Topics

1

Zenarmor (Sensei) / So many devices!

« on: June 15, 2024, 08:09:30 am »

I was getting close to deploying my OPNsense & Zenarmor combination as a transparent bridge, but then it started to add a crazy amount of devices. Many of them it seems are not devices, but just IP addresses of sites i've been visiting and testing.

Any idea what's going on? I am going to use the Home licenses and it has a limit of 100. Right now, with minimal testing, it's already hitting 101.

2

General Discussion / Strange issue updating packages

« on: June 13, 2024, 05:40:05 am »

I have the following setup, I followed this guide because I intend to install ZenArmour.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Version: OPNsense 24.1.8-amd64

Two interfaces in bridge mode:
LAN (opt1)   
   device: re0
   link type: none
WAN (opt2)
    device: re1
    link type: none
Bridge (opt3)
    device: bridge0
    link type: static
    IPv4: 192.168.1.2/23
    Routes: 192.168.0.0/23

Network topography is...
Internet > Arris modem > Unifi USG Lite gateway > OPNsense device > Unifi Switch connected to the rest of my local network

Bridge is working great, all traffic from my network is passing over the bridge without issue. Now I wanted to install ZenArmour, but when I go to System > Firmware > Status and Check for updates, it fails with the error "Could not find the repository on the selected mirror."

Updates log shows...

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.1.8 at Thu Jun 13 03:33:08 UTC 2024
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/sets/changelog.txz: Network is unreachable
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/meta.txz: Network is unreachable
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/packagesite.pkg: Network is unreachable
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/packagesite.txz: Network is unreachable
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I figured somehow DNS wasn't working, so I went to Interfaces > Diagnostics > DNS Lookup and entered "pkg.opnsense.org". I got the following reply.

Response
Type   Answer   Server   Query time
A   pkg.opnsense.org. 900 IN A 89.149.222.99   192.168.1.4   28 msec
AAAA   pkg.opnsense.org. 900 IN AAAA 2001:1af8:5300:a010:1::1   192.168.1.4   27 msec

So DNS seems to be working fine, that's my local DNS server that's external to the OPNsense device that forwards requests onto my Cloudflare DNS resolvers.

I resolved "pkg.opnsense.org" to 89.149.222.99 on another device and attempted to ping it from Interfaces > Diagnostics > Ping

All packets failed, with the error "sendto: No route to host".

If I ping any address on my 192.168.1.0 network, those pings do work.

I looked at the "IPv4 gateway rules" option on the Bridge interface, but it just says "Disabled". I don't see a way to specify the default route.

Any ideas what's going on? The bridge is working, but the OS doesn't seem to know a valid route to the internet.