OPNsense Forum
English Forums => Zenarmor (Sensei) => Topic started by: ArminF on November 24, 2020, 04:25:00 pm
-
Hei,
I have to bother you again, but this drives me mad.
We do use most of the Google-offered services.
Mail, Meet, Hangouts, Photos, Translate, Maps, YouTube, etc.
BUT we do not want analytics or ads from them.
So I configured Sensei as follows:
App Control -> allow all needed Google services BUT block Ads and Analytics
Web Control -> whitelist google.com, youtube and all of the known subdomains.
But Sensei still blocks translate.google.com for me, and you see it in the report blocked as Ads.
As soon as I allow Google ADS, the translate.google.com page does load.
If ads are not allowed, the page is blocked even when entered in the Web Control whitelist.
Am I doing anything wrong?
I also had to add the e1000e.net domain to the whitelist to get deeper into Google's jungle and be able to load pictures or files.
Btw, the domain google.com does not seem to be sufficient on the Web Control whitelist, so I had to add all subs as well.
Am I missing anything? Do I really have to allow ads to be able to access all sites and services from Google?
thanks
armin
-
Hi @ArminF
What is your AppDB version (Status - App & Rules DB Version)?
-
Hi Sy,
App & Rules DB Version: 1.6.20201006130256 Last Update: 10/07/2020 13:01
Engine Version: 1.6.1 Last Update: 10/07/2020 13:01
thanks
armin
-
Hi @ArminF,
There is a newer version and it solves the problem. Status - App & Rules DB Version - View Versions - 1.6.20201123073659 - Install.
-
Hi Sy,
Thank you very much. Will do the installation.
And with the new version, would I be able to use the master domain "google.com" and get rid of the subs?
Also, may I get rid of the e1000e.domains as well?
Thank you very much for your help! Much appreciated.
armin
-
Hi Sy,
So far good news! I could reduce my whitelist and "still" all is running as it should.
Will monitor the blocking in the upcoming days.
thanks!
armin
-
Updating the app DB is really important.
Would be cool to have this as "auto" task in cron.
-
Updating the app DB is really important.
Would be cool to have this as "auto" task in cron.
Isn't it working for you: "It updates automatically every hours and you can do it manually from Status page."
-
The installation of the new DB seems to be triggered manually.
The update of the running DB is automatic.
-
The installation of the new DB seems to be triggered manually.
The update of the running DB is automatic.
@sy
Yes, maybe broken? Can anyone confirm? It would be a big issue not to have the full AUTO-UPDATE feature working for such signature DBs.
My state is this, and I have not clicked on Check Updates and Reload...
Engine Version: 1.6.1
Last Update: 10/27/2020 19:07
App & Rules DB Version: 1.6.20201021092213
Last Update: 10/27/2020 19:07
-
Addition: My test system is configured:
Updates and Support
Check For Updates Automatically ON
But I have this: Last Update Check: 11/07/2020 12:35
Automatically update Databases And Threat Intelligence Data: ON
But I have this: Last Updated: 01/01/1970 01:33
Enable Engine "Core File" Generation: OFF
Cited from doc: https://docs.opnsense.org/vendor/sunnyvalley/sensei_install.html#updates-health-check
Check for Updates Automatically: Checks automatically for the updates and creates a notification on the Sensei “Status” page.
Automatically Update Databases and Threat Intelligence Data: Checks automatically for the updates and creates a notification on the Sensei “Status” page.
So it seems there is no full AUTO-INSTALL yet, which has to be initiated after an auto-update is detected for the signature DBs? Any reason why this option seems to be lacking?
-
Hi,
Sensei warns when it detects an update, like in the attached screenshot1; then, if it isn't installed manually, it updates automatically and shows info like in the attached screenshot2.
-
Thanks Sy!
I will keep an eye on it. I cannot remember seeing this detail.
I had to install the App DB manually.
cheers armin
-
Hi,
Sensei warns when it detects an update, like in the attached screenshot1; then, if it isn't installed manually, it updates automatically and shows info like in the attached screenshot2.
And is my version the latest? See my posts above.
-
Well, this is getting weird...
Did update to the latest version of the App DB, cleaned out my whitelist.
And right today it started again.
No meet.google.com, no drive.google.com and so on...
So I had to re-enable all the subdomains on the whitelist.
The thing is that my wife is in home office and she has to rely on working connections.
I must consider allowing Google ads in my config sooner or later.
I know there are tons of IPs for Google and they do use or offer the same services, including the ads.
So it's pretty difficult to distinguish between what is green and what is red...
.. ... armin
-
Hi @ArminF,
Do you see Youtube Ads in block reports?
-
Dear Sy,
I did see a block for Google Ads while triggering a meet.google.com link.
Actually, my wife triggered her meeting and got blocked by Sensei, as meet was not in the whitelist anymore.
So I went back and re-added all the subdomains she is using to the auto whitelist, and after a few minutes she was able to access meet.google.com again.
What I can imagine is that her company has some dedicated IP ranges or reservations from Google which maybe get blocked or seen as ads.
Not quite sure how I could drill down to these DNS addresses, as I see the IPs in the reports.
Thanks Sy, and sorry for bothering you about this.
On the other hand, I could "just" allow the ads...
armin
-
Here is my Auto Whitelist so far
1 connectivitycheck.gstatic.com -> YouTube needs this, otherwise it loads forever...
2 drive.google.com
3 fotos.google.com
4 google.com
5 googleapis.com
6 googlevideo.com
7 hangouts.googleapis.com -> not sure if I still need the subdomain as the main is above
8 mail.google.com
9 meet.google.com
10 youtu.be -> did not work without it. YouTube app is allowed but short links failed.
11 youtube.com
So as you see, I had to add the subdomains as well as the master domains for Google to get it to work.
The auto whitelist settings are not set as global allow, as I do have just one policy in freeware mode.
armin
-
Hi @ArminF,
It is strange because there is no Google Ads IP in the last DB. Can you restart the Packet Engine and try to block Google Ads again?
-
Hi Sy,
Thanks. Google Ads is still blocked, as I did add most of the needed stuff in the auto whitelist.
Shall i do/test something?
thanks
armin
-
Hi Sy,
OK, I removed all domains from the auto whitelist and restarted the packet engine.
Let's see tomorrow. I will report.
Thanks for your help and support, Sy!!
-
Hi Sy,
So today was a normal day like all the other working days.
For me it looks like the reload of the service engine did help to bring things back to normal.
Most probably I have to do this after each change or update to get a clean state.
Auto Whitelist is reduced to
1 google.com
2 lbryplayer.xyz
3 youtu.be
And my wife is still happy :)
I will monitor further.
Thanks for your help and support, Sy!
armin
-
OK, I had to give up.
Had to enable Google ADS and YouTube ADS to get all the Google services running properly.
Drive does not load content. Google Meet is not loading the meeting. Mail does not load background... etc.
Without these two options enabled in the App List, the Google services do fail on my network.
Reports show all actions as Youtube ADS or Google ADS blocked.
-
Updated to latest DB.
Removed all allowance for Youtube and Google ADS and set them back to blocking.
I do keep fingers crossed :)
Will report...
-
With the latest DB update it does look much better.
No trouble yesterday. Let's see the next days.
Thank you very much for your effort and support!
- Updated to latest DB
- Removed Auto Whitelist entries
- Activated blocking on Apps again
- Restarted the Engine
Thanks
armin
-
Case closed...
Last DB and App Update fixed all of the issues.
@Sy -> thank you very much for your support!