Zenarmor set to not block YouTube, but at some point it will
I’ve got profiles set up the way I want, mainly to block and protect my kids. The default profile blocks a bunch of stuff (but not YouTube), and I also have an “adults” profile for my wife’s and my devices.
To verify things are working, I test with Facebook: it’s correctly blocked for the kids but accessible on my devices.
The problem: after a few hours (sometimes up to a day), YouTube on my phone suddenly stops working. The app opens, but nothing loads. Other services (including Facebook) continue to work fine.
The “adults” profile it’s on doesn’t block any App Controls or Web Controls; it only has the Security tab blocks set to moderate and "Block TLS Encrypted Client Hello (ECH)" on. Importantly, YouTube works at first, but eventually stops.
Here’s what I’ve tried when it happens:
- Reboot Pi-hole → no change
- Restart Unbound on OPNsense → no change
- Enable Zenarmor bypass → YouTube instantly starts working
- Disable bypass → YouTube continues working again… until it eventually stops hours or a day later
So basically, toggling Zenarmor bypass fixes it temporarily, but the problem keeps coming back.
Looking at Activity Explorer shows no blocking for my device during tests.
-
Official comment
Hi Nathan,
Please share the output of the following command after logging in to the CLI as root:
sysctl -a | grep netmap
-
Totally forgot to mention that. I did look. I filter down to my device. I can see it talking to Google, but it blocks nothing. In fact there are no blocks on the report for my device, but there is plenty of unblocked traffic, which makes sense as I block so little on the profile it is on.
-
Entering and exiting bypass is my primary way of fixing it. I was rebooting OPNsense entirely and that would fix it, but it is a bit drastic and impactful to my family.
What is odd is I tried restarting the engine before bypassing it, and it didn't fix it. Only bypass or rebooting OPNsense did. Although I will make sure that is not an anomaly by stopping the engine itself next time and checking again to verify, and let you know.
-
It's happened again; it seems to either be happening faster or, because I am watching, it is just more noticeable. I can literally pull up YouTube on my iPhone and iPad, watch it endlessly try to load my home tab with no success, then enter bypass and within 10 seconds both load almost instantly. Turn off bypass and it keeps working for a while.
Still no blocks showing in Live Sessions for either device.
YouTube Music also stops working btw, but that's to be expected if YouTube stops.
-
Hey, I troubleshot those full hwcur errors and resolved them. I haven't received the error today. However, YouTube stopped again, but this time only for my wife's phone. My phone and tablet were fine. I restarted the engine just to see again, and that does NOT resolve it still. I have to enter bypass and exit bypass for it to work, which did fix her, and her YouTube now works.
This is the netmap output just before the reset:
root@OPNsense:~ # sysctl -a | grep netmap
<6>[1] igc0: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc1: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc0: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc1: netmap queues/slots: TX 4/1024, RX 4/1024
[29] 040.654193 [1167] generic_netmap_attach Emulated adapter for wg0 created (prev was NULL)
[29] 040.654208 [1072] generic_netmap_dtor Emulated netmap adapter for wg0 destroyed
[29] 040.654260 [1167] generic_netmap_attach Emulated adapter for wg0 created (prev was NULL)
[29] 040.671097 [ 319] generic_netmap_register Emulated adapter for wg0 activated
[29] 040.709093 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[29] 040.709108 [1068] generic_netmap_dtor Native netmap adapter for igc1 restored
[29] 040.709115 [1072] generic_netmap_dtor Emulated netmap adapter for igc1 destroyed
[29] 040.709219 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[29] 040.709645 [ 319] generic_netmap_register Emulated adapter for igc1 activated
[152] 162.941417 [ 294] generic_netmap_unregister Emulated adapter for igc1 deactivated
[152] 162.941803 [1068] generic_netmap_dtor Native netmap adapter for igc1 restored
[152] 162.941811 [1072] generic_netmap_dtor Emulated netmap adapter for igc1 destroyed
[152] 162.952792 [ 294] generic_netmap_unregister Emulated adapter for wg0 deactivated
[152] 162.953225 [1072] generic_netmap_dtor Emulated netmap adapter for wg0 destroyed
[159] 170.162393 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[159] 170.162429 [1068] generic_netmap_dtor Native netmap adapter for igc1 restored
[159] 170.162436 [1072] generic_netmap_dtor Emulated netmap adapter for igc1 destroyed
[159] 170.162493 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[159] 170.162583 [ 319] generic_netmap_register Emulated adapter for igc1 activated
[159] 170.267442 [1167] generic_netmap_attach Emulated adapter for wg0 created (prev was NULL)
[159] 170.267454 [1072] generic_netmap_dtor Emulated netmap adapter for wg0 destroyed
[159] 170.267524 [1167] generic_netmap_attach Emulated adapter for wg0 created (prev was NULL)
[159] 170.267593 [ 319] generic_netmap_register Emulated adapter for wg0 activated
device netmap
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.port_numa_affinity: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 32768
dev.netmap.buf_num: 32768
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 1024
dev.netmap.ring_num: 1024
dev.netmap.ring_curr_size: 36864
dev.netmap.ring_size: 36864
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 2
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
root@OPNsense:~ #
-
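As an added example (not code from the thread, from Zenarmor or from OPNsense), here is a small Python parser for the kind of `sysctl -a | grep netmap` dump requested above. It pulls out which interfaces advertise native netmap rings, walks the generic (emulated) adapter attach/register/unregister/dtor messages to derive each interface's last known state, collects the `dev.netmap.*` knobs, and prints the observations a support engineer would look for (an emulated adapter active on a NIC that has native rings, repeated adapter re-creation, a ring-size mismatch). The sample input is constructed in the same shape as the output posted here; the mapping of the kernel messages to states, the churn threshold of four events and the `generic_ringsize` comparison are my assumptions, not anything the thread or the vendor states.

```python
import re

# Constructed sample in the shape of the `sysctl -a | grep netmap` output
# posted in the thread: kernel message-buffer lines followed by dev.netmap sysctls.
SAMPLE = """\
<6>[1] igc0: netmap queues/slots: TX 4/1024, RX 4/1024
<6>[1] igc1: netmap queues/slots: TX 4/1024, RX 4/1024
[29] 040.654193 [1167] generic_netmap_attach Emulated adapter for wg0 created (prev was NULL)
[29] 040.671097 [ 319] generic_netmap_register Emulated adapter for wg0 activated
[29] 040.709093 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[29] 040.709645 [ 319] generic_netmap_register Emulated adapter for igc1 activated
[152] 162.941417 [ 294] generic_netmap_unregister Emulated adapter for igc1 deactivated
[152] 162.941803 [1068] generic_netmap_dtor Native netmap adapter for igc1 restored
[159] 170.162393 [1167] generic_netmap_attach Emulated adapter for igc1 created (prev was igc1)
[159] 170.162583 [ 319] generic_netmap_register Emulated adapter for igc1 activated
dev.netmap.generic_ringsize: 1024
dev.netmap.buf_num: 32768
dev.netmap.admode: 2
"""

# Driver line: the NIC advertises native netmap rings (queues/slots per direction).
NATIVE_RE = re.compile(
    r"^<\d+>\[\d+\] (\w+): netmap queues/slots: TX (\d+)/(\d+), RX (\d+)/(\d+)")
# Generic (emulated) netmap lifecycle messages: attach/register/unregister/dtor.
EVENT_RE = re.compile(
    r"^\[\d+\] (\d+\.\d+) \[\s*\d+\] (generic_netmap_\w+) "
    r"(Emulated|Native)(?: netmap)? adapter for (\w+) (\w+)")
SYSCTL_RE = re.compile(r"^dev\.netmap\.(\w+): (\S+)$")


def _new_entry():
    return {"native": False, "state": "unknown", "events": 0, "last_ts": None}


def parse_netmap_output(text):
    """Return ({iface: summary}, {sysctl: value}) for one sysctl/grep dump."""
    ifaces, sysctls = {}, {}
    for line in text.splitlines():
        m = NATIVE_RE.match(line)
        if m:
            e = ifaces.setdefault(m.group(1), _new_entry())
            e["native"] = True
            e["tx"] = (int(m.group(2)), int(m.group(3)))
            e["rx"] = (int(m.group(4)), int(m.group(5)))
            continue
        m = EVENT_RE.match(line)
        if m:
            ts, _func, kind, name, verb = m.groups()
            e = ifaces.setdefault(name, _new_entry())
            e["events"] += 1
            e["last_ts"] = float(ts)
            # Assumption: "activated"/"deactivated" mark the emulated adapter being
            # put in and out of use by the packet engine; "Native ... restored" means
            # the NIC is back under its own driver. "created"/"destroyed" are
            # intermediate steps and do not change the state tracked here.
            if kind == "Emulated" and verb == "activated":
                e["state"] = "emulated-active"
            elif kind == "Emulated" and verb == "deactivated":
                e["state"] = "emulated-inactive"
            elif kind == "Native" and verb == "restored":
                e["state"] = "native-restored"
            continue
        m = SYSCTL_RE.match(line)
        if m:
            sysctls[m.group(1)] = m.group(2)
    return ifaces, sysctls


def diagnose(ifaces, sysctls, churn_threshold=4):
    """Turn the parsed state into the observations worth raising with support."""
    findings = []
    for name, e in sorted(ifaces.items()):
        if e["state"] == "emulated-active" and e["native"]:
            findings.append(f"{name}: emulated netmap adapter active although the "
                            f"driver advertises native rings TX {e['tx'][0]}x{e['tx'][1]}")
        elif e["state"] == "emulated-active":
            findings.append(f"{name}: emulated netmap adapter active (no native rings advertised)")
        if e["events"] >= churn_threshold:  # assumed threshold for "re-created a lot"
            findings.append(f"{name}: {e['events']} adapter lifecycle events, "
                            f"last at t={e['last_ts']:.3f}s (engine restart or bypass toggle?)")
    ringsize = int(sysctls.get("generic_ringsize", 0))
    for name, e in ifaces.items():
        if e["native"] and ringsize and ringsize != e["tx"][1]:
            findings.append(f"{name}: generic_ringsize {ringsize} differs from "
                            f"native slot count {e['tx'][1]}")
    return findings


if __name__ == "__main__":
    parsed, knobs = parse_netmap_output(SAMPLE)
    for iface, summary in parsed.items():
        print(iface, summary)
    for finding in diagnose(parsed, knobs):
        print("-", finding)
```

Run it against a saved copy of your own dump (`sysctl -a | grep netmap > netmap.txt`, then read the file into `parse_netmap_output`) each time the symptom appears; comparing the per-interface event counts and last timestamps between a good and a bad state shows whether the packet engine is re-attaching to the interface, which a single "no blocks in Live Sessions" view does not reveal.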
I have fixed the issue. Zenarmor did not like how my DNS was set up. I had my DNS for my network going to Pi-hole. Pi-hole would then upstream to Unbound on OPNsense as a recursive DNS. As a troubleshooting step, when my issue appeared again, rather than turning on the temporary bypass, I told my devices to go directly to Unbound as the primary DNS server. The issue went away.
I have since shut down my Pi-hole and moved everything to Unbound as my primary and enabled block lists there instead. I may move to AdGuard but I wanted to eliminate as much as possible.
So for anyone having issues with Zenarmor blocking when it shouldn't over time, it may be your DNS setup. I don't know why Zenarmor specifically doesn't like how I had my network set up, but it didn't. Google Gemini suggested it has something to do with Pi-hole caching and the DNS request never actually going through OPNsense, and Zenarmor not liking that. Not sure how much validity there is to that, but it's the only lead I have.