Zenarmor Dashboard: Local and remote Hosts inverted in graphs

Started by wstemb, March 28, 2023, 09:45:12 AM

I had to put the Zenarmor service from Routed mode to Passive mode due to "DEVD: Ethernet detached event for optx", which was disrupting an important application communication over that interface, at least until I find the real cause of these events (and the solution, if possible). The reconfiguration was done without reinstalling the entire Zenarmor.

After setting the "Passive mode", the above error disappeared from the log (and the application is working well), but I found a strange situation in the Zenarmor Dashboard.

On the graphs "Top local Hosts" and "Top Remote hosts" the displayed host graphs are inverted: under Local, I see external hosts; under Remote, I see graphs for IP addresses from my Intranet (RFC1918 subnets). On the "Table of remote hosts" it is the same, I have only local internal IP addresses in the table. The "Table of local assets" is OK.

The trouble is that "Drill down" returns empty graphs until I manually repair the filters from "source" to "destination" (or the opposite, depending on which graph I want to drill down). Once the filters are updated, the graphs are displayed correctly, so the data in the database on which the filtering is made has to be OK (the logic of the filters corresponds to the searched items: "Source hostname" for local hosts / "Destination hostname" for external-internet hosts).

While I used Zenarmor in "Routed mode", all was OK.

It is not the first time I have had this behavior (it happened on 22.7), but it disappeared in one of the reinstalls or reconfigurations during the test phase.

The system was working stably and as expected until the needed config change described above, so I cannot tell whether this change is the cause or whether it simply triggered the error. I have to repeat and reproduce the scenario, but I can't do it now, so as not to risk disrupting the communication of the app sensitive to lost conversations. So I will retry it in one of my "maintenance windows" and confirm here.

License:    Free Edition
Engine Version:    1.12.4
UI Version:    23.2.24
Database Version:    1.12.22122618
Reporting Database Backend: MongoDB


Hi,

In passive mode, Zenarmor uses pcap instead of netmap. It only provides a copy of the packets. So Zenarmor classifies the traffic according to source and destination address. It cannot know which one is the local side and which the remote side. With the upcoming releases a configuration option will be available in passive mode to indicate the LAN and WAN interfaces, so that Zenarmor can determine the local and remote IP addresses.

As for the Routed mode, can you please elaborate on the exact problem you experienced? Can you explain it in more detail?

Regards
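The classification issue described in this reply, as an added illustration that is not Zenarmor's own code: when a passive sensor only sees packet source and destination, "top local hosts" keyed on the packet source puts the far end of every inbound reply under Local. Keying on LAN membership instead (here the RFC1918 prefixes mentioned earlier in the thread, standing in for the LAN/WAN option the reply announces) orients each flow correctly regardless of packet direction. The flow records and addresses (TEST-NET ranges) are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample "flows" as (src_ip, dst_ip, bytes); the first two lines are a
# request and its much larger reply, the last is LAN-to-LAN traffic.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 1200),    # outbound request
    ("203.0.113.5", "192.168.1.10", 48000),   # inbound reply (most of the bytes)
    ("192.168.1.20", "198.51.100.7", 80),
    ("198.51.100.7", "192.168.1.20", 120),
    ("192.168.1.10", "192.168.1.20", 500),    # no remote side at all
]

# Assumed LAN definition: the RFC1918 subnets the original poster mentions.
LAN_PREFIXES = [ipaddress.ip_network(p)
                for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(ip, lan_prefixes=LAN_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lan_prefixes)

def orient_flow(src, dst, nbytes):
    """Return (local_host, remote_host, bytes) independent of packet direction,
    or None when the flow has no clear local/remote split (both or neither local)."""
    src_local, dst_local = is_local(src), is_local(dst)
    if src_local and not dst_local:
        return (src, dst, nbytes)
    if dst_local and not src_local:
        return (dst, src, nbytes)
    return None

def top_hosts_by_direction(flows):
    """Direction-only view (what a sensor without LAN knowledge can do):
    local := packet source, remote := packet destination. Inbound packets
    therefore land external hosts under 'local', the symptom in this thread."""
    local, remote = Counter(), Counter()
    for src, dst, nbytes in flows:
        local[src] += nbytes
        remote[dst] += nbytes
    return local, remote

def top_hosts_by_lan_membership(flows):
    """LAN-aware view: bytes are attributed to the LAN host and the non-LAN host
    no matter which side sent the packet; LAN-to-LAN flows are left out."""
    local, remote = Counter(), Counter()
    for src, dst, nbytes in flows:
        oriented = orient_flow(src, dst, nbytes)
        if oriented is not None:
            lhost, rhost, n = oriented
            local[lhost] += n
            remote[rhost] += n
    return local, remote
```

Running both functions on SAMPLE_FLOWS shows the swap: the direction-only view ranks 203.0.113.5 as the top "local" host and 192.168.1.10 as the top "remote" host, while the LAN-aware view puts 192.168.1.10 under Local with 49200 bytes and 203.0.113.5 under Remote.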

It is described in: https://forum.opnsense.org/index.php?topic=33198.msg160597#msg160597

In passive mode there were no attached/detached igb1 events in the log, nor complaints from users.

Last WE we had a phishing attack, not dropped by other protections, so I decided to return to Routed mode, to have at least some default protections from the default policy (including blacklisting the links from the phishing attack).

In between the provider equipment (not under my control, I have just an Ethernet cable and one IP address) and my firewall, I placed a small VLAN with two ports, to be able to check in the logs whether the detachment of the interface is provoked by some disconnection from the far side, or by the firewall interface itself (netmap driver).

No interface igb1 re-initialization until now.

Walter


Quote from: Rootfix on April 04, 2023, 04:17:20 PM
Hi,

In passive mode, Zenarmor uses pcap instead of netmap. It only provides a copy of the packets. So Zenarmor classifies the traffic according to source and destination address. It cannot know which one is the local side and which the remote side. With the upcoming releases a configuration option will be available in passive mode to indicate the LAN and WAN interfaces, so that Zenarmor can determine the local and remote IP addresses.

...


But I have the impression there is no problem in the [Source] or [Destination] categorization of addresses, just in the graph displaying it. If I drill down on the Local Hosts or Remote Hosts graph, it just uses the wrong filter (the one corresponding to the graph) and displays nothing.

If I correct it by placing the opposite filter, e.g. the [Source Hostname] filter for real internal (local) addresses that are displayed wrongly in the "Remote Hosts" graph, the filter displays the graphs of this local (source) machine correctly.

To be clear, when in Routed mode, Zenarmor is protecting the LAN interface only (igb0). There is no allowed access from outside (WAN) to hosts on the LAN, just from some other isolated segments (DMZ-like).

Walter


Quote from: Rootfix on April 04, 2023, 04:17:20 PM
With the upcoming releases a configuration option will be available in passive mode to indicate the LAN and WAN interfaces, so that Zenarmor can determine the local and remote IP addresses.
Hello,

Is this the security zone label in the "Configuration"? That is not saved for the interfaces if they're not used. As a result, passive mode still swaps inbound/outbound connections. It also misses most bytes during high throughput: the charts show only 1/100th of the volume, while the "Interfaces" graph shows more, but still much less than reality. I can't find one tool that can capture traffic on OPNsense. Ntopng can't even handle 100kpps, Ingress also drops data. Iftop drops data too. The Zenarmor traffic graph is half empty, and so is Reporting\Traffic (iftop). Zenarmor active mode kills 50% of the bandwidth on a 10000 passmark CPU. None of the tools display connections blocked by the firewall.
But all this information is in filterlog, and that one is not displayed anywhere :(