Topic: Zenamour not respecting default gateway to contact bc.googleusercontent.com:5355 (Read 1920 times)
jkemp (Jr. Member, Posts: 56, Karma: 2), October 07, 2022, 05:22:51 pm:
Hello,
I have a question about why Zenarmor is using my WAN interface to contact Google user content servers when my default gateway is on a VPN. When I disable Cloud Threat it stops logging those connections on port 5355, but as one would guess I need it enabled to get up-to-date info. That's okay, but why bypass my VPN to do that?
Am I wrong here? Can someone help me understand why or how this package is able to do that? Use my ISP WAN connection instead of my VPN?
James
(Last Edit: October 07, 2022, 05:29:02 pm by jkemp)
Reply #1, mb (Hero Member, Posts: 941, Karma: 99), October 07, 2022, 05:43:04 pm:
Hi @jkemp,
Cloud queries should be routed according to the FW's routing table. Zenarmor does not modify routing entries.
Maybe the VPN route is not in effect for FW-originated connections?
Reply #2, jkemp (Jr. Member, Posts: 56, Karma: 2), October 07, 2022, 05:54:20 pm:
All of my other traffic goes through the VPN interface. If the VPN fails, I have no internet, kind of a kill switch. This is why I am asking how Zenarmor is able to go directly through my WAN interface. I have seen OPNsense time servers do this also.
Thanks for the quick response. Also, I really like the Zenarmor filtering and reporting capabilities, so I really want to find out why this is happening.
Reply #3, mb (Hero Member, Posts: 941, Karma: 99), October 07, 2022, 06:07:30 pm:
Got it, thanks. Any chance you could run a traceroute to 1.1.1.1 from the firewall console? Does that use the expected route?
Reply #4, jkemp (Jr. Member, Posts: 56, Karma: 2), October 07, 2022, 06:18:02 pm:
No, it doesn't. It also passes right through on the WAN interface. Can you point me to where I can close this bypass? Maybe I should do a little more studying on the situation?
Reply #5, mb (Hero Member, Posts: 941, Karma: 99), October 07, 2022, 10:57:21 pm:
Hi @jkemp,
Got it. This means the firewall itself does not use the VPN route.
It's a bit tricky, and also very hard to provide guidance without having a look at the whole configuration.
But in a nutshell, you'd want to route everything (0.0.0.0/0) through the VPN gateway, with the exception of the VPN server. The communication to the VPN server should use the existing ISP route, since otherwise you'd lose the VPN connection.
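The behaviour the thread is circling around is that a gateway set on a firewall rule only policy-routes traffic that passes through the firewall; anything the firewall itself originates (Zenarmor's cloud queries, NTP, a traceroute typed at the console, as in Reply #3) is forwarded purely by the kernel routing table, which is why it leaves via the ISP while every LAN client goes through the VPN. The example below, added here and not code from the thread, OPNsense or Zenarmor, models that lookup: it parses two constructed `netstat -rn`-style tables, the "before" state (system default route still on the ISP interface) and the layout mb describes in Reply #5 (0.0.0.0/0 via the VPN gateway, with only the VPN server kept on a host route via the ISP), and does the same longest-prefix match the kernel does to show which interface a firewall-originated packet would use. All addresses, the interface names (`igb0` for the ISP WAN, `tun0` for the tunnel) and the VPN server address `198.51.100.10` are made-up RFC 5737/1918 values for illustration; on a real box the equivalent checks are `netstat -rn` and `route -n get 1.1.1.1`.

```python
"""Simulate the kernel's route lookup for firewall-originated traffic.

Added example, not code from the forum thread, OPNsense or Zenarmor.
Both tables are constructed netstat -rn style dumps; every address,
gateway and interface name in them is invented for illustration.
"""
import ipaddress

# Constructed "before" state: LAN clients are policy-routed into the VPN by
# firewall rules, but the system default route still points at the ISP
# gateway on igb0, so traffic the firewall itself generates leaves via igb0.
RT_BEFORE = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.8.0.0/24        link#3             U          tun0
198.51.100.10      203.0.113.1        UGHS       igb0
203.0.113.0/24     link#1             U          igb0
"""

# Constructed "after" state, the layout described in Reply #5: 0.0.0.0/0 now
# goes to the VPN gateway on tun0, and only the VPN server (198.51.100.10,
# invented) keeps a /32 host route via the ISP so the tunnel can be reached.
RT_AFTER = """\
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS        tun0
10.8.0.0/24        link#3             U          tun0
198.51.100.10      203.0.113.1        UGHS       igb0
203.0.113.0/24     link#1             U          igb0
"""


def parse_rt(text):
    """Turn a netstat -rn style dump into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the column header
        dest, gw, _flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A bare host entry such as 198.51.100.10 is a /32 host route.
        routes.append((ipaddress.ip_network(dest, strict=False), gw, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it.

    Returns (prefix, gateway, netif) of the most specific route covering dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def egress(table_text, dst):
    """Interface the firewall itself would send a packet for dst out of."""
    return lookup(parse_rt(table_text), dst)[2]


def check_kill_switch(table_text, vpn_server, vpn_if, probes):
    """Return the probe destinations that would bypass the VPN.

    A destination leaks when it egresses on anything other than vpn_if.
    The VPN server itself is exempt: it must be reached via the ISP or the
    tunnel can never come up (the point made in Reply #5).
    """
    return [d for d in probes
            if d != vpn_server and egress(table_text, d) != vpn_if]


if __name__ == "__main__":
    # 1.1.1.1 is the probe from Reply #3; 192.0.2.50 stands in for any other
    # public destination, e.g. a cloud-reputation or NTP server.
    probes = ["1.1.1.1", "192.0.2.50", "198.51.100.10"]
    for name, table in (("before", RT_BEFORE), ("after", RT_AFTER)):
        for dst in probes:
            print(f"{name:6} {dst:15} -> {lookup(parse_rt(table), dst)}")
        leaks = check_kill_switch(table, "198.51.100.10", "tun0", probes)
        print(f"{name:6} destinations bypassing the VPN: {leaks}")
```

The interesting check is the last one: with the "before" table every firewall-originated destination except the VPN server leaks via `igb0`, which is exactly the symptom in the opening post, and with the "after" table nothing does. Because the lookup is longest-prefix, the same function also explains the usual OpenVPN `redirect-gateway def1` trick, which installs `0.0.0.0/1` and `128.0.0.0/1` via the tunnel plus a host route to the server rather than replacing the default route; those /1 entries win over the ISP's /0 without touching it. Whatever mechanism is used, a "kill switch" for the firewall's own traffic only exists if the system default route (not just the gateway on LAN rules) points into the tunnel, and a floating block rule on the WAN for traffic sourced from the firewall, excluding the VPN server, is the belt-and-braces check that nothing escapes while the tunnel is down.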
Reply #6, jkemp (Jr. Member, Posts: 56, Karma: 2), October 08, 2022, 01:33:46 am:
I agree; I mentioned the time servers are also bypassing. Thank you for all the quick responses. I've got a little digging to do. I suspect there may be a race going on. 99% of the traffic does use the VPN. It seems to be what's built into OPNsense that's on the move.