OPNsense Forum

English Forums => Development and Code Review => Topic started by: mb on August 25, 2018, 03:38:14 am

Title: Sensei on OPNsense - Application based filtering
Post by: mb on August 25, 2018, 03:38:14 am
Hello,

I'm Murat, founder of Sunny Valley Networks, the company behind Sensei.

Very much pleased to meet the OPNsense community.

I've seen a thread about Sensei in the forum, so I thought it might be a good idea to start a dedicated topic to help people with the software.

Sensei is a plugin for firewalls which complement them with features like Application Filtering, Advanced Network Visibility and Cloud Application Control. Currently, Sensei community edition is available for OPNsense platform.

I've seen that some members have already downloaded and trying Sensei. Many thanks for that. We're grateful.

I've created this topic about Sensei to help you to try it out, and try to solve any problems you guys might have encountered.

Although we reached our target number of beta testers, we always have room for forum members.
If you're interested in trying it, please do not hesitate to contact me privately. I can share the URL to the latest installer.

Very much looking forward to reading your feedback and helping you with the software.

More information about Sensei can be found on the product web page: https://sunnyvalley.io/sensei

All the best
Murat
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marjohn56 on August 26, 2018, 12:05:21 pm
Thanks to @mb for sending me a link to test this. This is a quick summery of my first impressions, also to prevent any cross-contamination issues I did a clean install using zfs and then bootstrapped opnsense install. Firmware flavour is development and core upgrade carried out.


Installation was straight forward as was configuration. Initial configuration left me with zero information, this appears to be because I had selected the LAN as the interface to monitor, however, my LAN is a bridge, changing this to the OPT1,OPT2,OPT3 interfaces solved this and then it all started working well.


Note I am using this on a Qotom i5 with 8Gb RAM. It is recommended that this is the minimum requirement for a 100 user system. On my test system there is minimal extra load on the CPU, but my test system is limited to only two devices attached to the LAN.


My first impressions are that is a very impressive package, it will be interesting to see what the differences will be between the commercial and community editions are when that time arrives.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 27, 2018, 07:43:54 am
@marjohn56, many thanks for giving Sensei a try and providing feedback. This is very valuable for us.

Glad to hear that installation & configuration went smooth.

Sensei utilizes netmap behind the scenes, which does not play well with bridged interfaces. Netmap in FreeBSD 11.x, which OPNsense is based on is quite old.  I think we can also contribute to OPNsense team with an improved netmap support. I believe this will also help resolve some Suricata issues.

We'd love to hear about performance figures with a larger user base if you happen to have access to one. Currently the largest deployment we know of is 200 Mbps sustained WAN throughput with about 850 users. HW is an old HP DL360-g8 (xeon e5-2450L @1.8GHz) and 16GB RAM.

Delighted to see that product is up to the duty.

Enterprise <-> Community edition work is ongoing. For now I'm happy to tell that community edition for OPNsense will always be there and forever free.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mundan101 on August 29, 2018, 02:01:30 pm
I have sensei up at running and so far so good!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marjohn56 on August 29, 2018, 03:10:48 pm
I have sensei up at running and so far so good!


Just in case @mb has not told you, IPv6 is still WIP, so v4 only for now, still cool though  :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 30, 2018, 01:18:22 am
@Mundan101, thank you for testing and giving feedback.

@marjohn56, thank you for pointing it out. It's been FAQ'd now :)

To better support the software and help people who are having issues, we've created a Gitlab project.

Please feel free to send any bug-reports & enhancement requests there:

https://gitlab.com/svn-community/opnsense-sensei-plugin

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on August 30, 2018, 09:16:18 am
@mb https://www.sunnyvalley.io/eastpect
What about TLS 1.3?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on August 31, 2018, 01:10:20 am
Hi @mimugmail,

I am Hayati from SVN team.

As you probably know that TLS 1.3 has been finalized in this month after 28 drafts. TLS 1.3 will obviously dominate over other versions and most of the Linux/Unix distros and libraries should be giving support for it, sooner or later. This is no different for us.

