[RESOLVED] Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"

Started by JonStuart, August 08, 2023, 12:23:36 PM

I just updated several OPNsense boxes to 23.7 from 23.1.11_1 and with that update came the Zenarmor Engine 1.14.1 update. The previous version (1.13...) worked just fine. Suddenly I'm only able to Allow based on Categories. Any time I try to block any one item in a category, the entire category is blocked. I have tried uninstalling Zenarmor completely and rebooting and re-installing with no luck. This is happening on 3 boxes. The only way to allow anything is to add it to the white-list.

Example:
(Tried with all available database options. None made a difference.)
1. Fresh vanilla install of Zenarmor
2. Edit the default policy category "Search" by blocking say "Bing"
3. All other search engines in category list are also blocked

This message is in the "Notifications" section of Zenarmor:
Engine configuration error
Cannot read any worker configuration from workers.map
Source: engine

Any ideas on what I'm doing wrong, or did I miss something? Anyone else having this issue?

EDIT: None of the boxes are using the default HTTPS port 443 for the WebGUI and all of them forward to the modified HTTPS port via the OPNsense GUI settings interface. Don't know if that makes a difference or not but they can't use port 443 anyway as there are other services on that port.

Same issue here, I switched to Passive mode (reporting only).

I've had to just block whole categories I want nothing from and leave the rest open. At least this way something is better than nothing. I'm just hoping someone at Sunny Valley reads these forums. This is a pretty huge break in their plugin. I would take many hours to configure what the categorization would take care of easily. Is there some place to go and notify Sunny Valley about it?

Just use the Feedback button within the OPNsense GUI; it sends a mail to them including relevant system info and config files. They reply usually within a working day or so.
In theory there is no difference between theory and practice. In practice there is.

Same thing here:

I've only Blocked in Network Management
DNS over TLS
DNS over HTTPS

and now DNS and NTP are not working (they are in allow mode like the rest ...)


Same here. Worst upgrade experience so far...
I am lucky that this only affects my homelab... This would escalate quickly at a customer site!

 :)!!!!SUCCESS!!!! :)

I have installed and tested the new update to 1.14.2 from 1.14.1 and can confirm this fixed the issue. I have tested with and without VLANs and all looks good. It's a shame this wasn't caught before release but I am glad there was such a fast response to get it fixed and the fix was done right. Thank you for your efforts and the new interface looks very good!

To the person with the home lab @dotlike. Generally you should always test an update in a lab environment before deployment to a client. In the open source world it's a pretty well-known law, as well as backup EVERYTHING before you deploy regardless. I simply put a little too much trust in this plugin without testing and shouldn't have. I will now for the future. You have to understand that beta testing is for paid products because it costs time and time is money. Anyway, hope my advice helps....you can always test with a VM like VirtualBox. It provides snapshots and works with just about any modern PC. In contrast to that being said, and I don't really know, if this issue found itself into the paid version I would be VERY upset as that is exactly why I would pay for it so I wouldn't have that headache. If it did, then shame on Sunny Valley....they should 100% know better and they are killing their brand for no reason if it did.

My issues were also resolved by the new update  :)

@JonStuart: I had Veeam backups and configuration backups for the OPNsense VM. So I could step back easily. I have a Zenarmor Home Edition subscription (so a paid version) and was a bit disappointed that the QA team of Sunny Valley hasn't tested the upgrade in more detail.
But as I am working in the IT industry I get in contact with software/firmware bugs quite a lot - so no surprise  ;D

That being said I am still a big fan of Zenarmor and its features.
BR

@dotlike I'm sorry to hear it made it to any of the paid versions. That really isn't good. I'm also in the IT industry and have been considering using OPNsense with Zenarmor as a replacement for some of my clients' SonicWalls. I have a pretty well built home firewall that I have been test driving for some time now and I too love Zenarmor's features. As I already said, I'm not willing to pay subscriptions to software developers that are not properly testing before releases to PAYING customers. That is just simply a paywall for features but has the same headaches as the free versions. I'm also in the software industry as well and I can for sure tell you: you never let your paying customers suffer and you use your beta tests on the freeware. That's why it's free ;D. Anyway, enough ranting, seriously I love the product but I'm not gonna make my clients pay for it just to get a bunch of headaches. They need to get their development tracks set up and streamlined to prevent this from happening in the future. This is my 4th bout with this since the plugin was first released.

I just noticed that for my Home subscription, sub-categories were also reset. I only blocked DoT and DoH, now the complete parent category is blocked.
And on top of that (I posted a separate topic here for this), that policy disabled itself. Twice now, after Zenarmor got updated I think.

Oh boy, I used to be a big fan of Zenarmor. Now I'm actually considering cancelling my subscription.

Resetting policies, partly or disabling subcategories, that cannot happen on a firewall software I pay for.

Quote from: athurdent on August 09, 2023, 09:28:15 AM
Oh boy, I used to be a big fan of Zenarmor. Now I'm actually considering cancelling my subscription.

Yeah, I canceled my home subscription. Not really worth it anymore, poor QA along with nerfing features was enough for me.

Who cares about a fancy web UI when the core features get broken.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: sorano on August 09, 2023, 10:22:22 AM
Quote from: athurdent on August 09, 2023, 09:28:15 AM
Oh boy, I used to be a big fan of Zenarmor. Now I'm actually considering cancelling my subscription.

Yeah, I canceled my home subscription. Not really worth it anymore, poor QA along with nerfing features was enough for me.

Who cares about a fancy web UI when the core features get broken.

I totally agree, Zenarmor has not only never worked well, but over time it has not worked well either in the free version or in the paid version, which no one in their right mind should pay for. As for the free version, it is just a visually appealing software without any functionality and there are better alternatives such as Adguard.

Over the centuries Opnsense will be remembered as an excellent firewall capable of giving incredible control of local network devices with powerful add-ons such as Suricata, Adguard or Wireguard but it will never be remembered for Zenarmor unless we wanted to recommend it to our worst enemy.

Quote from: yeraycito on August 09, 2023, 02:02:29 PM
Over the centuries Opnsense will be remembered as an excellent firewall capable of giving incredible control of local network devices with powerful add-ons such as Suricata, Adguard or Wireguard but it will never be remembered for Zenarmor unless we wanted to recommend it to our worst enemy.

I have to disagree there, Zenarmor works pretty well most of the time and protects my kids and guest network perfectly. A lot of stuff has been blocked in the past.
Suricata is old-fashioned IPS/IDS, definitely not the way to go to really protect anybody nowadays. Adguard only relies on DNS, and with DoH and DoT circumventing it, will be less useful in the future. I am blocking a lot of DoH/DoT ATM, without having it configured anywhere; the opposite is the case actually. Getting rid of it wherever I see it. But apps as well as macOS/iOS have it built in and will use it under certain circumstances.

Zenarmor's DPI is awesome, and does way more than just ad blocking. E.g. it can block DoH/DoT, which is very important to prohibit if you want to keep controlling DNS. I have not cancelled my subscription yet BTW, Zenarmor support is looking into my problems ATM. They have great and very responsive support.