's development. I've noticed there haven't been any updates since February, and the roadmap seems to be on hold. Additionally, the UI hasn't yet been updated to align with the new OPNsense interface. Like many others, I'm really hoping the promised multicore support will be released in July and made accessible beyond just premium users. I sincerely hope the team is doing well and continuing their great work. Thank you for all your efforts!

Yeah, I'm not sure. It does appear that ZA might be in some trouble? No official response to the feedback provided in this thread and the last release in February with no clear indication as to what's being worked on might indicate an issue. Although someone mentioned that the next release is sometime in July.

Version 2.0 releases tomorrow...
#4
Quote from: badbroccoli on October 30, 2024, 11:22:09 PM
Turned out to be a hardware issue, but thanks for your reply!

What was the hardware issue, and did you solve it? I have suddenly started seeing the same.
#5
Quote from: OPNenthu on May 20, 2025, 10:06:00 PM
@Taunt9930 - where did you see that mentioned in the docs?


Second Paragraph of the DHCP Reservations section. But, as indicated above by Cedrik, not considered a contributing factor so a red herring perhaps!

#6
Quote from: Monviech (Cedrik) on May 20, 2025, 09:46:43 PM
Please create separate threads for separate issues, this one is about tracking the weird dns forwarding issues of the OP.

Understood - not an issue, as such, was just seeking to understand if it might be contributing to this issue as the OP indicated that this is one area where they have deviated from the docs direction - hence asking the question in this thread. Your reply suggests it is not a factor, so noted - thanks.
#7
@meyergru could you quickly provide some clarity on ranges?

If we set a DHCP range as per the docs of, say, 192.168.1.10 - 192.168.1.100 for dynamic leases, and then set a reservation up for 'Host A' at address 192.168.1.200 - do we need to set up a separate range but with mode 'static' that incorporates the desired reserved addresses?

The docs suggest we need to for DHCP v4, but the OP suggests they haven't done so and addresses are being set/reserved - what are the side effects of not doing so / why do we need a range set?

Just asking as this is contrary to what people are used to with Kea etc - the direction there was to ensure any reservations were explicitly OUTSIDE of any defined ranges on the DHCP server...

Thanks.
#8
Quote from: OPNenthu on May 19, 2025, 10:19:06 PM
Although it doesn't help with the DNS resolution issue, there is something strange going on with static reservations.

My desktop PC has 2 NICs (one of them is kept disabled).  Until now I was using the first NIC with a static reservation in Dnsmasq.  In this case, the DNS suffix was always coming as "h1.home.arpa" even though that client is not part of that DHCP range:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : h1.home.arpa
   Description . . . . . . . . . . . : Intel(R) Ethernet Controller (2) I225-V
   Physical Address. . . . . . . . . : 24-xx-xx-xx-xx-CD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxxx:xxxx:xxx:f69(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:3a21(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:9cb5:6288:f91:c4c6(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:9cb5:6288:f91:c4c6(Preferred)
   Link-local IPv6 Address . . . . . : fe80::52cc:xxxx:xxxx:c813%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 3:58:47 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 3:58:44 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%11
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Switching over to the second NIC, this time I get a DHCP dynamic lease in the same range (192.168.30.x), but now the DNS suffix comes as "home.internal" (as configured in the pool):

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : home.internal
   Description . . . . . . . . . . . : Realtek PCIe 2.5GbE Family Controller
   Physical Address. . . . . . . . . : 78-xx-xx-xx-xx-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxx:xxxx:2631:c6ff(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:e66b(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:1de4:e57c:4ae3:f9dd(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:1de4:e57c:4ae3:f9dd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ec8a:xxxx:xxxx:454c%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.164(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 4:02:00 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 4:01:59 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%8
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Why should static leases not get the same DNS suffix as the DHCP range configured?


Does the static address sit within a configured DHCP range (set as mode static) in DNSMASQ for that interface? E.g. an additional range for your reservations?

