Messages

First time doing a OPNsense major upgrade running ZA.  I want to move from 25.7.11 to 26.1 , what get's upgraded first?

If I'm on the latest ZA version, do I just upgrade OPNsense and all should be well?

A few weeks later and ZA did in fact help me track down the malware. Naturally it as on a mobile device...!

Raise a ticket with Zenarmor, I hit a bug that was causing this and support fixed it. It was happening every 30 minutes for me, like clockwork.

My logs were full of this: Emulated netmap adapter for igb0 destroyed

EDIT2: Turns out this  was a bug. Zenarmor support were fantastic and they released a fix.


EDIT: I was running netmap driver for zenarmor in native mode, I switched to emulated and it's been stable over the last few hours since switching. I suspect there is  more to this, because if the native driver was so broken as to flap a link ever 30 minutes I'm sure it would be a  known issue. For now I have a workaround, but this isn't resolved  really.

LAN interface igb0 flaps every 30 minutes, pretty much to the second. The WAN interface on the same NIC does not flap. It flaps in a tight cluster of 3 or 4 flaps, then is fine for 30 minutes. It's been doing this for at least 1 week.

Additional changes in this timeframe were a Zenarmor install. I don't know if it was doing it prior, it could have been. 

Given the frequency, this doesn't look to be physical, switch port sees no errors of any kind (apart from logging the flaps).

I keep coming across an EEE energy saving feature that may be a cause, but doesn't seem clear (if possible) to disable on 25.x ?

Anything else I can do to troubleshoot this please?
   
igb driver. Dell K9CR1 INTEL I350T4 Quad Port
OPNsense 25.1.9

Thank you. I was always planning to go ZA on this firewall anyway (quad core zeon with 24GB ram and intel i350) and really this has push me towards finally getting it on.

Looks great so far. Not sure I need to protect my WAN nic though, it's detecting ipv6 devices 'on the net'

Keep in mind ZA is proactive not reactive. If there is already a malware somewhere in your network, the reactive part needs to be on you.

Depending on the type of malware, it may not even try to connect to the Internet, or it can be dormant and try to reach to a remote destination later. That remote destination however must be in ZA database if its not it will not identify it.

Regards,
S.

All well and good and I appreciate the input, but I have a *suspicion* of malware. I have no clear indicator.

What I wanted to know which you have answered, thank you, is that Zenarmor *should* if something makes a malicious connection to the internet, flag that. That will at least give me a clue.

Once I track down offending devices I know how to resolve them.

In the time you've waited, you could have scanned every scannable device, start at the beginning and start going, don't wait for some magic tool that will pinpoint the problem. Nobody builds time for these things into their day, we just get down to business and deal with it.

If you get down to devices that can't be scanned, start pulling them off the network one by one to try and isolate what's going on.

Also nothing stopping you from installing the free version of Zenarmor and looking at the Live Connections and doing some simple filtering if you see a device that you want to inspect more deeply. Look at where things are connecting, and use a web search to see if that site is a possible problem.

There are other AV that you could try on some of the other devices, but most of the IOT stuff is just not available to fix like this. If you can reload firmware/OS on these after backing up the config, then that might be worth doing.

Offline bootable scanner on *what*  though? I've checked the PCs. I have 30 devices of various sorts, home assistants, game consoles, etc.  Cellphones.

I was hoping to to get a clue to point me in the right direction as to what device may be compromised (if one is). I appreciate Zenarmor isn't an AV, I'm not expecting it to resolve the problem, but if it could tell me there is potential malicious activity from IP x.y.z on the network that would be huge..

ZA is not an antivirus.

It can identify malware and other malicious thing based on sessions. Meaning if a device in your networks tries to connect to a know domain/IP that is in its DB flagged as malicious like malware, the connection TCP/UDP will be blocked and ZA will prevent that device to connect to such domain.

Regards,
S.

You may want to use an offline (bootable) scanner:

https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline

Or maybe this other "online" scanner

https://www.trellix.com/downloads/free-tools/stinger/

These are the two that I've used and I normally run both the bootable Defender and then the Stinger after the reboot. I also run Trellix on my production system at work with their ePolicy Orchestrator which has proven to be "pretty good" at blocking things before they get started. Probably out of scope for you, but their cloud plan might fit if it was cheap enough.

As mentioned, Zenarmor can help block the suspected thing from getting commands from the web or downloading the real payload.

I suspect I have some malware running within my network. Small home office setup. < 30 devices.

Would Zenarmor help me track this down?

Thinking of going to zenarmor home, have an existing Opensense install, do I have to recreate existing rules in zenarmor or does it layer on top  somehow?

I finally got around to swapping in an i350 'igb' card from an 'em' based card

I had a few gotchas that make sense in hindsight.

I expected to swap my previous card for the i350 card. Knowing the drivers and interface names would be different I planned to connect via the servers onboard NIC I have configured for management.

I found that after swapping the em card for the igb card I could not connect to my management interface. On connecting a monitor and keyboard I realized why

Previous interfaces were em0,em1,em2 and em3 on the EM quad card. The management NIC on the motherboard had been assigned em4. However once the quad port nic em interfaces were no longer there, the management nic got allocated as em0.

My plan was to edit the config following the swap and replace mentions  of em in the config with igb. I just had to do this via a monitor and keyboard as the management nic address changing caught me out. 

Also editing the config file and replacing the nic interfaces worked well.

They are both quad port so no change there.
[...]
Would swapping the NICs be a matter of reassigning the ports? (no need to move rules etc?) I have the built in NIC on the board configured as a MGMT port so I can go in and fix things after the swap. 

Whoops! Failed to notice that - I don't think I've seen a quad 82571. The dual is 3.5W - you might save a couple watts with the i350. The higher PCI-e bandwidth shouldn't make any difference. Come to think of it, though, the 8257x had some driver quirks (bad setup parameters) that were patched in Linux (not by Intel), but I don't know that they made it to FreeBSD. Drove me nuts on Windows. But if your links are not flaky, it should be fine.

On a configured system? I think you have it right... but I haven't done it, so don't bet on it on my recommendation.

Sounds like no downsides. I'll swap it out during the next outage window (lol). 

Only if you need/want the additional ports. (I probably would, but that's just me.) 3.5W vs. 5W - not much different there, either.

They are both quad port so no change there. I bought the I350T4 specifically for the build but it never got installed.

Would swapping the NICs be a matter of reassigning the ports? (no need to move rules etc?) I have the built in NIC on the board configured as a MGMT port so I can go in and fix things after the swap. 

Currently running a quad Intel 82571EB nic any benefit to switching it for an  I350T4 I have sitting around?

Thinking of trying Zenarmor

Firewall machine is a dedicated Intel i7 7600U with 24gb.

Supports a small home network on 1000/1000 fiber and around 18 client devices. No VPN.

It went smooth as smooth can be. Thanks team. Amazing work.

Thanks! I'll take the plunge once the demanding user base (family!)  are not around for a few hours.