We've been closely watching its progress and discussions on the TLS working group during our whole product development. So we expected and prepared for it, and Sensei's TLS inspection has been designed by taking TLS 1.3 into account. We'll be able to provide TLS 1.3 inspection without downgrading TLS version.

We expect the transition to TLS 1.3 in the field will start with the popular tls libraries following with the applications that are dependent on them. This will take some time. We target to be among the first network security providers to support TLS 1.3 with its most potential.

I've uploaded a video to SVN youtube channel illustrating TLS Inspection in action: https://www.youtube.com/watch?v=krG_VKt2_qk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on September 01, 2018, 12:12:45 am
Thanks you guys! I don't have a large userbase but I'll definitely report anything I come across. So far I really like it. My main goal at the moment is to see how it plays with squid and caching. I'm also using suricata and clamAV. I noticed a mention of some issues with suricata but that you were aware and working on a fix.
Edit I've seen a few people on 200Mb connections but I haven't seen many at 1Gb. Are you planning to add traffic shaping abilities? based on category?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 01, 2018, 03:46:59 pm
Hi @samsonmcnulty,

Thank you for testing & feedback. I'd very much appreciate if you can report any problems and/or issues you encounter.

Just like filtering based on application, shaping will also be there ;) Tentative plans is that we expect it to arrive in 2019.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on September 01, 2018, 04:37:58 pm
hello

can we block websites can be an integration in opnsense native

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 01, 2018, 07:58:14 pm
Hi @sagem2004,

Was your question about Sensei filtering based on web sites?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 03, 2018, 10:12:19 am
Great plugin so far.

On my machine running with 8GB RAM and an Intel I5 5250U (2x 1,6GHZ) the WAN throughput is at approx. 85 Mbps using IPS, Proxy + AV and around 8 active users.
Without Sensei my box can use the full 150 Mbps line (Cpu load is around 60 - 70%).
It takes a while to load on the first time and for some reason I cannot disable Sensei.
Due to the reduced internet speed I had to uninstall it and will give it another try once I have a faster router.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2018, 12:54:09 pm
Hi @sol,

Thank you for trying out Sensei and for the feedback.

A couple of questions:

Is this CPU usage (60-70%) for the configuration Sensei is not running? (e.g. IPS+Proxy+AV) ?

When you launch Sensei, how much did you see it changed? Does it top to 100%?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: krdhtet on September 04, 2018, 09:42:14 am
Dear mb,

Could you kindly provide Sensei link for me?

Thanks you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 04, 2018, 07:31:35 pm
Hi @krdhtet,

You got it in your inbox ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 05, 2018, 06:02:06 pm

A couple of questions:

Is this CPU usage (60-70%) for the configuration Sensei is not running? (e.g. IPS+Proxy+AV) ?

Yes

When you launch Sensei, how much did you see it changed? Does it top to 100%?
 It goes up to 95% and drops to ~50%. It also drops and peaks way more often


Furthermore I couldnt disable Sensei and I was only able to uninstall it right after a reboot. 
After a new try to install it again over the current system opnsense crashed and it had to reinstall Opnsense.
I guess some old settings made a clean reinstallation of Sensei impossible.
Lets hope that a new Sensei version will fix the option to stop it.

Looking forward to an update and will give it a try another time.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 05, 2018, 07:28:31 pm
Hi @sol,

Many thanks for reporting this and for the answer. This is very much helpful to understand what's going on.

Looks like a quite loaded system. I would not recommend running with a 60-70% cpu utilization if you're doing some kind of packet processing. Because packet processing requires dedicated resources and if the cpu is highly utilized and also shared with other applications, it's highly possible that you'll start losing packets. This is so, because at some point OS will fail to schedule the packet processing application to a CPU (because the CPU is already busy) and packets will be dropped in this timeframe. As a consequence,  this will create congestion, and finally you'll get lower throughput. This was what happened, lowering your throughput from 150 - 85 Mbps.