Per the Docs:

"DHCP reservations
A DHCP reservation will always assign the same IPv4 and IPv6 addresses to a client.

For an IPv4 reservation, a DHCPv4 range should exist. If this DHCPv4 range should only serve reservations, set it to static"
#9
Quote from: fakebizprez on May 09, 2025, 02:36:22 AM
Quote from: sy on May 05, 2025, 12:40:57 PM
Hi,

Good news regarding multicore support. We have released a test binary. Kindly contact the support team via the "Have Feedback" option located in the bottom right corner of the UI if you wish to try it out.



Thank you, I will do this now.

Has it made a difference in your use-case?
#10
Hardware and Performance / Re: SDD fast wear ?
April 29, 2025, 10:42:25 PM
Quote from: meyergru on April 29, 2025, 09:30:13 AM
It is literally in the docs.

Wow, completely missed that! Thank you.

Is there a recommended setting for percentage of RAM for both?
#11
Hardware and Performance / Re: SDD fast wear ?
April 29, 2025, 09:24:11 AM
Are there any guides on how to do so / best practice? I had a quick scan of the Docs and couldn't find anything about moving items to a Ram disk. Thanks.
#12
Quote from: Greg_E on April 22, 2025, 03:45:28 PM
Since the feature isn't out yet, can we be certain this is going to be a paid feature?

Seems like a lot of work to create two different versions of the software to split the feature. Not trying to defend them, but this just doesn't seem logical unless they are going to turn off the free version.

That is what their roadmap seems to suggest - SSE, ZTNA, SASE, Business plans only...rather than 'All Plans' which includes free and home, or 'All paid plans' which would include home but not free.

Of course, easily clarified by a member of the Sunny Valley team that contribute to the forum.

https://www.zenarmor.com/roadmap
#13
Zenarmor (Sensei) / Re: Adblock popups
March 05, 2025, 06:18:29 PM
Quote from: bandit8623 on March 04, 2025, 07:07:43 PM
Quote from: Taunt9930 on March 04, 2025, 06:57:36 PM
Quote from: bandit8623 on March 04, 2025, 04:23:27 PM
Quote from: sy on March 04, 2025, 04:15:11 PM
Hi,

I believe you have an ad blocker plugin installed in your browser. Websites can detect them because they operate through a proxy. Zenarmor prevents ads while a session is active, making it unnoticeable to websites.

It doesn't seem to. I went into Chrome setting on my Android phone and I can't find any adblock setting.
I don't have any adblock installed, and it seems to happen mostly on the mobile Chrome app.



Does it happen on your Laptop/PC for the same site?


That would indicate, as Sy said, it is being blocked at device level on your mobile and not OPNsense/Zenarmor.
#14
Zenarmor (Sensei) / Re: Adblock popups
March 04, 2025, 06:57:36 PM
Quote from: bandit8623 on March 04, 2025, 04:23:27 PM
Quote from: sy on March 04, 2025, 04:15:11 PM
Hi,

I believe you have an ad blocker plugin installed in your browser. Websites can detect them because they operate through a proxy. Zenarmor prevents ads while a session is active, making it unnoticeable to websites.

I don't have any adblock installed, and it seems to happen mostly on the mobile Chrome app.



Does it happen on your Laptop/PC for the same site?
#15
Quote from: Maurice on February 16, 2025, 08:32:56 PM
Stateless DHCPv6 shouldn't cause loss of connectivity. What's the actual issue? DNS? Invalid interface address? Routing?

Thanks Maurice - I'll investigate.

Before I went down a potential rabbit hole trying to see what the issue is, I thought I'd double check there wasn't any obvious addition such as 'but if you do this, then you must also...' etc. The way I read it was from the working configuration above, change RA from unmanaged to stateless, tick DHCPv6 Server for the Interface, make sure range is empty, and all should work.

I'll investigate what aspect has broken. Initial view was unable to reach ipv6 only sites, fails all the IPv6 test sites available etc but I haven't looked into the actual cause.