Skip to main content

Zenarmor (Sensei) Deployment Modes

Deployment Modes on Cloud Management Portal

Figure 1. Deployment Modes on Cloud Management Portal

Zenarmor can be deployed in three different deployment modes:

  1. Passive Mode (Reporting only, no blocking)
  2. Routed Mode (L3 Mode, Reporting and Blocking available)
  • With native netmap driver
  • With emulated netmap driver
  1. Bridge Mode (L2 Mode, Reporting and Blocking available)

Bridge Mode is only available on OPNsense GUI for experimental purposes.

Deployment Modes Configuration on OPNsense

Figure 2. Deployment Modes Configuration on OPNsense

Default mode is the second option: Routed (L3 Mode) and with native netmap driver. If you don't know what you're doing; or do not understand the stuff here, we suggest you leave it on the default option.

See below for the detailed explanations for each of the deployment modes.

1. Passive Mode (Reporting only mode)#

Passive Mode is like Suricata's IDS mode. Zenarmor grabs a copy of packets from the configured interfaces and provides you with a wealth of information through its reporting.

In this mode, it's not possible to do blocking.

If you're having trouble with the netmap subsystem and still want to make use of Zenarmor's advanced reporting capabilities, this is the best option.

2. Routed Mode (L3 Mode, Reporting + Blocking)#

Routed Mode is the option where you deploy Zenarmor on top of the firewall and you still make use of firewall's other services like L3/L4 filtering, routing, VPN and other plug-ins that are available.

In this mode, you can both do reporting and enjoy all of the filtering functionalities of the software.

This mode utilizes netmap(4), the underlying packet processing subsystem of the FreeBSD operating system.


On Linux, netmap is not installed by default. To be able to run the Zenarmor in routed mode on Linux, you must install and enable the netmap on your Linux system. For more information about how to install netmap on Linux, please refer to netmap installation guide.

You have two options for routed mode of the Zenarmor:

a. With Native Netmap Driver#

Being the default deployment option, this option allows you to be able to make use of native netmap performance with regard to Ethernet drivers.

Netmap can be picky when it comes to driver compatibility. If you suspect that your ethernet drivers does not play well with netmap, than your best bet is using L3 mode with the emulated netmap driver. See below for details.

b. With Emulated Netmap Driver#

As discussed above, if you suspect your Ethernet driver does not play well with netmap, you can use this option to be able to continue using Zenarmor with all of the functionality.

Be noted that emulated driver is not as performant as the native netmap driver.

3. Bridge Mode (L2 Bridge Mode, Reporting + Blocking)#

This experimental deployment mode allows you to be able to deploy Zenarmor like an Inline Web Secure Gateway.

In this mode, it's not possible to make use of other existing OPNsense functionality like firewalling, VPN and other plug-ins; since Zenarmor will bypass the Operating System and your device will act like a transparent filtering appliance.

This mode supports Hardware Assisted Bypass technologies. Currently only Silicom Bypass Adapters are supported.

With Hardware Assistent Bypass adapters, your device can act like a simple cable when there's a sofrware/hardware problem, when Zenarmor is shut down or even when the machine is powered off.