Troubleshooting for Configuration
Most frequently seen Zenarmor configuration issues and their solutions are given below.
Changing debug level
"How to change debug level without restarting the Zenarmor engine?"
You need to connect to the management socket of each running process and issue the same commands. The session below uses mgmt.sock.4343, the socket of the first worker process.
root@testfw_i5:~ # nc -U /usr/local/zenarmor/run/mgmt.sock.4343
eastpect> set debug DEBUG2
eastpect> +OK
eastpect> set debug INFO
eastpect> +OK
eastpect> q
eastpect> +OK Logging out...
eastpect> root@testfw_i5:~ #
You may also set the log level of Zenarmor easily via the web UI.
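As an added example (not Zenarmor's own tooling), the Python script below automates the session above across all worker sockets: it connects to each socket, sends set debug <level>, checks for a +OK reply and logs out with q. It assumes the worker sockets match /usr/local/zenarmor/run/mgmt.sock.*, that success replies start with +OK and failures with -, and that the eastpect> prompt may be prepended to a reply line; start_fake_engine is a constructed stand-in used only to exercise the client offline.

```python
import glob
import socket
import tempfile
import threading

SOCKET_GLOB = "/usr/local/zenarmor/run/mgmt.sock.*"  # one socket per worker (assumed)
PROMPT = b"eastpect> "  # prompt the engine may prepend to a reply line (assumed)

def set_debug_level(sock_path, level):
    """Send 'set debug <level>' then 'q' to one worker; return its reply to 'set'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(5)
        conn.connect(sock_path)
        with conn.makefile("rwb") as f:
            f.write(f"set debug {level}\n".encode())
            f.flush()
            reply = f.readline().replace(PROMPT, b"").decode(errors="replace").strip()
            f.write(b"q\n")  # log out cleanly, as in the nc session above
            f.flush()
            f.readline()  # consume "+OK Logging out..."
    return reply

def set_debug_level_all(level, pattern=SOCKET_GLOB):
    """Apply the level to every worker socket; map path -> True if it answered +OK."""
    return {p: set_debug_level(p, level).startswith("+OK") for p in sorted(glob.glob(pattern))}

def start_fake_engine():
    """Constructed stand-in for one worker (not the real engine); returns its socket path."""
    path = tempfile.mkdtemp() + "/mgmt.sock.4343"
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("rwb") as f:
            for line in f:
                words = line.decode().split()
                if words == ["q"]:
                    f.write(PROMPT + b"+OK Logging out...\n")
                    f.flush()
                    return
                # only the two levels shown on this page are "known" to the stand-in
                ok = words[:2] == ["set", "debug"] and words[2:] in (["INFO"], ["DEBUG2"])
                f.write(PROMPT + (b"+OK\n" if ok else b"-ERR unknown command or level\n"))
                f.flush()

    threading.Thread(target=serve, daemon=True).start()
    return path
```

Call set_debug_level_all("DEBUG2") on the firewall to raise verbosity on every worker, then set_debug_level_all("INFO") to restore it, as the session above does by hand.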
Finding the root cause of throughput issues
"What is the root cause of throughput issues on your OPNsense firewall?"
In some cases, you may encounter throughput issues on your OPNsense firewall. For example, upload/download speeds may be too low, and even a small file may take too long to download or upload. In such cases, the first thing you should check is whether netmap is the root cause.
To check this, run the engine in bypass mode. You may enter bypass mode by following these steps:
- Navigate to Zenarmor → Status
- Click on Enter Bypass Mode
Figure 1. Entering Bypass Mode
If you are experiencing the same performance issues (low upload/download speeds) in bypass mode, you most probably have netmap compatibility issues. To solve this compatibility problem, check whether your NIC is supported by netmap and update your system to the latest version. For the list of netmap-compatible NICs, please visit the following link:
https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4#SUPPORTED_DEVICES
High disk usage problem
"Zenarmor stops running due to an error about high disk usage, and I do not see any local drives that are filling up. I am not sure how to fix this problem."
Figure 2. High Disk Usage Error Message
Problem Overview
Since the packet engine's temp area is filling up, the Zenarmor services stop running to prevent a network outage. You can see the warning messages in your system log file, located at /var/log/system.log:
May 9 14:59:32 fw kernel: pid 29015 (eastpect), uid 0 inumber 4 on /usr/local/sensei/output/active/temp: filesystem full
/usr/local/sensei/output/active/temp is the temp memdisk where Zenarmor saves IPDR files. After the required information is inserted into the database (Elasticsearch or MongoDB), the files are removed from the temp area. A large number of connections during peak times or a slow connection may cause the temp area to become full.
Solution
To solve the high disk usage problem, try increasing the size of the temporary memory disk on the Configuration → Reporting & Data page, in the Size of the Fast Temporary Memory Disk (in Megabytes / Capacity) pane. It is set to 50 MB by default. You may set it up to 500 MB. For more information about how to increase the size of this disk area, please refer to Changing the Size of the Temporary Disk.
Figure 3. Changing Size of the Fast Temporary Memory Disk
No NIC is being shown
"No Ethernet Interface is being shown in the Interface Configuration"
If you cannot see any Ethernet interfaces reported in the Configuration → Interface Selection menu, chances are high that you're using an Ethernet adapter for which netmap, the raw packet I/O interface in FreeBSD, does not have proper driver support. We're sponsoring driver support in the netmap project, so there are many improvements in this area.
Make sure that you're using the latest firewall version and the latest Zenarmor version.
Realtek incompatibility
Zenarmor uses netmap, an operating system subsystem, to grab packets off the wire. Our experience is that netmap doesn't play well with Realtek drivers. An updated Realtek driver that plays well with netmap is available.
You should use the most recent OPNsense release to resolve the netmap/network disconnection issue caused by the Realtek driver incompatibility on your OPNsense firewall. If you are not on the latest release, upgrade your OPNsense node first.
Then, run the following command in your OPNsense terminal as a user with root privileges.
pkg install realtek-re-kmod
During the package installation process, pay attention to the messages on the screen.
Lastly, reboot your OPNsense firewall.
This solution also applies to other FreeBSD-based operating systems, such as pfSense software.
Resetting to factory defaults
"How do I reset to factory defaults?"
- Navigate to Zenarmor → Configuration
- Click on the Uninstall tab
- Click on the Reset to factory defaults button.
When you click on any Zenarmor submenu, you'll be redirected to the Initial Configuration Wizard to start over.
Unseen NIC Interfaces
"Why am I unable to view all NIC interfaces?"
WAN interface not detected
"Zenarmor did not detect my WAN interface during interface configuration"
On the Zenarmor Configuration page, some users are not able to see all NIC interfaces and select them for protection, which leads to complaints.
On BSD-based systems, such as OPNsense and pfSense, the WAN interface or default gateway interface of the firewall is not displayed by default on the Zenarmor configuration page, so you cannot choose to secure it.
The primary reason for this circumstance is that both Suricata and Zenarmor utilize the same packet I/O interface (netmap), which only permits one application to be active at any given moment.
Another reason for deploying Zenarmor on inner-facing interfaces is that you'll lose internal IP information if you operate on the WAN interface due to NAT being applied.
We suggest employing Zenarmor on the LAN interface and enabling Suricata on the WAN interface. Consequently, the WAN or default gateway interface is not displayed during Zenarmor configuration.
Wireguard/OpenVPN interface not seen
"I cannot find my Wireguard or OpenVPN interface in the Interface Configuration"
Zenarmor can run on any Ethernet interface that is netmap compatible. However, WireGuard and OpenVPN utilize tunnel (tun) interfaces, which we do not support for the time being.
We're currently sponsoring development in the netmap(4) project and hope to deliver this feature soon.