Topic: Error about misconfigured interfaces (Read 4249 times)
tigo003
Newbie
Posts: 4
Karma: 1
Error about misconfigured interfaces
«
on:
April 27, 2024, 08:20:31 am »
I'm now getting the following error after the recent update of Zenarmor.
Zenarmor - v.1.17.1
Zenarmor Application DB: 1.17.24042216
I haven't changed anything with my configuration - and Zenarmor is strictly configured for the LAN interfaces across different VLANs.
Is anyone facing a similar problem?
"Possible deployment misconfiguration: devices with public IP addresses detected" To correct this, please see the following document:
https://www.zenarmor.com/docs/opnsense/installing/web-ui-initial-configuration#3-deployment-mode--interface-selection
Logged
enduser69
Newbie
Posts: 2
Karma: 0
Re: Error about misconfigured interfaces
«
Reply #1 on:
April 27, 2024, 03:21:53 pm »
I'm currently experiencing the same issue. I've tried switching between the different deployment modes and removed all VPN interfaces so that there is only a LAN interface being probed by Zenarmor. All my ports are closed.
edit:
- ok I've disabled ipv6 thinking I don't understand that stuff too well, maybe that's the culprit, but no, still getting a misconfiguration warning twice a day.
- at some point in my troubleshooting adventures 700+ devices showed up (they appeared to be the endpoints of everything being queried within my network local & wan destinations)
- netmap appears to be installed and functioning nominally
- opnsense healthcheck produces this maybe related entry
Version 24.1.5 is correct.
>>> Check for missing or altered base files
Error 2 occurred.
etc/sysctl.conf:
size (299, 464)
sha256digest (0x45f469e7a9b4eef887bab7b55397305043fe101e1d6ce6f7e23d758e72f56dc6, 0x13f0a06a1c6d76492abd3424150cd1f80e55d8837409a6e11a2288a968ff9277)
- zenarmor database health check does not initiate the misconfiguration warning again & produces no warnings or error (only tailed the last 25 lines of mongodb.log file)
opnsense 24.1.6
zenarmor 1.17.1
Zenarmor Application DB: 1.17.24042216
«
Last Edit: April 27, 2024, 11:22:36 pm by enduser69
»
Logged
tigo003
Newbie
Posts: 4
Karma: 1
Re: Error about misconfigured interfaces
«
Reply #2 on:
April 28, 2024, 07:15:37 am »
Just ran a health check audit, and similarly, had a similar error 2 in regards to sysctl.conf - size issue.
Logged
enduser69
Newbie
Posts: 2
Karma: 0
Re: Error about misconfigured interfaces
«
Reply #3 on:
April 28, 2024, 01:48:28 pm »
I think this is a false positive on Zenarmor's part. dnsleaktest looks normal...
I'm pretty new to opnsense & freebsd in general so my diagnostics are a bit rudimentary. I'd really like to get Zenarmor functioning properly or understand why it isn't playing well w/ my setup before my 2 week trial is up.
But I can't find any documentation on using Zenarmor or os-sensei via cli or instructions on probing Zenarmor notifications further. I guess I'm not really even sure what the error in question is trying to indicate. Any links or instruction on achieving this would be much appreciated.
I've simplified my network to defaults now using 8.8.8.8 1.1.1.1 on dns, only 1 lan 1 wan, only using ipv4. I've cycled through all combinations of the deployment modes and interface selection on Zenarmor's settings tab w/ the same results.
Logged
sy
Hero Member
Posts: 595
Karma: 44
Re: Error about misconfigured interfaces
«
Reply #4 on:
April 29, 2024, 07:47:06 pm »
Hi,
Please can you share a report by checking Zenarmor logs and config checkboxes via Have Feedback option in UI?
Logged
tigo003
Newbie
Posts: 4
Karma: 1
Re: Error about misconfigured interfaces
«
Reply #5 on:
April 29, 2024, 11:25:45 pm »
Done - just sent the requested feedback.
Thank you,
Logged
36thchamber
Jr. Member
Posts: 57
Karma: 2
Re: Error about misconfigured interfaces
«
Reply #6 on:
May 22, 2024, 02:01:42 am »
Can the message mention the interface? I don't know what to do with this message, no clue what could cause it. In ntopng, for example, they would tell me explicitly, and I would see it visually in the GUI, but this message is mysterious and there's no clue in the GUI.
«
Last Edit: May 22, 2024, 02:11:22 am by 36thchamber
»
Logged
tigo003
Newbie
Posts: 4
Karma: 1
Re: Error about misconfigured interfaces
«
Reply #7 on:
May 22, 2024, 04:15:05 am »
The recent update that was rolled out a couple of days ago - solves the issue. All is working correctly now.
Logged
36thchamber
Jr. Member
Posts: 57
Karma: 2
Re: Error about misconfigured interfaces
«
Reply #8 on:
May 24, 2024, 04:53:23 am »
the message pops up when it accumulates 10000+ devices so need to wait. Running health check on CLI won't make it appear asap.
So it still pops up on the new version. In subscription page, number of devices: 2500. I have only a few devices. I track WG marked as WAN (as there's no "VPN" predefined => won't be treated as WAN). One of them is forward for a few VPN clients.
Logged
36thchamber
Jr. Member
Posts: 57
Karma: 2
Re: Error about misconfigured interfaces
«
Reply #9 on:
May 24, 2024, 11:09:51 pm »
so i investigated how to trigger the message in v1.17.3, here's how:
* configctl zenarmor notice-public-ip-devices
* in browser you do have to refresh the Dashboard view manually
then you get the popup instantly.
now with this procedure, i've checked interfaces, and the popup appears for ANY interface.
-> ignore the popup. just like "local", "remote" hosts, it doesn't work.
Logged
sy
Hero Member
Posts: 595
Karma: 44
Re: Error about misconfigured interfaces
«
Reply #10 on:
June 03, 2024, 12:49:21 pm »
Hi,
Do you see the device(s) with public IP address in device list?
Logged
sclevine
Newbie
Posts: 4
Karma: 1
Re: Error about misconfigured interfaces
«
Reply #11 on:
June 18, 2024, 12:49:53 am »
I am also seeing this error, as a banner on the dashboard:
> Possible deployment misconfiguration: devices with public IP addresses detected
> Zenarmor's health check system detected 7195 devices with public ip addresses associated with them.
Under “Live Sessions” I see connections with correct internal src and external dst addresses, but where the “Device” is listed as the IP of the destination address. For example, I see a connection from a local Macbook to iCloud on VLAN1, where the device shows up as a public iCloud IP “Device (ip4:#.#.#.#)” instead of the private Macbook IP.
This started in May, but I just upgraded to 1.17.4 and opnsense 24.1.8 with no change. After rebooting, I still see the warning and incorrect Device names for new connections.
I currently have Zenarmor running in passive mode, monitoring 7 VLANs on a LAGG. (Zenarmor is configured to monitor each VLAN individually, as having it monitor the underlying LAGG interfaces separately resulted in packet loss in the past, due to some connections using both interfaces.)
I have multi-wan setup, but only internal VLANs are configured.
Logged
IHK
Full Member
Posts: 105
Karma: 5
Re: Error about misconfigured interfaces
«
Reply #12 on:
June 20, 2024, 12:51:13 pm »
Hi,
Zenarmor uses pcap technology, which gives the engine very limited capability over packets when used in Passive Mode. As a result, the Zenarmor packet engine may not correctly determine the packet direction, resulting in mixed reporting. For more accurate reporting results, it is recommended to use Zenarmor in Directed mode. In addition, Device identification therefore enables IP detection on the WAN side.
Logged
24raul
Newbie
Posts: 1
Karma: 0
Re: Error about misconfigured interfaces
«
Reply #13 on:
July 16, 2024, 06:32:54 pm »
Just change your local IP to a local IP address; you are using a public IP on your LAN. Here are the private IP addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
If your LAN IP is outside this range, it is considered a public IP and Zenarmor will show you this problem.
Logged
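As an added example (not part of any post in this thread, and not Zenarmor code), the Python sketch below separates the two situations discussed above: a LAN host that really sits outside the private ranges listed in Reply #13, and a session whose remote destination was recorded as the device, as described in Reply #11. The record layout (`src`, `dst`, `device`) and the sample sessions are constructed for illustration; Zenarmor's own export format is not shown on this page.

```python
import ipaddress

# The three private IPv4 ranges listed in Reply #13 (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls inside one of the three ranges above."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)

def classify(session):
    """Classify one session record by which address its device was bound to.

    session is a dict with 'src', 'dst' and 'device' IPv4 strings
    (a constructed layout, not Zenarmor's export format).
    """
    src, dst, dev = session["src"], session["dst"], session["device"]
    if is_private(dev):
        return "ok"
    # The device carries a public address: work out why.
    if dev == dst and is_private(src):
        return "direction-swapped"      # remote endpoint recorded as the device
    if dev == src:
        return "public-lan-host"        # LAN host really uses a public address
    return "unknown-public-device"

def summarize(sessions):
    """Count sessions per classification label."""
    counts = {}
    for s in sessions:
        label = classify(s)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample records; documentation ranges stand in for public IPs.
SAMPLE = [
    {"src": "192.168.1.20", "dst": "203.0.113.10", "device": "192.168.1.20"},
    {"src": "192.168.1.20", "dst": "203.0.113.10", "device": "203.0.113.10"},
    {"src": "10.0.5.7", "dst": "198.51.100.4", "device": "198.51.100.4"},
    {"src": "172.32.0.9", "dst": "198.51.100.4", "device": "172.32.0.9"},
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {n}")
```

A high "direction-swapped" count with no "public-lan-host" entries points at direction detection rather than LAN addressing; note that 172.32.0.9 lies just outside 172.16.0.0 to 172.31.255.255 and is therefore counted as public.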
36thchamber
Jr. Member
Posts: 57
Karma: 2
Re: Error about misconfigured interfaces
«
Reply #14 on:
July 27, 2024, 07:32:11 am »
Quote from: IHK on June 20, 2024, 12:51:13 pm
For more accurate reporting results, it is recommended to use Zenarmor in Directed mode.
Is this theoretically possible to have a hybrid mode, not filtering connections which have high throughput? I have too many dropped packets during downloads (~1gbps), so I stick to passive mode. During that time every component misreports size, and the slow connections which are the most dangerous are skipped.
Logged