OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: BeNe on March 21, 2021, 12:51:45 pm

Title: Protect physical interface and child VLANs
Post by: BeNe on March 21, 2021, 12:51:45 pm
Hello,

I want to check out Sensei again. Had some troubles in an older version because of a netmap error. Looks like this is still a problem.
-> If I enable Sensei in the bridge mode, then the complete OPNsense is no longer accessible from the network (including the VLANs).

Interface overview:

IGB0 (Physical) LAN Network
 - VLAN 10
 - VLAN 20
 - VLAN 30
 ...

IGB1 (Physical) WAN Network

Code:
 10_DMZ (igb0_vlan10) -> v4: 172.16.10.254/24
                     v6/t6: 2003:f2:6748:ecf1:6eb3:11ff:fe1b:aede/64
 20_VPN (igb0_vlan20) -> v4: 172.16.20.254/24
 30_Pentest (igb0_vlan30) -> v4: 172.16.30.254/24
                     v6/t6: 2003:f2:6748:ecf3:6eb3:11ff:fe1b:aede/64
 40_WifiGuest (igb0_vlan40) -> v4: 172.16.40.254/24
                     v6/t6: 2003:f2:6748:ecf4:6eb3:11ff:fe1b:aede/64
 50_IoT (igb0_vlan50) -> v4: 172.16.50.254/24
                     v6/t6: 2003:f2:6748:ecf5:6eb3:11ff:fe1b:aede/64
 60_Dev (igb0_vlan60) -> v4: 172.16.60.254/24
                     v6/t6: 2003:f2:6748:ecf6:6eb3:11ff:fe1b:aede/64
 70_WiFi (igb0_vlan70) -> v4: 172.16.70.254/24
                     v6/t6: 2003:f2:6748:ecf7:6eb3:11ff:fe1b:aede/64
 80_Server (igb0_vlan80) -> v4: 172.16.80.254/24
                     v6/t6: 2003:f2:6748:ecf8:6eb3:11ff:fe1b:aede/64
 90_Clients (igb0_vlan90) -> v4: 172.16.90.254/24
                     v6/t6: 2003:f2:6748:ecf9:6eb3:11ff:fe1b:aede/64
 LAN (igb0)      -> v4: 172.16.17.254/24
                     v6/t6: 2003:f2:6748:ecf0:6eb3:11ff:fe1b:aede/64
 PIA_VPN (ovpnc1) -> v4: 10.49.112.204/24
 WAN (igb1)      -> v4: 192.168.217.2/24
                     v6/DHCP6: fe80::6eb3:11ff:fe1b:aedf/64

Here is my Sensei Setup:
(https://i.ibb.co/xSb7mzw/opnsense-interface.png)

Yes, I know that it is experimental. But since I have the setup with VLANs on the same interface as the physical one, there is no other option that I can use (as far as I know).

I would like to debug the problem. What information can I provide to bring the function up and running?

OPNsense Information:
- KVM under Proxmox
- Both WAN and LAN are same Intel Network Chips (dual card)
- Sensei Version 1.8
- OPNsense 21.1.3_3-amd64

Thanks for any help!
Cheers BeNe
Title: Re: Protect physical interface and child VLANs
Post by: Thomas on March 21, 2021, 02:20:40 pm
Hi BeNe,

Link Roadmap:

https://help.sunnyvalley.io/hc/en-us/articles/360025101153-Roadmap

I am waiting for LAG-Support :(

Bridge Mode is in Long-term.

Greets,

Thomas
Title: Re: Protect physical interface and child VLANs
Post by: BeNe on March 21, 2021, 07:17:09 pm
I'm just wondering, because there was a working version "0.8.0.rc1" that fixed the problem (for me).
But that was in 2019.

Maybe I can generate the needed logs or input in this experimental state.
Title: Re: Protect physical interface and child VLANs
Post by: mb on March 21, 2021, 07:56:34 pm
Hi Bene,

When you open an interface in netmap mode, this disconnects that interface from OS control, which means you cannot access the interface through the operating system network stack.

In L3 hosted mode, we utilize a special netmap capability to connect the interface back to the operating system's host rings so that the interface is also under OS control.

In L2 mode, this is not possible yet, because the bridge(4) interface has problems with this special capability. If you would like to access the firewall, you can utilize another interface for that purpose.

Having said that, we've attempted to improve this behavior (for bridge(4) and lagg(4)) back in November when we did the 2nd round of netmap work. But this did not provide the expected results.

This is still on our table, and we'll get back to this as soon as possible. Most likely around May - June.

One question: are you having the VLAN problem with bridge mode or is it L3 mode?
Title: Re: Protect physical interface and child VLANs
Post by: BeNe on March 21, 2021, 08:50:34 pm
Hi Murat!
Thanks for your helpful answer. I understand the problem.

About your question:
Quote
are you having the VLAN problem with bridge mode or is it L3 mode?

I'm unable to set any other option than "Bridge Mode (L2 Mode, Reporting + Blocking) (Experimental)" because of this error/information:
Code:
You cannot protect both parent and its child VLAN interface

(https://imgur.com/SoCpowil.png)
(https://imgur.com/SoCpowi.png)

So I can't provide you more information in that case.
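As an added illustration (not Sensei's own code and not part of any post in this thread), here is a small Python check that reproduces the parent/child VLAN rule behind the error above, using the OPNsense-style device names (igb0, igb0_vlan10, ...) from the interface overview; the sample selection is constructed from that list.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# OPNsense names a VLAN device "<parent>_vlan<tag>", e.g. igb0_vlan10 on igb0.
VLAN_RE = re.compile(r"^(?P<parent>[a-z]+\d+)_vlan(?P<tag>\d+)$")


def split_interface(dev: str) -> Tuple[str, Optional[int]]:
    """Return (parent, tag) for a VLAN child, or (dev, None) for a non-VLAN device."""
    m = VLAN_RE.match(dev)
    if m:
        return m.group("parent"), int(m.group("tag"))
    return dev, None


def find_parent_child_conflicts(selected: Iterable[str]) -> Dict[str, List[str]]:
    """Map each selected parent device to the selected VLAN children on top of it.

    An empty result means the selection would not trip the
    "cannot protect both parent and its child VLAN interface" rule.
    """
    selected = list(selected)
    # Parents that were selected directly (igb0, igb1, ovpnc1, ...).
    parents = {dev for dev in selected if split_interface(dev)[1] is None}
    conflicts: Dict[str, List[str]] = {}
    for dev in selected:
        parent, tag = split_interface(dev)
        if tag is not None and parent in parents:
            conflicts.setdefault(parent, []).append(dev)
    return conflicts


def validate_selection(selected: Iterable[str]) -> List[str]:
    """Return one human-readable message per conflicting parent (empty list if OK)."""
    return [
        f"You cannot protect both parent and its child VLAN interface: {parent} with {', '.join(children)}"
        for parent, children in find_parent_child_conflicts(selected).items()
    ]


if __name__ == "__main__":
    # Constructed selection: the LAN parent igb0 plus two of its VLANs, and the WAN igb1.
    for msg in validate_selection(["igb0", "igb0_vlan10", "igb0_vlan20", "igb1"]):
        print(msg)
```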
Title: Re: Protect physical interface and child VLANs
Post by: sy on March 08, 2022, 04:42:29 pm
Hi,

Does he use a kind of proxy?