Messages

A user on Reddit suggested restarting the Packet Engine after disabling Cloud Threat Intelligence and that did the trick to get speed and latency back under control until CTI is working again.

This seems like a critical data flow path failure that needs to be addressed promptly in a Zenarmor software update. I have no problem if Zenarmot uses the cloud for added functionality, but a local firewall should never DEPEND on a cloud service for basic functionality.

That's my feeling as well.

I can work with outdated signatures in the case of a Cloudflare outage, however, a 90% reduction in bandwidth as well as 500ms+ latency is a no go for me.

I've disabled Zenarmor and gone back to Unbound DNS Blocklists for now.

I can only get 5% of my internet speeds currently with Zenarmor enabled.  I had hoped that disabling Cloud Protection would fix that for now, however, it doesn't appear to.  In order to get my speed back I had to enter bypass mode.

Is there another option to avoid 3rd party reliance that I'm missing for a temporary fix that would all me to have at least some protection when Cloudflare goes down?

Hi,

Thanks for the details. I will forward your feedback to the product team.

No problem and thanks!

If you need anything else let me know as I left the VM running after moving to OPNsense as I still have 4.5 years left on my license.

This ability would make me completely forget about Untangle as it'd make OPNsense equal to or better than Untangle in every meaningful way plus Arista is a horrible company.

ZA is a NGFW/IPS/IDS, its function is to inspect and understand traffic and/or patterns. Routing as such is done on OPNsense.

what do you mean by tagging? How to you TAG the traffic? Where do you TAG it?

Regards,
S.

In Untangle it's under the Events application that you can tag hosts when the traffic matches a specific criteria:



Then you go over to the Tunnel VPN application and create a rule to route that traffic over a specific tunnel (or any available tunnel) based off of the tag that was assigned in the above step.


You can route/block traffic in OPNsense using tags as well as I use that for the WireGuard Killswitch with a firewall rule that tells the traffic to go over the WireGuard tunnel (based on IP) sets a local tag of NO_WAN_EGRESS and then the KillSwitch rule checks for that tag and blocks the traffic if the Destination is the WAN rather than a tunnel.

I just don't see a way to have something like Zenarmor set a tag so that I can do something like Untangle does.

Is this possible as it's something I used a lot in Untangle so that I could send say BitTorrent traffic out over a VPN without having to know the clients IP beforehand?

I'd tag the traffic and then Tunnel VPN would look for that tag and send the traffic out over an established tunnel.

I just updated on my Home subscription instance and it doesn't appear that multi-threading is available so that's a huge bummer.

I'll see what they have to say but I'm not too interested in SASE so I'll just keep going as is or disable IPS/IDS I guess.

Even 2 or 4 cores would be a huge improvement.

I'm going to be very disappointed if they don't give paid home users something.

Even raising the price or having a higher tier home plan would be fine with me.

I'm not happy at all about not getting multi-core support as a paid home license user.

I run on older hardware and have been looking forward to this feature for years now not knowing it'd be locked behind a paywall.

I guess I'll see if I keep my subscription or not depending on what they do when it's finally ready.

I left Untangle for this kind of stuff so dumping Zenarmor is an option as well.

I didn't realize the policy count had increased....awesome!

I also wish that multi-threading was available since I don't have the fastest single core speeds but I have lots of cores to throw at the processing.

Example

Thanks!  I must have missed that somehow in the documentation as I thought it was IP only.

I'm trying to figure out how to add FQDN's as aliases but thus far am striking out.

Is this possible?

Specifically, I'm using this to allow people with DDNS to connect to my servers when they sign up for No-IP and get a FQDN.

Yeah they do that on occasion.

https://forum.opnsense.org/index.php?topic=45472.0