emulated netmap adapter destroyed

Started by 330flyer, June 12, 2025, 04:29:02 PM

June 12, 2025, 04:29:02 PM Last Edit: June 12, 2025, 05:29:57 PM by 330flyer
Hello,
Firstly, I would like to thank everyone here in advance for your assistance.
I am a complete novice when it comes to OPNsense, Linux and Zenarmor, so my apologies for my simple questions.
I have been able to install OPNsense and Zenarmor via online tutorials and it had been running fine for the last few months; however, the other day I did an update on OPNsense and Zenarmor was part of the upgrade package...
When the update process was finished I did a reboot and everything was running fine for about 15 min, then I started getting errors. The internet connection breaks every 10-15 min for about 3-4 min, constantly.
looking at the console i see the message
"generic_netmap_dtor emulated netmap adapter for em0 destroyed"

It keeps doing this until I turn off the Zenarmor packet engine.

I tried looking on the web for a solution, but there are a gazillion solutions and I don't know which one applies to me.
When I look at the notifications I get the message:
Syn Flood Detected
Source: engine
Detail:
Quote:
Syn flood has been detected. Top 5 flooder actors {"local_hw":[{"hw":"000c29201120", "count":56921},{"hw":"f875a4cc700b", "count":5340}], "remote_hw":[{"hw":"f875a4cc700b", "count":56921},{"hw":"88c39711a792", "count":1905},{"hw":"5c0214b056dc", "count":1086},{"hw":"9c9d7e91e89d", "count":995},{"hw":"143fa6aa1a01", "count":588}], "local_ip":[{"ip":"192.168.1.222", "count":56921},{"ip":"192.168.1.1", "count":4127},{"ip":"2606:4700::6811:1802", "count":536},{"ip":"2600:1901:0:5736::f800", "count":248},{"ip":"2600:1901:0:aab1::2100", "count":33}], "remote_ip":[{"ip":"192.168.1.207", "count":1905},{"ip":"192.168.1.206", "count":1086},{"ip":"185.128.114.203", "count":1031},{"ip":"192.168.1.191", "count":995},{"ip":"fe80::c69f:44ef:9517:3402", "count":564}]}

Now this is gibberish to me :(
After turning off the packet engine the connection is stable.
Engine   2.0   Jun 11, 2025 17:08
Database   2.0.25060914   Jun 11, 2025 17:08
Agent   2.0.2   Jun 11, 2025 16:51
UI   2.0.59



I have a subscription, but when I try to access the Sunny Valley support site I get an error 1034, hence I am unable to contact the Zenarmor support page directly.

Any solution to my issue??


Hi,

It seems that there is a SYN flood attack in your network. Zenarmor reports this. Most probably, the SYN flood attack is eating up system resources and the Zenarmor engine is crashing. Can you check the reported devices?

The devices with MAC Addresses: 00:0c:29:20:11:20 count:56921
f8:75:a4:cc:70:0b count:5340

Local IP: 192.168.1.222 count:56921, 192.168.1.1 count:4127


You can contact the support team via the Have Feedback option in the bottom left corner of the UI. For further details please visit the following link.
https://zenarmor.com/docs/support/reporting-bug

Are you doing maybe some port scanning?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
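
Added example, not part of any post in this thread: a short Python parser for the notification text quoted in the first post. It formats the MAC addresses the way the reply above does by hand, and groups identifiers that share an identical count across categories. Treating equal counts as "same flow" is a heuristic assumed here, not documented Zenarmor behaviour, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Notification text as quoted in the first post (split over lines for readability).
NOTIFICATION = (
    'Syn flood has been detected. Top 5 flooder actors '
    '{"local_hw":[{"hw":"000c29201120", "count":56921},{"hw":"f875a4cc700b", "count":5340}], '
    '"remote_hw":[{"hw":"f875a4cc700b", "count":56921},{"hw":"88c39711a792", "count":1905},'
    '{"hw":"5c0214b056dc", "count":1086},{"hw":"9c9d7e91e89d", "count":995},'
    '{"hw":"143fa6aa1a01", "count":588}], '
    '"local_ip":[{"ip":"192.168.1.222", "count":56921},{"ip":"192.168.1.1", "count":4127},'
    '{"ip":"2606:4700::6811:1802", "count":536},{"ip":"2600:1901:0:5736::f800", "count":248},'
    '{"ip":"2600:1901:0:aab1::2100", "count":33}], '
    '"remote_ip":[{"ip":"192.168.1.207", "count":1905},{"ip":"192.168.1.206", "count":1086},'
    '{"ip":"185.128.114.203", "count":1031},{"ip":"192.168.1.191", "count":995},'
    '{"ip":"fe80::c69f:44ef:9517:3402", "count":564}]}'
)

def fmt_mac(hw):
    """'000c29201120' -> '00:0c:29:20:11:20'."""
    return ":".join(hw[i:i + 2] for i in range(0, 12, 2))

def parse_actors(text):
    """Return {category: [(identifier, count), ...]}, highest count first."""
    data = json.loads(text[text.index("{"):])  # skip the free-text prefix
    out = {}
    for category, entries in data.items():
        rows = [(fmt_mac(e["hw"]) if "hw" in e else e["ip"], e["count"]) for e in entries]
        out[category] = sorted(rows, key=lambda r: r[1], reverse=True)
    return out

def same_count_groups(actors):
    """Heuristic (assumption): identifiers in different categories with an
    identical count probably belong to the same flow."""
    by_count = defaultdict(list)
    for category, rows in actors.items():
        for ident, count in rows:
            by_count[count].append((category, ident))
    return {c: members for c, members in by_count.items() if len(members) > 1}

def on_both_sides(actors):
    """MAC addresses listed as both a local and a remote actor."""
    local = {mac for mac, _ in actors["local_hw"]}
    remote = {mac for mac, _ in actors["remote_hw"]}
    return sorted(local & remote)

if __name__ == "__main__":
    actors = parse_actors(NOTIFICATION)
    for count, members in sorted(same_count_groups(actors).items(), reverse=True):
        print(count, members)
    print("listed as local and remote:", on_both_sides(actors))
```

The identifiers this links together are the ones to look up first in the DHCP leases or ARP table on the firewall.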

June 14, 2025, 08:21:40 AM #3 Last Edit: June 14, 2025, 08:24:57 AM by 330flyer
Thanks for the reply.

Sy
Quote:
Hi,

It seems that there is a SYN flood attack in your network. Zenarmor reports this. Most probably, the SYN flood attack is eating up system resources and the Zenarmor engine is crashing. Can you check the reported devices?

The devices with MAC Addresses: 00:0c:29:20:11:20 count:56921
f8:75:a4:cc:70:0b count:5340

Local IP: 192.168.1.222 count:56921, 192.168.1.1 count:4127


This only occurred after the update. The IP in question (192.168.1.222) is a local Ubuntu server with Docker & Portainer running a few containers.


Seimus

Quote:
Are you doing maybe some port scanning?

Regards,
S.

Not that I am aware of.

This is the reply I got from support.

Quote:
Hi Ugur,
 
Did you check the local device for SYN flood issue? The attackers are creating many sessions and don't proceed. The system caches are full for a while and can not resource on the machine. Please check the following link to prevent SYN flood on OPNsense and check the local devices which Zenarmor has reported.
 
https://docs.opnsense.org/manual/firewall_settings.html#enable-syncookies
 
 
Best regards

I have been reading that some users have reported issues with the em0 NIC. Could it be a driver issue? I have a spare Intel i350 lying around; should I use that instead?

The problem is as pointed out by Sy.

ZA notifies you that there is a potential SYN flood ongoing. Basically ZA sees a flood of TCP S without fully establishing a handshake. Each TCP S is stored and tracked with ZA. If there is too much of such TCP S it overflows the buffer and starts to eat into resources, which can cause ZA to crash.

Those IPs listed by ZA, what are those? What destination do they try to reach when you see those flood messages in ZA?
Are those sessions allowed on OPNsense, or does maybe OPNsense block them?

Regards,
S.