OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: mb on August 25, 2018, 03:38:14 am

Title: Sensei on OPNsense - Application based filtering
Post by: mb on August 25, 2018, 03:38:14 am
Hello,

I'm Murat, founder of Sunny Valley Networks, the company behind Sensei.

Very much pleased to meet the OPNsense community.

I've seen a thread about Sensei in the forum, so I thought it might be a good idea to start a dedicated topic to help people with the software.

Sensei is a plugin for firewalls which complements them with features like Application Filtering, Advanced Network Visibility and Cloud Application Control. Currently, Sensei community edition is available for the OPNsense platform.

I've seen that some members have already downloaded and are trying Sensei. Many thanks for that. We're grateful.

I've created this topic about Sensei to help you to try it out, and try to solve any problems you guys might have encountered.

Although we reached our target number of beta testers, we always have room for forum members.
If you're interested in trying it, please do not hesitate to contact me privately. I can share the URL to the latest installer.

Very much looking forward to reading your feedback and helping you with the software.

More information about Sensei can be found on the product web page: https://sunnyvalley.io/sensei

All the best
Murat
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marjohn56 on August 26, 2018, 12:05:21 pm
Thanks to @mb for sending me a link to test this. This is a quick summary of my first impressions. Also, to prevent any cross-contamination issues, I did a clean install using zfs and then bootstrapped the opnsense install. Firmware flavour is development and core upgrade carried out.

Installation was straightforward, as was configuration. Initial configuration left me with zero information; this appears to be because I had selected the LAN as the interface to monitor. However, my LAN is a bridge; changing this to the OPT1, OPT2, OPT3 interfaces solved this and then it all started working well.


Note I am using this on a Qotom i5 with 8Gb RAM. It is recommended that this is the minimum requirement for a 100 user system. On my test system there is minimal extra load on the CPU, but my test system is limited to only two devices attached to the LAN.


My first impression is that it is a very impressive package; it will be interesting to see what the differences between the commercial and community editions are when that time arrives.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 27, 2018, 07:43:54 am
@marjohn56, many thanks for giving Sensei a try and providing feedback. This is very valuable for us.

Glad to hear that installation & configuration went smoothly.

Sensei utilizes netmap behind the scenes, which does not play well with bridged interfaces. Netmap in FreeBSD 11.x, which OPNsense is based on, is quite old. I think we can also contribute to the OPNsense team with improved netmap support. I believe this will also help resolve some Suricata issues.

We'd love to hear about performance figures with a larger user base if you happen to have access to one. Currently the largest deployment we know of is 200 Mbps sustained WAN throughput with about 850 users. HW is an old HP DL360-g8 (xeon e5-2450L @1.8GHz) and 16GB RAM.

Delighted to see that the product is up to the duty.

Enterprise <-> Community edition work is ongoing. For now I'm happy to tell that community edition for OPNsense will always be there and forever free.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mundan101 on August 29, 2018, 02:01:30 pm
I have sensei up and running and so far so good!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marjohn56 on August 29, 2018, 03:10:48 pm
Quote
I have sensei up and running and so far so good!


Just in case @mb has not told you, IPv6 is still WIP, so v4 only for now, still cool though  :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 30, 2018, 01:18:22 am
@Mundan101, thank you for testing and giving feedback.

@marjohn56, thank you for pointing it out. It's been FAQ'd now :)

To better support the software and help people who are having issues, we've created a Gitlab project.

Please feel free to send any bug-reports & enhancement requests there:

https://gitlab.com/svn-community/opnsense-sensei-plugin

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on August 30, 2018, 09:16:18 am
@mb https://www.sunnyvalley.io/eastpect
What about TLS 1.3?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on August 31, 2018, 01:10:20 am
Hi @mimugmail,

I am Hayati from SVN team.

As you probably know, TLS 1.3 was finalized this month after 28 drafts. TLS 1.3 will obviously dominate over other versions and most of the Linux/Unix distros and libraries should be giving support for it, sooner or later. This is no different for us.

We've been closely watching its progress and discussions on the TLS working group during our whole product development. So we expected and prepared for it, and Sensei's TLS inspection has been designed by taking TLS 1.3 into account. We'll be able to provide TLS 1.3 inspection without downgrading TLS version.

We expect the transition to TLS 1.3 in the field will start with the popular TLS libraries, followed by the applications that are dependent on them. This will take some time. We aim to be among the first network security providers to support TLS 1.3 to its fullest potential.

I've uploaded a video to SVN youtube channel illustrating TLS Inspection in action: https://www.youtube.com/watch?v=krG_VKt2_qk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on September 01, 2018, 12:12:45 am
Thank you guys! I don't have a large userbase but I'll definitely report anything I come across. So far I really like it. My main goal at the moment is to see how it plays with squid and caching. I'm also using suricata and clamAV. I noticed a mention of some issues with suricata but that you were aware and working on a fix.
Edit: I've seen a few people on 200Mb connections but I haven't seen many at 1Gb. Are you planning to add traffic shaping abilities? Based on category?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 01, 2018, 03:46:59 pm
Hi @samsonmcnulty,

Thank you for testing & feedback. I'd very much appreciate it if you can report any problems and/or issues you encounter.

Just like filtering based on application, shaping will also be there ;) The tentative plan is that we expect it to arrive in 2019.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on September 01, 2018, 04:37:58 pm
hello

can we block websites can be an integration in opnsense native

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 01, 2018, 07:58:14 pm
Hi @sagem2004,

Was your question about Sensei filtering based on web sites?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 03, 2018, 10:12:19 am
Great plugin so far.

On my machine running with 8GB RAM and an Intel I5 5250U (2x 1,6GHZ) the WAN throughput is at approx. 85 Mbps using IPS, Proxy + AV and around 8 active users.
Without Sensei my box can use the full 150 Mbps line (Cpu load is around 60 - 70%).
It takes a while to load on the first time and for some reason I cannot disable Sensei.
Due to the reduced internet speed I had to uninstall it and will give it another try once I have a faster router.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2018, 12:54:09 pm
Hi @sol,

Thank you for trying out Sensei and for the feedback.

A couple of questions:

Is this CPU usage (60-70%) for the configuration where Sensei is not running (e.g. IPS+Proxy+AV)?

When you launch Sensei, how much did you see it change? Does it top out at 100%?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: krdhtet on September 04, 2018, 09:42:14 am
Dear mb,

Could you kindly provide Sensei link for me?

Thank you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 04, 2018, 07:31:35 pm
Hi @krdhtet,

You got it in your inbox ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 05, 2018, 06:02:06 pm

Quote
A couple of questions:
Is this CPU usage (60-70%) for the configuration where Sensei is not running (e.g. IPS+Proxy+AV)?

Yes

Quote
When you launch Sensei, how much did you see it change? Does it top out at 100%?

It goes up to 95% and drops to ~50%. It also drops and peaks way more often.

Furthermore I couldn't disable Sensei and I was only able to uninstall it right after a reboot.
After a new try to install it again over the current system, OPNsense crashed and I had to reinstall OPNsense.
I guess some old settings made a clean reinstallation of Sensei impossible.
Let's hope that a new Sensei version will fix the option to stop it.

Looking forward to an update and will give it a try another time.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 05, 2018, 07:28:31 pm
Hi @sol,

Many thanks for reporting this and for the answer. This is very much helpful to understand what's going on.

Looks like quite a loaded system. I would not recommend running with 60-70% CPU utilization if you're doing some kind of packet processing, because packet processing requires dedicated resources, and if the CPU is highly utilized and also shared with other applications, it's highly possible that you'll start losing packets. This is so because at some point the OS will fail to schedule the packet processing application onto a CPU (because the CPU is already busy) and packets will be dropped in this timeframe. As a consequence, this will create congestion, and finally you'll get lower throughput. This was what happened, lowering your throughput from 150 to 85 Mbps.

To remedy this kind of heavy-load scenario, there is one thing you can do, and one thing we can:

For you, as you wrote before, it'd be better if you can run the configuration with a more resourceful HW.
For Sensei, we'll pin it to a dedicated CPU core. This will help if you have a multi-core system. 

For not being able to stop Sensei, I'd guess it's related to the above scenario. Though it should stop anyway whatever the load is.

We'll try to reproduce this with your conditions in our lab. I'll let you know about our results.

For the sake of clarity: were you trying to stop it by clicking on the "Stop" action button or by disabling the "Start on Boot" option? The latter controls whether Sensei should be run during boot time. If you disable it, it does not stop the engine; you'll still need to click on Stop. Most probably you clicked on "Stop", but I just wanted to be 100% sure.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: krdhtet on September 07, 2018, 10:35:12 am
Dear mb,

I have received your link, thanks.

Currently, Sensei won't find the wifi interface.

Best regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 07, 2018, 05:49:57 pm
@mb Thank you for your support.
The system only uses that much cpu power when I'm fully saturating my internet connection (150mbit).
Apart from using sensei I haven't experienced any issues. But this explains the drop in my throughput for sure.

I tried stopping it by using the stop button first, which didn't work. I was able to stop the elastic search engine using the stop button though. Then I disabled start on boot and rebooted the machine. Unfortunately this didn't disable sensei after the reboot and somehow I was able to stop it and uninstall it after a few tries.
After that I tried to install sensei on the same machine again, which resulted in a crash after the final installation. The PC wasn't accessible via gui or shell anymore and I had to reinstall opnsense.

So it seems that a machine with underpowered resources might not be able to be stopped using sensei 0.6 right now.

Cheers
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nospam on September 07, 2018, 10:47:10 pm
Vapourware? Blackbox man-in-the-middle SSL password harvester?

No download links, no source code, no forums
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 07, 2018, 10:57:45 pm
Hi @krdhtet,

This is done on purpose. We have an unresolved issue with the wireless adapters, so we filter them out while scanning existing interfaces.

For now, the workaround would be utilizing an external AP which would be connected to one of your ethernet ports.

I'll post an update when we're done with it.

Thank you for pointing this out. Also added to the product FAQ.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 07, 2018, 11:58:12 pm
Hi @sol,

Thank you very much for the further information. Yes, under heavy CPU utilization, it looks like we've been able to reproduce the issue. I'll update the thread about the resolution.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 08, 2018, 07:14:16 am
Hi,

Thank you for the straightforward feedback.

Vaporware?

No. Sensei is developed by Sunny Valley Networks. I'm Murat, founder of the company. Sunny Valley is a venture-backed, Delaware/US registered company, located in Sunnyvale,  California. Company website is https://sunnyvalley.io. I live in Bay Area. If you are around or will be one day, I'd very much like to meet you in person, grab a coffee and have a chance to get to know each other closer.

No download links?

Currently, we provide the download link for people who register for the BETA early access program. When we are done with the early issues reported by BETA users,  we'll release the final community edition, which will be downloadable directly from the website.

No forum?

We're quite new. We've released the BETA version in late July. We thought that it would be most efficient if we used the existing OPNsense forum for that purpose. Because the plugin is available for OPNsense, and this forum is where all the people discuss things around OPNsense.

No source code?

Sensei is closed source. We announce it on the product webpage. On the other hand, apart from Sensei community edition being available for free for the community, we have a list of open source contribution items, which we think will be of value to the whole project and the community.


Password harvester?

No. Sensei follows best practices implemented by Bro/Suricata; explicitly strips out and throws away octets that could be sensitive. For instance, it does not touch HTTP bodies,  and spends extra cpu cycles to strip out any parameter passed to GET/POST requests and cookies.

It is about our effort to tackle the increasing utilization of encryption by the recent cyber attacks to avoid detection:

https://www.wired.com/story/phishing-schemes-use-encrypted-sites-to-seem-legit/
https://www.thesslstore.com/blog/lets-encrypt-phishing/

However we also share your concern. We also agree that TLS code should be distributed in a more controlled way. This is why TLS will be part of the Enterprise edition.

Thank you for taking the time to comment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 12, 2018, 05:51:59 pm
Hi @sol,

It looks like we've fixed the problem which in some cases leads to Sensei not stopping appropriately.

Fix will appear in 0.6.0-release, which will be released today US Pacific time.

Would be more than happy if you can give it a try.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Nekromantik on September 13, 2018, 12:17:52 am
I'm interested in trying this out.
I only have a 80/20 connection and am using a Celeron dual core mini pc with 4GB RAM.
Will this be too much for my hardware?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 13, 2018, 02:12:38 am
Hi @Nekromantik,

Thank you very much for your interest in Sensei.

Yes, unfortunately this hardware configuration will be insufficient for running the software. Sensei installer will refuse to start. You'll need at least 8GB RAM and a more modern CPU.

Please see this blog post to get more information:

https://www.sunnyvalley.io/blog/sensei-hw-requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on September 13, 2018, 02:50:10 pm
I just replied to your email with the download link to v .6 and didn't realize that the hardware requirements had changed.
Code:
This is Awesome! But I have one small request. I use a system with 12 GB ram now for my opnsense install. Previously, I was using 16 GB since sensei requires it but I never noticed my ram usage go over 8 GB. My environment is only about 4 users with maybe 20 total devices connected at once but rarely being used all at the same time (think SOHO network). Is there any way to add an option for a smaller network like mine or is there some way I can bypass the 16GB minimum requirement?
Am I totally tripping here? Have they always been 8GB minimum? I could have sworn when I tried to install the last version it stopped me since I only had 12 GB... I'm probably crazy lol
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 13, 2018, 06:21:44 pm
Hi @samsonmcnulty,

Great to hear that it worked on your second try :) Yes, the check in the installer was for 8GB minimum RAM. I guess it was something else which went wrong.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Alphakilo on September 15, 2018, 04:47:59 pm
Is it required to run the Elastic stack on the Firewall?
Why not split it into two packages: The "Firewall" part and then Elasticsearch, Logstash, etc...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 15, 2018, 07:24:13 pm
Hi @Alphakilo,

Many thanks for the input.

Currently it runs on the firewall. This was an important decision to make when we first started working on the plugin. All of the first users' feedback was to have it coupled with the firewall. Because the deployments were typical of a SOHO, SME, and they were not able to operate a separate deployment just for reporting.

So instead of starting with a distributed design, we started with this one, suggesting early users to increase the amount of memory they had. They were already using modern CPUs, so CPU was not a problem.

For reference, with the current architecture, the largest deployment that has been reported to us is 700+ concurrent users and 500 Mbps/50 Mbps max, 300 Mbps sustained WAN throughput. HW: Dual-Core i5-2400 @3.10 GHz (4 threads) with 10GB RAM - OPNsense + Sensei. No IPS, No AV, No Caching. Use case is firewalling + application control + web security.

Looking forward, it looks like we'll offer this option, since we see that more and more people want to see Sensei deployed in larger-scale environments, with thousands of users.

For the time being, our focus is to make the software super stable & make it cover the essential network security requirements of SOHO / SME users.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 16, 2018, 04:13:32 pm
Hi there,

Sensei 0.6.1 is released. This is a minor reliability release fixing a few issues reported for the 0.6 release.


More on how to update to 0.6.1: https://www.sunnyvalley.io/blog/sensei-0-6-1



Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on September 26, 2018, 12:00:18 am
Hi friends, thanks for the very interesting project work,
I'm testing version 0.6.1, my interface is vlan but I do not see Packets IN and Packets OUT, any settings I missed?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2018, 07:16:52 am
Hi @bulmaro,

@svn is working on your bug report. Hope to update you about this soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on September 26, 2018, 03:45:52 pm
thanks for your attention
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hyralak on September 29, 2018, 07:25:46 pm
I tested Sensei for a couple of weeks. In that time I observed some unexpected behavior. First I need to say that I have had zero issues with opnsense in the year that I have been running it, rock solid. I am running it at home, my internet speed is 300/80. The hardware is a Dell Optiplex 8gb ram Intel(R) Core(TM) i5-3475S CPU @ 2.90GHz. Memory usage never exceeded 35% with sensei running and cpu usage was minimal.
Issues I encountered after installing Sensei included the web interface locking up, and being unable to access opnsense via ssh. I could still interact with the console. After this occurred I had to uninstall the plugin.
 
Also, I run a pi-hole for DNS poisoning which logged Sensei as the top domain. I was seeing 25,000-35,000 connection attempts to updates.sunnyvalley.io. I turned off auto updates but it continued to hammer away at updates.sunnyvalley.io. The screenshot below is from the last 24 hours. I uninstalled Sensei about 13 hours ago.

(https://i.imgur.com/nYv8rJw.jpg)

I liked the visibility and functionality that Sensei offered, but the instability was not acceptable. Perhaps my hardware is not adequate for the plugin?
Hopefully the information that the plugin sent back to sunnyvalley will provide insight into my web/ssh issues.
Keep up the great work and thanks for letting me try out the plugin. Perhaps I will try again at a later date.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 01, 2018, 08:29:22 pm
Hi @hyralak,

Many thanks for taking the time and reporting your issue. If you find value in Sensei, then it's our job to make it super stable.

Your Hardware configuration is just fine. CPU/memory utilization seems to be low & as expected.

Do you remember which Sensei version you installed first? We had an issue which might be causing the symptoms you're seeing, and it was fixed in the 0.6.1 release. I'm suspecting an upgrade issue.

Updates.sunnyvalley.io is used for two purposes:

1. If you enabled Automated health-checks, it collects this info and sends it to the updates server, on which we run a monitoring service with alerting capability (it's actually nagios). This way we instantly know that some Sensei instance has a problem, and try to diagnose it. Information that's sent:
    a) Check whether the packet engine is currently running
    b) Check whether the packet engine crashed and created any core files
    c) Check whether the Sensei engine has any issues with packet forwarding
    d) Check whether Elastic Search is running & healthy
    e) Check whether Sensei is utilizing any SWAP memory
    f) Check disk free space has at least 20% free.
    g) Check if Sensei is using excessive cpu/memory
    h) Check if Elastic Search is using excessive cpu/memory
    i) Check if overall load average is within safe limits
    j) Check if overall cpu/memory consumption is within safe limits
    k) Check if Sensei is put onto bypass mode because of a problem.

System health checks are done once a minute. Instead of collecting the information and sending it in batch mode, the health script connects to the server for every one of the checks. So this makes 11 connections per minute. This is why you see so many connections. Yep, this is inefficient & we have an open JIRA issue to address this.

2. Software update checks. If you enable update checks, they are done once an hour.

Though the number seems to be double the number we should be seeing. Our guess is that there is a runaway cron job from previous versions.

I'd love to explore more, I'll be writing to you via a private message. I'd like to find the root cause relating to this. Then the fix is the easy part :)
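
An added example (not part of the original posts and not Sunny Valley's code): using the rates stated in the post above, 11 health-check connections per minute plus one update check per hour, this script tallies lookups of one domain per client in a Pi-hole/dnsmasq query log and compares them with that budget. The dnsmasq log layout, the constructed sample lines, the client addresses and all function names are assumptions, and DNS lookups are only a proxy for connections.

```python
"""Compare observed DNS lookups of a telemetry host with the rate the vendor states."""
import re
from collections import Counter

# Figures from the post above: 11 health checks, one connection each, once a
# minute; software update checks once an hour.
CHECKS_PER_MINUTE = 11
UPDATE_CHECKS_PER_HOUR = 1

# Assumed dnsmasq/Pi-hole query line:
#   "Oct  1 20:29:01 dnsmasq[812]: query[A] name from client"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def expected_per_day():
    """Connections per day implied by the stated schedule."""
    return CHECKS_PER_MINUTE * 60 * 24 + UPDATE_CHECKS_PER_HOUR * 24


def audit(lines, domain, qtype="A", tolerance=1.5):
    """Per client, compare lookups per active minute with the stated rate.

    Only one record type is counted (assumption) so that an A/AAAA pair
    issued for a single connection is not counted twice. Resolver caching on
    the client can hide lookups, so the result is a lower bound.
    """
    per_client_minute = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["qtype"] != qtype:
            continue
        if m["name"].rstrip(".").lower() != domain.lower():
            continue
        # Bucket by minute: normalise padding, then drop the ":SS" suffix.
        minute = " ".join(m["ts"].split())[:-3]
        per_client_minute[(m["client"], minute)] += 1

    report = {}
    for client in sorted({c for c, _ in per_client_minute}):
        counts = [n for (c, _), n in per_client_minute.items() if c == client]
        mean = sum(counts) / len(counts)
        report[client] = {
            "active_minutes": len(counts),
            "mean_per_minute": mean,
            "peak_per_minute": max(counts),
            # Projection assumes the same rate holds for all 1440 minutes.
            "projected_per_day": round(mean * 60 * 24),
            "ratio_to_stated": round(mean / CHECKS_PER_MINUTE, 2),
            "exceeds_stated_rate": mean > CHECKS_PER_MINUTE * tolerance,
        }
    return report


def sample_log():
    """Constructed log lines (not real data): one client at twice the stated
    rate, one client at the stated rate, plus lines that must be ignored."""
    host = "updates.sunnyvalley.io"
    lines = []
    for minute in (29, 30):
        for i in range(22):
            lines.append(f"Oct  1 20:{minute}:{i:02d} dnsmasq[812]: "
                         f"query[A] {host} from 192.168.1.1")
        for i in range(11):
            lines.append(f"Oct  1 20:{minute}:{i + 30:02d} dnsmasq[812]: "
                         f"query[A] {host} from 192.168.1.50")
        lines.append(f"Oct  1 20:{minute}:59 dnsmasq[812]: "
                     f"query[AAAA] {host} from 192.168.1.1")
        lines.append(f"Oct  1 20:{minute}:59 dnsmasq[812]: "
                     f"query[A] example.org from 192.168.1.1")
        lines.append(f"Oct  1 20:{minute}:59 dnsmasq[812]: "
                     f"forwarded {host} to 9.9.9.9")
    return lines


if __name__ == "__main__":
    print("stated schedule implies", expected_per_day(), "connections/day")
    for client, row in audit(sample_log(), "updates.sunnyvalley.io").items():
        print(client, row)
```
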
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hyralak on October 01, 2018, 08:39:12 pm
It appears that I installed sensei_installer_opnsense_0.6.1-release.sh
Title: Re: Sensei on OPNsense - Application based filtering
Post by: rhyse on October 02, 2018, 10:55:41 am
Hi

I am seeing an issue where the "Sensei Packet Engine" keeps stopping, clicking start makes it come back to life.

Enviro: VMware 6.7, 10GB RAM, 2 x vCPU's (host CPU 2 x E5-2670), disk space 2.2 gb used out of 18Gb, Sensei deployment size Small (I have just enabled "Enable Generation of Support Data:"), Sensei version 0.6.1-release (installed from this version)

This is a test infra, so doesn't have much traffic going through it

Any ideas ?

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 02, 2018, 04:00:12 pm
Hi @rhyse,

We did not have many users on VMware. Let's debug it together & make Sensei run there. I'm contacting you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 02, 2018, 08:58:01 pm
Dear Sensei users,

With @rhyse helping us debug his issue, we've spotted a bug with the Netflow output formatter. If you're using Sensei with Netflow, it's better to disable it for now.

For the resolution, we'll issue a fix. Hopefully as 0.6.2.

Many thanks, @rhyse!




Title: Re: Sensei on OPNsense - Application based filtering
Post by: Csykes27 on October 16, 2018, 12:29:16 am
I am having an issue where, when I enable Cloud Reputation & Web Categorization, all web traffic stops. All services are running and stay running from what I can tell.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on October 16, 2018, 12:49:50 am
@Csykes27 thanks for reporting. We've heard this issue for the first time actually. Let's debug what is causing this together.

I shall be contacting you soon to resolve the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on October 18, 2018, 10:48:08 am
During the initial installation, a dependency throws a 404 error:

Code:
pkg: https://updates.sunnyvalley.io/repo/libXtst-1.2.3.txz: Not Found
FAILED : Unable to install required packages. Please see install.log
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on October 18, 2018, 07:11:19 pm
Hi @jjanzz,

We're currently working with OPNsense for the integration. As a part of this process, OPNsense started providing some of our dependencies. We'll update our installer and package to be compatible with the latest changes on OPNsense package repository, soon.

It seems that some of the dependencies are not satisfied (namely, some configuration files of elasticsearch, and some java dependencies). We'll fix this urgently.

Right now, you can register for download and we'll send you a download link as soon as we fix the dependency issue.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on October 22, 2018, 04:10:32 pm
Quote
We're currently working with OPNsense for the integration. As a part of this process, OPNsense started providing some of our dependencies. We'll update our installer and package to be compatible with the latest changes on OPNsense package repository, soon.

Thank you for the reply. No problem; I'll gladly help you test it out as soon as it's possible :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2018, 12:09:10 am
@jjanzz and community,

Elasticsearch5 was added to OPNsense packages as part of the 18.7.5 update. There was a problem in the FreeBSD elasticsearch package builds which was inherited by the OPNsense build system.

Because elasticsearch was problematic, Sensei installations were failing.

Today we fixed the problem. In the meantime, OPNsense will be removing the package from its repository in the upcoming release.

Starting 18.7.6, elasticsearch will be provided by Sunny Valley Package repository.

Long story short: We're resuming Sensei downloads. You can now download and install new Sensei version, which is 0.7.0-beta1 as of now.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2018, 12:10:55 am
Hello all,

As part of 0.7 release effort, we've launched Sensei Users' Manual & Documentation.

Please find it here:

https://guide.sunnyvalley.io/sensei/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: wordsmith on October 25, 2018, 07:45:42 am
This plugin looks pretty interesting and I’d like to give you some non-technical feedback to consider. But first a question: will Sensei ever be open source?
See, the reason I ask is because to me it seems there is some confusing communication going on. I’m sure, some of it is non-intentional like:

Quote
For now I'm happy to tell that community edition for OPNsense will always be there and forever free.

"For now" and "always" don’t work well together. Basically, now you’re saying that this will always be the case, but later you might change your mind to “it isn’t free anymore”. I suspect that this was unintentional, but I just wanted to get it out of the way.

What rubs me a bit the wrong way is that the community edition is free, but not open source. According to your FAQ:
Quote
The Packet Engine coded in C++, and its source code is not open.

I think the reason there are community editions in the software space is precisely to indicate that a company/developer wants to build a trust model with others and, as a result, gives them the recipe so that they can build a community around it together. In short, it isn’t about getting something for free i.e. without having to pay, but to build trust.

Now, where your approach to marketing proves to be rather problematic is with statements like this:

Quote
Empower your open source firewall with Next Generation features.

If you plan to keep parts of Sensei closed source, I’d suggest you’d drop the “open source” in your marketing, because it’s confusing at best, misleading at worst. Next, as long Sensei isn’t open source, I’d also reconsider the use of “community edition”: this is a rather well known way to describe the non-commercial version of a product that isn’t just for the community, but also by the community. If the community doesn’t have access to the code, it’s not a community edition, it’s a free edition.

The FLOSS community already suffers from a huge labeling problem (ever tried to explain to a non-technical user the difference between Free Software and Freeware?) so let’s not muddy the waters even more.

I don’t know about your business model, but for people who really care about open source it’s not about getting stuff for free, it’s to be able to verify the claims of a company such as yours and, of course, to build a community around a solution that can be built by like-minded people without restrictions regarding code access.

Of course, at the end of the day there’s always the pragmatic side to consider and there will probably be a lot of users who are perfectly fine to run proprietary software on their open source OS, but for people like me who decided to use an open source solution not because it is free of charge, but precisely because its source code is available, Sensei won’t be the solution we’re looking for.

Now, with all that being said, I still appreciate your efforts.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 26, 2018, 08:33:09 pm
Hi @wordsmith,

Many thanks for taking the time to provide this valuable feedback. Now we have become aware of a communication problem.

To clarify things:


As you’ve correctly pointed out, if there is any misunderstanding, it’s unintentional. Your comments shed a lot of light as to what needs to be adjusted in the messaging. We’ll be working on that.

Taking this chance, I’d like to give a little bit of background why we started with “open source firewalls”.

As Sensei team, we believe that we’ve created a powerful packet processing technology. We believe that better packet visibility means better decision making. Better decision making means better success rates in detecting malign traffic.

Sensei is the first of two products that we’re going to create for a large market.

We hope to make Sensei available for any network security equipment / product which needs application classification & web security features. L3-L4 firewalls, UTMs all fall into this category.

The thing we started with open source firewall space is that, it was a request by an MSP who was deploying open source firewalls onto customers and providing support services. Very happy with their current firewalls, they needed several features that we could provide. We quickly did an integration and voila! The resulting solution (OPNsense + Sensei) was found to be better than many of the current players in the UTM market.

This sparked a light for us. Why not deliver the product as a plugin instead of yet another full-blown firewall appliance? It’d be cost effective for us and we would then be able to relay this cost advantage for the benefit of our prospective users.

In this regard, open source firewalls is a delivery channel for us, though it’s not the complete target market. Via this initial channel, we learn very much from our users and improve Sensei. You can’t believe how much Sensei improved from the day we announced first beta up until this day. Then of course, we are looking for market visibility. It’s great to see people loving the solution and spreading the word.

A free of charge Sensei edition (maybe we should call this freemium edition) is a way of our giving back to the OPNsense community.

Having founded a local open source community (enderunix.org) and published some open source tools, I truly understand, appreciate and respect your stance.

Though we cannot make Sensei fully open source, I think the best we can do right now is to communicate what Sensei is and what it is not in a straight and open way. This way people would know what they will have and what they won’t; and will make an informed decision about using / not using it.

It's somewhat hard to figure out a way to communicate to people that the current product is for “open source firewalls” without using the words “open source”. Because marketing wise, we would like to be as precise as possible so that people would know what it is for.

However I also see that it’s creating confusion. We’ll spend more time on this. I’d also like to consult you if you wouldn’t mind.

Again, many thanks for bringing this up to our attention.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 08, 2018, 02:24:10 pm
Dear Sensei users,

0.7.0-beta1 update is out for those who are on 0.6.x releases:

https://www.sunnyvalley.io/blog/0-7-beta1-update-available-for-0-6-x-users

0.7 Beta1 comes with the following functionality:
 
1. New Report - Blocked Connections Sessions Explorer and drill-down reporting
2. Reports enhancement: Daily executive reports. Selected reports delivered via a daily e-mail.
3. Customizable Landing Page for Blocked connections
4. Reports data retiring: disk space consumed by Elastic Search (Reports) is now configurable
5. Release Changelog is now displayed during Sensei updates
6. Shortcut to add Block/Allow rules based on fields (IP Address, Application, App Category etc.) via Session Explorer Reports.
7. 350+ new applications identified.
8. Documentation: Sensei Users' Manual
9. Sensei speaks your language now, we added i18n support to match your OPNsense UI language. English & German are the two for now, more coming soon.
10. More performance & stability improvements


If you've downloaded & installed Sensei later than October 15, you should already be using 0.7.0 beta1. This is an update package for older versions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shrdlu on November 13, 2018, 06:15:37 pm
Not sure if this is the right place to post this, so if I am wrong please redirect me.

I have noticed with Sensei (BTW, it is working fine) that when I run a health audit in OPNsense I get the following (see attached screenshot) checksum mismatch for the nodes.csv file and was curious if this is normal or something is wrong.  Things appear to work fine and no matter what Cloud Threat Intel selections I make (not sure that is related but it might be) I get the mismatch and the Cloud Threat Intel is working fine regardless, or at least shows up and running.

And, on another note, in terms of processing when do the Sensei components process information in terms of order?  For example, I use the web proxy (squid) in OPNsense and was curious if Sensei process the packets before the proxy or after or somehow during, or frankly something completely different if I am misunderstanding the order of operations.

Thanks in advance.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 13, 2018, 06:27:42 pm
Hi @shrdlu,

You're in the correct place :) We're receiving feedback & comments and help requests here. You can also shoot a ticket if you think you've found an issue with the software:

https://gitlab.com/svn-community/opnsense-sensei-plugin/issues

The thing with Node.csv is not an issue. Web UI updates the contents of this file with the best servers available. I guess this creates a mismatch with the OPNsense File Integrity Checker. We'll handle that.

With regard to processing order: Sensei receives packets while they traverse from Network Adapter to the FreeBSD networking stack; which means it receives them before Squid and even before L3/L4 Filtering.

You're all welcome, and thanks for sharing your experience.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: theq86 on November 15, 2018, 03:56:00 pm
I Installed sensei. When I was on the dashboard to configure the protected interfaces only my 2 vpn interfaces show up. Not WAN, not LAN, nor any other interface on my firewall.

current version as of writing (0.7.0-beta1)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on November 15, 2018, 04:11:55 pm
Do you have IPS enabled on LAN or WAN?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: theq86 on November 15, 2018, 06:23:50 pm
Nope. Neither
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 15, 2018, 06:33:28 pm
Hi @nasq,

Any chances your LAN interface is virtio?

https://guide.sunnyvalley.io/sensei/support/faq#no-ethernet-interface-is-being-shown-in-the-interface-configuration

As quick workaround, select Intel E1000 as the adapter type.

As the final solution we're sponsoring a development which will ship the latest upstream netmap code into FreeBSD.

This will also fix lots of issues that you might be encountering with Suricata as well.

https://svnweb.freebsd.org/base?view=revision&revision=340436

It's us. Commit is done to HEAD, will be MFC'd to 11-STABLE in the following timeframe.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on November 15, 2018, 06:36:53 pm
Quote
https://svnweb.freebsd.org/base?view=revision&revision=340436

It's us. Commit is done to HEAD, will be MFC'd to 11-STABLE in the following timeframe.

Really nice contribution Murat, thanks! :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 15, 2018, 06:44:59 pm
Hi @mimugmail,

Our pleasure. All welcome :) Super excited to see the changes land in 19.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on November 16, 2018, 08:40:19 am
r340436 is indeed very nice. mb, please push these into my mailbox or open a src.git ticket for swift inclusion. we need the MFC for stable/11 to be committed first though.

for the csv, it's considered bad style to manipulate files shipped with the package. for that reason FreeBSD has the "sample" trick which creates a copy of the file and only checks in the unmodified file (suffix ".sample"). We use it in core in some places, too. Plugins don't support it yet, but they should eventually.


Cheers,
Franco
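
The ".sample" convention Franco describes, sketched as an added example (not OPNsense's or Sensei's packaging code): only nodes.csv.sample is shipped and checksummed, while the live nodes.csv is created from it and may change at runtime. The temporary directory, the manifest file name and the CSV rows are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of the FreeBSD "sample" convention for package-shipped files.
# Everything lives under a temp directory; the CSV rows are constructed.

# Portable SHA-256: sha256sum (Linux) or sha256 -q (FreeBSD).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Install/upgrade: ship only the .sample file and record its checksum.
# The live file is created from it only if the admin has none yet,
# so an upgrade never overwrites runtime changes.
pkg_install() {
    root=$1
    mkdir -p "$root"
    printf 'server-a.example,10\nserver-b.example,20\n' > "$root/nodes.csv.sample"
    hash_of "$root/nodes.csv.sample" > "$root/manifest.sha256"
    [ -e "$root/nodes.csv" ] || cp "$root/nodes.csv.sample" "$root/nodes.csv"
}

# Integrity audit: only the shipped, unmodified file is compared to the manifest.
# Returns 0 when it still matches, non-zero on a checksum mismatch.
audit() {
    root=$1
    [ "$(hash_of "$root/nodes.csv.sample")" = "$(cat "$root/manifest.sha256")" ]
}

# Removal: delete the live file only if it is still identical to the sample,
# so locally modified data is left behind for the admin.
pkg_deinstall() {
    root=$1
    if cmp -s "$root/nodes.csv" "$root/nodes.csv.sample"; then
        rm -f "$root/nodes.csv"
    fi
    rm -f "$root/nodes.csv.sample" "$root/manifest.sha256"
}

demo() {
    demo_root=$(mktemp -d)
    pkg_install "$demo_root"
    # The application rewrites the live file at runtime (e.g. a new server list).
    printf 'server-c.example,5\n' > "$demo_root/nodes.csv"
    audit "$demo_root" && echo "audit ok: runtime edit of nodes.csv is not flagged"
    # A change to the shipped file itself is still caught.
    printf 'unexpected-row,0\n' >> "$demo_root/nodes.csv.sample"
    audit "$demo_root" || echo "audit mismatch: nodes.csv.sample was modified"
    rm -rf "$demo_root"
}
demo
```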
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 16, 2018, 05:24:23 pm
Hi @franco, thank you very much. I hope this will be of some help to the project.

We're still testing the code in HEAD. After we're confident, it's going to be MFC'd to 11-STABLE. I'll be pinging you once we're done with that. 

I've been informed that we actually have the unmodified file (.default) with the package. Engine reads a "processed" version of that file, which -indeed- does not need to be included with the package. We're removing it. I guess we're done then.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on November 16, 2018, 06:33:35 pm
Yeah, that's all sorted then, great!  8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: therec on November 18, 2018, 05:13:56 pm
Hello Murat,
I had a question around blocking (i.e. ads, trackers, etc.). Is there a way to allow a specific site? If I go to Newegg's web site, the site is unreadable. If I disable the blocking, it's ok again. I see the option to the right to unblock, but it wants to unblock the group (ad category) and not the site. Forgive me if I've missed something simple. And thanks for the work, this is a wonderful product, I can't wait to see where you take it.

Thanks
Robert

If I posted this in the wrong place, let me know and I'll move it

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2018, 02:51:31 pm
Hi Robert, @therec

Thank you very much for your feedback. Awesome to see you've found the plugin useful.

When you browse Reports -> Security->Session Explorer, see if the site is being blocked via Application filtering or Web filtering. You can differentiate it by looking at the "Block category" information. If by Application filter, it says "Application category", if via Web filtering, it reads "Web category".

To allow a specific "Application", just go to Application Control, find and expand the related category, find your specific application, and unblock it.

If the filtering is done via Web filtering, browse to Web Controls->User defined categories. Create a new category i.e. Whitelist, and put your websites which you want whitelisted here.

Click "Save Changes" and that should be it.

Thanks,
Murat
Title: Re: Sensei on OPNsense - Application based filtering
Post by: therec on November 20, 2018, 01:45:51 pm
Thanks, that makes a lot of sense. however it doesn't seem to be working. I've added

- https://www.newegg.com/
- secure.newegg.com/
- www.newegg.com/
- www.neweggbusiness.com/
- https://newegg.com

Maybe I've missed something?

As an alternate test I confirmed http://static.hotjar.com/ was blocked (webtracking site).
I added this to the web controls as requested (user defined group) and it had the green check (allow),
This site also remains blocked after whitelisting via web address.

I suspect I'm missing something, I have amateur firewall skills at best. But I love this product and hope it's a long term solution for me. Thank you for the help

P.S. i just noticed https://flash.newegg.com works just fine.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 20, 2018, 09:42:23 pm
Hi @therec,

Let's dig a little deeper together. I'll be writing to you privately. I might need some logs. Let's see if there's something wrong or there is a configuration problem.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on November 21, 2018, 08:04:50 am
Hi, Using Sensei plugin and it's great. Need help with a few things:
1. Is there any live view to know which IPs are using the most bandwidth and then drill down to specific IP to check what sites / services it is using and which site / service is consuming the most. (I use ntopng and it has very nice view to tell which devices are consuming most bandwidth only)
2. I do not know why but when i check the "Table of Local / Remote hosts, it shows bytes in / out which is very low as compared to ntopng. and i have avg 25-30 devices running all the time out of 50 devices but it only show few so how can i list all of them.
3. Is there any way to get all the web history of a user or users ?
4. Is there any way to bind names to IP (local / LAN IP) as squid does in web proxy ?
5. It filter web traffic and works as transparent web proxy so is there any way to use it as cache server as well or if you are planning for it in future.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 21, 2018, 11:24:45 pm
Hi @manjeet,

Thank you for sharing your experience with Sensei. We very much appreciate that. Find the answer below:

Quote
Is there any live view to know which IPs are using the most bandwidth and then drill down to specific IP to check what sites - services it is using and which site - service is consuming the most

Yep. Navigate to Sensei -> Reports -> Connections. Look for the Chart named Top Local / Remote Hosts. But make sure to select the reporting criteria as "Volume" from the upper right hand corner of the reports page. Default is by sessions. You can do "Session based", "Packet based" or "Volume based" reporting.

When you left click on any IP, a submenu appears. Click "Drill-down" and all reports will be automagically filtered according to this IP address you've selected.


Quote
I do not know why but when i check the "Table of Local / Remote hosts, it shows bytes in / out which is very low as compared to ntopng. and i have avg 25-30 devices running all the time out of 50 devices but it only show few so how can i list all of them.

My guess is that you might be viewing the "Session" reports. Make sure you've selected "Volume" as the reporting criteria.

All devices currently active should be listed though. My guess would be that you might be viewing reports for the last 15 minutes. Make sure you've selected a longer time frame from the right hand corner.

 
Quote
Is there any way to get all the web history of a user or users ?

Yes. You can do that from the Web / TLS reports. You have the drill-down capability for every report type.


Quote
Is there any way to bind names to IP (local / LAN IP) as squid does in web proxy ?

Actually, packet engine automatically maps DNS names to IP addresses if it can find a matching DNS transaction. Soon there will be Active Directory / LDAP integration which you'll be able to see the user / group names.

Quote
It filter web traffic and works as transparent web proxy so is there any way to use it as cache server as well or if you are planning for it in future.

In theory, packet engine is capable of doing that. But we chose to focus on complementing features that are currently not existing. Squid is a great caching proxy. Indeed caching is its original reason of existence. That being said, Sensei roadmap does not have "caching" as a feature.

Many thanks for reporting your experience with us.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: maekar on November 22, 2018, 02:09:46 pm
Hi,

Is the maximum of 1000 concurrent users an approximation for better hardware performance or a strict software limit?

thanks

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2018, 02:02:50 am
Hi @maekar ,

This is the current field-tested maximum. Software arranges several tunables (e.g. cache sizes, connection table sizes etc.) according to the user size.

Current focus is to make the software super stable for SME use cases (which generally means user populations below 1000)

Looking forward, engine is able to scale to hardware resources, which makes it possible to secure thousands of users.

Hope this answers your question.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: johjoh on November 23, 2018, 11:57:10 am
Good morning, will Sensei one day consume less resources in terms of RAM and CPU?
For example an Atom CPU or a Celeron with 4GB or 8GB of ram?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2018, 02:47:31 pm
Hi @johjoh,

Yes :)

A big portion of the resource requirement comes from the Reporting engine (Elasticsearch). The core packet engine has been tested to run on low resource systems: e.g. Celeron  < 1GB RAM.

A roadmap feature - remote reporting - allows to run packet engine on the firewall itself, and reporting on another more powerful server.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bobbythomas on November 24, 2018, 07:19:02 am
Hi Murat,

Couple of questions: Is there any way to find the current installation or patch status? Where are the Sensei installation logs stored and how can we view them? I received an rc1 update and it's about 36MB, but it's been more than an hour since I started the installation, I would like to know the status. While installing Sensei some packages took a lot of time to get downloaded and I suspect something like that. I believe there is some latency reaching some of the repositories. Could you help me troubleshoot this issue?

Thank you,
Regards,
Bobby Thomas
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shrdlu on November 24, 2018, 07:35:55 am
Not sure if this is just my setup but after upgrading to OPNsense 18.7.8 I get stuck in a loop that won't complete.  Because it reset my configuration of Sensei* after the OPNsense 18.7.8 upgrade, I have to go through the config wizard again and when I click finish, it attempts to configure everything but kicks out the attached error.  Essentially it tells me, "error indices could not be created," and I am stuck in that loop as it returns me to the beginning of the config wizard.

So, #1, is it just me?
and #2, assuming it is not me and before I simply try to uninstall/reinstall, any ideas?

Thanks
 
*Is it normal for an OPNsense upgrade to reset my Sensei configuration?  If the answer is yes, that is fine but also if there is a way to backup a config and restore it that would help me retain settings.  Either way, love the solution and reconfiguration is actually a minor thing in the grand scheme of things so if the answer is no here then that is fine as I still find huge value in the software.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 09:02:07 am
Hi @bobbythomas,

/tmp/sensei_update.progress should have more detail regarding the update process. 36MB download shouldn't take that long.

We rolled back rc1 update in case there is something we miss with the update process.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 09:12:40 am
Hi @shrdlu,

It was unfortunate that both OPNsense & Sensei got updated at the same time. Looks like while OPNsense was upgrading, we shipped 0.7.0-rc1. OPNsense update manager also updated Sensei, a case which we did not handle.

Sorry for the inconvenience. We rolled back 0.7.0-rc1.

A final fix will be out shortly.

For a workaround, I'll be contacting you. We'll try to recover the old configuration.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 11:26:30 pm
Dear Sensei users,

0.7.0-rc1 upgrade is back.

A quick update on 0.7.0-rc1 upgrade:

If you encountered any Sensei issues while upgrading your OPNsense to 18.7.8, this was due to an unhandled case in our package updater when the upgrade process is triggered from the OPNsense firmware updater, not from the Sensei Status Page. This is fixed now in the upcoming 0.7.0-rc1.

But the fix will be in effect starting from 0.7.0-rc1.

So, if you’re on 0.7.0-beta1, and do NOT want to upgrade to 0.7.0-rc1 immediately, we strongly recommend running the following command to avoid any issues with the OPNsense system updater.

pkg upgrade os-sensei-updater && pkg lock os-sensei

The command will upgrade your Sensei updater to the latest version and also put a lock on os-sensei package so that OPNsense package update utility will not try to update Sensei.

If you also want to upgrade  to 0.7.0-rc1: Navigate to Sensei -> Status -> Check Updates, and you’ll be guided to upgrade to 0.7.0-rc1.

PS: 0.7.0-rc1 introduces several minor bug-fixes both on the updater and the UI. If we do not hear any issues, we’ll hopefully release 0.7.0 in the coming week.

PPS: Thanks to the increasing number of Sensei beta users, it looks like we need to increase bandwidth for Sensei Updates server (updates.sunnyvalley.io). Cool indeed  ;) This will be done in the following weeks. In the meantime, if you encounter slowdowns while installing / upgrading, we’d very much appreciate your understanding.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on November 25, 2018, 08:54:10 am
Sounds fantastic! Good to see the adoption rate increasing at a healthy rate. I did encounter this error but it seems you are already aware of the issue:


***ERROR: Indices could not be created! Reporting may not work***



Is there a temp workaround? I assume uninstalling the package and reinstalling would work?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 25, 2018, 05:59:44 pm
Hi @samsonmcnulty

Yep, that would work.

Can you run the following commands. Basically it'll uninstall & install sensei

service eastpect onestop
service elasticsearch onestop
pkg delete elasticsearch5
pkg delete os-sensei
rm -rf /var/db/elasticsearch/nodes/*


You can also do that by selecting "Uninstall elasticsearch & Remove elasticsearch data" options while uninstalling from Web UI.

then to re-install it:

pkg install os-sensei

Sorry for the inconvenience.

One question: did that happen after you've done an OPNsense 18.7.8 upgrade? We're aware of this problem & hopefully fixed.

I wonder if there are other cases.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dragon2611 on November 25, 2018, 10:05:50 pm
I'd like to try Sensei but I suspect I'd run into problems with lack of RAM and also I have an OPNsense HA pair with one physical and one virtual (KVM) so I think I'd run into the KVM/VIRTIO issue.

I'm wondering if I'd be better off starting another virtual firewall and stuffing it in the traffic path for the machines I'd want to put behind Sensei.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 26, 2018, 02:38:53 pm
Hi @dragon2611,

Good idea :) Let us know if you encounter any issues. On the virtual FW, you can use E1000 as the network adapter type:

https://guide.sunnyvalley.io/sensei/support/faq#can-i-run-sensei-on-a-virtualized-environment-like-proxmox-virtualbox-kvm

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on November 27, 2018, 07:42:10 pm
Hi, Sunnyvalley.

The first hit and miss: try to block youtube used via google chrome...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 28, 2018, 05:56:32 am
Hi @Antaris,

Thanks for reporting this.

It's because of QUIC: Google's new protocol suite, a replacement for TCP + TLS + HTTP/2. Chrome defaults to QUIC when you browse Google services. Other browsers use TCP so Sensei is able to identify & block.

Sensei is able to identify QUIC, though its detailed protocol parser is under development. When we're done with it, it'll be able to identify protocols which are transported through QUIC. We hope to have it with 0.8.0 release.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 29, 2018, 04:03:49 pm
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47488#msg47488 :

If you got stuck in Sensei Configuration Wizard,  here is a quick fix for you:

open /usr/local/sensei/scripts/installers/opnsense/18.1/sensei-init.sh file with an editor, and locate this part. It should be line 64.

if [ "$INDICES_COUNT" -lt 6 ]; then

Update this line to read like:

if [ "$INDICES_COUNT" -lt 5 ]; then

Save the file and re-run the configuration wizard.

0.7.0-rc2 will come with a more intelligent provisioning script which will try to diagnose any inconsistencies with the backend database and try to fix them automatically.
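
A guarded way to apply the one-line workaround above, as an added example (not part of the original post and not Sunny Valley's code): it edits only when the quoted line occurs exactly once, keeps a backup, and confirms that a single line changed. The function names and the stand-in script are constructed; only the two `if` lines and the file path come from the post.

```shell
#!/bin/sh
# Guarded version of the manual edit described in the post.
# OLD and NEW are the two lines quoted there; the rest is illustrative.
# On the firewall the target would be the path given in the post:
#   patch_indices_check /usr/local/sensei/scripts/installers/opnsense/18.1/sensei-init.sh
OLD='if [ "$INDICES_COUNT" -lt 6 ]; then'
NEW='if [ "$INDICES_COUNT" -lt 5 ]; then'

patch_indices_check() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # Idempotent: nothing to do when the new threshold is already in place.
    if grep -qF -- "$NEW" "$file" && ! grep -qF -- "$OLD" "$file"; then
        echo "already patched: $file"
        return 0
    fi

    # Refuse to edit unless the expected line occurs exactly once, so a
    # different script version is never modified blindly.
    count=$(grep -cF -- "$OLD" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 matching line, found $count; leaving $file untouched" >&2
        return 1
    fi
    lineno=$(grep -nF -- "$OLD" "$file" | cut -d: -f1)

    # Keep the original, then build the patched copy with a literal
    # (non-regex) replacement on that one line, preserving indentation.
    cp -p "$file" "$file.orig"
    awk -v n="$lineno" -v old="$OLD" -v new="$NEW" '
        NR == n {
            i = index($0, old)
            $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        }
        { print }' "$file.orig" > "$file.new"

    # Exactly one removed and one added line are expected in the diff.
    changed=$(diff "$file.orig" "$file.new" | grep -c '^[<>]' || true)
    if [ "$changed" -ne 2 ]; then
        rm -f "$file.new"
        echo "unexpected diff size ($changed lines); leaving $file untouched" >&2
        return 1
    fi

    # Write through the existing file so its mode and owner are preserved.
    cat "$file.new" > "$file"
    rm -f "$file.new"
    echo "patched line $lineno of $file (backup: $file.orig)"
}

# Constructed stand-in for sensei-init.sh; only the threshold line is from the post.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the real provisioning script
INDICES_COUNT=5
    if [ "$INDICES_COUNT" -lt 6 ]; then
        echo "index check failed"
        exit 1
    fi
echo "index check passed"
EOF
}

demo() {
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir/sensei-init.sh"
    patch_indices_check "$demo_dir/sensei-init.sh"
    diff "$demo_dir/sensei-init.sh.orig" "$demo_dir/sensei-init.sh" || true
    rm -rf "$demo_dir"
}
demo
```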


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2018, 02:22:27 am
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47653#msg47653

We've decided to merge some of the code from the QUIC branch to 0.7.0.

Looks like we have a working app identification & filtering for applications running through QUIC :) e.g. Google Services + Chrome browser.

Update will be introduced with 0.7.0-rc2.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 01, 2018, 11:16:31 am
Quote
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47653#msg47653

We've decided to merge some of the code from the QUIC branch to 0.7.0.

Looks like we have a working app identification & filtering for applications running through QUIC :) e.g. Google Services + Chrome browser.

Update will be introduced with 0.7.0-rc2.

Thanks guys, looking forward to it. Can we hope for an optimisation to reduce hardware requirements, especially about RAM?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 01, 2018, 10:36:03 pm
Hi @Antaris,

Many thanks for bringing this to our attention. Looks like with 0.7.0-rc2, Sensei is one of the first in the industry to offer granular control for QUIC based applications.

Currently, big vendors are advising to completely block QUIC protocol, thus forcing browsers to fall back to TCP+TLS. This is slower.

As for memory requirements, actually yes. We're planning a limited reporting option, which will require way less memory than we require today. This will still provide reporting but most probably will lack some advanced features like Drill-down and per-connection details. Other than reporting, all features will be there.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 02, 2018, 08:13:37 am
when will sensei appear in opnsense as a plugin?
which hardware requirement is necessary?
Is the latest generation Atom processor (c3558) with 8 gb of ram sufficient for sensei?

thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 02, 2018, 03:15:16 pm
There is an update Engine: 0.7.0-rc2, but when trying to update it, the system returns:  "No update is available
There are no updates available for you. You are using the latest version. " and stays on 0.7.0-rc1
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 05:04:26 am
Hi @noname12123,

Quote
when will sensei appear in opnsense as a plugin?
which hardware requirement is necessary?
Is the latest generation Atom processor (c3558) with 8 gb of ram sufficient for sensei?

thx

We have a few small items left for the final OPNsense integration.  Then Sensei will be an OPNsense plugin which can be installed from the OPNsense Plugins menu. If anything big does not come up, I guess we'll all be finished with them by the end of this month.

I'd expect that latest generation Atom would be ok. Might be a little bit slow to start Elasticsearch but when it warms up, it should be all fine. Crucial thing is RAM and 8GB is perfectly fine.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 05:08:21 am
Hi @antaris,

There is a small blog post coming related to that. We'll need to use the command-line updater for the rc2 update. GUI code is missing a "pkg update -f".

Can you try to update via command line?

As the root user, just run:

sensei-updater

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 07:32:42 pm
Dear Sensei users,

After testing 0.7.0-rc2 update with a few of Sensei users, it looks like 0.7.0-rc2 is ready to go.

We'll need to use the command-line updater for this update. GUI code is missing a "pkg update -f".

Login to the firewall console as the root user; and run:

sensei-updater

It'll take care of the rest, and you'll be updated to 0.7.0-rc2. You'll need to manually start the Sensei engine from Sensei->Status.

0.7.0-rc2 introduces fine grained application identification & filtering for Google Services through Chrome browser (QUIC protocol update); as well as several other reliability fixes for the sensei-updater.

If we do not see any issues reported; 0.7.0 will be finally released Thursday this week :)


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 03, 2018, 07:33:50 pm
Thanks a lot:

"Sensei has been updated successfully."

Just have to start Sensei Packet Engine manually...

It's running as guest on Proxmox btw...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 07:38:10 pm
Hi @antaris,

Glad that it went well. Thanks for the notice about starting Sensei. I've updated the message accordingly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 04, 2018, 06:25:33 pm
Do i miss Web 2.0 controls and TLS Visibility menus as seen on advertisement video?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2018, 03:12:55 am
Hi @Antaris,

Web 2.0 Controls / Cloud Application Controls depend on port agnostic TLS Inspection functionality. TLS Inspection will be made available with Sensei Premium Edition.

Should you like to give an early try, I'll be happy to provide a trial license for you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 05, 2018, 05:19:01 pm
It's too early i guess, and my Sensei is not in a production environment. When it's ready and the prices are known, will give it a try in one of the schools that i support. I can test it in network with up to 1500 devices and 1gbps symmetrical internet.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 06, 2018, 03:31:44 pm
Hi @Antaris,

Sounds great. Will get back to you when we have more progress with that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 07, 2018, 01:21:42 pm
Hi, I just reinstalled the OPNsense and trying to install the Sensei plugin but script is timing out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 07, 2018, 03:22:29 pm
Hi @manjeet,

Update server is operational again.

Make sure you're following the latest install instructions:

https://guide.sunnyvalley.io/sensei/getting-started/setup

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 10, 2018, 08:10:17 am
Thanks. It is installed and working.

I still have one same issue as mentioned before.. In "Table of Local Assets" and "Table of Remote Hosts" i only see 10 devices / hosts. I have changed criteria to volume, time interval 24 hours. I have also checked it by increasing settings. I am currently running more than 30 devices. So is there a limit on no of showing hosts or anything ?? I need to provide bandwidth usage (upload / download / total) reporting of all the devices in network daily basis. Any other way to do so ??
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 04:02:06 pm
Good evening,
we can filter the site in safesearch " picture "
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 06:15:16 pm
Hi @manjeet,

Glad that installation went smooth.

Quote
Thanks. It is installed and working.

I still have one same issue as mentioned before.. In "Table of Local Assets" and "Table of Remote Hosts" i only see 10 devices / hosts. I have changed criteria to volume, time interval 24 hours. I have also checked it by increasing settings. I am currently running more than 30 devices. So is there a limit on no of showing hosts or anything ?? I need to provide bandwidth usage (upload / download / total) reporting of all the devices in network daily basis. Any other way to do so ??

Ah, now I see what you're trying to accomplish. All charts on the report tabs will show top 10 records. For table reports, I guess we can put an option to provide the full list.

Stay tuned. We'll pass an update.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 06:19:32 pm
Good evening,
we can filter the site in safesearch " picture "

Hi @sagem2004,

I don't think I was able to fully understand the question. Can I request that you rephrase it?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 06:41:06 pm
can have blocked pornographic images via safesearch

Example: https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing

Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Misant on December 10, 2018, 07:27:49 pm
Installed Sensei today on a Qotom. Seems to be working fine. Setup is just for a small household with me and my girlfriend, but we are going to expand to a dog and 2 kids. So torture tests will have to wait for some time.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 09:15:03 pm
Hi @sagem2004,

Thank you for the clarification.

Google Safesearch enforcement is in Sensei's short-term roadmap. Should arrive with Sensei 1.0, which is the first production release for Sensei (ETA Q1 2019).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 09:16:33 pm
@Misant, Good to hear that :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 09:34:59 pm
Hi @sagem2004,

Thank you for the clarification.

Google Safesearch enforcement is in Sensei's short-term roadmap. Should arrive with Sensei 1.0, which is the first production release for Sensei (ETA Q1 2019).

Very good news, thank you :) :) :) :) :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 11, 2018, 11:12:54 am
Thanks for it..

Hi @manjeet,

Glad that installation went smoothly.

Thanks. It is installed and working.

I still have the same issue as mentioned before. In "Table of Local Assets" and "Table of Remote Hosts" I only see 10 devices / hosts. I have changed the criteria to volume and the time interval to 24 hours. I have also checked it by increasing the settings. I am currently running more than 30 devices. So is there a limit on the number of hosts shown, or anything else? I need to provide bandwidth usage (upload / download / total) reports for all the devices in the network on a daily basis. Is there any other way to do so?

Ah, now I see what you're trying to accomplish. All charts on the report tabs will show top 10 records. For table reports, I guess we can put an option to provide the full list.

Stay tuned. We'll pass an update.

I do not know how it calculates the top 10, but I think you have an issue here. I was looking at "Insight" for current network usage and found out that one of the systems has consumed 4GB of data since morning. I checked it in Sensei and it showed the same 4GB data usage for that IP.

But when I checked the top 10 list in "dashboard" and in "reports" (no filters, cross-checked; it showed me that same report), this IP with 4GB usage was not there. Even some other IPs which Insight showed were not there either.

It showed me a list of top 10 which I think is a better match with last night's usage, but not since this morning. It's been 6 hours and I do not see those IPs in this list.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2018, 03:58:09 pm
Hi @manjeet,

I see. Let's dig deeper. Can you reach us through sensei -at- sunnyvalley.io?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 11, 2018, 04:17:14 pm
Hello, mb

Is there a way to clear all the logs in Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2018, 08:52:23 pm
Hi @cgwork,

Use the following two scripts to delete and re-create all reporting indices:

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


This will be also a Web UI menu item with the upcoming Sensei update (0.7.0-rc3).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 12, 2018, 04:35:05 pm
Hi @cgwork,

Use the following two scripts to delete and re-create all reporting indices:

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


This will be also a Web UI menu item with the upcoming Sensei update (0.7.0-rc3).

Awesome, thank you... Also, have you thought of getting the reports to be printed or converted to .pdf format? I also noticed that when I get the emails and "click to download and view the detailed reports", they are blank; see attachment. Did I miss a check in the box so I get them? I've currently selected only Sessions, but it would be nice if I could get all of them or select the ones I would like to have.

Thank you again for the hard work.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 13, 2018, 02:37:55 am
Hi @cgwork,

You're all welcome. We had introduced PDF export previously.  It's being re-worked and will be available shortly.

You shouldn't receive an empty html file. Looks like a problem. Can you share which e-mail provider you are using? It's been tested with major ones like Gmail & Outlook. Let's try with yours.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 13, 2018, 01:53:12 pm
Sure, I'm using Gmail for this setup.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: kagou on December 13, 2018, 02:06:17 pm
Hi. I've some problems with Sensei (look at the picture).
I've tried first with my system, but after some problems I've rebuilt my interface assignments, removing the bridge system.
Now I've a WAN/DMZ/WIFI/LAN on my 4 ethernet ports.
I've stopped and used the "You can restore all Sensei packet engine configuration to their original defaults by clicking 'Reset' button."
Set just my LAN to be supervised, but look at the picture
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 05:51:11 pm
Hi @kagou,

Looks like a problem with the backend indexes.

Can you try these if they fix the problem?

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


If it does not, can you share your /var/log/elasticsearch/elasticsearch-2018-12-13.log log file to sensei - at - sunnyvalley.io ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 06:45:57 pm
Hi @cgwork,

Sure, I'm using Gmail for this setup.

Gmail should be fine. Can you forward the email to sensei - at - sunnyvalley.io ? If you can forward as an attachment, that'd be perfect.

Are you using Gmail through a browser, or through an email client?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 06:53:21 pm
Update to @manjeet's post: https://forum.opnsense.org/index.php?topic=9521.msg48451#msg48451

Spotted the problem. A typo prevented the reporting criteria from being reflected in some reports.

Fix should arrive with 0.7.0 release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 07:15:33 pm
Dear Sensei users,

We know you’re looking forward to seeing 0.7.0 release. We also do indeed.

Yet, we decided to ship another release candidate before the actual release because some updates to the code base might have more impact than we originally planned. These code updates are preliminary work related to an effort to minimize external library dependencies and compiling Sensei engine as a Position Independent Executable (PIE).

Minimizing external library dependencies will allow Sensei to be able to run on embedded platforms which run on very low resources.

PIE is a nice feature which will be default for OPNsense@HardenedBSD and will provide mitigation capabilities against exploit attempts to the packet engine. (Note: PIE is not enabled yet)

So there we have 0.7.0-rc3 publicly available for you to test. This is the Changelog from rc2 to rc3:

New features (from 0.7.0-rc2 to 0.7.0-rc3).
* More lightweight core packet engine
* Option to delete all reporting data
* Mobile web browsers compatibility. You’ll be able to view Sensei reports through a mobile device.
* Prevented scheduled jobs from submitting unnecessary emails.
* HW requirements check has been made available for the UI initial configuration wizard.
* Some stability improvements. 

0.7.0-rc3 has been under testing for about a week now, but if you’re running Sensei on a more production like environment, you might want to wait till we ship 0.7.0 final release, which should arrive in a week if we do not see any issues with 0.7.0-rc3.

To update to 0.7.0-rc3, login to OPNsense UI, navigate to Sensei -> Status and click Check for Updates. You should see an update reported. Click Update to proceed with the update. Sensei updater should take care of the rest.

Best
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 18, 2018, 02:12:03 pm
Great News mb,

In my personal opinion RCs (Release Candidates) are like the actual gold image; as it progresses and other clients test it, it will become better with the final release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 19, 2018, 08:08:22 am
Hello MB, I can see the option in "Table of local / remote assets" to select different top users. Can you also add another option to sort it ascending or descending, so that we can check the top user in the top list rather than going through the entire list to find one?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 19, 2018, 02:55:22 pm
Another idea about "Session details": give the user ability to restrict begin and end date and time fields to reduce search results to concrete time period.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 19, 2018, 07:17:09 pm
@cgwork, @manjeet, @Antaris,

Many thanks for the suggestions. Feature requests have been added to 0.8 workload. We'll do a more general re-visit to table reports. Please feel free to reach out for more ideas.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on December 19, 2018, 08:01:51 pm
a question from a maybe future sensei user:
since this elastic search module needs a lot of diskspace and sure does a lot of writing - is there a possibility to divide the installation into an "OS"-disk (binaries; usually on a SSD) and a "data"-disk (storage intensive data, lots of writes; usually on a HDD)?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 20, 2018, 12:13:10 am
Hi all,

After upgrading to version 0.7.0-rc3 none of my dashboards or reports are loading anymore

That's an error example:
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "conn_all",
        "index_uuid": "_na_",
        "index": "conn_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "conn_all",
    "index_uuid": "_na_",
    "index": "conn_all"
  },
  "status": 404
}

Any clue?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 20, 2018, 06:23:27 am
Thanks @MB for considering this.

I have another thing to ask. I am not sure if that is 100% possible or whether it is already implemented, because I did not find it in any details.

In the report we can see the source address, destination address or host, app category and protocol used. It gives us huge information about who has downloaded / uploaded to where and how much data, also the time stamp of the session etc. But I do not see any way to check what exactly the user has downloaded. For e.g. one of my users used 5GB of data in one day, which was used by Google services, and it gives us the list of when and where, but no info about what exactly, which for now we have to ask the user. This could be useful because if a user is downloading / uploading something not allowed to a server / account which they are allowed to access, then they will probably deny it.

Also, can you add an option to export reports (Excel or PDF), including custom / filtered reports, so that we can provide a report to management whenever needed rather than filling the mailbox with auto reporting?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: maekar on December 20, 2018, 02:25:15 pm
Hi,

Is there anything special to do with VLAN?

We have interfaces tagged and untagged. When I activated Sensei and configured just a few web categories to test, everything worked well with the untagged interface, but all VLAN networks lost connectivity; devices in all VLANs did not even get an IP address by DHCP. And the problem persisted even when I deselected those interfaces from being managed by Sensei; I had to stop it and uninstall it to get the VLAN networks working again.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:38:55 pm
Hi @the-mk,

Thank you very much for the suggestion: We get this request quite many times. People who’d like to see this functionality seem to be either running on the low end - the device is very weak and lacks the resources to run reporting on the device itself, or they run on the high end - throughput & number of users are quite high (>1K users) and it makes sense to put reporting on a separate device.

In addressing this requirement, we’ll offer an option - in the initial configuration wizard - asking the user whether s/he wants the reporting on the device itself, or on a remote server.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:44:05 pm
Hi @nikkon,

Looks like alias indexes are messed up. By any chance, did you do any "reset to factory defaults" ?

We'd like to dig deeper. Can you share your /var/log/elasticsearch/elasticsearch-2018-12-19.log through sensei - at - sunnyvalley.io ?

For a workaround, you can run these two commands to reset the indexes: (beware: this will erase your reporting history)

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


Let us know if this does not fix the problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:53:57 pm
@manjeet, you’re all welcome.

If the connection is clear-text (e.g. HTTP), you can see the individual downloaded files from Web Reports: Web - Table of URIs. For the TLS encrypted sessions (e.g. HTTPS), this will be possible with the all ports TLS Inspection feature - though it’s going to be available for Premium Subscriptions.

For the Table reports, development & tests have been completed, and it’s ready to ship with 0.7.0 release.
I’ve sent you a link today to try it and see if there are any more issues.

Reports - PDF export - it’s on the short-term roadmap. Probably it will ship with 0.8.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 06:07:27 pm
Hi @maekar,

Thanks for reporting this. Yes, we’re aware of this problem. Unfortunately part of the solution required some development on the Operating System itself (FreeBSD netmap implementation).

Good news is that hopefully it’ll be fixed with OPNsense 19.1. On the FreeBSD side, we’ve sponsored a development which fixes this and some other issues with the netmap implementation on FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=340436)

We’ve been testing the 11.2-STABLE MFC code for some time and it looks good to be finally integrated with OPNsense.

We’re working very closely with the OPNsense team on this. I’ll be posting an ETA after we sync with @franco.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 21, 2018, 02:57:34 pm
@mb thanks for replying
I did execute the 2 scripts.

please check the log below:

cat /var/log/elasticsearch/elasticsearch-2018-12-
elasticsearch-2018-12-16.log  elasticsearch-2018-12-20.log
root@Skynet:~ # cat /var/log/elasticsearch/elasticsearch-2018-12-20.log
[2018-12-20T01:05:36,849][INFO ][o.e.n.Node               ] [yCObJMR] stopping ...
[2018-12-20T01:05:36,889][INFO ][o.e.n.Node               ] [yCObJMR] stopped
[2018-12-20T01:05:36,889][INFO ][o.e.n.Node               ] [yCObJMR] closing ...
[2018-12-20T01:05:36,911][INFO ][o.e.n.Node               ] [yCObJMR] closed
[2018-12-20T01:07:19,550][INFO ][o.e.n.Node               ] [] initializing ...
[2018-12-20T01:07:19,707][INFO ][o.e.e.NodeEnvironment    ] [yCObJMR] using [1] data paths, mounts [[/var (tmpfs)]], net usable_space [1.9gb], net total_space [2.4gb], spins? [unknown], types [tmpfs]
[2018-12-20T01:07:19,707][INFO ][o.e.e.NodeEnvironment    ] [yCObJMR] heap size [1.9gb], compressed ordinary object pointers [true]
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] node name [yCObJMR] derived from node ID [yCObJMRsQcSMKeQy7KNhyA]; set [node.name] to override
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] version[5.6.8], pid[32322], build[688ecce/2018-02-16T16:46:30.010Z], OS[FreeBSD/11.1-RELEASE-p17/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_172/25.172-b11]
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] JVM arguments [-Xms2g, -Xmx2g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/local/lib/elasticsearch]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [aggs-matrix-stats]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [ingest-common]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-expression]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-groovy]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-mustache]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-painless]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [parent-join]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [percolator]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [reindex]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [transport-netty3]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [transport-netty4]
[2018-12-20T01:07:21,819][INFO ][o.e.p.PluginsService     ] [yCObJMR] no plugins loaded
[2018-12-20T01:07:25,240][INFO ][o.e.d.DiscoveryModule    ] [yCObJMR] using discovery type [zen]
[2018-12-20T01:07:26,419][INFO ][o.e.n.Node               ] initialized
[2018-12-20T01:07:26,420][INFO ][o.e.n.Node               ] [yCObJMR] starting ...
[2018-12-20T01:07:26,927][INFO ][o.e.t.TransportService   ] [yCObJMR] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2018-12-20T01:07:30,078][INFO ][o.e.c.s.ClusterService   ] [yCObJMR] new_master {yCObJMR}{yCObJMRsQcSMKeQy7KNhyA}{QHCtod64RcOkM74GkkvW-g}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2018-12-20T01:07:30,120][INFO ][o.e.h.n.Netty4HttpServerTransport] [yCObJMR] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2018-12-20T01:07:30,121][INFO ][o.e.n.Node               ] [yCObJMR] started
[2018-12-20T01:07:30,140][INFO ][o.e.g.GatewayService     ] [yCObJMR] recovered

In the GUI I got this:
Error at /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php:74 - fsockopen(): unable to connect to 127.0.0.1:4343 (Operation timed out) (errno=2)
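
Added example (not part of the original post, and not Sensei or Elasticsearch project code): a small triage helper that reads an Elasticsearch startup log like the one above and reports where the index data lives, how much space is free, and whether the HTTP API is bound to loopback only. The finding names and the 5 GB free-space threshold are assumptions of this example, and it does not establish the cause of the problem reported here.

```python
import ipaddress
import re

# Excerpt of the Elasticsearch 5.6.8 startup log posted above.
SAMPLE_LOG = """\
[2018-12-20T01:07:19,707][INFO ][o.e.e.NodeEnvironment    ] [yCObJMR] using [1] data paths, mounts [[/var (tmpfs)]], net usable_space [1.9gb], net total_space [2.4gb], spins? [unknown], types [tmpfs]
[2018-12-20T01:07:21,819][INFO ][o.e.p.PluginsService     ] [yCObJMR] no plugins loaded
[2018-12-20T01:07:30,120][INFO ][o.e.h.n.Netty4HttpServerTransport] [yCObJMR] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
"""

# [timestamp][LEVEL][logger] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]\s]+)\s*\]\s*(?P<msg>.*)$"
)
ENV_RE = re.compile(
    r"mounts \[\[(?P<mount>\S+) \((?P<fs>[^)]+)\)\]\], "
    r"net usable_space \[(?P<usable>[^\]]+)\], net total_space \[(?P<total>[^\]]+)\]"
)
SIZE_RE = re.compile(r"^([\d.]+)(b|kb|mb|gb|tb)$")
UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3, "tb": 1024**4}


def parse_size(text):
    """Convert Elasticsearch size strings such as '1.9gb' to bytes."""
    m = SIZE_RE.match(text.strip().lower())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def bound_hosts(msg):
    """Return the hosts listed after 'bound_addresses', without ports or brackets."""
    after = msg.split("bound_addresses", 1)[1]
    hosts = []
    for entry in re.findall(r"\{([^}]+)\}", after):
        host, _, _port = entry.rpartition(":")
        hosts.append(host.strip("[]"))
    return hosts


def triage(log_text, min_free_bytes=5 * 1024**3):
    """Parse startup lines and return facts plus a list of finding codes."""
    report = {"data_mount": None, "data_fs": None, "usable_bytes": None,
              "http_bind": [], "no_plugins": False, "findings": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack traces and wrapped lines are skipped
        logger, msg = m.group("logger"), m.group("msg")
        if logger.endswith("NodeEnvironment"):
            env = ENV_RE.search(msg)
            if env:
                report["data_mount"] = env.group("mount")
                report["data_fs"] = env.group("fs")
                report["usable_bytes"] = parse_size(env.group("usable"))
        elif logger.endswith("HttpServerTransport") and "bound_addresses" in msg:
            report["http_bind"] = bound_hosts(msg)
        elif logger.endswith("PluginsService") and "no plugins loaded" in msg:
            report["no_plugins"] = True

    # tmpfs is memory-backed: index data stored there is gone after a reboot.
    if report["data_fs"] == "tmpfs":
        report["findings"].append("DATA_ON_TMPFS")
    # Assumed threshold: warn when less than min_free_bytes is usable.
    if report["usable_bytes"] is not None and report["usable_bytes"] < min_free_bytes:
        report["findings"].append("LOW_DISK")
    # With no plugins loaded there is no security plugin in front of the HTTP API,
    # so any non-loopback bind address is worth flagging.
    if any(not ipaddress.ip_address(h).is_loopback for h in report["http_bind"]):
        report["findings"].append("HTTP_EXPOSED")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```
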
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 21, 2018, 03:01:24 pm
Hi @Nikkon,

Is this the log after you executed the delete/create scripts, or the one with the errors?

Looks like the former? Did the scripts resolve the problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 21, 2018, 03:16:43 pm
Yes, this is before I executed both scripts.
It's not solved.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 21, 2018, 05:06:43 pm
Hi @nikkon, understood. Let's do some more debugging together. I'll contact you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 23, 2018, 06:02:32 pm
Very often I see remote hosts in the local table and vice versa. Is something wrong with my setup?
And sometimes I see communication between two local IP addresses and one of them is marked as remote...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 23, 2018, 08:03:06 pm
Hi @Antaris,

Do you have multiple interfaces configured for Sensei? Are these IP addresses multicast / broadcast addresses?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 23, 2018, 10:53:34 pm
I have only LAN selected in Sensei with only one IP and no VLANs on it. The addresses are known internal hosts. Not broadcast or net addresses.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 26, 2018, 09:56:25 pm
Dear Sensei & OPNsense users,

Happy new year to all. Here is a humble new year present from Sensei team.

We're happy to announce the availability of Sensei 0.7.0 release. It was ready since last Friday, but we wanted to make sure everyone had a calm Christmas holiday, spending time with friends and family instead of doing Sensei deployments :)
 
This is the full list of features that this release brings (from 0.6.x):

1. 350+ new applications identified.
2. Google applications browsed via Chrome are now being identified (QUIC over UDP protocol support).
3. Mobile browser compatibility: you can view reports from your mobile browser
4. Reports enhancement: Data retirement option introduced. With this option you can define how long to keep your reports (days)
5. Reports enhancement: Option to erase all reporting data
6. Reports enhancement: Drill-down in Security reports is now available
7. Reports enhancement: Daily executive reports. Selected reports delivered via a daily e-mail.
8. You can easily add block/allow rules within Session Explorer based on Application and Application Category or SNI / hostname
9. User's Manual in English.
10. More deployment options for Home and Large scale users
11. Changelog between updates
12. Fixed Rebellion Theme compatibility issues.
13. Better Cloud Nodes availability
14. Better & smoother updates
15. We speak your language now, we added i18n support to match your OPNsense UI language. English and German are there for now, more coming soon.
16. Removed some large dependencies in preparation for embedded devices & PIE (Position Independent Executable) support. More performance & stability improvements.

To update your installation, simply navigate to Sensei -> Status and you should see 0.7.0 update being reported and an option to install it. If you do not see the update notification, just click "Check for updates" and you'll be guided through the update process.
 
A quick note: Although this is marked "release", Sensei is still under BETA development. We strongly advise to test the software on one of your test-beds to see if it fits your requirements. When we finally release Sensei 1.0, the BETA program will cease and the software will be publicly available for all users. We expect to release Sensei 1.0 in Q1 2019.
 
If you find any issues or you want to reach out for comments and feedback, please do not hesitate to contact us through sensei -at- sunnyvalley.io or through this forum thread.
 
Happy new year to all

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 27, 2018, 07:18:12 am
Thanks for the update @MB.

For Table Reports update is working as expected.

As @Antaris mentioned, I also see remote hosts in the local table, but no local hosts in the remote table except the OPNsense LAN IP, which I think, in one way, is not an issue because the firewall itself generates traffic for interface access etc.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 27, 2018, 09:04:14 pm
Also thanks from me for the update.

"12. Fixed Rebellion Theme compatibility issues."

In session details the headers of the columns are still with white text on white background:

https://www.dropbox.com/s/0v72em2bch0rk0q/Reb.jpg?dl=0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 28, 2018, 01:02:32 am
Can't tell if this is a new issue or not as I only installed of of .7.0-rc3. When the packet engine is running unbound overrides are being ignored.

My nslookup results show "UnKnown" in the server spot and are forwarding my overrides to public servers.
As soon as I stop packet engine this works again.
I was able to add my root domain to the "local domain to override" section and it fixed that one issue there but I have overrides for other hosts. Am I missing a setting where Sensei is overriding DNS?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:18:43 am
Thanks for the update @MB.

For Table Reports update is working as expected.

As @Antaris mentioned, I also see remote hosts in the local table, but no local hosts in the remote table except the OPNsense LAN IP, which I think, in one way, is not an issue because the firewall itself generates traffic for interface access etc.

Hi @manjeet, you're very welcome. Can you share with me a screenshot of the remote hosts table (you know my email)? Would like to see what they look like. Normally you should only see local hosts behind the firewall there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:20:06 am
Hi @Antaris,

You're all welcome & thx for the pointer. We'll fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:32:44 am
Hi @donatom3,

Actually this is an expected behavior. We're utilizing DNS override for Web Reputation & Threat Intel. Since DNS occurs before the actual connection attempt, we gather prior threat intelligence & reputation about the remote IP & host.

For a quick workaround you can disable Cloud Reputation & Web Categorization from Sensei -> Configuration. Then you'll still have reputation data for the top 1Million domains from the local database, but not for +140M :(.

We're exploring ideas to do this in parallel. This way you'll still be able to do your DNS through your DNS server and Sensei will do a parallel query for its intelligence.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 28, 2018, 05:04:55 am
@mb this is good to know.
So if I'm in an environment where I'm using Windows domain controllers for DNS to get the full effect of Sensei would I need to have the opnsense router be the DNS forwarder?

Also does this mean if I just hand out public DNS servers via DNS am I not getting the full advantage of Sensei?

P.S. I do want to add that I am liking Sensei so far.
I am still able to download at 1gbps on my i5-5250u but thinking of picking up a box that has an i5-6500.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 29, 2018, 07:29:00 am
Hi @donatom3,

For application control, dns does not play any role there, so you'll be utilizing Sensei at its full potential in any ways.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) of a possibility of using both Sensei Cloud database & local dns servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and happy with the software ;)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 02, 2019, 09:17:50 am
I tested Sensei last week. After I activated it, however, access to the internet was barely possible (e.g. Google was not available at all). Since it was a productive system, I deactivated Sensei for now and did not continue to use it. Nevertheless, I would like to know why it was located, how should I proceed best for analysis here?

In addition, I wanted to ask whether it is even possible, what I want to achieve: I would like an evaluation for special services (social media, online gaming, ...). Is sensei able to give me an evaluation of how much time / data was used for special services?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 02, 2019, 12:03:23 pm
Hello @MB, I need another favor from you if possible.

Can you please work with the OPNsense team to add an option for Sensei "Dashboard" and "Reports" in "Assigned Privileges" for users/groups? Well, I need to create a few users/groups so that they can only check the reports of the team assigned to them. I do not want to provide root user access level to them, to avoid them poking around and changing my configuration or deleting any logs or data.
Title: how to work with local hostnames?
Post by: the-mk on January 02, 2019, 07:45:19 pm
I finally decided to install Sensei on my box with several network interfaces.
I also have some servers running at those interfaces where I configured different hostname suffixes (configured with dhcp reservations and the checkbox to register the names in unbound dns). i.e. server1.lan, server2.home, server3.iot,...
before running sensei I was able to resolve all hostnames fine.
I guess the setting "local domain name to exclude" in the cloud threat intel tab has something to do with it? tried to enter here one servername for testing - did not work for me... is saving the setting enough or do I need to restart something?
how to tell sensei to honor local servernames when tried to resolve local hostnames?

EDIT: after reading the post of donatom3 and the suggestion of mb to turn off cloud threat intel I can resolve my local hostnames again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 03, 2019, 06:54:05 am
the-mk,

In my case I left that feature turned on. All I did is put my domain in the local domain section of the cloud threat intel section.

Now my local domain is ad.xxxx.com, but I have entries for domain xxxx.com, so I put in xxxx.com into the local domain and all subdomains are passed through correctly to my custom names in unbound.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 03, 2019, 07:21:25 am
@manjeet,

This is a cool feature request. Thanks. Added to roadmap.

A quick note on remote IP addresses on "local assets table": We've had a look at the screenshots. 169.254.x.x is actually a local ip address. Your PC is automatically assigned an IP address, if it cannot get an IP address from a DHCP server. More on this: https://www.techrepublic.com/forums/discussions/where-did-ip-16925451183-come-from/

Screenshots show that some PCs (or a PC) wanted to communicate with the outside world, but it did not get any replies (Incoming packets all zero).

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 03, 2019, 11:00:29 am
Thanks @MB and Thanks for the update.

Can you also add one option in reports for looking at live reports without manually refreshing the time. When in Dashboard / Reports -> Filter (Reports Interval) -> When selecting Custom interval there is "Start time" and "End time".

It will be great if you can add another option or select box there to select "End time" as ongoing.

For example: if I want to see current reports from a specific time, let's say since morning, and want to check the reports after every 10 or 15 min gap, then every time I have to select the option "Go to today" in End time. It would be better if there is an option as ongoing which will automatically change the time at some specific interval, or a "refresh interval" setting to refresh and update the time in "Reports Interval".
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dp on January 03, 2019, 08:02:06 pm
I see that shaping at layer 7 is on the roadmap for sensei. Is there any time table on that feature? Has it even started? I am looking to use it in a 1500-2000 user environment to replace some aging equipment if it is slated for the near future.

Also I have several ideas that I would like to see implemented as I have used application shapers for over 10 years in our environment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2019, 06:09:15 am
@manjeet, you're right. They are already in the workload for 0.8 ;)

Hi @dp, correct. Shaping is on the roadmap. Our plan is to feed the currently existing shaping infrastructure on OPNsense. Sensei development is quite booked with IPv6 support nowadays. Though, you should see it implemented like Q2 or Q3 2019. We'd like to keep in touch about ideas on that ;)
Title: Sensei on OPNsense - Cloud Node Status
Post by: lmwalker71 on January 04, 2019, 07:44:40 pm
Under Cloud Node Status, the nodes are always showing Down, with a countdown running next to a "Check Now" button. If the countdown runs its course, or if I click "Check Now", the status changes to up for about 15 seconds. Is this normal??? :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2019, 08:01:18 pm
Hi @lmwalker71,

Not quite ;)

If you're based in USA, make sure you have the "US - Central" Cloud nodes checked & in green color (Sensei -> Configuration -> Cloud Threat Intelligence). (If in Europe, Europe nodes should be active)

If that's already the case, can you reach out to us through sensei - at - sunnyvalley.io so that we can dig deeper together?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 09, 2019, 09:26:35 am
Services are randomly (?) stopping.

I read somewhere that services will stop, when there is less performance, to save power for opnsense native tasks, but I run Sensei on an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (8 cores) with 24 GB ram which should be quite enough power.

Since I have lacp interfaces for lan (lagg0) and wan (lagg1), each with 2x1g and vlans on lan interface and due to some remarks in this thread that vlans are not supported yet (due to FreeBSD netmap) and will be fixed with OPNsense 19.1, I added an additional, plain interface and just connected 1 pc.

Then I added this single interface with 1 pc as protected interface in Sensei. I even reduced the deployment size from x-large (what I would need if vlans would work) to small in hope that memory footprint will be reduced (actually just 1 user/pc is connected).

But the packet engine still stops randomly. I blocked shopping categories to verify whether engine is just shown as stopped or really stopped. And it is really stopped, since I can open shopping page when service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or dashboard, I get a pop-up that ElasticSearch service has to be started first and whether I want this. When I deny and check status page, then both services are down - means whenever packet engine stops, ElasticSearch stops, too.

Any hints what could be the reason for the stopping services.

The service crashes pretty soon. 1-2 minutes after starting up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 09, 2019, 09:52:04 am
Quote
I tested sensei last week. after I activated it, however, access to the internet was barely possible (eg google was not available at all). since it was a productive system, I deactivated sensei for now and did not continue to use it. Nevertheless, I would like to know why it was located, how should I proceed best for analysis here?

In addition, I wanted to ask whether it is even possible, what I want to achieve: I would like an evaluation for special services (social media, online gaming, ...). Is sensei able to give me an evaluation of how much time / data was used for special services?

currently sensei works with deactivated cloud threat intel.
Unfortunately, "Egress New Connections by APP Over Time" and "Egress New Connections by Source Over Time" show no data:"no egress new connection" what do I have to configure to make it work?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 09, 2019, 03:56:00 pm
Hi @jinn,

Thank you for giving Sensei a try. I see your quoted message did not get a response. Sorry for that. It looks like we missed it.

I guess you've been able to figure out the first part yourself. But I wonder why Cloud Threat Intel did not work for you. I'll write to you about this.

For reporting about application categories, yes you can do it. I guess you've started using it.

As for the egress connections report not showing anything: is it just a single report, or do all reports which show egress connections (i.e. local assets, remote assets, egress conns by source) not show anything at all?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 09, 2019, 04:34:43 pm
Quote
But the packet engine still stops randomly. I blocked shopping categories to verify whether engine is just shown as stopped or really stopped. And it is really stopped, since I can open shopping page when service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or dashboard, I get a pop-up that ElasticSearch service has to be started first and whether I want this. When I deny and check status page, then both services are down - means whenever packet engine stops, ElasticSearch stops, too.

Any hints what could be the reason for the stopping services.

The service crashes pretty soon. 1-2 minutes after starting up.

Hi @hbc,

Thanks for reporting this. After services stop, and when you look at Status-> Services page, do you also see that both services are disabled at boot time?

If yes, most probably this is because of Sensei's Health Check subsystem. Because Sensei is in BETA now, checks are more sensitive to problems. Even if it finds a small problem it disables both services in an effort to keep network connectivity up & running.

Can you try disabling Health Check and see if services are running persistently?

If they do and it turns out because of Health checks, I'd still recommend investigating this. While running Sensei & ES, can you do 'top' on OPNsense console and see if any processes (not necessarily Sensei (eastpect) processes) are consuming much CPU/Memory?

Performance-wise, your system looks pretty decent. We've had a report of a similar system handling 700 concurrent users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 10, 2019, 07:52:01 am
Hi @mb,

you are right, I just set ElasticSearch to start on boot and left packet engine disabled for auto-start. I'll try to set both to start on boot.

But I already had try with health check disabled and after a while, no traffic passed at all. But I'll re-check it again.
First with both starting on boot and then with health check disabled.

Update:
The start on boot was not the reason. Whenever packet engine stopped for unknown reason, the option was automatically disabled. I tried it 3 times and reenabled start on boot. But within 5 minutes service stopped again.

As next option I disabled Health Check. Currently the service runs for 20 minutes which is 4 times longer than ever before. I'll keep an eye on it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 11, 2019, 02:38:11 am
Hi @hbc,

Thank you for further information. Let us know if anything weird comes up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 11, 2019, 07:50:52 am
Hi @MB, I had a similar issue for "Sensei Packet Engine" stops within 5min everytime I enable it. It didn't fix with the reboot as well. But since "health check" is disabled (its been more than 24 hours and reboot few times), service is running without an issue.

I only faced this issue after updated OPNsense to 18.7.10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 11, 2019, 01:47:37 pm
hey mb, ty for reply!

Quote
For reporting about application categories, yes you can do it. I guess you've started using it.

Not yet. At least not as detailed as I would like (facebook, online shopping, ...)


Quote
As for the egress connections report does not show anything. Is it just a single report or all reports which shows egress connections (i.e. local assets, remote assets, egress conns by source ) do not show anything at all.

In fact, several do not work: Egress New Connections by App Over Time, Egress New Connections by Source Over Time, Egress New Connections Heatmap, Top Destination Locations Heatmap, Table of Apps (maybe this one is what I'm really looking for?), Table of Local Assets, Table of Remote Hosts
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on January 11, 2019, 02:59:16 pm
Good Morning, mb

Is it possible to incorporate an additional "TAP" for Hostname in your tab-bar? See picture attachment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on January 13, 2019, 10:25:38 pm
What are the plans between sensei and OPNsense? Will it be embedded in OPNsense or will it be available as a plugin at some point?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 14, 2019, 06:09:04 am
@hbc, @manjeet: thanks for your update. We're fine-tuning health check auto-bypass.

@cgwork, how about this: likewise destination hostnames, the default will be hostnames for source addresses, and when you move the mouse over the src hostname field, IP address is displayed as a tooltip. Adding another column would make the table more crowded. We'd like to use the space allowance for the new-coming "username" column.

@jinn, are you running Sensei on your LAN? Any chances that it might be on your WAN interface?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 14, 2019, 06:13:58 am
Quote
What are the plans between sensei and OPNsense? Will it be embedded in OPNsense or will it be available as a plugin at some point?

Hi @l0rdraiden,

It'll be a plugin.

Currently, we're working together to address some issues related to netmap (e.g. virtio). Once it's done, whole integration will be completed, and you'll be able to install it from OPNsense plugin manager.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on January 14, 2019, 07:17:53 pm
Quote
@cgwork, how about this: likewise destination hostnames, the default will be hostnames for source addresses, and when you move the mouse over the src hostname field, IP address is displayed as a tooltip. Adding another column would make the table more crowded. We'd like to use the space allowance for the new-coming "username" column.

That sounds even better, thank you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: 8ulletproof on January 15, 2019, 09:36:30 am
Hello there,
I recently registered for the beta program to obtain the required download link, but ssh is rejecting the provided download link after I log in to opnsense. The link is slightly different than in the tutorial.
Could you update the installer URL please? Many thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 15, 2019, 09:39:33 am
Quote
@jinn, are you running Sensei on your LAN? Any chances that it might be on your WAN interface?

it is currently on LAN. The WAN interface is not displayed to me under available interfaces.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 15, 2019, 02:45:44 pm
Hi @OPNsenseN00b,

The command to install Sensei is:

curl https://updates.sunnyvalley.io/getsensei | sh

I checked again. It should be the same in both the Users' guide (https://guide.sunnyvalley.io/sensei/getting-started/setup) and the website.

Can you copy/paste the error message you get when you run the command on the OPNsense console?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 15, 2019, 02:46:48 pm
Hi @jinn,

Got it. Will send you a few commands to diagnose the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: 8ulletproof on January 16, 2019, 02:04:57 pm
Hi mb,
Thanks for your response. This time the firewall comes with the message of not having enough memory (8GB required, I have only 4 GB). Yesterday it said something different. I'll come back to you when I can replicate the previous error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 17, 2019, 06:45:10 am
Quote
Hi mb,
Thanks for your response. This time the firewall comes with the message of not having enough memory (8GB required, I have only 4 GB). Yesterday it said something different. I'll come back to you when I can replicate the previous error.

8GB is currently required to run Sensei. It checks for that when you first initialize it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xames on January 17, 2019, 02:18:41 pm
ssl_error_syscall

I attach
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 17, 2019, 06:33:08 pm
Quote
ssl_error_syscall

I attach

Hi @xames,

Looks like everything is ok on the server side. Can you try with fetch:

# fetch https://updates.sunnyvalley.io/getsensei
# sh getsensei


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on January 27, 2019, 10:18:35 pm
Hi,

I have Sensei running on my OPNsense and I wondered why big part of the traffic did not show up and I see in the FAQ that IPv6 support is still work in progress.

Do you have an ETA for that feature already?

Thanks and looks great so far!

Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 28, 2019, 09:16:05 pm
Hi @Space,

Many thanks for trying Sensei. Yep, 0.7 is IPv4 only.

Good news is that IPv6 will be coming very shortly with 0.8. It's been under testing for the past months. Looks like it's good to go for a test ride by BETA users.

We'll ship 0.8-beta1 this week or early next week :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2019, 10:20:23 am
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 02, 2019, 10:27:54 am
Hi @Antaris,

Thanks for reporting this. Looking into it now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 02, 2019, 11:24:53 am
Quote
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520

Looks like there was a typo in that command. Correct command should be: (from https://forum.opnsense.org/index.php?topic=11400.msg51521#msg51521)

For OpenSSL:

# opnsense-update -fp -n "19.1\/latest"

Or LibreSSL:

# opnsense-update -fp -n "19.1\/libressl"



Just did an OPNsense 19.1 upgrade on two of our firewalls. Looked good. 

Anyone who had any other issues upgrading to 19.1 ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 04, 2019, 09:08:21 am
Quote
Anyone who had any other issues upgrading to 19.1 ?

Update did not work with sensei nor without. Update started and just installed two kernel/base files, then restarted with 18.7.10. Even when sensei was uninstalled, update did not work. I tried GUI and console.

So I saved config, installed 19.1 clean from image and restored backup and reinstalled sensei.

Now with 19.1, sensei finally works with tagged vlan interfaces  8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 06, 2019, 02:55:31 am
Hi @hbc,

Thanks for sharing your experience. We're looking into the upgrade problem to see if it's something related to the Sensei repository.

Glad to see that you're enjoying it now :)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 06, 2019, 02:23:14 pm
Yes, works pretty nice. Just the cloud nodes seem a bit flappy. Most time at least one is displayed down.

One hint:

Traffic to local squid proxy on port 3128 is categorized as "Generic TCPIP". I think it is intention that not labeled as 'Proxy' which would properly cause problems when blocking 'Proxy' category.

But maybe you can label it category 'Web Browsing', application 'Squid Proxy'
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2019, 02:43:32 am
Hi @hbc,

Thank you very much for the feedback. With regard to Cloud servers, we have a fix for that in 0.8.

Thanks for the suggestion. You're right, and suggestion sounds good ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2019, 05:48:33 pm
Dear Sensei users,

Regarding https://forum.opnsense.org/index.php?topic=11477.0;

To be able to utilize the new functionality that comes with the new netmap - enabled kernel, we'll need to ship Sensei 0.8-beta1 which will re-enable virtio interfaces.

Actual ETA was this week. Still working on a few issues reported. Stay tuned for updates. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 12, 2019, 10:28:26 am
Hi!

Quote
utilize the new functionality that comes with the new netmap - enabled kernel

One question. I had opnsense 19.1 (fresh install) active with shipped kernel and tagged vlans already worked in sensei (what they did not with 18.7). I assume the new c4ec367c3d9(master) kernel is just for virtio interfaces?
Well, I updated kernel and it still works.

Will there ever be the possibility to set different policies for different interfaces? I have interfaces where I would like to be more restrictive and just allow productive things and interfaces where social media, gaming, etc. would be ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 13, 2019, 02:38:07 am
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 13, 2019, 09:42:35 pm
Quote
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.

My advice is to consider exchange "Source Interface/Network Address/IP Address/VLAN/" for volume of users above 1000 or so... It's vital for usability and development at all IMHO.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 14, 2019, 03:22:24 am
@Antaris, Thanks for your input. We'll definitely make use of your feedback.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Kruemel on March 01, 2019, 11:39:29 am
Hi,

Greetings from Germany. :)
Great to see such a powerful addon for OPNsense. It was the reason to migrate my APU2C4 to VMware on HPE ProLiant Xeon CPU, to fulfill the Sensei requirements.

However, it's working great. But I miss a feature: If something is blocked, it's just not loading, right? But the user is not aware, if it's a not working webpage (or parts on it) or if it's blocked. It would be great, if Sensei delivers some kind of block page, something like "This page has been blocked - block category is xxx. Please contact abc@def.de for further information".

Did I miss something in the settings or is this feature currently missing?

Keep on the good work!
Cheers
Marco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 02, 2019, 02:38:46 pm
Hi Kruemel,

From Sunnyvale, California, greetings to you too :) Glad to hear that Sensei is of value to your OPNsense installation. Many thanks for sharing your experience.

We hope to bring some news with regard to less demanding hardware requirements. We're planning to employ an alternative less resource-intensive database engine for reporting.

Quote
But I miss a feature: If something is blocked, it's just not loading, right?

Yep. This is so because, your Sensei policy configuration hits a TLS SNI or application rule. TLS and some app detection jump into the scene way too early before the HTTP protocol starts being conversed back and forth between your browser and the server. 

So when we decide that we need to apply filtering, neither server nor client yet knows how to talk HTTP. They just know how to talk TCP. This is why we just do a TCP RST, and you see a blank page in your browser.

We'll have a feature called "delayed action" (requires TLS inspection) where we'll flag a particular connection as being blocked and will let them talk a little bit more so that they can handle a HTTP response. As soon as we get a HTTP request from the client, we'll send the landing page and just close the connection at that particular time.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: astoklas on March 03, 2019, 10:27:51 am
Hi,

I just installed Sensei on my OPNsense and I think it's working great.
I found in the dashboard an interesting "HotSpot" I'd like to investigate further. However, the "Top Destinations Locations Heatmap" does not allow for a Drill Down, nor is there a geo location filter available.

Can you please advise on how to investigate on such hotspots?
Is it possible to retrieve DNS/IP for a certain geo location hotspot?

Regards
Alexander
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 06:46:19 am
@astoklas,

Many thanks for the feedback. Currently, drill-down is not possible with the map. We'll take this as a feature request. Will get you updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 06:56:07 am
Dear Sensei users,

After several months of field testing, we are super happy to announce the availability of Sensei 0.8.0 Beta.

Release 0.8 introduces long awaited support for IPv6 and virtual ethernet adapters. Below is the full list of features that are coming along with this release (from 0.7.0)


For more information: https://www.sunnyvalley.io/blog/sensei-0-8-beta1-is-released

Currently we're shipping 0.8.0 beta1 from a separate package repository. So, if you are on 0.7, you'll not be able to see the software update as of now. When 0.8.0 rc1 is released, we'll move the packages to the main repository and you'll then be able to update to 0.8.0.

The reason behind this is that we want to allow 0.8.0 a bit more field testing before we make it an update for 0.7 stable users.

ETA for 0.8.0.rc1 is March 18, 2019.

If you don't want to wait and want to see 0.8 in effect now, just uninstall Sensei from the UI and use the following one-liner command to re-install:

# curl https://updates.sunnyvalley.io/getsensei8 | sh
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 04, 2019, 08:46:19 pm
Thanks, mb, and keep up with good work!

Does "VLAN child interfaces support *with OPNsense 19.1.x" mean that filtering on VLANs works without netmap kernel?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 09:15:24 pm
Hi @antaris,

Many thanks. You're correct. It looks like FreeBSD 11.2 default kernel had some fixes with regard to that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 06, 2019, 06:45:49 am
I'm having a problem where elasticsearch won't start after a reboot. I have to clear the settings completely and re setup sensei to get elasticsearch to start.

Just seeing the below in the general log.

Code:
root: /usr/local/etc/rc.d/elasticsearch: WARNING: failed to start elasticsearch

This is in the backend log and it keeps adding to it.

Code:
Mar 5 21:44:55 configd.py: [7d62e2b1-bcce-48d3-a80b-4b665aed6cb4] read sensei stats
Mar 5 21:44:54 configd.py: [a4351d00-f929-466b-a18d-1752f72e0a8c] read sensei stats
Mar 5 21:44:53 configd.py: [40ea2e8d-6574-4662-a135-a4c817bf7f0c] read sensei stats
Mar 5 21:44:52 configd.py: [86399ab0-e991-4493-b62f-d6a2b29d88b3] read sensei stats
Mar 5 21:44:51 configd.py: [b8bfc148-83a2-407f-91d3-7091c77b7832] read sensei stats
Mar 5 21:44:50 configd.py: [baf1dddc-39c6-49e4-aad3-f6d87d29a0da] read sensei stats
Mar 5 21:44:49 configd.py: [f08d4d14-f236-4d25-8011-8b25a848eeec] read sensei stats
Mar 5 21:44:48 configd.py: [571d2e9b-d0cb-402c-b5ac-8bf7ff72d811] read sensei stats
Mar 5 21:44:47 configd.py: [e77883ce-8f8b-4a2b-aebb-7c4125ed7e17] read sensei stats
Mar 5 21:44:46 configd.py: [18dd5adf-9437-4e15-90ba-1ee6e08c4bff] read sensei stats
Mar 5 21:44:45 configd.py: [105c9ddc-960b-4bff-98fa-3e202c9ac49e] read sensei stats
Mar 5 21:44:44 configd.py: [87cb6f2f-e3ca-42b0-8040-4cfacd647de8] read sensei stats
Mar 5 21:44:43 configd.py: [4228579b-7e43-4138-8ea8-414fc9ec1c1a] read sensei stats
Mar 5 21:44:42 configd.py: [a755740c-45d8-438c-99e4-a232bd02c661] read sensei stats
Mar 5 21:44:41 configd.py: [024f64e4-2fa6-4558-8482-d8330cbc7742] read sensei stats
Mar 5 21:44:40 configd.py: [327c339b-b0b2-484c-92f9-3c9e9364820e] read sensei stats
Mar 5 21:44:39 configd.py: [396bb45c-c1f1-4728-91d0-e33bbcaea1f5] read sensei stats
Mar 5 21:44:38 configd.py: [d6b674d1-dd2f-494b-927d-ad55791063e4] read sensei stats
Mar 5 21:44:37 configd.py: [40338097-db55-4b60-b45f-877a1ae76b7c] read sensei stats
Mar 5 21:44:36 configd.py: [304857d4-7d26-45aa-ae75-6c520958fba9] read sensei stats
Mar 5 21:44:35 configd.py: [13675e7f-5dc6-4457-b5c9-c4b4c21e8a58] read sensei stats
Mar 5 21:44:34 configd.py: [4f0f6ae9-f39f-48ae-a799-876c86cb3164] read sensei stats
Mar 5 21:44:33 configd.py: [f4a1bb7f-8d12-47bd-b7d3-403d159450b4] read sensei stats
Mar 5 21:44:32 configd.py: [9c67445c-4ffe-444e-ba3c-a5f444ffbf21] read sensei stats
Mar 5 21:44:31 configd.py: [1cfc4b5a-c263-4240-b627-938197d72afe] read sensei stats
Mar 5 21:44:30 configd.py: [adbefd78-9c10-45e9-9cad-8d6495388773] read sensei stats
Mar 5 21:44:29 configd.py: [ad4176d3-1c8a-4890-a90c-c9b734979673] read sensei stats
Mar 5 21:44:28 configd.py: [22ff41e4-fc8f-4ba7-9f27-63d6c2b23b7e] read sensei stats
Mar 5 21:44:27 configd.py: [1fe553d1-06c5-4db6-b950-7a71e5af7bd4] read sensei stats
Mar 5 21:44:26 configd.py: [c3252f98-b238-448a-af02-d311a6f75e49] read sensei stats
Mar 5 21:44:25 configd.py: [09153632-0bff-46ad-ad98-c45319cd5ff8] read sensei stats
Mar 5 21:44:24 configd.py: [0bbec0b1-6e86-4930-a57c-f57be9e83008] read sensei stats
Mar 5 21:44:23 configd.py: [dcf30e51-763b-4df9-9f53-239615912384] read sensei stats
Mar 5 21:44:22 configd.py: [49c214e7-9b60-44c8-9ded-b22ac257f02c] read sensei stats
Mar 5 21:44:21 configd.py: [463b3e7f-c8d6-48ae-8064-08a414fa7e5d] read sensei stats
Mar 5 21:44:20 configd.py: [6ead17e8-53b9-48aa-a6b7-a644d5f170d2] read sensei stats
Mar 5 21:44:19 configd.py: [12378048-9b6d-4c5c-852d-6575fab78706] read sensei stats
Mar 5 21:44:18 configd.py: [bc415b0c-fe6c-404e-a5fb-a99e6b2646bc] read sensei stats
Mar 5 21:44:17 configd.py: [2b46da7d-1325-4e1c-aba0-20bc12e7e4b3] read sensei stats
Mar 5 21:44:16 configd.py: [720bebee-2387-4735-b794-085b94f5b505] read sensei stats
Mar 5 21:44:15 configd.py: [829b4c54-6629-4ae1-81fc-5a3255ba1c91] read sensei stats

I attached the elasticsearch log. This only happens after a reboot with Sensei .8 beta 1 installed.

Here is the error I get when I start elasticsearch from the shell

Code:
root@OPNsense:~ # service elasticsearch start
Starting elasticsearch.
Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME
/usr/local/etc/rc.d/elasticsearch: WARNING: failed to start elasticsearch


Looks like the java env variable isn't being saved in the elasticsearch file or getting overwritten on a startup.

I ran this part of the sensei-init.sh script manually and elasticsearch started with no error now.

Code:
echo -n "Setting up elasticsearch..."
mkdir -p /usr/local/lib/elasticsearch/plugins
chmod -R 755 /usr/local/lib/elasticsearch/plugins
sysrc elasticsearch_login_class="root" >/dev/null 2>&1
sed -i '' -E '/auto_create_index/d' /usr/local/etc/elasticsearch/elasticsearch.yml
echo "action.auto_create_index: false" >> /usr/local/etc/elasticsearch/elasticsearch.yml
/usr/bin/sed -i '' 's/opt\/eastpect\/run\/elasticsearch/var\/run\/elasticsearch/g' /usr/local/etc/rc.d/elasticsearch
/usr/bin/sed -i '' 's/Xms512m/Xms2g/g' /usr/local/etc/elasticsearch/jvm.options
/usr/bin/sed -i '' 's/Xmx512m/Xmx2g/g' /usr/local/etc/elasticsearch/jvm.options
echo 'elasticsearch_enable="YES"' > /etc/rc.conf.d/elasticsearch
echo 'elasticsearch_env="JAVA_HOME=/usr/local/openjdk8"' >> /etc/rc.conf.d/elasticsearch
echo "done"

I'm fairly certain it's the second to last line that's fixing elasticsearch. Just why that isn't surviving past a reboot is beyond my skill set with this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 06, 2019, 02:09:11 pm
donatom, thanks for the detailed report.

You are right, it's:

echo 'elasticsearch_env="JAVA_HOME=/usr/local/openjdk8"' >> /etc/rc.conf.d/elasticsearch

that's fixing it. The JAVA_HOME variable should be set to the openjdk8 directory.

We're having a look at why it is not persisting.
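
A check for the situation described in the two posts above, added here as an example and not taken from sensei-init.sh or any other Sensei code: it reads the last `elasticsearch_env` assignment in the rc.conf.d file and confirms that the `JAVA_HOME` it names contains an executable `bin/java`. The function name and return codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of sensei-init.sh). The function name and the
# return codes are assumptions made for this illustration.

# check_es_java_env FILE
#   0  elasticsearch_env sets JAVA_HOME and $JAVA_HOME/bin/java is executable
#   1  FILE does not exist
#   2  FILE has no elasticsearch_env assignment carrying JAVA_HOME
#   3  JAVA_HOME is set, but bin/java under it is missing or not executable
check_es_java_env() {
    conf=$1
    [ -f "$conf" ] || return 1

    # rc.conf.d files are sourced as shell, so the last assignment wins.
    last=$(grep -E '^[[:space:]]*elasticsearch_env=' "$conf" | tail -n 1)
    case $last in
        *JAVA_HOME=*) ;;
        *) return 2 ;;
    esac

    java_home=${last#*JAVA_HOME=}   # drop everything up to the value
    java_home=${java_home%%\"*}     # cut at a closing double quote
    java_home=${java_home%%\'*}     # ... or a closing single quote
    java_home=${java_home%% *}      # ... or the next variable in the list

    [ -x "$java_home/bin/java" ] || return 3
    return 0
}

# On the firewall: sh this_script.sh /etc/rc.conf.d/elasticsearch
if [ "${1:-}" ]; then
    rc=0
    check_es_java_env "$1" || rc=$?
    echo "check_es_java_env $1 -> $rc"
fi
```

Return code 2 after a reboot, on a box where the file was correct before, matches the symptom reported here: the file was rewritten without the `elasticsearch_env` line.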
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 06, 2019, 03:57:19 pm
Mb,

Beyond the elasticsearch issue everything else is working so far. IPv6 is definitely working and blocking categories.
With .7 my ram usage would hover around 4.8gb. With .8 it started around 4.8 but when I went in this morning dropped down to 2.7gb. The only time ram dropped on .7 was when elasticsearch had crashed.

I don’t know if it’s from enabling ipv6 again on my lan or something with .8 but web pages are loading quicker by a noticeable margin as well. I did also turn on cloud threat intel so it could be that too.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 07, 2019, 02:28:48 am
Hi donatom3,

Many thanks for the detailed feedback. Very good to see 0.8 with IPv6 is running well.

We've fixed a bug with regard to the Elasticsearch rc script. Our configuration manager was overriding it under a condition. Now elasticsearch starts on boot with no problem.

Wait for 0.8.0.beta2 update. It should be arriving momentarily.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cfsl1994 on March 09, 2019, 02:27:36 am

Good day to all  :),

Recently I'm trying out the sensei package at OPNsense and I thought it was very good, it left me surprised. My questions are:

I would like to know if the premium subscription option is available?

How can I apply filtering for certain IPs?

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 09, 2019, 02:46:22 am
Hi cfsl1994,

Many thanks for sharing your feedback. Great to see that Sensei is up to your expectations.

Yep, premium subscription will be available and will come with source IP/network based filtering. You'll be able to create custom policies and apply them to different user groups.

We expect to have Sensei 1.0 in early April and will start offering Premium subscription beginning early May.

Beginning with the 1.0 version, Sensei will be directly installable from the OPNsense plugin manager.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on March 09, 2019, 10:10:53 am
Quote
Hi cfsl1994,

Many thanks for sharing your feedback. Great to see that Sensei is up to your expectations.

Yep, premium subscription will be available and will come with source IP/network based filtering. You'll be able to create custom policies and apply them to different user groups.

We expect to have Sensei 1.0 in early April and will start offering Premium subscription beginning early May.

Beginning with the 1.0 version, Sensei will be directly installable from the OPNsense plugin manager.

I would wish for a function to be incorporated that may have fewer features, but works better, or works at all, on low-end CPUs.
Because in order to really use sensei you need a cpu that consumes a lot of electricity and therefore generates a lot of costs for the private user.
I would be very happy about such a feature and certainly others as well.

Thanks for the great product! Regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 09, 2019, 02:22:25 pm
Hi rené,

Many thanks for sharing your suggestion.

I'm happy to tell you that we have two ongoing projects, which involve:

1. To make Sensei run on very low end devices, which have weak CPU and memory under 1GB. 
2. To make Sensei run on very large deployments e.g. sites with thousands of users.

For the former, the hurdle is the backend database. Although it's very efficient for medium to large settings, Elasticsearch is heavy for small deployments. It simply does not successfully run under 4GB memory. We're currently evaluating and testing several other databases which will do the job for small settings.

Expect to hear more on this late fall this year.

With regard to the latter, also this year, we'll announce a solution which will be able to handle many thousand concurrent users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on March 09, 2019, 04:03:52 pm
Quote
Hi rené,

Many thanks for sharing your suggestion.

I'm happy to tell you that we have two ongoing projects, which involve:

1. To make Sensei run on very low end devices, which have weak CPU and memory under 1GB. 
2. To make Sensei run on very large deployments e.g. sites with thousands of users.

For the former, the hurdle is the backend database. Although it's very efficient for medium to large settings, Elasticsearch is heavy for small deployments. It simply does not successfully run under 4GB memory. We're currently evaluating and testing several other databases which will do the job for small settings.

Expect to hear more on this late fall this year.

With regard to the latter, also this year, we'll announce a solution which will be able to handle many thousand concurrent users.

If you really want to do that and really do it, some users would be very grateful to you. Me too of course! ;-)

How can I or how can others keep an eye on the development of this feature?
Is there a kind of roadmap or something similar?

Greetings René
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 10, 2019, 12:27:05 am
Quote
if you really want to do that and really do it, some users would be very grateful to you. Me too of course! ;-)

How can I or how can others keep an eye on the development of this feature?
Is there a kind of roadmap or something similar?

Hi René,

We will do it :) You're all welcome.

To keep up with the development, roadmap etc., the best way is to keep following this forum thread and also the company web site and Twitter account:

https://twitter.com/sunnyvalley

Beginning April, we'll share more information about the upcoming feature set and more about the technology.

For now, I can tell that the technology at the heart of Sensei is a powerful packet analysis engine which is aimed at providing contextual network visibility, protection at all ports for all devices and also protection against encrypted threats which are gaining momentum.

Utilizing this core tech, our mission is to provide enterprise grade cyber protection for everyone, be it a household, a small business or an enterprise with thousands of users.

From this perspective, making Sensei run at any scale is our priority.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 10, 2019, 05:20:55 am
And you start working on getting it to run on lower end machines after I order the new Qotom case with 6 built-in Intel NICs and an LGA 1151 slot for 6th or 7th gen Core desktop processors.

It's the Qotom Q600G6 for anyone interested.
https://www.aliexpress.com/item/Qotom-DIY-Powerful-Firewall-Router-Appliance-Q600G6-Barebone-System-Support-6th-7th-Gen-Processor-DDR4-RAM/32967092263.html?spm=a2g0s.9042311.0.0.154d4c4d2CNERH
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on March 16, 2019, 01:44:03 pm
Hi, I cannot open a report in either Dashboard or Reports; it gives me the error "An error occurred while report is being loaded!".

In view error message it says:
{
  "error": {
    "root_cause": [],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": []
  },
  "status": 503
}

Both "Sensei Packet Engine" and "Elasticsearch" are running. I have restarted the system and error is still there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 16, 2019, 04:41:36 pm
Hi manjeet,

Thanks for reporting this. Are you on 0.7?

We've got two more reports for the same problem and are currently investigating it.

We'd like to dig deeper. Can you share your relevant elasticsearch.log ( located at /var/log/elasticsearch/ ) through sensei - at - sunnyvalley.io ?

As a workaround, you can run these two commands to reset the indexes (beware: this will erase your reporting history):

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py

Let us know if this does not fix the problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ltb76 on March 17, 2019, 04:41:31 pm
Hi,

I'm new to OPNsense and Sensei, testing it to replace my soon expiring PaloAlto home firewall.

Just did a default install and it seems to be working well (I see several blocked ad sites under "Blocked Sites Explorer").
I might be missing something though. I tried adding "Bing" under "App Controls" - however I can still access bing.com. (I then tried adding Facebook - and that blocks Facebook). Might the "Bing" app be broken or am I missing something?

Another question, I looked in the manual but did not find the answer. Initially I added all my interfaces (WAN, LAN, LAN2 and DMZ) under "Protected Interfaces". Doing that seems to block DNS.
With the WAN interface protected, DNS traffic seems to be blocked with "Network Management category is administratively restricted" - even if it does not appear to be blocked under "App Controls". Should I only add "LAN" interfaces to "protected"?

Is there a way to "not protect" an IP on a protected interface? Let's assume I have a device / client on the LAN interface that I for some reason want to bypass all checks - is that possible?

I'm running
Sensei: 0.8.0.beta4
OPNsense: 19.1.4
Running on top of VMware, 4 vCPU (D1540), 12GB RAM, vmxnet3 NICs
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on March 17, 2019, 05:58:19 pm
Quote
Should I only add "LAN" interfaces to "protected"?
AFAIK Sunnyvalley recommends not to block WAN and use suricata for this instead.

Quote
Is there a way to "not protect" an IP on a protected interface?
Not in the free version. That is a feature of the premium edition.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on March 19, 2019, 09:08:30 am
Thanks @MB. This fixed the issue.

I am currently running 0.7 & I am sending you the email for logs and screen shot error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 19, 2019, 09:35:04 pm
I have a question about the VLAN feature.
I use some VLAN on OPNSense and added all my interfaces to the "protected interfaces".
After that all connected VMs inside the VLANs are offline and unable to access the OPNsense (which means they are offline for all networks).

If I remove the "LAN" interface from the "protected interfaces", which is my physical interface,
the access from the VMs inside the VLANs is OK again.
I have clients connected to "LAN" as well and would like to protect them, too.

Here is an overview:

LAN (em0) is my physical device and all VLAN are added to this interface:

Code:
10_DMZ (em0_vlan10) -> v4: 172.16.10.254/24
                    v6/t6: 2003:f2:63c9:63e1:4c1f:32ff:fe6d:4ae/64
 20_VPN (em0_vlan20) -> v4: 172.16.20.254/24
 30_Pentest (em0_vlan30) -> v4: 172.16.30.254/24
                    v6/t6: 2003:f2:63c9:63e3:4c1f:32ff:fe6d:4ae/64
 40_WifiGuest (em0_vlan40) -> v4: 172.16.40.254/24
                    v6/t6: 2003:f2:63c9:63e4:4c1f:32ff:fe6d:4ae/64
 50_IoT (em0_vlan50) -> v4: 172.16.50.254/24
                    v6/t6: 2003:f2:63c9:63e5:4c1f:32ff:fe6d:4ae/64
 60_Dev (em0_vlan60) -> v4: 172.16.60.254/24
                    v6/t6: 2003:f2:63c9:63e6:4c1f:32ff:fe6d:4ae/64
 70_WiFi (em0_vlan70) -> v4: 172.16.70.254/24
                    v6/t6: 2003:f2:63c9:63e7:4c1f:32ff:fe6d:4ae/64
 80_Server (em0_vlan80) -> v4: 172.16.80.254/24
                    v6/t6: 2003:f2:63c9:63e8:4c1f:32ff:fe6d:4ae/64
 90_Clients (em0_vlan90) -> v4: 172.16.90.254/24
                    v6/t6: 2003:f2:63c9:63e9:4c1f:32ff:fe6d:4ae/64
 LAN (em0)       -> v4: 172.16.17.254/24
                    v6/t6: 2003:f2:63c9:63e0:4c1f:32ff:fe6d:4ae/64
 PIA_VPN (ovpnc1) -> v4: 10.56.10.6/32
 WAN (igb0)      -> v4: 192.168.217.2/24
                    v6/DHCP6: 2003:f2:63c9:6300:6eb3:11ff:fe1b:aedf/64


I'm on Sensei 0.8.0.beta4 and OPNsense 19.4.1

Do you need any more information?
Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 19, 2019, 09:41:29 pm
Hi BeNe,

We're aware of this issue. There's another Sensei deployment with exactly the same setup as yours, experiencing the same problem.

Looks like something weird with em-vlan-netmap trio. We're on this. Will update the thread when it's done.

One question: are you fine when you remove the trunk interface and just protect vlan child interfaces?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 19, 2019, 10:21:31 pm
Hi mb,

thanks for that fast information.

Yes, if I remove the trunk interface (LAN em0 in my case) from the protected interfaces list, the machines inside the VLANs are reachable again.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 20, 2019, 06:12:34 pm
Hi Bene,

All welcome. Thanks for the information. Can I ask a favor? Can you try the new netmap kernel to see if your current setup works? (child interfaces protected, trunk not protected).

Here's how to do it:

https://forum.opnsense.org/index.php?topic=11477.msg55261#msg55261


Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 20, 2019, 08:09:48 pm
Hello Murat,

Of course  ;) But the problem is still the same. I installed the new kernel:
Code:
# uname -a
FreeBSD surtur.my-network.de 11.2-RELEASE-p9-HBSD FreeBSD 11.2-RELEASE-p9-HBSD  4ea457eb7b8(master)  amd64

If I add "LAN (em0)" to the protected interfaces, the VLANs are offline.
So revert back to the stock kernel. Added a screenshot from my OPNsense Console after adding the interface.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2019, 08:57:19 pm
Hi Bene,

Messages in the screenshot are ok: netmap telling you it was able to open the ethernet port.

I can confirm that there's something weird with the trunk interface when we bridge hw <-> sw rings. After a while packet transmission stalls for the child interfaces:

Code:
658.955704 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048
683.531482 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048

Looking into that.

For now our advice is - if you're using VLANs -:


Our plan is to be able to process the trunk interface directly and for all VLANs and you'll not need to separately select child interfaces. Will get you updated on this.

For now, if you can carve out the untagged traffic from the trunk port, you're ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 23, 2019, 01:05:46 am
Dear Sensei users,

An update on broken Elasticsearch indices:

After digging together with users who have reported the issue, it looks like the indices were broken because some index file integrity got broken.

This is usually because of abrupt shutdown of the firewall. If power goes off suddenly, before Elastic does a full write of its in-memory buffers, then we have a broken index.

So, not to experience this issue try to turn off your system gracefully.

If in any case this happens, Sensei 0.8.0.beta6 has a "Fix Elastic indices" button under Sensei -> Configuration -> Reporting & Data menu. Just click on the button and Sensei will reset only the broken indices.

0.8.0.beta6 is available for update for 0.8 users.

0.8 looks stable enough to offer as an update for existing 0.7 installations. If we do not see any outstanding issues, we'll move 0.8 to the general repo in a few days.
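
To see which indices are actually broken before resetting anything, the shard listing can be filtered for primary shards that failed to start. This is an added example, not the logic behind the "Fix Elastic indices" button or the scripts named earlier in the thread; it assumes Elasticsearch answers on its default 127.0.0.1:9200, the function names are made up for the example, and the index names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not Sensei code. Function names are assumptions.

# fetch_shards: one line per shard copy from the local node.
# Columns requested: index shard prirep state unassigned.reason
fetch_shards() {
    curl -s 'http://127.0.0.1:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason'
}

# broken_indices: read that listing on stdin and print
#   <index> <primaries-not-started> <reason or "-">
# for every index with at least one primary shard that is not STARTED.
# Replica copies (prirep "r") are ignored: a single node cannot hold the
# replica of its own primary, so those stay UNASSIGNED and only turn the
# index yellow. A primary that is not STARTED is what makes searches fail.
# Run it once the node has finished starting, otherwise primaries that are
# still INITIALIZING are listed too (with "-" as reason).
broken_indices() {
    awk '
        $3 == "p" && $4 != "STARTED" {
            bad[$1]++
            if ($5 != "") reason[$1] = $5
        }
        END {
            for (i in bad)
                printf "%s %d %s\n", i, bad[i], ((i in reason) ? reason[i] : "-")
        }
    ' | sort
}

# Constructed sample listing (index names are invented).
sample_shards() {
    cat <<'EOF'
conn_example-000001 0 p STARTED
conn_example-000001 0 r UNASSIGNED CLUSTER_RECOVERED
http_example-000001 0 p UNASSIGNED ALLOCATION_FAILED
http_example-000001 1 p UNASSIGNED ALLOCATION_FAILED
http_example-000001 0 r UNASSIGNED CLUSTER_RECOVERED
dns_example-000001 0 p STARTED
EOF
}

# Demo on the constructed sample; on a firewall: fetch_shards | broken_indices
sample_shards | broken_indices
```

An empty result while reports still fail points away from shard allocation and towards the logs under /var/log/elasticsearch/.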
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 23, 2019, 02:21:56 am
MB,

I'm using dhcpv6 with track interface. Anytime Sensei starts after a reboot or an upgrade my ipv6 stops working until I do a release and renew of the entire WAN interface. It just did it to me again on the beta 6 upgrade.


Code:
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: updatedns() starting
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv4 default route
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt4'
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: On (IP address: X.X.X.X) (interface: XXXXX[opt4]) (real interface: ovpnc2).
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpnc2'
Mar 22 18:13:25 kernel: ovpnc2: link state changed to UP
Mar 22 18:13:24 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: (Success) X.X.X updated to X.X.X.X
Mar 22 18:13:24 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: updating cache file /var/cache/dyndns_wan_X.X.X_0.cache: X.X.X.X
Mar 22 18:13:21 kernel: ovpnc2: link state changed to DOWN
Mar 22 18:13:21 opnsense: /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface WAN.

Code:
Mar 22 18:15:55 dhcp6c: dhcp6c REQUEST on igb0 - running newipv6
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:36:1de7:22c5:7284:90a5/128 on igb0
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a900:4262:31ff:fe00:7873/64 on igb1
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a9ec:4262:31ff:fe00:7874/64 on igb2_vlan55
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a9ef:4262:31ff:fe00:7874/64 on igb2_vlan200
Mar 22 18:15:55 dhcp6c[89888]: Received REPLY for REQUEST
Mar 22 18:15:55 dhcp6c[89888]: Sending Request
Mar 22 18:15:55 dhcp6c[89888]: Sending Solicit
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv4 default route
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: no IPv6 default gateway set, assuming wan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'lan'
Mar 22 18:15:54 dhcp6c[89888]: failed to remove an address on igb1: Can't assign requested address
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:a9ec:X:31ff:fe00:7874/64 on igb2_vlan55
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:a9ef:X:31ff:fe00:7874/64 on igb2_vlan200
Mar 22 18:15:54 dhcp6c[89888]: Sending Release
Mar 22 18:15:54 dhcp6c[89888]: Start address release
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:X:1de7:22c5:7284:90a5/128 on igb0
Mar 22 18:15:54 dhcp6c[89888]: Sending Release
Mar 22 18:15:54 dhcp6c[89888]: Start address release
Mar 22 18:15:54 dhcp6c[89888]: restarting
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Mar 22 18:15:54 kernel: igb1: link state changed to UP
Mar 22 18:15:50 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Mar 22 18:15:50 eastpect[42809]: nm2::igb1^: permanently promiscuous mode enabled
Mar 22 18:15:50 eastpect[42809]: nm1::igb1:1: permanently promiscuous mode enabled
Mar 22 18:15:50 kernel: 750.076995 [2219] netmap_ioctl got 10000 extra buffers
Mar 22 18:15:50 kernel: 750.069849 [ 736] netmap_extra_alloc allocate buffer 24583 -> 24582
Mar 22 18:15:50 kernel: 750.062915 [ 736] netmap_extra_alloc allocate buffer 24582 -> 24581
Mar 22 18:15:50 kernel: 750.055985 [ 736] netmap_extra_alloc allocate buffer 24581 -> 24580
Mar 22 18:15:50 eastpect[42809]: nm0::igb1:0: permanently promiscuous mode enabled
Mar 22 18:15:50 kernel: 750.049074 [ 736] netmap_extra_alloc allocate buffer 24580 -> 24579
Mar 22 18:15:50 kernel: 750.042410 [ 736] netmap_extra_alloc allocate buffer 24579 -> 0
Mar 22 18:15:50 sshlockout[10974]: sshlockout/webConfigurator v3.0 starting up
Mar 22 18:15:50 kernel: 750.035617 [2216] netmap_ioctl requested 10000 extra buffers
Mar 22 18:15:50 kernel: igb1: link state changed to DOWN
Mar 22 18:14:06 dhcp6c[89888]: no responses were received
Mar 22 18:14:06 dhcp6c[89888]: no responses were received
Mar 22 18:14:04 dhcp6c[89888]: no responses were received
Mar 22 18:14:03 dhcp6c[89888]: no responses were received
Mar 22 18:13:49 dhcp6c[89888]: Sending Release
Mar 22 18:13:49 dhcp6c[89888]: Sending Release
Mar 22 18:13:48 dhcp6c[89888]: Sending Release
Mar 22 18:13:48 dhcp6c[89888]: Sending Release
Mar 22 18:13:41 dhcp6c[89888]: Sending Release
Mar 22 18:13:41 dhcp6c[89888]: Sending Release
Mar 22 18:13:40 dhcp6c[89888]: Sending Release
Mar 22 18:13:40 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 23, 2019, 05:12:06 am
Hi donatom3,

Thanks for reporting this. Having a look now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 24, 2019, 01:23:42 am
MB,

Another issue I've been having is the pan interface randomly disconnecting completely and I have to reboot to ping the interface again.

This is something that started since opnsense 19.1 for me. It happened on sensei 7.0 as well.

It happened on my old hardware and new. Both bare metal installs with Intel nics using the igb drivers. I can't find anything meaningful in the logs.

I'm using the stock kernel now. Not sure if the test kernel will help with this lockup of the interface.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 24, 2019, 04:39:02 pm
Hi donatom3,

Thanks for reporting the issue in detail. I'll reach out to you to investigate further together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: astoklas on March 25, 2019, 04:48:53 pm
Quote
Dear Sensei users,

An update on broken Elasticsearch indices:

After digging together with users who have reported the issue, it looks like the indices were broken because some index file integrity got broken.

This is usually because of abrupt shutdown of the firewall. If power goes off suddenly, before Elastic does a full write of its in-memory buffers, then we have a broken index.

So, not to experience this issue try to turn off your system gracefully.

If in any case this happens, Sensei 0.8.0.beta6 has a "Fix Elastic indices" button under Sensei -> Configuration -> Reporting & Data menu. Just click on the button and Sensei will reset only the broken indices.

0.8.0.beta6 is available for update for 0.8 users.

0.8 looks stable enough to offer as an update for existing 0.7 installations. If we do not see any outstanding issues, we'll move 0.8 to the general repo in a few days.

I just had a power outage on my opnsense, after the reboot the reports could not be displayed. The "Fix Indices" shows all good, but the report still does not show up. I still have the system in a "broken" state if you want to investigate further...

OpnSense 19.1.4
Sensei 0.8beta6
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 25, 2019, 05:07:08 pm
astoklas,

Thanks for the report. Reaching out to you now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 26, 2019, 05:04:01 pm
Hello Murat,

is there an option to sync/export the collected data to another ELK Stack ?

Background:
I'm already running an ELK Stack in my network and I want to add the Sensei data to it, too.
Sensei has much more information than the default syslog infos from OPNSense.

Benefit:
- long time archive
- own correlation searches with other logs from the network/apps/devices
- build own dashboards and searches
- faster results than on the firewall itself

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 27, 2019, 09:53:49 pm
Hi!

I use Sensei on a couple of OPNsense systems. It works well so far.
I was wondering, is there any way to run it on a low-memory board?
I have a pcengine APU2 board with 2GB memory, but I have a fast V-NAND mSATA SSD.
I set up an 8GB swap file on the OPNsense, so I have 2GB physical and 8GB swap. The access speed does not differ much since the SSD is very fast.
I removed the memory checking row from the installation script, so Sensei installed successfully.
I can configure it too; it warns me the physical RAM is low, but I can continue.
However, when I try to start the engine it says: Sensei detected swap usage is too high
And it stops. Yes, I know the swap usage is high, but I don't think it can cause any issue since I use the fast SSD. Is there any way to override this? Let Sensei use the swap file, I take the risk.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 28, 2019, 07:22:20 am
SunnyValley is evaluating lightweight backend database engines to provide a lighter version for home users with low-spec hardware. When they are ready, there will be no need for such swap tricks...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 29, 2019, 02:12:04 am
Hello Murat,

is there an option to sync/export the collected data to another ELK Stack ?

Background:
I'm already running an ELK Stack in my network and I want to add the Sensei data to it, too.
Sensei has much more information than the default syslog infos from OPNSense.


Hi BeNe,

Many thanks for your suggestion. This feature - along with syslog and netflow streaming - is in the roadmap.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 29, 2019, 02:23:18 am
SunnyValley is evaluating lightweight backend database engines to provide a lighter version for home users with low-spec hardware. When they are ready, there will be no need for such swap tricks...

Hi Archanfel80,

As Antaris recommends, you might think of waiting for the alternative db backend work.

Sensei uses in-memory caching, so I would worry that swap usage might degrade your system performance badly -- even if you are using SSD.

Still, if you want to go for it, Disable Health Check from Sensei: Configuration: Updates & Support, and you're all set.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 29, 2019, 05:35:52 pm
Thank You!
Both of you :)
I'll probably wait for the light version, but I'll give the SSD swap a try just for testing. It's a low-bandwidth system with just a few users, so it might be no problem. If it is, we'll know it's no good :)
Regards, Peter
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mdurkin on March 30, 2019, 09:05:01 am
Anyone having problems blocking YouTube using 0.8.0.beta7? I used app control but it has no effect. Other controls seem to work fine. It's a shame, as the reason I installed it was to try this out!
Anyone else tried blocking YouTube?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on March 30, 2019, 12:32:18 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 31, 2019, 11:10:35 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4, which has 4GB RAM, it is enough to use the default 2GB swap file. Just enable it in system-miscellaneous.
Make sure you have limited Sensei to 100 users maximum, and you'll have no problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on April 01, 2019, 12:16:16 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4, which has 4GB RAM, it is enough to use the default 2GB swap file. Just enable it in system-miscellaneous.
Make sure you have limited Sensei to 100 users maximum, and you'll have no problem.

Thank you so much! Will try in the afternoon!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on April 01, 2019, 06:23:07 pm
In version 0.8 beta 7 on the netmap kernel I experience a tremendous slowdown in DNS resolving and packet loss to internet resources.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ict-guy on April 02, 2019, 11:05:24 am
I have had the same problem for over a week now. At the moment I'm using Sensei in xlarge mode and have set the DHCP lease time to 8 hours default and 10 hours max.

This seems to help stabilize the occurrences.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on April 03, 2019, 07:55:42 pm
What on earth does DHCP lease time have in common with packet loss?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SchylgeICT on April 03, 2019, 09:03:14 pm
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 03, 2019, 09:08:10 pm
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.

I can confirm that: cloud threat intel causes a noticeable delay in the DNS query. It seems the cloud servers are not stable enough, since I see packet loss. As a workaround, use the OPNsense built-in intrusion detection with ET Pro telemetry (can be installed as a plugin). It's free if you let your firewall send anonymous statistics (why not?).
Other than that sensei is an amazing product!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 12:10:02 am
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.

I can confirm that: cloud threat intel causes a noticeable delay in the DNS query. It seems the cloud servers are not stable enough, since I see packet loss. As a workaround, use the OPNsense built-in intrusion detection with ET Pro telemetry (can be installed as a plugin). It's free if you let your firewall send anonymous statistics (why not?).
Other than that sensei is an amazing product!

I can confirm too ;) We'll be shipping 0.8.0.beta8 tomorrow. It has several fixes which we expect to address this issue.

Plus, it has tagged (trunk) vlan interface support :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 12:12:46 am
Anyone having problems blocking YouTube using 0.8.0.beta7? I used app control but it has no effect. Other controls seem to work fine. It's a shame as its the reason I installed was to try this out!
Anyone else tried blocking YouTube?

Hi mdurkin,

Many thanks for reporting this. I checked with several deployments now. It looks like it's blocking. Let me contact you, there might be something in your environment which might trigger this.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on April 04, 2019, 04:00:20 am
Hello! 4 of my graphs are suddenly showing nothing. "Egress New Connections by App Over Time" and "Egress New Connections by Source Over Time" say "No Egress New Connection." "New Connections & Unique Remote Hosts" says "No New Connection & Unique Remote Host" and "Unique Local Hosts over Time" says "No Local Host." I just updated to 0.8.0.beta7 as well as stopping and starting the Sensei Packet Engine and Elasticsearch services. Any thoughts on what might have gone wrong or how to fix it?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 07:02:19 am
Hi OPNsense4ever,

Many thanks for trying Sensei & reporting the issue.

We changed a field type in Elasticsearch. New query format is not compatible with the data type in old indexes. This is why you cannot see any data with those "histogram"s.

When you have some activity over time, they'll get back to normal, at most in a couple of days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 05, 2019, 02:57:41 pm
Dear Sensei users,

We've shipped 0.8.0.beta8 yesterday. This update brings vlan tagged interface support and fixes several issues with beta7. All beta7 users are encouraged to update to beta8.

With regard to Cloud infrastructure, we decided to take following steps to improve the availability:

1. Independent cloud queries:

Currently we're utilizing DNS infrastructure to communicate with our Cloud backend systems. Since we're redirecting dns traffic, this means for the cloud systems, we have to also act like a DNS recursive server. On the recursion side, since this is not within the scope of Sensei project, we cannot always guarantee the best DNS response time.

This is why, starting with 0.8.0.beta9, we'll be doing the cloud threat intelligence lookups with an independent to-the-purpose query. 

2. New cloud servers for US-West, US-East and Asia.

To improve cloud response time and distributing load, we'll be introducing new servers for Asia, US-West and US-East regions.

This change will have the following benefits:

1. Improved availability
2. Improved response times (from avg 100ms to as low as 5ms)
3. You'll be able to continue using your local DNS servers.
4. You'll be able to utilize other DNS based solutions (like Pi-hole) in conjunction with Sensei.

We plan to have this before 0.8 rc1 so, hopefully we'll ship this with beta9 in two weeks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 05, 2019, 06:25:57 pm
Hi!

Just a curious question. Did you consider using Apache Lucene as the db backend instead of Elasticsearch?
I use Lucene in several projects (mostly bitnami) and it's a very scalable and fast backend. There is an option to use it in a "lightweight" scenario and also as an "enterprise" one. It may solve the low-memory hardware problem.
I'm just thinking out loud :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 06, 2019, 03:15:29 pm
Hi Archanfel80,

Many thanks for the suggestion. Actually didn't consider this as an option - wasn't aware that lucene had a lightweight option.

Currently we're evaluating Timescaledb and Influxdb. We'll also have a look at lucene lightweight option. Any pointers on this for me?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 07, 2019, 09:21:15 am
Hi!

I mostly played with heap sizes and buffer sizes. Lower values result in lower memory usage at the cost of performance (slower queries) because of the increased disk IO.
TimescaleDB is a good choice too. I'm not sure about InfluxDB; I had to use it in the past but it caused too much headache. It's not easy to operate.
Elasticsearch memory consumption can also be limited. If I use it in a low-user (<100) scenario and do not store more than 3 days of data, the whole system memory usage is below 2GB. I have been running Sensei on a 2GB board for almost a week now: small office, only 8 users, 3 days stored. The boss just wants to see what the workers do, so he checks the Sensei reports at the end of the day. The whole system memory consumption is below 2GB. I use the default 2GB swap in OPNsense, but not a single byte of it is used. I had to disable the Sensei health check because it stopped the engine from time to time, but no issues so far. I also have a bigger system, a college with students, many more users, much more data, 3 days of history stored, and the memory is just a bit above 4GB. I think the 8GB minimum recommended RAM is a bit high. I don't have any system that eats this much.

What if Sensei detected the available system memory, including the optional swap file, and grayed out the big scenarios like 500 users, limited the maximum data history time, etc.? Then the user can't use a big scenario that breaks down the system.
For example with 2GB system, 25 users max, 3 days history
4GB system 100 users max, 7 days history
etc. And you can limit Elasticsearch memory usage too.

And a quick report: after beta8 the cloud threat query time is a bit better, but it still causes a delay that the user noticed.

Keep up the good work :)

Hi Archanfel80,

Many thanks for the suggestion. Actually didn't consider this as an option - wasn't aware that lucene had a lightweight option.

Currently we're evaluating Timescaledb and Influxdb. We'll also have a look at lucene lightweight option. Any pointers on this for me?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 08, 2019, 06:48:31 am
Hi Archanfel80,

Many thanks for sharing your experience. Indeed, we found this very helpful.

Now I'm thinking we might be over optimizing. We were trying to keep the memory usage for the Sensei and DB below 1GB for small deployments, like 25 users. And also we are trying to provide at least a month of history.

If the median minimal RAM size for OPNsense small deployments is 2GB, your suggestion looks very viable.

Let's do a quick twitter poll:

https://twitter.com/sunnyvalley/status/1115109250479476737

With regard to beta8, glad to hear that it looks better. We've received similar feedback from several other users. Hopefully, we will be solving the remaining issue with Cloud with beta9.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 08, 2019, 09:12:03 am
Hi!

I think keeping the RAM usage below 1GB would be a bit hard.
This is my smallest scenario: very low activity, Sensei active on only one interface, around 8-10 users.

https://imgur.com/a/t8Bk8qg

This is a VM actually; the RAM usage is below 2GB, but higher than 1GB. I can't keep it below that. Of course this is the OS + Sensei RAM usage together. OPNsense eats 300-800MB RAM depending on the scenario, so 2GB usage with Sensei means Sensei uses 1-1.5GB RAM with low-end settings.
A 2GB board should handle this, even with a swap file.
I think you can try to reach ~1GB RAM usage for a small scenario; that should satisfy the low-end hardware users :)

Hi Archanfel80,

Many thanks for sharing your experience. Indeed, we found this very helpful.

Now I'm thinking we might be over optimizing. We were trying to keep the memory usage for the Sensei and DB below 1GB for small deployments, like 25 users. And also we are trying to provide at least a month of history.

If the median minimal RAM size for OPNsense small deployments is 2GB, your suggestion looks very viable.

Let's do a quick twitter poll:

https://twitter.com/sunnyvalley/status/1115109250479476737

With regard to beta8, glad to hear that it looks better. We've received similar feedback from several other users. Hopefully, we will be solving the remaining issue with Cloud with beta9.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SchylgeICT on April 09, 2019, 09:18:48 pm
Hi MB,

With beta7 I was able to add OPT1 (vlan interface) to the protected interfaces. I can still do this with beta 8. What did actually change with:
Quote
"We've shipped 0.8.0.beta8 yesterday. This update brings vlan tagged interface support and fixes several issues with beta7. All beta7 users are encouraged to update to beta8."
I think I'm overlooking something.
It would be nice to add different Sensei rules for different Vlans. I was hoping this was one of the things that changed in beta8.
I can confirm faster DNS lookups now with cloud threat intel enabled!
Best regards.
Ruud

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 11, 2019, 09:47:13 am
Yeah, different rules on different interfaces would be a great feature, as also a scheduling function.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on April 14, 2019, 12:28:43 pm
A nice feature would be synonymous if you could install the plugin as standalone on an external BSD or Linux computer and could use the plugin as an analyzer.

The firewall could be relieved. Especially in the home user area an advantage, but certainly also in the business area a welcome feature.

Is there any news on the topic Sensei for low power hardware optimization?

Thank you

Regards, rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on April 15, 2019, 08:27:42 pm
Hi,

Is it possible to have parental controls or per device/group filtering?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: rb_newbie on April 18, 2019, 09:49:44 pm
Just installed 0.8.0.beta8 and did an audit of the packages and found that an outdated library is being used that is vulnerable.  Any way I can manually update this w/o breaking anything or will it be fixed in the stable release?

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.FreeBSD.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

1 problem(s) in the installed packages found.
***DONE***
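
An added example (not part of the post above and not code from the Sensei or OPNsense projects): a small Python parser for the audit output quoted in that post, turning it into package, version and CVE records and flagging a report that was cut off before its summary line. The sample text is the output from the post; the function and class names are hypothetical, and the assumption that the summary line counts vulnerable packages is marked in the code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Audit output as pasted in the forum post above.
SAMPLE_REPORT = """\
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.FreeBSD.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

1 problem(s) in the installed packages found.
***DONE***
"""

# FreeBSD package names may contain hyphens; the version is the part after
# the last hyphen, so the greedy \S+ takes everything before it.
HEADER_RE = re.compile(r"^(?P<pkg>\S+)-(?P<ver>[^-\s]+) is vulnerable:$")
TITLE_RE = re.compile(r"^(?P<name>\S+) -- (?P<title>.+)$")
CVE_RE = re.compile(r"^CVE: (?P<cve>CVE-\d{4}-\d{4,})$")
WWW_RE = re.compile(r"^WWW: (?P<url>https?://\S+)$")
SUMMARY_RE = re.compile(r"^(?P<count>\d+) problem\(s\) in (?:the )?installed packages found\.$")


@dataclass
class Advisory:
    title: str
    cves: List[str] = field(default_factory=list)
    url: Optional[str] = None


@dataclass
class Finding:
    package: str
    version: str
    advisories: List[Advisory] = field(default_factory=list)


def parse_audit(text: str) -> Tuple[List[Finding], Optional[int]]:
    """Return (findings, count from the summary line or None if it is missing)."""
    findings: List[Finding] = []
    reported: Optional[int] = None
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Finding(m["pkg"], m["ver"])
            findings.append(current)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported = int(m["count"])
            current = None
            continue
        if current is None:
            continue  # banner lines such as "***DONE***"
        m = TITLE_RE.match(line)
        if m:
            current.advisories.append(Advisory(m["title"]))
            continue
        if not current.advisories:
            continue  # detail line without a preceding advisory title
        m = CVE_RE.match(line)
        if m:
            current.advisories[-1].cves.append(m["cve"])
            continue
        m = WWW_RE.match(line)
        if m:
            current.advisories[-1].url = m["url"]
    return findings, reported


def audit_status(text: str) -> dict:
    """Summarise a report; 'complete' is False when the summary line is
    missing or disagrees with what was parsed.
    Assumption: the summary counts vulnerable packages, not advisories."""
    findings, reported = parse_audit(text)
    return {
        "packages": [f"{f.package}-{f.version}" for f in findings],
        "cves": sorted({c for f in findings for a in f.advisories for c in a.cves}),
        "complete": reported is not None and reported == len(findings),
    }


if __name__ == "__main__":
    print(audit_status(SAMPLE_REPORT))
```
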
Title: Re: Sensei on OPNsense - Application based filtering
Post by: timota on April 22, 2019, 09:30:27 pm
I'm keen to check your plugin, but the installer complains:

"Unfortunately Celeron is not supported by Sensei."

I can't say that my CPU is weak; it performs well on most tasks.

What will happen if I remove this check from the installer? Do you have any other checks that will prevent installing it?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 23, 2019, 02:14:23 pm
Yes! If you have less than 4GB RAM the installer will also fail. You can remove this check too. The RAM is not a problem; I have Sensei on a 2GB APU board without problems, but that board has a quad-core Intel processor, and the CPU usage is kind of heavy. I'm not sure the Celeron processor can handle this.

I'm keen to check your plugin, but the installer complains:

"Unfortunately Celeron is not supported by Sensei."

I can't say that my CPU is weak; it performs well on most tasks.

What will happen if I remove this check from the installer? Do you have any other checks that will prevent installing it?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: timota on April 24, 2019, 04:45:47 pm
great thanks.

will try anyway.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 09, 2019, 06:17:52 pm
Hi,

is anyone using the scheduled reports in reports&data section of the configuration (Sensei 0.7)?
Is it just me or is the "click to download and view detailed reports" link not working within the email (getting a blank html file with 0 bytes)?
It does not work for me in MS Outlook (Office 365) and Thunderbird.
If I access that mails through the webmail of my GMX (my mail provider) I can see that there's a html file attached. I can see the attachment in the app on my iPhone, but that's not my favorite "view that report" device.

Are there any updates on Sensei 0.8? since that thread fell asleep ;)

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 09, 2019, 06:35:18 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi Bene,

Messages in the screenshot are ok: netmap telling you it was able to open the ethernet port.

I can confirm that there's something weird with the trunk interface when we bridge hw <-> sw rings. After a while packet transmission stalls for the child interfaces:

Code:
658.955704 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048
683.531482 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048

Looking into that.

For now, if you're using VLANs, our advice is:

  • Stay with the stock kernel which comes default with the OPNsense release, we need more work in new kernel with regard to VLANs
  • Do not put any untagged traffic to your VLAN trunk port and you should be able to protect vlan child interfaces just fine

Our plan is to be able to process the trunk interface directly and for all VLANs and you'll not need to separately select child interfaces. Will get you updated on this.

For now, if you can carve out the untagged traffic from the trunk port, you're ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 11, 2019, 06:32:35 pm
Hi @donatom3,

For application control, dns does not play any role there, so you'll be utilizing Sensei at its full potential in any ways.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) of a possibility of using both Sensei Cloud database & local dns servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and happy with the software ;)


Would be great if I could use Cloud database & local dns!

Do you have a pricing idea for premium edition for home user?

thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:43:48 pm
Dear Sensei users,

An update on the low-resource systems:

Below are the results of the poll "How much memory do you have on your OPNsense firewall"

Many thanks to those who attended the poll. According to the results, 2/3 of the OPNsense users have either 4GB or more memory.

So, as per Archanfel80's suggestion, enabling for 4GB will allow another 40% to be able to start using Sensei. We thought that this is a huge number and lowered the minimum memory requirement to 4GB (Elastic is configured accordingly).

So, practically, if you have 4GB RAM, then starting with beta9 (coming this weekend), you'll be able to enjoy Sensei for up to 100 users.

I'd like to thank Archanfel80 for his awesome suggestion. It's in the works now.

Alternative database backend work (which will enable Sensei for 2GB or less memory) is continuing, but might take a little longer than we originally planned -- most probably post 2019. (due to other high priority work).

Note: I see that we missed some messages unanswered here. Apologies for that: we're recovering quite a loaded timeframe, and will be getting back to you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:54:34 pm
a nice feature would be synonymous if you could install the plugin as standalone on an external bsd or linux computer and could use the plugin as an analyzer.

The firewall could be relieved. especially in the home user area an advantage but certainly also in the business area a welcome feature.

Yes, we have some good news about this. Part of our overload was due to this feature actually. With 0.8.0.beta9 (coming this weekend), you'll notice in Configuration page that we have introduced another deployment option:

L2 transparent bridge.

In this mode, Sensei literally bridges two of your ethernet interfaces.

This way, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

We introduced this to be able to support sites which have thousands of users.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

A live deployment for 5000 users was done; and looks quite promising.

is there any news on the topic sensei for low power hardware optimization?

Yep, please see my above answer: https://forum.opnsense.org/index.php?topic=9521.msg58741#msg58741
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:59:34 pm
Would be great if I could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 11, 2019, 08:07:27 pm
Would be great if I could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.

GREAT!!! looking forward...THX
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:10:15 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi @the-mk,

Yes, we have updates on this. Sensei is now able to process VLAN trunk interfaces.

So, if you're using VLANs, the latest advice is:

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:15:30 pm
Just installed 0.8.0.beta8 and did an audit of the packages and found that an outdated library is being used that is vulnerable.  Any way I can manually update this w/o breaking anything or will it be fixed in the stable release?

libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.FreeBSD.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

Hi rb_newbie, many thanks for pointing this out. This is a dependency package required by Elasticsearch/java. We'll go ahead and update it.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 11, 2019, 08:19:07 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi @the-mk,

Yes, we have updates on this. Sensei is now able to process VLAN trunk interfaces.

So, if you're using VLANs, the latest advice is:

  • Stay with the stock kernel which comes default with the OPNsense release, we need more work in new kernel with regard to netmap
  • You can now protect untagged (trunk) vlan interfaces. Sensei will process both tagged and untagged frames at the same time. This is the advised & performant method.
  • Or, you can still choose to protect vlan child interfaces or vlan parent interfaces. The important thing to be careful here is do not have them at the same time, or you'll hit a bug present in current netmap code

MB,

Are you saying if I move my 2 vlans off their own interface back to my main trunk I should stop seeing that netmap crash that was causing sensei to stop all traffic?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:59:12 pm
Hi Ruud,

With beta7 I was able to add OPT1 (vlan interface) to the protected interfaces. I can still do this with beta 8. What did actually change with beta8? I think I'm overlooking something.

Correct. The difference is; beta7 did not actually process tagged frames, they were just forwarded; whereas beta8 does process both tagged and untagged frames.

It would be nice to add different Sensei rules for different Vlans. I was hoping this was one of the things that changed in beta8.

We're addressing this with Policy based filtering (Interface, VLAN, Subnet based policies) which will appear in Premium subscription.

I can confirm faster DNS lookups now with cloud threat intel enabled!

Many thanks for this update. 0.8.0.beta9 should be slightly better.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 09:07:44 pm
is anyone using the scheduled reports in reports&data section of the configuration (Sensei 0.7)?
Is it just me or is the "click to download and view detailed reports" link not working within the email (getting a blank html file with 0 bytes)?
It does not work for me in MS Outlook (Office 365) and Thunderbird.
If I access that mails through the webmail of my GMX (my mail provider) I can see that there's a html file attached. I can see the attachment in the app on my iPhone, but that's not my favorite "view that report" device.

Hi @the-mk,

Gmail web/iPhone looking good. It looks like a problem embedding the report for Office365/Thunderbird.

Having a look at it. Many thanks for reporting.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 12, 2019, 11:21:45 am
@mb - thanks!
tested adding the trunk interface only to the protected interfaces - and it processes all VLANs that are on that trunk interface - that's ok for me!
looking forward to beta9! I guess we get a notification here in the forums as soon as it is available?
scheduled reports - the embedded report problem also exists in 0.8 beta8...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 12, 2019, 05:53:00 pm
Hi @the-mk,

Glad to hear that vlans are working for you. beta9 is reporting vlans & interfaces. Final tests are run for it & should arrive late today (PST) or tomorrow.

Got it. Not able to make the fix for beta9, hopefully with the next beta.
Title: Sensei on OPNsense - Application based filtering
Post by: shijo on May 13, 2019, 04:19:59 pm
Hi there,

Is there any possible way to block  Ultrasurf client proxy by using Sensei. Ultrasurf sets up a local proxy on the user’s computer, and then configures Internet Explorer’s proxy settings to run all Internet requests through that local proxy. The default port is 9666. Since the traffic between Ultrasurf and IE is entirely on the localhost, it never goes to the network and can’t be blocked by a firewall. Ultrasurf then sets up an encrypted connection with a remote server in its network of proxy servers. The connection to the remote proxy server is made over port 443. Hopefully someone out there can help me with this.

Thanks in advance !  :)  :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 13, 2019, 07:36:04 pm
Hi @shijo,

Thank you very much for trying out Sensei.

The pre-requisite for filtering an application is the identification of that application in the first place. Once its traffic is correctly identified, filtering is the easiest part.

It looks like we're not able to identify this traffic as Ultrasurf Proxy.

We've had requests for Ultrasurf and its identification is on the roadmap.

In the meantime, if you'd like to give that a pace, you can share a pcap of a "test" Ultrasurf session; that would be really helpful.

Then it'd be faster for us to write the signature for identifying the application.

And once it's identified, filtering is automatically in place.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 14, 2019, 12:57:45 am
Dear Sensei users,

0.8.0.beta9 is out now. Below are the updates against 0.8.0.beta8:

Support for Large Settings (More than 1000 users)

Thanks to the newly introduced L2 Transparent Bridge Mode, you can run Sensei for thousands of users.

In this mode, where Sensei literally bridges two of your ethernet interfaces, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

Practically, what this means is that if you deploy Sensei on an 8-core server with, say, 64GB of memory, you can serve 8000 users behind this configuration.

Please note that we'll need a small integration with OPNsense to be able to fully provide this functionality. We'll keep you posted.

Support for 4GB RAM

In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4GB of RAM.

Please note that if you have 4GB memory, the maximum number of users will be 100.

Improved application signatures


Cloud

New Cloud Query Infrastructure

Filtering

Fixed a bug where auto-whitelisting a host does not immediately take effect / requiring a restart of engine.

Integrations


Better Reporting



How to update?

For 0.8 users, in the OPNsense Web UI, you should have already seen Sensei reporting 0.8.0.beta9 update. Just click on "Update" and Sensei will take care of the rest.

For 0.7 users, please wait for an announcement for 0.8.0.rc1; when it's out, you should also see 0.8 update in the OPNsense UI. We'll announce it from here and our twitter page.

Hope you enjoy this one.

--
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shijo on May 14, 2019, 12:46:17 pm
Hi @mb,

Thank you very much for the reply. As you suggested I'm attaching the pcap file for your reference.

Thanks in advance !
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 14, 2019, 01:58:45 pm
Hi @shijo,

That's awesome. Thank you. This'll help a lot.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 14, 2019, 02:53:39 pm
I'm glad I can help :)

Dear Sensei users,

0.8.0.beta9 is out now. Below are the updates against 0.8.0.beta8:

Support for Large Settings (More than 1000 users)

Thanks to the newly introduced L2 Transparent Bridge Mode, you can run Sensei for thousands of users.

In this mode, where Sensei literally bridges two of your ethernet interfaces, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

Practically, what this means is that if you deploy Sensei on an 8-core server with, say, 64GB of memory, you can serve 8000 users behind this configuration.

Please note that we'll need a small integration with OPNsense to be able to fully provide this functionality. We'll keep you posted.

Support for 4GB RAM

In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4GB of RAM.

Please note that if you have 4GB memory, the maximum number of users will be 100.

Improved application signatures

  • Browsec VPN
  • Microsoft Updates
  • Office Updates
  • Fixed a bug in Web based applications classification module which -in some cases- might lead to a crash.

Cloud

New Cloud Query Infrastructure

Filtering

Fixed a bug where auto-whitelisting a host does not immediately take effect / requiring a restart of engine.

Integrations

  • Improved CLI access API
  • First bits of Active Directory Integration

Better Reporting

  • New report: Ethernet interface reports. You can now see which ethernet interfaces carry the most bandwidth and drill down to per-interface detailed reports.
  • New report: VLAN reports. You can filter out a VLAN and drill down as deep as session details.
  • New report: User reports. When the OPNsense captive integration is finished, you’ll be able to view user-based reports.
  • All live session reports now have VLAN, Interface, Username columns.
  • All live session reports now have auto-refresh / refresh interval options
  • Fixed a bug where charts were refreshed randomly causing excessive page loads
  • Fixed a bug where setting Elasticsearch not to start at boot causing reporting to cease.
  • Introduced an option to be able to reset all Elasticsearch Indexes.
  • Introduced Elasticsearch Index Health Checker, where you can check and do a fix-up on an index basis
  • Elasticsearch shards are now single. Not requiring a replica. All indexes can be seen green now.
  • Fixed a bug in Elasticsearch data retiring module, which -in some cases- would result in more disk space consumption


How to update?

For 0.8 users, in the OPNsense Web UI, you should have already seen Sensei reporting 0.8.0.beta9 update. Just click on "Update" and Sensei will take care of the rest.

For 0.7 users, please wait for an announcement for 0.8.0.rc1; when it's out, you should also see 0.8 update in the OPNsense UI. We'll announce it from here and our twitter page.

Hope you enjoy this one.

--
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 14, 2019, 02:56:37 pm
Hi, updated from beta8 to 9, everything looks fine so far.
Also local DNS and Cloud Threat Intel is working, GREAT!

Only: I cannot set deployment size, drop down is empty... but that's it
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 14, 2019, 04:24:26 pm
I'm glad I can help :)

How does it help to just quote the complete previous text without any sensible addition?  ::)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 14, 2019, 04:36:01 pm
I was referring to this: "In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4GB of RAM."

I'm glad I can help :)

How does it help to just quote the complete previous text without any sensible addition?  ::)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on May 15, 2019, 09:38:45 am
I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I thought tagged VLANs are supported now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 09:52:15 am
Login to the firewall through SSH:
mkdir -p /usr/local/sensei/log/active
mkdir -p /usr/local/sensei/log/archive

reboot

I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I thought tagged VLANs are supported now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 15, 2019, 02:04:01 pm
The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I thought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chance that you did not enable the trunk interface from the OPNsense Interfaces menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 02:40:48 pm
I'm using tagged VLAN interfaces and all are shown correctly. See attached image.

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I thought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chance that you did not enable the trunk interface from the OPNsense Interfaces menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 15, 2019, 04:34:03 pm
I'm using tagged VLAN interfaces and all are shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded Sensei. If you remove them, you will not be able to re-add them again unless you edit the right file to disable the display filter.

mb:
Quote
[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51, where the comparison with 'vlan' is.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 06:01:53 pm
True!
I can confirm that, I don't see the VLAN interfaces unless I add them manually to the config.xml (Sensei section) or do the same as you mentioned.

I'm using tagged VLAN interfaces and all are shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded Sensei. If you remove them, you will not be able to re-add them again unless you edit the right file to disable the display filter.

mb:
Quote
[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51, where the comparison with 'vlan' is.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on May 15, 2019, 10:57:37 pm
Cloud Node Status is always DOWN (see attachment). I can click "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays as is. Is this normal?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 03:03:29 am
@opnip,

As a private message, can you share your firewall's IP address with me? Let's do a trace.

Hi, updated from beta8 to 9, everything looks fine so far.
Also local DNS and Cloud Threat Intel is working, GREAT!

Only: I cannot set deployment size, drop down is empty... but that's it

@holger, fixed for beta10.

I get the following error when accessing the Dashboard or any sensei page:
73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

@ruffy, fixed for beta10.


@Archanfel80, @hbc, @ruffy,

Please watch for beta10. We removed the filter for VLAN child interfaces.

So the latest situation:

You can either

- Add the parent/tagged ethernet interface and protect the whole tagged/untagged
   traffic passing through the interface

or

- Add each vlan child interface separately to the protected interfaces. The thing
  to note here is do NOT add both the parent and the child interfaces at the same
  time, or you'll hit a netmap bug.

Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 16, 2019, 03:49:12 am



Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

I've got one parent and two VLAN interfaces on the same trunk all working fine. Same issue as others where the VLAN interfaces don't show up as selectable but just adding the parent gets all 3


Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 16, 2019, 03:50:13 am



Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

I've got one parent and two VLAN interfaces on the same trunk all working fine. Same issue as others where the VLAN interfaces don't show up as selectable but just adding the parent gets all 3

Just saw you said more than 2 I can add a third one just for fun.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on May 16, 2019, 06:11:22 am
Hi MB, in App Control, we can block an entire protocol / type of service. Is there any way to block one user and allow everyone else OR allow one user and block the rest in the network, either by IP or MAC address? Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 16, 2019, 06:26:46 am
Cloud Node Status is always DOWN (see attachment). I can click "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays as is. Is this normal?

I have the exact same behavior!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 02:16:38 pm

I've got one parent and two VLAN interfaces on the same trunk all working fine. Same issue as others where the VLAN interfaces don't show up as selectable but just adding the parent gets all 3

Just saw you said more than 2 I can add a third one just for fun.

Hi @donato,

Thanks, much appreciated. Please note that the problem seems to arise when you add more than two "child" vlan interfaces. We haven't had a problem reported with tagged/trunk interfaces, although curious to know if there are any.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 02:22:48 pm
@manjeet,

This is addressed via policy based filtering coming up with Premium subscription. Details almost complete. Hope to announce it very soon.

@malac,

Please send your public IP address to sensei - at - sunnyvalley.io. We'll run a trace.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on May 17, 2019, 06:31:17 am
Thanks @MB for the update. Looking forward to it.

Also, yesterday I enabled the email reporting and today I got this message: "Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually."

Elasticsearch is working fine, reports in dashboard and reports section all look good. I do not understand what could be the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 17, 2019, 03:52:32 pm
Hi @manjeet,

We're having a look at Scheduled Reports now, let's also check this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 18, 2019, 12:55:13 pm
@mb: when I look to the reporting mail - how is that number of "unique local hosts" of the "quick facts" derived? I do not have that many hosts in my network...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: N0_Klu3 on May 18, 2019, 01:05:41 pm
So would this work at replacing pfblockerng?
As in AD Blocking?

Also I read stuff about VLANs, basically I have 2 VLANs running on my main LAN Ethernet port.
Would Sensei work?

I'm planning on rebuilding to OPNSense hopefully today, but I'd really like some sort of ad blocking to replace pfblockerng.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 18, 2019, 02:04:53 pm
Hi @the-mk,

Do you see different statistics in the UI, or are they the same?

If they are: we saw this happen when Sensei was being run for a WAN interface. In that, LAN/WAN directions are being reversed for Sensei. So you see remote host count in place of locals and vice versa.

If not, let's have a look if we're missing something.


Hi @N0_Klu3,

You can try for yourself. It's easy to try out Sensei.

Yep, if you just add the parent LAN interface to the protected interfaces, then you're good to go.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: N0_Klu3 on May 18, 2019, 06:14:01 pm
@mb do you still need an invite or install link?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 18, 2019, 06:16:04 pm
Hi @N0_Klu3,

You can use this command to install 0.8:

curl https://updates.sunnyvalley.io/getsensei8 | sh

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on May 19, 2019, 10:15:09 am
Hi,

are these files needed? Took most of my disk space ...

Code:
root@OPNvirt:/usr/local/sensei/log # du -sm * | sort -n
1 active
14156 archive

These logs contain statistics for all interfaces per second ... but I did not find an option to disable these logs ...

Thanks and best regards,

    Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 19, 2019, 11:54:43 am
@manjeet,

This is addressed via policy based filtering coming up with Premium subscription. Details almost complete. Hope to announce it very soon.

@malac,

Please send your public IP address to sensei - at - sunnyvalley.io. We'll run a trace.

Have you found something?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 19, 2019, 04:16:50 pm
are these files needed? Took most of my disk space ...
These logs contain statistics for all interfaces per second ... but I did not find an option to disable these logs ...

Hi @Space,

Within this beta period, in times of troubleshooting, they can be very valuable for us to point out the location of some of the problems.

Nearing 1.0, we'll cease to archive logs. In the meantime, we're adding functionality to automatically purge logs older than 10 days.

Thanks for pointing this out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 19, 2019, 04:19:02 pm
Have you found something?

Hi @malac,

Yep, it looks like engine is still a little bit too sensitive for response times. We've lowered the thresholds a bit. Coming with beta10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 19, 2019, 04:48:13 pm
Hi @the-mk,

Do you see different statistics in the UI, or are they the same?

If they are: we saw this happen when Sensei was being run for a WAN interface. In that, LAN/WAN directions are being reversed for Sensei. So you see remote host count in place of locals and vice versa.

If not, let's have a look if we're missing something.

when comparing the quick facts from the last report mail with the conns facts from the dashboard - they are pretty much the same when having the report interval set 05/18/2019 00:00 to 05/19/2019 00:00.
I'd expect that the number of unique local hosts are about the same numbers as IP-addresses are listed in the table of local assets from the dashboard.
protected interfaces on the firewall in question with sensei 0.7.0 are 6 vmx-network cards to different LANs and one vmx to WAN.
but maybe my understanding of unique local hosts is wrong here?
could it be that i.e. a host talking on the network of interface #1 is talking to another host on the network interface #2 and the same source hosts also talks to the internet (WAN)?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 20, 2019, 05:49:22 pm
Hi @the-mk,

Thank you very much for providing additional information.

Whether we decide if some IP address is local or remote depends on the flow direction.

A little bit of background info how Sensei works & decides the flow direction:

Sensei deploys between the ethernet adapter and the host operating system, bridging the two, forwarding packets back and forth, and at the same time doing the inspection. Typically we are deployed on inner-facing interfaces.

It assumes that the ethernet side of the bridge is LAN and the operating system side is WAN. So flows initiated from the LAN side are considered egress, and flows initiated from the WAN side are considered ingress.

For egress connections, the source IP address that initiated the connection is tagged as "Local", whereas for ingress connections, it's the destination IP address.

So, in your scenario, I'd expect that having a protected interface on the WAN side might complicate things, since this time Sensei will regard all outgoing connections as ingress (for that interface) and regard the remote IP addresses as local.

It might be worth removing that interface from the protected interfaces to see if this changes things.

If that's not the case, please let us know so that we can have a look at it together.
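
The tagging rule described in the post above, modelled as an added Python example (not Sensei code and not part of the original post). The Flow record, the interface names igb0/igb1, the outbound-NAT assumption and all addresses are constructed for illustration; it shows why also protecting a WAN interface inflates the "unique local hosts" count.

```python
"""Model of the local/remote tagging rule described in the post above.

Added illustration only, not Sensei code. The Flow fields, interface
names (igb0 = WAN, igb1 = LAN) and all addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WIRE = "wire"  # first packet entered the bridge from the ethernet adapter
HOST = "host"  # first packet entered the bridge from the operating system


@dataclass(frozen=True)
class Flow:
    iface: str       # protected interface the flow was seen on
    first_from: str  # side of the bridge that sent the first packet
    src: str         # initiator address as seen on that interface
    dst: str         # responder address


def direction(flow):
    """Ethernet side is treated as LAN, operating-system side as WAN."""
    return "egress" if flow.first_from == WIRE else "ingress"


def local_ip(flow):
    """Egress: the source is tagged local. Ingress: the destination is."""
    return flow.src if direction(flow) == "egress" else flow.dst


def unique_local_hosts(flows, protected):
    """Set of addresses tagged local on the given protected interfaces."""
    return {local_ip(f) for f in flows if f.iface in protected}


def misattributed(local_hosts, local_networks):
    """Addresses tagged local that lie outside the site's own networks."""
    nets = [ip_network(n) for n in local_networks]
    return sorted(
        h for h in local_hosts
        if not any(ip_address(h) in n for n in nets)
    )


def build_sample_flows():
    """Constructed traffic: 3 LAN clients each connect to 4 internet servers.

    Every connection is seen twice: arriving from the wire on the LAN
    adapter, then leaving the operating system through the WAN adapter.
    Assumption: outbound NAT rewrites the source to the WAN address.
    """
    clients = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    servers = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    wan_ip = "203.0.113.5"
    flows = []
    for c in clients:
        for s in servers:
            flows.append(Flow("igb1", WIRE, c, s))       # LAN adapter
            flows.append(Flow("igb0", HOST, wan_ip, s))  # WAN adapter
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    lan_only = unique_local_hosts(flows, {"igb1"})
    lan_wan = unique_local_hosts(flows, {"igb0", "igb1"})
    print("LAN only    :", len(lan_only), "local hosts")
    print("LAN and WAN :", len(lan_wan), "local hosts")
    print("not in 10.0.0.0/24:", misattributed(lan_wan, ["10.0.0.0/24"]))
```

Comparing the tagged set against the networks you actually own, as `misattributed` does, is a quick way to tell whether an inflated host count comes from a WAN-facing protected interface.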
Title: Re: Sensei on OPNsense - Application based filtering
Post by: kaviraj on May 21, 2019, 09:26:44 am
Hello,

I've been testing Sensei 0.8.0.beta9 for some days now, and since yesterday I am facing some strange problems. Some clients are unable to resolve DNS. If I change the client IP, everything starts to work again. I tried to uninstall and reinstall, but it's still the same.

OPNsense is running in a virtualised environment (Proxmox) with kernel 19.1.4 having netmap support, as I am using virtio.

Test case:
1. I have a client with IP 10.249.10.228/24. When I run a dig, it returns a time-out. A tcpdump on the hypervisor shows that the request was forwarded over the OPNsense interface, but a dump on the OPNsense interface shows nothing.

2. I stop the Sensei engine and dig starts to work. But as soon as I start it, the client is unable to resolve DNS.

3. Same client, but I change the IP to 10.249.10.11/24. Dig works.

I may provide remote access if needed.

Thanks for your help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 21, 2019, 01:46:56 pm
Hi @kaviraj,

Many thanks for reaching out. Please watch for 0.8.0.beta10 which will be coming out today. We have a fix for this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 21, 2019, 06:15:02 pm
Dear Sensei users,

Sensei 0.8.0.beta10 is out. This brings back VLAN child interfaces and fixes a bug with Cloud Threat Intel. You should now see much better uptimes.

Also addressed: libXdmcp, an Elasticsearch dependency package, is updated to version 1.1.3, fixing a security issue.

Complete list is as follows:

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 21, 2019, 08:51:30 pm
@mb: thanks for the clarification - I need to do a deeper check it on the weekend...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on May 22, 2019, 07:10:28 pm
elasticsearch shut down because it started to run out of disk space. How do I tune that? I've got a little over 300GB available for a family of 4 and a few guests a week.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 22, 2019, 07:58:03 pm
Hi @OPNsense4ever

You can use the following guide to determine for how many days you can have your reporting data.

https://guide.sunnyvalley.io/sensei/getting-started/getting-ready#disk-space

Then navigate to Sensei -> Configuration -> Reporting & Data

and set the maximum number of days to store reporting data.

When you set this number to a value smaller than the current one, Sensei will confirm with you if you want the surplus data to be deleted.

For this you need Elasticsearch to stay open; temporarily disable the Health check to prevent Sensei from shutting it down again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on May 25, 2019, 12:34:38 am
Sweet! Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 05:28:35 pm
I'm new to Sensei, but I'm loving it so far!  Great work!

I do occasionally get a "crash report" notification though.

Here is the sequence of events:

0) Sensei was not installed.
1) Upgraded OPNsense from 18.7.10_4 to 19.1.8.
2) Installed Sensei 0.8.0.beta10.
3) Successfully completed the initial Sensei configure wizard.
4) Noticed a "crash report" when I went to the OPNsense Dashboard.

Unfortunately, I don't have the crash report in front of me at the moment, but I *did* submit it, so hopefully you'll get it from the OPNsense team eventually.  It was something about PHP crashing with bad data related to the "TCP Service Security" password.  I'll keep you posted if I see it again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 28, 2019, 05:30:41 pm
Hi @JohnDoe17,

Thanks, great that you found Sensei useful for you.

One question: did you install Sensei 0.7 or the new 0.8 version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 05:35:02 pm
Quote
2) Installed Sensei 0.8.0.beta10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 28, 2019, 05:36:56 pm
Thanks JohnDoe17, I missed that.

Having a look at it if we're missing something. In the meantime, if you encounter it again, feel free to email the screenshot to sensei - at - sunnyvalley.io.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 06:11:31 pm
I got the crash to happen again.

Note that "Rainbow#Bicycle" is the password I was using for the test.  Does Sensei handle the "#" symbol in a password?

Code:
[28-May-2019 11:08:17 America/Chicago] PHP Fatal error:  Uncaught Error: Class 'OPNsense\Sensei\Exception' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(151): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4346, 1, '', 1)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(134): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4346, 'Rainbow#Bicycle', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(89): OPNsense\Sensei\Sensei->runCLI(Array)
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php on line 111
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 02:10:25 am
Dear Sensei users,

Sensei 0.8.0 Release Candidate 1 is out. This marks the first step into releasing 0.8 and towards 1.0. There will be no 0.9 :)

Change log is as follows:

We're running 0.7 to 0.8 upgrade tests. As soon as they show that we're good to go, 0.7 users will be notified of the new 0.8 update.

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 29, 2019, 01:42:31 pm
Just reinstalled OPNsense and the RC1 on APU2C4 with 2GB Swap - so far so good!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 01:48:31 pm
@patcsy88, thanks for sharing your experience. Glad to hear that.

@JohnDoe17, can you have a look and see if 0.8.0.rc1 is solving your issue?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 29, 2019, 03:36:27 pm
@mb: Any news concerning CARP? As soon as I start sensei on CARP master, I have split communication. Cannot ping between CARP members and both nodes are master, dhcp service is communication-interrupted.

Sensei just on backup node seems to work, but except for proxy there is no traffic passing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 03:43:13 pm
Hi @hbc,

Since running the netmap bridge application produces the same result, we suspect this to be a netmap issue. I've been trying to get Chelsio adapter to see if we can re-produce this.

In the meantime, any chance you can try the same setup with a different adapter -- preferably em or igb?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 29, 2019, 03:53:08 pm
Not in our CARP HA cluster. We have 12 chelsio ports, so sensei needs to run with it.
Title: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 29, 2019, 05:33:35 pm
Dear Sensei users,

Sensei 0.8.0 Release Candidate 1 is out. This marks the first step into releasing 0.8 and towards 1.0. There will be no 0.9 :)

Change log is as follows:
  • Per-process health monitoring. Sensei engine now checks heartbeats from its packet processors and takes corrective action in case of trouble.

We're running 0.7 to 0.8 upgrade tests. As soon as they show that we're good to go, 0.7 users will be notified of the new 0.8 update.

Enjoy :)

Sensei team

@mb Just checking if that is the fix we were talking about to the issue I was seeing with Sensei/netmap crashing causing all traffic to stop until I rebooted the whole firewall.

The last times it happened restarting Sensei from the GUI did not let traffic resume. I had to restart the whole firewall with the auto start of the packet engine turned off.

I did the upgrade to rc1 yesterday so I'll let you know if I still see the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 29, 2019, 06:18:58 pm
Hello @mb.

Yes, I can confirm the fix in rc1 did resolve the error I saw with the Sensei CLI API and OPNsense Crash Reporter.

Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 07:31:30 pm
Great to hear that @JohnDoe17, thanks for letting us know.

@donatom3 hi,

Yes, it's also netmap related but a different issue. After many trials, I was able to reproduce your situation. Doing an ifconfig down/up seems to resolve the problem.

After Sensei 1.0, we'll have another dive at netmap. It's a great tool, but certainly needs some industry help to get to a super stable state.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 02:49:48 am
Just reinstalled OPNsense and the RC1 on APU2C4 with 2GB Swap - so far so good!

So Sensei detected high Swap usage over the last 10+ hours and shut itself down. On prompt, I restarted ES. I have now also disabled the Health Check and on the Configuration page started Sensei Packet Engine and the overlay on the page says it is waiting for the service to start up. After 10 or so minutes, nothing happens on the page but vmstat in a shell suggests it is back up. Refreshing the OPNsense page and then going to the Configuration page again shows Sensei is up and running. Not sure if it is the OPNsense framework or Sensei page that is not polling for refresh of content/data...

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 30, 2019, 03:40:04 am
Great to hear that @JohnDoe17, thanks for letting us know.

@donatom3 hi,

Yes, it's also netmap related but a different issue. After many trials, I was able to reproduce your situation. Doing an ifconfig down/up seems to resolve the problem.

After Sensei 1.0, we'll have another dive at netmap. It's a great tool, but certainly needs some industry help to get to a super stable state.

@MB

I believe I just had one of the crashes again but it looks like it reconnected on its own. I noticed it while browsing my Apple TV: streaming stopped working and my Harmony showed it was offline, then it was online a few seconds later. This was in the main log file:

Code:
2019-05-29T18:28:37 ERROR: Watchdog: Worker [0] failed to send heartbeat for 6 seconds
2019-05-29T18:28:37 ERROR: Watchdog: Killing Worker [0]
2019-05-29T18:28:37 CRITICAL: Sending TERM signal to worker pid 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: processing dead child: pid: 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [pid: 98083] terminated with signal: 11
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [new pid: 60913] re-spawned

And here is the matching time stamp from the worker log.

Code:
2019-05-29T18:28:38 INFO: Packet Processor [60913] started working
2019-05-29T18:28:38 INFO: Packet Processor [60913] sleeping a while since we're respawned
2019-05-29T18:28:50 INFO: Worker [pid:60913] Pinning to CPU #1
2019-05-29T18:28:50 INFO: Worker [60913] started working


If this was your fix it did its job very fast. I wouldn't have noticed it unless I was doing some realtime traffic.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:22:00 pm
...overlay on the page says it is waiting for the service to start up. After 10 or so minutes, nothing happens on the page but vmstat in a shell suggests it is back up. Refreshing the OPNsense page and then going to the Configuration page again shows Sensei is up and running. Not sure if it is the OPNsense framework or Sensei page that is not polling for refresh of content/data...

@patcsy88, a similar case has been reported to us. Now it looks like, if the system is under load and not responsive enough, the Sensei UI might be waiting for the response for a long time.

Thanks for your input, this would be helpful in diagnosing the root cause.

One question: I guess you have like 4 GB of memory. For how many devices are you running Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:29:11 pm
If this was your fix it did its job very fast. I wouldn't have noticed it unless I was doing some realtime traffic.

Hi @donatom3, yes, chances are high that it might be fixing yours.

We implemented the heartbeat mechanism for any cases where packet engine might hang for more than 5 seconds.

If the main process senses that the packet processor process is not feeling well enough, it simply restarts the process.

This is to keep network availability high in case anything goes wrong.
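The watchdog lines quoted earlier in the thread can be folded into one record per restart, which makes repeated packet-processor restarts easy to spot. This is an added example, not part of the original posts or of Sensei itself; the function names are hypothetical and the sample input is the six main-log lines posted above.

```shell
#!/bin/sh
# Added example: summarise Sensei watchdog restarts from main-log text.
# Function names are hypothetical; the log format is taken from the thread.

# Constructed input: the six main-log lines quoted in the thread.
SAMPLE_LOG='2019-05-29T18:28:37 ERROR: Watchdog: Worker [0] failed to send heartbeat for 6 seconds
2019-05-29T18:28:37 ERROR: Watchdog: Killing Worker [0]
2019-05-29T18:28:37 CRITICAL: Sending TERM signal to worker pid 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: processing dead child: pid: 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [pid: 98083] terminated with signal: 11
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [new pid: 60913] re-spawned'

# Read main-log text on stdin and print one line per worker respawn:
#   <respawn time> worker=<n> stalled=<s>s old_pid=<p> signal=<sig> new_pid=<p>
# Fields that were not logged before the respawn are shown as "?".
watchdog_events() {
    awk '
        # Watchdog: Worker [0] failed to send heartbeat for 6 seconds
        $3 == "Watchdog:" && /failed to send heartbeat/ {
            w = $5; gsub(/[^0-9]/, "", w)
            stalled[w] = $(NF - 1)
        }
        # WaitWorkers: Child worker0, [pid: 98083] terminated with signal: 11
        $3 == "WaitWorkers:" && /terminated with signal:/ {
            w = $5; gsub(/[^0-9]/, "", w)
            p = $7; gsub(/[^0-9]/, "", p)
            oldpid[w] = p
            sig[w] = $NF
        }
        # WaitWorkers: Child worker0, [new pid: 60913] re-spawned
        $3 == "WaitWorkers:" && /re-spawned/ {
            w = $5; gsub(/[^0-9]/, "", w)
            p = $8; gsub(/[^0-9]/, "", p)
            s = (w in stalled) ? stalled[w] : "?"
            o = (w in oldpid) ? oldpid[w] : "?"
            g = (w in sig) ? sig[w] : "?"
            printf "%s worker=%s stalled=%ss old_pid=%s signal=%s new_pid=%s\n", $1, w, s, o, g, p
            delete stalled[w]; delete oldpid[w]; delete sig[w]
        }'
}

# Read main-log text on stdin and print "<worker> <count>" for every worker
# that was respawned at least $1 times, so a flapping worker stands out.
flapping_workers() {
    watchdog_events | awk -v min="$1" '
        { sub(/^worker=/, "", $2); n[$2]++ }
        END { for (w in n) if (n[w] >= min) print w, n[w] }' | sort -n
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | watchdog_events
```

On a firewall, feed the functions the main log file instead of the sample, for example `flapping_workers 3 < main.log` with your own log path.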
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:32:17 pm
One question: I guess you have like 4 GB of memory. For how many devices are you running Sensei?

@MB only 4 devices with normal web browsing
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:38:27 pm
@MB only 4 devices with normal web browsing

@patcsy88, what does the following tell?

Code:
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
ps awxu | grep elastic | grep -v grep
ps awxu | grep eastpect | grep -v grep
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:44:24 pm

@patcsy88, what does the following tell?

Code:
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
-Xms2g
-Xmx2g

ps awxu | grep elastic | grep -v grep
elasticsearch  4875   2.2 46.6 3878304 1927928  -  I    08:22     74:00.13 /usr/local/openjdk8/bin/java -Xms2g -Xmx2g -XX:+UseConcM

ps awxu | grep eastpect | grep -v grep
root           7417   0.5  4.5 3094852  185100  -  S<   08:35      8:29.81 eastpect: Eastpect Instance 0 (eastpect)
root          66470   0.0  0.0 1270428       0  -  IW<  -          0:00.00 eastpect: Eastpect Streamer Instance (eastpect)
root          80093   0.0  2.2 1270428   92760  -  S<   08:35      0:04.70 /usr/local/sensei//bin/eastpect -D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:50:50 pm
Code:
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
-Xms2g
-Xmx2g

There it is. Edit this file, change these lines to read:

Code:
-Xms512m
-Xmx512m

and stop/start elasticsearch service. You should be good to go.

For fresh installs we adjust this setting. Any chance you had a prior Sensei installation on this device?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:57:50 pm


For fresh installs we adjust this setting. Any chance you had a prior Sensei installation on this device?

No it was a fresh install!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 31, 2019, 12:57:38 am
@patcsy88, got it. We'll have a check for that whenever Sensei is updated/installed.

How is the system doing after you adjusted Elastic memory?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: alelnr on May 31, 2019, 11:01:39 am
Hi All,
in our environment (OPNsense 19.1.8 + Sensei 0.7), Sensei cloud reputation is completely blocking the OPNsense unbound DNS service. To allow unbound DNS to answer queries on Sensei-protected interfaces, I had to disable the cloud reputation service.
Thank you
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 31, 2019, 10:17:05 pm
No it was a fresh install!

Running "ps awxu | grep elastic | grep -v grep" shows the following output:-

elasticsearch 18938  30.9 61.1 3897508 2528480  -  I    04:09       6:49.91 /usr/local/openjdk8/bin/java -Xms2g -Xmx2g -XX:+UseConc

"cat /usr/local/libexec/elasticsearch/config/jvm.options | grep 512" gives me

-Xms512m
-Xmx512m

I restarted ElasticSearch via the UI.

Is there a default setting it is picking up instead of from usr/local/libexec/elasticsearch/config/jvm.options?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 01, 2019, 03:13:01 am
Hi @alelnr, service should be restored as of today. This was due to a BGP configuration problem. Sorry for the inconvenience.

@patcsy88, that should be the file elasticsearch is getting the settings from. Let's try to reproduce the issue here. I'll update you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 01, 2019, 10:17:31 pm
Is Sensei available from the plugins section or do we need to do a CLI install? I would very much like to try it out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 01, 2019, 10:29:57 pm
Is Sensei available from the plugins section or do we need to do a CLI install? I would very much like to try it out.

Hi @spetrillo,

Thanks for your interest in Sensei. You'll need to install it from OPNsense CLI.

Please see here:

https://guide.sunnyvalley.io/sensei/getting-started/prepare-your-firewall
https://guide.sunnyvalley.io/sensei/getting-started/setup
Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 01, 2019, 10:41:17 pm
Thanks @mb.

What does Sensei replace?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 02, 2019, 04:25:58 pm
Hi @spetrillo,

OPNsense is already a great firewall. Nothing to replace indeed.

Sensei is augmenting the firewall with commercial grade next generation features like:


And yet many to come...

It integrates in such a way that it makes it possible for you to continue to use all of the existing OPNsense functionality.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 02, 2019, 04:37:27 pm
@mb does Sensei augment what Suricata brings to the table or are they aimed at totally different things. It seems to me there is overlap and I am trying to understand if I should use one or the other or both.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on June 02, 2019, 06:34:50 pm
They do different things but they overlap a bit.

Both do Deep Packet Inspection but with other targets.
Suricata is only an engine, you have to select the rules yourself to reach your target.
You can use abuse.ch SSL Blacklist to block known bad Certificates or ET Pro Trojan Rules to block and detect network traffic from trojans and many more. It's there to defend against known exploits, vulnerabilities and threats mostly. You can enhance it yourself by adding the right rules.

Sensei classifies Traffic into application + web categories and allows you to specify what to block.
For example block File-Upload/Sharing sites to enforce the policy that employees have to use your in-house file sharing system etc. which would be very hard to do using suricata.
In addition, they provide a blacklist of sites they see spreading malware.

So I see it like this: Block known threats using suricata and use Sensei for defense-in-depth by disabling apps you do not need or do not want in your network.

Also sensei has usable reporting, suricata just shows alerts, sensei shows relations and also what is happening in your network even if it's not an alert.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 02, 2019, 07:05:56 pm
I would agree on what Suricata shows. I am actually trying to find some kind of front end that visualizes the Suricata data. Working with Elasticsearch right now to see where it can get me.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 04, 2019, 01:02:34 am
Is there a default setting it is picking up instead of from usr/local/libexec/elasticsearch/config/jvm.options?

Hi @patcsy88, it turns out that the correct jvm.options path should be:

Code:
/usr/local/lib/elasticsearch/config/jvm.options
Fix is also included in 0.8.0.rc2. Many thanks for bringing this to our attention.
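The symptom in this exchange (a jvm.options file already edited to 512m while `ps` still showed the JVM running with `-Xms2g -Xmx2g`) can be checked mechanically. This is an added example, not part of the original posts or of Sensei; the function names are hypothetical, the `ps` line is the one posted in the thread, and the jvm.options content is constructed.

```shell
#!/bin/sh
# Added example: compare the heap configured in a jvm.options file with the
# heap the running Elasticsearch JVM was actually started with.
# Function names are hypothetical.

# Convert a JVM size such as 2g, 512m or 1048576 (bytes) to whole MiB.
to_mib() {
    case "$1" in
        '')    echo 0 ;;
        *[gG]) echo $(( ${1%?} * 1024 )) ;;
        *[mM]) echo $(( ${1%?} )) ;;
        *[kK]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( $1 / 1048576 )) ;;
    esac
}

# Print "<xms> <xmx>" from the active lines of a jvm.options file.
# Only lines that start with the flag count, so commented examples are ignored
# (same idea as the grep "^\-Xm" used in the thread).
heap_from_file() {
    awk '/^-Xms[0-9]/ { xms = substr($1, 5) }
         /^-Xmx[0-9]/ { xmx = substr($1, 5) }
         END { print xms, xmx }' "$1"
}

# Print "<xms> <xmx>" from a process command line (one line of ps output).
heap_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
         /^-Xms[0-9]/ { xms = substr($0, 5) }
         /^-Xmx[0-9]/ { xmx = substr($0, 5) }
         END { print xms, xmx }'
}

# check_heap FILE PS_LINE: return 0 if the running JVM uses the heap that FILE
# configures, 1 otherwise. Sizes are compared in MiB, so 1g equals 1024m.
check_heap() {
    file=$1
    cfg=$(heap_from_file "$file")
    run=$(heap_from_cmdline "$2")
    cfg_ms=$(to_mib "${cfg% *}"); cfg_mx=$(to_mib "${cfg#* }")
    run_ms=$(to_mib "${run% *}"); run_mx=$(to_mib "${run#* }")
    if [ "$cfg_ms" -eq "$run_ms" ] && [ "$cfg_mx" -eq "$run_mx" ]; then
        echo "OK: JVM heap ${run_ms}/${run_mx} MiB matches $file"
        return 0
    fi
    echo "MISMATCH: $file sets ${cfg_ms}/${cfg_mx} MiB, running JVM has ${run_ms}/${run_mx} MiB"
    return 1
}

# Demo: constructed jvm.options already edited to 512m, and the ps line from
# the thread showing the JVM still running with 2g.
demo_file=$(mktemp)
printf '%s\n' '# heap size' '-Xms512m' '-Xmx512m' > "$demo_file"
demo_ps='elasticsearch 18938  30.9 61.1 3897508 2528480  -  I    04:09       6:49.91 /usr/local/openjdk8/bin/java -Xms2g -Xmx2g -XX:+UseConc'
check_heap "$demo_file" "$demo_ps" || true
rm -f "$demo_file"

# On the firewall itself the call would look like:
#   check_heap /usr/local/lib/elasticsearch/config/jvm.options \
#       "$(ps awwxu | grep '[e]lasticsearch')"
```

A mismatch after a service restart means the JVM reads its options from somewhere other than the file that was edited, which is what turned out to be the case here.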
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on June 04, 2019, 06:08:42 pm
@mb

Looks like this issue wasn't completely resolved after all...

Code:
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1) amd64
OPNsense 19.1.8 dff8692b8
Plugins os-arp-scan-1.1 os-ftp-proxy-1.0_1 os-sensei-0.8.0.rc1 os-sensei-updater-0.8.0_21 os-vmware-1.5
Time Tue, 04 Jun 2019 11:05:35 -0500
OpenSSL 1.0.2r  26 Feb 2019
PHP 7.2.18
PHP Errors:
[04-Jun-2019 11:02:51 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
[04-Jun-2019 11:03:24 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 07:14:02 am
@JohnDoe17, got it, thanks for the update.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 04:24:07 pm
Hello Murat,

One question. The problem with the VLAN interfaces should have been fixed two versions ago, from what I saw.
I'm on 0.8.0.rc1 and still have the same problem as in version 0.8.0.beta4.

The problem was described here in this topic -> https://forum.opnsense.org/index.php?topic=9521.msg55463#msg55463
Should this case also be fixed with the current version?

Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 05:58:39 pm
Hi @BeNe,

Yes, you should be able to protect your VLAN interfaces now. You have two options:

1. If you add the VLAN parent interface to the protected interfaces list, then you should be all set. Sensei processes all VLANs as well as the untagged packets for that interface.

2. If you want to add vlan child interfaces one by one, you should also be able to do that provided that you do not add the parent interface at the same time. (due to a netmap issue). We also have a check in the UI for that.

I've heard from people running both of the options fine, though option #1 should be preferable performance-wise, since in that mode we're using the netmap mode natively for a variety of interfaces (em, igb etc).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 09:41:22 pm
@mb Thank you for your answer.

If I add the VLAN parent interface to the protected interfaces list, all VLAN children are unable to connect to the OPNsense anymore. I can see entries in the Firewall Live-Log showing that all packets are denied.
If I stop the Sensei Packet Engine everything works fine again and there are no more denied packets.

Is there something I can debug?
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on June 05, 2019, 10:01:30 pm
@mb Thank you for your answer.

If I add the VLAN parent interface to the protected interfaces list, all VLAN children are unable to connect to the OPNsense anymore. I can see entries in the Firewall Live-Log showing that all packets are denied.
If I stop the Sensei Packet Engine everything works fine again and there are no more denied packets.

Is there something I can debug?
Thanks
Bene, you're only adding the parent interface, right?

I had this problem before when adding both parents and vlan.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 10:11:44 pm
Yes, ONLY the parent interface. One interface at all is added.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 10:19:12 pm
Hi @BeNe,

A few questions:

1. I'm assuming you're on the latest 0.8.0.rc1, correct?
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same?
3. Which ethernet adapter are you using? Intel, Broadcom or any other?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 10:52:18 pm
1. I'm assuming you're on the latest 0.8.0.rc1, correct? -> Yes
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same? -> Still the same
3. Which ethernet adapter are you using? Intel, Broadcom or any other? ->Intel

OPNsense is running inside a KVM (Virtual Machine on a Proxmox host).
The WAN interface is an Intel card with PCI passthrough directly to the VM.
The LAN is a virtual network interface.

Screenshots: block.png (https://ibb.co/tcnX7Jy), bypassed.png (https://ibb.co/n1gwh6f), lan.png (https://ibb.co/yqvRm94), interfaces.png (https://ibb.co/G7GGVJn)

There is traffic blocked on the "LAN" interface from 172.16.50.0/24, which is normally on VLAN_50.
On the LAN is 172.16.17.0/24. Of course this traffic source is blocked on that interface. Did I miss something that I need to adjust?


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 11:07:55 pm
Hi @Bene,

I think there is something else in your configuration that needs attention. I'll reach out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 07, 2019, 01:23:11 pm
Hi Murat,

thanks for your help! I changed my interface from "em" to "igb" as you said.
Now it works.

So I can confirm a problem with "em" interfaces. In my case, I leave the "igb" interface  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 07, 2019, 05:46:38 pm
Hi @BeNe,

Thank you very much for your update. Now it's clear for me.

When an interface is opened in netmap mode, ARP packets destined for vlan child interfaces do not make their way to their destinations.

This seems to be fixed in FreeBSD 11.2-stable.

We'll sponsor another round of netmap work which is specifically focused on fixing known problems.

For now, a bit of advice for those who are using Sensei or Suricata (IPS mode):

1. Last thing I'd want would be to endorse a brand/model, however for us, igb(4) based adapters seemed to be the ones which gave the best results in terms of reliability / performance (with regard to netmap support).

2. If you're using igb(4) and experiencing high interrupt utilization, you can set:

    a) hw.igb.rx_process_limit: -1 (default is 100)
    b) machdep.hyperthreading_allowed: 0

We've seen these settings help improve the performance for igb(4) based systems.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 11, 2019, 11:09:18 pm
Dear Sensei users,

Sensei 0.8.0 Release Candidate 2 is out. This marks the final step into releasing 0.8 and towards 1.0

This version is also available for an update for 0.7 users.

Change log is as follows:

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: adel_xf on June 14, 2019, 01:18:30 pm
Hello,

I tried to go with Sensei, when selecting the network interfaces I have no interface proposing networks.

My OPNSense configuration:

OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s May 28, 2019

OPNSense is a VM Proxmox
2 virtio network cards
100 GB disk
8 GB of RAM

I tried both versions of Sensei (0.7, 0.8).
Thank you for your attention.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: adel_xf on June 14, 2019, 01:37:37 pm
I tested the following command, which seems to work. Your opinions?

Code:
opnsense-update -fbkr 19.1.4-netmap
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 14, 2019, 06:25:41 pm
I tested the following command, which seems to work. Your opinions?

Code:
opnsense-update -fbkr 19.1.4-netmap

Hi @adel_xf,

Many thanks for giving Sensei a try. OPNsense created 19.1.4-netmap kernel to integrate the latest improvements and bug fixes including the Sunny Valley sponsored virtio/vmx work.

It should be ok to use that. However, make sure you're not missing anything important with the newer stock kernels.

After Sensei 1.0, we'll do another round of netmap work to complete upstream netmap import process.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 15, 2019, 11:51:56 am
Hi MB, I am facing a few issues after updating the Sensei package.

1. Do not see deployment size above 25 (using routed mode).

2. Disabled the health check in the previous version, and now if I enable it I do not see the save option. It is disabled / grayed out.

3. Email reports not working: after the update it generated the report once and it was working, i.e. showing the result, but after that one report I didn't receive any new email.
If I re-enter the mail server details and click test, then it works and sends a notification email, but I do not receive the report email generated at night.
Also, why does this happen: if I test email and save it, then refresh the page and retest it, it just gives me an error:
Your mail configuration is invalid!
Response: (535, '5.7.8 Authentication rejected')
Meaning we can only test it once and then save the details and leave it that way. It works and emails work, but why do we receive an error when we try to test again, unless we re-enter the password before clicking test?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 15, 2019, 10:45:04 pm
Hi @manjeet,

Thanks for the report.

Looks like #2 and #3 are bugs. We fixed them today. Should be arriving with the 0.8 release next week.

#1, if your RAM is 4GB, this is the expected behavior, since swap utilization was reported to us with deployments of around 70-80 users and 4GB RAM.

So we thought that it would be safer to restrict deployment size to 25 users or less if the device has 4GB of memory.

If it's not the case for you, then it's probably a browser issue. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 17, 2019, 06:41:22 am
Hello MB,

As per your email and post, here are the details you asked:
1. Did you update from 0.7 or from an earlier 0.8 beta/rc?
---> Updated from 0.7
2. How much memory do you have?
---> 8GB
3. Which browser are you using? Anything changes if you switch to Google Chrome?
---> Chromium
4. Does your email account password include any special characters e.g. "&" ?
---> It does contain special characters
5. What happens if you invoke the report manually ? command is as follows:
---> Command ( /usr/local/sbin/configctl sensei mail-reports) gave me OK and received the email report

Update: Ever since I reconfigured the email reporting on Saturday (IST), I am receiving the report email. I think it must be the update which somehow messed something up.
b> My system is an Intel Core i5-7400 CPU @ 3.00GHz with 8 GB RAM and 8 GB SWAP.
c> I use Chromium. But I tested it on Google Chrome and Firefox and the deployment size is still the same.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on June 17, 2019, 03:19:47 pm
Hi @mb,

Can you tell us if/when users/groups will be implemented within Sensei?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on June 17, 2019, 08:34:51 pm
For comparison I get the following throughput with/without sensei on a pcengines APU3A4:
The interface is just the LAN interface which is a igb NIC without VLAN or LAGG.

Without Sensei 250/50 Mbps
With Sensei 140/40 Mbps

I enabled some security features of sensei and I blocked the malware Web category.

I do not use any other features which do have an impact on throughput like IDS or traffic shaping.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on June 17, 2019, 11:41:06 pm
@ruffy91, it's good that an enterprise addon even works on the APU3A4's CPU (and on top of that, it's free). If you want fluent Sensei, remember a few things: full blown Xeon or desktop i5-7 CPU, 8 ram, SSD. For energy efficient platforms there will always be heavy performance loss.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 18, 2019, 04:00:08 am
@thg0432, yes, currently working on it. We'll provide more info on the timing and details early next month.

@manjeet, glad that your problem with the e-mail report is resolved. It looks like re-configuring the e-mail server settings proved to be a workaround.

However, for the root cause, if anyone out there has upgraded from 0.7 and is experiencing the e-mail reporting problem, we'd like to dig together.

Regarding deployment size, it looks like that sometimes physical memory size is reported less than exact 8GB (e.g. 7.8GB). So we've adjusted the minimum threshold a bit to accommodate that case.

We'll ship 0.8 release tomorrow morning PST. Hopefully it will resolve your situation.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on June 18, 2019, 09:40:32 am
Hi,
some questions about sensei:
- is it possible to use  an existing elasticsearch instance on a dedicated server?
- if it's possible, can I use one elastic-server for two opnsense instances (failover-setup)?
- where can i get information about using sensei on a corporate network? Prices?
Best
Marc



Title: Re: Sensei on OPNsense - Application based filtering
Post by: aimdev on June 18, 2019, 11:03:08 am
Issues I encountered after installing Sensei included web interface locking up, and unable to access OPNsense via ssh. I could still interact with the console. After this occurred I had to uninstall the plugin.
Hopefully the information that the plugin sent back to sunnyvalley will provide insight into my web/ssh issues.

I have the same issue, no access to ssh (an operational requirement) however by enabling bypass mode I can access ssh.

I am running the latest beta version, downloaded today.

Fine Tuning the Remote access option (tediously disable all except the Secure Shell option) gets access back.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 18, 2019, 11:05:42 pm
Fine Tuning the Remote access option (tediously disable all except the Secure Shell option) gets access back.

@aimdev, many thanks for the feedback. I guess the confusing thing is we also have a "ssh" application under "General TCPIP" category. We're fixing this with the upcoming 1.0.

@marcri,

For the main database, you cannot use an external database at the moment. Though premium subscription is offering an option to stream reporting data to an "additional" elastic search database via either syslog or native elasticsearch REST API. 

From time to time we get this request. I guess we should start planning on having the database on an external system. When we do that, it should be trivial to have one elastic instance (either clustered or not) serving many Sensei deployments.

Imagine you're an MSP serving multiple clients or you are a corporate having multiple OPNsense deployments. With such a setup, you should be able to have an aggregate big picture view of whole assets in a centralized system. This way, you could also benefit from Kibana and other 3rd party reporting tools.

Today we're releasing 0.8. Next month, we'll ship 1.0, integrated with OPNsense; and with the details of Premium subscription. Stay tuned :)




Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 19, 2019, 02:38:53 am
Dear Sensei users,

After six months of ongoing effort & field testing, it's our pleasure to announce that Sensei 0.8 is finally released.

For some of you who were using 0.7, this version brings quite a loaded set of features:
https://www.sunnyvalley.io/post/sensei-0-8-is-released

We will be releasing Sensei 1.0 next month, in July 2019, which will also cease the BETA program and the software will be publicly available for all users.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on June 19, 2019, 02:33:45 pm
Wow! This is great! One of the best and most wanted missing features added to our beloved OPNsense firewall. Sensei is one of a kind software for sure! Keep up the good work! :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 20, 2019, 02:30:08 am
@Archanfel80,

Many thanks for your feedback. With its open, flexible, extendable architecture; and its great community of users, we love working with OPNsense.

We will do our best to keep adding more value.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 20, 2019, 06:21:47 am
Hi MB, everything works fine as mentioned after the update.

Now I have 1 issue and 1 feature request (if it's not already there).

Issue: I am not able to update the Sensei package from the command line when using the autoupdate of OPNsense, i.e. option 12. The same thing happened when I upgraded from 0.7, and now the same for yesterday's update. I can only update the Sensei package from the Sensei dashboard in the web GUI.

Feature: Is there any way for a single or multiple websites / apps / categories to only be put in alert mode? For example, if I want to allow my network users access to certain websites but also want to know who accesses the website or protocol and when, AND for specific blocked content, i.e. when someone tried to access it; and rather than looking through access logs or block logs, simply have a different tab for alerts only, to check easily and fast. I know we can filter it in reports, but it would be easier to have an alert tab for both allowed and blocked for that specific alert mode. AND can we also send alerts via email?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on June 20, 2019, 09:27:21 am
Just a quick report about an issue I see.
If you installed Sensei from the CLI first while in the beta and have updated since then, for some reason the search data is not deleted and consumes the disk space after the final 0.8 upgrade. I can't delete the data from the web UI; it simply says 'error'.
I couldn't figure out why, but I removed Sensei completely, deleted the '/usr/local/sensei' folder and reinstalled Sensei from the plugins. Now everything works and the disk usage is reduced dramatically. So if you're like me and installed Sensei while in the beta, it is probably best to back up the config, remove Sensei, delete the sensei directory, reinstall Sensei and restore the config, which restores your custom Sensei settings.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on June 20, 2019, 11:25:11 am
will do a reinstall of sensei 0.8 too
looked at the /usr/local/sensei directory - mine was about 44 gigabytes - most of it in /usr/local/sensei/log/archive
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 21, 2019, 12:14:57 am
@Archanfel80, @the-mk,

With regard to archived logs, you can use the following commands to get rid of very old logs:

find /usr/local/sensei/log/active -type f -mtime +15d -exec rm -f {} +
find /usr/local/sensei/log/archive -type f -mtime +15d -exec rm -f {} +


Sensei health check system should have had this handled. Looks like a commit which did not end up in the release. Will integrate for 1.0.

For the elasticsearch data, along the way to 0.8, we changed the naming scheme for the indexes. This should be the reason why some indexes were not purged.

We'll also handle that with 1.0. For now, the workaround would be resetting reporting data (Sensei -> Configuration -> Reporting & Data) (be aware: this will delete all reporting history).


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 21, 2019, 03:54:26 am
@manjeet,

Currently, we're locking the os-sensei package. This is why OPNsense autoupdate does not update the Sensei package. This was done for the period of integration into OPNsense and for a more controlled software delivery. The lock will be removed shortly and Sensei will get updated along with other OPNsense packages.

Your feature request sounds cool; though we'll need to think a bit more on the correct implementation and also try to see how many other users would also be interested in this feature.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on June 28, 2019, 04:28:12 pm
Sensei has detected swap was usage high (21 -- 13831872% usage) and has shut down Sensei services in order to prevent a network outage.

Any suggestions for my case?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 28, 2019, 05:40:31 pm
Hi @bulmaro,

The reason is most likely Elasticsearch consuming all memory and OS begins swapping. When the OS does swapping overall system performance is significantly degraded and this in turn affects Sensei doing its job.

To avoid a connectivity problem, we shut down Sensei with a warning like this (numbers seem weird, need to look at that)

How many devices do you have behind sensei and what is your hardware configuration?

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements

This will give you an overview of the recommended HW configuration according to the size of your deployment.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on June 28, 2019, 09:37:11 pm
I have two servers
physical equipment with 30 connected clients, equipment characteristics:
CPU 3-2105 CPU @ 3.10GHz (4 cores)
RAM memory: 8GB

Azure server, 3 clients connected
CPU E5-2673 v4 @ 2.30GHz (2 cores)
4GB RAM

it's exactly the same message for both
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 28, 2019, 09:43:46 pm
@bulmaro,

Thanks for the swift reply. These configurations look perfectly ok for the deployment size. Let me reach out to you; and we can have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2019, 01:28:22 am
These configurations look perfectly ok for the deployment size. Let me reach out to you; and we can have a look together.

Dear Sensei users,

Out of @bulmaro's case, I think it's important to give a heads-up on this:

The hardware recommendation we provide is calculated based on the fact that the system runs OPNsense with Sensei. We did not take other services which might be already running on the firewall (IDS, Proxy etc.) into consideration.

We highly recommend that you also oversee the requirement of those services and do your own sizing according to that.

In @bulmaro's specific case, 1/2 of the memory was already consumed by the squid service. And the system was swapping even when Sensei and Elasticsearch were not active.

@bulmaro, many thanks for your help to diagnose the issue.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 01, 2019, 06:42:14 am
@MB

Not sure if this has ever been brought up. It's something I've seen for a while.

On any of the live session explorers or drill down of traffic if I do a whois for the record that is the domain name it always only resolves the top level domain. For example US.lgtvsdp.com does a whois for domain COM thus always giving me the same result for any .com address.

Shouldn't it be doing the whois query on the second level domain?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on July 01, 2019, 07:44:22 am
Hi @MB,

A few days back we had a power issue, and since then "Elasticsearch" is not working. I have tried starting the service many times, and rebooted and tried again, but it didn't work. "Sensei Packet Engine" is working.

I have tried "Perform health check for indices" and it kind of stuck and does not do anything. "You can erase reporting data" option is grayed out. I also tried to run these command from terminal and got the error:
1. /usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
2. /usr/local/sensei/scripts/installers/elasticsearch/create_indices.py
ERROR: ***ERROR: Connection could not be established with elasticsearch server.**

I also tried resetting the package, but it didn't fix the issue. I haven't deleted / uninstalled and reinstalled the package yet. Kindly help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 01, 2019, 11:13:51 pm
@donatom3, checking that one.

@manjeet, "Reset reporting" will be enabled even if Elasticsearch is not running. Fixing for 1.0.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on July 02, 2019, 02:52:03 pm
@mb

I was wondering if there's a setting for rotating the logs that are in /usr/local/sensei/log/archive ?  or is that something that needs to be cleaned out manually? 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2019, 07:24:47 am
@donatom3,

You're right. Currently we run the whois query for the whole FQDN. We should be doing it for the domain part only. Fix is implemented today and shipping with 1.0.

@thg0432,

Engine logs older than two weeks are to be automatically deleted. 0.8 had a glitch doing the actual delete. Fix is implemented for 1.0.

In the meantime, you can get rid of them by running this command:

find /usr/local/sensei/log/archive -type f -mtime +15d -exec rm -f {} +
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zyon on July 03, 2019, 10:36:11 pm
Just installed Sensei and just awesome.
All i need in one application :)

For my information, does Sensei work with Squid? If yes, is it possible to use it like a proxy server (for mobile, for example)?

Thanks for your hard work :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2019, 04:15:42 am
hi @zyon,

Thanks for your feedback. Glad that you found Sensei useful for you. All welcome.

Sensei plugs kind of transparent to the system. So it does not change the way other services like Squid are operating.

I think I did not completely get your question.

Do you want to learn if Sensei can act like a proxy, for instance, for caching?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on July 04, 2019, 06:20:02 am
Hello @MB, Is there any way to bypass a user from sensei filter
OR
More accurately for my case, bypass anyone which goes from a particular gateway.

Actually, i have 2 ISPs which are in load balancing mode on opnsense, i want anyone connected to gateway 2 to just bypass any filters or blocking or logging.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 09, 2019, 02:30:29 am
Hi @manjeet,

Actually, i have 2 ISPs which are in load balancing mode on opnsense, i want anyone connected to gateway 2 to just bypass any filters or blocking or logging.

I believe - in your case - the outbound route selection is done randomly and not through a policy decision based on source IP address, am I correct?

If that is so, and it's not something related to the source IP/network address, I'm afraid there is no way we can correlate the user with the outbound ISP. This is because we jump into the scene way too early, before the routing/NAT'ing logic comes into the scene.

If it's source IP related, it's possible, and along with user/group based filtering, this is one of the features of the premium edition:

https://help.sunnyvalley.io/hc/en-us/articles/360025173953-Sensei-Editions
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 10, 2019, 01:34:29 am
@mb

This probably isn't Sensei since it affects Suricata too. But since I upgraded to 19.7 RC1, Suricata won't start because it can't find my interface, and Sensei says no interface selected in the status page. I can change to any of my interfaces and they all say the same.

Here is a portion of the worker thread when I started this morning. From it it looks like everything points to netmap being the issue. I started a thread in the 19.7 release candidate forums about it. Just a warning to anyone relying on Sensei.

Code:
2019-07-09T07:38:49 INFO: Packet Processor [39794] started working
2019-07-09T07:38:49 INFO: Worker [pid:39794] Pinning to CPU #1
2019-07-09T07:38:49 INFO: Worker [39794] started working
2019-07-09T07:38:49 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:38:49 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:38:49 INFO: Created a new Worker Instance pid: 39794
2019-07-09T07:38:49 INFO: Requested Single Threaded Stack
2019-07-09T07:38:49 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:38:50 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:38:50 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:38:50 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:38:50 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:38:50 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:38:50 INFO: Initializing for BRIDGE Mode
2019-07-09T07:38:50 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:38:50 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:38:51 INFO: Packet Processor [19965] started working
2019-07-09T07:38:51 INFO: Packet Processor [19965] sleeping a while since we're respawned
2019-07-09T07:39:03 INFO: Worker [pid:19965] Pinning to CPU #1
2019-07-09T07:39:03 INFO: Worker [19965] started working
2019-07-09T07:39:03 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:39:03 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:39:03 INFO: Created a new Worker Instance pid: 19965
2019-07-09T07:39:03 INFO: Requested Single Threaded Stack
2019-07-09T07:39:03 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:39:04 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:39:04 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:39:04 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:39:04 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:39:04 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:39:04 INFO: Initializing for BRIDGE Mode
2019-07-09T07:39:04 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:04 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:39:05 INFO: Packet Processor [18480] started working
2019-07-09T07:39:05 INFO: Packet Processor [18480] sleeping a while since we're respawned
2019-07-09T07:39:17 INFO: Worker [pid:18480] Pinning to CPU #1
2019-07-09T07:39:17 INFO: Worker [18480] started working
2019-07-09T07:39:17 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:39:17 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:39:17 INFO: Created a new Worker Instance pid: 18480
2019-07-09T07:39:17 INFO: Requested Single Threaded Stack
2019-07-09T07:39:17 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:39:18 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:39:18 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:39:18 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:39:18 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:39:18 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:39:18 INFO: Initializing for BRIDGE Mode
2019-07-09T07:39:18 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:18 ERROR: Failed Initializing Interfaces, bailing out
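The respawn pattern in the log above (each new packet processor fails to open the interface and bails out) can be detected automatically. The following is an added example, not part of the original post and not Sensei code: it parses lines in this log format and reports a trailing run of failed starts; the function names, the threshold of three and the shortened sample lines are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the worker log format quoted above.
# The last line carries a damaged timestamp on purpose.
SAMPLE_LOG = """\
2019-07-09T07:38:49 INFO: Packet Processor [39794] started working
2019-07-09T07:38:50 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:38:50 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:38:51 INFO: Packet Processor [19965] started working
2019-07-09T07:38:51 INFO: Packet Processor [19965] sleeping a while since we're respawned
2019-07-09T07:39:04 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:04 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:39:05 INFO: Packet Processor [18480] started working
2019-07-09T07:39:05 INFO: Packet Processor [18480] sleeping a while since we're respawned
2019-07-09T07:39:18 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:18 ERROR: Failed Initializing Interfaces, bailing out
019-07-09T07:39:19 INFO: constructed line with a truncated timestamp
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (INFO|WARNING|ERROR|CRITICAL): (.*)$")
START_RE = re.compile(r"^Packet Processor \[(\d+)\] started working$")
IFACE_FAIL_RE = re.compile(
    r"^Failed to create (\w+) interface \(([^(:]+):\d+\([^)]*\): (\d+)\((.*)\)$")


class Run:
    """One start of the packet processor, up to the next start."""

    def __init__(self, pid, started):
        self.pid = pid
        self.started = started
        self.respawned = False
        self.bailed = False
        self.iface_errors = []  # (role, interface, errno, text)


def parse_runs(text):
    """Return (runs, skipped); skipped counts lines that are not valid log lines."""
    runs, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None
        except ValueError:
            stamp = None
        if stamp is None:
            skipped += 1
            continue
        level, msg = m.group(2), m.group(3)
        started = START_RE.match(msg)
        if started:
            runs.append(Run(int(started.group(1)), stamp))
            continue
        if not runs:
            continue  # lines before the first start belong to no run
        run = runs[-1]
        failure = IFACE_FAIL_RE.match(msg)
        if "since we're respawned" in msg:
            run.respawned = True
        elif level == "CRITICAL" and failure:
            run.iface_errors.append((failure.group(1), failure.group(2),
                                     int(failure.group(3)), failure.group(4)))
        elif level == "ERROR" and msg.endswith("bailing out"):
            run.bailed = True
    return runs, skipped


def detect_respawn_loop(runs, threshold=3):
    """Report the trailing streak of bailed-out runs, or None if below threshold."""
    streak = []
    for run in reversed(runs):
        if not run.bailed:
            break
        streak.append(run)
    if len(streak) < threshold:
        return None
    streak.reverse()
    errors = [e for r in streak for e in r.iface_errors]
    return {
        "failed_runs": len(streak),
        "pids": [r.pid for r in streak],
        "interfaces": sorted({e[1] for e in errors}),
        "errors": sorted({(e[2], e[3]) for e in errors}),
        "span_seconds": int((streak[-1].started - streak[0].started).total_seconds()),
    }


if __name__ == "__main__":
    parsed, bad = parse_runs(SAMPLE_LOG)
    print("unparseable lines:", bad)
    print(detect_respawn_loop(parsed))
```

A non-None result means the engine is not running on that interface, which is worth alerting on for an inline filter.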
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 10, 2019, 02:19:07 am
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new, I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on July 10, 2019, 08:25:06 am
Hello,
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.
Best,
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 10, 2019, 10:48:28 am
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new, I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.

MB,

Looks like Franco saw my post and sees that a merge for the ring size didn't make it to the 19.7 netmap kernel.

https://forum.opnsense.org/index.php?topic=13436.msg61879#msg61879

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 10, 2019, 06:52:06 pm

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.

@donatom3, perfect. Thanks for your help. This would cause some headache.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 11, 2019, 01:27:59 am
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.

Hey Marc,

Yes, it is possible. In Web Controls menu, put the whitelisted URL in a user defined custom category. And mark the category as allowed.

Then you should be good to go.

More info:

https://help.sunnyvalley.io/hc/en-us/articles/360025100393-Web-Control

Look for User Defined Categories.

Title: Sensei on OPNsense - Spelling errors
Post by: aimdev on July 12, 2019, 12:54:22 pm
Configuration, select Bridge mode.

Please select the interface paris from below boxes to create your protected L2 pridge

change paris to pairs
change pridge to bridge
Title: Enhancements?
Post by: aimdev on July 12, 2019, 12:56:23 pm
1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net
Title: Re: Enhancements?
Post by: mb on July 12, 2019, 08:25:52 pm
change paris to pairs
change pridge to bridge

1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net

Hi @aimdev,

Thanks for the corrections. They had been fixed for 1.0.

You should be fine putting domain.com into a user defined category and it should also match subdomain.domain.com.

Didn't it work for you?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: aimdev on July 12, 2019, 08:31:29 pm
I didn't try it as the UI seemed to intimate a site (www.google.com)   not a domain, (google.com)
Can you confirm that entering google.com will work, or does it need wildcard character/regex?
Tks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 13, 2019, 08:43:57 pm
Hi @aimdev,

Yep, it should work that way. Just put google.com there and it'll match all subdomains.
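The behaviour described in this exchange (an entry such as google.com or doubleclick.net also covering its subdomains) is suffix matching on DNS label boundaries. The sketch below is an added illustration, not Sensei's implementation: it contrasts that rule with a naive string comparison, and the class name, category names, the example.org entries and the most-specific-entry-wins rule are assumptions.

```python
def split_labels(host):
    """Normalise a hostname (case, one trailing dot) and return its labels."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    parts = host.split(".")
    if not host or any(part == "" for part in parts):
        raise ValueError("not a valid hostname: %r" % host)
    return parts


class DomainCategories:
    """User-defined domain entries, matched on whole DNS labels."""

    def __init__(self):
        self._entries = {}

    def add(self, domain, category):
        self._entries[".".join(split_labels(domain))] = category

    def lookup(self, host):
        """Return (matched_entry, category) for the most specific entry, or None."""
        parts = split_labels(host)
        # Try the full name first, then drop one leading label at a time, so
        # "stats.g.doubleclick.net" is checked as "g.doubleclick.net" and then
        # "doubleclick.net". Candidates always start at a label boundary.
        for i in range(len(parts)):
            candidate = ".".join(parts[i:])
            if candidate in self._entries:
                return candidate, self._entries[candidate]
        return None


def naive_match(entry, host):
    """Plain string suffix test: over-matches because it ignores label boundaries."""
    return host.lower().endswith(entry.lower())


def build_demo():
    """Constructed entries using the domains mentioned in the thread."""
    cats = DomainCategories()
    cats.add("doubleclick.net", "Ads")
    cats.add("google.com", "Search")
    cats.add("example.org", "Cloud Storage")        # hypothetical blocked category
    cats.add("cloud.example.org", "Allowed Cloud")   # hypothetical allowed exception
    return cats


if __name__ == "__main__":
    demo = build_demo()
    for name in ("stats.g.doubleclick.net", "stats.i.doubleclick.net",
                 "WWW.Google.COM.", "notdoubleclick.net",
                 "doubleclick.net.example.com", "files.cloud.example.org"):
        print("%-30s label match: %-40s naive: %s" % (
            name, demo.lookup(name), naive_match("doubleclick.net", name)))
```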
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 17, 2019, 04:29:45 am
Anyone experiencing any issues with VMware deployments?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 18, 2019, 04:14:19 am
@mb

So after the upgrade to 19.7 release I was able to change my tunables back to 4096 for rx and tx.

Here is the issue. And I've seen this on a few upgrades with no changes but firmware or sensei upgrades.

After the unit reboots after the upgrade I can reach the firewall until Sensei's engine starts. At that point it drops all traffic on my protected interfaces. I've been keeping an unprotected interface that I can easily swap to for these times. All I have to do to fix this is to disable "Enable engine heartbeat monitoring". Once I do packets start flowing again and I can re enable it without issue. I'll pull the worker logs and send them to you if that helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on July 18, 2019, 01:58:09 pm
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 18, 2019, 05:23:53 pm
Quote from: opnip
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)

same error on my setup
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 18, 2019, 07:05:00 pm
@opnip @malac, thanks for the pointer. Having a look at it.

@donatom3, please go ahead and e-mail the logs to me. Does that happen in every reboot, or was it after the 19.7 upgrade reboot?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 18, 2019, 09:05:12 pm
Hi MB,

where can I configure the retention time for the worker logs? Shouldn't they be compressed somehow?
On my system the worker logs take about 13GB ...

Thanks and best regards,

    Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 20, 2019, 03:05:49 am
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 20, 2019, 12:04:03 pm
@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 20, 2019, 12:18:09 pm
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?

great!!
does it also fix:
Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 20, 2019, 01:25:31 pm
@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?

Yes, it's fixed now ... I just checked and it only kept the last 14 days ... now it's using only 2GB ...

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: biomatrix on July 21, 2019, 03:49:58 am
I just registered to post this (as opposed to on github)
the 0.8.1 hotfix fixed the first error I was having - now I get this error :

(http://i.imgur.com/z4S9ymY.png) (https://imgur.com/z4S9ymY)

my settings are :

(http://i.imgur.com/kkh7oWv.png) (https://imgur.com/kkh7oWv)


I have restarted the device - I have reset the config - I have uninstalled and reinstalled 0.8.1.

let me know if there is any other steps or information I need to proceed.

EDIT : had the #'s of the versions wrong.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 21, 2019, 12:52:16 pm
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?


great!!
does it also fix:
Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually.

I still get this error after upgrading to 0.8.1 (occurring since upgrade to 19.7)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 22, 2019, 11:33:56 am
How can I return to version 0.8.0? I upgraded to version 0.8.1 and found it unstable. Now I want to go back to version 0.8.0. How do I change it? Many thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 22, 2019, 09:20:08 pm
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

I'd appreciate it if you can share these oddities so that we can address them.

For now we are aware of:

1. elastic search stopping - so scheduled reports not generating
2. engine not being able to open interface in netmap mode
3. UI not recognizing already selected interface

These seem to pop up in limited use-cases, still trying to understand the exact root causes.

We'll reach out to @malac, @biomatrix to diagnose.

@fiterzs, you can do (through OPNsense shell)

Code:
service eastpect onestop
pkg unlock os-sensei
pkg remove os-sensei
fetch https://updates.sunnyvalley.io/repo/All/os-sensei-0.8.0.txz
pkg add os-sensei-0.8.0.txz
pkg lock os-sensei

But I'm not sure if the problems you're seeing are related to 0.8.1 since there are very minimal changes. I'm inclined to think that they might be related to sensei -> 19.7 compatibility. Would be happy if you can report back if anything is better with 0.8.0.


@space, glad that logs are pruned now. With 1.0 we are disabling log archiving at all. Logs will hold very minimal disk space.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 23, 2019, 04:58:33 am
Hi MB
Thank you for your help, but when I run this command, System prompted to find the file.

fetch: https://updates.sunnyvalley.io/repo/All/os-sensei-0.8.0.txz: Not Found
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 09:01:48 am
@fiterzs, please try again. 0.8.0 should be there now. But I'd suggest you try the recently released 0.8.2 since this has an important fix that might be responsible for some weirdness.

If you've uninstalled os-sensei, just type

# pkg install os-sensei

and it'll install 0.8.2.

If you still want to revert back to 0.8.0 you can do so by resuming the commands batch i've shared earlier.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 09:10:16 am
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

Dear Sensei users,

Issues which arose after 19.7 upgrade seem to be the result of OPNsense python 3.7 migration. Removal of unused Python 2.7 modules caused issues since they were required by some Sensei scripts.

We just released 0.8.2 addressing this. While you're upgrading to 0.8.2 missing python dependencies will be automatically installed.

Sorry for the inconvenience this might have caused.

Please feel free to share any further problems you've encountered.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 23, 2019, 11:38:15 am
Hi Mb
Thank you for your help
Now I am back to version 0.8.
It still looks stable at the moment, I will try version 0.8.2 later, thank you
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 08:48:39 pm
@fiterzs, glad to hear that worked for you.  Feel free to try at your convenience.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: abraxxa on July 23, 2019, 10:23:03 pm
0.8.2 still doesn't start for me on 19.7.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 24, 2019, 02:31:54 am
0.8.2 still doesn't start for me on 19.7.

@abraxxa, just sent a private message to you. Let's have a look at it together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 24, 2019, 08:02:33 pm
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

Dear Sensei users,

Issues which arose after 19.7 upgrade seem to be the result of OPNsense python 3.7 migration. Removal of unused Python 2.7 modules caused issues since they were required by some Sensei scripts.

We just released 0.8.2 addressing this. While you're upgrading to 0.8.2 missing python dependencies will be automatically installed.

Sorry for the inconvenience this might have caused.

Please feel free to share any further problems you've encountered.

Scheduled Reports are working now with 0.8.2! Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: abraxxa on July 24, 2019, 09:20:08 pm
mb fixed the issue on my OPNSense 19.7 running Sensei 0.8.2 by dis- and enabling Cloud Reputation & Web Categorization and saving the configuration.

The /usr/local/sensei/log/active/main_20190724T000000.log logfile showed the error:
Code:
019-07-24T20:54:57 ERROR: CloudReputationNodeManager:loadNodes: cannot access file /usr/local/sensei//db/Cloud//nodes.csv: No such file or directory
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 25, 2019, 03:28:51 am
mb fixed the issue on my OPNSense 19.7 running Sensei 0.8.2 by dis- and enabling Cloud Reputation & Web Categorization and saving the configuration.

@abraxxa, thanks for your help to diagnose this.

Sensei users,

After 19.7 migration and even after you update Sensei 0.8.2, if you cannot start sensei engine, please follow these steps:

 

This will trigger a configuration re-write and previously failed scripts will re-configure the necessary configuration files.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on July 29, 2019, 03:13:41 pm
hey @mb,

You mentioned you had some updates on potential Users/Groups due out this month...any word on that by chance?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2019, 10:10:07 pm
Hi @thg0432,

Yep. With 1.0, you'll start seeing user information being reported in reports. We can now poll users from OPNsense captive portal authentications.

On this occasion, a little update on 1.0 release schedule:

Due to 19.7 integration efforts, 1.0 release schedule got delayed by 10 days. Currently running latest integration tests. If all goes well new ETA is this Thursday.

Also you can expect to hear more on Premium Subscription and the related launch schedule later this week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on July 31, 2019, 11:16:59 am
Will there be an option to add external sources of Threat Intelligence to Sensei?

Like new URL's or IP's to block?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2019, 06:23:55 pm
Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Csykes27 on August 01, 2019, 06:34:32 am
I am having an issue when I reboot the firewall and it reloads I get the following error and it will no longer pass traffic.

Starting elasticsearch
s: /usr/local/sensei//output/active/*.ipdr: No such file or directory



Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 01, 2019, 07:16:11 am
Hi,

SNMP-Traffic (161/UDP) seems to be categorized as Quic protocol / Streaming.


Best
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on August 01, 2019, 08:35:59 am
Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

Hi @mb,

Yes, adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL, for example from these websites.
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfblockerng does in pfsense but is able to remove duplicates and many other options like apply the lists only to certain ports, etc.
https://www.netgate.com/resources/videos/pfblockerng-on-pfsense.html

BTW, is the cloud threat intelligence that you add for bad sites or IPs based on free lists or paid?

Why don't you include TLS inspection in the freemium version? At least for home use.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on August 01, 2019, 01:23:11 pm
Regarding pricing premium Version: are you sure it is on a monthly basis, or yearly?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 02, 2019, 12:56:44 pm
Hi @all,

how can I block TLS-encrypted Traffic on Port 80 with Sensei? Or should Squid do it? See attachment...


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 12:27:18 am
Quote
I am having an issue: when I reboot the firewall and it reloads, I get the following error and it will no longer pass traffic.

@cykes, I'm reaching out to you. Let's investigate this together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 01:03:48 am
Hi @l0rdraiden,

Sensei's Cloud Threat Intelligence is proprietary and commercial. License permitting, we're also utilizing a few lists from the community.

Many thanks for the clarification. Technically, it would be trivial for us to utilize these local lists. The thing is we need to be careful about the licenses under which these lists are distributed.

I guess if the lists are not distributed by the sensei package itself; but instead sensei utilizes already downloaded lists, this should be permissible. We'll have a look at this.

We're indeed evaluating the option to have TLS for up to some number of users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 01:08:39 am
Hey Marc,

We'll look into SNMP/QUIC identification.

Quote
how can I block TLS-encrypted Traffic on Port 80 with Sensei? Or should Squid do it? See attachment...

Actually, this is some roadmap item which we call "Protocol anomaly detection". With this feature, you'll be able to lock specific ports to some allowed protocols/applications.

So now, we have a POLL:

Which protocols/applications would you like implemented first?

https://www.surveymonkey.com/r/YCMNBGN

Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on August 05, 2019, 04:21:54 pm
If I try to update Sensei (engine version 0.8.0) to the stable release, it throws the following error:

Code: [Select]
OPNsense version later than 19.7.2, activating Sunny Valley Networks Sensei packet repository via "os-sunnyvalley"...Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sunnyvalley' have been found in the repositories
Repo package "os-sunnyvalley" installation failed!
***ERROR***

This is on OPNsense 19.7.2

EDIT: I was able to install the engine version 1.0, by removing os-sensei and reinstalling it via the package tools. Though, sensei-updater continues to throw the same error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2019, 04:57:23 pm
@jjanzz, many thanks for the heads-up. Looking into it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2019, 08:06:46 pm
Thanks to @jjanz, we were able to spot the cause.

It's because of the fact that we don't -yet- have an os-sunnyvalley package for OPNsense LibreSSL. We have a workaround for this for now, and will be shipping it shortly.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 06, 2019, 04:11:54 am
Dear Sensei users,

We're super excited to announce that Sensei 1.0 for OPNsense is finally out and available for everyone to enjoy.

This release is considered stable and marks the end of the BETA program. We’d like to take the time to convey our gratitude to all beta users for testing the software and giving feedback to us.

A special thanks goes to the OPNsense team for their precious time & help in integrating the software to OPNsense.

During the BETA period, the product received very high-quality feedback from the community and improved a lot. We're looking forward to continuing the collaboration and providing more value to the community.

Comparing to 0.8.x, below are the features that are introduced with 1.0:


More information on Installing, Updating:

https://www.sunnyvalley.io/post/sensei-1-0-out



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2019, 04:14:46 am
Quote
Yes, adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL, for example from these websites:
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfblockerng does in pfsense but is able to remove duplicates and many other options like apply the lists only to certain ports, etc.

Hi @l0rdraiden, a quick update on this. We've decided to bring this functionality to the freemium edition of sensei.

Will post another update on the timing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 07, 2019, 09:33:12 am
Hi,

installed Sensei today (latest version 1.0.1) on my OPNsense and wondering, why some manual filters work and some not?

I've created a new "User Defined Category" inside "Web Controls" called "Mac-Warez" and added the following three mac warez domains to it:

cmacapps.com
macwarez.net
nmac.to

UPDATE: As I'm writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 07, 2019, 03:38:23 pm
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2019, 09:30:59 pm
Quote
UPDATE: As I'm writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

Hi Marcel, not indeed. Restart should not be required. New configuration is handed over to the packet engine on the fly.

Though we're fixing an issue which might cause occasional problems for the rule reload. Can you test with the upcoming 1.0.2? (should arrive this week).

@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 07, 2019, 11:24:14 pm
Hi mb,

sure, will give it a try with the upcoming version 1.0.2, thanks for the fast answer and all the best.

Marcel
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 08, 2019, 04:02:29 pm
Quote
@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.

thx very much!

By the way, there are a few css classes in sensei that need to be customized!
I think you didn't use the default css classes of opnsense.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mty620 on August 09, 2019, 05:37:41 am
Does Sensei have similar feature?

Shalla List has URLs where you can:

1. Search what category a specific URL falls under. so I see that "porn.com" category "porn/domains"

    http://www.shallalist.de/search.html

2. submit or revise URLs

    http://www.shallalist.de/search.html

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2019, 04:48:46 am
@opnsenseuser, we'll be revisiting css/jscript codes.

@mty620, not yet. Both are on the roadmap. #2 should be coming up sooner.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2019, 10:05:30 pm
Dear Sensei users,

We've just released 1.0.2 to address below issues and introduce a few enhancements:

Enjoy your weekend :)

- Sensei team

Note: The fix for LibreSSL install/update is temporary. In the coming week, we plan to deploy a separate repo for the LibreSSL build.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 11, 2019, 01:27:42 pm
Quote
@opnsenseuser, we'll be revisiting css/jscript codes.

Thx. If you need help just ask!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ctr on August 11, 2019, 05:06:11 pm
I have two VLAN-related issues with Sensei (installed via plugin selection on "fresh" 19.7.2). My internal network "Trust" is on ix1 (native VLAN / untagged) and I have some special zones as tagged VLAN also on ix1 which are represented as ix1_vlan2 and so on in OPNsense.

When "protecting" Trust (the main interface) in Sensei, I have intermittent packet loss for about 3-4 seconds, every 10-15 seconds. No data is seen by Sensei (according to live view and reports) at all.

When trying to select Trust and a DMZ I get an error message:
"You cannot protect both parent and its child VLAN interface"
Technically OPNsense doesn't really see them as parent and child interface though, at least the report always shows sth like interface "ix1_vlan2" and vlan "0" when activated *on a VLAN interface only*.


It seems to work fine though when only "protecting" VLAN interfaces without the main interface. Only the interface naming is not consistent: for some of my VLANs the "friendly" name is displayed (i.e. "DMZ" or "voice") for some the subinterface name, i.e. ix1:3


This could be observed both with versions 1.0.1 and 1.0.2

Unrelated to the VLAN issues:
My RFC1918 IP address range 172.17.2.0/24 is recognized to be from Australia in the Geo IP view (Top Destination Locations Heatmap).
"Network interfaces" on the status page is not showing what is configured. Sometimes it shows nothing, sometimes an interface that has not been configured.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 11, 2019, 08:31:43 pm
Hi,

thx for the update, also checked the behaviour again – but this time not with my "Mac-Warez" blocking sites, but with an own whitelisting area:

Sensei | Web Controls | User Defined Categories

"Whitelisted-Sites"

I've added all these sites to have the Ookla Speedcheck from https://www.speedtest.net/ working (not sure if all of them are needed for the Speedtest, but with the help of the uMatrix-plugin I could see they are accessed when you open speedtest.net)

1    *.cdnst.net    
2    *.cronon.net    
3    *.gtt.net    
4    *.ooklaserver.net    
5    *.speedtest.net    
6    *.wittenberg-net.de

But again it was only working like expected after a complete restart of my OPNsense …  :-\

Not a big issue for me, as it's fine if it's working as expected after a restart, but of course it would be nicer if these filters will be active when you change them without an extra restart …  ;)

PS: Strange, it worked after the restart – but as I was posting this, now it's not working again, Firefox can't open the site.

So it was working for some minutes after the restart but is now blocked again by Sensei? (if I switch sensei off, it's working fine … tested this of course)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 12, 2019, 04:10:32 pm
Quote
@opnsenseuser, we'll be revisiting css/jscript codes.

Thx. If you need help just ask!

@mb one more thing

For popups you also need to use the original opnsense classes, so it's easier for the sensei plugin to work with all themes. See my screenshots! thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:25:37 pm
Hi @ctr,

Thanks for the detailed feedback and trying out Sensei.

If you do not have a preference, we suggest you have the main interface for the VLANs. When you configure the main interface (e.g. ix1 in your case), it will be effective for all of the VLANs on this interface.

Because of a netmap-bug we deliberately prevent both parent/child interfaces configured at the same time.

Can we have a look at your installation? Non-routable IP addresses shouldn't be enriched with GeoIP data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ctr on August 12, 2019, 09:27:12 pm
I tried to add ix1 (on its own). This is the situation where I have significant packet loss as Sensei is enabled.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:28:38 pm
Quote
1    *.cdnst.net
2    *.cronon.net    
So it was working for some minutes after the restart but is now blocked again by Sensei? (if I switch sensei off, it's working fine … tested this of course)

Hi Marcel,

Thanks for the update. Can you try them without the leading "*." characters? That might be the thing. cdnst.net/cronon.net should match for all subdomains.

If it's not working, just PM me so that we can have a look together. 
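
The matching behaviour suggested in the reply above (a bare domain entry covering all of its subdomains), as an added sketch that is not Sensei's code. It assumes entries are normalized by dropping a leading `*.` and are matched on label boundaries, so `notspeedtest.net` is not covered by `speedtest.net`; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration (not Sensei's code). Assumption: a category entry
# matches the domain itself and every subdomain, on label boundaries.

# normalize NAME: lowercase, drop a leading "*." and a trailing "."
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/^\*\.//' -e 's/\.$//'
}

# matching_entry HOST ENTRY...: print the first entry that covers HOST;
# return 1 when none does.
matching_entry() {
    host=$(normalize "$1")
    shift
    for entry in "$@"; do
        domain=$(normalize "$entry")
        [ -n "$domain" ] || continue
        case "$host" in
            "$domain" | *."$domain")
                printf '%s\n' "$entry"
                return 0
                ;;
        esac
    done
    return 1
}

# Entries from the "Whitelisted-Sites" category quoted in the thread.
WHITELIST='*.cdnst.net *.cronon.net *.gtt.net *.ooklaserver.net *.speedtest.net *.wittenberg-net.de'

# check HOST: report whether the whitelist covers HOST.
check() {
    set -f    # keep the "*." entries from being glob-expanded
    if hit=$(matching_entry "$1" $WHITELIST); then
        result="covered by $hit"
    else
        result="not covered"
    fi
    set +f
    printf '%s: %s\n' "$1" "$result"
}

check www.speedtest.net      # subdomain of a listed domain
check speedtest.net          # the listed domain itself
check notspeedtest.net       # shares a suffix but not a label boundary
```
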
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:29:29 pm
@ctr, ah, this is a bummer. I'll PM you so that we have a look at it together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:32:15 pm
Quote
For popups you also need to use the original opnsense classes, so it's easier for the sensei plugin to work with all themes. See my screenshots! thx

Yep, we'll need a work there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on August 13, 2019, 06:28:20 pm
@mb any chance you'll provide a lifetime pricing model that would work to provide some of the more advanced features to home labbers with a small number of users instead of the monthly subscription model?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 13, 2019, 10:19:34 pm
Hi @samsonmcnulty, thanks for your interest. Can't promise for a lifetime licensing, but we'll make sure we provide a "home" edition, which will have a relevant affordable pricing as soon as we have some progress with the current offering.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: seitzbg on August 14, 2019, 01:52:49 am
Trying to install Sensei 1.0 on OPNsense 19.7.2 and it will not let me pick the WAN interface to protect.  Any ideas?

(https://img.bsd-unix.net/screenshots/user1/611143de0.png)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 14, 2019, 03:01:52 am
Hello,

I recently installed Sensei in my home environment, here is my experience with it so far and thoughts/requests for the product.

Sensei does not seem to install properly on LibreSSL with the current fix (v1.0.2) as os-sunnyvalley plugin is unavailable and does not get installed. Also after selecting the LAN interface, even though it is in the selected list in the configuration tab... Sensei packet engine fails to start indicating that you must select at least 1 interface and no Cloud nodes are listed in the status page as well as no selected interfaces. After switching back to OpenSSL, installing the os-sunnyvalley plugin and doing a factory reset in Sensei, I was able to add the LAN interface and Sensei then works as expected.

While talking about interfaces, I am unable to add my VPN (WireGuard) interface to Sensei successfully. Once added the status page says that there are no interfaces selected and the cloud nodes are also no longer listed, however the Sensei packet engine continues to run. I created an interface (OPT1) and assigned (wg0) network port to it with no additional settings, and this is the interface that I added to Sensei with no success. Are there plans to add support for assigning a WireGuard VPN interface within Sensei?

So far I am quite happy with Sensei's overall performance and the features that it provides, but I was hoping that it would completely replace my previous suricata/pihole setup that I had before for the LAN with one of the main functions being to block ads network wide. However I have noticed that the current ad blocking provided by Sensei does not appear to be quite as good when compared to the pihole, but it's hard to say for sure. Also since the VPN interface is currently unprotected, no VPN clients receive the benefits of Sensei as I did before with the pihole setup.

I did see the announcement of supporting community filter lists in a future update, so that will more than likely provide more ad blocking coverage along with providing additional block lists for other categories which will be great for the community edition.

Some nice things that I would like to see change would be to make the health checks based locally and to have an option to provide statistics back to Sunny Valley. I don't see why these checks need to be run/verified on a remote Nagios server. I believe most cpu/memory/disk checks... etc. can be run on the local server via either a local script and/or using Monit for these checks and alerts.

I'm sure this is probably in the works, but adding a widget for Sensei Status would be great to be able to have a quick look available right from the OPNsense dashboard.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 16, 2019, 05:04:13 pm
Quote
Trying to install Sensei 1.0 on OPNsense 19.7.2 and it will not let me pick the WAN interface to protect.  Any ideas?

Hi @seitzbg, thanks for trying out Sensei.

We filter out the WAN interface. Reason is Sensei grabs the packets after the network stack is done with them in the outbound packet flow.

In the practical sense, in case of NAT (nearly all of the use cases), when we deploy on WAN interface, we lose local IP address information.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 16, 2019, 07:14:16 pm
Hi @xpendable,

Many thanks for trying out Sensei and providing a detailed review. This is one of the things we love for making Sensei available in an open source community. We receive very high-quality feedback. I strongly believe quality feedback helps build great products.

Quote
Sensei does not seem to install properly on LibreSSL with the current fix (v1.0.2) as os-sunnyvalley plugin is unavailable and does not get installed....

We're building a separate repo for LibreSSL. As a workaround for now, 1.0.2 can install onto a LibreSSL deployment with the old method where we do not configure our repository with the help of a package.

Starting with 1.0.2, this workaround should actually be solving this. I'm guessing that you might have tried a bit earlier before we updated the getsensei script.

Quote
While talking about interfaces, I am unable to add my VPN (WireGuard) interface to Sensei successfully.

Can you try this command to see if any errors are reported and whether packet transmission is ok during the test? Make sure sensei and suricata are not using this interface during your test.

Code: [Select]
# ifconfig wg0 up -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6
# /usr/local/sensei/bin/nmbridge -i netmap:wg0 -i netmap:wg0^

If you experience any problems here, then the issue here is netmap,  the I/O subsystem that we are utilizing to access the raw packets off the wire, and it does not play well with some interfaces. Last year, we sponsored a development effort to add support for virtio and vmx interfaces and this also came along with some reliability fixes.

Budget permitting, this year, we'll sponsor another development effort which will just focus on interface support and reliability fixes.

When it's done, I expect that more issues should have been addressed, including better interface support.

Quote
So far I am quite happy with Sensei's overall performance and the features that it provides, but I was hoping that it would completely replace my previous suricata/pihole setup that I had before for the LAN with one of the main functions being to block ads network wide.

We'll do a more thorough check with a special emphasis on ad blocking.

Quote
I did see the announcement of supporting community filter lists in a future update, so that will more than likely provide more ad blocking coverage along with providing additional block lists for other categories which will be great for the community edition.

Yep, we're looking forward to delivering this asap.

Quote
Some nice things that I would like to see change would be to make the health checks based locally and to have an option to provide statistics back to Sunny Valley. I don't see why these checks need to be run/verified on a remote Nagios server. I believe most cpu/memory/disk checks... etc. can be run on the local server via either a local script and/or using Monit for these checks and alerts.

During beta period, these statistics have proven to be lighthouses for us in spotting some issues. We have an open development item to make this optional.

Quote
I'm sure this is probably in the works, but adding a widget for Sensei Status would be great to be able to have a quick look available right from the OPNsense dashboard.

Yes, along with a more dynamic Sensei dashboard, this is in the works.

Again, thanks for taking the time to provide this detailed feedback.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 17, 2019, 03:34:43 am
Hi mb,

Per my main issue below, I disabled suricata, left the VPN unassigned in Sensei and tried to run the below commands. However the ifconfig command gave me an error straight away saying "ifconfig: -txcsum: Invalid argument".

Taking away any option such as -txcsum to start with -rxcsum results in the same error but on the next switch, in this case -rxcsum

So I'm guessing this is a netmap issue? fyi, I have OPNsense running in a VM on ESXi using the vmxnet3 vNIC. I have also enabled the following tunable (vmxnet3.netmap_native = 1) as I believe netmap was updated in v19.7 with support for this option.

Hopefully this can be resolved at some point as I would really like to protect the VPN interface using Sensei. Thanks for getting back to me and I look forward to future updates, especially the community filter lists ;D

UPDATE:
So I decided to do the nmbridge test even though the offload settings could not be disabled via the ifconfig command. See attached for the results, I did one test with an active VPN connection and one with no VPN connection.

Quote
Can you try this command to see if any errors are reported and whether packet transmission is ok during the test? Make sure sensei and suricata are not using this interface during your test.

Code: [Select]
# ifconfig wg0 up -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6
# /usr/local/sensei/bin/nmbridge -i netmap:wg0 -i netmap:wg0^

If you experience any problems here, then the issue here is netmap,  the I/O subsystem that we are utilizing to access the raw packets off the wire, and it does not play well with some interfaces. Last year, we sponsored a development effort to add support for virtio and vmx interfaces and this also came along with some reliability fixes.

Budget permitting, this year, we'll sponsor another development effort which will just focus on interface support and reliability fixes.

When it's done, I expect that more issues should have been addressed, including better interface support.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 12:35:22 am
Quote
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

@mb menu problem solved!!
working on the "css code" fixes for sensei now!! this will come later this week!!

https://github.com/opnsense/core/pull/3653
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 07:30:14 pm
Quote
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

@mb menu problem solved!!
working on the "css code" fixes for sensei now!! this will come later this week!!

https://github.com/opnsense/core/pull/3653

@mb css code fixes for tukan and cicada
https://github.com/opnsense/plugins/pull/1456

Everything is done.
One last css thing i found in the css code of sensei. i will tell you by email!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 07:52:17 pm
@mb sensei widget would be great!!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 19, 2019, 06:28:42 am
Quote
UPDATE:
So I decided to do the nmbridge test even though the offload settings could not be disabled via the ifconfig command. See attached for the results, I did one test with an active VPN connection and one with no VPN connection.

Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, then all we need to do is check if this is a pseudo interface and if so, we won't try to disable offloadings. Then it should just work.

We're also giving wireguard a try here. Will keep you updated.
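
One way to implement the check described in the post above, as an added sketch rather than Sensei's code: instead of testing whether the interface is a pseudo interface, it reads the capabilities that FreeBSD's `ifconfig -m` reports and disables only the offloads that are listed. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (not Sensei's code): derive the offload flags to
# disable from what `ifconfig -m <iface>` reports as capabilities.

# offload_flags: read `ifconfig -m` output on stdin and print the "-flag"
# arguments for the offloads the interface advertises (empty if none).
offload_flags() {
    caps=$(sed -n 's/^[[:space:]]*capabilities=[0-9a-fA-F]*<\(.*\)>.*$/\1/p' | head -n 1)
    flags=""
    for pair in TXCSUM:-txcsum RXCSUM:-rxcsum TSO4:-tso4 TSO6:-tso6 \
                LRO:-lro TXCSUM_IPV6:-txcsum6 RXCSUM_IPV6:-rxcsum6; do
        cap=${pair%%:*}      # capability name as printed by ifconfig
        flag=${pair#*:}      # ifconfig argument that disables it
        case ",$caps," in
            *",$cap,"*) flags="${flags:+$flags }$flag" ;;
        esac
    done
    printf '%s\n' "$flags"
}

# offload_command IFACE: read `ifconfig -m IFACE` output on stdin and print
# an ifconfig invocation that only names offloads the interface has.
offload_command() {
    iface=$1
    wanted=$(offload_flags)
    printf '%s\n' "ifconfig $iface up${wanted:+ $wanted}"
}

# Constructed sample: a tunnel interface with no offload capabilities.
sample_wg0() {
    cat <<'EOF'
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
	options=80000<LINKSTATE>
	capabilities=80000<LINKSTATE>
EOF
}

# Constructed sample: a physical NIC with some offloads (hex values are
# illustrative, TSO6 deliberately absent).
sample_em0() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC>
	capabilities=e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,RXCSUM_IPV6,TXCSUM_IPV6>
EOF
}

# On a live system: ifconfig -m wg0 | offload_command wg0
sample_wg0 | offload_command wg0
sample_em0 | offload_command em0
```
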
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 19, 2019, 06:29:22 am
Hi @opnsenseuser, that's great news. Looking forward to your e-mail.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 20, 2019, 03:03:55 am

Quote
Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, then all we need to do is check if this is a pseudo interface and if so, we won't try to disable offloadings. Then it should just work.

We're also giving wireguard a try here. Will keep you updated.


Hi @mb,

I did a quick test during the netmap command in which a website loaded correctly, google news was checked, and I even played a youtube video with no issues.

I would imagine that it is a pseudo interface as by default WireGuard does not show up as an actual interface under interfaces within OPNsense. I manually create a new interface in OPNsense under interfaces and assign "wg0" to it, and then enable that newly created interface with no other settings because the IP address is already being assigned by WireGuard. This allows me to see the netflow/insight data for the VPN connections, because by default the "WireGuard" interface that is shown in netflow/insight always shows no data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 21, 2019, 03:50:00 am
Hi @xpendable,

Thanks for further analysis. This tells us that a wireguard interface can be used with netmap. That's very good news.

We did a quick wireguard install. Looks like it's a tun interface instead of a tap interface. If it was tap, then it would be as easy as tweaking the offloading settings, since tap is identical to a virtual ethernet interface.

tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 22, 2019, 04:15:37 am

Quote
tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.


Hi @mb,

That's great to hear, thanks for looking into this and putting it on the roadmap. Just another great feature to look forward to in Sensei ;D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donald24 on August 22, 2019, 07:34:56 pm
I am new to Sensei - I have just installed it and I wander around the menu.

Is it normal that there are no web-categories in web-controls, no entries in app-controls and security? I cannot even add something in security or app-controls?

Thanks for clarification!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 22, 2019, 08:23:29 pm
Hi @donald24,

Many thanks for trying out Sensei.

This is not normal. Can you PM a screenshot of your screen to me? Also please share a screenshot of "Lobby -> System Information"

Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 23, 2019, 02:55:12 pm
Hi Murat,

is there a bug?
Code: [Select]
[23-Aug-2019 14:33:30 Europe/Berlin] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:335 - Undefined offset: 50 (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:85
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(335): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Undefined offse...', '/usr/local/opns...', 335, Array)
#1 [internal function]: OPNsense\Sensei\Api\EngineController->licenseAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'licenseAction', Array)
#3 [internal function]: Phalcon\Dispatcher->dispatch()
#4 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#5 {main}

Best
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: h311m4n1 on August 23, 2019, 03:22:16 pm
Hello,

Been an OPNsense user for a few months now, switched from pfSense. Love it so far.

Maybe like others here, I'm a cryptocurrency enthusiast and I need to strengthen the security of my machine where my wallets run on. I'm planning on moving it to a separate VLAN and authorize only specific ports for the wallets that need them. I want no web traffic on it. However while checking the traffic to list the ports I need to let through, I see two of the wallets I have (which are multiasset) use 443 and I want to avoid just opening 443 on that VLAN.

Where I work we use a PaloAlto firewall and the application based filtering is really handy. I just discovered Sensei and I'm playing around with it. I assume you could let 443 through for a specific application.

One question: is there a way to add custom application to the app control that aren't in the list?

I think this answers it: https://help.sunnyvalley.io/hc/en-us/articles/360025098033

But still wanted a confirmation.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 24, 2019, 07:13:03 am
A quick follow-up on @donald24's issue: It looks like having ntopng on the same interface messes things up. When he moved it to another interface & re-installed, everything went back to normal. Thanks @donald24 for helping diagnose the issue.

@marcri, we had an update on the licensing API, might be that this fell into the same window. It should be all ok now.

@h311m4n1, many thanks for trying out Sensei. User-defined application signatures are not here yet. This is one of the most wanted features, and will be implemented in near future.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yukaia on August 25, 2019, 10:01:59 pm
It appears that the CDN for Escape From Tarkov is being miscategorized as malware/virus and is therefore being blocked. Can we get this fixed? The URLs are as follows.

http://cdn-11.eft-store.com

Here's a download for the game launcher.

http://cdn-11.eft-store.com/LauncherDistribs/0.7.2.569_a332f4f4-2fcb-43cb-bc8a-cd0d1692a6a8/BsgLauncher.0.7.2.569.exe
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 26, 2019, 06:12:08 am
Hi @yukaia,  sure, done. In the meantime, you can whitelist this site from Web Controls -> User Defined Web Categories.

We'll be launching a web re-categorization feedback service soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 26, 2019, 08:20:15 am
@mb I replied to a few emails from your colleague! (html/css)
But I think he didn't get my mails?
Any problems on your/his email server?

Anyway..

1. I only found one margin problem in the Sensei html/css code.
For the main color modification I made a PR on GitHub for the Tukan/cicada themes, which will be released in the next OPNsense firmware update!
2. I fixed the active menu problem and made a PR too. This is already merged. It will also be released in the next firmware update!

regards rené

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 26, 2019, 06:15:56 pm
Hi @rene, looks like they ended up in the spam box. I have them right now. Thanks.

We'll be incorporating the suggested change with the next upcoming release (1.0.3)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on August 27, 2019, 06:25:31 pm
quick questions:

I cannot see a feature to resolve local hostnames in reports.
"show hostnames" does not show me names, just ips.
In Reporting / Insights opnsense will show names when using reverse lookup.
Am I missing a setting for this? Or is this not implemented yet?
All local users have static ips with

Furthermore is there any way to show in a simple report how long a local ip has used the internet each day; e.g. a chart / graphic ip online from 2pm till 4 pm on Monday, online 5pm till 8pm on a Sunday or something

Cheers
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 28, 2019, 12:56:44 am
Hi @sol,

Quote
I cannot see a feature to resolve local hostnames in reports.
...
All local users have static ips with

Sensei does an in-flight enrichment of ip addresses with hostnames when it sees a related DNS transaction. Or, in the case of local nodes, Sensei also keeps track of MDNS messages for this purpose.

If the IP addresses are not resolved to hostnames, my first guess would be that you're running a local DNS server and most of the DNS messages are transported without Sensei in the scenes.

We also do not do an in-flight explicit DNS call for IP address resolution because of performance reasons.

What we can do is during reports viewing, we could try to resolve the IP address, when you have your mouse on one of them in the charts or grid reports. Actually this is what we do for remote addresses currently, we can do the same for local addresses if we see that it's not resolved beforehand.

Would that work?

Quote
Furthermore is there any way to show in a simple report how long a local ip has used the internet each day; e.g. a chart / graphic ip online from 2pm till 4 pm on Monday, online 5pm till 8pm on a Sunday or something

Not yet. In the roadmap  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on August 28, 2019, 07:21:49 pm
Thank you mb.
I use unbound.
But only 1 local ip shows the hostname - even when I do not hover over it. See attachment.



Looking forward to the update on "online time". Will it be included in the free version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on August 28, 2019, 10:42:52 pm
I have installed OPNsense 19.7.1 and installed Sensei following the guide on the web.
The installation over SSH went OK and succeeded. In the web GUI all the settings were OK, and after finishing and refreshing, the status says the service is not running. I correctly selected the interfaces and all the settings.
When I click to start the service, it says no interfaces are selected, but they were selected in the configuration!
HW is a quad-core Xeon with 8GB RAM. It is a VMware ESXi 6.7 virtual machine, but it should work.
I have also upgraded to the current production version, which is 19.7.3.

I have another installation with OPNsense 19.1, and it is running well.

Could you help me find out what is wrong?

A status screenshot is included.

Thanks very much
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 29, 2019, 04:47:08 am
Hi @sol,

This is most probably because Sensei was able to spot a DNS transaction and get a hint for that IP. We'll introduce lookup of local IPs in the coming release (1.0.3).

We haven't yet thought about the edition of "online time" reporting.

As for @Wyrm's issue, it turned out that two python dependencies did not get installed although they are configured as the plugin's dependencies and the packages are available in the OPNsense LibreSSL package repository.

We couldn't reproduce this in our lab.

Are there any other LibreSSL users experiencing the same problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on August 29, 2019, 12:54:24 pm
Hi!
I have an error in my Logfile - every minute.
The strange thing is -> Sensei is completely disabled - but there are still jobs running?!

There is also one with an Error:
Code: [Select]
Aug 29 12:46:00 configd.py: [5413e5ea-0d25-4052-8b5f-8d2a1f09b02b] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:46:00 configd.py: [5413e5ea-0d25-4052-8b5f-8d2a1f09b02b] captive login logout enrich
Aug 29 12:46:00 configd.py: [c12694fb-94c0-434c-8723-fefad2299514] check sensei engine health
Aug 29 12:46:00 configd.py: [c0c97d1e-9572-4363-9944-503805f19016] Runing periodical scripts
Aug 29 12:45:27 configd.py: [b1408ad6-4305-45ba-99aa-89785b7e1d38] view license
Aug 29 12:45:06 configd.py: [656dcab2-ba0a-4284-8bda-4eb63b4379e3] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:45:05 configd.py: [656dcab2-ba0a-4284-8bda-4eb63b4379e3] captive login logout enrich
Aug 29 12:45:00 configd.py: [6826b4d8-a469-4409-a06f-f9e2bae21679] check sensei engine health
Aug 29 12:45:00 configd.py: [0128a6ba-9005-4456-831c-8d5da47a1362] Runing periodical scripts
Aug 29 12:45:00 configd.py: [d9b4c8b8-6ffa-4a65-bbfc-1586848bc494] check sensei engine health
Aug 29 12:44:51 configd.py: [dfb2ad02-35ea-407e-839d-2c789acbd715] control services
Aug 29 12:44:29 configd.py: [a752df4d-1f04-4295-9e52-3aba5ddd37ea] check sensei updates
Aug 29 12:44:29 configd.py: [edbf53e3-085a-40ad-ab35-be0bcbccf271] view elasticsearch disk size
Aug 29 12:44:29 configd.py: [66a74d51-8631-4897-b52f-82e6d6cfebc6] control services
Aug 29 12:44:29 configd.py: [a76246b9-cbc1-40ac-816c-1cb8a6ffc2d8] check sensei ui version
Aug 29 12:44:29 configd.py: [2977d7e6-1d94-483f-9df6-3454b38f623c] check sensei db last modified
Aug 29 12:44:29 configd.py: [05bccd05-3e71-45fa-bb7f-79c365d8b60c] check sensei db version
Aug 29 12:44:29 configd.py: [275abcbd-a41b-4a55-aa04-b855946124fe] check sensei db last modified
Aug 29 12:44:29 configd.py: [cb42810a-74a8-4b3c-a5b3-30a06fbfbec4] check sensei db version
Aug 29 12:44:29 configd.py: [c636a48c-393a-4fcc-9ec8-821475effd62] check sensei last modified
Aug 29 12:44:29 configd.py: [6606bf25-295f-49d9-974c-3c45551f7d03] check sensei version
Aug 29 12:44:29 configd.py: [f66b94cc-138d-4a33-9d61-f0623205cd8f] control services
Aug 29 12:44:26 configd.py: [ebaf16ea-7086-4663-9e93-41268042a8a8] view elasticsearch disk size
Aug 29 12:44:26 configd.py: [b6248966-ac6d-4c33-ae11-86f3ef503415] control services
Aug 29 12:44:26 configd.py: [9b585355-19fd-4cfb-85a1-6a216f5ed7a1] check sensei ui version
Aug 29 12:44:26 configd.py: [d9b79260-5dfb-4b8f-b3e0-c69fe24d91ff] check sensei db last modified
Aug 29 12:44:26 configd.py: [bd339ddb-6073-407f-a17e-8318214e5b21] check sensei db version
Aug 29 12:44:26 configd.py: [77e95c98-9e7a-4186-8793-740dd19a654a] check sensei db last modified
Aug 29 12:44:26 configd.py: [9e789111-39b2-41b9-b85c-d4b00a42e771] check sensei db version
Aug 29 12:44:26 configd.py: [eaa3f74c-bb21-41a1-a7ed-678bbe16124c] check sensei last modified
Aug 29 12:44:26 configd.py: [4d463eb5-95d6-4437-a9c2-02326b8efdec] check sensei version
Aug 29 12:44:26 configd.py: [edc50189-fd8f-4e08-ad76-bb2843227fc3] control services
Aug 29 12:44:24 configd.py: [63f5b4df-30a0-4678-a0f2-a9e577bba2ed] check sensei updates
Aug 29 12:44:23 configd.py: [83b1e0cc-8cd6-42a0-a08f-d8ba551a4814] check hardware
Aug 29 12:44:22 configd.py: [061a0e97-d2ef-4859-885d-d80f82fb9b39] view license
Aug 29 12:44:00 configd.py: [af175a5c-bee8-4eab-93c2-d80969cbc6ff] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:44:00 configd.py: [af175a5c-bee8-4eab-93c2-d80969cbc6ff] captive login logout enrich
Aug 29 12:44:00 configd.py: [c043869a-d6ec-4a5e-9ed0-939262d08cce] check sensei engine health
Aug 29 12:44:00 configd.py: [e408fbac-3585-451f-97d6-0c8f02978f23] Runing periodical scripts
Aug 29 12:43:54 configd.py: [eede6a57-4704-4642-9e90-4337e9e4526e] request pfctl byte/packet counters
Aug 29 12:43:49 configd.py: [2baa7185-8ae9-4127-ab7c-9886ef7d10c8] request pfctl byte/packet counters
Aug 29 12:43:43 configd.py: [54f33596-62e2-43ec-89bd-3e1e809db62c] request pfctl byte/packet counters
Aug 29 12:43:00 configd.py: [f92788bb-fd0c-4177-a4f1-ad1f6568d204] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:43:00 configd.py: [f92788bb-fd0c-4177-a4f1-ad1f6568d204] captive login logout enrich
Aug 29 12:43:00 configd.py: [5c7c03be-071f-4914-b050-7895ce71974a] check sensei engine health
Aug 29 12:43:00 configd.py: [894347ec-50c4-4de6-85a3-3ef60b32c32b] Runing periodical scripts
Aug 29 12:42:00 configd.py: [735dad9a-a836-4f62-a8db-aaac917ea1bb] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:42:00 configd.py: [735dad9a-a836-4f62-a8db-aaac917ea1bb] captive login logout enrich
Aug 29 12:42:00 configd.py: [e83fd212-4ac4-4da3-9347-a964882163b7] check sensei engine health
Aug 29 12:42:00 configd.py: [9b10878e-3fe5-4acf-9424-2c11e29a533e] Runing periodical scripts
I searched the forum, but there was no hit for userenrich.py. Does anyone else have the same errors?

My Versions:
Engine Version:   1.0.2
App DB Version:   1.0.3
Rules DB Version:   1.0.3

Versions   OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
LibreSSL 2.9.2

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 29, 2019, 07:12:48 pm
Hi @BeNe,

Batch jobs like userenricher (health check, updates check) continue to run in the background if you have Sensei installed. Stopping the packet engine just stops packet processing. Elasticsearch and background bookkeeping jobs will continue to run.

The duty of the userenricher is to feed captive portal user/group information to Sensei so that it can map the IP addresses to users/groups.

In your case, you do not have Captive Portal enabled and this triggered this error (indeed a test code which tests this case).

Fixed as of now and for 1.0.3. Many thanks for reporting this.
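
The recurring failure in the excerpt above can be confirmed by pairing each failed job id with the action description logged under the same id. This is an added example, not part of the posts or of Sensei/OPNsense code; the function names and the sample lines (placeholder job ids, trimmed tracebacks) are constructed for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d configd\.py: "
                     r"\[(?P<job>[0-9a-f-]{36})\] (?P<msg>.*)$")
FAIL_RE = re.compile(r"Script action failed with Command '(?P<script>[^']+)' "
                     r"returned non-zero exit status (?P<rc>\d+)")

FAIL_TEXT = ("Script action failed with Command "
             "'/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' "
             "returned non-zero exit status 1. at Traceback (most recent call last): ...")


def sample_lines():
    """Constructed lines in the excerpt's format (placeholder job ids)."""
    lines = ["Aug 29 12:44:29 configd.py: "
             "[00000000-0000-0000-0000-0000000000aa] check sensei updates"]
    for n, clock in enumerate(("12:44:00", "12:45:06", "12:46:00"), start=1):
        job = f"00000000-0000-0000-0000-{n:012d}"
        lines.append(f"Aug 29 {clock} configd.py: [{job}] {FAIL_TEXT}")
        lines.append(f"Aug 29 {clock} configd.py: [{job}] captive login logout enrich")
    return lines


def summarize_failures(lines):
    """Map each failing script to its action label, exit status and failure minutes."""
    jobs = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a configd entry
        job = jobs[m["job"]]
        fail = FAIL_RE.search(m["msg"])
        if fail:
            job.update(script=fail["script"], rc=int(fail["rc"]), minute=m["minute"])
        else:
            job.setdefault("action", m["msg"])  # description logged under the same id
    report = {}
    for job in jobs.values():
        if "script" not in job:
            continue  # this job id never logged a failure
        entry = report.setdefault(job["script"], {"action": job.get("action"),
                                                  "exit_status": job["rc"],
                                                  "minutes": []})
        entry["minutes"].append(job["minute"])
    for entry in report.values():
        entry["minutes"].sort()
    return report


if __name__ == "__main__":
    for script, info in summarize_failures(sample_lines()).items():
        print(script, info)
```

A failure that shows up once in every consecutive minute under the same action label points at a scheduled job rather than something triggered from the GUI.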
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on August 29, 2019, 08:58:51 pm
Thanks for your quick reply and the fix in version 1.0.3.
The Status e-Mail is also sent out if Sensei is disabled (packet engine and elasticsearch)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 31, 2019, 04:04:34 am
Dear Sensei users,

We are aware of an issue affecting LibreSSL users. A few package dependencies, which are important for the operation of the plugin, do not get installed. This results in the initial configuration not being written into the configuration files.

As a workaround, for now, we advise that you install the dependencies manually:

Code: [Select]
pkg install py27-dnspython
pkg install py27-Jinja2
pkg install py27-sqlite3
pkg install os-sensei-updater

We'll issue the fix with 1.0.3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donald24 on September 02, 2019, 12:10:49 pm
Hi,

I have a problem after having upgraded to 19.7.3.

My configuration is still fairly out of the box; my LAN side is using two separate VLANs next to its untagged main traffic. I got a notification that my telephone was dead: my VOIP VLAN was not letting packets to the inside. I checked the VOIP VLAN and no traffic was going to the internet. LAN was okay. I rebooted the firewall and afterwards I could not reach the firewall even from the LAN area anymore.
So I needed to hook the machine to a monitor and ran the uninstall steps I had found in this thread:

Code: [Select]
service eastpect onestop
service elasticsearch onestop
pkg delete elasticsearch5
pkg delete os-sensei
rm -rf /var/db/elasticsearch/nodes/*

Though I remember that one pkg wasn't found (might be another name), afterwards I had immediate access and running internet on all interfaces.

Is there still something missing for uninstallation? The configuration file also has a lot of Sensei parts in it. Would I have to reinstall Sensei to run its uninstallation from the GUI, or is there a manual way?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 02, 2019, 09:52:00 pm
Hi Donald,

Here are the manual steps to be able to remove Sensei from the system:

Code: [Select]
# service eastpect onestop
# pkg remove elasticsearch5
# pkg autoremove -y
# rm -rf /usr/local/sensei/
# rm -rf /var/db/elasticsearch/nodes/

On the other hand, I'm very much curious about what went wrong there. I'll be reaching out to you to see if we can have a look at your system together.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on September 03, 2019, 01:50:13 am
I also experienced the same situation as donald24 under 19.7.3. I lost complete access to the firewall and the Internet after running through the wizard. I had to stop service and uninstall the packages to reinstate connectivity.

I only have 4GB of RAM on my OPNsense server, so I assumed I'm running into something related to that.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2019, 02:04:04 am
Hi @tusc,

Your case looks more like you have a netmap-incompatible ethernet device. Let's have a look at your system together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on September 03, 2019, 02:32:20 am
Really? I'm using a quad port Intel GigE card so wasn't aware this was netmap-incompatible:

Code: [Select]
root@OPNsense:~ # dmesg |egrep igb
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> mem 0xfe880000-0xfe8fffff,0xfe90c000-0xfe90ffff irq 27 at device 0.0 on pci1
igb0: Using MSIX interrupts with 5 vectors
igb0: Ethernet address: xx:xx:xx:xx:xx:xx:xx
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: netmap queues/slots: TX 4/2048, RX 4/2048
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2019, 02:40:50 am
Quote
Really? I'm using a quad port Intel GigE card so wasn't aware this was netmap-incompatible:
Code: [Select]
...
igb0: netmap queues/slots: TX 4/2048, RX 4/2048

Nope, you're right. Actually this is the best one in terms of inter-operability. I notice you have 2048 tx/rx descriptors.

Can you try setting tx/rx descriptors to 1024 and see if you still have the problem?

Code: [Select]
hw.igb.txd: 1024
hw.igb.rxd: 1024
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 09, 2019, 07:20:52 am
Dear Sensei users,

Some of you who uninstalled/re-installed Sensei might have noticed: with 1.0.2, we introduced a feedback form in which you can tell us why you're uninstalling the plug-in.

Looking at the results, it looks like more than 80% of the time the reason is low hardware resources.

Seeing that, we have accelerated our efforts to be able to run Sensei on low-end devices (like 2GB RAM, embedded CPUs etc.)

Our test device is a Qotom with an Intel Celeron J3060 @ 1.60 GHz. This device has a ubench score of 170.000. It looks like Sensei is running fine with most of the reporting on this device.

We are wondering how your devices compare to our test device.

For those of you who could not run Sensei due to hardware limitations, is there any chance that you can run:

Code: [Select]
# ./ubench -c -s
on your device and report the results to us? You can PM me or shoot an e-mail to sensei at sunnyvalley.io. We need the cpu information and ubench single core cpu score.

Any help on this is greatly appreciated.


PS: The OPNsense repo does not have ubench; you can download the binary from https://updates.sunnyvalley.io/downloads/ubench
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 04:26:33 pm
There is an issue with the interfaces since the latest OPNsense upgrade. No matter which interfaces I select, Sensei says: "You must select at least one interface to start or restart sensei service!" and the packet engine does not start. I tried a complete reinstall of Sensei, including deleting the corresponding part in the config.xml. It did not help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 05:44:56 pm
Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install or this happens during a new install?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 07:29:25 pm
Hi!

It seems only a fresh install is affected, or if I change the interface config in the existing one. That also breaks something.

Quote
Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install or this happens during a new install?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 10:23:16 pm
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 10:30:31 pm
I had the 19.7.3, upgraded to 19.7.4 now, but same issue.

Quote
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 11:15:28 pm
It's solved!
Thank you for the help! :)
It was the LibreSSL package issue.

Quote
I had the 19.7.3, upgraded to 19.7.4 now, but same issue.

Quote
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 11:20:08 pm
@Archanfel80,

You're all welcome. For any LibreSSL users, who might experience the same, resolution is here:

https://forum.opnsense.org/index.php?topic=9521.msg64618#msg64618

1.0.3, which will ship next week, will also be solving this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on September 16, 2019, 09:46:56 am
Hi,

Does Sensei aim to supersede IPS in OPNsense?

I cannot run both (IPS and Sensei) as I use PPPoE on the WAN and cannot run both IPS and Sensei on the LAN.
Sensei looks awesome and provides amazing insights into the network traffic, but does it protect against emerging threats in a similar way to IPS using Suricata?

Thanks

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 17, 2019, 12:26:42 am
Hi @bunchofreeds,

With OPNsense, Sensei does not replace IDS. We recommend using both of them.

We have a solution for co-existing Suricata and Sensei on the same interface. Hope to ship the functionality this year. Basically we'll have a virtual device between Sensei and the IPS engine. We have initial thoughts to provide TLS decryption for the IPS engine through this integration.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on September 17, 2019, 06:17:38 am
@mb

Thanks for confirming that and I'm looking forward to you and your teams future efforts with Sensei.
It really is quite an excellent addition to the already amazing Firewall/Router/Swiss Army Knife OPNsense.

Thanks again for providing this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nullinger on September 17, 2019, 10:41:50 pm
Hello @mb,

I am on my third day with Sensei, and I like it very much. Today, I tried to set up reports by mail and got some problems because the system sets "autoreports@sunnyvalley.io" as sender. As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.

Thanks !
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on September 18, 2019, 07:39:00 am
Quote
As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.

Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: karl047 on September 19, 2019, 09:55:37 am
Hi Murat, & thanks a lot for the good job with Sensei...
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, & I had tried Sensei, & it is really good.
One question please (for home users): is there any plan for a good price with a premium subscription? Because 499,00€ a year is too heavy with the small plan for 25 devices! Other firewall solutions are free for home users (or for a small price a year) with most of the benefits of different policies & other services like Sensei!

Regards;

Karl
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lfirewall1243 on September 19, 2019, 11:22:01 am
Hi,

First of all, I am very happy about the Sensei plugin, it's amazing :) Thank you.

But an integration of ClamAV or CICap would be very cool (if it's possible).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 06:59:08 pm
Quote
As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.
Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.

@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 07:14:24 pm
Quote
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, & I had tried Sensei, & it is really good.
One question please: (for Home Users): is there any plan for a good price with a premium subscription?

Hi @karl047, many thanks for trying out Sensei and glad that you've loved it.

We have plans to have a Home edition. We have a two-step action plan for this:

Step 1. We're currently working on a project, where we'll be able to make Sensei available to run on low-end devices (many home users seem to be running these). Initial tests look very good, we're able to run Sensei with reporting on a low-end Qotom device (Celeron J1900 @1.6GHz, 2GB RAM). Deciso's lowest-end device has a powerful CPU compared to this. So, when we're done with this project, theoretically, we should be able to cover nearly all of the x86-based hardware out there.

Step 2. Sunny Valley sales team is working on home-user licensing. Our aim here is to make it competitive and affordable.

As for timing, current plan is to have step 1 available by mid-October. Latter one, I guess it'll be early 2020.

And one more note: we're just starting, this is going to be a hell of a solution ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 07:29:34 pm
Quote
Hi,

First of all, I am very happy about the Sensei plugin, it's amazing :) Thank you.

But an integration of ClamAV or CICap would be very cool (if it's possible).

Hi @lfirewall1243, many thanks for trying out Sensei and providing feedback.

You should be able to do this with Suricata + ClamAV. Did you try that? If so, what were you missing with the solution?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on September 20, 2019, 04:55:48 pm
Hi Murat,

Will you add the status of the Sensei service and the Elasticsearch service to the dashboard in a future version?
It would be handy to have all needed services in the status dashboard.

A cheaper home license for Sensei would be awesome! By the way, how do you calculate the exact number of IPs in Sensei?
Because the number of unique hosts that I see in the daily e-mail which I receive from Sensei ranges from 61 hosts up to 74 hosts. I never have that number of hosts at home  :o  Maybe it has something to do with IPv6 and the temporary IPv6 addresses?

Thank you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 20, 2019, 07:06:46 pm
Hi BeNe,

Yep, we'll be adding a widget to the OPNsense dashboard, it's in the roadmap.

It's the number of unique local IP addresses within a day. Since normally IPv6 is used dual-stack, we don't count IPv6 addresses for license.

To check, filter the connection reports for a day and filter TCP and UDP as the Transport Protocol.   (TCP6 and UDP6 implies IPv6, whereas TCP and UDP means IPv4 was being used)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: nullinger on September 22, 2019, 11:42:12 pm
Quote
@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.

That's true, I am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 23, 2019, 12:45:43 am
Quote
That's true, I am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much!

Got it. All welcome. Fix is applied for 1.0.3. Final tests ongoing. Shipping mid next-week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 24, 2019, 12:52:08 pm
What might be wrong if the OPNsense dashboard disk usage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and zabbix report about 29G disk usage...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 24, 2019, 10:57:29 pm
Quote
What might be wrong if the OPNsense dashboard disk usage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and zabbix report about 29G disk usage...

Hi @the-mk,

Thanks for reporting this. Yep, this was a bug, which got fixed with 1.0.3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 25, 2019, 03:51:35 pm
thanks @mb

I'd like to ask again BeNe's question how the number of hosts is calculated - but for a different reason.

On my OPNsense host I have 7 different interfaces/networks (where one of them is the WAN interface), based on my Ubiquiti UniFi Management WebUI I have 50 different hosts connected to my switches and APs, while my daily mail report always shows a much higher number for the last 24 hours (around double the amount of hosts I have based on my UniFi information). And I do not understand why that number is so high.

Side informations:

which information do you need besides the lines above to explain the higher number of hosts reported by Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 25, 2019, 07:31:01 pm
Dear Sensei users,

It's our pleasure to announce the availability of Sensei 1.0.3 release.
This release comes with the below feature set.

You can update your Sensei through Sensei -> Status menu or through OPNsense updater.

What is new in Sensei 1.0.3

Application control & filtering

Reporting

Performance

Cloud Threat Intelligence

UI/UX

Misc


Enjoy,

Your Sensei team.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 26, 2019, 06:36:38 am
After upgrading to Sensei 1.0.3 the automatic report mail broke...
I checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curious how the reverse DNS lookup in the report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
Reporting of disk usage in the status page looks better now!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on September 26, 2019, 01:51:00 pm
Thx for the new version 1.0.3

"Reverse DNS lookups for local IP addresses" translates some IPs into names in "Sensei -> Reports -> Connections" e.g.
But not all IPs are translated into their names. Manual reverse lookups of IPs via dig or nslookup are fine.

Does Sensei need more time for reverse lookups?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2019, 07:40:08 pm
Quote
After upgrading to Sensei 1.0.3 the automatic report mail broke...
I checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curious how the reverse DNS lookup in the report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
Reporting of disk usage in the status page looks better now!

Hi @the-mk, sorry about that. Yes, since we changed the input method, you'd need to re-configure connection reports.

Let me write a detailed post about how we do reverse dns mapping for ip addresses.

Glad to hear that disk usage got fixed. I'll reach out to you for local host report.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2019, 08:00:09 pm
A small note on how we do dns enrichment for ip addresses:

Engine doing the mapping realtime:

Engine keeps track of all dns transactions that it can see flowing over itself. When it detects an IP address resolution (either an A/AAAA/CNAME or PTR), packet engine caches the IP addresses and the corresponding fully qualified domain name.

All charts/tabular reports and live session reports display this cached hostname when you view the reports.

UI doing mapping during reports viewing:

This applies to live session reports only: When you view a live session report, while you're browsing over records, UI runs a background job to see if a particular record has its hostname resolved. If it detects an unresolved IP address, it runs a background query to resolve the IP address via the name server you've configured on Sensei -> Configuration -> Reporting and Data.

@the-mk, since daily reports are making use of realtime cached hostname resolutions, newly introduced feature will not have effect on them. 

@opnip, you should see them being resolved, while you're walking your mouse over them. Does that happen?
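
The realtime mapping described in the post above (learning IP-to-hostname pairs only from DNS responses seen on the wire), as an added example that is not part of the original post and is not Sensei's code. `HostnameCache`, `build_response` and the sample responses are constructed for illustration; keying an address to the queried name when a CNAME is involved is an assumption.

```python
import ipaddress
import struct

TYPE_A, TYPE_CNAME, TYPE_PTR, TYPE_AAAA = 1, 5, 12, 28

def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, qtype, answers):
    """Constructed sample input; answers is a list of (owner, rtype, rdata)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        # Owner == question name is sent as a compression pointer to offset 12.
        name = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += name + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:                     # malformed packet: pointer loop
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace").lower())
        off += length
    return ".".join(labels), (off if end is None else end)

def reverse_name_to_ip(name):
    """Turn a PTR owner name (in-addr.arpa / ip6.arpa) back into an IP string."""
    parts = name.split(".")[::-1]              # arpa, in-addr|ip6, then address
    try:
        if parts[:2] == ["arpa", "in-addr"]:
            return str(ipaddress.IPv4Address(".".join(parts[2:])))
        if parts[:2] == ["arpa", "ip6"] and len(parts) == 34:
            return str(ipaddress.IPv6Address(int("".join(parts[2:]), 16)))
    except ValueError:
        pass
    return None

class HostnameCache:
    """IP -> FQDN map learned only from DNS responses that were observed."""
    def __init__(self):
        self.by_ip = {}

    def observe(self, msg):
        """Feed one DNS message (UDP payload); ValueError on malformed names."""
        if len(msg) < 12:
            return
        _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000 or flags & 0x000F:   # need a response, RCODE 0
            return
        off, qname = 12, None
        for _ in range(qd):
            name, off = read_name(msg, off)
            qname = qname or name
            off += 4                                # QTYPE + QCLASS
        for _ in range(an):
            owner, off = read_name(msg, off)
            if off + 10 > len(msg):
                return
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = off + 10, off + 10 + rdlen
            if (rtype, rdlen) in ((TYPE_A, 4), (TYPE_AAAA, 16)):
                # Assumption: map to the queried name so CNAME chains collapse.
                ip = str(ipaddress.ip_address(msg[rdata:off]))
                self.by_ip[ip] = qname or owner
            elif rtype == TYPE_PTR:
                ip = reverse_name_to_ip(owner)
                if ip:
                    self.by_ip[ip] = read_name(msg, rdata)[0]

def demo():
    """Replay two constructed responses and return the resulting cache."""
    cache = HostnameCache()
    cache.observe(build_response("www.example.test", TYPE_A, [
        ("www.example.test", TYPE_CNAME, encode_name("edge.cdn.test")),
        ("edge.cdn.test", TYPE_A, bytes([203, 0, 113, 7])),
    ]))
    ptr = "10.1.168.192.in-addr.arpa"
    cache.observe(build_response(ptr, TYPE_PTR, [(ptr, TYPE_PTR, encode_name("nas.lan"))]))
    return cache
```

An address that never appeared in an observed DNS answer is simply absent from `by_ip`, which is the case the post's second mechanism (the UI's background reverse lookup) covers.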

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on September 30, 2019, 10:34:18 pm
Thx for the hint. Yes, if I mouse over an IP address in "Live Sessions Explorer" they would be resolved now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DeathWingMT on October 01, 2019, 01:50:53 pm
Hi, I would like some guidance on how to enable the web filtering feature. I have disabled the Adult site category for testing purposes and pointed my DNS to the OpnSense box running DNSMasq as the DNS server. Unfortunately, the adult site still loads. The manual does not provide any details on how to enable the service from a client's perspective or whether HTTPS is also filtered.

Note that I am using VLANs and have added the physical port as a sensei protected interface
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on October 01, 2019, 11:47:02 pm
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 02, 2019, 07:37:11 am
exclude devices?

Hi,

is it possible to bypass/exclude internal devices from scanning? i.e. there are streaming devices like Amazon FireStick  or Roon Rock that have issues with content.

I'm setting all filters to allow - there are issues
I'm setting the sensei engine in bypass mode - there are no issues

OpnSense are running on LANNER hardware with Intel C2558, 8GB RAM and server SSD.

best regards,

Ralf
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on October 02, 2019, 02:38:28 pm
is it possible that the daily report mail is broken somehow since the upgrade to Sensei 1.0.3?
I've already checked the settings and performed to send a testmail (which arrived), as well as disabling and reenabling it did not help.
After the upgrade-process to Sensei 1.0.3 was successful one report mail arrived since then, but after that no more mails :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 02, 2019, 02:54:18 pm
@mb i thought atom c3558 is ok with sensei. but i get this (screenshot) if i try to configure sensei

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 12:20:08 am
Hi @opnsenseuser,

It should be ok for you. You can just click on "Continue" and install Sensei. Your CPU looks almost good.

With 1.0.3, we've introduced this cpu benchmark, where we are measuring how powerful the cpu is. This was the first step to the upcoming 1.1 release where we'll have an alternative methodology for providing Sensei for low-end devices like Deciso A10 / APU systems.

So the upcoming release will use Elasticsearch as the database if RAM is at least 4GB and more and CPU ubench score is higher than 300000.

If the amount of RAM is below 4GB and CPU is less powerful Sensei will use Mongodb as the database backend.

This way, we will be able to provide Sensei for low-end systems where cpu and RAM resources are limited.

We're only days away from creating the first BETA. If anyone is interested in trying it out before the release, just PM me  ;)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 12:24:29 am
Quote
... Unfortunately, the adult site still loads. The manual does not provide any details on how to enable the service from a clients perspective or whether HTTPS is also filtered.

Note that I am using VLANs and have added the physical port as a sensei protected interface

Hi DeathWingMT,

VLANs should be ok. HTTPS/QUIC traffic is also filtered. We'll add this to the manual and make it more specific.

On the other hand, We'd like to diagnose as to what is going on during filtering in your case. First guess is loss of cloud connectivity.

I'll PM you, then we can have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 02:17:16 am
Quote
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 02:22:59 am
@the-mk, let's do a check, we'll update you.

@Ralf_s, whitelisting according to ip/vlan/user is available in the premium subscription. The thing that you're not having any issues when in bypass mode makes me think we need to have a look at this.

I'll PM you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on October 03, 2019, 01:43:55 pm
Unfortunately sensei crashed after 3 to 5 days of usage:

Either it was high cpu usage or yesterday this happened:

Sensei has detected a problem during operation and has shut down Sensei services in order to prevent a network outage.

It is because we detected high SWAP (21 -- 13821280% usage)

I run sensei on OPNsense 19.7.4_1-amd64
Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz (4 cores)
8 GB Ram
and also use proxy and ips
Connection is a 100/40 mbit line
and there are about 10 users

Restarting sensei works though, it just crashes after 3 - 5 days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on October 03, 2019, 01:49:39 pm
And another question. How can I use sensei for my openvpn network. I cannot select it at the interface selection.

And local hostname resolution does not work for me or I'm not using the right configuration.
Opnsense runs unbound and dnscrypt proxy.

Which server do I have to use?
DNS server IP addresses to do reverse IP lookups:
127.0.0.1,192.168.1.1
is the current setup.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 03, 2019, 05:45:38 pm
@mb:
thank you for your answer. But the premium edition is too expensive for home use - only for the feature excluding IP addresses. I'm looking forward to your next releases. In the meantime, I'll use my Sophos XG home on an APU for transparent content/security filtering.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 06:19:33 pm
Hi @Ralf_s,

Thanks for the feedback. Sunny Valley sales team is working on home use. Expect an announcement early 2020.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 06:56:15 pm
Hi @sol,

Quote
And another question. How can I use sensei for my openvpn network. I cannot select it at the interface selection.

They utilize tun interfaces, which Sensei does not support for the time being. Support is planned for early 2020.

See: https://help.sunnyvalley.io/hc/en-us/articles/360025100613#no_tun

Quote
And local hostname resolution does not work for me or I'm not using the right configuration.
Opnsense runs unbound and dnscrypt proxy.

Which server do I have to use?
DNS server IP addresses to do reverse IP lookups:
127.0.0.1,192.168.1.1
is the current setup.

127.0.0.1 would be the best bet since I'm guessing it would be the best knowledgeable one in terms of local name resolutions.

When you open live session explorer and hover over src hostname fields,  you should see them being resolved, isn't it the case?

See: https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In terms of SWAP, normally this configuration should easily handle your scenario. Does turning off squid help? We have seen some cases where web cache was already using more than half the memory, so Sensei couldn't fit in.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on October 04, 2019, 01:53:12 pm
Quote
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?

Same problem here. Started after upgrading to version 1.0.3

WAN adapter: Intel
LAN adapter: tp-link
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on October 04, 2019, 03:37:00 pm
Quote
is it possible that the daily report mail is broken somehow since the upgrade to Sensei 1.0.3?
I've already checked the settings and performed to send a testmail (which arrived), as well as disabling and reenabling it did not help.
After the upgrade-process to Sensei 1.0.3 was successful one report mail arrived since then, but after that no more mails :(

strange... did not change anything since the last post, I didn't even reboot or something like that... but today I received a report... let's see what happens tomorrow...
is there somewhere a log that tells me that the mails were sent and I have a problem with my mailaccount?
mail is sent from a gmail.com address and received from a GMX address - but there was nothing in a spamfolder...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 05:39:11 pm
Quote
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 05:39:57 pm
Quote
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on October 04, 2019, 06:34:05 pm
Quote
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?

@mb, tp-link is re.
The firewall is running in production and I don't have another adapter at the moment. I disabled Sensei, as crashes are becoming frequent.

Is it possible to go back to the previous version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ErkDog on October 04, 2019, 08:07:09 pm
Why does your website no longer load?  What's going on with this addon?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ErkDog on October 04, 2019, 08:08:30 pm
Fix your DNS Please - https://puu.sh/EoNKU/6320b7e5d5.png
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 08:36:15 pm
@ErkDog, website is operational. DNS is working. Might be a local problem on your side.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on October 09, 2019, 11:54:59 pm
Quote
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?

igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Tubs on October 12, 2019, 04:38:53 pm

Somehow Sensei is not filtering on my machine. But I could not yet figure out if it is because of LAGG interface, running squid webproxy or IPv6 GIF tunnel.

I started here before I found this thread.
https://forum.opnsense.org/index.php?topic=14649.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 12, 2019, 06:38:46 pm
Hi MB,

creating a new interface for a child wifi and installing SENSEI again as a content filter only for this interface and block the categories "child porn", "adult", "pornography" and some more. Connecting with an iPAD, switching to private mode in safari and searching for "porn" at google. 60% of listed results are accessible. The rest are blocked by the Sensei splash screen.

Are the content filter under development? What about the other categories?

best

Ralf
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on October 24, 2019, 10:47:40 pm
Sorry if this has been answered before, I haven't read all 38 pages. Sensei is working pretty good, very detailed reporting. I have a few questions about the plugin.

When browsing the session explorer, I wanted to block a website directly from the session explorer, is it possible block single websites without blocking the whole web/app control from the session explorer ? 
Is it possible to bulk import websites into the "white/black-list" ?
Can I add my own webcontrols/appcontrols ?
Redirect to the "block page" doesn't work when connecting over https. Do I need TLS inspection for this ?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:10:27 am
@Ralf_s,

This looks like the result of a combination of factors:

With increasing number of Sensei users, 2 weeks ago, we experienced a performance issue, which persisted 2-3 days. This looks to be overlapping the time you experienced the problem.

In the Free Edition, the blocking feature is limited to 20 Million sites. If the queried site does not fall in this cloud, the site is not blocked.

If Sensei cannot correlate the hostname to the connection it's inspecting, (i.e. missing dns transaction) it wouldn't block.

But for your case, looking at the ratio and the nature of your particular test, I'm guessing the first one might be the primary problem.

For the second item, with 1.1, we're changing how we are handling the free/paid database queries. Since we could not measure if we really missed a site or it was a limitation of the free edition; we've removed the site limit and it'll be unlimited. The differentiation will be based on the number of web categories blocked.

For the third item, 1.1 does send a cloud query even after later stages in the connection (i.e. when TLS SNI seen, HTTP Hostname is seen etc.). So this allows the engine to be able to have further policy decision even if the cloud answer does not come very fast and early in the connection.
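
How a hostname can still be recovered at the later stages named in the post above (TLS SNI, HTTP Host) when no DNS transaction was correlated, as an added example that is not part of the original post and is not Sensei's code. `CATEGORY_DB`, `decide` and the sample ClientHello are constructed; the local dictionary stands in for the cloud query.

```python
import struct

# Constructed stand-in for the cloud category lookup (not Sensei's data).
CATEGORY_DB = {"adult.example.test": "adult", "news.example.test": "news"}
BLOCKED_CATEGORIES = {"adult"}

def build_client_hello(server_name):
    """Constructed sample: a minimal TLS ClientHello record carrying SNI."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # type 0 = host_name
    ext_data = struct.pack("!H", len(entry)) + entry           # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32)                            # version, random
            + b"\x00"                                          # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                     # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                     # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                     # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:                    # server_name extension
                # Layout: list length (2), name type (1), name length (2), name.
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                name = data[pos + 5:pos + 5 + name_len]
                if data[pos + 2] != 0 or len(name) != name_len:
                    return None
                return name.decode("ascii").lower()
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # truncated or malformed hello
    return None

def extract_http_host(data):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and value.strip():
            # Drop an optional :port (IPv6 literals are out of scope here).
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def decide(first_payload, dns_hostname=None):
    """Return (hostname, source, action) for a connection's first payload.

    The DNS-correlated name is used when present; otherwise the name is
    taken from the TLS SNI or the HTTP Host header. With no name at all the
    connection cannot be categorised and is allowed."""
    candidates = (("dns", dns_hostname),
                  ("tls-sni", extract_sni(first_payload)),
                  ("http-host", extract_http_host(first_payload)))
    for source, host in candidates:
        if host:
            category = CATEGORY_DB.get(host, "uncategorized")
            action = "block" if category in BLOCKED_CATEGORIES else "allow"
            return host, source, action
    return None, "none", "allow"

if __name__ == "__main__":
    print(decide(build_client_hello("adult.example.test")))
    print(decide(b"GET / HTTP/1.1\r\nHost: news.example.test\r\n\r\n"))
```

In the TLS case the name is known from the ClientHello, before any HTTP request exists on the connection.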

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:12:09 am
@Tubs,

Yes, that's because of the lagg interface. Since it's a software interface, netmap cannot find any hw rings. Solution is that we're introducing the option to be able to protect lagg/bridge members interfaces (which are real interfaces with hw/sw rings).

This functionality is coming with 1.1. When that ships, go to Sensei -> Configuration -> Interface Selection. There you'll see "Unassigned" interfaces. Select the ones which constitute your lagg / bridge, and you should be good to go. For the lagg interfaces, you might want to select an algorithm which does a symmetric load balancing (i.e. avoid roundrobin).

1.1 is scheduled for early November.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:19:34 am
Hi @actionhenkt,

Quote
When browsing the session explorer, I wanted to block a website directly from the session explorer, is it possible block single websites without blocking the whole web/app control from the session explorer ?

Good catch! We'll add this to the upcoming release. Hopefully will ship with 1.1.

Quote
Is it possible to bulk import websites into the "white/black-list" ?
Can I add my own webcontrols/appcontrols ?

Not yet. Both roadmap items.

Quote
Redirect to the "block page" doesn't work when connecting over https. Do I need TLS inspection for this ?

Correct, since TLS session precedes the HTTP session. Yes, with TLS, this would be possible.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:29:24 am
Dear Sensei users,

Some good news from a super-busy month working on the upcoming 1.1 release. Here are some of the major goodies that are shipping with 1.1.

The most notable one is the support for low-end devices. We're now able to install on low-end devices with weak CPUs and with memory as low as 2GB. Yes!, with reporting.

Please find the detailed list below.

We're targeting early November for the release.

In the meantime, just PM me if you'd like to test drive before it's made publicly available.

What will be coming up with Sensei 1.1

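Better low-end device support
  • Support for low-end devices with weak CPUs. Try Sensei on your Deciso A10 / Pcengines APU devices: Yes! with reporting :)
  • Minimum RAM requirement lowered to 2GB

More interface support
  • lagg(4) and bridge(4) interface members can be protected now

New Cloud Servers Infrastructure goes live
  • New less-latency cloud servers for US-West, US-East, Asia and Australia regions
  • New web category/threat intelligence database
  • Improved/faster cloud query mechanism
  • Better availability
  • Status screen now shows uptime in a prettier format

Reporting
  • Reporting Performance Improvements (Reports load faster (a lot faster ;))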
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 25, 2019, 09:18:34 am
Quote
Dear Sensei users,

Some good news from a super-busy month working on the upcoming 1.1 release. Here are some of the major goodies that are shipping with 1.1.

The most notable one is the support for low-end devices. We're now able to install on low-end devices with weak CPUs and with memory as low as 2GB. Yes!, with reporting.

Please find the detailed list below.

We're targeting early November for the release.

In the meantime, just PM me if you'd like to test drive before it's made publicly available.

What will be coming up with Sensei 1.1

Better low-end device support
  • Support for low-end devices with weak CPUs. Try Sensei on your Deciso A10 / Pcengines APU devices: Yes! with reporting :)
  • Minimum RAM requirement lowered to 2GB

More interface support
  • lagg(4) and bridge(4) interface members can be protected now

New Cloud Servers Infrastructure goes live
  • New less-latency cloud servers for US-West, US-East, Asia and Australia regions
  • New web category/threat intelligence database
  • Improved/faster cloud query mechanism
  • Better availability
  • Status screen now shows uptime in a prettier format

Reporting
  • Reporting Performance Improvements (Reports load faster (a lot faster ;))

great news :-) a sensei widget would be also great! thx regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on October 25, 2019, 09:32:46 am
Great!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 12:44:56 am
Quote
great news :-) a sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on October 29, 2019, 02:53:28 am
Quote
great news :-) a sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?

network interface with the throughput
(as a scale of time of possible)

maybe...
recent security blocks
(no idea yet if in graph or test)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 05:29:38 pm
I guess throughput is already available in OPNsense widgets?

Quote
recent security blocks

Got it. Any other ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 29, 2019, 05:58:56 pm
Quote
great news :-) a sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?

maybe some of the status informations of sensei as widget?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 06:16:12 pm
Quote
maybe some of the status informations of sensei as widget?

Good idea. Got it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 03, 2019, 04:30:12 am
Dear Sensei users,

We've made release 1.1 available for LibreSSL users. LibreSSL flavor users can now do a fresh install for / update to Release 1.1.

Tests underway for OpenSSL flavor. Hope to ship this one on Tuesday.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mow4cash on November 05, 2019, 04:53:54 am
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issue where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add URLs to pull our favorite lists and a few popular ones preloaded to enable? With the new update taking away more control I'm going to have to whitelist some porn sites ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 05, 2019, 03:47:52 pm
I just updated from 19.1.10 to 19.7.6.  Now I'm getting the following message every time I click on the Dashboard:

Quote
Elasticsearch service is not running!  In order to view reports, you need to start Elasticsearch service. Do you want to start it?

And when I click "Yes," it doesn't seem to start.  I just get a

Quote
Waiting for database service to come up
bar.

This used to work fine.  Any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 05, 2019, 03:55:32 pm
I just noticed some messages on the console that don't look good either.  I don't know if they are related to my Sensei issue or not, but I thought I'd post them in case they were.

See attachment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 04:47:41 pm
Quote
I just updated from 19.1.10 to 19.7.6.  Now I'm getting the following message every time I click on the Dashboard:

Quote
Elasticsearch service is not running!  In order to view reports, you need to start Elasticsearch service. Do you want to start it?

This used to work fine.  Any ideas?

@JohnDoe17,

Messages on the console are related to HardenedBSD's SEGVGUARD. It detected that syslog-ng process crashed several times. This does not seem to be related to Sensei.

There was a major python upgrade from 2.7 to 3.7 in OPNsense 19.7. We have mechanisms to handle this, though it's possible to miss something.

Can we have a look at your system together? I'll be contacting you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 06:12:48 pm
Dear Sensei users,

Can anyone who is experiencing Elasticsearch issue contact me? We can't reproduce this in our test/PoC systems.

Any help is much appreciated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 08:31:13 pm
Quote
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issue where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add URLs to pull our favorite lists and a few popular ones preloaded to enable?

Hi @mow4cash, glad to hear that Sensei is of use for you.

The thing about reports might be due to abrupt shutdown of the firewall or /var directory being mounted as a tmpfs directory. Former breaks database indexes and latter one resulting in loss of indices after a reboot.

You can currently create user defined black/white lists and custom categories with user-defined web categories.

I guess what you're looking for is bulk addition, am I correct? I guess we can provide a functionality to bulk import URLs/Domains in the free edition. This could be an enhanced version of the current functionality where you can not only input a single domain but a batch of domains to any user defined category.

Would that work?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 09:35:41 pm
Thanks to @JohnDoe17's help, we figured out what's causing the Elasticsearch issue.

With 1.1 release, we had removed Elasticsearch package dependency (Because from now on, Sensei can also run with other databases).

With prior installation of Sensei, this means, elasticsearch is now an orphaned package.

OPNsense update triggered a pkg autoclean, which resulted in orphaned elasticsearch5 package being removed.  Reports data is not deleted and safe.

For the workaround, you'll need to re-install elasticsearch with this command;

Code:
pkg install elasticsearch5
1.1_2 is on the way to handle the new updaters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 11:00:16 pm
Dear Sensei users,

1.1_2 hotfix is out. This addresses the Elasticsearch issue.

Make sure you have Health Check enabled. It will take care of the rest and re-install the database for you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mow4cash on November 06, 2019, 02:35:58 am
Quote
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issue where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add URLs to pull our favorite lists and a few popular ones preloaded to enable?
You can currently create user defined black/white lists and custom categories with user-defined web categories.

I guess what you're looking for is bulk addition, am I correct? I guess we can provide a functionality to bulk import URLs/Domains in the free edition. This could be an enhanced version of the current functionality where you can not only input a single domain but a batch of domains to any user defined category.

Would that work?

That would be great to be able to bulk import lists. Would it be possible to have imports from URL?

When I use the live session report viewer I noticed there is only a blacklist action and not a whitelist action. Is this by design?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on November 06, 2019, 03:14:31 am
would be even great if it can also regularly import/update daily or weekly if not too much to ask.

@mow4cash
would all/most blacklist have the same format? like Shalla's Blacklists, the free ones.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on November 06, 2019, 09:39:06 pm
thanks this helped to fix it

Quote
Thanks to @JohnDoe17's help, we figured out what's causing the Elasticsearch issue.

With 1.1 release, we had removed Elasticsearch package dependency (Because from now on, Sensei can also run with other databases).

With prior installation of Sensei, this means, elasticsearch is now an orphaned package.

OPNsense update triggered a pkg autoclean, which resulted in orphaned elasticsearch5 package being removed.  Reports data is not deleted and safe.

For the workaround, you'll need to re-install elasticsearch with this command;

Code:
pkg install elasticsearch5
1.1_2 is on the way to handle the new updaters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 06, 2019, 11:38:55 pm
Quote
thanks this helped to fix it

@ckishappy, all welcome.

A quick note: we are aware of a problem with vlans. Looks like an ABI issue, and a re-compile is fixing. Will post an update soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on November 07, 2019, 09:52:27 am
How can I downgrade sensei back to 1.0.2? Or can anybody provide me an old package or download URL?

Version 1.1. patronizes me what I have to find moderate.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on November 07, 2019, 02:59:33 pm
I can block per host now with this update, nice. Are there plans for a "home use" subscription ? When deploying sensei I get the option to deploy for home use (10 devices), 25 devices etc. On the site where I can order a subscription it starts at 25 devices..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 07, 2019, 05:42:21 pm
@actionhenkt, happy to see that it worked well. Yes, we'll announce a home/small office subscription with an affordable pricing, very soon. (Hopefully late November/early December)

@hbc, just replied to your e-mail.

@tong2x, @mow4cash; we gave a bit of thought to this. We can provide an interface to process bulk domain/url imports. On the other hand, trying to pull the lists from list source URLs has multiple challenges. As @tong2x wrote, they have different formats, and trying to do that in the firewall itself; this looked like a separate project, which required additional resources from the team. If someone is willing to handle that, we are happy to provide an interface in Sensei's UI so that they can be easily managed (i.e. they appear as third party community categories, and can be checked in/out).


Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on November 07, 2019, 07:07:40 pm
Hello,

I just upgraded to version 1.1 of Sensei and find the new category presets in web controls too limiting as I am now locked in to the presets defined by Sunny Valley. I know the pricing for home versions will be coming shortly, however perhaps a better solution for restricting the web controls would be to limit the amount of categories selected to say 8-10 categories instead of predefined categories within set profiles.

Other than that I look forward to the subscription pricing for home users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on November 08, 2019, 01:09:47 pm
Quote
Hello,

I just upgraded to version 1.1 of Sensei and find the new category presets in web controls too limiting as I am now locked in to the presets defined by Sunny Valley. I know the pricing for home versions will be coming shortly, however perhaps a better solution for restricting the web controls would be to limit the amount of categories selected to say 8-10 categories instead of predefined categories within set profiles.

Other than that I look forward to the subscription pricing for home users.

I agree.

In my case, I use only 3 categories.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 10, 2019, 11:39:18 pm
@mb

I just upgraded my firewall from 19.1.10_1 to 19.7.6 again, and I'm having the same problem with elasticsearch.  It's not starting.  In fact, I don't think it's even installed.  It looks like engine 1.1_3 is used, so I assumed the issue would be fixed.

Are you aware of this?  Did I misunderstand the fix?

Also, if I just upgrade the 19.1.10 components (and not go to 19.7.x), it seems to break Sensei too in the same way.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on November 11, 2019, 01:07:42 am
Hello,

Apologies if this has already been covered.

Can Sensei and Suricata co-exist on the LAN interface yet?

Thanks for any update on this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 11, 2019, 05:32:49 am
@giovanit, @xpendable we'll release home subscription this week.

@JohnDoe17, elastic issue has been addressed with 1.1_3. Health check does the elasticsearch5 re-install if it was removed. Make sure health check is turned on. If it does not do the job, just run

Code:
# pkg install elasticsearch5
and you are good to go. Your data is safe, after reinstall you'll have your old reports.

@bunchofreeds, yes this is not addressed yet. This is now one of the things in the top of our list. Hope to have it end of this year or early next year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 11, 2019, 05:49:03 am
Dear Sensei users,

With 1.1_3, we think it is safe to officially declare 1.1 release is out.

@opnsenseuser, we were able to add Sensei Dashboard Widget to this release.

List of new features that have been shipped with 1.1:

Better low-end device support

Better Security
New security features for the Premium Edition:

More interface support

New Cloud Servers Infrastructure goes live

Reporting

Related Blog Post:

https://www.sunnyvalley.io/post/sensei-1-1-released-providing-support-for-low-end-devices-deciso-a10-opnsense-pcengines-qotom

Enjoy ;)

Your Sensei team.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Supergiovane on November 12, 2019, 11:09:19 am
Hello.
First of all, thank you very much for this plugin.
I tried installing it on Pondesk hardware and on a Supermicro server (in a VM).
On both, I can only achieve Small II (Max 50 users).
I've a home net with more than 50 devices (homekit devices, Konnex devices, Hue bulbs, IP Phones, 3 robot cleaners, a robot mower etc...). All of this requires a gateway to be able to update software and to be controlled on cloud.

My question is: after the first 50 devices Sensei sees, what happens to the others? How can I check what are the first 50 devices handled by Sensei?

Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on November 12, 2019, 11:24:18 am
Don't use dual stack or multiple ips per device. Sensei counts every ip address and sees ~60 devices in my lan, but there are only 18 real devices ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 12, 2019, 07:49:32 pm
Hi there,

I have a few questions:

Custom interval selection does not let me select any date later than August 7th although the selection of 24h, 7 days, 30 days in the drop down menu does work.

Furthermore show hostnames still keeps showing ip's only although this has been added to the reverse lookups. Opnsense shows hostnames in insight.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 13, 2019, 02:19:05 am
@Supergiovane, many thanks for trying Sensei and for your feedback. For now, we do not enforce hard limits with regard to device count. Currently, it's Ethical License. However, for memory efficiency, internal data structures are adjusted according to the deployment size, which means, if there's a sustained higher usage, it's probable that you might lose data.

@marcri, thanks for the answer. Asset Discovery is on the way ;) With Asset Discovery, Sensei will be able to associate IP addresses with a single device. This will also provide information about the specific device (Operating System, Hardware Vendor, Device Type etc.)

@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

Title: Re: Sensei on OPNsense - Application based filtering
Post by: puddles on November 16, 2019, 10:07:29 pm
I can block per host now with this update, nice.

Would you mind showing us how this works?  I have looked in the (sparse) documentation and I didn't find this per-host functionality (in the Free Edition).  I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies per-device basis.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 17, 2019, 02:44:04 am
I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies per-device basis.

Hi @puddles, many thanks for trying Sensei.

What @actionhenkt is referring to is the ability to whitelist individual destination hostnames/domain names via a shortcut from Live Blocked Sessions Explorer.

You're able to create policies per ip/subnet/vlan/interface/user/group with Policy Based Filtering which is available in Premium.

We'll also be announcing Home Premium Subscription the coming week. It'll have suitable pricing for the Home users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:04:41 am
@mb
Since Sensei now also officially supports low end hardware, I have now installed it on my live environment. but it does not work if i want to block facebook for example. I have attached all settings as a screenshot. what am I doing wrong? Can it be due to the firewall rules? Unfortunately, a restart did not help either. The sensei widget says, that everything is stopped and according to sensei status, it should work. strange

see my screenshots

thx
regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 08:12:48 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 08:16:41 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

thx the "active" folder has 122 mb. how should i send this to you?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 08:21:18 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

i have zipped it. now it has 8 mb.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:26:52 pm
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports
I did update sensei engine to 1.1_ before I updated opnsense to 19.7.6 and had to do a reboot to make sensei work again.
Although the fixed intervals (15 mins, 1h, ...) show me actual data.

In regards of dns: is it maybe dnscrypt proxy which interferes here?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:30:30 pm
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports
I did update sensei engine to 1.1_ before I updated opnsense to 19.7.6 and had to do a reboot to make sensei work again.

In regards of dns: is it maybe dnscrypt proxy which interferes here?

I´m using unbound with DoT.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:31:47 pm
and you can see resolved hostnames?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 09:32:36 pm
rene, i was able to reproduce the issue. thanks for the hand. 1.1_4 coming up shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:33:20 pm
Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:34:24 pm
rene, i was able to reproduce the issue. thanks for the hand. 1.1_4 coming up shortly.

that is fast. what´s the problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 09:35:44 pm
In regards of dns: is it maybe dnscrypt proxy which interferes here?

sol, the issue with rene is different. yes, if you have dns encryption most probably this is the reason.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 10:48:54 pm
that is fast. what´s the problem?

rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

sol, we're thinking of implementing "lazy dns resolution" for these cases like dns encryption. This will allow Sensei to do realtime dns query for any ip addresses for which it does not have a dns mapping in its cache. Most probably it'll ship Q2 2020.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 20, 2019, 09:28:46 am
that is fast. what´s the problem?

rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

sol, we're thinking of implementing "lazy dns resolution" for these cases like dns encryption. This will allow Sensei to do realtime dns query for any ip addresses for which it does not have a dns mapping in its cache. Most probably it'll ship Q2 2020.

you are the best. thx for your really fast response. i´ll test this later! :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 20, 2019, 04:04:57 pm
that is fast. what´s the problem?
rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

works. thx very much!! :-)

2 more questions:

1. is there a way to make a custom block html template? and perhaps upload it?
2. i get this error message in System: Firmware: Reporter
Code:
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 175
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 176
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 181
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 182
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 21, 2019, 03:53:50 am
Hi rene, you're all welcome. custom landing page is available within Premium Features. SOHO Edition is coming this week.

Dashboard widget error got already fixed in 1.2, which will also ship this week :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 21, 2019, 05:00:07 am
Hi rene, you're all welcome. custom landing page is available within Premium Features. SOHO Edition is coming this week.

Dashboard widget error got already fixed in 1.2, which will also ship this week :)

is there no standard block template in the free edition ?. because the message that I get when blocking a page is a connection error page. It is therefore difficult to determine if this is a real connection error or not.
the html block template that I found did not work. or is it intended?

best regards, rene

supplement:
I noticed now, if I use "app controls" and block for example, facebook, then there is no html block template but only a connection error page (see my screenshot). if I block a page under "web control", then comes the block template. Is it wanted like that? best regards, rene

Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on November 21, 2019, 10:49:20 pm
So I'm still experiencing issue where traffic completely halts shortly after the engine service is started. I never could figure out the problem so didn't use this for a while. I'm now on the latest version and it's still happening. I have a 4 port intel card where igb0 is LAN and igb1 is WAN. There's an onboard Realtek I'm not using (re0).

Searching in /usr/local/sensei/log/active I see this in the logs
Code:
root@OPNsense:/usr/local/sensei/log/active # egrep igb main*
main_20191119T000000.log:2019-11-19T10:45:28 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1
main_20191119T000000.log:2019-11-19T21:18:49 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1
main_20191120T000000.log:2019-11-20T19:16:42 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1

Why is WAN referencing igb0^? Shouldn't it be igb1?

If I grep for igb1 in the directory nothing comes back.

Here's another output from a worker logfile:

Code:
root@OPNsense:/usr/local/sensei/log/active # egrep igb worker0_20191120T000000.log | tail
2019-11-21T14:57:19 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:3 [ 33916 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:19 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:3 [ 33917 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:20 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]

Let me know what else I can provide to help troubleshoot this as I've noticed others have posted a similar problem. Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 22, 2019, 01:20:22 am
Hi Rene,

Yes, customizable block page is available in Premium.

1. With regard to how we display block page: we display Block Page only if it is an HTTP connection.
2. For HTTPS connections, since TLS comes early and client and server do not yet speak HTTP, we cannot display.
3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For the third item, I think there is a window of improvement there; since we can still detect if it is HTTP
and therefore we can display a block page.

For HTTPS connections, block pages will be available along with TLS feature.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 22, 2019, 01:32:43 am
Hi @tusc,

WAN in that file is an internal Sensei terminology and it is different from general firewall terminology. Sensei acts like a bridge connecting hardware rings of the ethernet driver and the Operating System network stack (with the help of netmap). Taking into account the fact that we're protecting LAN-facing interfaces, Sensei considers the Operating System side of the "virtual bridge" as WAN since packets going to/coming from that way are Internet-bound.

It is expected that packet flow can pause for 2-5 seconds during engine restarts. This is because once sensei starts running it initializes the interfaces in netmap mode which -in turn- causes them to go down/up.

If it halts the packet flow permanently, this is very interesting, which I would definitely want to have a look. Can you PM me so that we dive into this?
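The worker "Stats" lines quoted in the question can be compared sample by sample to see which rings have stopped moving packets. This is an added example, not part of either post and not Sensei code: the line format is inferred only from the quoted lines, the function names are hypothetical, and the ring labels follow the explanation in the reply above (`igb0:N` is a hardware queue, `igb0^` is the operating system side that the log calls WAN).

```python
import re
from datetime import datetime

# The ten "Stats" lines quoted in the question (two samples, one second apart).
SAMPLE_LOG = """\
2019-11-21T14:57:19 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:3 [ 33916 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:19 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:3 [ 33917 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:20 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]
"""

# Format assumed from the quoted lines: timestamp, side, ring, packet and drop counters.
STATS_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) INFO:\s+Stats (?P<side>LAN|WAN) "
    r"(?P<ring>\S+) \[\s*(?P<pkts>\d+) pkts, (?P<drops>\d+) drp, "
)


def describe_ring(ring):
    """Label a ring name the way the reply explains it."""
    if ring.endswith("^"):
        return f"{ring[:-1]} host stack"
    if ":" in ring:
        nic, queue = ring.rsplit(":", 1)
        return f"{nic} hardware queue {queue}"
    return ring


def parse_stats(text):
    """Return one record per Stats line; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        match = STATS_RE.search(line)
        if not match:
            continue
        records.append({
            "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%S"),
            "side": match["side"],
            "ring": match["ring"],
            "pkts": int(match["pkts"]),
            "drops": int(match["drops"]),
        })
    return records


def counter_deltas(records):
    """Compare the first and last sample of each ring (records in log order)."""
    first, last = {}, {}
    for rec in records:
        first.setdefault(rec["ring"], rec)
        last[rec["ring"]] = rec
    deltas = {}
    for ring, start in first.items():
        end = last[ring]
        deltas[ring] = {
            "side": start["side"],
            "seconds": (end["ts"] - start["ts"]).total_seconds(),
            "pkts": end["pkts"] - start["pkts"],
            "drops": end["drops"] - start["drops"],
            # A counter that goes backwards means it was reset in between
            # (for example by an engine restart), so the delta is not usable.
            "reset": end["pkts"] < start["pkts"],
        }
    return deltas


def stalled_rings(deltas, min_seconds=1):
    """Rings observed for at least min_seconds whose packet counter did not move."""
    return sorted(
        ring for ring, d in deltas.items()
        if d["seconds"] >= min_seconds and d["pkts"] == 0 and not d["reset"]
    )


if __name__ == "__main__":
    deltas = counter_deltas(parse_stats(SAMPLE_LOG))
    for ring, d in deltas.items():
        print(f"{d['side']} {describe_ring(ring):24} +{d['pkts']} pkts, "
              f"+{d['drops']} drops over {d['seconds']:.0f}s")
    print("stalled:", stalled_rings(deltas))
```

One second of data is too short to call a ring dead; run it over a longer excerpt of the worker log taken after the traffic halt and raise `min_seconds` accordingly.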
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 22, 2019, 04:56:21 am
@MB

How does soho work with the 15 device limit for those of us with well over that on our home networks?
Do we pick and choose what's protected or is it any device that's on the protected interface?
Title: index not found exception?
Post by: robvanhooren on November 22, 2019, 06:52:47 am
hi, fresh install, and I'm getting a ton of 'index not found exception' errors, with a lot of sensei panels displaying a red error box.

"An error occurred while report is being loaded!"

details and log excerpt below.

thoughts?

thanks.


Code:
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}


 -----8<-----{snip}-----8<-----
/usr/local/sensei/log/active

ipdr_streamer.log:2019-11-22T00:43:47.637231 response: {"took":0,"errors":true,"items":[{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}}]}


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on November 22, 2019, 11:46:10 am
Love the plugin!
Will there be a monthly option for paid home use?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 22, 2019, 02:52:56 pm
Hi Rene,

Yes, customizable block page is available in Premium.

1. With regard to how we display block page: we display Block Page only if it is an HTTP connection.
2. For HTTPS connections, since TLS comes early and client and server do not yet speak HTTP, we cannot display.
3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For the third item, I think there is a window of improvement there; since we can still detect if it is HTTP
and therefore we can display a block page.

For HTTPS connections, block pages will be available along with TLS feature.

thx for your information. this plugin is really really great!. great work! :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2019, 02:52:30 am
@donatom3, which devices would be out-of-scope is random and dependent on the memory state buffers. With device identification we'll enable user to select which devices to cover. For now, a higher tier would be more suitable. Also note that only IPv4 addresses  count, so if you have a dual stack, it won't affect memory buffer limits.

Having said that, as a gratitude to our BETA users like you, we'll be providing a suitable discount for higher tiers so that it would still be in the lower tier price range. More on this next week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2019, 02:56:41 am
@robvanhooren, can you try Sensei -> Configuration -> Reporting & Data -> Reset Reporting and see if that solves your problem. Make sure you don't have tmpfs enabled for /var directory.

rene, thank you very much for the feedback. We hope sensei will add more value in the future.

@Quetschwalze, many thanks for the feedback, glad that you loved Sensei. Yes, home subscription is coming late this week/early next week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 23, 2019, 05:01:44 pm
@mb, yes I had to wipe the database.

question: now that there is data to review, I see some sites are miscategorized.

how would you like to deal with reporting that, so it can be corrected? e.g., centos mirrors being declared malware/virus; opensubtitles.org being declared warez; etc....


Title: SOHO device count Re: Sensei on OPNsense
Post by: robvanhooren on November 23, 2019, 05:25:06 pm
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensei Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

 -- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 23, 2019, 08:20:39 pm
Engine Version:    1.1_4    
App DB Version:    1.1.1    
Rules DB Version:    1.1.1    

Reports / Security
Code:
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}

Errors also occur at Reports / Web
Although I cannot open view error message.

Furthermore since the update of sensei yesterday some sites aren't displayed fully with a running sensei.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on November 23, 2019, 08:44:27 pm
After taking out the custom option in web controls  from our hands, youtube not loading video after added in Auto Whitelist Hosts.
Maybe it's not a good idea to take feature after feature from the free version with every update after all...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on November 24, 2019, 09:29:46 am
After taking out the custom option in web controls  from our hands, youtube not loading video after added in Auto Whitelist Hosts.
Maybe it's not a good idea to take feature after feature from the free version with every update after all...

Same problem here, can't control anything anymore and have to allow everything. that's really bad!


And SOHO with 15 devices/ip addresses means 7 dual stack "devices" is really much too low, even for a one-person household.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: chemlud on November 24, 2019, 02:25:52 pm
If it's for free, you are not the customer, you are the product (or the beta tester...).

It's the Google principle: make them addictive for free, then start taking money for your stuff. That's the way it is these days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 24, 2019, 05:16:06 pm
@chemlud, not to distract from your rhetoric ..... I can't tell whether it was aimed @mb for Sensei, at Sophos for XG, at Deciso for opnsense itself, at Google because Evil(™), or just at everything and everyone in general :)

that said, the free = product is exactly what we have with the etPro-telemetry IPS option plugin here already (for example).

it's a consensual, opt-in model, and the quid pro quo is user data, in exchange for a better sigset from the vendor. the (hopefully GDPR-compliant?) data being exfiltrated to ProofPoint serves as substitute for an exchange of fiat currency in the transaction.

getting back on-topic to the thread ...

for the case of Sensei for home users, while the proposed price point is viable for that market segment, the SOHO paid version in the present circumstance is worse than the free version, due to a device cap that's way too low. so low as to be unusable in practice for anything other than non-serious demonstration purposes.

home users inclined to pay at all won't have issues paying $99/yr for a device count that's realistic for the current era.

15 was alright for 2004.
50 is reasonable for 2019.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 26, 2019, 02:45:57 am
@donatom3, which devices would be out-of-scope is random and dependent on the memory state buffers. With device identification we'll enable user to select which devices to cover. For now, a higher tier would be more suitable. Also note that only IPv4 addresses  count, so if you have a dual stack, it won't affect memory buffer limits.

Having said that, as a gratitude to our BETA users like you, we'll be providing a suitable discount for higher tiers so that it would still be in the lower tier price range. More on this next week.

@MB Can't wait for the home/discounted licensing.

Once Sensei can be integrated with firewall and routing rules I'll be able to start selling management on OPNSense + Sensei as an alternate offering for our customers. So it will be good if I can show them what it can pick up and report on.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 27, 2019, 03:34:56 am
@donatom3, @robvanhooren and others, many thanks for the suggestion & feedback. All noted, and being worked on.

1.2 is almost there. Running final tests. Hope to ship it this week. Will be back with more news this week.

Here's what will be coming with 1.2:

Home Premium Subscription

Performance

Reporting

Other
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 29, 2019, 09:53:10 pm
Dear Sensei users,

As promised, 1.2 is out.  With this release, you can purchase Home Subscription through Sensei User Interface. Monthly or Annual subscription is possible. You'll also be able to purchase the annual home subscription from the OPNsense webshop in a few days.

Other important improvements with 1.2:


For a full feature list, please see: https://www.sunnyvalley.io/post/sensei-home-for-opnsense

We've received much feedback about how we could be structuring the Home Edition. I would like to thank all of you. Thanks to this feedback, including @robvanhooren's comments, we've increased the device limit to 50 devices valid till January 1, 2020.

It looks like we need to work more on this. Please feel free to reach out to us at sensei -at- sunnyvalley.io and provide feedback.

At Sunny Valley Networks, our vision is to provide advanced persistent protection for everyone and everything. I hope this marks another milestone in realizing our objective.

Enjoy :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 29, 2019, 10:29:58 pm
thanks @mb

@admins, has Sensei grown enough to graduate to its own (sub)forum here? perhaps under the IDS category. :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 29, 2019, 10:33:48 pm
@mb this is great. The 50 device home limit should work for me depending on how sensei handles things. Even better that I can purchase right through the interface and use google pay to pay.
Title: Re: SOHO device count Re: Sensei on OPNsense
Post by: l0rdraiden on November 30, 2019, 10:26:08 am
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensei Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

 -- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )

@mb

He is totally right. I have IoT at home so I have more than 50 IP's to control and we are 3 in the house and one of them is a kid 3 years old, so the home plan is not for me.
The home version is already limited in features to consider it for an enterprise use, in fact it is hard to consider opnsense for enterprise use. So I wouldn't limit the home version based on number of devices, it's already limited in must have enterprise features.

In addition I consider the price a little bit high considering you have sophos XG home edition for free or that you can build something similar in terms of protection with pfblockerng.

By the way Sophos XG Home edition has no limit in IP's or devices, the only limit is that only uses 4 Cores and 6 GB of RAM.

For less than 30$ per year I would think about it but considering that Sophos XG home edition is free...., or maybe 100$ for a lifetime plan for home users.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on November 30, 2019, 01:36:59 pm
@mb: I do have a few questions regarding Sensei:

how is it decided how big the environment can be during setup (with 6 GB of RAM it offers me Home 10 users, Home 15 users and Small 25 users; with 8 GB of RAM I get the full list offered until Xlarge with 1000 users)?

when uninstalling Sensei (and Sensei was installed with MongoDB) - why is the MongoDB not removed even if those two checkboxes are checked during uninstall? (the checkboxes are named "Remove Reports data" and the "Remove all install directories")
how can MongoDB be uninstalled? because the security check in the OPNsense update area tells me that there are security vulnerabilities with MongoDB...

during uninstall and reinstall a few settings are remembered (i.e. TCP service security password in Configuration>General) - seems like the "remove all install directories" switch is not working properly?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on November 30, 2019, 03:07:37 pm
Analysis of sensei 1.1:
Equipment:
CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8GB
Sensei: good
Sensei plus Suricata: bad
(opnsense blocking)
netmap suricata error
For when compatibility sensei - suricata?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 03:34:13 pm
@l0rdraiden, thanks for further input. We're having an active discussion with people who are providing feedback on pricing / features. Current final picture of the Home Edition has been shaped with this feedback. Feel free to jump into the conversation by sending an e-mail to sensei - at - sunnyvalley.io. Though I do not expect much change with regard to Home Edition, since there's also a maintenance overhead on the vendor, which is much higher with smaller numbers of deployments. 

@robvanhooren, @donatom3 you're all welcome. Thanks for the feedback.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 04:03:04 pm
@the-mk, for mongodb, it should be up to 50 actually (fixed for 1.2.1).

The threshold for running Elastic Search is whether RAM is below or above 8GB. Under 8GB, mongodb provides a lot better results. With a resourceful hardware, Elastic Search is the way to go. Under 8GB and with mongodb, we have not yet tested Mongodb with larger workloads, so for now we keep it up to 50 devices.

For a hint: we have had reports of deployments with 16GB RAM protecting around 1000 devices, using Elastic Search.

You're right. mongodb/elastic should also be removed during uninstall. (fixing for 1.2.1) You can manually uninstall it via System -> Firmware -> Packages.

We're shipping mongodb 4.0.12 which has proper fixes for OpenSSL flavor. LibreSSL flavor looks fine.

Remaining configuration is the one which we place in config.xml. Yep, that should be removed as well if user wants everything deleted. (fixing for 1.2.1).

Thanks for the heads-up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 04:15:41 pm
@yeraycito, Suricata <-> Sensei interoperability is in short-term roadmap and should appear in early next year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on November 30, 2019, 06:01:54 pm
@mb - thanks for the feedback, looking forward to 1.2.1!

since I wanted to reduce the RAM footprint of my OPNsense installation on my VMware host, I tried running it with 6 GB (coming from 8 GB; target is 4 GB) - so the MongoDB got installed during Sensei installation. With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

BTW: I like it that the available views are now configurable on the Sensei dashboard!

another "issue" - sometimes when I look at the "top local hosts" on the dashboard, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 06:12:44 pm
Quote
With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

Correct. 50 should be there. 1.2.1 will address this. Since 1.2.1 is a hotfix, we will ship it quick. It should arrive early next week.

Quote
uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

You're right. Alternatively you can just remove it from the ssh console:

Code:
# pkg remove mongodb40
Quote
BTW: I like it that the available views are now configurable on the Sensei dashboard!

Glad to know that :)

Quote
another "issue" - sometimes when I look at the "top local hosts" on the dashboard, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?

This will get resolved with device identification. We will track devices with their MAC addresses and associate IPv4/6 addresses with a unique device. Hoping to have this for 1.3 since this also has implications with regard to licensing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on December 02, 2019, 09:51:41 am
Hello @mb,

some small findings:

1. Filter on Policy Id  (from pie-graph -> Sessions Detail) in Reports (created a new policy before) shows only a rotating circle.
Home Edition bug?

2. Block a URL via Action from Reports -> Connections -> Live Session Explorer results in the following message:
Code:
Error
Could not find: msmetrics.ws.sonos.com

In Version 1.1 a new Category "Auto Blacklist Hosts" is created. In version 1.2 (Home Edition) the category would not be created. And message above appears.
Home Edition bug?

3. Under Reports -> Security -> Live Blocked Sessions Explorer the column "source ip" (my LAN IPs) shows also the different country flags of the "Dest Hostname" column.
General bug?

Edit: I also did a reset of the config and started from scratch. Same results.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2019, 12:03:54 am
Hi @opnip, thanks for the heads up. Quickly checking if we are able to reproduce these. Will update the thread soon.

Update: all bugs confirmed and fixed. Fixes will appear in 1.2.1. this week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on December 04, 2019, 07:53:55 am
Hi,

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

It is possible to see the packages in "Firewall: Log Files: Live View" for example.

=> How would I do this in Sensei?

In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

Best regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 05, 2019, 02:39:08 am
@mb I'm running into that bug that I reported back during beta again. The one where after a reboot of OPNSense once the Sensei Packet Engine starts it cuts off all traffic to protected interfaces. I have to use another interface to restart the Sensei Packet engine. I also verified it did this again with "Enable engine heartbeat monitoring:" turned off or on.

I did submit a report through the interface with logs. Hopefully that helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: stephan79 on December 05, 2019, 07:17:44 am
Hi,

Got a question about subscription key/code: can you use that on multiple firewalls?
(haven’t found any info on this)

I’m running 2 FW’s with HA for production and 1 in LAB for testing purposes.
But if I must buy a subscription per FW then the cost would be too much for me.  :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 07:29:25 pm
@jf2001j, many thanks for trying Sensei and your suggestions.

Quote
I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

This would be a cool feature, though not trivial to implement. Reason is that Sensei deploys on inner-facing interfaces; and to be able to inspect firewall's own traffic, we'll need to also deploy on WAN interface, which would mean we would produce duplicate logs (since the traffic has already got inspected on the inner-facing interfaces).

Quote
In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

I guess you mean Sensei Menu on the left. Well noted.

Quote
@mb I'm running into that bug that I reported back during beta again.

@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 07:36:17 pm
@stephan79, we're planning a scheme on the HA license. Will keep you updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 05, 2019, 10:02:38 pm
Hi again, mb. Another minor bug or "feature":
In Web Controls, Auto Whitelist Hosts, there is a field "Send this re-categorization as a feedback to Sensei Team to improve web categorization." that won't remember its setting. Every time when I log on and go to this menu to add another site, it's ticked on. I turn it off every single time before saving.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 10:10:07 pm
Hi @Antaris, thanks, well noted. This will ship with the next release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on December 06, 2019, 05:57:02 pm
@mb

Please consult the attached picture...

Is this message normal?  What does it mean?

Thanks.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 07, 2019, 03:30:39 am
Hi @JohnDoe,

This is HardenedBSD's SEGVGUARD. Message means, sensei engine terminated once and SEGVGUARD tracked the application for some time to make sure somebody is not trying to do a memory-guessing brute-force attack.

If it was, the mechanism would have stepped in and prevented further restarts of the process.

Although, this does not have a practical effect on your traffic, we would like to analyze these to find the root cause and fix the root problem.

When for any reason sensei engine is terminated, it is automatically restarted; and traffic flow resumes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on December 08, 2019, 09:42:00 am
I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

Privacy is my concern. I use Sensei for getting an overview over IoT devices, but also want to trust that Sensei itself does not do unwanted connections. For this I have disabled all settings inside Sensei for connections to the Sensei backend, including auto-update.

Could you please describe why the JS from stripe.com included in several Sensei Dashboard webpages is loaded and why it posts data to https://m.stripe.com/4?

I'm also wondering why I did get the notification "Engine 1.2.1" is available for update inside Sensei without auto-update. But I don't have facts here. Perhaps an error on my side.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 09, 2019, 09:39:27 pm
@jf2001j, understood and well respected.

Stripe is our payment backend. This JS needs to get loaded if you want to do an in-app purchase for Sensei Subscription. Though, it might be better to delay its loading until the user opens "Upgrade to Premium" menu, instead of loading it during Sensei UI initialization routines.

If you disabled "Check For Updates Automatically", Sensei should not contact our update server anymore. If you did see a new update notification, two possibilities:

1. This could be a cached result of an update check done before you disabled auto updates.
2. You could have manually invoked "Check for updates" from Sensei -> Status and, this could be a cached result of this operation.

Thank you for your attention. Feel free to get back to us (you can also e-mail to privacy - at - sunnyvalley.io) if you see anything that needs further  attention here.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2019, 11:18:26 pm
Dear Sensei users,

Sensei 1.2.2 is out fixing some minor problems reported.

https://www.sunnyvalley.io/post/sensei-1-2-2

Enjoy,
Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on December 10, 2019, 11:59:17 pm
Quote
@mb I'm running into that bug that I reported back during beta again.

Quote
@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.

@mb, is this resolved in 1.2.2? I thought my issue was fixed when I disabled other services like maltrail and ntopng but I still see this problem. I just updated to 1.2.2 and about a few minutes after the packet engine is started I lose complete access to the firewall and Internet. Let me know what logs I can provide to help figure this out. Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2019, 12:18:15 am
Hi @tusc, nope, we have not addressed that one. It's a nasty bug, which we cannot reproduce. Working on it. If you can send the /usr/local/sensei/log/ directory over to us via e-mail that would be great. Email to send: sensei - at - sunnyvalley.io

or

Click on Contact Sensei Team on the upper right hand corner, select Problem Report and make sure you select "Send logs" option.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on December 11, 2019, 12:41:01 pm
@mb Would it be possible to have the Firewall Aliases available in Sensei's Policy Configuration as well? Adding IP addresses in two places feels redundant.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2019, 05:49:33 pm
@Quetschwalze, this would be a great feature. Added to the 1.3 workload ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jh on December 12, 2019, 03:17:29 pm
hi mb,
i'm already using the free version for some time now and thinking about buying the home edition
so i still have some questions about the upper limit of 50 clients for the home edition.
My daily sensei report for the free version shows me an entry "Unique Local Hosts". Is this the value I can orientate myself on for the limit of 50?
How is the number of clients exactly calculated?  IPs in use?
What about clients/ip-addresses that are already blocked in the opnsense firewall and don't generate any traffic through the firewall at all? are they included in the calculation?
Currently I get 29 hosts displayed under Unique Local Hosts. But this is not correct. Only when I additional count my default gateway, coupling networks on the WAN side I get 29 clients.
what exactly happens when the maximum is exceeded?

Thank you
Juergen
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on December 12, 2019, 06:22:55 pm
Quote
@Quetschwalze, this would be a great feature. Added to the 1.3 workload ;)

Awesome, looking forward to that!

I have a question I'm not sure whether it's been asked before.
I'm utilizing policies to have different features active for different subnets. However, this only seems to work for me in conjunction with VLANs. If I try to bind a different policy on an untagged / default VLAN (only using the IP / Network Description) it's not working. Only the Default Policy shows up in the reports. Is this expected?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 12, 2019, 08:07:15 pm
Hi @jh,

Internal memory buffers are adjusted according to IPv4 hosts. You don't need worry about IPv6 addresses.

Unique Local Hosts include both IPv4 and IPv6 addresses. If you want to see only IPv4 addresses, add a "Transport Proto" filter (Add Filter button on the top of Reports page) as TCP. Then the number of unique hosts value shows your actual device count.

We're updating Conn - Facts information to better show this information. With 1.3, you'll also have "Unique Local Devices" information.

So, for your Home Subscription, we had set it to 50 for providing a peace of mind; so it should be enough for Home use. If in any case, number of devices exceeds this, provided that it's not sustained, it should not cause a problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 12, 2019, 08:14:15 pm
Hi @Quetschwalze,

Subnet/IP address based policies should work with or without VLAN. Let me reach out to you, and see what goes on there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 06:50:07 pm
Dear Sensei users,

Sensei 1.2.3 maintenance release is out. Below is the Changelog:

Premium
Reporting
Other

Enjoy ;)
Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on December 16, 2019, 06:58:13 pm
Other
Fix: Increase netmap buf_num value to accommodate both Suricata and Sensei on high-end servers

compatibility sensei - suricata low-end devices?
CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8GB
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:01:03 pm
Hi @yeraycito,

dev.netmap.buf_num value was low if both Sensei and Suricata was run on -even- different interfaces. This was due to some high-end network adapters having multiple Rx/Tx queues, and thus requiring more kernel memory.

Work on Suricata+Sensei running on the same interface is underway.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on December 16, 2019, 07:07:19 pm
I can't deactivate "US-East" Cloud-Node
Machine Version:    1.2.3
UI Version:    19.12.14
Database Version:    1.2.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:16:19 pm
Hi @marcri, sensei needs at least two cloud nodes. You should be able to select any other node as the second one. Can you confirm that this is the case? If not let's check it out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on December 16, 2019, 07:36:25 pm
Quote
Hi @marcri, sensei needs at least two cloud nodes. You should be able to select any other node as the second one. Can you confirm that this is the case? If not let's check it out.

Hi @mb, selecting another second node works.
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:37:54 pm
@marcri, that's good to hear. A side note: we'll launch another Europe node in the coming year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Kruemel on December 17, 2019, 11:50:01 pm
Hi,

just wondering: I set up sensei to block advertisements. Sometimes I get the page:

#################
The page you are trying to access is restricted by your organization.

Reason:   Advertisements site access
Client IP:   192.168.1.30
Remote IP:   91.215.103.xxx
Application:   Web Browsing
Application Category:   Web Browsing
Web Category:   Advertisements
#################

And sometimes the connection is just reset: ERR_CONNECTION_CLOSED

Why is this?

Thanks and best regards
Marco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 18, 2019, 01:26:07 am
Hi Marco, many thanks for trying sensei.

This happens if the blocked connection is not speaking HTTP. Sensei displays Landing Page only if it is an HTTP connection.

For HTTPS connections, since TLS comes early and client and server do not yet speak HTTP, we cannot display the landing page (behavior to change with TLS inspection feature, see below)

3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For HTTPS connections, block pages will be available along with TLS inspection feature.

For more FAQ, see: https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 18, 2019, 04:36:33 pm
@mb

Today I did an opnsense firmware update to 19.7.8

After this update I can't start mongodb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 18, 2019, 08:18:52 pm
@mb

Today I did an opnsense firmware update to 19.7.8

After this update I can't start mongodb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don't know where the problem is!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on December 18, 2019, 08:32:01 pm
Same for me. Decided to uninstall and not install anymore.

@mb

Today I did an opnsense firmware update to 19.7.8

After this update I can't start mongodb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don't know where the problem is!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 18, 2019, 08:54:58 pm
Same for me. Decided to uninstall and not install anymore.

@mb

Today I did an opnsense firmware update to 19.7.8

After this update I can't start mongodb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don't know where the problem is!
And the relation to the problem of this thread is??
Can you be more specific why you abandon Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on December 18, 2019, 09:00:06 pm
Simple: every Opnsense update Sensei stops working.
Same for me. Decided to uninstall and not install anymore.

@mb

Today I did an opnsense firmware update to 19.7.8

After this update I can't start mongodb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don't know where the problem is!
And the relation to the problem of this thread is??
Can you be more specific why you abandon Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 18, 2019, 09:28:31 pm
Simple: every Opnsense update Sensei stops working.
Sensei is a relatively new addon to OPNsense. Mongodb in it is even newer. I think we need more patience here...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 18, 2019, 09:35:33 pm
Ok, I think I have an idea about what's going on:

19.7.8 update seems to remove mongodb40 and dependencies.

Code:
=====
Message from opnsense-19.7.8:

--
Roar!
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages:

Installed packages to be REMOVED:
boost-libs-1.72.0
icu-65.1,1
snappy-1.1.6_1

Number of packages to be removed: 3

Update: Problem is related to mongodb package. Elasticsearch is fine. We're shipping new mongodb40 packages momentarily. Will update the thread.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 19, 2019, 01:44:41 pm
@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in version mismatch between mongodb (which is hosted in SunnyValley repo) and boost-libs package (which is hosted in OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.
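
The failure described above (a firmware update removing packages that a separately hosted package such as mongodb40 depends on) can be spotted by scanning the update output before restarting services. The script below is an added example, not Sunny Valley's tracking script: the function names and the `example-lib` dependency are hypothetical, and the sample log is constructed from the removal list quoted earlier in the thread.

```shell
#!/bin/sh
# Added example. Assumption: the dependency names passed in are the ones the
# separately hosted package needs; on a live system they can be listed with
# `pkg info -d mongodb40`.

# Constructed sample: removal section of the 19.7.8 update output from the thread.
sample_update_log() {
cat <<'EOF'
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages:

Installed packages to be REMOVED:
boost-libs-1.72.0
icu-65.1,1
snappy-1.1.6_1

Number of packages to be removed: 3
EOF
}

# removed_packages: read update output on stdin and print the bare name of
# every package listed under "Installed packages to be REMOVED:".
# Handles the "name-version" layout shown in the thread; a "name: version"
# layout is accepted as well.
removed_packages() {
    awk '
        /^Installed packages to be REMOVED:/ { in_list = 1; next }
        in_list && /^Number of packages to be removed:/ { in_list = 0 }
        in_list && NF {
            name = $1
            if (name ~ /:$/) sub(/:$/, "", name)      # "name: version"
            else             sub(/-[^-]*$/, "", name) # "name-version"
            print name
        }
    '
}

# at_risk_dependencies DEP...: read update output on stdin and print each DEP
# that the update is about to remove.
at_risk_dependencies() {
    removed=$(removed_packages)
    for dep in "$@"; do
        # -x matches the whole line, so "icu" does not match "icu-le-hb"
        if printf '%s\n' "$removed" | grep -Fxq -- "$dep"; then
            printf '%s\n' "$dep"
        fi
    done
}

# check_update DEP...: return 1 (with a warning on stderr) when the update
# output on stdin removes any of the given dependencies, 0 otherwise.
check_update() {
    hits=$(at_risk_dependencies "$@")
    if [ -n "$hits" ]; then
        echo "WARNING: update removes dependencies still required:" >&2
        printf '  %s\n' $hits >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; example-lib is a hypothetical dependency
# that the update does not touch.
sample_update_log | check_update boost-libs icu snappy example-lib \
    || echo "re-check mongodb40 before restarting the reporting database"
```

A non-zero result means the database package should be reinstalled or updated from its own repository before the reporting service is started again.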

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 19, 2019, 01:47:50 pm
@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in version mismatch between mongodb (which is hosted in SunnyValley repo) and boost-libs package (which is hosted in OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.

Thx very much for your fast support👍

Regards,
Rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2019, 10:42:34 pm
Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: With 1.3 release onwards, Sensei will drop supporting OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues

What is new in Sensei 1.2.4:

Premium

Application Database

Reporting

Other

Wishing you holiday cheer and a happy new year.
Sensei Team

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 29, 2019, 11:58:45 am
Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: With 1.3 release onwards, Sensei will drop supporting OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues

What is new in Sensei 1.2.4:

Premium
  • Fix: Modifying an existing Policy
  • Fix: Deleting Exempt VLAN/Networks

Application Database
  • New app signatures for TikTok, Discord App, GroupMe, Houseparty

Reporting
  • Fix: Drilling down to a local host (specifically IP addresses with hostnames associated with them)

Other
  • Fix: Reset factory defaults also resetting policies
  • Revert: netmap buf_num value to OPNsense default.
  • Other performance and reliability improvements

Wishing you holiday cheer and a happy new year.
Sensei Team

great news. thx very much! :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manf0001 on December 29, 2019, 05:16:58 pm
Hi, I've been testing out the home license of Sensei and I must say it's a nice addition into opnsense.  I have moved from Sophos (formerly Astaro) UTM.  And while there were lots of great features in that, I'm pretty sure that opnsense and sensei together are a nice replacement.

I have some feedback more like feature requests or suggestions. 

1) I am using policies for the web security.  One for my wife's and mine devices and another controlled policy for the kids.  It would be a good feature to include Quota's for sites..  Ie:  Kids spend all day on Youtube.. if I can place a 2 hour limit on youtube then when it reaches that two hour mark,  either in one sitting, or two 1 hour viewings or four 30mins, etc over the course of a day, then when that time is up no more youtube until the next day.

2) Under the security settings, would like to have a test option.  You create a policy and have a user name or IP linked to it.  (I use static IPs so this is not an issue)  setup the sites I want to block etc..

But then the test option can be to put in a domain name, and the IP address of user name of who I want to test the policy out as and the output tells me that yes that site is blocked or allowed for this computer/user using this policy and what category under App and Web control it falls under.   This is also a good troubleshooting tool too, as maybe you blocked a category or two, then a site or app that is ok is not working, and you can use this feature to determine that oh,  it looks like its under this category and then you can make what adjustments you need to make.

Overall I am enjoying it, and am looking forward to new features.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 29, 2019, 10:32:18 pm
Revert: netmap buf_num value to OPNsense default.

How increased was memory consumption?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 30, 2019, 08:00:46 pm
@opnsenseuser, all welcome, enjoy :)

Hi @Antaris,

It had increased the wired kernel memory around 1 - 1.5 GB. So, for now we reverted it until we implement another solution (i.e. adjusting this according to the available RAM in the system).

Hi @manf0001,

Glad to hear that you're enjoying your subscription. Quick answers to your questions/requests;

Quote
Under the security settings, would like to have a test option.  You create a policy and have a user name or IP linked to it.  (I use static IPs so this is not an issue)  setup the sites I want to block etc..

Got it.

For now, you can view which connections are matching your newly created policy by drilling down to the specific policy. (i.e see Sensei - Drilling down to details: https://www.youtube.com/watch?v=sRvI7oAz2ac)

Quote
It would be a good feature to include Quota's for sites..  Ie:  Kids spend all day on Youtube.. if I can place a 2 hour limit on youtube then when it reaches that two hour mark,  either in one sitting, or two 1 hour viewings or four 30mins, etc over the course of a day, then when that time is up no more youtube until the next day.

Yep, we have this in the roadmap. This will be one of the features you'll see in the new year. Feel free to suggest more. You can also suggest more features via "Contact Sensei Team" option in the top right side of the Sensei UI.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on December 31, 2019, 11:40:05 am
I've had an on-going issue with my OPNsense box, which I believe Sensei is the culprit. Having uninstalled it, all seems fine. Here's the rundown:

- Bought new QOTOM hardware (primarily to try out Sensei - having run OPNsense successfully for some time on an APU2C4 box)
- Setup QOTOM box, and installed Sensei
- Have a few VLANs configured, so set the main LAN interface (igb0) as the Sensei protected interface
- Additionally, configured a new WAN interface (attached to a 2nd DSL line - but not using failover, etc. Just routing some traffic out an alternate WAN link)

Then, a problem started whenever the OPNsense box rebooted. Initially, this was just during an upgrade but for troubleshooting I also rebooted it.

The issue was that the LAN interface was no longer reachable, so no internet connection for any hosts on any VLAN.
Using the serial console connection on the box, from a shell i could ping outbound (both gateways), but could not ping any internal hosts. No igb0 traffic was being routed.

Rebooted again this morning (due to an error with Sensei reports not showing), and the same thing. After a 'reload services' (serial console option 11?) - some traffic on the default VLAN was working okay. But other VLANs were not.

I then noticed in the DHCP server log that discover packets from clients that were supposed to be on the 'other' VLANs was showing up on the default VLAN, and the DHCP server was offering IPs from the default VLAN (no subsequent DHCP requests were showing up though). Why would traffic from other VLANs be showing up on the default VLAN ???

3 main things had changed since the issues started: 1. new hardware, 2. installed Sensei, 3. Added new WAN interface

So, first off I uninstalled Sensei, rebooted ... and all was working with no issues.
Rebooted again, still working.

For now, it seems Sensei was the problem. No idea what it was doing to my VLAN traffic.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 31, 2019, 12:39:55 pm
Hi @apiods,

If you have a free port, enable it without setting an IP on it and name it TRUNK :) After this, assign the VLANs on it. Not on the LAN port.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on December 31, 2019, 05:01:20 pm
If you have a free port, enable it without setting an IP on it and name it TRUNK :) After this, assign the VLANs on it. Not on the LAN port.

I do have a spare interface. So, you mean add a new interface (label TRUNK, no IP), then move the existing VLANs onto the new trunk interface ? Assume I'll also have to tag the previous default VLAN now.

Is that the preferred way to configure VLANs - I couldn't see a guide for this ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 01, 2020, 04:52:01 am
There is no one. It's from BSD. Don't use tagged and untagged packet on the same interface with Sensei. Try it and give feedback, please...

@mb
May be from last version Configuration >> Deployment Size can't be changed. It hangs web page on "Saving changes" and nothing happens.
On 3 different routers...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on January 03, 2020, 10:20:00 am
There is no one. It's from BSD. Don't use tagged and untagged packet on the same interface with Sensei. Try it and give feedback, please...

Working on it. Have the trunk now setup (had some interesting times trying to get it to work with my unifi switch/APs, but have now simplified my overly complex config, hopefully).

Just making some final tweaks and then I'll look at re-installing Sensei and see how it goes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 03, 2020, 09:23:27 pm
@mb
May be from last version Configuration >> Deployment Size can't be changed. It hangs web page on "Saving changes" and nothing happens.
On 3 different routers...

Hi @Antaris,

Confirmed & fixed. We'll ship this and a few other fixes with 1.2.5 in a couple of days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: AlexV on January 04, 2020, 03:18:36 am
Hi All,
I have used OPNsense since August 2019.
I have the firewall installed in a virtualized environment for testing purposes.
The firewall is configured in this manner:
Squid transparent proxy + ClamAV
Unbound DNS + DNSCrypt Proxy
Suricata on the WAN interface (ET Pro Telemetry)

I have also configured a captive portal (on another interface, emulating free WiFi access)
and configured IPsec and an OpenVPN server.

I have installed Sensei, but I see that with this configuration Sensei doesn't block any site, even ones listed in App or Web or in a user-defined category.
I suppose that this behavior is caused by the Squid proxy or by the DNS configuration. Is there a way to configure Sensei to work with this configuration?
For the moment I don't want to disable Squid or DNSCrypt Proxy.
If this type of configuration isn't supported, is there hope that Sensei can support it in the future?

Best Regards

A.V.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2020, 03:26:35 am
Hi @Alex,

Can you reach out to us using the "Contact Sensei Team" menu in the Sensei UI? Do not forget to check the "Share Sensei program logs"  option in the form.

This configuration should work with Sensei. Let's see what's going wrong.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 04, 2020, 09:18:22 am
I'm making a very heavy mess with one HP Z230 now.... Sensei installer detected low-end hardware (Xeon E3-1240 v3 / 8GB DDR3) or can't start the test at all - "Hardware configuration could not be detected!" Will make a clean install of OPNsense first because I messed up the interfaces pretty much: 2 WANs, LAN, TRUNK and 3 VLANs on a discrete i340-T4. Between the experiments I updated the BIOS with the NIC removed, and once OPNsense booted with only the onboard NIC, the interface assignments and firewall rules got totally messed up :) Sensei even considers the second WAN as protectable...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 08, 2020, 03:07:17 am
Dear Sensei users,

Sensei 1.2.5 is out with some bug-fixes:

Filtering
Fix: firewall reboots causing default policy rules being deleted

Reporting
Scheduled Reports: errors are now communicated through the user interface

Configuration
Fix: deployment size setting
Fix: re-assigning network interfaces

Enjoy.
Your Sensei Team.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on January 08, 2020, 07:44:38 am
every time it updates,
Security-> Essential security

all setting gets disabled
i am using the free version
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on January 08, 2020, 03:37:44 pm
I just updated to 1.2.5 and can't startup mongodb. I get the error on the attached image.

I'm also still seeing loss of traffic after starting up the engine after a few minutes. Pings to the firewall drop and Internet access is dropped. What logs can I provide?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 08, 2020, 03:40:45 pm
@tong2x, @tusc,

Can you use "Contact Sensei Team" menu (located on the upper right hand side of the screen) to send a problem report.

We'll follow-up there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 08, 2020, 03:51:51 pm
Hello,

I also use sensei free version, for six months.

At each update the parameters are reset in two places.

sensei / security / essential security

sensei / web controls

We have to reselect our choices.

Although it has been reported many times.

Regards, my mother tongue is French
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 06:16:57 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 10, 2020, 09:01:02 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

i have the same Problem. had to uninstall sensei to get my firewall working again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 09:33:41 am
Hello,

mb, I confirm this malfunction in sensei/reports since the OPNsense 19.7.9 update

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "conn_all",
        "index_uuid": "_na_",
        "index": "conn_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "conn_all",
    "index_uuid": "_na_",
    "index": "conn_all"
  },
  "status": 404
}

Regards.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 10, 2020, 02:23:38 pm
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

After updating to opnsense to 19.7.9_1 everything works again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 03:06:45 pm
19.7.9_1 did not work for me...
but there was no official announcement forum for that tiny patch? usually Franco adds some info to his release post?
if I read the logs right PHP might be missing the libraries for MongoDB?!?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 03:45:23 pm
Hello again,

Version 19.7.9_1 fixes NOTHING.

Regards.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 03:58:05 pm
finally Franco added some notes to the 19.7.9 release - but nothing Sensei or PHP related - only a small GeoIP thingy...
after uninstalling and reinstalling sensei the issue was fixed. I can see the graphs again...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 06:24:01 pm
Good evening,

For the malfunction between sensei and the opnsense update 19.7.9_1, I tested two methods:

1) on OPNsense 19.7.8-amd64 update to OPNsense 19.7.9_1-amd64 & SENSEI / dashboard and report is in php error

2) on OPNsense 19.7.8-amd64 before migrating,
(sensei / statute) I stopped sensei packet engine & db services and start on boot
(system / firmware / plugins) updated to 19.7.9_1
(sensei / status) I activated the sensei packet engine & db and start on boot services
FAILURE sensei / dashboard and report do not work any graphics.

My solution:
To restore the functioning of SENSEI
Sensei / configuration / uninstall

-stop sensei packet engine
- reset to sensei factory defaults & yes
-follow the wizard: / install database & proceed / next / interface selection / next / cloud reputation / next / sensei cli / next / updates & health check / next / deployment size / next / finish / finish
-power / restart & yes

SENSEI WORKING AGAIN

cordially
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 10, 2020, 07:26:59 pm
I think it'll be best if we can include mongodb in the opnsense repo. Let me talk with the OPNsense team to see if there is a chance.

Will keep the thread updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 11, 2020, 10:50:31 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

After updating to opnsense to 19.7.9_1 everything works again!

1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 11, 2020, 11:29:23 am
After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 11, 2020, 12:29:21 pm
1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works

do you uninstall sensei everytime an OPNsense update is available?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 11, 2020, 06:15:47 pm
Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that 100% of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 12, 2020, 08:22:58 am
Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that 100% of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.

sensei is a really great plugin. I also know that you and your team will solve the problem.
But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.
but i know i will reinstall it as soon as the problem is fixed. thanks again for your great support.

Regards
Rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: greeno on January 12, 2020, 01:30:02 pm
same here after last update, seems not working correctly... uninstalling necessary?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on January 12, 2020, 04:29:30 pm
But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.

I had a similar problem - my LAN interface was unreachable after a reboot of the OPNsense box, so no Internet access.
Uninstalling Sensei fixed the problem.

On this thread, I was advised:
Quote
Don't use tagged and untagged packet on the same interface with Sensei

Which is what I had - a native (untagged) VLAN on the same interface as a trunk (tagging a few other VLANs).
I have now added another interface - a trunk with no native VLAN, and tagging all VLANs on that interface.
But, I have not re-installed Sensei yet - just waiting as there seem a few install issues still. Once these are sorted, I will install and try again.
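
The layout described in this post (a parent interface that carries untagged traffic and also has tagged VLANs on it) can be spotted from `ifconfig` output. The following is an added example, not code from the thread or from Sensei; the sample output is constructed, the function names are hypothetical, and it assumes that a non-link-local address on the parent means untagged traffic is in use there.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output (documentation addresses only).
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
\tinet6 fe80::200:5eff:fe00:5301%igb0 prefixlen 64 scopeid 0x1
\tstatus: active
igb0_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.1 netmask 0xffffff80 broadcast 198.51.100.127
\tvlan: 20 vlanpcp: 0 parent interface: igb0
igb0_vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.129 netmask 0xffffff80 broadcast 198.51.100.255
\tvlan: 30 vlanpcp: 0 parent interface: igb0
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:02
\tinet6 fe80::200:5eff:fe00:5302%igb1 prefixlen 64 scopeid 0x2
\tstatus: active
igb1_vlan40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
\tvlan: 40 vlanpcp: 0 parent interface: igb1
"""

IFACE_RE = re.compile(r"^(\S+?): flags=")
INET_RE = re.compile(r"^\s+inet6? (\S+)")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")


def parse_ifconfig(text):
    """Return {ifname: {"addrs": [...], "vlan": id or None, "parent": name or None}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"addrs": [], "vlan": None, "parent": None}
            ifaces[m.group(1)] = current
            continue
        if current is None:
            continue
        m = INET_RE.match(line)
        if m:
            # Link-local IPv6 is auto-assigned, so it is not counted as an
            # address the administrator put on the interface.
            if not m.group(1).lower().startswith("fe80"):
                current["addrs"].append(m.group(1))
            continue
        m = VLAN_RE.match(line)
        if m:
            current["vlan"] = int(m.group(1))
            current["parent"] = m.group(2)
    return ifaces


def mixed_parents(text):
    """Map each parent that has its own address AND VLAN children to its VLAN ids."""
    ifaces = parse_ifconfig(text)
    children = {}
    for info in ifaces.values():
        if info["parent"] is not None:
            children.setdefault(info["parent"], []).append(info["vlan"])
    return {
        parent: sorted(vlans)
        for parent, vlans in children.items()
        if ifaces.get(parent, {}).get("addrs")
    }


if __name__ == "__main__":
    for parent, vlans in mixed_parents(SAMPLE_IFCONFIG).items():
        print(f"{parent}: untagged address plus tagged VLANs {vlans}")
```

In the sample, `igb0` is reported because it has its own address and VLANs 20 and 30, while `igb1` is a pure trunk and is not.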
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 12, 2020, 05:59:26 pm
same here after last update, seems not working correctly... uninstalling necessary?

Hi @greeno, run below commands and it should fix:

Code: [Select]
pkg install php72-pecl-mongodb
/usr/local/sbin/configctl webgui restart
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ultra on January 13, 2020, 09:33:03 pm
Hi all,

after a successful installation of all Sensei plugins on the latest OPNsense version (19.7.9) I have trouble finishing the installation. The list of available interfaces is empty. See screenshot below. Is that because I am using a USB-to-LAN adapter as my LAN interface? The adapter works fine with OPNsense. Thanks for your help!

Ultra
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ultra on January 13, 2020, 09:37:53 pm
Here are the screenshots...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 13, 2020, 11:17:50 pm
Hi @Ultra,

Yes, switch adapters for WAN/LAN and use em for the LAN side. netmap[1] is pretty picky when it comes to compatibility.

[1] https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4 (https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 20, 2020, 06:57:47 am
After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...

I reported on this issue months ago. I must have had a config that tripped it more often than others.
What I found was to leave the auto start for the Sensei Packet engine off then after a restart everything is fine you just need to go in and start sensei manually. I also keep an unprotected interface free now so I can just swap my pc to the second drop I have nearby so I can get in the router to fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 20, 2020, 06:22:27 pm
@donatom3, thanks for the hand and suggestion.

Yes, this workaround would work for people who experience this problem.

This looks like a race condition in netmap(4). Team is working to provide a patch for FreeBSD.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: AlexV on January 21, 2020, 12:01:49 am
Hi all, over the last few days I have tested Sensei thoroughly.
After a period of intense testing, I can say: wow, GOOD WORK, and thanks to the team for the freeware release.

I work with every type of network device, from Nexus 7000 switches to ASR900 routers, and from ASA firewalls to Firepower, Check Point, and Palo Alto, and I think that Sensei can reach the same level as these NGFWs.

I see that Sensei has some difficulty matching traffic when Squid is used as a transparent proxy on the firewall. In fact, Sensei doesn't inspect the traffic directed to the Squid proxy port, or if it does, there is some problem, because in this condition the web filtering doesn't work. Can you implement this feature?
Can I help you in some way?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 21, 2020, 09:05:01 pm
Hi @AlexV,

Many thanks for trying Sensei and your feedback. All welcome and much appreciated.

We're just starting out... Future will bring lots of exciting developments here.

With regard to Squid. For plain HTTP based traffic, you should see no difference. But for HTTPS based traffic, we might be missing Squid's CONNECT requests. Let us have a look at this. I'm guessing this wouldn't be a hard thing to implement.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 23, 2020, 02:55:34 am
Dear Sensei users,

I'm pleased to announce that Sensei 1.3 is out with the following new features / fixes:

SOHO Subscription goes live

Filtering

Reporting

Other

We'll have another post about planned upcoming developments regarding netmap project, better OPNsense integration and new features that are to be shipping in 2020.

Enjoy :)
Your Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on January 23, 2020, 12:28:07 pm
i updated to version 1.3 and lost my premium subscription and security configuration.
After installing premium key and doing configuration manually, it seems to work o.k. again
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 23, 2020, 12:37:23 pm
Hi,
After the SENSEI 1.3 update, on three machines the widget no longer works. Even after uninstalling and reinstalling the SENSEI plugin.
cordially
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 23, 2020, 04:45:25 pm
Hi,
Version 1.3_1 did not reinstate the widget bug.
But after an hour, the widget displays again ???
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on January 23, 2020, 04:55:51 pm
after updating 1.3 to 1.3_1 i lost again my premium subscription and security configuration.
After installing premium key and doing configuration manually, it seems to work o.k. again

will that happen on every update now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 23, 2020, 06:33:39 pm
Hi @Darkopnsense,

We couldn't reproduce the widget issue. Can you create a problem report via "Contact Sensei Team" menu located on the upper right hand corner? Make sure you check all three options. We'll take it from there.

Hi @malac,

Sorry for the inconvenience, 1.3 had a URL translation bug which led to the license issue. 1.3_1 is a hotfix for this. You've upgraded to 1.3_1 but since the currently running code was still 1.3 you still had the problem. Looking forward you should be safe.

Security settings issue is related to the above problem. You should be safe now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on January 25, 2020, 08:29:48 am
I regularly get messages like this (1.3_1) (newest is on top)
Code: [Select]
Jan 25 08:05:00 kernel: -> pid: 47971 ppid: 25978 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.20.1) (interface: Guest[opt2]) (real interface: igb0_vlan20).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0_vlan20'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:08 opnsense: plugins_configure hosts ()
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.8.1) (interface: LAN[lan]) (real interface: igb0).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:08 kernel: igb0_vlan30: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan40: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan20: link state changed to UP
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for NoT(opt3) but ignoring since interface is configured with static IP (192.168.30.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for IoT(opt5) but ignoring since interface is configured with static IP (192.168.40.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:03 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:03 sshlockout[69152]: sshlockout/webConfigurator v3.0 starting up
Jan 25 08:01:03 kernel: igb0_vlan30: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan40: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan20: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11
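
A way to check whether link flaps like the ones in this log line up with crashes of the packet engine, as an added example that is not part of the original post or of Sensei. The sample lines are the kernel and sshlockout lines copied from the log above; the function names, the 10-second window and the year passed to the parser (syslog lines carry none) are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the log in the post above (posted newest first).
SAMPLE_LOG = """\
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 kernel: igb0_vlan30: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan40: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan20: link state changed to UP
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:03 sshlockout[69152]: sshlockout/webConfigurator v3.0 starting up
Jan 25 08:01:03 kernel: igb0_vlan30: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan40: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan20: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?): (.*)$")
CRASH_RE = re.compile(r"^pid (\d+) \((\S+)\), uid \d+: exited on signal (\d+)")
LINK_RE = re.compile(r"^(\S+): link state changed to (UP|DOWN)$")


def parse(lines, year):
    """Yield (timestamp, tag, message) for each line in syslog format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def correlate(lines, process="eastpect", window=10, year=2020):
    """Pair each crash of `process` with interfaces that went DOWN within
    `window` seconds after it, and measure how long until all came back UP."""
    crashes, links = [], []
    for ts, tag, msg in parse(lines, year):
        if tag != "kernel":
            continue
        crash = CRASH_RE.match(msg)
        if crash:
            if crash.group(2) == process:
                crashes.append((ts, int(crash.group(1)), int(crash.group(3))))
            continue
        link = LINK_RE.match(msg)
        if link:
            links.append((ts, link.group(1), link.group(2)))
    links.sort(key=lambda event: event[0])  # input order may be newest first

    incidents = []
    for crash_ts, pid, signal in sorted(crashes):
        went_down, restored = {}, {}
        for ts, iface, state in links:
            delta = (ts - crash_ts).total_seconds()
            if state == "DOWN" and 0 <= delta <= window:
                went_down.setdefault(iface, ts)
            elif state == "UP" and iface in went_down and iface not in restored:
                if ts >= went_down[iface]:
                    restored[iface] = ts
        outage = None  # stays None if any interface never came back
        if went_down and set(restored) == set(went_down):
            outage = max((t - crash_ts).total_seconds() for t in restored.values())
        incidents.append({
            "time": crash_ts,
            "pid": pid,
            "signal": signal,
            "interfaces": sorted(went_down),
            "outage_seconds": outage,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG.splitlines()):
        print(inc["time"], "pid", inc["pid"], "signal", inc["signal"],
              "->", inc["interfaces"], "restored after", inc["outage_seconds"], "s")
```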
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on January 25, 2020, 06:32:57 pm
Sensei: Good idea
Sensei integration with opnsense: Very bad
Sensei integration with Suricata: Very bad
Sensei's performance in general: Very bad
The funny thing is that they want us to pay for unfinished software that doesn't work.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 25, 2020, 07:43:20 pm
Hi @opnip, Looks like a bug. I'll be PM'in you for a debug session.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 25, 2020, 07:59:01 pm
Hi @yeraycito,

Many thanks for trying Sensei and sharing your feedback.

Glad to hear that you find Sensei idea interesting.

As of today, there are around 1000 global Sensei deployments spread over 70+ countries. Each deployment protects a wide range: from 5 devices to thousands of devices. A proportion of these deployments are Premium Subscribers.

Like any other software in the world, Sensei will work for some people now, for some in the near future.

Eventually, Sensei team will complete every single item in their roadmap to make it work for everybody.

We're committed to accomplish this goal.

The best way to see if it's working for you now is to try the Free Edition, and consider the Premium Edition afterwards if you see it fit for your use cases.

The best way to help improve Sensei is reaching out to us through "Contact Sensei Team" menu option in the Sensei User Interface. You can create bug reports and even suggest ideas for us to consider.

We may not get back to you the second you send a report, however be assured that these reports are evaluated at the highest level in the company.

We've worked hard to be able to provide Sensei to the OPNsense community. We'll work ever harder to make it a perfect solution in the world.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 26, 2020, 05:49:23 pm
From the last update (1.3_1) my widget won't show info:
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 26, 2020, 06:00:31 pm
mine is a bit messed up too...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 26, 2020, 07:40:47 pm
@the-mk, got your PR.

@Antaris, any chances you can send a PR (Contact Sensei Team menu located in the upper right hand corner of the UI).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 26, 2020, 09:25:03 pm
@mb,

Sent for this one and replied for the one from 24-th...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 26, 2020, 09:35:05 pm
@Antaris, got it, thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 27, 2020, 11:31:49 am
hi, new user here,
been searching this thread but cannot find it yet

how to change db engine from mongodb to elasticsearch?
now already installed elasticsearch5 via the shell
do we have to reset sensei to default config or uninstall then install it back?

thanks for the clue

Regards
Reza
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 27, 2020, 02:57:21 pm
Hi faisal,

Many thanks for trying Sensei.

Backend Database selection is done automatically based on your hardware resources. If you have less than 8GB RAM, sensei will pick mongodb.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 27, 2020, 04:03:04 pm
hi mb thanks for answering
i have xeon e3 4 core 8 thread with 16gb ram

but no options for using elasticsearch, any required steps or i missed something?

regards
Reza
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 27, 2020, 05:10:10 pm
Hi faisal,

Then it must be the cpu score. There is a 300.000 minimum cpu score requirement for Elasticsearch.

Here's  a quick hack:

1. Remove /usr/local/sensei/etc/.configdone
Code: [Select]
rm /usr/local/sensei/etc/.configdone
3. Edit /usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh file and locate these lines:

Code: [Select]
if [ $CPU_SCORE -le 300000 ]; then
       CPU_PROPER="false"
else
       CPU_PROPER="true"
fi

Change 300000 to a lower value, like 200000. 

4. Do a browser refresh on the OPNsense UI, and click on any sensei menu. It'll re-run the config wizard. Now it should select Elasticsearch.

Now I'm thinking: for cpu scores between 200K and 300K and if there is enough memory (>=8GB) I think we should let the user decide on the database backend.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 28, 2020, 07:06:12 am
hi mb, done that and here's the result

/usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh
Code: [Select]
{
   "memory": {
       "size": 17179869184,
       "proper": true
   },
   "cpu": {
       "model": "Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz",
       "proper": true,
       "score": 224783
   },
   "opnsense_version": "1979_1"
}
Is there any possibility to separate the log file location for the reporting? I have OPNsense installed on a 128GB SSD and Sensei looks like it takes up space for keeping logs. Is a 500GB - 1TB disk good enough for logs and analytics?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 28, 2020, 07:19:09 am
Hi faisal,

Good, you can now do the initial configuration, it should install Elastic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: colourcode on January 29, 2020, 08:08:13 am
Keep getting this error even after a clean reinstall.

[29-Jan-2020 07:02:25 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20170718/mongodb.so (Shared object "libcrypto.so.9" not found, required by "mongodb.so"), /usr/local/lib/php/20170718/mongodb.so.so (Cannot open "/usr/local/lib/php/20170718/mongodb.so.so")) in Unknown on line 0

In /user/local/lib there is a libcrypto.so.11 ..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dragon2611 on January 29, 2020, 01:55:59 pm
I can't install in a VM on a Mac Mini in proxmox, It should (just about) meet the minimum requirements

CPU Model:Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz
CPU Score:384496
Physical Memory Size:2.13 GB (Mini only has 4GB)

Code: [Select]
Please make sure you are running the latest OPNsense version
Code: [Select]
OPNsense 19.7.10-amd64
OPNsense isn't finding any newer updates than this  ???


I could try an install on more powerful hardware but then I'd have to tunnel the traffic I wanted to pass through Sensei to the datacentre first.

Edit:

Seemed to work following a reboot, guess there was an installed update that needed a reboot.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 29, 2020, 07:05:57 pm
Hi @lakej,

I guess you are on OPNsense 20.1rc1. Current Sensei repo is not yet ready for 20.1 since it's not yet released.

Two options:

1. Wait until 20.1 is officially released and re-install sensei, since we'll ship the required dependency packages when 20.1 is officially released.
2. Use 19.7.10 for now.

I would suggest waiting a bit more since we expect that OPNsense will release 20.1 tomorrow. (then we'll ship the 20.1 repo)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 30, 2020, 02:39:35 pm
Question:

What system privileges are needed to display / restrict sensei pages? I have several groups with just access to certain pages (viewonly, voucher creation, basic operation, etc.)

There exist no predefined privileges for sensei. I want just to allow reports and status. Without possibility to edit settings.

How can I restrict that?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 30, 2020, 05:02:49 pm
hi mb
after doing the cpu score hack, is still installing mongodb, and i cannot see either options to install elasticsearch

i continue installation and after finished, shown error like this

Quote
Warning: Sensei is stopped because of a problem
Sensei has detected a problem during operation and has shut down Sensei services in order to prevent a network outage.

Cannot find workers map file

If you think this is something we should have a look, just click here to let us know about the details and we will investigate this further.

You can re-enable the services from Status page.
any clues?
Hi faisal,

Good, you can now do the initial configuration, it should install Elastic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 30, 2020, 06:07:56 pm
Dear Sensei users, (especially MongoDB users)

We advise that you postpone 20.1 upgrades for a day or two while we confirm everything works as expected.

20.1 is a major upgrade, we want to make sure upgrade path for Sensei users is clear.

We'll post an update here and from twitter once we have confirmed everything is ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: colourcode on January 31, 2020, 10:53:32 am
I'm getting 500mbps without sensei and 0,5mbps with sensei.

I have a dogshit CPU, E3950 @ 1.60GHz (4 cores).

However the CPU is barely breaking a sweat and memory utilization is ~20% (8gb).

is this what I can expect performance-wise out of this hardware?
I was thinking about upgrading but I'm doubting the Hades Canyon or similar can pull it if this isn't working out right now?

Or could there be some configuration error at play here?

Edit: Hardware offloading was the problem. now it's around 300 :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 01:43:41 pm
We advise that you postpone 20.1 upgrades for a day or two while we confirm everything works as expected.

20.1 is a major upgrade, we want to make sure upgrade path for Sensei users is clear.

We'll post an update here and from twitter once we have confirmed everything is ok.

Tests have been completed and looks good. We're all clear for 20.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on February 01, 2020, 04:08:00 pm
I also get errors like this:
Code: [Select]
PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20170718/mongodb.so (Shared object "libcrypto.so.11" not found, required by "mongodb.so"), /usr/local/lib/php/20170718/mongodb.so.so (Cannot open "/usr/local/lib/php/20170718/mongodb.so.so")) in Unknown on line 0

Even after complete uninstall of sensei plugin.
OPNsense 19.7.10_1-amd64
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 04:16:33 pm
Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 01, 2020, 08:47:11 pm
Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.

After installing sensei i get this error

 PHP Errors:

Code: [Select]
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  filesize(): stat failed for /tmp/mongodb_dahsboard5e35d54da4d3d_result.json in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 78
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 187
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 188
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 01, 2020, 08:49:25 pm
@mb did you get my bug report?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 09:06:13 pm
@rene, yes, a colleague should have replied back. this is fixed, needs a package re-install:

Code: [Select]
pkg install -f os-sensei
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2020, 12:05:45 pm
@mb, maybe it's a good idea to implement a report form in the web filtration page, where we can report sites that pass through blocked specific category.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: petrus on February 02, 2020, 12:49:22 pm
Hi,
Thanks for providing Sensei! I thought now with the 20.1 OPNsense release it's just the right time to try.
Unfortunately I ran into an issue before I was able to test Sensei: some network cards are not shown
My HW: Core i5-8400+16G RAM, some RTL onboard card (available from OPNSense, also not shown in Sensei, but I don't use that anyway)
NIC I use: Intel i350 quad port, igb0+igb3=lagg0, igb1=wan
Strangely igb0 and igb3 are available in Sensei as unassigned, but not igb1 and igb2. Also all VLANs on lagg0 are available separately.
I was looking into the tunables and reset them according to this post, reset Sensei to factory default, but that did not help: https://forum.opnsense.org/index.php?topic=13436.msg61860

Code: [Select]
hw.igb.rxd 1024
hw.igb.txd 1024
net.link.ifqmaxlen 2048

I don't see anything special in dmesg/syslog.
Sensei works for some of the VLANs, but it should actually work for WAN, which is igb1, and that's not available.
Suricata is not running on WAN.

Any ideas?
Thanks
Petrus

Code: [Select]
Sensei version info
Engine Version: 1.3.1 View Changelog Version History
UI Version: 20.1.31
Database Version: 1.3.1
Opnsense:
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2020, 05:36:10 pm
Hi Petrus,

Sensei protects internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 03, 2020, 02:56:43 am
@mb, maybe it's a good idea to implement a report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 03, 2020, 08:10:07 pm
@mb, maybe it's a good idea to implement a report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?
Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 03, 2020, 08:28:26 pm
Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.

Got it. It should appear shortly this month/early next month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: petrus on February 06, 2020, 04:41:41 pm
Hi Petrus,

Sensei protects internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.

Hi Antaris,
thanks & sry, should have been obvious about the WAN port.
What I still miss is the list of supported NICs, because I can't see the two onboard ports, just the i350 Interfaces.

Peter
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2020, 01:52:23 am
Hi @petrus,

To be able to access packets off the wire, Sensei makes use of a FreeBSD subsystem called netmap(4).

Netmap can be pretty picky when it comes to ethernet device compatibility. So we try to filter out any devices that are known to be having problems with netmap.

Netmap team seems to be maintaining Intel based drivers, igb(4), em(4) being two of the most widely used ones.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 07, 2020, 07:47:10 pm
In short you can use integrated Realteks on your mobo as WANs if they are needed at all...
If you will not use them better disable them in BIOS.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 11:01:08 am
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on February 08, 2020, 11:21:50 am
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
curl -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on February 08, 2020, 11:57:35 am
www pornhub com is not in pornography category, really?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on February 08, 2020, 12:38:12 pm
obviously it is an entertainment site !!! ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: colourcode on February 08, 2020, 01:16:17 pm
How are you people going about excluding OPNsense traffic?
I have a bunch of vlans, all going to a Pihole (for now) then back to unbound and out from there.
IIRC I lose the lookup if you exclude all but one interface in Unbound as well.

Sensei doesn't seem to take 127.0.0.1 / self as an exclusion.

Looking for ideas on how to set this up the best way :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 08, 2020, 03:01:40 pm
www pornhub com is not in pornography category, really?

Hi @siga75, it looks like it's correct in the database. Let's see what happened in your case. Kindly send a PR through Report a bug menu located in the upper right hand corner of the UI.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 08, 2020, 03:05:58 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
curl -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to choose using an external database instead of installing elastic locally.

Would that also do the trick?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on February 08, 2020, 04:05:58 pm
www pornhub com is not in pornography category, really?

Hi @siga75, it looks like it's correct in the database. Let's see what happened in your case. Kindly send a PR through Report a bug menu located in the upper right hand corner of the UI.

OK, report just submitted.

Thanks a lot :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 04:11:27 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
curl -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to choose using an external database instead of installing elastic locally.

Would that also do the trick?

due to my hardware, i can only use mongodb. will this also be possible with this database?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 04:18:48 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
curl -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to choose using an external database instead of installing elastic locally.

Would that also do the trick?

due to my hardware, i can only use mongodb. will this also be possible with this database?

or is the database always external so that the own system resources no longer matter?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 12, 2020, 01:22:17 am
or is the database always external so that the own system resources no longer matter?

Correct. Database puts some weight on the device, we think offloading it would provide a lot of flexibility. Engine itself consumes as low as 256MB memory. This way it could be possible to run Sensei even in 512MB memory.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on February 16, 2020, 06:45:32 pm
How do additional policies work? I wanted to set up an exclusion for a part of the default policy. In the default policy I selected "firstly seen sites" to be blocked, but this breaks my TV and I don't want to disable it completely.

Made a new policy besides the default and disabled "firstly seen sites", re-enabled on the default. The policy isn't being picked up. How can I work the policy so I can set exclusions in it while keeping the settings in the default policy?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 16, 2020, 07:43:45 pm
Hi @actionhenkt,

It's probably that both policy descriptions overlap and the first in the policy list is matching packets. Click "Contact Team" on the right hand corner of the UI, and a team member will follow up with you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 05:27:59 pm
Hi,
I have some problems with Sensei on PC Engines APU - mainly with graphs and reports.
HW is PC Engines APU4, 4GB RAM, CPU AMD GX-412TC SOC (4 cores), 128GB SSD.
There is new updated opnsense to 20.1(libressl) and sensei latest install. I repeated also install today again.
Sensei shows in status it is OK, but I do not see any graphs or reports.
Is there some advice how to solve this ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 17, 2020, 09:00:31 pm
Hi @Wyrm,

This is due to firewall being shut down abruptly or that /var is a temp filesystem.

If none is valid for your case, just shoot a Problem Report (top right hand corner of the UI) and a team member will follow up with you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 09:08:29 pm
Thank you for reply.
I checked now Dashboard and I see this:

Disk usage   
9% / [ufs] (8.9G/108G)
0% /usr/local/sensei/output/active/temp [ufs] (8.0K/9.3M)

In attachment is screenshot...

What does it mean ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 17, 2020, 09:36:41 pm
@Wyrm, all welcome.

"/usr/local/sensei/output/active/temp" directory is auto-created by Sensei, so it is ok.
I don't see /var here, which tells me that /var is not tmpfs.

Send a Problem Report  (top right hand corner of the UI), and we'll have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 11:15:47 pm
Thanks and problem report sent...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on February 21, 2020, 05:07:20 pm
is it possible to change the MongoDB data location?
I'm running out of disk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 21, 2020, 06:36:31 pm
Hi @nikkon,

We've implemented this for 1.5, which should arrive late March.

For now, you can do a "Reset Reporting" from Sensei -> Configuration -> Reporting & Data. Please note that this will erase all reporting data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on February 21, 2020, 07:27:57 pm
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 27, 2020, 03:28:36 pm
Dear Sensei users,

Bringing High Availability Clustering support, better Ad Blocking, more improvements and some bug fixes; Sensei 1.4 release is out for OPNsense.

For a complete list of new features and improvements:


What’s cooking for Sensei in 2020?

We value your opinion. You can fill out “Sensei Roadmap Survey” and help shape Sensei’s roadmap for 2020. Takes 30 seconds to 1min to complete:


Enjoy :)
Your Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 27, 2020, 03:42:14 pm
Bringing High Availability Clustering support, better Ad Blocking, more improvements and some bug fixes; Sensei 1.4 release is out for OPNsense.

Is HA cluster support a premium feature?

I just get "The changes have been applied successfully, remember to update your Sensei backup FW in System: Sensei/Configuration/HA", but I have no "Sensei/Configuration/HA" tab and 'System: High Availability: Settings' has no Sensei option to check for sync.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 27, 2020, 07:05:52 pm
Hi @hbc, correct, that's a premium feature. We updated the Changelog/Blog to reflect this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 07:10:43 am
Hi, any advice how I upgrade SENSEI if the packages are shown as orphaned in the systems firmware section of opnsense 20.1?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: colourcode on February 28, 2020, 09:32:04 am
I can't SSH to my servers on a different VLAN than my Desktop.
I can SSH between my servers on the same interface. (LAN/untagged)

Any fix for this, or do I have to remove myself from sensei to manage my servers?

I can move them onto a vlan if that's a solution.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 06:23:09 pm
Hi @ckishappy, which package is shown as orphaned? Are you reported of any new Sensei release (e.g. 1.4) ?

Hi @lakej, is it just SSH or do you have problem accessing the other services/computers on the other VLAN? Are these vlans on the same parent interface?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 07:23:23 pm
See attached
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 07:29:50 pm
@ckishappy, got it. Can you try updating via console (needs SSH access)

Code: [Select]
pkg install -f os-sensei
What happens if you run this command?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 08:44:34 pm
unfortunately not that much... see below


$ sudo pkg install -f os-sensei
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sensei' have been found in the repositories
$
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 10:10:27 pm
Ah, you need os-sunnyvalley repo package. That's why...

Code: [Select]
pkg install os-sunnyvalley
pkg install -fy os-sensei-updater
pkg install -fy os-sensei

Alternatively, installing os-sunnyvalley from the UI and trying the update again should produce the same result.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 29, 2020, 12:28:15 am
Got it thanks for the advice ✅
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 01, 2020, 11:53:56 am
why are sensei logs not available on the WUI? Or am I missing something?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgone on March 01, 2020, 12:15:58 pm
I have opened a bug report for sensei:

First I have the following setup:
Internet <-> Firewall (with sensei) <-> fritzbox (VOIP).
Only the LAN-interface is assigned to be controlled by sensei.

Incoming SIP Invites are not passing sensei.
The SIP Invite-packets arrives as fragmented udp packets.

The problem is that fragmented udp-packets are discarded by sensei.
The packets never reach the LAN-network, if sensei is enabled.
If the bypass-mode from sensei is active, the packets are passed normally through the firewall and reach the fritzbox.

I believe that sensei is silently discarding fragmented udp-packets.
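A way to check a capture for the behaviour described in this post, as an added example that is not part of the original post and not Sensei code: it groups IPv4 UDP fragments by (source, destination, protocol, IP ID) and reports whether each fragmented datagram is fully present. The function names, addresses and sample packets are hypothetical and constructed for the demonstration; the input is assumed to be raw IPv4 packets with the link-layer header already removed.

```python
import struct
from collections import defaultdict


def build_ipv4(src, dst, ident, offset, more, payload, proto=17):
    """Build a bare IPv4 packet (no options, checksum 0) for the constructed samples."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split("."))) + payload


def parse_ipv4(pkt):
    """Return the fields needed to track fragments, or None for non-IPv4 or truncated input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return {
        "key": (".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])),
                pkt[9], ident),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is counted in 8-byte units
        "more": bool(flags_frag & 0x2000),     # MF (more fragments) flag
        "payload": pkt[ihl:total_len],
    }


def fragmented_udp(packets):
    """Report every fragmented UDP datagram in a capture and whether it is complete."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        # A packet is a fragment if MF is set or its offset is non-zero.
        if p and p["key"][2] == 17 and (p["more"] or p["offset"] > 0):
            groups[p["key"]].append(p)

    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        # Only the first fragment (offset 0) carries the UDP header and thus the ports.
        first = next((f for f in frags if f["offset"] == 0), None)
        dport = None
        if first and len(first["payload"]) >= 4:
            dport = struct.unpack("!H", first["payload"][2:4])[0]
        covered, complete = 0, False
        for f in frags:
            if f["offset"] > covered:          # hole: an earlier fragment is missing
                break
            covered = max(covered, f["offset"] + len(f["payload"]))
            if not f["more"]:                  # last fragment reached with no holes
                complete = True
                break
        report[key] = {"fragments": len(frags), "dst_port": dport, "complete": complete}
    return report


def sample_captures():
    """Constructed sample: one 1800-byte SIP-like UDP datagram split at 1480 bytes."""
    body = b"INVITE sip:user@example.invalid SIP/2.0\r\n".ljust(1792, b"x")
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(body), 0) + body
    src, dst = "198.51.100.10", "192.0.2.20"   # documentation addresses, not real hosts
    f1 = build_ipv4(src, dst, 0x1234, 0, True, udp[:1480])
    f2 = build_ipv4(src, dst, 0x1234, 1480, False, udp[1480:])
    small = build_ipv4(src, dst, 0x1235, 0, False,
                       struct.pack("!HHHH", 5060, 5060, 12, 0) + b"ping")
    # First capture holds the whole datagram; second one has lost the first fragment.
    return [f1, f2, small], [f2, small]


if __name__ == "__main__":
    whole, partial = sample_captures()
    for name, capture in (("complete capture", whole), ("partial capture", partial)):
        for key, info in fragmented_udp(capture).items():
            print(name, key, info)
```

Running it over captures taken on each side of the inspected interface shows whether fragmented datagrams to port 5060 arrive complete on one side and are absent or incomplete on the other.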
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 01, 2020, 03:50:12 pm
@ckishappy, all welcome.

@siga75, logs contain quite many information which might be abundant trying to display in the UI. Instead, our approach is to selectively notify users for important events via the User Interface.

@cgone, we received your report. Team will get back to you momentarily.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on March 02, 2020, 08:06:54 pm
Hi, freshly installed sensei 1.4 caused SEGVGUARD and stops all traffic.
It looks like that in dmesg.today log file:

Code: [Select]
[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (62199)] Suspension expired.
 -> pid: 62199 ppid: 13537 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...
[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (49329)] Suspension expired.
 -> pid: 49329 ppid: 44449 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...


When I tried to enable Generation of Support Data (Sensei -> Configuration -> Updates & Health; here turn on "Enable Generation of Support Data".) - nothing happened. After page refresh - "Enable Generation of Support Data" still disabled.
How also I can enable generation of support data to catch core dump file ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 03, 2020, 03:08:00 am
Hi @xsfpo,

We need  a core file to debug this. Just reach out to us through "Report Bug" menu located on the upper right hand corner of the UI. Team will guide you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 03, 2020, 12:34:17 pm
My SSH and SFTP connections are detected as "Generic TCPIP" with no more specific information, so my SSH connection are dropped, even if I enabled SFTP and Secure Shell

I suggest to have, as an option, a blacklist instead of whitelist (even if generally not a good choice from a security perspective) so if a connection is not correctly detected by default it passes. Otherwise the only way is to completely enable the Generic TCPIP category, which contains more than 700 entries.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on March 04, 2020, 04:39:16 am
Hi,
Not sure if it's a bug or not but I've recently upgraded to v1.4 and I noticed in:

Sensei: Configuration: General: Deployment Size

Database: Elasticsearch
Deployment Size:  Home (Max 15 Devices)  <--- Here

I have the Home subscription and thought the max devices count should be 50. I checked the About: View License  page and it does show 50 devices there.  Is this something I should be concerned about?  I've not noticed anything negative so far.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: guest23448 on March 04, 2020, 02:57:26 pm
Hi all,

What's the plan for Sensei in the future?  I really like the approach and added value to OPNsense, but will it be able to replace some other services like web proxy and clamAV? Or is the intention to run everything independently!?

Currently, they are asking about development preferences for 2020 in a survey, but do not differentiate between subscriptions. E.g. if we vote for TLS inspection, it will not be possible for home users according to their plans published on the website. So the survey results may lead to an undesired focus, not? Although, it is definitely one of the important features that should be also possible for home users in order to allow improving the overall security level since most traffic is encrypted now (as per my knowledge, Sensei does not even take usage of traffic decrypted within the proxy). Sophos has also integrated dpi inspection without a real MITM and is able to scan other ports (e.g. IMAPS).

If malware scanning would also be included (I guess currently, it's not using a malware engine but rather blocks based on urls), the replacement/alternative to the proxy would be perfect in my opinion....



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2020, 05:52:27 pm
Hi @siga75, we could not reproduce this. I think we need a small packet capture. Can you reach out to the team (Report Bug link on the upper right hand corner of the UI)? Team will guide you through.

And, thanks for the suggestion. I might have a few questions to make sure I understand correctly.

Hi @packetmangler, this looks like a glitch with this setting. We are fixing this in the coming release. For now, you do not need to worry since packet engine honors the actual value stored in the license, which is 50 devices.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2020, 06:13:21 pm
Hi @bEeReE,

Many thanks for your encouraging comments. We've decided to walk through a 'never-tried-before' path for going to the market and delivering the product. Instead of building a full-blown product, we are complementing what's already doing great. It's super to see validation that this is a good idea.

The core technology behind Sensei product is a very powerful packet inspection engine. Indeed, only some fraction of the current underlying capabilities are reflected through the User Interface. Packet engine has a very performant All-ports Full TLS Inspection Capability already built-in (can do almost 500 Mbps on an i5 3Ghz CPU - single core). So in that regard, providing what's available with Squid+ClamAV is possible (i.e. file based AV/Sandbox)

The poll for the 2020 roadmap is kind of what we think we will be providing as of this year. Free/Premium distinction is not decided yet, but we can go ahead and mark the ones which are likely to appear in the Premium version. The poll system did not have a free-answer option. But I think we should be having another poll to have your ideas as to what you would like to see for Sensei (apart from the ones presented in the current poll [1]).

[1] https://surveymonkey.com/r/BTMH9P7
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 05, 2020, 04:30:05 pm
case opened as requested, attached a screenshot, this happens both with putty from windows 10 and from another ssh client from Raspbian buster

root@linjs:/root # ssh www.signorini.in
ssh_exchange_identification: Connection closed by remote host

root@linjs:/root # dpkg -l ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version            Architecture Description
+++-==============-==================-============-============================================
ii  ssh            1:7.9p1-10+deb10u2 all          secure shell client and server (metapackage)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 05, 2020, 07:50:56 pm
@siga75, thanks, well received.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Tubs on March 08, 2020, 02:25:01 am
Sensei and AD/LDAP integration

Can Sensei have advantage of AD integration agent in Free plan?

The feature table shows "User based reporting (AD/LDAP) = up to 5 devices" for free plan. But when I install AD agent on DC Sensei reporting shows 0 for authenticated users. The instruction documents are not clear to me in this point.

Something wrong on my set-up or is it supposed to be in this way?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on March 08, 2020, 12:53:16 pm
Hi mb, can you read and comment some topics in main 20.1 forum branch about unsuccessful upgrade to 20.1.2 with sensei plugin installed.

https://forum.opnsense.org/index.php?topic=16164.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 08, 2020, 03:45:29 pm
Hi @xsfpo, thanks for the heads-up, will be looking.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 13, 2020, 04:25:38 pm
Hi faisal,

Then it must be the cpu score. There is a 300.000 minimum cpu score requirement for Elasticsearch.

Here's  a quick hack:

1. Remove /usr/local/sensei/etc/.configdone
Code:
rm /usr/local/sensei/etc/.configdone
3. Edit /usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh file and locate these lines:

Code:
if [ $CPU_SCORE -le 300000 ]; then
       CPU_PROPER="false"
else
       CPU_PROPER="true"
fi

Change 300000 to a lower value, like 200000. 

4. Do a browser refresh on the OPNsense UI, and click on any sensei menu. It'll re-run the config wizard. Now it should select Elasticsearch.

Now I'm thinking: for cpu scores between 200K and 300K and if there is enough memory (>=8GB) I think we should let the user decide on the database backend.

This solution no longer works on a fresh install today. And I can't find where to choose the Elastic engine...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 13, 2020, 05:07:58 pm
Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 14, 2020, 12:01:43 pm
Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/
Hi @mb,

Looking forward to 1.5 and thx for the classification option. :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: deibit on March 15, 2020, 12:29:07 pm
Hi,

I have just installed OPNsense after many (more than i recall) years using PfSense. One of the first things I installed is Sensei.. I liked it so much that I even paid for the home license :)

I run OPNsense in a SC813 Supermicro Rack, with a X10SLM+LN4F MoBo, 32GB DDR-1600 ECC RAM, a Xeon E3-1230L V3 CPU and a 2TB Seagate Ironwolf HDD (all baremetal, not virtualized).

I use a single 1.000/50 Mbit/s WAN, not many simultaneous webusers (4 or 5) but heavy traffic on the 4 VPN tunnels (fileserver)

The CPU gives 267.081 Single CPU Ubench index. So it's underpowered according to Sensei/Elasticsearch standards.

I guess I wouldn't have any problem in upgrading the CPU, but why is the single core performance so important? ElasticSearch is supposed to take advantage of multiple cores, isn't it? (CPU has 4 cores and 8 threads)

Should I be worried? Where can I look if my CPU is struggling? Everything "feels" good so far...



Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 16, 2020, 12:28:20 am
Hi @deibit,

I think every Intel Core with AES and 4 or more cores @3GHz or more is OK for OPNsense with Sensei and Elastic. In the incoming 1.5 you will have the option to choose backend database manually and this misunderstanding will be solved. Maybe it's good to upgrade cpu to non-L Haswell or Broadwell cpu for better VPN throughput. Also you have to know that for some strange reason Ubench rates Haswell Xeons way lower than non-xeon i5 on same clocks...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on March 17, 2020, 11:57:08 pm
@mb sensei is still running very smooth for me
Any news/eta on those botnet and DNS tunneling features already shown in the policy?

Sent from my MI 9 with Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: deibit on March 18, 2020, 09:26:36 pm
Hi @deibit,

I think every Intel Core with AES and 4 or more cores @3GHz or more is OK for OPNsense with Sensei and Elastic. In the incoming 1.5 you will have the option to choose backend database manually and this misunderstanding will be solved. Maybe it's good to upgrade cpu to non-L Haswell or Broadwell cpu for better VPN throughput. Also you have to know that for some strange reason Ubench rates Haswell Xeons way lower than non-xeon i5 on same clocks...

I "upgraded" to a E3-1268L that I had here "laying around". Now the ubench score is in the 342.000 range, I don't think it makes a big difference but my karma is again in balance due to sensei not complaining about my router being lower end :)

I still wonder why the single core performance is so important for elasticsearch though...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: guest23448 on March 20, 2020, 08:57:48 am
@mb sensei is still running very smooth for me
Any news/eta on those botnet and DNS tunneling features already shown in the policy?

Would be also great if we can get a little bit more background on how the sensei cloud works. Is it fed with external sources (e.g. phishtank, malware companies etc.) so that we can avoid duplicated filtering on dns, proxy or ICAP level?
Furthermore, I am wondering how often decisions about security categorization like "undecided safe sites" are made. I believe there are some blocked domains hanging in such status for more than 1 week. Shouldn't this be faster?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 20, 2020, 11:21:14 pm
I've searched the forums as well as Google but didn't find the answer to my issue. Which is that during Sensei installation I get the following message: "Oops, it looks like LAN interface is also in use by Suricata"

But I do not have Suricata running, Intrusion detection is completely disabled. I did have it running few weeks back, but disabled it a week ago. So to be sure I rebooted my router/fw before installing Sensei, but still same message.

I did a quick search via the command line for Suricata config files to check for interface config, but didn't find anything useful.

Anyone that might be able to help me out here?

Thanks in advance!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 20, 2020, 11:29:08 pm
during Sensei installation I get the following message: "Oops, it looks like LAN interface is also in use by Suricata"

But I do not have Suricata running

I still decided to check the Captive Portal settings and I removed LAN from the interfaces and applied. And that actually solved the issue. Even though it was not active....
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:00:05 am
@Quetschwalze, glad that it's working good.

We're investing heavily on application, threat intelligence and security databases. With 1.5 version, you'll start seeing weekly / daily database updates. Up until now databases were being updated with every release.

With regard to Botnet filtering / DNS Tunnel filtering, we expect to land them in Q3 this year.

@bEeReE, we are adding more information to our documentation about the cloud architecture. We'll make it available early April.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:07:01 am
I still wonder why the single core performance is so important for elasticsearch though...

Hi @deibit, glad that Sensei is happy with your hardware now.

As for Elasticsearch, you are right, Elasticsearch is multi-threaded and will benefit from multi-core cpus.

For the packet engine itself, for each interface, it has a worker process and workers are currently running single threaded; so each worker process pins itself to a single cpu core. This is why single-core cpu score is also important.

When the kernel in OPNsense becomes RSS-enabled, packet engine will also be able to make use of multiple cpu cores, basically enabling it to process multi-gigabit workloads. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:11:49 am
But I do not have Suricata running, Intrusion detection is completely disabled. I did have it running few weeks back, but disabled it a week ago. So to be sure I rebooted my router/fw before installing Sensei, but still same message.

Hi @scrensen, even if it's disabled, if you have the interface configured for Suricata, Sensei will still warn you. Because what usually happens is people enable Suricata in some future time forgetting that it's in use by Sensei.

We wanted to be on the safe side, and decided to warn users about this even if Suricata is disabled.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 22, 2020, 02:27:18 pm
Ok, makes sense.

So I got Sensei to work, but then I found my wifi access point (Unifi AP-HD) stopped working right after.

And after some troubleshooting I saw that it could not reach the controller anymore (running on server in same LAN). Since Sensei was the only and most recent change in my network I disabled it and within seconds the UAP-HD came online again and I was able to adopt it again in the controller.

So it seems Sensei is blocking my Unifi AP to reach the controller (http://ip-of-controller:8080/inform) somehow. I'm using the hostname.domain of my controller, perhaps it's something to do with DNS being blocked or so?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on March 22, 2020, 04:26:52 pm
Ok, makes sense.

So I got Sensei to work, but then I found my wifi access point (Unifi AP-HD) stopped working right after.

And after some troubleshooting I saw that it could not reach the controller anymore (running on server in same LAN). Since Sensei was the only and most recent change in my network I disabled it and within seconds the UAP-HD came online again and I was able to adopt it again in the controller.

So it seems Sensei is blocking my Unifi AP to reach the controller (http://ip-of-controller:8080/inform) somehow. I'm using the hostname.domain of my controller, perhaps it's something to do with DNS being blocked or so?
Pretty sure that's the cause. You probably need to whitelist that URL. Verify that sensei is the cause via Reports-Blocked-Live blocked sessions
This will show everything being blocked right now. If you see your unifi URL there just whitelist it.

Sent from my MI 9 with Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: lbakyl on March 22, 2020, 05:39:16 pm
Hi Murat and the team!

First of all, I wanted to praise you for a great innovation technology that you have worked on hard! I am testing a free version for home use but will consider deploying a paid version in work environment once thoroughly tested.

While in the free version, I blocked some hostnames while viewing live traffic. It was just for a test and now I would like to remove that. Yet I do not see any blacklist or whitelist. I do not mind finding it manually on the FreeBSD system if you tell me where I can find it.

In addition, it would be great to see a comparison with older NIDS tools like Snort (that runs with PulledPork, Barnyard2 and BASE).

Yours,
Jan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on March 22, 2020, 07:17:51 pm
hi @lbakyl,

The functionalities to manage your own blocklist and whitelist lists are in
sensei-> web controls => user defined categories
auto blocklist hosts (edit)
auto whitelist hosts (edit)

Regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on March 31, 2020, 09:23:51 pm
Good evening
Does Sensei support IPv6 ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 31, 2020, 09:28:45 pm
Hi @mucflyer,

Yes, Sensei supports IPv6.

Cloud servers serving over IPv4 are able to serve both IPv4 and IPv6 queries.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on April 15, 2020, 11:01:05 am
I really like sensei so far.
I’m using dnscrypt proxy and sensei cannot resolve local hostnames.
As mentioned a few weeks before, is there an option in the roadmap for sensei to have its own resolver?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 05:12:49 pm
So I've had Sensei working really well for the past couple of months but it seems that reports aren't working or they're not working the way I think they should.

So I've got a host on my network that I want to get detailed info about.  I go to Sensei -> Reports and then click add filter [host] and enter the IP address I want to include.  Lastly, I click Refresh.

When I do this the graphs don't really change nor does the output for Activity Explorer.  It seems that the filter isn't working for me.  There's no change when I use that same IP address for Source IP as a filter.

Am I missing something obvious? Should the reports only include any applied filters and exclude anything that doesn't match?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: meazz1 on April 15, 2020, 06:54:20 pm
I have been using Sensei home version for the last few months and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Freenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/).
Is this an over kill or a redundant or unnecessary setup?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 09:05:07 pm
I have been using Sensei home version for the last few months and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Freenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/).
Is this an over kill or a redundant or unnecessary setup?

I personally limit myself to a single forwarder only because having multiple might make troubleshooting issues harder. 

My flow is: pi-holes -> quad9 -> Sensei.  And even then it's a matter of tracking down whether or not it's the pi-holes, quad9 or Sensei doing the blocking. Then add in the pressure of family saying they're unable to get to a super important site right now or something on their precious iOS device isn't working quite right.  It can be a pain. :D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: meazz1 on April 15, 2020, 09:33:00 pm
I have been using Sensei home version for the last few months and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Freenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/).
Is this an over kill or a redundant or unnecessary setup?

I personally limit myself to a single forwarder only because having multiple might make troubleshooting issues harder. 

My flow is: pi-holes -> quad9 -> Sensei.  And even then it's a matter of tracking down whether or not it's the pi-holes, quad9 or Sensei doing the blocking. Then add in the pressure of family saying they're unable to get to a super important site right now or something on their precious iOS device isn't working quite right.  It can be a pain. :D

This is the exact issue I'm facing, "is internet down? I can't open this site" from a family member almost every day.

Can you explain your flow? The Pihole doing the DNS using 9.9.9.9 and sensei doing web and app filtering?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 10:35:32 pm

This is the exact issue I'm facing, "is internet down? I can't open this site" from a family member almost every day.

Can you explain your flow? The Pihole doing the DNS using 9.9.9.9 and sensei doing web and app filtering?

Sure. 

Since I run my own internal DNS server, I don't allow clients to connect to external DNS servers over port 53.  I have OPNsense redirect any queries to my pi-holes. This applies to ipv4 and ipv6.

I run two pi-holes and both point to my internal dns server.  the internal dns server then connects to quad9 via stubby (uses DNS over TLS) for any further queries. 

Assuming clients resolve their queries OK (and don't get denied by pi-holes), they then go through Sensei for further web / app filtering and then out to the Internet.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:13:27 pm
I have been using Sensei home version for the last few months and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Freenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/).
Is this an over kill or a redundant or unnecessary setup?

Hi @sol, many thanks for your feedback.

This has become one of the most wanted feature requests (what we call in-flight dns query). We've added this to the road-map and it should appear sometime around Q2-Q3 this year.

Quick update:
For remote IP addresses, even if Sensei cannot see DNS transactions, it should still be able to map hostnames with IP addresses if the session is HTTP/TLS/QUIC (since there are other places where we can extract hostnames)

For local IP addresses <-> hostnames mapping, in-flight dns reverse query feature will do the trick.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:23:04 pm
So I've had Sensei working really well for the past couple of months but it seems that reports aren't working or they're not working the way I think they should.

So I've got a host on my network that I want to get detailed info about.  I go to Sensei -> Reports and then click add filter [host] and enter the IP address I want to include.  Lastly, I click Refresh.

When I do this the graphs don't really change nor does the output for Activity Explorer.  It seems that the filter isn't working for me.  There's no change when I use that same IP address for Source IP as a filter.

Am I missing something obvious? Should the reports only include any applied filters and exclude anything that doesn't match?

Hi @packetmangler, thank you very much for the report. We couldn't reproduce this in our lab.

Any chances that you can create a bug report (Report Bug menu on the upper right hand corner).

Let's take a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:36:01 pm
Hi @meazz1, hi @packetmangler, thanks for sharing your setup, very much helpful.

For troubleshooting, a quick note:

If Sensei is blocking a connection, it should be reporting that in Reports -> Blocks.
Reports -> Live Blocked Sessions Explorer displays this information on a per-connection basis.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:53:37 pm
Dear Sensei users,

I hope everyone is at home and staying healthy. During the Corona days, Sensei team was mostly busy with 1.5 features.

1.5 is in pilot tests right now, and will be most likely released late this month.

Here is the Release Notes for this upcoming release:

What is new in Sensei for OPNsense Release 1.5

Application Control
Application Database will be a separate package and will be updated independently and more frequently

Privacy and Compliance

Policies and Filtering

Reporting

Cloud
Improved feedback loop for Web Categorization:

When you submit an entry for re-classification we can now re-categorize it within as fast as 10 minutes. Re-categorized web sites may become available via Cloud as soon as 15 minutes. You can submit web sites for re-classification either through our Web site (https://www.sunnyvalley.io/site-classification/) or through the Sensei UI when you add a site to whitelist/blacklist or to a user defined category.


Integrations

Other

Stay safe,
Your Sensei team
https://sunnyvalley.io/sensei
https://help.sunnyvalley.io


Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 16, 2020, 05:23:40 am

Hi @packetmangler, thank you very much for the report. We couldn't reproduce this in our lab.

Any chances that you can create a bug report (Report Bug menu on the upper right hand corner).

Let's take a closer look.

Report sent!  I'm truly expecting a reply along the lines of:  You're doing something really stupid.  So don't do that. :D

Looking forward to the release of 1.5!

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: guest23448 on April 16, 2020, 03:09:44 pm

Hi mb,

Thanks a lot for your great work - also during this hard times!

Could you shortly specify this a little bit more, please:
Cloud
Improved feedback loop for Web Categorization:

When you submit an entry for re-classification we can now re-categorize it within as fast as 10 minutes.

Is there a kind of check/rating you perform in order to maintain overall security for all users connecting to the cloud or how does it work?

Is there also an improvement / faster updates in the cloud-based re-classification of web sites, without having users involved (e.g. potentially dangerous / undecided not safe / undecided safe sites) which aren't updated, currently?

Thanks a lot!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on April 19, 2020, 11:57:03 am
@mb

If I understood well, with the free version you can define 3 profiles but then you can only have 1 policy.
Could you make at least available the use of 2 policies at the same time based on subnet or IPs?

Does Sensei allow loading external IP block lists?

When is the integration with Suricata 5 in OPNsense planned?

Are you doing the app control with snort?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:18:36 am
Hi @bEeReE,

Thanks for your feedback, much appreciated.

From time to time, we receive questions about the Cloud Reputation System. You can see the following article for detailed information:

https://help.sunnyvalley.io/hc/en-us/articles/360046515334-Cloud-Reputation-Threat-Intelligence

Regardless of user feedback, the database is continuously updated. We prioritize sites which we see active in the field. If you think we're missing some sites, that's something we should be looking at. Any chances that you can reach out to us via "Contact Team" menu? We'd like to run a trace.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:29:32 am
Hi @l0rdraiden, thanks for the questions, please find my answers inline:

If I understood well, with the free version you can define 3 profiles but then you can only have 1 policy.
Could you make at least available the use of 2 policies at the same time based on subnet or IPs?

Correct. Let us think about it. We strive to strike a good balance between paid and free editions. While trying to provide many features in the free edition, we want to make sure paying users have good differentiation.

Quote
Does Sensei allow loading external IP block lists?

Not currently. We understand the need to be able to feed custom lists to Sensei and working on a solution. I'll write more about this later on.

Quote
When is the integration with Suricata 5 in OPNsense planned?

It's going to be available this year.

Quote
Are you doing the app control with snort?

No. From ground-zero, Sensei is a unique technology. We do not utilize any open source IDS/IPS tools in our source code.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zerolution on April 21, 2020, 01:36:48 pm
Hi faisal,

Good, you can now do the initial configuration, it should install Elastic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements

Could you please explain how I can move db location to a secondary disk  / partition ?

Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:34:08 pm
Hi @zerolution,

1.5 will have the option to do that. Find the feature under Sensei -> Configuration -> Reports & Data.

See attachment.

1.5 is in pilot tests right now. We plan to release it late this month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zerolution on April 22, 2020, 08:17:37 am
Hello @mb,

Thank you for your reply !

So according to what you replied, I could potentially mount a second hard drive to a path (ie /mnt/storage) which I would then reference as displayed in your post in the path section ?

There is no application (sensei) limitation to the path I will be able to provide ?

Looking forward to being able to use this as my current HD is at 90% usage :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 22, 2020, 07:53:43 pm
So according to what you replied, I could potentially mount a second hard drive to a path (ie /mnt/storage) which I would then reference as displayed in your post in the path section ?

There is no application (sensei) limitation to the path I will be able to provide ?

Correct :) I think we'll be able to release 1.5 by the end of April.
Title: Re: Sensei on OPNsense - Web Control whitelists
Post by: m1ke486837 on April 25, 2020, 12:20:47 am
Is it possible to block an entire domain rather than each subdomain? For example, I have whitelisted apple.com, but then receive blocks on init.itunes.apple.com, play.itunes.apple.com, bag.itunes.apple.com, etc. This is the same behavior with several other domains as well. I was hoping that a single entry of apple.com would exclude all domains ending in .apple.com. Basically a *.apple.com
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 25, 2020, 01:50:18 am
Hi @m1ke486837,

This should already work like this. You might be blocked by the App filter, since this comes earlier to the scene (This is improved in 1.5). Can you confirm if this is the case from "Reports -> Blocks -> Live Blocked Sessions" ? See if it is blocked by App Controls or Web Controls.

If this is not the case send a PR from "Report Bug" menu located on the upper right hand corner of the UI and team will take a deeper look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m1ke486837 on April 25, 2020, 04:35:03 am
Thank you for the quick response. I will monitor the traffic with the 'live blocked sessions', and report back if the blocks originate from the web control category
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m1ke486837 on April 26, 2020, 07:00:30 pm
After some testing, it appears it is working as it should. All of the blocks were specific to the App Controls. It gives the option to whitelist the host, but that is whitelisting the host address for the Web Controls rather than App Controls. I know it is possible to drill down into the categories and unblock entire sub-categories, but it would be nice to have more control as we do with whitelists.

There was mention of a new release (1.5) on the horizon. Will there be a way to whitelist for App Filtering, or will hosts listed in Web Filtering take precedence over App Control?

Loving the premium features of this plugin, and looking forward to further development and features.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 02, 2020, 04:20:13 pm
Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot, as soon as Sensei is started, I lose all connectivity on VLAN interfaces.
I need to login via non-VLAN assigned interface, restart Sensei and then it works again.

Anybody with a similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 02, 2020, 08:21:44 pm
@mb

Since sensei is based on ELK here are some ideas to include in sensei, both quite impressive. This will provide more added value to sensei over the standalone opnsense.

https://github.com/3ilson/pfelk
https://github.com/robcowart/elastiflow
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 02, 2020, 10:34:33 pm
Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot, as soon as Sensei is started, I lose all connectivity on VLAN interfaces.
I need to login via non-VLAN assigned interface, restart Sensei and then it works again.

Anybody with a similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br

For the vlans, are you adding the vlans themselves to the protected interface or the physical interface the vlans are on? Make sure you aren't doing both. I was having this bug too and I was just adding the physical interface. It didn't happen all the time. As soon as it happens send the bug report over so they have more reports than just mine.

Since it last happened to me, I think mb and team told me in the ticket they found an issue with netmap when sensei packet engine started at startup. I have since created a bridge from my firewall to my switch, mainly to increase bandwidth and now the bridge interface isn't even an option in Sensei but I can add all the vlans and I haven't had the problem since.

One workaround I did before the bridge though was to turn Sensei auto startup off, and turn sensei back on manually after a reboot. It's not ideal but it's something. You could probably make a cron job to start the packet engine everyday at a certain time that way in case you forget to turn it on after a reboot it can turn on with the job.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 03, 2020, 10:46:18 am
Hi,

thanks for the feedback.
I'm already in contact with the Sensei support and it's, as you described, an issue with netmap.

I switched back to the VLAN Interfaces.

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 03, 2020, 11:41:45 am
Hi all,

in your Sensei, is the name resolution working properly?

In my case it's not in the reports page (realtime sessions works because the IPs are resolved in that moment).

(https://i.imgur.com/ubf5vWu.jpg)

As you can see I'm not seeing the names even though I've sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as I understand, those names should be cached and shown in the reports.

Am I right? Or what am I missing here?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 07:54:41 pm
After some testing, it appears it is working as it should. All of the blocks were specific to the App Controls. It gives the option to whitelist the host, but that is whitelisting the host address for the Web Controls rather than App Controls. I know it is possible to drill down into the categories and unblock entire sub-categories, but it would be nice to have more control as we do with whitelists.

There was mention of a new release (1.5) on the horizon. Will there be a way to whitelist for App Filtering, or will hosts listed in Web Filtering take precedence over App Control?

Loving the premium features of this plugin, and looking forward to further development and features.

Hi @m1ke486837,

Thanks for your positive feedback. Yes, as you put it, with 1.4, app control takes precedence so whitelisting does not apply to App Controls.

We've improved this behavior with 1.5. With that, App Controls also takes whitelists into account.

You won't need to write separate rules for App Controls. The ones on Web Controls will also work for it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 08:15:31 pm
As you can see I'm not seeing the names even though I've sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as I understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which resides on some host other than the firewall (on which Sensei is running), this will also cause some mappings to go out of sight for Sensei - since that cached DNS traffic will NOT be traversing through the firewall.

For those scenarios (like Pihole), we suggest disabling caching on them and using the firewall's DNS cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 08:15:47 pm
@l0rdraiden, thanks for the pointer. We'll have a look at these.

@donatom3, thanks for the hint.

@Mks, glad to hear that donatom3's hint also worked for you.

We hope to kill all netmap(4) related issues soon. Additionally we hope to bring netmap(4) support for lagg(4), bridge(4) and tun(4) based interfaces.

For that we might need some help in re-producing the bugs for the developers; and testing the fixes. I'll create a dedicated thread about this later this month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 03, 2020, 10:10:07 pm
As you can see I'm not seeing the names even though I've sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as I understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which resides on some host other than the firewall (on which Sensei is running), this will also cause some mappings to go out of sight for Sensei - since that cached DNS traffic will NOT be traversing through the firewall.

For those scenarios (like Pihole), we suggest disabling caching on them and using the firewall's DNS cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.

Thanks for the reply.

I don’t think it’s the case because I can see those DNS queries for these hosts in the Sensei DNS session browser 🤷🏻‍♂️
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 10:17:55 pm
I don’t think it’s the case because I can see those DNS queries for these hosts in the Sensei DNS session browser 🤷🏻‍♂️

Hi @Mitheor, got it. Send a PR and we'll look closer into that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on May 04, 2020, 04:45:25 pm
As you can see I'm not seeing the names even though I've sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as I understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which resides on some host other than the firewall (on which Sensei is running), this will also cause some mappings to go out of sight for Sensei - since that cached DNS traffic will NOT be traversing through the firewall.

For those scenarios (like Pihole), we suggest disabling caching on them and using the firewall's DNS cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.

I have this issue as well since I run multiple pi-holes and an internal authoritative bind server, but I've ignored it for the most part. 

If the DNS records are updated when requests pass through the firewall, would something as simple as having the firewall run through a list of reverse IP addresses and performing lookups on them work?

EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 06, 2020, 03:54:39 am
I'd like to chime in with the same question and an additional question (plus a small cosmetic bug report at the end).

Question one
To give you specifics in the hope that it helps give you/me a better understanding of what is going wrong (or more likely what I'm missing), my setup is as follows:
I've installed Sensei today and also added the DNS servers (192.168.100.14 & 192.168.100.15), under: Sensei/Configuration/Reporting & Data with the expectation that Sensei would check DNS for the hostnames of the IPs that are hitting the LAN interface. This doesn't appear to be happening and I'm not clear on why that is.
Further testing shows that if I use the FW to do DNS then I see the hostnames.

Is the only solution to this setup, to set the DNS in my DHCP scopes as the firewall then set the forwarder on the firewall DNS to be my Windows DNS servers (to keep the domain working), then the forwarder on the Windows DNS servers to be my Pihole docker container? That seems an overly excessive amount of DNS queries but it's the only way I'm seeing this working. This would be a pretty standard setup in most orgs in the sense that the first DNS host they query will always be the Windows DNS servers on the domain.

If this is the solution, then I don't understand why the option to allow the reverse lookup of IPs is present in Sensei.

Question 2
I am looking at the reports for "Top Remote Hosts" and I am seeing entries in there as FQDNs that are my internal hosts on the 192.168.100.0/24 subnet. Definitely not remote hosts. Interestingly, as Sensei is reporting the FQDN, it has to be getting that from my Windows DNS servers (I'm running split DNS so my domain is resolved internally), so it is able to query my DNS servers and retrieve local addresses. Surely it should know that if the resolved address sits on a range that it knows it hosts on the LAN interface, it isn't remote. I'd almost accept it if the address was on my DMZ but even then, the DMZ (in my specific case here), is a virtual interface of the LAN so again, easy to spot that it's not Remote.
Or maybe I'm misunderstanding your meaning of "remote".  :)

Last question/bug report
Go to Sensei/Configuration/Reporting & Data
Click the small orange "i" next to: "Perform health check for indices:" and you'll see that the help section for "Connection Security" and the section for "Reporting Criteria" in the block below opens up with the explanation for setting the Reporting Criteria for the email reports. The same thing happens if you click the orange "i" for "You can erase reporting data:"

Sorry for the overly long post, thanks for making it this far! I look forward to any insight you can offer to the above questions.

Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 06, 2020, 04:07:45 am
I had another suggestion/possible feature request. I build a fair number of dashboards using an Elasticstack cluster at work and noticed that you use the map to locate traffic destinations. I'm assuming you make use of the same DB that OPNSense does if you use the GeoIP alias (GeoLite2-Country-CSV)? I use the same setup for plotting traffic destinations at work except I use the GeoLite2-City-CSV. As you allow for the zooming in on the traffic map, might it be a suggestion to use a city IP locator instead of a country one? The map would look far more impressive if it split out the destinations into cities. At the moment, all my traffic bound for the US is ending up in Cheney Reservoir in Wichita!  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 06, 2020, 07:12:05 pm
I'd like to chime in with the same question and an additional question (plus a small cosmetic bug report at the end).

Question one
To give you specifics in the hope that it helps give you/me a better understanding of what is going wrong (or more likely what I'm missing), my setup is as follows:
  • OPNSense running on an i5 NUC with 8GB RAM.
  • 1 LAN subnet of 192.168.100.0/24 which is attached to the physical LAN in OPNSense.
  • 1 DMZ subnet (192.168.50.0/24), which is a virtual interface (VLAN) hanging off the LAN interface of OPNSense.
  • 1 Proxy server on the DMZ.
  • 1 Guest network (192.168.150.0/24), which is a virtual interface (VLAN) also hanging off the LAN interface of OPNSense.
  • 1 WAN interface using PPPoE to a DSL modem.
  • A Windows domain of around 10 Windows servers and multiple Linux servers with 2 Windows DNS servers sitting at 192.168.100.14 & 192.168.100.15.
  • A Pihole running on the same subnet (192.168.100.18).
  • Both Windows DNS servers have the Pihole set as their forwarder.
  • DHCP is handled by the same Windows servers that handle DNS queries.
  • OPNSense is set up as a DHCP relay for both the Guest and LAN subnets.
  • Windows DHCP is set up to always update DNS so I can see all of the hosts, regardless of type, are being registered in DNS.
  • DNS query route goes: Client --> Windows DNS --> Pihole --> Internet.
I've installed Sensei today and also added the DNS servers (192.168.100.14 & 192.168.100.15), under: Sensei/Configuration/Reporting & Data with the expectation that Sensei would check DNS for the hostnames of the IPs that are hitting the LAN interface. This doesn't appear to be happening and I'm not clear on why that is.
Further testing shows that if I use the FW to do DNS then I see the hostnames.

Is the only solution to this setup, to set the DNS in my DHCP scopes as the firewall then set the forwarder on the firewall DNS to be my Windows DNS servers (to keep the domain working), then the forwarder on the Windows DNS servers to be my Pihole docker container? That seems an overly excessive amount of DNS queries but it's the only way I'm seeing this working. This would be a pretty standard setup in most orgs in the sense that the first DNS host they query will always be the Windows DNS servers on the domain.

If this is the solution, then I don't understand why the option to allow the reverse lookup of IPs is present in Sensei.

Question 2
I am looking at the reports for "Top Remote Hosts" and I am seeing entries in there as FQDNs that are my internal hosts on the 192.168.100.0/24 subnet. Definitely not remote hosts. Interestingly, as Sensei is reporting the FQDN, it has to be getting that from my Windows DNS servers (I'm running split DNS so my domain is resolved internally), so it is able to query my DNS servers and retrieve local addresses. Surely it should know that if the resolved address sits on a range that it knows it hosts on the LAN interface, it isn't remote. I'd almost accept it if the address was on my DMZ but even then, the DMZ (in my specific case here), is a virtual interface of the LAN so again, easy to spot that it's not Remote.
Or maybe I'm misunderstanding your meaning of "remote".  :)

Last question/bug report
Go to Sensei/Configuration/Reporting & Data
Click the small orange "i" next to: "Perform health check for indices:" and you'll see that the help section for "Connection Security" and the section for "Reporting Criteria" in the block below opens up with the explanation for setting the Reporting Criteria for the email reports. The same thing happens if you click the orange "i" for "You can erase reporting data:"

Sorry for the overly long post, thanks for making it this far! I look forward to any insight you can offer to the above questions.

Thanks.

The only clean solution would be to feed pihole or adguard home logs into logstash so it can be displayed by sensei. Maybe with the API's something can be done.
https://github.com/AdguardTeam/AdGuardHome/tree/master/openapi

Or doing exactly this

Pi-hole data visualization using Elasticsearch, Logstash and Kibana
https://github.com/nin9s/elk-hole
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 07, 2020, 10:54:59 pm
https://www.sunnyvalley.io/post/sensei-for-opnsense-1-5-released/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 02:45:45 am
EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?

Hi @packetmangler,

With release 1.5, cache time to live is 8 hours. (higher with 1.4) So, could be every 6 hours so that it replenishes the cache.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 02:59:21 am
Hi @Callahan,

Thanks for taking the time and sharing your thoughts. Much appreciated.

Correction & suggestion well noted.

For IP <-> Hostname mapping, please see this FAQ entry:
https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ#h_023043d9-df52-46e7-a7f6-cded4bf8f697

As for some hosts being reported as "Remote": Yes, there's some philosophy here:)

Sensei runs on inner-facing interfaces and determines the "remote" / "local" properties in terms of where the connection is initiated. If it comes from the LAN side, then the src ip address is considered local and dst ip address is regarded as "remote".

So if a connection is from a local host behind network A to a host behind local network B, Sensei will consider the host on local network B as "remote", since for the context of the connection, it was the "remote end".

Obviously this is creating a bit of confusion. Let us give this a bit of thought.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 03:05:24 am
https://www.sunnyvalley.io/post/sensei-for-opnsense-1-5-released/

Hi @l0rdraiden, thanks for the post.

Yes, Sensei for OPNsense Release 1.5 is available for update/installation.

Enjoy and stay safe
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: guyp2k on May 09, 2020, 09:21:10 pm
Disregard, I was able to address the issue.


Installed Sensei and subscribed but stuck at "waiting for database service to come up." Any suggestions as I have tried w/ out success.

I reinstalled elasticsearch5 w/ out success.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on May 10, 2020, 01:39:50 am
EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?

Hi @packetmangler,

With release 1.5, cache time to live is 8 hours. (higher with 1.4) So, could be every 6 hours so that it replenishes the cache.

Thanks mb.  I have my simple one-liner running every 4 hours for the time being and it seems like it's doing what it needs.

Enjoying 1.5!
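
The sweep discussed above (reverse and forward lookups for every local address, repeated inside the 8-hour cache lifetime mb mentions) could look like the following added example; it is not packetmangler's one-liner and not part of Sensei. It assumes it runs on the firewall, that the firewall's resolver can answer PTR queries for the LAN, and that the range to sweep is the 192.168.100.0/24 subnet quoted earlier in the thread.

```python
#!/usr/bin/env python3
"""Reverse + forward lookups for every host address in a subnet (added example)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: the LAN range to sweep (the subnet quoted earlier in the thread).
SUBNET = "192.168.100.0/24"


def system_reverse(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def warm_cache(subnet, reverse=system_reverse, forward=system_forward, workers=16):
    """Return {ip: (hostname, forward_confirmed)} for addresses that have a PTR.

    Lookups run in parallel so that unanswered addresses do not stall the sweep.
    """
    ips = [str(h) for h in ipaddress.ip_network(subnet, strict=False).hosts()]

    def probe(ip):
        name = reverse(ip)
        if name is None:
            return ip, None
        # Forward-confirm: the name should resolve back to the same address.
        return ip, (name, ip in forward(name))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {ip: res for ip, res in pool.map(probe, ips) if res is not None}


def mismatches(results):
    """Addresses whose PTR name does not resolve back to them (stale records)."""
    return sorted(ip for ip, (_, ok) in results.items() if not ok)


if __name__ == "__main__":
    found = warm_cache(SUBNET)
    for ip in sorted(found, key=ipaddress.ip_address):
        name, ok = found[ip]
        print(f"{ip}\t{name}\t{'ok' if ok else 'forward mismatch'}")
```

The mismatch list is a by-product worth reading: a PTR name that no longer resolves back to its address usually means a stale DHCP-registered record, and that stale name is what would end up in the reports.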
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on May 10, 2020, 05:36:29 am
Disregard, I was able to address the issue.


Installed Sensei and subscribed but stuck at "waiting for database service to come up." Any suggestions as I have tried w/ out success.

I reinstalled elasticsearch5 w/ out success.

Thanks

There should be a next button at the bottom...
In any case... try to uninstall (via web or console) and reinstall, then do the wizard again
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on May 10, 2020, 05:39:17 am
Policies & Filtering

where is this in 1.5?
is this available in free?
also can we now upload list instead?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 10, 2020, 12:41:27 pm
Hi,

quick question here regarding the different plans.

I'm already paying for the home premium and I'd like to know if features like the "Stream Reporting Data to External Elasticsearch" or the future "SSL proxy/inspection" are included in this tier or only in the premium (highest enterprise plan).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 11, 2020, 04:02:23 pm
Sensei runs on inner-facing interfaces and determines the "remote" / "local" properties in terms of where the connection is initiated. If it comes from the LAN side, then the src ip address is considered local and dst ip address is regarded as "remote".

So if a connection is from a local host behind network A to a host behind local network B, Sensei will consider the host on local network B as "remote", since for the context of the connection, it was the "remote end".

Obviously this is creating a bit of confusion. Let us give this a bit of thought.
Yep that makes complete sense. Should have given that more thought before posting. I guess, you could build into an option to "Define local hosts" whereby we could add all addresses or subnets that we class as local and use them in the report. You couldn't just use RFC1918 as you'd end up with IPs on the end of VPNs being considered local. So easier said than done no doubt but if you were to use Logstash (you don't I know but as you're using an Elastic backend, the reference is somewhat valid), you could have all submitted "local addresses" assigned to a key/value pair file and import them into an array to use in the filter.

You'd loop through that array on each update of the report and if the source address existed in the KV pair, add a field called "local" then use that field as a key in the report for local connections. Given that very little thought until now so there are probably many reasons why that wouldn't work. Overhead for one thing... :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2020, 06:43:17 pm
Hi @packetmangler, hi @guyp2k, glad to hear that.

Hi @tong2x, Policy based filtering is available in all paid subscriptions.

Hi @Mitheor, for log streaming to elasticsearch, you can do that with the Free Edition. But please note that this will offload the database to this remote database system.
Starting with SOHO subscription tier, you can both have local Elastic/Mongo and at the same time stream reporting data to another remote database.

TLS decryption will appear on the highest plan (Premium, which will be re-named to Enterprise soon).

For the complete list of features and how they appear in free/paid subscriptions, please refer to this page:

https://sunnyvalley.io/plans
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2020, 06:51:29 pm
Hi @Callahan,

Thanks for the suggestion. I would agree, simply RFC1918 wouldn't do the job.

Indeed, we evaluated to have this on the packet engine itself since it can already do a lot more complex data enrichment.

We were not sure whether people would want to manually enter such a list. Thinking again, this list wouldn't be such a long one anyway.
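
The two labelling schemes discussed in this exchange (direction-based "remote", and Callahan's operator-defined list of local subnets) side by side, as an added example that is neither Sensei's code nor anything posted in the thread. The subnets are the LAN, DMZ and guest ranges quoted earlier, the field names follow the connection record quoted elsewhere in this thread, and the sample connections and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: an operator-maintained "local" list, as Callahan proposes.
LOCAL_NETS = ("192.168.100.0/24", "192.168.50.0/24", "192.168.150.0/24")

# Constructed sample connections, all initiated from the LAN side.
SAMPLE_CONNS = [
    {"ip_src_saddr": "192.168.100.20", "ip_dst_saddr": "192.168.50.10"},  # LAN -> DMZ proxy
    {"ip_src_saddr": "192.168.100.21", "ip_dst_saddr": "192.168.50.10"},  # LAN -> DMZ proxy
    {"ip_src_saddr": "192.168.100.20", "ip_dst_saddr": "81.0.84.116"},    # LAN -> internet
    {"ip_src_saddr": "192.168.100.20", "ip_dst_saddr": "10.8.0.5"},       # LAN -> host across a VPN
]


def parse_nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_local(addr, nets):
    """True when addr falls inside one of the configured local networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)  # an IPv4/IPv6 mismatch is simply False


def scope(conn, nets):
    """Classify a connection by which ends sit inside the local list."""
    src = is_local(conn["ip_src_saddr"], nets)
    dst = is_local(conn["ip_dst_saddr"], nets)
    if src and dst:
        return "internal"
    if src:
        return "outbound"
    return "inbound" if dst else "external"


def top_remote_hosts(conns, local_cidrs=None):
    """Count responders per destination address.

    local_cidrs=None reproduces the direction-based view: whatever answered
    the connection is "remote". With a list, responders inside it are left out.
    """
    nets = parse_nets(local_cidrs) if local_cidrs else []
    counts = Counter(
        c["ip_dst_saddr"] for c in conns
        if not nets or not is_local(c["ip_dst_saddr"], nets)
    )
    return counts.most_common()


if __name__ == "__main__":
    print("direction-based:", top_remote_hosts(SAMPLE_CONNS))
    print("with local list:", top_remote_hosts(SAMPLE_CONNS, LOCAL_NETS))
    for c in SAMPLE_CONNS:
        print(c["ip_dst_saddr"], scope(c, parse_nets(LOCAL_NETS)))
```

The VPN peer 10.8.0.5 shows why an RFC1918 test is not a substitute for the list: it is a private address, yet it stays in the remote report because it is not one of the configured subnets.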
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 12, 2020, 09:06:51 pm
Hi,

do you see also a huge increase in memory consumption (~20%) due to the last update?

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 13, 2020, 02:30:59 am
Hi @Mks,

1.5 does not normally have any updates which might induce increased memory usage. Let's see if some other people also experience this, and we can analyze further.

What we've observed, however, is that with one of the OPNsense 20.1.x updates, operating system swappiness behavior changed in a way that it is more likely to do swapping even if there's a decent amount of free memory in the system. This is why we've introduced the SWAP warning threshold configuration parameter. This might be unrelated to your case though.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Parallax on May 16, 2020, 02:32:27 am
Hi, I have an external Elasticsearch container (7.7.0) and it is complaining a lot about invalid UTF-8 bytes from Sensei, eg :


{"type": "server", "timestamp": "2020-05-16T00:28:33,695Z", "level": "DEBUG", "component": "o.e.a.b.TransportShardBulkAction", "cluster.name": "docker-cluster", "node.name": "da8d9957dfaf", "message": "[conn-200516][0] failed to execute bulk item (index) index {[conn_write][_doc][_9_hGnIBvp4cvgKY7pYd], source[{\"transport_proto\":\"UDP\",\"policyid\":\"0\",\"interface\":\"vtnet0\",\"vlanid\":\"0\",\"conn_uuid\":\"12a6680a-5ce0-4a7c-ae38-1a27c85ff66d\",\"src_hostname\":\"librarian.local\",\"src_username\":\"\",\"ip_src_saddr\":\"10.1.1.10\",\"ip_src_port\":65062,\"src_dir\":\"EGRESS\",\"dst_hostname\":\"81.0.84.116\",\"dst_username\":\"\",\"ip_dst_saddr\":\"81.0.84.116\",\"ip_dst_port\":57997,\"dst_dir\":\"INGRESS\",\"input\":1,\"output\":1,\"src_npackets\":1,\"src_nbytes\":0,\"src_pbytes\":104,\"dst_npackets\":2,\"dst_nbytes\":345,\"dst_pbytes\":317,\"src tcp_flags\":\"\",\"dst tcp_flags\":\"\",\"start_time\":1589588789000,\"end_time\":1589588911000,\"encryption\":\"TLS\",\"app_id\":16,\"app_proto\":\"QUIC\",\"app_name\":\"Quic UDP Connection\",\"app_category\":\"Streaming\",\"tags\":\"Encrypted,SSL,QUIC\",\"src_geoip\":{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"\",\"country_name\":\"\",\"country_code2\":\"\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":0.0,\"longitude\":0.0,\"location\":{\"lat\":0.0,\"lon\":0.0}},\"dst_geoip\":{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"Duna�jv�ros\",\"country_name\":\"HU\",\"country_code2\":\"\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":46.983299255371097,\"longitude\":18.933300018310548,\"location\":{\"lat\":46.983299255371097,\"lon\":18.933300018310548}}}]}", "cluster.uuid": "3zoVrbvRRfmZcZZHbXwCZw", "node.id": "5MoI-6jVTFGAfVm-XSZ4TA" ,
"stacktrace": ["org.elasticsearch.index.mapper.MapperParsingException: failed to parse field [dst_geoip.city_name] of type [text] in document with id '_9_hGnIBvp4cvgKY7pYd'. Preview of field's value: ''",
"Caused by: com.fasterxml.jackson.core.JsonParseException: Invalid UTF-8 middle byte 0x72",
" at [Source: (org.elasticsearch.common.bytes.AbstractBytesReference$MarkSupportingStreamInputWrapper); line: 1, column: 1108]",
"at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1840) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:712) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidOther(UTF8StreamJsonParser.java:3574) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidOther(UTF8StreamJsonParser.java:3581) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._decodeUtf8_3fast(UTF8StreamJsonParser.java:3386) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._finishString2(UTF8StreamJsonParser.java:2490) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._finishAndReturnString(UTF8StreamJsonParser.java:2438) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText(UTF8StreamJsonParser.java:294) ~[jackson-core-2.10.4.jar:2.10.4]",
"at org.elasticsearch.common.xcontent.json.JsonXContentParser.text(JsonXContentParser.java:83) ~[elasticsearch-x-content-7.7.0.jar:7.7.0]",
"at org.elasticsearch.common.xcontent.support.AbstractXContentParser.textOrNull(AbstractXContentParser.java:253) ~[elasticsearch-x-content-7.7.0.jar:7.7.0]",
"at org.elasticsearch.index.mapper.TextFieldMapper.parseCreateField(TextFieldMapper.java:823) ~[elasticsearch-7.7.0.jar:7.7.0]",
"at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:284) ~[elasticsearch-7.7.0.jar:7.7.0]",


And so on. The Opnsense install is the DVD ISO in Proxmox 6.2, the Elasticsearch is in a Docker container on an adjacent host. Any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2020, 04:00:29 am
Hi @Parallax,

Thanks for the heads-up. Remote Elastic support is quite fresh. There might still be some bugs left.

Can you reach out to the team via "Report Bug" so that we can follow up?

EDIT: Spotted and fixed this. Fix is shipping with 1.5.1 scheduled for this week(end).
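
A pre-flight check for the failure reported above, where Elasticsearch rejects a document because a text field is not valid UTF-8; this is an added example, not Sensei's code and not the fix shipped in 1.5.1, which the thread does not describe. It assumes the offending bytes come from a single-byte encoding (ISO-8859-1 here), and the sample document is constructed, reduced to the two geoip fields.

```python
import codecs
import json

# Constructed sample: the city name is encoded as ISO-8859-1 (0xFA, 0xE1)
# inside an otherwise ASCII JSON document.
SAMPLE = b'{"dst_geoip":{"city_name":"Duna\xfajv\xe1ros","country_name":"HU"}}'


def decode_with_fallback(raw, fallback="latin-1"):
    """Decode as UTF-8, re-reading only the invalid bytes with `fallback`.

    Returns (text, problems); problems lists (offset, hex bytes, reason) for
    every invalid sequence, so the caller can log what was repaired.
    Assumption: latin-1 is the source encoding; cp1252 is the usual
    alternative when the data comes from Windows tooling.
    """
    problems = []

    def handler(exc):
        bad = exc.object[exc.start:exc.end]
        problems.append((exc.start, bad.hex(), exc.reason))
        return bad.decode(fallback), exc.end

    # Registering under a private name; a later call simply replaces it.
    codecs.register_error("example-utf8-fallback", handler)
    return raw.decode("utf-8", errors="example-utf8-fallback"), problems


def normalise_doc(raw, fallback="latin-1"):
    """Return (clean_utf8_bytes, problems) for one JSON document.

    Raises ValueError if the repaired text is still not valid JSON, so a
    broken document is rejected before it reaches the bulk API.
    """
    text, problems = decode_with_fallback(raw, fallback)
    doc = json.loads(text)
    clean = json.dumps(doc, ensure_ascii=False, separators=(",", ":"))
    return clean.encode("utf-8"), problems


if __name__ == "__main__":
    clean, problems = normalise_doc(SAMPLE)
    for offset, hexbytes, reason in problems:
        print(f"offset {offset}: 0x{hexbytes} ({reason})")
    print(clean.decode("utf-8"))
```

In the sample, 0xE1 is read by a UTF-8 decoder as the lead byte of a three-byte sequence, so the plain `r` (0x72) that follows is rejected as a continuation byte, the same kind of complaint as the "Invalid UTF-8 middle byte 0x72" in the stack trace.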
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 18, 2020, 12:26:28 pm
Super stupid question:
Once I enable the app control I have a few websites I can't access anymore.
Is there a way to whitelist these as exception?

I'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on May 18, 2020, 12:46:24 pm
Super stupid question:
Once I enable the app control I have a few websites I can't access anymore.
Is there a way to whitelist these as exception?

I'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917


Reports -> Blocks -> Live Blocked Session Explorer -> find Session -> Click green ✅ and allow host
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 18, 2020, 12:48:18 pm
Super stupid question:
Once I enable the app control I have a few websites I can't access anymore.
Is there a way to whitelist these as exception?

I'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917

It's via what binaryanomaly said or in policies / web control / Whitelist
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 18, 2020, 08:42:30 pm
Thank you.
Super helpful. I should have spent more time looking for it.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 19, 2020, 09:15:06 am

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on May 19, 2020, 06:24:08 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 20, 2020, 06:54:40 pm
Dear Sensei users,

If you're using Mongodb as the db backend, please postpone your OPNsense 20.1.7 update a bit since we're trying to verify if everything works with the current Sensei release.

We'll post an update later today once we have the confirmation.

Elasticsearch looks fine.

UPDATE 5/20/20 10:00 PT:
20.1.7's new PHP package is incompatible with Mongodb. New package build in progress. ETA 3 hours.

UPDATE 5/20/20 18:35 PT:
Mongodb users can update to 1.5_1 to handle the incompatibility. 1.5_1 will automatically fix the problem behind the scenes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on May 21, 2020, 10:45:24 am
Hi,

there seems to be a bug, that using Drill Down/Session Details of ipv6 addresses is not possible because of additional \ characters

Problem:
a) Selection of an ip6-address 2aaa:1234:1234:1234:1234:1234:1234:1234 in a chart of the Dashboard screen.
b) Source Hostname is now: 2aaa\:1234\:1234\:1234\:1234\:1234\:1234\:1234
c) => no results

Workaround:
manual filter Source-Hostname 2aaa:1234:1234:1234:1234:1234:1234:1234
=> expected results

Could you please fix this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 21, 2020, 03:09:32 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?

No, I don't have the options you show me.
See the attached file
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 21, 2020, 03:11:53 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?

No, I don't have the options you show me.
See the attached file


Could you show the session being blocked in the Blocks / Live web explorer?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 21, 2020, 10:37:10 pm
Yes. The session seems blocked and none of the lan clients can access the website. If I stop Sensei engine it works


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 23, 2020, 02:44:35 am
Hi @nikkon, send a problem report and the team will have a look at it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 23, 2020, 02:45:52 am
Dear Sensei users,

As promised, we've[1] kicked off another project which focuses on killing remaining netmap bugs on HardenedBSD 12 (FreeBSD 12).

Please see the main topic here:

https://forum.opnsense.org/index.php?topic=17363.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on May 23, 2020, 10:06:40 pm
Thx for the news about the netmap changes.

I disable the cache in pihole and still cannot see local resolved hostnames in sensei's reports.
Dns Crypt proxy is used though.
Can I change anything to resolve the hostnames or will you guys add an option update to handle this case?

Furthermore, do you have a date for the update to automatically import / update custom block lists like in pihole, etc?

Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 24, 2020, 07:15:49 pm
Hi @nikkon, send a problem report and the team will have a look at it.
Ok. I will
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mittenz on May 24, 2020, 09:23:25 pm
I have the home edition.

Reporting configuration suggests Elasticsearch can be used. I would like to forward this to my ELK stack.

The help page says "Sensei Premium can stream data to external remote Elasticsearch or MongoDB servers for log parsing and Security Information and Event Management (SIEM) system integration. In the Configuration section of the Sensei OPNsense portal select the Reporting & Data tab."

However, there is no such section on my reporting page.

Any ideas?

PS - would it be worth this forum having a separate OpnSense subforum, as searching through one single long thread is a little tricky.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 01:29:20 am
Hi @sol,

Are you using DnsCrypt Proxy on the firewall? If so, since it runs on WAN, it should not interfere with Sensei.

Are you sure DNS traffic (querying local hostnames) is passing through the Sensei protected interface?
To make sure this is the case, you can run a quick tcpdump session and check if you can see any dns/mdns/llmnr requests for local devices.

For the custom block lists: it's not yet in the short-term roadmap :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 01:30:04 am
Hi @mittenz,

With home edition, you can completely offload your database to a remote ES instance. But beware this option is only configurable during initial configuration wizard:
Backup Sensei && Uninstall Sensei && Install Sensei and during initial config, select remote ES as the database.

Here's a quick blog post explaining this in detail:
https://www.sunnyvalley.io/post/using-remote-elasticsearch-for-sensei-reporting/

About subforum: Good idea, thanks for the suggestion. Let me discuss this with the OPNsense team. Maybe we can have this under a section called "Third Party Tools".
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 02:56:43 am
Cross posting an update about netmap on OPNsense 20.7: https://forum.opnsense.org/index.php?topic=17363.msg79415#msg79415 :

Sensei packages for OPNsense 20.7 (amd64/OpenSSL) are out and available for testing.

If you test OPNsense 20.7, as a bonus, you get access to the latest Sensei (1.5.1.rc1) which is yet to be released ;)

PS: Make sure you update to the latest 20.7 beta after the ISO installation, since latest 20.7 includes some important patches with regard to interface drivers. Kernel should read 12.1-RELEASE-p5 or later:

12.1-RELEASE-p5-HBSD FreeBSD 12.1-RELEASE-p5-HBSD #0  d8b850736ba(master)-dirty


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 03, 2020, 05:16:53 pm
Dear Sensei users,

In case you did not notice: fixing some issues reported by 1.5 users, Sensei 1.5.1 release is out:

https://www.sunnyvalley.io/post/sensei-1-5-1-for-opnsense-is-out/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 13, 2020, 02:20:10 am
Cross-posting from: https://forum.opnsense.org/index.php?topic=17363.msg80144#msg80144:

Below file keeps the last status for the Ethernet Drivers <-> netmap compatibility.

https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

This page also explains how you can easily test OPNsense 20.7 netmap.

Feel free to grab a driver, test and provide test results. You should be able to leave comments on the Google Sheets file.

It looks like there's some work to do. We're here to fix.

Just test and provide feedback.

PS: Please use the thread under: https://forum.opnsense.org/index.php?board=35.0 for communication around this subject.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 19, 2020, 03:58:28 pm
I'm talking directly with Sensei team but it takes quite a long time to get conclusion :-), so I thought I may ask questions here...
In my instance, Sensei works over vlans' parent interface which is VMware's vmx (vmxnet3 driver). Hardware offloading is disabled.

TL;DR
Are you going to reconsider limits for home users? If you need to put any limit, I would say 100 devices is a fair number. Of course I'm not threatening / blackmailing, I'm only considering  all available options...
And keep up the good work!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on June 19, 2020, 04:43:11 pm
50 devices is fair enough in my opinion, even considering IoT

Anyway it's not a must to put everything behind OPNsense, you don't have it to protect your phones when you are not at home
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 19, 2020, 04:50:12 pm
I use "road warrior" scenario for all my mobile devices (once device isn't connected to specified wifi network, automatically connects over VPN) and virtually they are always under LAN's umbrella. I know I'm paranoid but I like to minimize users tracking and connect to my servers - most of them are accessible only within LAN...
At the moment I have 54 devices discovered by Sensei but only 44 are in ARP table.
I have many IoT devices and cameras so I'm very much on the limit.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on June 19, 2020, 07:36:48 pm
50 devices is fair enough in my opinion, even considering IoT

Not really. Got 39 here with two adults and a baby and I do not have that many devices besides the standard IoT (lights, plugs, heater,...) stuff. If we'd live in a house it would probably be >50 already.

Imho <100 would be more appropriate.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 19, 2020, 11:09:08 pm
Hi @GreenMatter,

We hear you :) I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 20, 2020, 08:38:41 am
Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)
It's good to know that at least somebody likes us  8)
Anyway, I hope you guys will be not only flexible but proactive when it comes to market demands, haha! I have family of 5, multiple devices, IoT, servers, docker containers running on macvlan networks, freenas jails, VPN users and vlans. Thus number of 50 doesn't sound big enough. And as I'm migrating from Unifi, I like nicely presented reporting. That's why I keep fingers crossed you'll change your policy...
Have a great weekend!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on June 24, 2020, 11:59:25 pm
Hi @GreenMatter,

We hear you :) I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)

First of all it doesn't make a lot of sense that a free user get unlimited devices and a paid one 50, I know there are other limitations.

On the other hand what differentiates Sophos/enterprise from Home/free should be the professional support and not the features, no one will install this in an enterprise without support. Another thing is LDAP and you are doing it right here. So would not be afraid of companies using your software for free even if the home version features were free.

I still think that the price of the home version might be high considering the alternatives. Maybe selling it as a perpetual license for home users would be an option, or lowering the price to 2-5$ per month and limit more the free edition if you want home users which should be your target to pay for it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nzkiwi68 on June 25, 2020, 06:34:20 am
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on June 25, 2020, 03:41:56 pm
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

There is an App category for Proxies.  I don't see SkyVPN, but you do have the ability to add it manually if you know the hostname(s) and IP addresses the service uses.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Koldnitz on June 27, 2020, 01:08:46 am
I am really liking Sensei.

I have 2 questions.

First, are you aware that every so often sensei seems to make one of the interfaces I have configured in a Lagg (lacp) go down?  The eastspec(?) process on one of my cores (i7-7500) goes crazy, on the status tab one of the 2 interfaces watched for my Lagg (it can be either of them) dies, while all the bandwidth goes to the other, and only way to fix it is to turn sensei on and off (sometimes takes multiple tries, usually happens within first 10 minutes or after days / weeks of uptime).  The problem occurs randomly to the point that I no longer have sensei configured to automatically load on reboot (I have been fooling with settings and rebooting router a lot to make sure things work still).  I assume you are aware and this will be fixed on 20.7, but if you are not if I can help you make sensei better I am all for it.

Second, I have been trying to get a cloud account set up, but when I click the email validation link it, the webpage tells me this is not a valid link.  My email is registered and I have gotten a password reset just fine, but I am unable to validate my account.

Please let me know.

Cheers,


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:18:41 am
@l0rdraiden, thanks for additional thoughts/comments. Well noted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:25:33 am
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

Hi @nzkiwi68, we see growing interest from the education community. Proxy identification/filtering is one of the most requested features.

Proxy filtering can be done both from the Web Controls and App Controls. App Controls come handy if the identification might be trickier for a particular application.

Having said that, SkyVPN, Ultrasurf and a few other tricky proxy applications are being worked on.

As @packetmangler put it, if you already know the destination IP/hostnames you can create custom applications and enforce policies using the custom developed applications.

Other than that, do not hesitate to reach out to us via "Contact Team" menu on the right hand side of the menu. We want to know more about your problems in the field and create solutions as soon as possible.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:33:08 am
Hi @Koldnitz,

Thank you very much for your feedback. We're happy to hear that you like Sensei so far.

We are curious about the lagg interface problem. Yes, as you put it, Sensei protects member interfaces. It's normal if they go down/up during Sensei start/stop because enabling netmap mode forces an interface down/up event.

But I guess this is different, and if you can create a problem report from the Sensei UI - Report Bug - on the UI right hand corner , that would be very much helpful.

For the Cloud Portal account, if you do additional password reset requests previous links become invalid and you need to use the latest activation code. If you can PM your email address to me, I can have it inspected.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Koldnitz on June 27, 2020, 06:29:30 am
Since you have not heard about this, I will provide a slightly better description.

Generally, what seems to happen is that after I start Sensei (within 10 to 20 minutes) something happens with my interfaces and it says in the logs shown on Dashboard / Lobby screen a hot plug event and then shortly thereafter I get a line saying possible flapping and one of the Lagg ports goes down (light on router port stops blinking / goes solid, and status tab in Sensei shows one interface doing everything while other interface is all 0s or bytes).

In the System Diagnostics Activity tab the 1 of the 2 Eastspec processes (my processor is a 2 core 4 (hyper)threads but it looks like 4 CPUs to Opnsense) goes nuts.  On Netdata the temperature chart gets weird, showing 2 cores 20+ celsius hotter than the 2.  Also in Netdata one of the CPUs (threads) goes crazy compared to the other 3.

I never had this problem until I set up the Lagg interface (I ran Sensei for maybe 2 to 4 weeks before I set it up), and once Sensei is shut down(I do it from the status tab) it disappears because whenever Sensei is started / shutdown all interfaces reinitialize up and down.

This leads me to be 99% certain it has to do with Sensei interacting with the Lagg interface. Furthermore, I have not seen it happen without Sensei running, and I have had to restart Sensei 2 to 3 times at times to get it to start correctly.

I will definitely create report and send you all the logging information available to the report next time it happens.

P.S.  I did all the tweaks I could find to eliminate flapping on this forum and over at pfsense forum but it still happens.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 06:49:54 pm
Hi @Koldnitz, thanks for the additional information and for the report.

It looks like we have your problem report. Team will be following up with you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 29, 2020, 07:51:51 pm
(...)
On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)


So, have you reached conclusion when it comes to number of devices (>50) for home users?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 10:37:10 pm
So, have you reached conclusion when it comes to number of devices (>50) for home users?

Hi @GreenMatter, yes. Hopefully we'll have an announcement this week.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 10:38:19 pm
Dear Sensei users,

As some of you might have noticed, Sensei 1.5.2 is out.

This is a maintenance release for 1.5. For the full Release Notes:

https://www.sunnyvalley.io/post/sensei-1-5-2-for-opnsense-is-out/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: STX on June 30, 2020, 09:32:15 am
Hello,

Gave Sensei a go over the past 5 days or so. Linked up with AWS ElasticSearch and pushed on. My initial impressions were good but at the end of that test some strange things began to happen.

Serving FW would drop LAN randomly around every 5 minutes or so. Checked logs tried turning every added feature off even re-configuring anew. Finally turned off and uninstalled Sensei completely and now everything is fine. Not sure exactly what was causing the issue due hasty resolve but definitely not stable.

Paid for a license too early it would seem.

Also, the UI is buggy. Around 60% of the time the status and reporting graphs would shake around a little in their designated cells. This behavior would continue until I logged out and back in but not always.

Promising and indeed grateful to have this for an open project but needs more work before prime-time in a serious/critical environment IMHO.


Specs:

Manufacturer: Supermicro
Product Name: Super Server
Processor: Intel(R) Pentium(R) CPU N3710 @ 1.60GHz
Core: 4
RAM: 8GB
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 09:58:36 am
Dear Sensei users,

As some of you might have noticed, Sensei 1.5.2 is out.

This is a maintenance release for 1.5. For the full Release Notes:

https://www.sunnyvalley.io/post/sensei-1-5-2-for-opnsense-is-out/


Yes, I have updated to 1.5.2 and have noticed that Live Blocked Sessions Explorer displays empty page. See attachment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 10:42:13 am
If I want to exclude more than one domain from cloud queries (Cloud & Thread Intel tab in configuration):
Local Domain Name To Exclude From Cloud Queries:
Shall I separate them by space or comma or something else...?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on June 30, 2020, 06:17:38 pm
So, have you reached conclusion when it comes to number of devices (>50) for home users?

Hi @GreenMatter, yes. Hopefully we'll have an announcement this week.




https://www.sunnyvalley.io/plans/
Quote
Up to 100 Devices

Kewl thx ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:49:54 pm
@STX, you can always request a cancellation through the Cloud Portal. We'll be happy to help.

Having said that, chances are high that the thing with the interface going down/up might be related to netmap(4).

Let us have a closer look.  You can send a problem report through the user interface. Just click on "Report Bug" menu located on the upper right hand corner. Make sure you share the relevant logs and team will take it from there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:55:48 pm
@GreenMatter, this is caused by a bug in earlier versions. Though it is fixed in 1.5.2, since the erroneous entry is still in the database you still experience the problem.

I'll share a simple command which will get it sorted out.

For the cloud query, you can only specify a single domain name there, since it was meant to whitelist local network. However, domains ending in  ".local", ".localdomain", ".lan", ".intra", ".intranet",  ".bind", ".home", ".mshome", ".corp", ".mail",  ".group", ".workgroup" are considered local and they do not get queried from the Cloud.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:58:20 pm

https://www.sunnyvalley.io/plans/
Quote
Up to 100 Devices

Kewl thx ;)

Yes, and all welcome :) Still a few minor things left to get it right technically. Official announcement to follow shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 07:35:13 pm
System: OPNsense 20.7.b_181-amd64
FreeBSD 12.1-RELEASE-p5-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Sensei 1.5.2 missing:
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 07:40:14 pm
Hi @yeraycito, You are on OPNsense 20.7 beta and it looks like you've somehow installed FreeBSD11 package. Can you try:

pkg remove os-sunnyvalley-devel
pkg install os-sunnyvalley-devel
pkg install -f os-sensei

Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 08:41:19 pm
Uninstalled and reinstalled from opnsense-firmware-plugins: 1.5.2 missing
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 09:26:39 pm
@yeraycito, give it one more try. 1.5.2 is there now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 09:28:54 pm
That's it. Installed from the console.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 09:30:47 pm
@GreenMatter, this is caused by a bug in earlier versions. Though it is fixed in 1.5.2, since the erroneous entry is still in the database you still experience the problem.

I'll share a simple command which will get it sorted out.

For the cloud query, you can only specify a single domain name there, since it was meant to whitelist local network. However, domains ending in  ".local", ".localdomain", ".lan", ".intra", ".intranet",  ".bind", ".home", ".mshome", ".corp", ".mail",  ".group", ".workgroup" are considered local and they do not get queried from the Cloud.


Thanks @mb!
I've just received a prompt reply from support and running following command:
Code:
echo -n "delete from user_configuration where id = 2;" | sqlite3 /usr/local/sensei/userdefined/config/settings.db
has fixed an issue...
And thanks for updating Sensei plans!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 09:34:03 pm
If you need to update it from the console.....Sensei:Status - Engine version - check updates ?????????????
                                                                      os-sensei-updater  ????????????
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on July 02, 2020, 09:44:28 am

If I have multiple policies, does their order make any difference?
For example, I have 2 almost identical policies: #1 is the main, set as vlan13, #2 is a copy with additionally blocked app, set as vlan13 subnet (I couldn't choose same vlan13) and with active schedule (on & off).
So now policies order is as follow:
Default
#2
#1


If it is like that:
Default
#1
#2
would it change anything?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on July 03, 2020, 02:24:13 am
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2020, 07:45:03 am
Hi @GreenMatter,

Yes, policy order does matter. Suppose that you have:

Default
Policy 1
Policy 2

Engine tries to match in this order:
Policy 1
Policy 2
if none matches assigns Default policy.

With 1.6, we've changed the display order so it will be just as it is evaluated:
Policy 1,
Policy 2,
Default

PS: in case you did not notice: you can re-order policies in the policy list view which is displayed when you click on the Policies from the left menu.
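
The first-match evaluation described in the post above, as an added Python model (an illustration written for this page, not Sensei code and not part of the original post). The `Policy` fields, the treatment of an inactive schedule as "no match", the app names and the 192.168.13.0/24 subnet are assumptions; the two policies are constructed to mirror GreenMatter's #1 and #2.

```python
"""Model of ordered, first-match policy evaluation with a Default fallback.

Added illustration only, not Sensei code. Field names, schedule handling and
the sample subnet/app names are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    network: str                          # CIDR the policy applies to (assumed)
    blocked_apps: frozenset = frozenset()
    schedule: Optional[tuple] = None      # (start, end) times; None = always on

    def active_at(self, now: time) -> bool:
        if self.schedule is None:
            return True
        start, end = self.schedule
        if start <= end:
            return start <= now < end
        return now >= start or now < end  # window that wraps past midnight

    def matches(self, src_ip: str, now: time) -> bool:
        # Assumption: a policy outside its schedule does not match at all,
        # so evaluation falls through to the next policy in the list.
        return self.active_at(now) and ip_address(src_ip) in ip_network(self.network)


DEFAULT = Policy("Default", "0.0.0.0/0")


def select_policy(ordered, src_ip, now):
    """Return the first policy in evaluation order that matches, else Default."""
    for policy in ordered:
        if policy.matches(src_ip, now):
            return policy
    return DEFAULT


def is_blocked(ordered, src_ip, app, now):
    """True if the policy selected for this source blocks the given app."""
    return app in select_policy(ordered, src_ip, now).blocked_apps


def shadowed(ordered):
    """Names of policies that can never be selected because an earlier,
    always-on policy already covers their whole network."""
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            covers = ip_network(later.network).subnet_of(ip_network(earlier.network))
            if earlier.schedule is None and covers:
                result.append(later.name)
                break
    return result


# Constructed sample data mirroring the question: #1 is the main policy,
# #2 is a copy that blocks one extra app and only runs on a schedule.
P1 = Policy("#1", "192.168.13.0/24", frozenset({"app-a"}))
P2 = Policy("#2", "192.168.13.0/24", frozenset({"app-a", "extra-app"}),
            schedule=(time(8, 0), time(16, 0)))

ORDER_2_THEN_1 = [P2, P1]   # evaluated #2, #1, then Default
ORDER_1_THEN_2 = [P1, P2]   # evaluated #1, #2, then Default

if __name__ == "__main__":
    host = "192.168.13.20"  # constructed client address
    for label, order in (("#2,#1", ORDER_2_THEN_1), ("#1,#2", ORDER_1_THEN_2)):
        for now in (time(10, 0), time(20, 0)):
            chosen = select_policy(order, host, now)
            print(label, now, "->", chosen.name,
                  "| extra-app blocked:", is_blocked(order, host, "extra-app", now))
        print(label, "shadowed policies:", shadowed(order))
```

In this model, placing the always-on #1 ahead of the scheduled #2 means #2 is never selected, so its extra block never takes effect; with #2 first, it applies during its schedule and #1 covers the rest of the day.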
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2020, 07:48:03 am
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.

Hi @yeraycito,

Might be that wireguard has a clashing dependency. Let's have a look here.

Anyhow, to re-install just do:

pkg remove mongodb40
pkg install mongodb40

Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on July 03, 2020, 03:14:36 pm
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.

Hi @yeraycito,

Might be that wireguard has a clashing dependency. Let's have a look here.

Anyhow, to re-install just do:

pkg remove mongodb40
pkg install mongodb40

It worked, thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on July 04, 2020, 08:45:05 am
I have a few questions about sensei,

1 I have a home subscription, is TLS/SSL inspection available for home users (if so how do I set it up?) ?
2. Is it possible to view blocks in a table format so I can easily see which website has been blocked ?
3. There is a template blockpage set up to show up when a website is being blocked, I almost never see this page when a site is blocked, is it possible to show this block page on ssl connections (it's a little confusing now because now I see an error page that says dns_probe_finished or connection_closed so I don't know if this was sensei blocking the page, or if my DNS has some issues. To check I have to go through reports on sensei so that's my reason for question 2) ?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2020, 05:54:23 pm
Hi @actionhenkt,

1. TLS/SSL inspection will be on the premium (will be renamed to enterprise soon) tier.
2. Sure, you have it already. Go to Reports -> Blocks -> Live Blocked Sessions Explorer. This shows in realtime which connections are blocked and for what.
3. Yes, please see this FAQ entry:
https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ#h_3fc561e1-efd2-4e19-8cc7-accb5b2ebaac

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2020, 06:12:12 pm
Dear Sensei users,

As this is a very much requested feature, I feel like I should let you know now:

Beginning with release 1.6, Sensei will have two more dns enrichment sources

1. Engine will do an active real-time reverse PTR query in case it cannot detect an immediate dns enrichment data from previous attempts  (available in home & higher subscription tiers)

2. Also, it'll utilize and prioritize OPNsense alias definitions if you have created a Host alias. (will be available in all tiers)

We hope to ship 1.6 later this month.

Stay safe & healthy,
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on July 07, 2020, 01:59:40 pm
After the latest update I cannot see sessions in reports blocks anymore so I cannot add exception for single destinations.
Any suggestion?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 07, 2020, 05:44:28 pm
During high network utilization I see..

0% /usr/local/sensei/output/active/temp [ufs]

go above 100% - is that normal?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 08, 2020, 08:44:14 pm
Hi @Rickytr, it's not expected. Does resetting reporting help? (Sensei -> Configuration -> Reports & Data -> Reset Reporting)

Hi @evergreek, is that you see 100% active/tmp utilization during peak time? or you see no utilization at all?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 08, 2020, 11:07:53 pm
mb - it will go above 100% to 104% etc... (in my previous post - the network is quiet).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 09, 2020, 02:21:33 am
@evergreek, that's not expected. Shoot a PR and let's have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on July 09, 2020, 03:56:15 pm
Hi @Rickytr, it's not expected. Does resetting reporting help? (Sensei -> Configuration -> Reports & Data -> Reset Reporting)


I have the same problem. Resetting the reports does not solve the problem.

Live session explorer of connections and TLS works though. It's failing in DNS and Blocks.

Edit. Solved after opening a bug report.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on July 09, 2020, 07:18:55 pm
Is there any way to check current installed database content (like what urls are included for each category)?

I'd like to test some policies but I need this info  :P
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 09, 2020, 11:32:49 pm
What are these messages on the logs?

Jul 9 16:28:12    kernel: /usr/local/sensei/output/active/temp: optimization changed from SPACE to TIME
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 12, 2020, 10:27:57 pm
Hi @Rickytr, it's not expected. Does resetting reporting help? (Sensei -> Configuration -> Reports & Data -> Reset Reporting)


I have the same problem. Resetting the reports does not solve the problem.

Live session explorer of connections and TLS works though. It's failing in DNS and Blocks.

Edit. Solved after opening a bug report.

Reported bug through the GUI with my logs.

I also have the same problem. I think the issue is the live blocked sessions explorer is now missing all the columns such as start, end, source IP, protocol. Now it shows the columns you expect on the overview page such as "alerts - top blocks" "top remote hosts" Checking all those shows undefined and there is  loaded record counter. So the data is there but the web page for it is missing the columns it needs to show the data.

Live blocked sessions. https://imgur.com/a/B1qt9EP
Here are the columns in every other live report.  https://imgur.com/a/IKIz8Ec
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 14, 2020, 05:12:41 pm
Hi @donatom3,

UI bug which was causing this had been fixed with 1.5.2. But the database entry was still there.
1.6 will auto-detect this issue and fix it during post-install.

Below command should handle this for the time being:

Code:
echo -n "delete from user_configuration;" | sqlite3 /usr/local/sensei/userdefined/config/settings.db
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 14, 2020, 05:19:11 pm
Jul 9 16:28:12    kernel: /usr/local/sensei/output/active/temp: optimization changed from SPACE to TIME

This is a notification from Unix File System (UFS) about its data placement policy. It tells that new priority is back to performance.

This is related to this directory being 100% utilized. We do not expect this to happen under normal traffic conditions. Can you open a PR in case you did not do so?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 16, 2020, 05:00:10 pm
mb,

I'm having a big problem - after upgrading from free -> premium - every couple of days the Sensei instance seems to be killing my internet. I have to login to the shell and kill the sensei process. Then everything starts working again.. a reboot does not fix it .. the problem persists until I kill the process.. I sent in a bug report but I was wondering if you guys had seen this before or someone else on this forum.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 16, 2020, 06:41:57 pm
Hi @evergreek, yes, we received your report. Team is on it. We'll get back to you momentarily.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on July 16, 2020, 11:16:20 pm
@mb

Having some issues with a new deployment. Previously, we'd had no problems choosing larger sized deployments during install. Based on that, a client hired us to setup a large OPNsense deployment with Sensei. However, it won't let me pick anything larger than "Small II." Specs of the firewall below...it definitely should be able to do far more than Small II. Amusingly, those are the same limitations our 2-core ATOM CPU at another office gets, so something isn't quite right. I've tried uninstalling, reinstalling, rebooting, etc.

CPU: Xeon, 1.9ghz, 6 cores, hyperthreading (12 logical cores)
Memory: 64gb
Score: 131578 (low-end?!)

How can I get Sensei to properly recognize this overpowered beast of a firewall?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 16, 2020, 11:19:20 pm
Hi @DenverTech,

We received several other reports and looking into this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on July 17, 2020, 04:43:34 am
For anyone else following...it appears ubench (used to measure this), isn't reading some Xeon processors properly. Atom CPU = 130,000...Xeon = 130,000. It's measuring single-core oddly. The support team (kudos for the quick solutions) was able to override it and test without the ubench measurement. Despite the claim from ubench that the system couldn't handle anything, it's handling 500+ devices without issue.

Looks like a ubench bug!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 17, 2020, 06:47:20 pm
Hi @DenverTech,

Thanks for the update. Yes, most CPUs look ok, but with some, ubench is producing lower scores.

Team is looking for an alternative solution which could better yield the computing power of the cpu.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m.chupin on July 23, 2020, 11:23:02 am
Hi all,
I'm a newbie to Sensei. I need an application filter. I plan to apply the policy "Deny all, except certain apps".
First, I applied "Block all" on the "App controls" page. I checked some apps (like TeamViewer, Skype, Windows Store) - they really don't work. Then I checked the Telegram Desktop app - it started up and works without problems, though "Reports" shows that Sensei recognizes Telegram.
I'm trying the free version of Sensei.

What should I do to block Telegram?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zauopn on July 23, 2020, 08:30:09 pm
Hello, I have latest version of opnsense already installed in a VirtualBox VM and it is working.

Internet WAN -> Modem -> Opnsense device (Ethernet port) LAN -> USB Ethernet adapter (usb connected to Opnsense device and Ethernet to WAN Ethernet port of router) -> Router ( multiple devices connected to it via Ethernet LAN ports and WiFi)

However, there are some issues with Sensei and IDS/IPS that need to be fixed:

1) All the web traffic in opnsense has the same WAN IP from router, so it makes it look like there is only one device connected to the network. I need to see in the Sensei and IDS traffic logs exactly the IP of the device in the network (i.e. printer, PC, etc.) that generates the traffic. For example, if a user using a smartphone goes to Facebook, I need to see the IP of the smartphone, not the WAN IP of the router.
2) Snort rules are not getting triggered, there are several ERR INVALID SIGNATURE in the IDS logs. Also, the GeoIP settings have an issue: the country flags are not showing up in the logs; maxmind was already added to the geoip settings. :-\
I also have ET telemetry and some of the rules work but many of those rules are empty, it seems that ET Telemetry doesn't have the same rulesets as ET PRO.

Does anyone know how to fix these issues? I'd appreciate your help. Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 24, 2020, 11:22:43 pm
Hi @zauopn,

This looks like Sensei/OPNsense is not the gateway for your devices and thus traffic does not flow through Sensei.

In reports, if all you see is WAN IP, it might be that your router might be doing NAT for the devices behind it.

To make sure it is not the case, run a tcpdump trace to see if you can see the internal IP addresses.

For the other question, is it Snort or Suricata? If Suricata, IDS/IPS forum might be a better place to ask:
https://forum.opnsense.org/index.php?board=27.0


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Xelas on July 25, 2020, 07:46:45 am
Just installed OPNsense on a dedicated PC with an i3, 8GB RAM, 250 GB SSD. Fresh install, one of the first packages I'm installing is Sensei, using ElasticSearch as the DB. The installation is failing because ES is failing to start, with the error message:
Code:
Starting elasticsearch service...
***ERROR***: Elasticsearch service could not be started in 60 seconds!***
***ERROR*** CODE:2***

ES installation log attached.
/var/log/elasticsearch/ is empty.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 26, 2020, 01:29:57 am
Hi @Xelas, what does this command tell?

Code:
service elasticsearch5 status
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Xelas on July 26, 2020, 06:49:13 am
Code:
root@OPNsense:~ # service elasticsearch5 status
elasticsearch5 does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
root@OPNsense:~ #
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 26, 2020, 05:26:36 pm
Hi @Xelas, reach out to the team via "Report Bug" menu located on the right hand corner of the UI, and we'll have a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 28, 2020, 02:47:17 am
Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade. OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.

With regard to the netmap improvement efforts, a bit of caution is necessary since we witnessed regression with some device drivers, vtnet being the most notable one.

Here's the detailed netmap status:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

Speaking with @franco, some good news: it looks like OPNsense team will be able to provide a test kernel and start landing the bug-fixes with 20.7.1 or 20.7.2.

As mentioned in the blog post, we need more testing with regard to some drivers. Any help in that regard would be much appreciated.

We can't start fixing a problem if we don't know there is a problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 28, 2020, 05:18:56 am
Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade. OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.


Should we submit bug reports if Sensei Packet Engine won't start cuz we upgraded to 20.7 early and didn't see this or is it known that it isn't working?

For me Sensei Packet engine fails on starting and I get a popup that lets me report it's not working but then nothing pops up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 28, 2020, 05:59:49 am
Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code:
pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code:
pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:
Code:
pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 28, 2020, 06:03:55 am
Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code:
pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code:
pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:
Code:
pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.

I missed what you said about the PR until after I ran the first three commands. I sent it anyway even though it's in the middle of updating the SunnyValley repository catalogue. Hopefully it still helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on July 28, 2020, 08:50:14 am
Yup, I have installed the preview version based on 12.1 and Sensei slashed my Usenet download speed to 8 MB/s instead of 22 or 24 MB/s as previously. I have APU2.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2020, 03:18:02 am
@donatom3, no worries, thanks for the update. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2020, 03:21:26 am
Dear Sensei users,

An update for the OPNsense 20.7 upgrade and compatibility:

https://www.sunnyvalley.io/post/sensei-and-opnsense-20-7-all-set-to-go/

All you need to do is run "Check Updates" once more after you're finished with upgrading to OPNsense 20.7.

OPNsense package manager will install the packages for the new OPNsense version and you'll be all set.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 12:34:15 pm
I know the vmx driver is listed under "Drivers that needs testing and verification" but I just want to point out that it's not working. After upgrading to 20.7 and afterwards searching for updates again in order to update sensei the system crashes and reboots.

is this issue already known?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 01:28:08 pm
Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 01:33:54 pm
Hi @mb

yes of course. like described here: https://help.sunnyvalley.io/hc/en-us/articles/360045745053-Reporting-a-bug

?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 01:34:56 pm
yes of course. like described here: https://help.sunnyvalley.io/hc/en-us/articles/360045745053-Reporting-a-bug

Yep.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 02:20:16 pm
Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.

unfortunately I can't, the vm instantly reboots after the update
any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 02:23:55 pm
Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on July 31, 2020, 05:27:05 pm
I've got exactly the same - after upgrading my OPNsense VM to 20.7 Sensei had ceased to run. Due to constant reboot loop, I had to restore VM snapshot and now I'm back on 20.1.9 - I reported a bug as well.
Are you going to improve compatibility for vmx drivers?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on July 31, 2020, 06:25:48 pm
So I had sensei running on 20.7 using the vmx0_vlan## interfaces.

So I started playing around, switched to just using vmx0 interface together with vlan id's in sensei and got my host in a crash bootloop without a snapshot  ::) . Is there any way to disable sensei during boot?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 07:15:51 pm
Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.

that worked, report sent!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on July 31, 2020, 08:59:17 pm
Is there any way to disable sensei during boot?

Well, I answered my own question:

Boot up in single user mode
Mount the fs
/usr/local/etc/rc.d/eastpect disable
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 09:00:42 pm
Hi @sorano,

Your message just landed while I was preparing my post. Nicely done. Thanks for the update.

Upon user reports received, we've just updated the latest netmap status. Please see below post before you update to 20.7:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

For the problematic drivers, work has already begun. I'll provide interim updates on their status.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 01, 2020, 02:13:31 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on August 01, 2020, 02:55:28 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

This is my setup:

Hypervisor: VMware ESXi, 7.0.0, 16324942
VM Compatibility: ESXi 7.0 and later (VM version 17)
Distributed switch version:   7.0.0
Distributed Port group: Vlan trunk (Tagging vlans inside OPNsense)

Distributed Port group Security Policies:
Promiscuous mode   Reject ( I'm running Native MAC Learning instead to work around the vswitch + CARP duplicates issue)
MAC address changes   Accept
Forged transmits   Accept

Like I wrote earlier; Running Sensei on the interfaces that are tagged in OPNsense (vmx0_vlan#) works, but running on the "native" vmx0 interface + vlan id in sensei will cause kernel race.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Waschl on August 01, 2020, 10:26:37 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

Hello. I have the same problem. My setup:
Hypervisor: VMware ESXi 6.7.0 Update 3 Build 16316930
VM Compatibility: 6.7 U2
Standard vSwitch

Running OPNsense with no special interfaces configurations (VLAN etc.) using vmxnet3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scream on August 01, 2020, 11:06:41 am
Running into the same issue as well: https://forum.opnsense.org/index.php?topic=18338.0

Code:
Hypervisor: VMware ESXi, 7.0.0, 16324942
VM compatibility: 6.7 U2

OPNSense VM having 7 vmx interfaces. I use VLAN in my networks but I do tagging on ESX dvSwitch so OPNSense isn't aware of VLANs. Just seeing vmx0 - vmx6 interfaces.

Reverted to snapshots of 20.1.9 I created before upgrade.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 01, 2020, 07:12:28 pm
Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.
Title: Sensei on OPNsense - Application based filtering
Post by: nines on August 02, 2020, 09:36:23 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.
Already answered Matt via mail but here's mine just for reference

6.7.0 update 2 build 13473784


Sent from iPhone with Tapatalk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scream on August 02, 2020, 11:26:55 am
Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.

How can we easy test this? As I'm on a vm I can just create a snapshot before to easy revert back, if something goes wrong :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on August 02, 2020, 11:36:33 am
We will likely provide a test kernel next week. Note we are on 12.1 to avoid surprises in other areas and go from there... ;)


Cheers,
Franco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2020, 11:19:36 pm
Yes, totally agree. I'm awaiting confirmation from several Sensei users whether 12-STABLE is fixing their problems.

I'll be updating here once I have some news.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on August 04, 2020, 10:48:58 am
AFAIK eastpect is single-core. Why not make it use multi-core?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 04, 2020, 03:29:33 pm
@almodovaris, very good catch.

Indeed, it is multi-core, but we had to run it single core in the current environment (Routed / L3 mode) because of a lack of OS feature (netmap multiple host rings) and kernel flow asymmetry. In some environments (Bridged / L2 mode), we deploy Sensei - with a custom kernel- in multi-core mode to be able to serve multi-gigabit speeds and userbase exceeding several thousand users.

Multiple host rings feature has been introduced with FreeBSD-12. Flow symmetry requires a bit of work.

Currently, the focus is to help OPNsense ship the new netmap kernel to be able to provide a seamless Sensei / Suricata experience.

Next, this is also planned down the road.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgone on August 05, 2020, 02:26:06 pm
Is it possible to enlarge the mount /usr/local/sensei/output/active/temp?

I often get the following error messages (and lags):

Aug  5 12:40:53 firewall kernel: pid 83092 (eastpect), uid 0 inumber 5 on /usr/local/sensei/output/active/temp: filesystem full
Aug  5 12:40:57 firewall kernel: pid 83092 (eastpect), uid 0 inumber 8 on /usr/local/sensei/output/active/temp: filesystem full
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2020, 08:09:37 pm
Hi @cgone, sure. This feature will ship with the upcoming 1.6 :)

Check for a new configuration item under "Configuration -> Reporting & Data" : "Size of Temporary Memory Disk Space".
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on August 06, 2020, 06:13:49 pm
I'm trying to install Sensei on a new virtualized (vmware) installation of OPNsense, but during the setup the lan interface (vmx0) is not displayed in available interfaces. I don't have anything installed that can lock that interface.
Any help?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 06, 2020, 06:27:16 pm
Hi @Rickytr, on 20.7, we explicitly filter out vmx interfaces to prevent a system crash. Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on August 07, 2020, 04:22:56 pm
In the thread you mentioned, it seems they found a way to solve the problem. How can I configure sensei correctly on the LAN nic after I patch the kernel?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 04:27:10 pm
Hi @Rickytr, vmx patch seems incomplete. It just prevents the crash. Packet transmission has problems.

Below table summarizes the current situation.
https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

I'll post more updates once we confirm everything is working.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 07, 2020, 08:25:34 pm
I upgraded opnsense to the latest version, now sensei doesn't see any interfaces anymore. I'm running opnsense on proxmox if that matters. Just finished installing a fresh copy of the latest opnsense and sensei and I'm getting the same result, sensei doesn't detect any interfaces to protect?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 08:29:24 pm
Hi @actionhenkt,

on 20.7, we explicitly filter out some interfaces to prevent a system crash. If yours is vtnet, this is one of them.

Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

Good news is; vtnet fix looks good. There'll be a test kernel soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 07, 2020, 08:41:26 pm
Thanks, that was a fast response :) - I installed the kernel but unfortunately I'm not able to select any interfaces yet (I'm using vtnet).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 09:45:12 pm
You're welcome. Here's a quick hack to bypass the check:

Open /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php with your favorite editor and comment below lines:

Code:
if ((substr($interface, 0, 5) == 'vtnet') && (floatval($netmapVersion) < 13 or floatval($opnsenseInfo['product_version']) >= 20.7)) {
            $filterflag = true;
}

Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 08, 2020, 08:26:30 am
Thanks! This allowed me to configure sensei. I see the packet engine is detecting traffic. However I seem to be having the same issue I had when I first upgraded to latest opnsense, the reports no longer work and I don't see any live sessions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2020, 08:49:35 pm
Hi @actionhenkt, that's good to hear, thanks for the update. For the reporting, send a PR and team will have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on August 11, 2020, 01:11:44 pm
Even if I uninstall sensei via the uninstall button and then upgrade to 20.7 the system keeps crashing as if there is still something sensei related remaining.

Any hints?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 11, 2020, 06:37:31 pm
Hi @nines, if you've uninstalled Sensei, it's very unlikely that it'll interfere with the system.

Having said that, you can also issue the following commands:

pkg remove os-sensei
pkg remove elasticsearch5|mongodb40 (choose your database here)
pkg remove os-sunnyvalley
pkg autoremove -y
rm -rf /usr/local/sensei



Are there any errors reported? If you have any error reports or screenshots, feel free to send a PR and we'll have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on August 11, 2020, 08:00:50 pm
//EDIT: my issues seems not to have something to do with sensei but with the problem described here:
https://forum.opnsense.org/index.php?topic=18552.msg84503#msg84503

@mb: are you able to help anyway by having a look into the dmesg log?

did that, no errors, seems like the gui installs button is doing the same.
would love to share a crash log but the whole vm crashes instantly after finished booting which makes it difficult (with just a vmware console) to copy logs etc.

strange at least ...

Code:
root@OPNsense:/home/shelladmin # pkg remove os-sensei
No packages matched for pattern 'os-sensei'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg remove mongodb40
No packages matched for pattern 'mongodb40'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg remove os-sunnyvalley
No packages matched for pattern 'os-sunnyvalley'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg autoremove -y
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages:

Installed packages to be REMOVED:
        ubench-0.32

Number of packages to be removed: 1
[1/1] Deinstalling ubench-0.32...
[1/1] Deleting files for ubench-0.32: 100%
root@OPNsense:/home/shelladmin # rm -rf /usr/local/sensei
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2020, 06:31:16 pm
Hi @nines, disable Suricata IPS mode, and you should be fine.

We're working with netmap maintainers to fix the problem. Crash is resolved for now, but it'll take a bit more to get it fully functional (vmware vmx + netmap).
Title: chelsio? Re: Sensei on OPNsense
Post by: robvanhooren on August 13, 2020, 07:07:36 am
anyone running 20.7 and sensei with chelsio 10gig (cxgbe) nics? good? bad?
thanks,
R.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 14, 2020, 08:14:42 pm
Hi @robvanhooren,

We don't have any feedback on cxgbe+netmap duo. If you have a test system and give it a try, it'd be much appreciated:

https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0


Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on August 15, 2020, 06:41:25 pm
hi all,

After a fresh install, the Sensei -> Reports -> Blocks section is absolutely empty. After 2 weeks it is still not populated, considering the app control is enabled and under security, everything is checked.
any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: myzar495 on August 15, 2020, 08:22:27 pm
I'm getting an issue with Sensei telling me to disable Suricata when enabling Bridge mode. The thing is, it isn't enabled. All Hardware interfaces are off as well. Bit of a strange thing this is.

Thanks ::)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 15, 2020, 08:26:34 pm
Hi @nikkon, can you do a re-install and see if this helps? I guess a post-install check did not get through for you.

Below command will do the trick:

pkg install -f -y os-sensei

If not, send a PR and team will have a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 15, 2020, 08:30:32 pm
Hi @myzar495, Sensei will complain if you configured Suricata on one of its interfaces (even if Suricata is not running yet).

Reason is, later on users might start Suricata with the saved configuration forgetting that Sensei is running on the same interface.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: myzar495 on August 15, 2020, 08:33:09 pm
Hi @myzar495, Sensei will complain if you configured Suricata on one of its interfaces (even if Suricata is not running yet).

Reason is, later on users might start Suricata with the saved configuration forgetting that Sensei is running on the same interface.

I don't remember ever even using it on this particular OPNSense setup. It's off now. I can't really uncheck WAN as it doesn't let me save without an interface assigned.

Is there a workaround? Can I assign it to another interface? Can I remove the config file?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on August 15, 2020, 09:12:22 pm
Thanks for the tip! Reinstall worked just fine
Title: Re: Sensei on OPNsense - Application based filtering
Post by: myzar495 on August 15, 2020, 10:11:06 pm
It looks like setting the IDS from WAN to another interface, even if it's off, should work around this issue.

Perhaps adding this to the knowledge base, or recommending it in the error prompt, would let people know to do this if they choose to use bridged mode?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 17, 2020, 09:26:05 pm
Hi @myzar495, you're right, thanks for the suggestion. We've updated the warning message.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on August 20, 2020, 11:45:26 pm
Help with Sensei App Controls (Home Edition)

UPDATE - I'm making some progress using Sensei Reports and discovering what rule is blocking my progress.
Is it possible to show 'Block Sub Category' in the Reports view?
I can see for example Blocked by 'Application Category Online Utility' but not specifically what Signature it is. Like 'Microsoft Licensing' for example.

I'm trying to create a Policy that restricts internet usage for my kids. More out of interest than anything really, and they are the best testers to be honest.

My approach so far is 'select option>save>test' which is really slow considering the number of options.
Also browser caching on the client is annoying.

My Policy is controlling a set of IP addresses (not an entire subnet) that are assigned to their devices. Being an android phone, android tablet and two windows 10 laptops.
Ultimately I'd like to create a 'Family Safe' setup for the kids and maybe even restrict it to certain times.
Any help or advice on what to do or where to look with regards to configuring Sensei for info on this would be great.

Thanks in advance

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on August 21, 2020, 04:09:45 pm

Ultimately I'd like to create a 'Family Safe' setup for the kids and maybe even restrict it to certain times.
Any help or advice on what to do or where to look with regards to configuring Sensei for info on this would be great.


I've put my kids devices on a separate VLAN.
Then just created a policy named Kids with the rules I wanted for them, added a schedule for that policy and configured the policy to match the kids VLAN interface. Then just sit back and prosper when they start complaining that they cannot watch youtube anymore!  8)

Kinda self explanatory really.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Dayve on August 21, 2020, 07:02:04 pm
Is there a way to have Sensei not block when I'm connected to one of my VLAN's?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on August 21, 2020, 08:13:54 pm
Is there a way to have Sensei not block when I'm connected to one of my VLAN's?

Yes you can use Exempted VLANs & Networks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Dayve on August 22, 2020, 01:33:50 am
Is there a way to have Sensei not block when I'm connected to one of my VLAN's?

Yes you can use Exempted VLANs & Networks

Guess I need to pay for that option.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on August 22, 2020, 11:42:02 am
Nope, each Ethernet port and each VLAN can be filtered by Sensei or not filtered, at your own choice. You are fully free to do that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 22, 2020, 07:44:57 pm
Good morning dear Sensei users,

Some good news. Please give this kernel a test drive and provide feedback.

https://forum.opnsense.org/index.php?topic=17363.msg85539#msg85539

If you don't see your interface show up in Sensei interface configuration, /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php is the file you'll need to play with. You'll need to comment lines which filter your interface:

Code:
                    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
                        $filterflag = true;
                    }
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Dayve on August 23, 2020, 03:00:32 pm
I installed the test kernel. The only interface I have selected in the UI is the LAN.

Code:
                    if (strpos(strtolower($interface), "lagg") !== false && strpos(strtolower($interface), "vlan") == false) {
                        $filterflag = true;
                    }

                    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
                        $filterflag = true;

This is what I see in the ToolsController.php

Not sure which one would be my VLAN20 and do I just edit the "$filterflag" to be false?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scream on August 23, 2020, 04:08:17 pm
I installed the test kernel. The only interface I have selected in the UI is the LAN.

Code:
                    if (strpos(strtolower($interface), "lagg") !== false && strpos(strtolower($interface), "vlan") == false) {
                        $filterflag = true;
                    }

                    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
                        $filterflag = true;

This is what I see in the ToolsController.php

Not sure which one would be my VLAN20 and do I just edit the "$filterflag" to be false?

I just commented out the lines with "#" on each of the lines belonging to one interface type.
I do not use VLAN so I can't answer about that. But basically the filter matches the name of the interface.
So just take a look at "ifconfig" and you should see which you've to comment out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on August 24, 2020, 04:39:41 pm
Speedtest APU2 with Sensei, Aug 22 test kernel: 66.4 Mbps download speed from my own internet provider.

Speedtest APU2 with Sensei, but through OpenVPN from a Linux box behind it, Aug 22 test kernel: 149.5 Mbps download speed from my own internet provider.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 25, 2020, 04:43:16 am
In case anyone would like to give 1.6 an early try:

https://forum.opnsense.org/index.php?topic=17363.msg85734#msg85734

Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on August 27, 2020, 06:58:16 pm
Just ran into a bug I've not seen before (or I did something wrong). Installed Sensei previously on our company vmware-hosted fw, then removed it to prep for the 20.7 upgrade (just in case). I upgraded without issue. Installed Sensei, went to configure it...and there's no available interfaces. It's blank. They were there in 20.1 just 15 minutes ago.

Possibly because this is a vmware guest, or something else?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 27, 2020, 07:09:11 pm
Hi @DenverTech, correct;

See here: https://forum.opnsense.org/index.php?topic=17363.msg85734#msg85734

Make sure you're running the netmap test kernel; or the fw will crash.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on August 27, 2020, 07:13:18 pm
Glad I asked! Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Julien on August 28, 2020, 01:55:01 am
I have tried this at one of our customers; however, the free version is more limited than expected to test.
So had to remove it unfortunately
Title: Re: Sensei on OPNsense - Application based filtering
Post by: aelghamrawy on August 29, 2020, 08:56:15 pm
Hi
Pls, I have a strange thing: PS4 NAT type fails when I am running Sensei (all apps and web are allowed), and as soon as I stop Sensei or change it to bypass mode, PS4 NAT passes and gives type 2.
Is there any solution to overcome this strange thing?
Pls, in steps would be helpful.
Thank you in advance
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 29, 2020, 08:58:59 pm
Hi @aelghamrawy,

Send a bug report, and team will have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on September 02, 2020, 01:54:55 pm
Recently I tried to make some changes to my setup so I can include Suricata as well.
As of now I used Sensei only for the WAN interface.
I am enabling Suricata in WAN and I tried to enable Sensei on all my VLANs (LANs).
The problem I see is that Sensei does not support LAGG interfaces. Any ETA for this?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 02, 2020, 06:25:13 pm
Quote
As of now I used Sensei only for the WAN interface.

Hi @nikkon, for the sake of clarification: are you running Sensei on WAN or LAN interfaces?

lagg, bridge along with tun support is related to netmap and we're sponsoring another round of work on the netmap side.

Please see:
https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

tun(4) support has been implemented. Others are under development.

I guess they can be all available in late September / October.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on September 02, 2020, 07:01:32 pm
Thanks for answering this.
I intended to use lan ( which in my case is a lagg)
Now I keep my old setup running it on Wan only.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2020, 01:17:05 am
@nikkon, all welcome.

A quick note: Sensei 1.6 will re-enable vlan interfaces on lagg. You don't need to wait for an updated kernel since they are using the netmap emulated driver.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on September 03, 2020, 05:19:11 pm
cool
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 05, 2020, 05:12:57 am

I still use 20.1.9 (as it runs on ESXi using vmx) and today I lost connectivity (around 0330 AM LT) in my whole lan. I'm out of home but all the time I connect to it through OpenVPN. Opnsense uptime was 35 days.
Long story short - I couldn't reach any hosts/services inside my LAN but I could luckily ping all opnsense interfaces. Pinging from opnsense gave the same results - no connectivity. So I did a reboot. Afterwards, when checking logs, I'd seen following:

Quote
2020-09-05T03:26:09
syslog-ng[21339]: I/O error occurred while writing; fd='23', error='Host is down (64)'
2020-09-05T03:01:13
kernel: 673.129619 [1180] netmap_grab_packets bad pkt at 5 len 0
2020-09-05T03:01:13
kernel: 673.129612 [1180] netmap_grab_packets bad pkt at 4 len 0
2020-09-05T03:01:13
kernel: 673.129604 [1180] netmap_grab_packets bad pkt at 3 len 0
2020-09-05T03:01:13
kernel: 673.129596 [1180] netmap_grab_packets bad pkt at 2 len 0
2020-09-05T03:01:13
kernel: 673.129587 [1180] netmap_grab_packets bad pkt at 1 len 0
2020-09-05T03:01:13
kernel: 673.129419 [ 277] vmxnet3_netmap_rxsync 1 skipped! idx 26
2020-09-05T03:01:13
kernel: vmx1: watchdog timeout on queue 0
2020-09-05T03:01:08
eastpect[5346]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-05T03:01:08
eastpect[5346]: nm0::vmx1: permanently promiscuous mode enabled


And
Quote
2020-09-05T03:28:00 configd.py: [f7eb1ea5-7a25-46ae-a9bf-d217585eccbf] Sensei heardbeat


Therefore I think it could be something Sensei related. If so, I hope it is/will be taken care of in upcoming update...?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 05, 2020, 06:07:11 am
Hi GreenMatter,  sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We had seen a lot of progress on netmap side for the past month. I expect vmx support will also perform better than 20.1.x
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 05, 2020, 02:54:24 pm
Hi GreenMatter,  sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We had seen a lot of progress on netmap side for the past month. I expect vmx support will also perform better than 20.1.x
I couldn't find anything more related to this issue. One more contributing factor was/is that Sensei is set to work on vmx1 (LAN) interface and vmx0 is WAN. And affected interface was LAN, nothing could go out through LAN interface...
Anyway, do you know release date of fully functional update?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hushcoden on September 05, 2020, 11:53:39 pm
I'm trying to understand what's the best value for Max Swap Utilization (% of total SWAP): the official documentation just states that "You may specify how much swap space Sensei may utilize when the system is low on memory. It is recommended that you do not set this value too high. Otherwise, system performance may suffer."

Is there some sort of criteria to determine the best value based on the hardware specs (attached)?

Tia.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 06, 2020, 05:31:44 pm
Hi @hushcoden,

Default value (30%) is OK. This setting has been introduced to handle a recent OS behavior change where OS started to swap pages more often.

If you have enough memory, you wouldn't need to change anything at all. If you see Sensei warning you about swap space, then you can increase this value to instruct Sensei to embrace higher swap utilizations.

Having said that, for optimal performance, we recommend having enough RAM on the device so that you don't need to think about SWAP.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: guyp2k on September 06, 2020, 06:44:43 pm
Update: I was able to resolve the issue by reinstalling 1.6Beta3 however, when I re-apply my premium key I receive the following error, "We couldn't verify your activation key..." I opened up a support ticket/email.

I assume this is the correct thread to post in specific to opnsense and sensei. The issue I am having is specific to my ring cameras and sensei. I am unable to pull up the live video from the ring app on either my PC or mobile devices unless I enter bypass mode in sensei.

I have checked the policy and I don't have any setting that would block ring as far as I can tell however, when I look at the sensei logs I see the following, see attached file.


What's odd is that the sensei log/reports secure web browsing is blocked, but when I look at the policies this is not the case.

Lastly, I decided to reinstall sensei and now I receive the following error during hardware check, unable to complete hardware check. I am running a Corei7 and 32GB RAM and didn't have any issues during the initial install.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: r4nd0m on September 09, 2020, 03:55:33 pm
well, I have just tried installing it - resulting in a crash - so I replaced the kernel with the experimental kernel which boots and wants me to install but it only allows me to select vmx0

but here my interfaces:

 LAN (vmx1)      -> v4: 192.168.x.x
 WAN (pppoe0)   -> v4/PPPoE: x.x.x.x/32 (which is the vmx0 hardware interface)

so not sure why the interface mapping is incorrect? any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 09, 2020, 05:49:00 pm
Hi @r4nd0m,

Yes, we are currently filtering out vmx/vtnet interfaces, because they cause OS to crash in netmap mode.

Stay tuned for 1.6, which is planned to be released this week/early next week. We enable these interfaces back; and instead of filtering out, you'll get a warning with a pointer to a netmap status page in case you're trying to use a problematic driver.

All these crash problems have been fixed in the test kernel, opnsense will be shortly shipping an official netmap kernel.

See here for the latest status: https://www.sunnyvalley.io/post/opnsense-kernel-netmap-status/



Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 09, 2020, 09:35:40 pm
Hi GreenMatter,  sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We had seen a lot of progress on netmap side for the past month. I expect vmx support will also perform better than 20.1.x
And it happened again, the same way (on 20.1.9 - I'm waiting for final netmap version), within a few days from the first occurrence: lost access to all internal vlan networks.
Quote
2020-09-09T04:31:07   kernel: 667.875025 [1180] netmap_grab_packets bad pkt at 390 len 0
2020-09-09T04:31:07   kernel: 667.875016 [1180] netmap_grab_packets bad pkt at 389 len 0
2020-09-09T04:31:07   kernel: 667.875008 [1180] netmap_grab_packets bad pkt at 388 len 0
2020-09-09T04:31:07   kernel: 667.875001 [1180] netmap_grab_packets bad pkt at 387 len 0
2020-09-09T04:31:07   kernel: 667.874992 [1180] netmap_grab_packets bad pkt at 386 len 0
2020-09-09T04:31:07   kernel: 667.874306 [ 277] vmxnet3_netmap_rxsync 130 skipped! idx 46
2020-09-09T04:31:07   kernel: vmx1: watchdog timeout on queue 0
2020-09-09T04:31:02   eastpect[8308]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-09T04:31:02   eastpect[8308]: nm0::vmx1: permanently promiscuous mode enabled
What surprises me is that all has been working fine for months, I had done no changes in setup, no new packages were installed and all of a sudden this problem appears. I know it's netmap but could it be triggered somehow by Sensei which inspects parent interface vmx1?
Shall I reinstall Sensei, would it help?
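
The log pattern GreenMatter posted on September 5 and again above (eastpect attaching to vmx1 through netmap, then a watchdog timeout with a burst of zero-length packets a few seconds later) can be picked out of a syslog export automatically. The following Python sketch is an added example, not part of any post and not Sensei or OPNsense code; the function names, the 30-second window and the sample lines (modelled on the excerpts in this thread, plus one constructed em0 line as a negative control) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the excerpts quoted in this thread. It mixes
# the two layouts seen there: "timestamp message" on one line, and a bare
# timestamp line followed by the message line. Newest entries come first.
SAMPLE_LOG = """\
2020-09-09T04:31:07   kernel: 667.875025 [1180] netmap_grab_packets bad pkt at 390 len 0
2020-09-09T04:31:07   kernel: 667.875016 [1180] netmap_grab_packets bad pkt at 389 len 0
2020-09-09T04:31:07   kernel: 667.874306 [ 277] vmxnet3_netmap_rxsync 130 skipped! idx 46
2020-09-09T04:31:07   kernel: vmx1: watchdog timeout on queue 0
2020-09-09T04:31:02   eastpect[8308]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-09T04:31:02   eastpect[8308]: nm0::vmx1: permanently promiscuous mode enabled
2020-09-07T11:00:00   kernel: em0: watchdog timeout on queue 0
2020-09-05T03:01:13
kernel: 673.129619 [1180] netmap_grab_packets bad pkt at 5 len 0
2020-09-05T03:01:13
kernel: 673.129419 [ 277] vmxnet3_netmap_rxsync 1 skipped! idx 26
2020-09-05T03:01:13
kernel: vmx1: watchdog timeout on queue 0
2020-09-05T03:01:08
eastpect[5346]: nm0::vmx1: permanently promiscuous mode enabled
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s*(.*)$")
ATTACH = re.compile(r"eastpect\[\d+\]: nm\d+::(\w+)\^?: permanently promiscuous mode enabled")
WATCHDOG = re.compile(r"kernel: (\w+): watchdog timeout on queue (\d+)")
BAD_PKT = re.compile(r"netmap_grab_packets bad pkt at \d+ len 0")
RXSYNC = re.compile(r"kernel: .*_netmap_rxsync \d+ skipped")


def parse_events(text):
    """Return (datetime, message) tuples sorted oldest first, for both layouts."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            if m.group(2):              # timestamp and message on one line
                events.append((stamp, m.group(2)))
                pending = None
            else:                       # bare timestamp, message follows
                pending = stamp
        elif pending is not None:
            events.append((pending, line))
            pending = None
    return sorted(events, key=lambda e: e[0])


def find_stalls(events, window=30, burst=2):
    """Flag watchdog timeouts on an interface within `window` seconds after
    eastpect attached to it; count netmap errors within `burst` seconds."""
    attaches = []
    for stamp, msg in events:
        m = ATTACH.search(msg)
        if m:
            attaches.append((stamp, m.group(1)))

    findings = []
    for stamp, msg in events:
        wd = WATCHDOG.search(msg)
        if not wd:
            continue
        iface = wd.group(1)
        prior = [t for t, i in attaches
                 if i == iface and 0 <= (stamp - t).total_seconds() <= window]
        if not prior:
            continue                    # watchdog without a recent netmap attach
        nearby = [m for t, m in events
                  if abs((t - stamp).total_seconds()) <= burst]
        findings.append({
            "interface": iface,
            "queue": int(wd.group(2)),
            "attached_at": max(prior).isoformat(),
            "watchdog_at": stamp.isoformat(),
            "seconds_after_attach": int((stamp - max(prior)).total_seconds()),
            "bad_pkts": sum(1 for m in nearby if BAD_PKT.search(m)),
            "rxsync_skips": sum(1 for m in nearby if RXSYNC.search(m)),
        })
    return findings


if __name__ == "__main__":
    for f in find_stalls(parse_events(SAMPLE_LOG)):
        print(f)
```

The netmap_grab_packets lines do not name an interface, so they are tied to the watchdog event by time only; on a box with several netmap-attached interfaces the counts are an upper bound.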
Title: Re: Sensei on OPNsense - Application based filtering
Post by: r4nd0m on September 10, 2020, 01:13:22 am
Hi @r4nd0m,

Yes, we are currently filtering out vmx/vtnet interfaces, because they cause OS to crash in netmap mode.

Stay tuned for 1.6, which is planned to be released this week/early next week. We enable these interfaces back; and instead of filtering out, you'll get a warning with a pointer to a netmap status page in case you're trying to use a problematic driver.

All these crash problems have been fixed in the test kernel, opnsense will be shortly shipping an official netmap kernel.

See here for the latest status: https://www.sunnyvalley.io/post/opnsense-kernel-netmap-status/

thanks for the heads-up so this is currently not applicable then for 1.5.2_1? https://help.sunnyvalley.io/hc/en-us/articles/360053347013-Deployment-Modes - I only see 2 modes Routed / Bridged ... Passive would be perfectly sufficient to test it out at the moment
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 10, 2020, 03:50:05 am
Shall I reinstall Sensei, would it help?

Hi GreenMatter, I do not think this will be of help, since the problem is related to the kernel.

Are you able to start a new (test?) guest and see how the new test kernel is behaving?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 10, 2020, 03:52:00 am
thanks for the heads-up so this is currently not applicable then for 1.5.2_1? https://help.sunnyvalley.io/hc/en-us/articles/360053347013-Deployment-Modes - I only see 2 modes Routed / Bridged ... Passive would be perfectly sufficient to test it out at the moment

All welcome. Yes, 1.6 will re-enable them back. Passive mode is also introduced with 1.6. Stay tuned, almost there :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 10, 2020, 04:31:36 am

Hi GreenMatter, I do not think this will be of help, since the problem is related to the kernel.

Are you able to start a new (test?) guest and see how the new test kernel is behaving?
No, I'm off premise and connect to Opnsense over VPN. I can't afford to demolish it  :D  remotely...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2020, 02:40:30 am
No, I'm off premise and connect to Opnsense over VPN. I can't afford to demolish it  :D  remotely...

Got it :) Unfortunately all our test systems are now running on 20.7 and testing new kernels... which makes it a bit harder to test a 20.1.x code. We'll give it another look whenever we have a bit of time/resource.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on September 15, 2020, 09:16:48 pm
A few updates from my end. Strongly looking like a netmap issue yet. Cataloging as I go in case it helps others with their testing. The fact that bypass mode suffers the same fate as having Sensei enabled makes me think it's netmap not Sensei, but that's my uneducated opinion. I'm continuing to work with support.

Edit: On all of these, we've tested with both ix and igb drivers/nics.

Edit #2: Watching top -PCH, the load shows as eastpect and python3.7. Eastpect bounces between 50% and 99.97% utilization on any given core. Python3.7 bounces between 15% and 99.74%. Definitely feeling like something's running away with CPU time.

[20.1, Sensei 1.52, physical box, Xeon D-1528 CPU, 64gb memory] - ubench score ~160,000
- Sensei OFF: 900mbit
- Sensei BYPASS: 900mbit
- Sensei ON: 800mbit
- CPU never seems to show much load (<5% on average)

[20.1, Sensei 1.52, physical box, Xeon D-2123 CPU, 32gb memory] - ubench score ~180,000
- Sensei OFF: 900mbit
- Sensei BYPASS: 900mbit
- Sensei ON: 800mbit
- CPU never seems to show much load (<5% on average)

[20.7, Sensei 1.52, physical box, Xeon D-1528 CPU, 64gb memory] - ubench score ~160,000
- Sensei OFF: 900mbit
- Sensei BYPASS: 100mbit
- Sensei ON: 100mbit
- CPU load is VERY high at all times with Sensei (70%+)

[20.7, Sensei 1.6beta3, netmap test kernel, physical box, Xeon D-1528 CPU, 64gb memory] - ubench score ~160,000
- Sensei OFF: 850mbit
- Sensei BYPASS: 100mbit
- Sensei ON: 100mbit
- CPU load is VERY high at all times with Sensei (70%+)

*At this point, I was told that the D-1528 cannot handle inspection. It handled it fine on 20.1 and is one of the most recommended CPUs on all the vendor pages (D-1541 seems to beat it out slightly).

[20.7, Sensei 1.6beta3, netmap test kernel, virtual box, Xeon E5-2620 CPU (4 cores granted to the VM and 100% reserved), 64gb memory] - ubench score ~220,000
- Sensei OFF: 800mbit
- Sensei BYPASS: 100mbit
- Sensei ON: 100mbit
- CPU load is high at all times with Sensei (30-40%)

[20.7, Sensei 1.6beta3, netmap test kernel, virtual box, Xeon E5-2620 CPU (8 cores granted to the VM and 100% reserved), 64gb memory] - ubench score ~220,000
- Sensei OFF: 800mbit
- Sensei BYPASS: 200mbit (drops to 125mbit with 300-500 users)
- Sensei ON: 200mbit (drops to 60mbit with 300-500 users)
- CPU load is moderate at all times with Sensei (10-25%)

[20.7, Sensei 1.6b3, netmap test kernel, physical box, Xeon D-2123 CPU, 32gb memory] - ubench score ~180,000
- Sensei OFF: 900mbit
- Sensei BYPASS: 250mbit
- Sensei ON: 225mbit
- CPU load is high at all times with Sensei (40-50%)


*** EDIT 9/17/20 ***

Wow, the new kernel has made WORLDS of difference. The majority of our users aren't in yet, so I'm testing on a low number of people, but am already seeing a change.

[20.7.2, Sensei 1.6, netmap final kernel, virtual box, Xeon E5-2620 CPU (8 cores granted to the VM and 100% reserved), 64gb memory] - ubench score ~220,000
- Sensei OFF: 800mbit
- Sensei BYPASS: 750mbit (will update based on when people are using it heavily)
- Sensei ON: 750mbit
- CPU load is moderate at all times with Sensei (5-20%)
- This is a drop of 5% CPU utilization and an increase of 550mbit on our speedtests! WOW! I'll be curious to see what happens under load, but this is an amazing improvement regardless. Good job SunnyValley
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 16, 2020, 09:48:13 pm
Dear Sensei users,

As promised, long-awaited official netmap kernel fixing issues and bringing support for vpn and lagg interfaces:

https://forum.opnsense.org/index.php?topic=19175.0

PS: Sensei 1.6 will follow shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 17, 2020, 03:30:39 am
And: Sensei 1.6 is out with a lengthy list of new features:

https://www.sunnyvalley.io/post/sensei-1-6-for-opnsense-is-out/

Enjoy :)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on September 17, 2020, 08:54:32 pm
Rather than keep my already lengthy previous post going, I wanted to do a fresh one with the latest netmap kernel and the results we're seeing. Note that this is a virtual system and not ideal for this kind of load. We'll be swapping it out soon, but it's a good early benchmark.

*** <10 users ***
[20.7.2, Sensei 1.6, netmap final kernel, virtual box, Xeon E5-2620 CPU (8 cores granted to the VM and 100% reserved), 32gb memory] - ubench score ~220,000
- Sensei OFF: 800mbit
- Sensei BYPASS: 750mbit
- Sensei ON: 750mbit
- CPU load is moderate at all times with Sensei (5-20% with only 1-2 cores at the upper end at one time)
- This is a drop of 5% CPU utilization and an increase of 550mbit on our speedtests from previous kernel

*** ~800 users ***
[20.7.2, Sensei 1.6, netmap final kernel, virtual box, Xeon E5-2620 CPU (8 cores granted to the VM and 100% reserved), 32gb memory] - ubench score ~220,000
- Sensei OFF: 710mbit
- Sensei BYPASS: 625mbit
- Sensei ON: 590mbit
- CPU load is moderate with Sensei (20-30% on all cores)
- This is a drop of about 30% CPU utilization and an increase of 350mbit on our speedtests from previous kernel

I'm definitely liking what I'm seeing. It still won't run well on a D-series Xeon, but it looks to be a lot more usable on most other hardware. This was a huge improvement.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on September 18, 2020, 12:25:01 pm
Thanks for Sensei 1.6., but reports via E-Mail are not working anymore:
Code: [Select]
[f26d747d-5635-45b5-8b14-103a9c50cc69] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' --server 'xxxx' --port '587' --secured 'TLS' --username 'xxx' --password 'xxx' --sender 'xxx' --to 'xxx' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' [...xxx...] returned non-zero exit status 1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mr.yx on September 18, 2020, 01:15:26 pm
Thanks for Sensei 1.6., but reports via E-Mail are not working anymore:
Code: [Select]
[f26d747d-5635-45b5-8b14-103a9c50cc69] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' --server 'xxxx' --port '587' --secured 'TLS' --username 'xxx' --password 'xxx' --sender 'xxx' --to 'xxx' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' [...xxx...] returned non-zero exit status 1.

same for me, with a local mailsrv (without auth).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on September 18, 2020, 03:54:23 pm
Good catch. I'm using external mailer and it doesn't work either. Since mine's weekly, I hadn't noticed, but just did a test send and it failed much the same.

Thanks for Sensei 1.6., but reports via E-Mail are not working anymore:
Code: [Select]
[f26d747d-5635-45b5-8b14-103a9c50cc69] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' --server 'xxxx' --port '587' --secured 'TLS' --username 'xxx' --password 'xxx' --sender 'xxx' --to 'xxx' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/report-gen/send.py --pdf 'false' [...xxx...] returned non-zero exit status 1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 18, 2020, 04:17:34 pm
Thanks for the heads-up. Looking into that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2020, 04:07:34 pm
@marci, @mr.x.y, @denvertech, can you try re-installing the package and see if this fixes the problem:

Code: [Select]
# pkg install -f -y os-sensei
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mr.yx on September 20, 2020, 03:37:27 am
I have the package reinstalled several times since 1.6 release because I thought something was broken with mailreports, is there any change to the package since then?

Version        : 1.6
Installed on   : Thu Sep 17 13:40:13 2020 CEST

Also Mellanox ConnectX3 LAN (no Suricata) + vlans are still not working, defaults to emulated netmap driver, non vlan traffic flows, vlan traffic gets blocked/denied.

sys.device.mlx4_core0.hw.fw_version: 2.42.5000 (newest firmware)
dev.mlx4_core.0.%desc: Mellanox driver (3.5.1)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 21, 2020, 03:48:07 am
2020-09-09T04:31:07   kernel: 667.875025 [1180] netmap_grab_packets bad pkt at 390 len 0
2020-09-09T04:31:07   kernel: 667.875016 [1180] netmap_grab_packets bad pkt at 389 len 0
2020-09-09T04:31:07   kernel: 667.875008 [1180] netmap_grab_packets bad pkt at 388 len 0
2020-09-09T04:31:07   kernel: 667.875001 [1180] netmap_grab_packets bad pkt at 387 len 0
2020-09-09T04:31:07   kernel: 667.874992 [1180] netmap_grab_packets bad pkt at 386 len 0
2020-09-09T04:31:07   kernel: 667.874306 [ 277] vmxnet3_netmap_rxsync 130 skipped! idx 46
2020-09-09T04:31:07   kernel: vmx1: watchdog timeout on queue 0
2020-09-09T04:31:02   eastpect[8308]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-09T04:31:02   eastpect[8308]: nm0::vmx1: permanently promiscuous mode enabled
What surprises me is that all has been working fine for months, I had done no changes in setup, no new packages were installed and all of a sudden this problem appears. I know it's netmap but could it be triggered somehow by Sensei which inspects parent interface vmx1?
Shall I reinstall Sensei, would it help?
@mb just to let you know that above issue must be caused or triggered by Sensei. I can reinstate LAN communication by simply stopping Sensei Packet Engine (fyi OPNsense is still on 20.1.9 and Sensei 1.5.2).
I'm writing this to ask whether this issue has been addressed in new release?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 21, 2020, 05:09:48 am
I have the package reinstalled several times since 1.6 release because I thought something was broken with mailreports, is there any change to the package since then?

Yep, we've uploaded a new package.

Quote
Also Mellanox ConnectX3 LAN (no Suricata) + vlans are still not working, defaults to emulated netmap driver, non vlan traffic flows, vlan traffic gets blocked/denied.

It's expected that vlan interfaces use emulated driver.

Question: If you do not run anything on the parent mlx interface, are you still experiencing problems with the child interfaces?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 21, 2020, 05:13:01 am
@mb just to let you know that above issue must be caused or triggered by Sensei. I can reinstate LAN communication by simply stopping Sensei Packet Engine (fyi OPNsense is still on 20.1.9 and Sensei 1.5.2).
I'm writing this to ask whether this issue has been addressed in new release?

20.7.2-netmap kernel looks fine. I've just seen your correspondence with our support team. I guess you'll be waiting for the release kernel ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 21, 2020, 05:22:27 am
Dear Sensei users,

As some of you might have noticed, Sensei now has a dedicated board on the OPNsense forum. This thread has been moved under the new main board: https://forum.opnsense.org/index.php?board=38.0

We'll be following up with all of the discussions here. Feel free to join the discussions.

We'd like to thank OPNsense team for this. It'll help a lot in the sense that new conversations around Sensei will be better organized.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on September 21, 2020, 03:51:56 pm
@marci, @mr.x.y, @denvertech, can you try re-installing the package and see if this fixes the problem:

Code: [Select]
# pkg install -f -y os-sensei

Looks to be working. Thanks again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on September 21, 2020, 07:07:58 pm
@marci, @mr.x.y, @denvertech, can you try re-installing the package and see if this fixes the problem:

Code: [Select]
# pkg install -f -y os-sensei


that worked for me, thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 21, 2020, 10:22:50 pm
20.7.2-netmap kernel looks fine. I've just seen your correspondence with our support team. I guess you'll be waiting for the release kernel ;)
Exactly  8) , I would have tried out test kernel but in such a case I need physical access to router. Will all changes be included in 20.7.3 or rather later updates?
And for now I removed completely Sensei and have it reinstalled. Maybe DB had been corrupted during unsuccessful update to 20.7 and following VM's snapshot restoration?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 21, 2020, 10:50:39 pm
Will all changes be included in 20.7.3 or rather later updates?

It looks like, OPNsense will land them on 20.7.4 at the earliest. I've heard from @franco that there'll be another netmap test kernel based on 20.7.3. So, not for 20.7.3 for sure.

Quote
And for now I removed completely Sensei and have it reinstalled. Maybe DB had been corrupted during unsuccessful update to 20.7 and following VM's snapshot restoration?

Yes, this is the reason. Both Mongo and Elastic do lots of buffered I/O for performance reasons. In case of an abrupt shutdown, they have no way of recovering in-memory data which is not yet written to disk.

Sensei -> Configuration -> Reporting & Data -> Reset Reporting will try to recover broken indexes, if not, they'll reset broken indexes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 22, 2020, 11:25:04 pm
It looks like, OPNsense will land them on 20.7.4 at the earliest. I've heard from @franco that there'll be another netmap test kernel based on 20.7.3. So, not for 20.7.3 for sure.
Thus it means all users with vmx interfaces must wait at least until 20.7.4 is released?
Quote

Both Mongo and Elastic do lots of buffered I/O for performance reasons. In case of an abrupt shutdown, they have no way of recovering in-memory data which is not yet written to disk.
Sensei -> Configuration -> Reporting & Data -> Reset Reporting will try to recover broken indexes, if not, they'll reset broken indexes.

Since I did complete reinstallation, I don't need to reset DB once again?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 23, 2020, 12:43:01 am
Thus it means all users with vmx interfaces must wait at least until 20.7.4 is released?

Unfortunately, yes; if you do not want to use the beta kernels.

Quote

Since I did complete reinstallation, I don't need to reset DB once again?


Yes, if you're fine. No need. If you still have problems, I'd suggest resetting the DB again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 23, 2020, 11:34:22 pm
A good discussion on why you might consider offloading Elasticsearch reporting:

https://forum.opnsense.org/index.php?topic=19266.msg88593#msg88593

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 24, 2020, 02:38:31 am
A good discussion on why you might consider offloading Elasticsearch reporting:
https://forum.opnsense.org/index.php?topic=19266.msg88593#msg88593
In some scenarios it makes sense to offload DB, but also would be very convenient if Sensei runs periodical checks of DB and if required, some basic auto repair plus reports any inconsistency...  8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 24, 2020, 03:34:02 am
Hi GreenMatter,

This is being done for Mongodb. Elasticsearch will be next for 1.7. Thanks for the suggestion.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on September 24, 2020, 04:31:48 am
This is being done for Mongodb. Elasticsearch will be next for 1.7. Thanks for the suggestion.
Thanks @mb.
Thus which DB is recommended?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 24, 2020, 05:40:38 pm
We recommend Elasticsearch once there are hardware resources.

Index checks were implemented for Mongodb since more index problems were reported to us for Mongodb than for Elasticsearch.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SoWhat! on December 04, 2020, 11:26:51 am
Hi folks,

I've searched the whole forum, but I cannot find a post that fits my "problem".

I bought a Home License to run different Policies for my kids and our devices, which isn't possible with the Free License. So I configured the Default Policy with the most restrictive settings which works fine and without any issues. So far so good. A new Policy was configured with less restrictions and I configured the IP address of my PC, but it doesn't work.

When I configure the IP address of my PC under Configuration in Exempted VLANs & Networks section, Sensei ignores my Requests and everything that is denied in the Default Policy is accessible.

My OPNsense is Version 20.7.5 running as VM on vSphere assigned 3 vCPUs (i5-4590T CPU @ 2.00GHz) and 6GB vRAM. My main network is LAN and WiFi on VLAN1, which is untagged on interface em0. IDS/IPS is currently disabled, so there should be no issues with that.

Does somebody have an idea what I did wrong?

Thanks & Cheers,
Stefan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 04, 2020, 11:40:21 am
Hi Stefan,

Policies work with an AND condition. So if you select any option except IP, it has to match all conditions before the policy is applied. Can you share your policy configuration?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SoWhat! on December 05, 2020, 10:34:23 am
Hi sy,

There is nothing else configured except the IP address.

I also tried only with one IP as well, but no success.

Cheers,
Stefan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 06, 2020, 07:10:11 pm
Hi,

So your sessions match the test policy on Reports - Connection - Live Session Explorer? Please check the policy column.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SoWhat! on December 07, 2020, 03:34:36 pm
Hi sy,

No, it doesn't. Just the Default Policy match.

Cheers
Stefan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 07, 2020, 03:37:31 pm
Hi,

Can you send a Bug report from the upper right corner of Sensei GUI? Please select all checkboxes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SoWhat! on December 07, 2020, 04:11:21 pm
Hi sy,

The Bug report is on the way.

The GUI didn't accept the .info TLD, this should be fixed as well.  :)

Thanks and Cheers,
Stefan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 07, 2020, 04:26:49 pm
Hi,

Thanks, got it. I will get back on ticket.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Julien on December 21, 2020, 02:49:09 pm
We have users reporting an issue: it blocks websites when they visit them for the first time.
How do we fix this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 21, 2020, 03:30:38 pm
Hi Julien,

I guess your firstly seen site block feature is on in Security rules. You can add the sites to the whitelist (Web Controls - Auto Whitelist) or request categorization (https://www.sunnyvalley.io/site-classification/) or disable that feature.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marshalleq on December 23, 2020, 11:46:44 pm
Deleted my post and moving to a separate topic
Title: Re: Sensei on OPNsense - Application based filtering
Post by: flushell on January 03, 2021, 10:42:59 pm
Made separate topic. My bad, thought this was the only thread.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: RamSense on January 10, 2021, 04:41:32 pm
I use Opnsense with Sensei and have ads blocked for the Lan devices. Works great. Only problem is with the mobile devices connected by 4g-vpn redirect gateway- sensei -> does not block ads on those devices. Everything else is working. This while I have added both interfaces in sensei-configuration.

Anybody else having this issue? Know how to solve?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Nekromantik on January 11, 2021, 05:43:52 pm
Hi

Can we have a free edition for fewer than 15 devices?
I don't have 50, so spending $10 a month on home seems a lot when at most I have 5 devices.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on January 11, 2021, 10:37:54 pm
Hi @Nekromantik,

You can use the free edition for your network. Home and other licenses provide extra features. But if you ask a license type for fewer devices, unfortunately, the basic license is Home 100.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Nekromantik on January 11, 2021, 10:40:51 pm
Hi @Nekromantik,

You can use the free edition for your network. Home and other licenses provide extra features. But if you ask a license type for fewer devices, unfortunately, the basic license is Home 100.

ok
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 12, 2021, 05:33:15 pm
Hi @RamSense, can you confirm if blocking is working with PCs over vpn ? I want to make sure if this is a mobile problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: RamSense on January 13, 2021, 06:56:17 pm
@MB,

That is a good question. I tried with my MacBook outside of my network with vpn connection, and the ads appear, no blocking.
When I am on my MacBook on wifi at home, no vpn, ads are being blocked.
At home iPhone wifi - vpn -> no ads getting blocked.
At home iPhone wifi - no vpn -> ads are being blocked
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 16, 2021, 06:33:19 pm
@ramsense, we suspect that this is due to netmap tun support adding null byte ethernet header.

We want to send you a test kernel. Can you reach out to support? Let's take it from there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: RamSense on January 16, 2021, 09:36:14 pm
Thank you for your reply and help.
I have just submitted a support ticket.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Miheerwa on January 17, 2021, 09:45:38 am
Hello all.

I am having an issue with policy rank. It seems that only the default policy works. Any new policy does not work. If I set the default to permissive and restrict the new policy, web traffic I expect to be blocked is allowed.

I want to be able to toggle a working policy instead of updating the default each time I need to turn off filtering.

I tried searching the forum; however, it doesn't seem I can search only this thread.

I have the home licensing.

Side question: would it be possible to automatically upload block lists or upload lists larger than 100? Or is anything larger only available via the API? (I find the ad blocking and ad tracking 70% effective, and there are large lists I would like to import.)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on January 20, 2021, 02:52:45 pm
Hi @Miheerwa,

The policies work with an AND condition. Please just be careful about the criteria that you added. For example, if you add an IP and username in the same policy, a session must belong to the IP and username. If one of them doesn't match with the session, Sensei tries to match another policy and if none of them match, the Default policy is applied.

- API support will be added in 1.8
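
The AND matching and Default fallback that sy describes above, modelled as an added example (not Sensei's code and not part of the original posts). The `Policy` class, the session fields, the policy names and the sample addresses are assumptions made for illustration; the trace shows which criterion made each policy fall through.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical model of a policy: every criterion that is set must match."""
    name: str
    networks: list = field(default_factory=list)   # IPs or CIDRs; empty = not set
    usernames: list = field(default_factory=list)  # empty = not set


def failed_criteria(policy, session):
    """Return the names of the criteria that are set but do not match the session."""
    failed = []
    if policy.networks:
        ip = ipaddress.ip_address(session["src_ip"])
        nets = (ipaddress.ip_network(n, strict=False) for n in policy.networks)
        if not any(ip in net for net in nets):
            failed.append("ip")
    if policy.usernames and session.get("username") not in policy.usernames:
        failed.append("username")
    return failed


def select_policy(policies, session, default="Default"):
    """Walk the policies in order; the first one with no failed criterion wins.

    Returns (policy_name, trace), where trace maps each policy that was tried
    and rejected to the criteria that failed.
    """
    trace = {}
    for policy in policies:
        failed = failed_criteria(policy, session)
        if not failed:
            return policy.name, trace
        trace[policy.name] = failed
    return default, trace


# Constructed sample policies and sessions (not taken from the thread).
POLICIES = [
    Policy("Kids", networks=["192.168.1.50"], usernames=["alice"]),
    Policy("Adults", networks=["192.168.1.0/28"]),
]

if __name__ == "__main__":
    sessions = [
        {"src_ip": "192.168.1.50", "username": None},     # IP matches, username does not
        {"src_ip": "192.168.1.50", "username": "alice"},  # both criteria match
        {"src_ip": "192.168.1.10", "username": None},     # only the IP criterion is set
    ]
    for s in sessions:
        name, trace = select_policy(POLICIES, s)
        print(s, "->", name, trace)
```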
Title: Re: Sensei on OPNsense - Application based filtering
Post by: RamSense on January 23, 2021, 08:36:17 am
@MB,

Thank you for the help. Support has made a test kernel to solve the (opnsense) netmap problem.
In the first tests it looks like the problems are solved and all is working. I have to do some more testing, but I am feeling very confident that it is working now! Great! Thank you/sensei

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 24, 2021, 08:39:16 pm
@RamSense, a pull request is on the way. This might be a bit late for 21.1, but I guess this has a chance for 21.1.1.

https://github.com/opnsense/src/pull/97
Title: Re: Sensei on OPNsense - Application based filtering
Post by: RamSense on January 24, 2021, 10:02:05 pm
@MB thnx!
Great to hear it is on the list to be implemented / corrected.

In the meantime, I am very happy with this test kernel, and all is working great now!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 20, 2021, 08:39:07 pm
Hi faisal,

Then it must be the cpu score. There is a 300.000 minimum cpu score requirement for Elasticsearch.

Here's a quick hack:

1. Remove /usr/local/sensei/etc/.configdone
Code:
rm /usr/local/sensei/etc/.configdone
3. Edit /usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh file and locate these lines:

Code:
if [ $CPU_SCORE -le 300000 ]; then
       CPU_PROPER="false"
else
       CPU_PROPER="true"
fi

Change 300000 to a lower value, like 200000. 

4. Do a browser refresh on the OPNsense UI, and click on any sensei menu. It'll re-run the config wizard. Now it should select Elasticsearch.

Now I'm thinking: for cpu scores between 200K and 300K and if there is enough memory (>=8GB) I think we should let the user decide on the database backend.

This solution no longer works on a fresh install today. And I can't find where to choose the Elastic engine...
Hi Murat,
One year later I have the same headbang :) This time for another reason, but I can't use mongodb on this system and the database has to be internal.
Can I ask for the current method to select the database engine manually?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 20, 2021, 09:22:44 pm
Hi @Antaris, this workaround should still work today. Unfortunately, database selection is still based on the cpu score in the UI.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 21, 2021, 12:00:00 am
Well, it still doesn't. For about a year. And we still can't choose the database backend manually, which was intended for v 1.5...

Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2021, 01:51:20 am
Sorry about that. This feature got postponed due to other pressing features becoming higher priority.

No worries. I saw that you also have created a support request. Team will help you out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgone on March 21, 2021, 02:30:09 pm
It seems that the package os-sensei-db is gone on the server. (see attachment)



Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on March 21, 2021, 03:17:09 pm
Strange assessment. It merely says it did not come from a known repo, which is probably because the scripts install it manually.

Please take new feature visibility with a grain of salt that it's been like that before it displayed the repository in that view...


Cheers,
Franco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2021, 07:41:23 pm
@franco, correct. This package was installed manually and out of the sensei package repository. This is why it's being shown like this.

Reason was we wanted to allow the users to move back and forth between appdb releases, not just the latest release.

We saw that it was confusing so starting with 1.9, os-sensei-db will not be delivered as a package.

As for the new plug-in compatibility, expect 1.8.1 to be shipped tomorrow; which will deliver the new packages.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: pvols1979 on October 05, 2021, 04:29:06 pm
I recently installed the sensei plugin for opnsense.  I love what I am seeing so far, but I seem to be having an issue with the netmap config.  When I choose native netmap, I get half of my 1G fiber speeds.  I usually hit around 940/940 with Sensei enabled on my LAN interface. When I choose the generic netmap driver, I get great download speeds, but my upload is less than 1Mbps.  I think this is telling me that the generic driver works best for my download, but I can't imagine why my upload is doing so bad.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on October 22, 2021, 10:19:01 pm
Hello all,

I am looking at possibly using Zenarmor with OPNsense, but I have some concerns. I am hoping someone has bumped up against some of these:

1) I am using Suricata to handle my WAN, so it's my first line of defense. I want Zenarmor to handle everything on the LAN side, as the second line of defense. Has anyone implemented it in this way?
2) I am concerned about the load Zenarmor could put on the OPNsense device. I am running an i7-8700 with 16 gig of RAM. If I implement the OPNsense plugin do I need to bump up the memory to accommodate Zenarmor?
3) Where does Zenarmor write its data to and has anyone added a second HDD to OPNsense and remounted the Zenarmor data to this partition?

I hope you all can help.

Thanks,
Steve
Title: Re: Sensei on OPNsense - Application based filtering
Post by: johndchch on October 23, 2021, 04:47:47 am
1) I am using Suricata to handle my WAN, so it's my first line of defense. I want Zenarmor to handle everything on the LAN side, as the second line of defense. Has anyone implemented it in this way?
2) I am concerned about the load Zenarmor could put on the OPNsense device. I am running an i7-8700 with 16 gig of RAM. If I implement the OPNsense plugin do I need to bump up the memory to accommodate Zenarmor?
3) Where does Zenarmor write its data to and has anyone added a second HDD to OPNsense and remounted the Zenarmor data to this partition?

Zenarmor on the LAN side (and Suricata on the WAN side) is actually what the zenarmor docs suggest, I'm running that way and it works just fine. It's not so much a 'second line of defence' - zenarmor is aimed at blocking access to malicious sites and managing your devices' access to sites (think things like active filtering for kids etc)

I'm running on an i7-6700 with 32gb and it's total overkill - even 16gb would be more than I've ever seen allocated, but my personal feeling is 8gb would be a little too tight. The more important thing is that you have enough cpu for your connection - I'm driving gigabit fibre wan and the i7-6700 is just enough ( zenarmor is single threaded - and heavy loads on the connection will see the core running zenarmor sitting about 80% load )

The zenarmor database is neither huge nor particularly demanding in terms of IOPS - I was originally running on a 250g hdd and it was able to easily keep up, however the speed of running reports meant I ended up rebuilding on a 256gb m.2 nvme, again it's almost certainly overkill but I had it around and it's nice having nearly instantaneous reports
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JRC on November 25, 2021, 08:05:23 am
I am migrating my hardware from one server to another for opnSense and this includes Sensei. I backed up my config from the old server, then re-stored it on the new server. I am running the latest versions of both the Sensei engine (1.10) and opnSense (21.7.5).

When I add my VLAN interface into the Protected interface list I get a popup about the driver having known incompatibilities with Netmap, and it gives me a link to an old post on these forums, and from digging around it seems that this issue should be taken care of in this version of opnSense?

I am running this on a Dell R610, with the Broadcom NICs (bce) and I have two interfaces configured as an LACP LAGG for the LAN interface, with VLANs using that as their parent interface. I am only trying to filter the internet on a single VLAN, the others need not be filtered.

So is this a concern? Or am I doing something wrong here?

Thanks in advance for the help!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: IsaacFL on November 25, 2021, 05:52:29 pm
I don’t think sensei supports LAGG.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on November 25, 2021, 06:18:06 pm
Hi @JRC and @IsaacFL,

Zenarmor warns because you are trying to add a LAGG interface. Zenarmor uses netmap, which is an operating system subsystem to grab packets off the wire, and netmap is not fully compatible with LAGG interfaces yet. The netmap team is working on it, but we don't have a date yet for when it will be fully compatible.

Normally we advise adding the parent interface if you have child interface(s), but for LAGG interfaces it could cause a network outage. So you are doing it the correct way by adding a child interface.

We have Zenarmor users that are using it with LAGG interfaces. So please try it and contact us if you have any problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: annih on February 03, 2022, 02:54:46 pm
I am trying to get Zenarmor to work but when I enable the plugin I lose access to the box and the network falls over.  I see a new message in the console like "drop mbuf that needs checksum offload".  Aside from that, no other obvious errors or issues.

I have a LAN interface with 1 native VLAN and a tagged VLAN and then two WAN ports.  I have added on the physical LAN interface, not the child ones.  The NIC is a 340-T4.  I am on opnsense 22.1.

Any starting points?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on February 03, 2022, 03:49:23 pm
Hi,

Are the options selected as in the attached picture (Interface - Settings)?


Title: Re: Sensei on OPNsense - Application based filtering
Post by: annih on February 03, 2022, 08:40:03 pm
Thank you - that did the job!  Out of curiosity, any performance impacts I should consider with offloads disabled?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on February 03, 2022, 08:53:58 pm
If the processor is fast enough, there are no performance losses.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thefunkygibbon on February 10, 2022, 12:34:46 pm
hi, new to opnsense and sensei in general, but i cannot seem to find the answer to this.
I'm running on a 4core atom / 8gb ram appliance and am trying to set up sensei.   
my question is, which db to choose? i know it says high end /low end get different options, but that doesn't really go any distance to explaining the pros and cons of using either.  I see if you have 8gb+ you can choose elastic locally.  But does that mean you should? if a low end system can get away with mongo, would that not be overall better to use unless you have oodles of ram?   
I can set up elastic on a docker container too on my server (connected via gigabit), would that be better for overall firewall/sensei performance ?
also , is it just for reporting/logging or is it constantly in use whilst Sensei is being used?  I guess if it's just for logging and reporting then performance is probably not an issue in terms of throughput of traffic
thanks in advance
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 10, 2022, 02:45:50 pm
Hi @thefunkygibbon,

According to the reports we receive from Zenarmor users; if you have many devices (100+) to protect/report, Elasticsearch seems to be appearing as a better alternative as the backend database. Yes, you'll need at least 8GB of RAM to be able run ES along with Zenarmor.

Having said that, if this is a home/small office installation with like at most 50-100 devices, mongo should work equally well.

Yes, Mongo/ES is only used for reporting and for throughput, they won't be an issue overall. However, if the system is producing so many logs that the databases cannot keep up with them, then it'll come back and hurt system performance, which in turn will impact throughput.

With 1.11, we'll also be adding sqlite backend option. It might also be worth trying if you're using zenarmor for your home/small office.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thefunkygibbon on February 10, 2022, 03:40:42 pm
thanks.  I ended up selecting Elastic, i assume i can remove it and go down the mongo route?  yes it's for a home deployment and likely the most actual concurrent users would be about 10 at the most.  Yes my network has many dozens more devices, but they are unlikely to be doing much on the internet (IoT devices that connect to my home assistant system etc for example).

As long as i'm getting my line speed, I'm happy.  although I noticed that I cannot do any per user settings using this unless I pay $99 a year.  Unfortunately that's unlikely to happen with budgets like they are.  So it's all pretty much testing to see what works best for our needs right now.
I've come from a mesh system that had user based url/risk blocking and so on, and have moved to a hardware router/firewall and controller based APs, so i'm trying to get the most of what i can
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 11, 2022, 02:55:05 am
@thefunkygibbon, looking at your environment, Mongodb should just work fine for you. Enjoy ;)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: chrismccracken on March 10, 2022, 07:33:46 pm
I have installed zenarmor on a new OPNsense 22.1 installation, and am running into a snag with the initial config wizard. My WAN interface does not show up in the Available interfaces box. The interface type is a pppoe running on a VLAN in an Intel ix interface. The unassigned VLAN subinterface does show up, but using that interface won't work properly since the WAN traffic is encapsulated in the pppoe tunnel on it. This seems to be a blocker for me, can anyone help?

**edit to add**
I've since found another post indicating that Sensei does not currently support pppoe interfaces.. Disappointed :(
(also, why is there no delete button for this reply?)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: skywalker007 on March 10, 2022, 08:02:01 pm
Why wouldn’t you run it on the LAN Interface like recommended?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: chrismccracken on March 10, 2022, 08:10:57 pm
Why wouldn’t you run it on the LAN Interface like recommended?

I have not seen a recommendation in any of the docs I've read so far about which interface to run it on. Every IDS I've used in the past binds to the WAN to get proper pre-filtering threat intel. I'll test it out with LAN, but that seems backwards  ???
Title: Sensei on OPNsense - Application based filtering
Post by: nikkon on March 11, 2022, 07:51:41 am
Set this on all internal interfaces.
If you need more, use suricata on wan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: badkuk on March 14, 2022, 03:08:32 am
Hi All,

I've literally just installed Zen Armor just now; seems that only IDS/IPS or Zen Armor can be enabled for any particular interface. And Zen Armor doesn't seem to have any configuration options that deal with IPS signatures, rules and such.

I'm getting the impression that Zen Armor is best suited for the user segment, where you protect your users from accessing malicious sites and such....or is there more to it? Can it protect servers? How exactly?

Should I enable IDS/IPS on the server and WAN segment, then enable Zen Armor on the user segment?

tia


Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on March 14, 2022, 04:59:00 pm
Hi,

You need to use Zenarmor on the LAN side and an IPS/IDS on the WAN side. Zenarmor has no IPS/IDS features yet.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BlackJub on March 24, 2022, 04:47:55 am
Hello,
I'm a long time user, but never used some features within Zenarmor.

I'm trying to send regular reports to my e-mail address. However, there's a problem when I set things up:
My SMTP server needs a known "from-address", but Zenarmor seems to give a blank one, even though I filled the "Send mail from" option.
I tried using SMTP and SMTPS with and without TLS certificate check: same results.
The mail server is configured without authentication when queries come from known IP addresses: works fine from Monit within OPNsense, Nextcloud server, and so on.

(Please see attached screenshots: my configuration tab, the error message from Zenarmor side, and the SMTP logs from the mail server side)

Is there something I am missing that allows Zenarmor to fill correctly the from-address when using SMTP services?

Any hint would be much appreciated!
In advance, thanks to anyone who can help me!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Vazmuten on March 24, 2022, 09:11:02 pm
Hi!
I just updated to the latest updated version of OPNSense:
OPNsense 22.1.4-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022


then following the excellent Zenarmor (Sensei) instructions installed the sensei plugins and even before starting configuring them ... all my VLANs disappeared. Instead of the listed VLANs in "Interfaces: Other Types: VLAN" there is a line/note "No results found!". I rebooted the OPNSense and guess what - all VLANs were missing for real and did not appear at all in the ifconfig command on the OPNSense SSH console. After I uninstalled the Zenarmor (Sensei) all my 12 VLANs appeared again. What's going on and how to fix this bug?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on March 25, 2022, 06:44:04 am
It's not the fault of Zenarmor, it's the fault of OPNsense.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on March 25, 2022, 08:29:30 am
Not enough incentive to cast blame. Dormant bug, common XML node name, no all-encompassing test coverage. VLAN changes introduced are functional and thoroughly vetted. It's just a matter of configuration data handling in the new MVC framework which hasn't been discovered yet.

The change was on the development version for a bit which just makes it seem nobody using Zenarmor is using the development version. It is what it is. ;)


Cheers,
Franco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jeekee on April 03, 2022, 10:54:53 am
Hi guys,

I got some trouble with sensei. I've got OPNSense 22.1.4.1 running without any problem so I thought. But I just found out that sensei is hanging at the initializing screen. Reinstalled it twice to no avail. One thing I did notice during reinstall is the message: peg: no package(s) matching os-sensei-agent. Not sure if this is new\unrelated or the problem. Any ideas or something I am missing here? Worked fine until now...

Thanks for the help!

Jay
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hfvk on April 03, 2022, 11:58:30 am
Check this thread:
https://forum.opnsense.org/index.php?topic=27744.0

Do you have a similar issue?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 03, 2022, 06:57:01 pm
Hi @jeekee,

If you're using Safari browser, try with another browser. A newly introduced JS code was incompatible with Safari.

We will be shipping a patch release early next week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jeekee on April 03, 2022, 07:40:05 pm
Ah my bad, should’ve looked better! But thanks for pointing me to the right thread!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on April 04, 2022, 06:36:41 pm
Hi all,

Please reinstall the package with the following command to solve the Safari browser issue.

pkg install -fy os-sensei
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hfvk on April 04, 2022, 07:42:44 pm
Hi all,

Please reinstall the package with the following command to solve the Safari browser issue.

pkg install -fy os-sensei

I can confirm that this works on iOS Safari now. Thanks, great work!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: andrewoliv on May 27, 2022, 08:44:37 pm
See Attachment.

Whenever I install the Sensei repository PlugIn it orphans all of my other PlugIns. The sensei plug in never appears. I have to delete the Sensei PlugIn and then the other plugins return to normal.

Anyone else have this problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: walkerx on May 28, 2022, 03:46:41 pm
See Attachment.

Whenever I install the Sensei repository PlugIn it orphans all of my other PlugIns. The sensei plug in never appears. I have to delete the Sensei PlugIn and then the other plugins return to normal.

Anyone else have this problem?

go to firmware, status then choose check updates and it will resolve that issue, but yes I had the same when I installed Sensei today, it reported all my current plugins were orphaned, rechecking for updates resolved the problem
Title: Re: Sensei on OPNsense - Application based filtering
Post by: andrewoliv on May 28, 2022, 05:26:34 pm
Thank you very much! That worked.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lilsense on June 04, 2022, 11:51:51 pm
@mb -- Murat effendi,

May I ask the thought behind the 2 policy for home use? what are the design guides that satisfy all things home with 2 policies, when you have kids under teen, teen, adults and guest...

I guess default is deny all for guests, but what about others... :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SuperMiguel on September 10, 2022, 03:01:22 am
what's the recommended DB type? mongodb? ES? remote ES? i have a home lic with around ~100 users (mostly IoT)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lilsense on September 10, 2022, 03:58:33 am
I use remote ES from my vm on NAS.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on October 25, 2022, 06:33:55 pm
what's the recommended DB type? mongodb? ES? remote ES? i have a home lic with around ~100 users (mostly IoT)

Depends on the hardware used for OPNsense.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Jppp on December 10, 2022, 12:35:31 pm
what's the recommended DB type? mongodb? ES? remote ES? i have a home lic with around ~100 users (mostly IoT)

Depends on the hardware used for OPNsense.

When I installed Sensei, it selected ES as default for me, with no possibility to change it manually from the gui. It has been running fine for about 4 days, but since yesterday, after starting Sensei RAM usage linearly grows until the machine is out of ram and crashes (OPN IDS does that too).

I’m running OPNsense on an Optiplex 3070 sff, i5-9500, 8GB ram, 128gb nvme. At most concurrent 2 users, ~15 devices of which ~7 iot. 1000/50 down/up, no external connection/vpn or publicly available content.
My hardware meets OPNsense’s recommended requirements and Sensei’s minimum requirements (constrained by ram), should I just add another 8GB ram stick or could there be some other culprit or known bug I don’t know about?

Is it possible to manually set the database to Mongo? I’ve seen some threads where it’s suggested to change some of the values in the script which selects the db based on hardware, but the posts are 3+ years old and aimed at going from Mongo to ES on hardware which was not recommended

Title: Re: Sensei on OPNsense - Application based filtering
Post by: sy on December 10, 2022, 04:41:16 pm
Hi,

You can reinstall the database by following the document below. Can you share a bug report before the DB reinstall to look into the Elasticsearch issue?


https://www.sunnyvalley.io/docs/troubleshooting/reporting#how-do-i-reinstall-the-reporting-database
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Jppp on December 11, 2022, 10:53:05 am
Thanks for helping out!

I believe I had followed the contents of that guide, but I will try it again this afternoon.
Will look into the logs as well and share them here.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Jppp on December 11, 2022, 04:16:40 pm
Quote
Hi,

You can reinstall the database by following the document below. Can you share a bug report before the DB reinstall to look into the Elasticsearch issue?

https://www.sunnyvalley.io/docs/troubleshooting/reporting#how-do-i-reinstall-the-reporting-database

Sent the bug report via the Sensei plugin, and was happy to see that logs can be included really easily! (Added a link to my comment in the report.)
There are quite a lot of logs in /usr/local/sensei/active ***, do you want them all here too?

To make sure it wasn't a one-off crash, I enabled Sensei without enabling the ES service. After ~3 minutes the network had a small crash of ~1 minute, came back up, and the system crashed ~2 minutes later (although I can't find anything in the logs).
I shut the system off via the hardware button, waited for a few minutes and booted it up again. RAM usage after boot was ~4GB and reached 6GB when I stopped the Zenarmor engine. ES is still running and RAM seems stable at ~4GB.

I have removed the database manually, doing the wizard again now. Will update my comment afterwards.


Configuration
WAN: re0, Realtek RTL8111HSD-CG
LAN: lagg0(), 2-port LACP on intel i340-t2

OPNsense community-repo: mimugmail [update1]

ZenArmor
General:
 Mode: Routed with native netmap driver
 Interface: LAN
 DB: ES
 size: Small II (< 51 devices), Sensei's doc [1] estimates a throughput of 500 Mbps for this setup with a min. of 4GB.
 
Cloud Threat intel:
 Enabled: yes

Updates & Health:
 Max. Swap Util: 60% *

Reporting & Data:
 Size of the Fast Temporary Memory Disk: 48% **
 Real-time DNS reverse queries for local IP: Disabled
 OPNsense Host aliases for DNS enrichment: Disabled
 Maximum number of days to store reporting data: 7 days


* SWAP is disabled on OPN, does this setting interfere with that? (I assumed the setting is being ignored)
** The default setting. This metric does not include the ES service itself, right? (As in, the whole Sensei service memory usage.) My system uses 1.5GB avg, so ~2GB, add 4GB for the fast temp mem disk and I've got only ~2GB left for Sensei?
*** main_, periodical_, seneigui, idpr*_,streamer_, worker_ and update_check.

1. https://www.sunnyvalley.io/docs/introduction/hardware-requirements#cpu--memory


UPDATE 1: Wizard: reporting & database.
During database selection I got the following notification
Quote
It looks like you also have mimugmail community repo enabled. Please be advised that this repo is also serving Elasticsearch and Mongodb packages with their dependencies. In this regard sunnyvalley and community repositoriees (spelling error in modal, if a Sensei dev is reading this) are not compatible when enabled at the same time.

If you would like to continue using both repositories, we advise to install Elasticsearch from the community repository and point zenarmor to this database as a "Remote Elasticsearch" database.

My dashboard shows that ES is still running, so I'm going to remove ZenArmor, add mimugmail-ES, install ZenArmor, external source for ES. Will update again.

Also, for my use case, e.g. low user count and relatively low usage, is ES that beneficial compared to Mongo? I'd like to also run OPNsense IDS (Suricata), which doesn't really feel feasible right now.


UPDATE 2: ZenArmor ES & community plugins
An existing issue in the plugin repo: https://github.com/mimugmail/opn-repo/issues/116
I'm already using AdGuardHome & speedtest from the repo, I'm going to offload it to another machine, remove the community repo and try again (bummer that they don't work together though, I was thinking of using some of his plugins)


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Jppp on December 13, 2022, 06:10:31 pm
My bad, this is a known issue with netmap on lagg interfaces.
https://forum.opnsense.org/index.php?topic=24015.0

To be sure I

Everything seems to work as normal again