To remedy this kind of heavy load scenarios, there is one thing you can do, and one thing we can:

For you, as you wrote before, it'd be better if you can run the configuration with a more resourceful HW.
For Sensei, we'll pin it to a dedicated CPU core. This will help if you have a multi-core system. 

For not being able to stop Sensei, I'd guess it's related to the above scenario. Though it should stop anyway whatever the load is.

We'll try to reproduce this with your conditions in our lab. I'll let you know about our results.

For the sake of clarity: were you trying to stop it by clicking on the  "Stop" action button or by disabling "Start on Boot" option. Latter one controls whether Sensei should be run during boot time. If you disable it, it does not stop the engine, you'll need again to click on Stop. Most probably you clicked on "Stop", but just wanted to be 100% sure.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: krdhtet on September 07, 2018, 10:35:12 am
Dear mb,

I'm well received your link, thanks.

Currently, Sensei won't find out wifi interface.

Best regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on September 07, 2018, 05:49:57 pm
@mb Thank you for your support.
The system only uses that much cpu power when I'm fully saturating my internet connection (150mbit).
Apart from using sensei I haven't experienced any issues. But this explains the drop in my throughput for sure.

I tried stopping it by using the stop button first. Which didnt work. I was able to stop the elastic search engine using the stop button though. Then I disabled start on boot and rebooted the machine. Unfortunately this didnt disable sensei after the reboot and somehow I was able to stop it and uninstall it after a few tries.
After that I tried the install sensei on the same machine again, which resulted in an crash after the final installation. The PC wasnt accessible via gui or shell anymore and I had to reinstall opnsense.

So it seams that a machine with underpowered resources might not be able to be stoped using sensei 0.6 right now.

Cheers
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nospam on September 07, 2018, 10:47:10 pm
Vapourware? Blackbox man-in-the-middle SSL password harvester?

No download links, no source code, no forums
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 07, 2018, 10:57:45 pm
Hi @krdhtet,

This is done on purpose. We have an unresolved issue with the wireless adapters, so we filter them out while scanning existing interfaces.

For now, the workaround would be utilizing an external AP which would be connected to one of your ethernet ports.

I'll post an update when we're done with it.

Thank you for pointing this out. Also added to the product FAQ.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 07, 2018, 11:58:12 pm
Hi @sol,

Thank you very much for further information. Yes, under heavy CPU utilization, it looks like we've been able to re-produce the issue. I'll update the thread about the resolution.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 08, 2018, 07:14:16 am
Hi,

Thank you for the straightforward feedback.

Vaporware?

No. Sensei is developed by Sunny Valley Networks. I'm Murat, founder of the company. Sunny Valley is a venture-backed, Delaware/US registered company, located in Sunnyvale,  California. Company website is https://sunnyvalley.io. I live in Bay Area. If you are around or will be one day, I'd very much like to meet you in person, grab a coffee and have a chance to get to know each other closer.

No download links?

Currently, we provide the download link for people who register for the BETA early access program. When we are done with the early issues reported by BETA users,  we'll release the final community edition, which will be downloadable directly from the website.

No forum?

We're quite new. We've released the BETA version in late July. We thought that it would be most efficient if we used the existing OPNsense forum for that purpose. Because the plugin is available for OPNsense, and this forum is where all the people discuss things around OPNsense.

No source code?

Sensei is closed source. We announce it on the product webpage. On the other hand, apart from Sensei community edition being available for free for the community, we have a list of open source contribution items, which we think will be of value to the whole project and the community.


Password harvester?

No. Sensei follows best practices implemented by Bro/Suricata; explicitly strips out and throws away octets that could be sensitive. For instance, it does not touch HTTP bodies,  and spends extra cpu cycles to strip out any parameter passed to GET/POST requests and cookies.

