Error about misconfigured interfaces

Started by tigo003, April 27, 2024, 08:20:31 AM

I'm now getting the following error after the recent update of Zenarmor.

Zenarmor -    v.1.17.1
Zenarmor Application DB: 1.17.24042216

I haven't changed anything with my configuration - and Zenarmor is strictly configured for the LAN interfaces across different VLANs.

Is anyone facing a similar problem? 

"Possible deployment misconfiguration: devices with public IP addresses detected"  To correct this, please see the following document: https://www.zenarmor.com/docs/opnsense/installing/web-ui-initial-configuration#3-deployment-mode--interface-selection


April 27, 2024, 03:21:53 PM #1 Last Edit: April 27, 2024, 11:22:36 PM by enduser69
I'm currently experiencing the same issue. I've tried switching between the different deployment modes and removed all vpn interfaces so that there is only a lan interface being probed by zenarmor. all my ports are closed.

edit:
- ok I've disabled ipv6 thinking i don't understand that stuff too well maybe that's the culprit, but no still getting a misconfiguration warning twice a day.
- at some point in my troubleshooting adventures 700+ devices showed up (they appeared to be the endpoints of everything being queried within my network local & wan destinations)
- netmap appears to be installed and functioning nominally

- opnsense healthcheck produces this maybe related entry
Version 24.1.5 is correct.
>>> Check for missing or altered base files
Error 2 occurred.
etc/sysctl.conf:
   size (299, 464)
   sha256digest (0x45f469e7a9b4eef887bab7b55397305043fe101e1d6ce6f7e23d758e72f56dc6, 0x13f0a06a1c6d76492abd3424150cd1f80e55d8837409a6e11a2288a968ff9277)

- zenarmor database health check does not initiate the misconfiguration warning again & produces no warnings or error (only tailed the last 25 lines of mongodb.log file)

opnsense 24.1.6
zenarmor 1.17.1
Zenarmor Application DB: 1.17.24042216

Just ran a health check audit, and similarly, had a similar error 2 in regards to sysctl.conf - size issue.


I think this is a false positive on zenarmor's part. dnsleaktest looks normal...

I'm pretty new to opnsense & freebsd in general so my diagnostics are a bit rudimentary. I'd really like to get zenarmor functioning properly or understand why it isn't playing well w/ my setup before my 2 week trial is up.

But can't find any documentation on using zenarmor or os-sensei via cli or instructions on probing zenarmor notifications further. I guess I'm not really even sure what the error in question is trying to indicate. Any links or instruction on achieving this would be much appreciated.

I've simplified my network to defaults now using 8.8.8.8 1.1.1.1 on dns, only 1 lan 1 wan, only using ipv4. I've cycled through all combinations of the deployment modes and interface selection on zenarmor's settings tab w/ the same results.


Hi,

Please can you share a report by checking Zenarmor logs and config checkboxes via Have Feedback option in UI?

Done - just sent the requested feedback.
Thank you,

May 22, 2024, 02:01:42 AM #6 Last Edit: May 22, 2024, 02:11:22 AM by 36thchamber
Can the message mention the interface? I don't know what to do with this message, no clue what could cause it. in ntopng, for example, they would tell me explicitly, and i would see it visually in the GUI, but this message is mysterious and there's no clue in the GUI.

The recent update that was rolled out a couple of days ago - solves the issue. All is working correctly now.

the message pops up when it accumulates 10000+ devices so need to wait. Running health check on CLI won't make it appear asap.
So it still pops up on the new version. In subscription page, number of devices: 2500. I have only a few devices. I track WG marked as WAN (as there's no "VPN" predefined => won't be treated as WAN). One of them is forward for few VPN clients.

so i investigated how to trigger the message in v1.17.3, here's how:
* configctl zenarmor notice-public-ip-devices
* in browser you do have to refresh the Dashboard view manually
then you get the popup instantly.
now with this procedure, i've checked interfaces, and the popup appears for ANY interface.
-> ignore the popup. just like "local", "remote" hosts, it doesn't work.

Hi,

Do you see the device(s) with public IP address in device list?


I am also seeing this error, as a banner on the dashboard:

> Possible deployment misconfiguration: devices with public IP addresses detected
> Zenarmor's health check system detected 7195 devices with public ip addresses associated with them.

Under "Live Sessions" I see connections with correct internal src and external dst addresses, but where the "Device" is listed as the IP of the destination address. For example, I see a connection from a local Macbook to iCloud on VLAN1, where the device shows up as a public iCloud IP "Device (ip4:#.#.#.#)" instead of the private Macbook IP.

This started in May, but I just upgraded to 1.17.4 and opnsense 24.1.8 with no change. After rebooting, I still see the warning and incorrect Device names for new connections.

I currently have Zenarmor running in passive mode, monitoring 7 VLANs on a LAGG. (Zenarmor is configured to monitor each VLAN individually, as having it monitor the underlying LAGG interfaces separately resulted in packet loss in the past, due to some connections using both interfaces.)

I have multi-wan setup, but only internal VLANs are configured.

Hi,

Zenarmor uses pcap technology, which gives the engine very limited capability over packets when used in Passive Mode. As a result, the Zenarmor packet engine may not correctly determine the packet direction, resulting in mixed reporting. For more accurate reporting results, it is recommended to use Zenarmor in Directed mode. In addition, Device identification therefore enables IP detection on the WAN side

Just change your local IP to a local IP address. You are using a public IP on your LAN. Here are the private IP addresses:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

If your LAN IP is outside these ranges, it is considered a public IP and Zenarmor will show you this problem.
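
One way to tell apart the two explanations offered in this thread (the Live Sessions symptom where the device is the destination address, and a LAN addressed outside the private ranges listed above), as an added example that is not from any poster or from Zenarmor. The record fields `src`, `dst` and `device` are assumed names for values copied by hand from Live Sessions, not a Zenarmor export format, and the sample rows are constructed.

```python
import ipaddress
from collections import Counter

# The three private ranges listed in the post above (RFC 1918). Explicit
# networks are used because ipaddress.is_private also covers other reserved
# blocks, which would hide the cases this check is looking for.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify(session):
    """Say why a session's device address is (or is not) public."""
    src, dst, dev = session["src"], session["dst"], session["device"]
    if is_private(dev):
        return "ok"
    if dev == dst and is_private(src):
        # Private client, but the remote end was recorded as the device:
        # the symptom described for passive mode in this thread.
        return "direction-swapped"
    if dev == src:
        # The LAN host itself sits outside the private ranges.
        return "public-lan-addressing"
    return "unknown"


def summarize(sessions):
    return Counter(classify(s) for s in sessions)


# Constructed sample rows (hypothetical field names). Public addresses are
# taken from the documentation ranges; 172.32.0.9 is just past 172.16.0.0/12.
SAMPLE = [
    {"src": "192.168.10.23", "dst": "203.0.113.10", "device": "192.168.10.23"},
    {"src": "192.168.10.23", "dst": "203.0.113.10", "device": "203.0.113.10"},
    {"src": "10.0.20.5", "dst": "198.51.100.7", "device": "198.51.100.7"},
    {"src": "192.0.2.44", "dst": "198.51.100.7", "device": "192.0.2.44"},
    {"src": "172.32.0.9", "dst": "203.0.113.10", "device": "172.32.0.9"},
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE).items():
        print(f"{reason}: {count}")
```

A count dominated by `direction-swapped` points at packet-direction reporting rather than LAN addressing; `public-lan-addressing` rows are the case the post above describes.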

Quote from: IHK on June 20, 2024, 12:51:13 PM
For more accurate reporting results, it is recommended to use Zenarmor in Directed mode.
Is it theoretically possible to have a hybrid mode, not filtering connections which have high throughput? I have too many dropped packets during downloads (~1gbps), so i stick to passive mode. During that time every component misreports size, and the slow connections which are the most dangerous are skipped.