Messages - SpinningRust

#1
Zenarmor (Sensei) / Re: Malformed Dns Packet
December 29, 2023, 07:16:38 PM
Feedback just sent!
#2
Zenarmor (Sensei) / Malformed Dns Packet
December 29, 2023, 01:42:16 PM
I'm really liking the 1.16 update thus far.  :)

One observation from my network is that a significant chunk of what I believe to be mDNS traffic (port 5353) from mostly Apple devices is being flagged as a threat - Malformed Dns Packet. The good thing is that even with the Malformed Dns Packet advanced security policy enabled, it isn't blocked. But it is pushing the threat numbers up significantly, so there are more false positives to filter through.

There does seem to be a pattern. I'm running an mDNS repeater on the OPNsense so that wireless devices can see the wired printer for AirPrint. So, a majority of the wireless devices aren't flagged as Malformed Dns Packet but properly as mDNS, as they are connecting with mdns.mcast.net (224.0.0.251) on my network. Occasionally, an Apple TV over wireless is flagged as malformed when it sends port 5353 packets to the gateway on OPNsense. However, what triggers the threat most are the wired devices such as my Macbook (when wired in), my Synology (wired), or my Denon receiver (wired), as they are sending frequent port 5353 packets to the gateway on OPNsense. Conversely, the wired printer doesn't do this but mostly sends to mdns.mcast.net (224.0.0.251).

Not a big deal, but I'm wondering if there's any way for this type of mDNS traffic to not be labelled as "Malformed Dns Packets"? I would think all that's needed is to filter out the port 5353 traffic. I'm not aware of that being used for normal DNS.
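A worked triage for the situation described in the post above, added here as an example and not code from the thread or from Zenarmor. It labels port-5353 flows as multicast mDNS, mDNS sent unicast to the gateway, or ordinary DNS, and then shows one reason a strict DNS decoder can report an mDNS query as malformed: RFC 6762 uses the top bit of a question's QCLASS as the QU (unicast-response) bit, so an mDNS question can carry QCLASS 0x8001 where plain DNS expects 0x0001. The flows, packets, gateway address and the assumption that this is what Zenarmor's "Malformed Dns Packet" check trips on are all constructed for the example.

```python
"""Port-5353 triage: which traffic is mDNS, which is unicast DNS, and why a
strict DNS decoder may call an mDNS query malformed.

Added example, not code from the thread or from Zenarmor; flows and packets
are constructed. One protocol fact is relied on: RFC 6762 uses the top bit of
a question's QCLASS as the QU (unicast-response) bit, so an mDNS question can
carry QCLASS 0x8001 where plain DNS expects 0x0001. Whether that is what trips
Zenarmor's "Malformed Dns Packet" check is an assumption, not confirmed here.
"""
import struct
from dataclasses import dataclass

MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}
MDNS_PORT, DNS_PORT = 5353, 53
VALID_QCLASS = {1, 3, 4, 254, 255}  # IN, CH, HS, NONE, ANY

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

def classify_flow(f: Flow, gateway_ips: set) -> str:
    """Label a UDP flow by destination port and address."""
    if f.dport == MDNS_PORT and f.dst in MDNS_GROUPS:
        return "mdns-multicast"   # proper mDNS to the link-local group
    if f.dport == MDNS_PORT and f.dst in gateway_ips:
        return "mdns-unicast-gw"  # 5353 sent straight to the firewall
    if DNS_PORT in (f.sport, f.dport):
        return "dns"              # ordinary unicast DNS
    return "other"

def build_query(name: str, qclass: int, txid: int = 0) -> bytes:
    """Header plus one PTR question (QTYPE 12), enough to exercise the parser."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 12, qclass)

def parse_question(payload: bytes, mdns: bool) -> dict:
    """Decode header + first question; raise ValueError when malformed.
    Strict mode (mdns=False) takes all 16 QCLASS bits as the class and so
    rejects 0x8001; mDNS mode masks the top bit off and reports it as 'qu'."""
    if len(payload) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    off, labels = 12, []
    while (n := payload[off]) != 0:
        off += 1
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", payload[off + 1:off + 5])
    qu = False
    if mdns:
        qu, qclass = bool(qclass & 0x8000), qclass & 0x7FFF
    if qclass not in VALID_QCLASS:
        raise ValueError(f"bad QCLASS 0x{qclass:04x}")
    return {"txid": txid, "name": ".".join(labels), "qtype": qtype,
            "qclass": qclass, "qu": qu}

def strict_vs_mdns(payload: bytes) -> tuple:
    """Return (strict_result, mdns_result): a dict, or 'malformed: ...'."""
    results = []
    for mode in (False, True):
        try:
            results.append(parse_question(payload, mdns=mode))
        except (ValueError, IndexError, struct.error) as e:
            results.append(f"malformed: {e}")
    return tuple(results)

# Constructed flows: a wired Mac to the multicast group, a NAS sending 5353
# unicast to the gateway, and a client doing a normal lookup on port 53.
GATEWAY = {"192.168.1.1"}
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "224.0.0.251", 5353, 5353),
    Flow("192.168.1.30", "192.168.1.1", 5353, 5353),
    Flow("192.168.1.40", "192.168.1.1", 51515, 53),
]

def triage(flows=SAMPLE_FLOWS, gateway_ips=GATEWAY) -> dict:
    """Count flows per label; 'mdns-unicast-gw' is the bucket worth reviewing."""
    counts = {}
    for f in flows:
        label = classify_flow(f, gateway_ips)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(triage())
    print(strict_vs_mdns(build_query("_ipp._tcp.local", 0x8001)))  # QU bit set
    print(strict_vs_mdns(build_query("example.com", 0x0001, txid=0x1234)))
```

The point of the two parsers is the check itself: the same bytes are "malformed" to a decoder that insists on a plain 16-bit class and perfectly valid to one that knows the QU bit. A unicast 5353 packet to the gateway is still worth a second look, since that is not where a multicast protocol normally sends, but it is an inventory question, not a threat on its own.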
#3
Quote from: beki on February 23, 2023, 06:37:28 PM


However, driver incompatibility problems, like igc, are not in the scope of this project.
After the current project is accomplished successfully, they are going to start a new project to improve emulated netmap mode.

The main aim of the second project is to solve incompatibility problems for all drivers. It is intended to be able to provide quick support to the new NICs as well.

Lastly, it is needless to say that the success of these projects mostly depends on community support, and feedback from community members, like you, is priceless.

Best

I'm not sure exactly when this occurred but sometime after I installed 23.7 or zenarmor 1.14 (started with 23.7.3 as I waited a while and now on 23.7.4 and updated to 1.14/1.15 zenarmor), my issues vanished with the emulated driver. Everything seems to be working as designed with netmap. Performance is great and policies are working as they should. Traffic is actually being blocked now and netmap isn't crashing. Really excited that this is working as it should. I do not currently have vlan tags, so I can't verify if that is an issue. That was something I eliminated earlier in my troubleshooting process.

Running Protectli VP2420 with Intel I225-V 2.5G NICs and igc driver.
#4
Exact same issue here, kill -9 of crowdsec-firewall-b resolved the issue for me too. Thank you!
#5
Quote from: beki on March 02, 2023, 02:07:04 PM
Hi SpinningRust,
Could you confirm that this issue occurs in emulated mode?
Best
Yes, the issue definitely does occur in emulated mode. I reported my logs in the other testing thread that franco setup.
#6
I was trying out the new netmap2 kernel that franco just released. I did not expect it to resolve zenarmor's issues with netmap for my igc(4) driver, and I confirmed it didn't, but this reminded me of another observation...when I do enable zenarmor in L3 routed mode, my upload bandwidth is significantly reduced. In passive mode I consistently get 15-17Mbps but in L3 routed mode upload is reduced to 2-7Mbps. Download bandwidth remains unaffected at around 940Mbps. It's capped by my 1Gbps switch between the firewall and my computer. Just thought I'd throw that observation out there.
#7
Thanks for opening this thread DoBoY and thank you to beki and mb for the honest feedback. I am using the igc(4) driver with the I225-V interfaces on my Protectli box. My problem is well described in Franco's testing thread so no need to describe further here. I have no intention to hijack another thread. :-)

mb/beki: Feel free to PM me if you ever need a tester in the future. I appreciate the approach you will be taking and that it is on the roadmap. Regards.
#8
Quote from: kintaroju on February 23, 2023, 06:16:13 PM
Today I decided to see if there was a firmware upgrade for my NIC, which there wasn't, but on the odd note, I did let the system fully turn off, and turn on and now it works.

I know when I removed all vlans from my config to see if that was causing my netmap issues, it took a full reboot for the vlan interfaces to disappear from zenarmor. Perhaps it's that way with additions as well. It was removed from OPNsense config right away, but zenarmor continued to see the vlan interfaces until I rebooted.
#9
Quote from: SpinningRust on February 18, 2023, 03:33:59 PM
Also...the native netmap driver is working great too. It's like a night and day difference. Having no issues thus far. :-)

Unfortunately I was wrong. User error. My custom policy in Zenarmor showed it was enabled and actively running, but it wasn't, so Netmap hasn't been running at all since the upgrade 2 nights ago. Must have been something with the 23.1.1 update that had the setting toggled incorrectly.

I noticed something was off when the reports didn't show anything blocked or even as a threat in my custom policy. Creating a blocklist item for a test domain also wouldn't be blocked and only pass through the default policy. Once I toggled my custom zenarmor policy off and then on again, it began to work as desired...and all my netmap problems returned. Bummer!

Back to passive mode I go.

Here is what I see in dmesg with native netmap:
99.862767 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
499.870971 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
500.600314 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
500.636894 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc2: link state changed to DOWN
igc0: link state changed to UP
igc2: link state changed to UP
igc0: link state changed to DOWN
igc0: link state changed to UP
367.771681 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
367.779815 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
igc0: link state changed to UP
igc2: link state changed to DOWN
igc2: link state changed to UP
480.959262 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
480.967393 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc2: link state changed to DOWN
igc2: link state changed to UP
igc2: link state changed to DOWN
igc2: link state changed to UP
523.403350 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
523.411486 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc2: link state changed to DOWN
igc2: link state changed to UP
igc2: link state changed to DOWN
igc2: link state changed to UP
arp: 192.168.200.22 moved from f2:0f:ab:ac:aa:a9 to 1c:53:f9:aa:b5:65 on igc2
621.436105 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
621.444361 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc2: link state changed to DOWN
igc2: link state changed to UP
igc0: link state changed to DOWN
igc0: link state changed to UP
666.783413 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
666.791593 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
igc0: link state changed to UP
igc0: link state changed to DOWN
igc0: link state changed to UP
684.987780 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
684.996044 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
igc0: link state changed to UP
igc0: link state changed to DOWN
igc0: link state changed to UP
789.998143 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
790.006289 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
igc0: link state changed to UP
arp: 192.168.200.22 moved from 1c:53:f9:aa:b5:65 to f2:0f:ab:ac:aa:a9 on igc2
igc2: link state changed to DOWN
igc2: link state changed to UP
arp: 192.168.200.22 moved from 1c:53:f9:aa:b5:65 to f2:0f:ab:ac:aa:a9 on igc2
989.861585 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
989.869836 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048

And again for emulated (goes on and on until it eventually flaps wireless off):
012.906533 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
012.915326 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
012.923231 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
012.931527 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
012.940339 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
012.963658 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
012.974662 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
012.982483 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
021.006448 [1137] generic_netmap_attach     Emulated adapter for igc0 created (prev was igc0)
021.015312 [1034] generic_netmap_dtor       Native netmap adapter for igc0 restored
021.023196 [1042] generic_netmap_dtor       Emulated netmap adapter for igc0 destroyed
021.031676 [1137] generic_netmap_attach     Emulated adapter for igc0 created (prev was igc0)
021.040581 [ 320] generic_netmap_register   Emulated adapter for igc0 activated
021.083370 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
021.092225 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
021.100132 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
021.108489 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
021.117381 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
igc0: link state changed to UP
024.274716 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
024.282425 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
024.290272 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
038.032110 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
038.040849 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
038.048749 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
038.057062 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
038.065931 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
039.777730 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
039.785589 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
039.793627 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
053.197044 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
053.205799 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
053.213707 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
053.222033 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
053.230856 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
068.242712 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
068.250438 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
068.258245 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
081.388358 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
081.397402 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
081.405610 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
081.414240 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
081.423429 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
088.474600 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
088.482314 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
088.490121 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
102.524921 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
102.533710 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
102.541601 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
102.549912 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
102.558763 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
142.291684 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
142.301275 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
142.309289 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
155.734586 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
155.743387 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
155.751244 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
155.759608 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
155.768493 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
327.084679 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
327.092373 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
327.100229 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
341.229386 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
341.239156 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
341.247428 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
341.256522 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
341.266272 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
365.673498 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
365.681226 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
365.689054 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
379.343039 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
379.351809 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
379.359675 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
379.367996 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
379.376820 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
667.362913 [ 295] generic_netmap_unregister Emulated adapter for igc0 deactivated
667.370615 [1034] generic_netmap_dtor       Native netmap adapter for igc0 restored
667.378426 [1042] generic_netmap_dtor       Emulated netmap adapter for igc0 destroyed
667.464266 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
667.475151 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
667.482963 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
#10
Donated.
Thank you, thank you, thank you. Very grateful!
#11
The instructions in this article worked perfectly for me. I moved to different hardware, switching from 1Gbps to 2.5Gbps interfaces with different names as well as locations for WAN, etc. This article lays out what to look for when making changes. Highly recommend reviewing it.
https://homenetworkguy.com/how-to/migrate-opnsense-to-new-hardware/
#12
Also...the native netmap driver is working great too. It's like a night and day difference. Having no issues thus far. :-)
#13
So far so good. I've been running on the 23.1.1 build with no netmap issues. Even when netmap worked for me before, dmesg would show lots of dtor, attach, register, unregister entries. None of that in the last 9 hours or so for me, with no interface flaps.

Looking promising...
#14
I agree, and this is my last follow-up as my issue is different. My issue is almost certainly due to the hardware I have, specifically: Intel I225-V 2.5G interfaces with igc drivers. And it's definitely netmap related as the same issues pop up whether I use Suricata in IPS mode or Zenarmor in L3 mode, with native or emulated netmap driver (using either version of the emulated netmap driver). All other OPNsense plug-ins and policies I'm using work without issue.

I will be getting a different wireless access point in the future with a 2.5Gbps WAN port to connect to this OPNsense box and will try this again in the future to see if that makes a difference.

When in netmap emulated mode, I get lots and lots of the below in dmesg but when in native mode, it's very different with complete interface drops happening very frequently.

igc2 is the interface to the wireless access point (1Gbps)
igc0 is the interface to my unmanaged 1Gbps LAN switches


549.798697 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
549.806464 [1039] generic_netmap_dtor       Native netmap adapter for igc2 restored
549.814383 [1047] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
563.897088 [1142] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
563.905859 [1039] generic_netmap_dtor       Native netmap adapter for igc2 restored
563.913758 [1047] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
563.922093 [1142] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
563.930994 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
672.439061 [ 295] generic_netmap_unregister Emulated adapter for igc0 deactivated
672.446788 [1039] generic_netmap_dtor       Native netmap adapter for igc0 restored
672.454630 [1047] generic_netmap_dtor       Emulated netmap adapter for igc0 destroyed
672.519959 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
672.530783 [1039] generic_netmap_dtor       Native netmap adapter for igc2 restored
672.538635 [1047] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed

Eventually I get an error message that the interface (igc2 usually) went down. I don't have any of those errors handy at the moment (as they're older than dmesg.yesterday in my log files).

Thanks for all your work on this! I will give this another try next time there are updates to netmap.
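The dmesg excerpts in posts #9 and #14 above are long, and the useful signal is how often each interface cycles. The script below is an added example (not from the thread, OPNsense or Zenarmor) that reads the three line shapes those excerpts contain, generic_netmap_* adapter messages, "igcN: link state changed to ...", and iflib_netmap_config, and reduces them to per-interface counts. SAMPLE is a handful of lines copied from those posts so it runs offline; the "-" argument to read dmesg from stdin and the file path /var/log/dmesg.yesterday mentioned in the usage note are the only assumptions.

```python
"""Count netmap churn per interface in dmesg output.

Added example, not from the thread or from OPNsense/Zenarmor. It understands
the three line shapes quoted in the posts above (generic_netmap_* adapter
messages, "igcN: link state changed to ...", and iflib_netmap_config) and
tallies them so a day of logs reduces to a few numbers. SAMPLE holds lines
copied from those posts so the script runs offline; pass "-" to read dmesg
from stdin instead.
"""
import re
import sys
from collections import Counter, defaultdict

GENERIC = re.compile(
    r"generic_netmap_(?:attach|register|unregister|dtor)\s+"
    r"(?:Native|Emulated)(?: netmap)? adapter for (?P<ifn>\w+) "
    r"(?P<what>created|activated|deactivated|restored|destroyed)"
)
LINK = re.compile(r"^(?P<ifn>\w+): link state changed to (?P<state>UP|DOWN)$")
NATIVE_CFG = re.compile(r"iflib_netmap_config\s+txr \d+ rxr \d+")

def summarize(lines) -> dict:
    """Return {'adapter': {ifn: {outcome: n}}, 'link': {ifn: {state: n}},
    'flaps': {ifn: n}, 'native_config': n}. A flap is a DOWN immediately
    followed by an UP on the same interface."""
    adapter = defaultdict(Counter)
    link = defaultdict(Counter)
    flaps = Counter()
    last = {}
    native_config = 0
    for raw in lines:
        line = raw.strip()
        if (m := GENERIC.search(line)):
            adapter[m["ifn"]][m["what"]] += 1
        elif (m := LINK.match(line)):
            ifn, state = m["ifn"], m["state"]
            link[ifn][state] += 1
            if state == "UP" and last.get(ifn) == "DOWN":
                flaps[ifn] += 1
            last[ifn] = state
        elif NATIVE_CFG.search(line):
            native_config += 1  # carries no interface name, so count globally
    return {"adapter": {k: dict(v) for k, v in adapter.items()},
            "link": {k: dict(v) for k, v in link.items()},
            "flaps": dict(flaps), "native_config": native_config}

def report(summary: dict) -> str:
    """One line per interface, plus the global reconfig count."""
    ifns = sorted(set(summary["adapter"]) | set(summary["link"]))
    out = []
    for ifn in ifns:
        a = summary["adapter"].get(ifn, {})
        l = summary["link"].get(ifn, {})
        out.append(f"{ifn}: activated={a.get('activated', 0)} "
                   f"deactivated={a.get('deactivated', 0)} "
                   f"destroyed={a.get('destroyed', 0)} "
                   f"down={l.get('DOWN', 0)} up={l.get('UP', 0)} "
                   f"flaps={summary['flaps'].get(ifn, 0)}")
    out.append(f"iflib_netmap_config (native) reconfigs: {summary['native_config']}")
    return "\n".join(out)

# Lines copied from the dmesg excerpts in the posts above.
SAMPLE = """\
499.870971 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 1024 rxd 1024 rbufsz 2048
igc0: link state changed to DOWN
igc0: link state changed to UP
igc2: link state changed to DOWN
igc2: link state changed to UP
igc2: link state changed to DOWN
igc2: link state changed to UP
012.906533 [1137] generic_netmap_attach     Emulated adapter for igc2 created (prev was igc2)
012.915326 [1034] generic_netmap_dtor       Native netmap adapter for igc2 restored
012.923231 [1042] generic_netmap_dtor       Emulated netmap adapter for igc2 destroyed
012.940339 [ 320] generic_netmap_register   Emulated adapter for igc2 activated
012.963658 [ 295] generic_netmap_unregister Emulated adapter for igc2 deactivated
021.040581 [ 320] generic_netmap_register   Emulated adapter for igc0 activated
""".splitlines()

if __name__ == "__main__":
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE
    print(report(summarize(source)))
```

On the firewall itself, `dmesg | python3 netmap_churn.py -` gives the current boot's numbers, and the rotated copy the post refers to can be fed the same way with `python3 netmap_churn.py - < /var/log/dmesg.yesterday` (the script name and that path are assumptions). Comparing activated/deactivated counts and flaps per interface before and after a change (a policy toggle, a kernel update, removing VLANs) turns "it flaps a lot" into something you can put in a bug report.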
#15
I can't get netmap to work without issues for more than a day. Native netmap doesn't even work beyond 10 minutes or so, but it does make sense as the netmap documentation doesn't state that it supports the igc driver. My previous box with igb drivers (supported) didn't have the same issues, but it was underpowered.

Emulated mode works up to a day or so, but it doesn't take much to cause the interfaces being protected by Zenarmor (or, separately, Suricata when in IPS mode) to flap. Just changing a setting in the profile such as adding or removing blocking of ad tracking in the web content filter can cause issues.

I eliminated vlans, as I didn't need them (yet), but that didn't make a difference.

I'm going back to running in passive mode.