During the installation of the latest Sensei version on the latest stable OPNsense 20.7 version (20.7.1), it is crashing after doing all the steps and hitting the finish button. Box crashes and reboots.
Setup:
SYS-1019D-4C-FHN13TP w/2x8GB ECC RAM
Dual GEOM hard drives
5 interfaces in use; ixl0 - GUEST, ixl1 - DMZ, ixl2 - IoT, ixl3 - LAN, and igb0 using NetGraph for AT&T bypass
No VLANs
Have Suricata running right now but disabled it on second try and failed.
Anything to troubleshoot or provide additional context around?
Hi @pyrodex,
This is a netmap bug. Netmap is an Operating System module that Sensei uses to grab packets off the wire.
We have a test kernel available which fixes this crash and some other crashes/problems. OPNsense will soon provide an official one.
Follow these steps to try the test kernel:
[root@20gw /root]# cd /boot/
[root@20gw /boot]# fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/kernel-12.1-0826-1.tar.gz
kernel-12.1-0826-1.tar.gz 45 MB 4980 kBps 10s
[root@20gw /boot]# mv kernel kernel.stock.save
[root@20gw /boot]# tar zxf kernel-12.1-0826-1.tar.gz
[root@20gw /boot]# reboot
After the reboot, you should be able to see this kernel information:
root@20gw:~ # uname -a
FreeBSD 20gw.local 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #2 cfea49ed4(master)-dirty: Wed Aug 26 16:12:21 PDT 2020 root@igbopnsense.localdomain:/usr/obj/usr/src.compile/amd64.amd64/sys/SMP amd64
root@20gw:~ #
To restore stock OPNsense kernel:
# cd /boot
# rm -rf kernel
# mv kernel.stock.save kernel
# reboot
Please test and let us know how it goes...
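A guarded version of the swap steps above, as an added example that is not part of the original reply or Sunny Valley's own tooling. It assumes the archive unpacks to a top-level `kernel/` directory (implied by the posted steps); `BOOT_DIR` is a hypothetical override for rehearsing outside `/boot`. It checks archive layout only, since the thread gives no checksum or signature to verify against.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the archive unpacks to a
# top-level kernel/ directory (implied by the posted steps).
# BOOT_DIR is a hypothetical override for rehearsing outside /boot.

# member_ok PATH: accept only relative paths under kernel/ with no ".." part.
member_ok() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;          # absolute or traversal
        kernel|kernel/*|./kernel|./kernel/*) return 0 ;;
        *) return 1 ;;                                # stray file for /boot
    esac
}

# archive_is_confined ARCHIVE: list members without extracting, check each.
archive_is_confined() {
    members=$(tar -tzf "$1") || return 1
    [ -n "$members" ] || return 1
    while IFS= read -r m; do
        member_ok "$m" || return 1
    done <<EOF
$members
EOF
}

# swap_kernel ARCHIVE: back up, extract, roll back on any failure.
swap_kernel() {
    boot=${BOOT_DIR:-/boot}
    archive_is_confined "$1" || { echo "unexpected archive layout" >&2; return 1; }
    [ -d "$boot/kernel" ] || { echo "no $boot/kernel to back up" >&2; return 1; }
    [ ! -e "$boot/kernel.stock.save" ] || { echo "backup already exists" >&2; return 1; }
    mv "$boot/kernel" "$boot/kernel.stock.save" || return 1
    # FreeBSD's loader boots /boot/kernel/kernel, so require that file.
    if ! tar -xzf "$1" -C "$boot" || [ ! -f "$boot/kernel/kernel" ]; then
        rm -rf "$boot/kernel"
        mv "$boot/kernel.stock.save" "$boot/kernel"
        echo "extract failed; stock kernel restored" >&2
        return 1
    fi
    echo "installed; stock kernel kept in $boot/kernel.stock.save"
}

# Usage (then reboot by hand): swap_kernel /boot/kernel-12.1-0826-1.tar.gz
```

Refusing to overwrite an existing `kernel.stock.save` means a second run cannot replace the stock backup with the test kernel.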
Looks good now!
Now to play with it!
So I've got it collecting data... I don't see my WAN link in the list of interfaces to protect, not sure if I should since I use netgraph for something and see igb0 (the physical WAN link) but not ngeth0.
I also set up a reverse DNS query server to my firewall (192.168.14.1) but don't see those IPs getting resolved. Am I missing something?
@pyrodex, thanks for the update. Glad to hear that this kernel fixed your problem.
Sensei is meant to be deployed on inner-facing interfaces. The reason is that you'll lose internal IP information if you operate on the WAN interface, due to NAT being applied.
See: https://help.sunnyvalley.io/hc/en-us/articles/360025100613#h_2782cb49-feca-4514-a99b-48001d4c750c
What happens if you do a forward query?