It is about our effort to tackle the increasing utilization of encryption by the recent cyber attacks to avoid detection:

https://www.wired.com/story/phishing-schemes-use-encrypted-sites-to-seem-legit/
https://www.thesslstore.com/blog/lets-encrypt-phishing/

However we also share your concern. We also agree that TLS code should be distributed in a more controlled way. This is why TLS will be part of the Enterprise edition.

Thank you for taking the time and comment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 12, 2018, 05:51:59 pm
Hi @sol,

It looks like we've fixed the problem which in some cases leads to Sensei not stopping appropriately.

Fix will appear in 0.6.0-release, which will be released today US Pacific time.

Would be more than happy if you can give it a try.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Nekromantik on September 13, 2018, 12:17:52 am
im interested in trying this out
I only have a 80/20 connection and am using a Celeron dual core mini pc with 4GB RAM.
Will this be too much for my hardware?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 13, 2018, 02:12:38 am
Hi @Nekromantik,

Thank you very much for your interest in Sensei.

Yes, unfortunately this hardware configuration will be insufficient for running the software. Sensei installer will refuse to start. You'll need at least 8GB RAM and a more modern CPU.

Please see this blog post to get more information:

https://www.sunnyvalley.io/blog/sensei-hw-requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on September 13, 2018, 02:50:10 pm
I just replied to your email with the download link to v .6 and didnt realize that the hardware requirements had changed.
Code: [Select]
This is Awesome! But I have one small request. I use a system with 12 GB ram now for my opnsense install. Previously, I was using 16 GB since sensei requires it but I never noticed my ram usage go over 8 GB. My environment is only about 4 users with maybe 20 total devices connected at once but rarely being used all at the same time (think SOHO network). Is there any way to add an option for a smaller network like mine or is there some way I can bypass the 16GB minimum requirement?
Am I totally tripping here? have they always been 8GB minimum? I could have sworn when I tried to install the last version it stopped me since I only had 12 GB... I'm probably crazy lol
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 13, 2018, 06:21:44 pm
Hi @samsonmcnulty,

Great to hear that it worked at your second try :) Yes, the check in the installer was for 8GB minimum RAM. I guess it was something else which went wrong.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Alphakilo on September 15, 2018, 04:47:59 pm
Is it required to run the Elastic stack on the Firewall?
Why not split it into two packages: The "Firewall" part and then Elasticsearch, Logstash, etc...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 15, 2018, 07:24:13 pm
Hi @Alphakilo,

Many thanks for the input.

Currently it runs on the firewall. This was an important decision to make when we first started working on the plugin. All of the first users' feedback was to have it coupled with the firewall. Because the deployments were typical of a SOHO, SME, and they were not able to operate a separate deployment just for reporting.

So instead of starting with a distributed design, we started with this one, suggesting early users to increase the amount of memory they had. They were already using modern CPUs, so CPU was not a problem.

For a reference, with the current architecture, the largest deployment that we are reported is  700+ concurrent users and 500 Mbps/50 Mbps max, 300 Mbps sustained WAN throughput. HW: Dual-Core i5-2400 @3.10 GHz (4 threads) with 10GB RAM - OPNsense + Sensei. No IPS, No AV, No Caching. Use case is firewalling + application control + web security.

Looking forward, it looks like we'll offer this option. Since we see that more and more people want to see Sensei deployed in more large scale environments, with thousands of users.

For the time being, our focus is to have the software make super stable & make it cover the essential network security requirements of SOHO / SME users.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 16, 2018, 04:13:32 pm
Hi there,

Sensei 0.6.1 is released. This is a minor reliability release fixing a few issued reported for 0.6 release.


