Messages - JonStuart

#1
Quote from: yeraycito on August 12, 2023, 04:13:39 PM
Instead of checking the update in a month's time, I recommend you to do it in a couple of centuries and see if it works well by then, in the meantime use Adguard:

https://forum.opnsense.org/index.php?topic=22162.225

Zenarmor is not just an ad block tool like adguard or pihole. It's a combination of that PLUS packet inspection which is the only REAL ad block. It combines two technologies together for a single purpose, eliminating the need to have two separate programs (consuming more resources) to accomplish the task. This is especially useful when ransomware and malware try to reach out to control servers that don't use DNS because hackers have gotten smart. Instead they have hard-coded IPs which completely bypass DNS. Even more....ad networks have also figured this out and are now hard-coding IPs into their ad code to bypass ad blockers such as adguard or pihole or even web browser plugins to stop ads. It is reckless to hand out advice about such things without understanding what each thing does and how it does it. For a simple ad block tool what you are suggesting might be fine.....but if anyone needs intrusion prevention (IPS) it is absolutely NOT ok. I should also note that the default rules for OPNsense Suricata are for basic protection ONLY. They are in no way useful for advanced protection nor are they the latest up to date rules. In fact they are NEVER newer than 30 days and most are 60 to 90 days old. If you want better rules you must pay for them.

In short I understand if you don't like this product and that is fine. Everyone has their preference....but please stop going from thread to thread bashing it. Just stop using it and let it be. People who are in here are trying to be productive and give valuable feedback.....you are not helping.
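The post above says that hard-coded IP addresses bypass DNS-based blockers. As an added example (not part of the original post, and not Zenarmor or OPNsense code), this script shows one way a defender can surface such traffic: correlate outbound flows with the DNS answers each client received and flag flows to external addresses the client never resolved. The two log formats, the sample lines, and the names `dnsless_flows` and `LOCAL_NETS` are constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not from the forum post).
# DNS answers: time, client, queried name, answer IP, TTL in seconds
DNS_LOG = """\
2023-08-12T10:00:01 192.168.1.20 example.org 198.51.100.7 300
2023-08-12T10:00:05 192.168.1.21 cdn.example.net 203.0.113.10 60
"""
# Outbound flows: time, client, destination IP, destination port
FLOW_LOG = """\
2023-08-12T10:00:02 192.168.1.20 198.51.100.7 443
2023-08-12T10:00:30 192.168.1.20 203.0.113.99 8443
2023-08-12T10:00:40 192.168.1.21 203.0.113.10 443
2023-08-12T10:00:45 192.168.1.20 203.0.113.10 443
2023-08-12T10:00:50 192.168.1.20 192.168.1.1 53
2023-08-12T10:30:00 192.168.1.21 203.0.113.10 443
"""

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also match
# the documentation ranges used in the sample data.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log):
    """Yield (timestamp, field, field, ...) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, *rest = line.split()
            yield (datetime.fromisoformat(ts), *rest)


def dnsless_flows(dns_log, flow_log, grace=timedelta(minutes=5)):
    """Return external flows not covered by a DNS answer given to that client."""
    windows = {}  # (client, answer IP) -> [(answer time, expiry time), ...]
    for ts, client, _name, ip, ttl in parse(dns_log):
        expiry = ts + timedelta(seconds=int(ttl)) + grace
        windows.setdefault((client, ip), []).append((ts, expiry))

    flagged = []
    for ts, client, dst, port in parse(flow_log):
        if any(ip_address(dst) in net for net in LOCAL_NETS):
            continue  # internal traffic is out of scope here
        spans = windows.get((client, dst), [])
        if not any(start <= ts <= end for start, end in spans):
            flagged.append((ts.isoformat(), client, dst, int(port)))
    return flagged
```

Flows flagged this way are leads for review rather than verdicts: long-lived connections, stale client caches and DNS-over-HTTPS clients also produce flows with no matching local DNS answer.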
#2
Quote from: ThyOnlySandman on August 12, 2023, 10:54:44 PM
Quote from: yeraycito on August 12, 2023, 04:13:39 PM
Instead of checking the update in a month's time, I recommend you to do it in a couple of centuries and see if it works well by then, in the meantime use Adguard:

https://forum.opnsense.org/index.php?topic=22162.225

I take it you don't like Zenarmor...
Over the years I've only had 1 other issue on another deployment before.  After month or two it would crash restarting protected LAN interface which would down network for 5 min but would recover.  Believe it was an update that later repaired.  Also believe it was shortly after a new Opnsense release.  Just like now, but they've completely re-done UI too.

Zenarmor does more than ad blocking.
My main complaint with Zenarmor is their business / license model.  I have a Fortigate 60F in transparent mode downstream this Opnsense I'm having issues with now.  The Fortigate is a real NGFW.  Zenarmor is not.  The yearly pricing plans for business edition simply don't compete against a Fortigate UTP subscription.  Having said that I still value the ads + app blocking + traffic analysis Zenarmor provides.
Briefly reviewing their 1.14 new version bit bummed that custom port applications require license.  As does the https blocking page.  Active directory agent now requires Enterprise.
Summary.  Decent tool.  Bad license model for provided value.

Have you tried to run a system audit and see what the results are? That looks like it's related to php and/or python.

Go to System >> Firmware >> Status

Then choose "Health" from the "Run An Audit" button next to the "Check for updates" button. You may also want to look at the "Upgrade" audit as well. Something isn't right though. An audit should help you find it.

I have the latest version of OPNsense and Zenarmor and it's working fine but on one older firewall (Been through many OPNsense updates) I had to manually fix some upgrade issues with OPNsense for a proper install of dependencies for Zenarmor. So you are probably looking for dependency issues in the audit.
#3
So I originally started this thread and I need to make a few things clear for me. It is NOT that Zenarmor is a bad product. When it works it works very well at not only blocking by DNS but IPs as well and at the same time. Some of you here are not really familiar with its capabilities. This is a very capable product for controlling local network traffic when it is outbound to the internet. It is VERY effective if you take the time to learn how to configure it. That is not the issue I have.....The sole problem I have is that they need to do better at testing before release to a paid audience. There is a standard practice for this and I feel like they have a poor implementation of it. That makes it unreliable to deploy for businesses or business clients if you are an MSP (Managed Service Provider). They could GREATLY increase its use and sale by making its releases more reliable for working on deployments. Some of you really like to argue for your favorite product in true Linux Tradition. I have tested this plugin in many critical situations and it performs exceptionally well even in free mode. I can't deploy it in critical situations because of this upgrade issue which sometimes seems to break.....when it works it works well.

Sunny Valley....if you are still paying attention to this thread.....PLEASE TAKE THIS TO HEART. You have got to get a better update track in place. I love your product and I want to, and can, sell this to clients I have. I can't do that in good conscience knowing that somewhere one of your updates will break its functionality and they will have to deal with it. Please take a look at this and let us know here in the public realm what your plan on this is.
#4
@dotlike I'm sorry to hear it made it to any of the paid versions. That really isn't good. I'm also in the IT industry and have been considering using Opnsense with Zenarmor as a replacement for some of my clients' Sonic Walls. I have a pretty well built home firewall that I have been test driving for some time now and I too love Zenarmor's features. As I already said, I'm not willing to pay subscriptions to software developers that are not properly testing before releases to PAYING customers. That is just simply a paywall for features but has the same headaches as the free versions. I'm also in the software industry as well and I can for sure tell you. You never let your paying customers suffer and you use your beta tests on the freeware. That's why it's free ;D. Anyway, enough ranting, seriously I love the product but I'm not gonna make my clients pay for it just to get a bunch of headaches. They need to get their development tracks set up and streamlined to prevent this from happening in the future. This is my 4th bout with this since the plugin was first released.
#5
 :)!!!!SUCCESS!!!! :)

I have installed and tested the new update to 1.14.2 from 1.14.1 and can confirm this fixed the issue. I have tested with and without VLANs and all looks good. It's a shame this wasn't caught before release but I am glad there was such a fast response to get it fixed and the fix was done right. Thank you for your efforts and the new interface looks very good!

To the person with the home lab @dotlike. Generally you should always test an update in a lab environment before deployment to a client. In the open source world it's a pretty well known law as well as back up EVERYTHING before you deploy regardless. I simply put a little too much trust in this plugin without testing and shouldn't have. I will now for the future. You have to understand that beta testing is for paid products because it costs time and time is money. Anyway, hope my advice helps....you can always test with a VM like VirtualBox. It provides snapshots and works with just about any modern PC. In contrast to that being said, and I don't really know, if this issue found itself into the paid version I would be VERY upset as that is exactly why I would pay for it so I wouldn't have that headache. If it did, then shame on Sunny Valley....they should 100% know better and they are killing their brand for no reason if it did.
#6
I've had to just block whole categories I want nothing from and leave the rest open. At least this way something is better than nothing. I'm just hoping someone at Sunny Valley reads these forums. This is a pretty huge break in their plugin. It would take many hours to configure what the categorization would take care of easily. Is there some place to go and notify Sunny Valley about it?
#7
I just updated several OPNsense boxes to 23.7 from 23.1.11_1 and with that update came the Zenarmor Engine 1.14.1 update. The previous version (1.13...) worked just fine. Suddenly I'm only able to Allow based on Categories. Anytime I try to block any one item in a category.....the entire category is blocked. I have tried uninstalling Zenarmor completely and rebooting and re-installing with no luck. This is happening on 3 boxes. The only way to allow anything is to add it to the white-list.

Example:
(Tried with all available database options. None made a difference.)
1. Fresh vanilla install of Zenarmor
2. Edit the default policy category "Search" by blocking say "Bing"
3. All other search engines in category list are also blocked

This message is in the "Notifications" section of Zenarmor:
Engine configuration error
Cannot read any worker configuration from workers.map
Source: engine

Any ideas on what I'm doing wrong or did I miss something? Anyone else having this issue?

EDIT: None of the boxes are using the default HTTPS port 443 for the WebGUI and all of them forward to the modified HTTPS port via the OPNsense GUI settings interface. Don't know if that makes a difference or not but they can't use port 443 anyway as there are other services on that port.