Messages

Hi @Nekromantik,

Thank you very much for your interest in Sensei.

Yes, unfortunately this hardware configuration will be insufficient for running the software. Sensei installer will refuse to start. You'll need at least 8GB RAM and a more modern CPU.

Please see this blog post to get more information:

https://www.sunnyvalley.io/blog/sensei-hw-requirements

Hi @sol,

It looks like we've fixed the problem which in some cases leads to Sensei not stopping appropriately.

Fix will appear in 0.6.0-release, which will be released today US Pacific time.

Would be more than happy if you can give it a try.

Hi,

Thank you for the straightforward feedback.

Vaporware?

No. Sensei is developed by Sunny Valley Networks. I'm Murat, founder of the company. Sunny Valley is a venture-backed, Delaware/US registered company, located in Sunnyvale,  California. Company website is https://sunnyvalley.io. I live in Bay Area. If you are around or will be one day, I'd very much like to meet you in person, grab a coffee and have a chance to get to know each other closer.

No download links?

Currently, we provide the download link for people who register for the BETA early access program. When we are done with the early issues reported by BETA users,  we'll release the final community edition, which will be downloadable directly from the website.

No forum?

We're quite new. We've released the BETA version in late July. We thought that it would be most efficient if we used the existing OPNsense forum for that purpose. Because the plugin is available for OPNsense, and this forum is where all the people discuss things around OPNsense.

No source code?

Sensei is closed source. We announce it on the product webpage. On the other hand, apart from Sensei community edition being available for free for the community, we have a list of open source contribution items, which we think will be of value to the whole project and the community.


Password harvester?

No. Sensei follows best practices implemented by Bro/Suricata; explicitly strips out and throws away octets that could be sensitive. For instance, it does not touch HTTP bodies,  and spends extra cpu cycles to strip out any parameter passed to GET/POST requests and cookies.

It is about our effort to tackle the increasing utilization of encryption by the recent cyber attacks to avoid detection:

https://www.wired.com/story/phishing-schemes-use-encrypted-sites-to-seem-legit/
https://www.thesslstore.com/blog/lets-encrypt-phishing/

However we also share your concern. We also agree that TLS code should be distributed in a more controlled way. This is why TLS will be part of the Enterprise edition.

Thank you for taking the time and comment.

Hi @sol,

Thank you very much for further information. Yes, under heavy CPU utilization, it looks like we've been able to re-produce the issue. I'll update the thread about the resolution.

Hi @krdhtet,

This is done on purpose. We have an unresolved issue with the wireless adapters, so we filter them out while scanning existing interfaces.

For now, the workaround would be utilizing an external AP which would be connected to one of your ethernet ports.

I'll post an update when we're done with it.

Thank you for pointing this out. Also added to the product FAQ.

Hi @sol,

Many thanks for reporting this and for the answer. This is very much helpful to understand what's going on.

Looks like a quite loaded system. I would not recommend running with a 60-70% cpu utilization if you're doing some kind of packet processing. Because packet processing requires dedicated resources and if the cpu is highly utilized and also shared with other applications, it's highly possible that you'll start losing packets. This is so, because at some point OS will fail to schedule the packet processing application to a CPU (because the CPU is already busy) and packets will be dropped in this timeframe. As a consequence,  this will create congestion, and finally you'll get lower throughput. This was what happened, lowering your throughput from 150 - 85 Mbps.

To remedy this kind of heavy load scenarios, there is one thing you can do, and one thing we can:

For you, as you wrote before, it'd be better if you can run the configuration with a more resourceful HW.
For Sensei, we'll pin it to a dedicated CPU core. This will help if you have a multi-core system. 

For not being able to stop Sensei, I'd guess it's related to the above scenario. Though it should stop anyway whatever the load is.

We'll try to reproduce this with your conditions in our lab. I'll let you know about our results.

For the sake of clarity: were you trying to stop it by clicking on the  "Stop" action button or by disabling "Start on Boot" option. Latter one controls whether Sensei should be run during boot time. If you disable it, it does not stop the engine, you'll need again to click on Stop. Most probably you clicked on "Stop", but just wanted to be 100% sure.

Hi @krdhtet,

You got it in your inbox ;)

Hi @sol,

Thank you for trying out Sensei and for the feedback.

A couple of questions:

Is this CPU usage (60-70%) for the configuration Sensei is not running? (e.g. IPS+Proxy+AV) ?

When you launch Sensei, how much did you see it changed? Does it top to 100%?

Hi @sagem2004,

Was your question about Sensei filtering based on web sites?

Hi @samsonmcnulty,

Thank you for testing & feedback. I'd very much appreciate if you can report any problems and/or issues you encounter.

Just like filtering based on application, shaping will also be there ;) Tentative plans is that we expect it to arrive in 2019.

@Mundan101, thank you for testing and giving feedback.

@marjohn56, thank you for pointing it out. It's been FAQ'd now :)

To better support the software and help people who are having issues, we've created a Gitlab project.

Please feel free to send any bug-reports & enhancement requests there:

https://gitlab.com/svn-community/opnsense-sensei-plugin

@marjohn56, many thanks for giving Sensei a try and providing feedback. This is very valuable for us.

Glad to hear that installation & configuration went smooth.

Sensei utilizes netmap behind the scenes, which does not play well with bridged interfaces. Netmap in FreeBSD 11.x, which OPNsense is based on is quite old.  I think we can also contribute to OPNsense team with an improved netmap support. I believe this will also help resolve some Suricata issues.

We'd love to hear about performance figures with a larger user base if you happen to have access to one. Currently the largest deployment we know of is 200 Mbps sustained WAN throughput with about 850 users. HW is an old HP DL360-g8 (xeon e5-2450L @1.8GHz) and 16GB RAM.

Delighted to see that product is up to the duty.

Enterprise <-> Community edition work is ongoing. For now I'm happy to tell that community edition for OPNsense will always be there and forever free.

Hello,

I'm Murat, founder of Sunny Valley Networks, the company behind Sensei.

Very much pleased to meet the OPNsense community.

I've seen a thread about Sensei in the forum, so I thought it might be a good idea to start a dedicated topic to help people with the software.

Sensei is a plugin for firewalls which complement them with features like Application Filtering, Advanced Network Visibility and Cloud Application Control. Currently, Sensei community edition is available for OPNsense platform.

I've seen that some members have already downloaded and trying Sensei. Many thanks for that. We're grateful.

I've created this topic about Sensei to help you to try it out, and try to solve any problems you guys might have encountered.

Although we reached our target number of beta testers, we always have room for forum members.
If you're interested in trying it, please do not hesitate to contact me privately. I can share the URL to the latest installer.

Very much looking forward to reading your feedback and helping you with the software.

More information about Sensei can be found on the product web page: https://sunnyvalley.io/sensei

All the best
Murat

Hallo,

"Google translate" hat das für mich ins Deutsche übersetzt, also verzeiht bitte meine Deutschkenntnisse  ;D 8)

Ich bin Murat, der Gründer der Firma hinter Sensei. Sehr erfreut, Sie und die OPNsense Community zu treffen.

Vielen Dank für den Versuch, Sensei zu probieren. Es tut mir leid, dass wir lange gebraucht haben, um diesen Thread zu finden.

Ich werde versuchen, ein neues Thema über Sensei im "Development and Code Review" Forum zu erstellen. Auf diese Weise hoffen wir, Leuten zu helfen, die es versuchen, und alle Fragen zu beantworten, die ihr vielleicht habt.

Ich freue mich sehr auf dein Feedback.

Beste
Murat