Installation done, but interfaces misconfigured and zones not saved?

Started by casi-online, August 24, 2024, 04:17:36 PM

Hi, after installing Zenarmor and configuring it, the next day I got the error message
"Possible deployment misconfiguration: devices with public IP addresses detected
Zenarmor's health check system detected 237 devices with public ip addresses associated with them. Usually this happens because of a interface tag misconfiguration in deployment settings. "

In my thin client OPNsense, there's 1 onboard LAN and 4 on a riser card.
So from my internet modem to OPNsense, internet is coming in on the onboard LAN, outgoing to the WiFi hotspot and LAN switch on 2 of the 4 ports on the card...

WAN is chosen on the onboard port automatically and correctly by Zenarmor.
I switched to "lan" as security zone on the 4 card ports, applied and restarted; when refreshing the page, the security zone selection is gone again...

I'm not sure what to do, or if I have done it correctly until here?
A bridge is configured in OPNsense for the 4 card ports; this should not be a problem?
I can't post attachments because they're too big!? Looks like we're back in 2010.... :=)

thanks for any help!

casi

Hi,

Zenarmor tags an interface as WAN if it is the default GW in the route table. Does this match your case?

Hi, I'm not sure how to understand or check this.. Default gateway in the route table? The WAN interface is my onboard LAN, incoming from the internet modem. I attach a picture; I think it's what you asked for?

And by the way... I only see 1 device (ever) connect(ed), my mobile phone... No other devices... WTF?

What you showed are routes that OPNsense knows. It will not show connected devices.

If you want to see what is connected to your OPNsense, and if OPNsense is the GW for that device / subnet, go and check the ARP table.


The TAGs in Zenarmor, aka "ZONEs", are there to identify specific ZONEs like WAN, LAN, VPN etc. By default you need two TAGs:

wan - which should be on your WAN interface
lan - which should be on your LAN interfaces or parent interface for the LAN

You cannot misplace these; if you assign the lan TAG to an interface that carries WAN traffic, you will get wrongly discovered endpoints and you will most likely see what you see.

You cannot have LAN and WAN traffic on the same port or the same parent port.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
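The two checks described in the replies above (which interface holds the default route, and what the ARP table shows per interface) can be scripted. The block below is an added example written for this thread; it is not Zenarmor's health check nor any OPNsense tooling, and it only approximates the "devices with public IP addresses" condition by counting non-RFC 1918 neighbours per interface. The `netstat -rn` and `arp -an` samples are constructed to look like FreeBSD output, the interface names igb0/igb1 are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example for the thread above, not code from Zenarmor or OPNsense.
# Runs offline against constructed samples; on a real box feed it the output
# of `netstat -rn` and `arp -an` instead.

# Constructed `netstat -rn` (IPv4 section). Interface names are assumptions.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
127.0.0.1          link#3             UH         lo0
192.168.1.0/24     link#2             U          igb1
192.168.1.1        link#2             UHS        lo0
203.0.113.0/24     link#1             U          igb0'

# Constructed `arp -an`. The 198.51.100.x neighbours on igb1 are the kind of
# entries a port that actually carries WAN traffic produces: if that port is
# tagged "lan", those public addresses get discovered as LAN endpoints.
SAMPLE_ARP='? (203.0.113.1) at 00:11:22:33:44:01 on igb0 expires in 1100 seconds [ethernet]
? (192.168.1.10) at 00:11:22:33:44:10 on igb1 expires in 900 seconds [ethernet]
? (192.168.1.11) at 00:11:22:33:44:11 on igb1 expires in 900 seconds [ethernet]
? (198.51.100.7) at 00:11:22:33:44:07 on igb1 expires in 800 seconds [ethernet]
? (198.51.100.9) at 00:11:22:33:44:09 on igb1 expires in 800 seconds [ethernet]'

# Print the Netif column of the "default" route read from stdin. Per the
# reply above, this is the interface Zenarmor's auto-detection tags as wan.
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Read `arp -an` lines from stdin and print "iface count" per interface,
# where count is the number of neighbours with a public (non-private,
# non-loopback, non-link-local) IPv4 address. Sorted by interface name.
public_neighbours_per_iface() {
    awk '
        function is_private(ip) {
            return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^127\./ ||
                   ip ~ /^169\.254\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
        }
        {
            ip = $2; gsub(/[()]/, "", ip)   # strip the parentheses around the IP
            iface = $6                       # "... on <iface> expires ..."
            seen[iface] += 0                 # make sure every interface is listed
            if (!is_private(ip)) pub[iface]++
        }
        END { for (i in seen) printf "%s %d\n", i, pub[i] + 0 }
    ' | sort
}

# List interfaces, other than the WAN one given as $1, that have public-IP
# neighbours in the `arp -an` lines on stdin. A "lan" tag on any interface
# printed here is a likely cause of the misconfiguration warning in the
# first post.
suspect_lan_ifaces() {
    public_neighbours_per_iface | awk -v wan="$1" '$1 != wan && $2 > 0 { print $1 }'
}

# Stand-alone run over the constructed samples.
WAN_IF=$(printf '%s\n' "$SAMPLE_ROUTES" | default_route_iface)
printf 'default route leaves via: %s (Zenarmor will tag this as wan)\n' "$WAN_IF"
printf 'public-IP neighbours per interface:\n'
printf '%s\n' "$SAMPLE_ARP" | public_neighbours_per_iface
printf 'interfaces that should not carry a lan tag:\n'
printf '%s\n' "$SAMPLE_ARP" | suspect_lan_ifaces "$WAN_IF"
```

On a live OPNsense box the same functions work with real output: `netstat -rn | default_route_iface` and `arp -an | suspect_lan_ifaces igb0` (substitute your WAN interface). An empty result from the last call means no LAN-tagged port is seeing public-IP neighbours; a non-empty one points at the port whose tag, or parent/bridge membership, needs a second look.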