More on how to update to 0.6.1: https://www.sunnyvalley.io/blog/sensei-0-6-1



Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on September 26, 2018, 12:00:18 am
Hi friends, thanks for the very interesting project work,
I'm testing version 0.6.1, my interface is vlan but I do not see Packets IN and Packets OUT, any settings I missed?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2018, 07:16:52 am
Hi @bulmaro,

@svn is working on your bug report. Hope to update you about this soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on September 26, 2018, 03:45:52 pm
thanks for your attention
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hyralak on September 29, 2018, 07:25:46 pm
I tested Sensei for a couple weeks. In that time I observed some unexpected behavior. First i need to say that I have had zero issues with opnsense in the year that i have been running it, rock solid. I am running it at home, my internet speed is 300/80. The hardware is a Dell Optiplex 8gb ram Intel(R) Core(TM) i5-3475S CPU @ 2.90GHz. Memory usage never exceeded 35% with sensei running and cpu usage was minimal. 
Issues I encountered after installing Sensei included web interface locking up, and unable to access opnsesne via ssh. I could still interact with the console. After this occurred i had to uninstall the plugin.
 
Also, I run a pi-hole for DNS poisoning which logged Sensei as the top domain. I was seeing 25,000-35,000 connection attempts to updates.sunnyvalley.io. I turned off auto updates but it continued to hammer away at updates.sunnyvalley.io. The screenshot below is from the last 24 hours. I uninstalled Sensei about 13 hours ago.

(https://i.imgur.com/nYv8rJw.jpg)

I liked the visibility and functionality that Sensei offered, but the instability was not acceptable. Perhaps my hardware is not adequate for the plugin?
Hopefully the information that the plugin sent back to sunnyvalley will provide insight into my web/ssh issues.
Keep up the great work and thanks for letting me try out the plugin. Perhaps I will try again at a later date.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 01, 2018, 08:29:22 pm
Hi @hyralak,

Many thanks for taking the time and reporting your issue. If you find value in Sensei, than it's our job to make it super stable.

Your Hardware configuration is just fine. CPU/memory utilization seems to be low & as expected.

Do you remember which Sensei version you installed first? Because the symptoms you're seeing, we had an issue which might be causing them, and was fixed at 0.6.1 release. I'm suspecting an upgrade issue.

Updates.sunnyvalley.io is being used by two purposes:

1. If you enabled Automated health-checks, it collects these info and sends them to the updates server, which we run a monitoring service with alerting capability (It's actually nagios). This way we instantly know that some Sensei instance has a problem, and try to diagnose it. Information that's sent:
    a) Check whether the packet engine is currently running
    b) Check whether the packet engine crashed and created any core files
    c) Check whether the Sensei engine has any issues with packet forwarding
    d) Check whether Elastic Search is running & healthy
    e) Check whether Sensei is utilizing any SWAP memory
    f) Check disk free space has at least 20% free.
    g) Check if Sensei is using excessive cpu/memory
    h) Check if Elastic Search is using excessive cpu/memory
    i) Check if overall load average is within safe limits
    j) Check if overall cpu/memory consumption is within safe limits
    k) Check if Sensei is put onto bypass mode because of a problem.

System health checks are done once a minute. Instead of collecting the information and sending in batch mode, health script connects to the server for every one of the checks. So this makes 11 connections for a minute. This is why you see some many connections. Yep, this is inefficient & we have an open JIRA issue to address this.

2. Software update checks. If you enable update checks, they are done once an hour.

Though the number seems to be double the number we should be seeing. Our guess is that there is a runaway cron job from previous versions.

I'd love to explore more, I'll be writing to you via a private message. I'd like to find the root cause relating to this. Than fix is the easy part :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hyralak on October 01, 2018, 08:39:12 pm
It appears that I installed sensei_installer_opnsense_0.6.1-release.sh
Title: Re: Sensei on OPNsense - Application based filtering
Post by: rhyse on October 02, 2018, 10:55:41 am
Hi

I am seeing an issue where the "Sensei Packet Engine" keeps stopping, clicking start makes it come back to life.

Enviro: VMware 6.7, 10GB RAM, 2 x vCPU's (host CPU 2 x  E5-2670) , disk space 2.2 gb used out of 18Gb , Sensie deployment size Small (I have just enabled " Enable Generation of Support Data:" ), Sensei version 0.6.1-release (installed from this version)

This is a test infra, so doesn't have much traffic going through it

Any ideas ?

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 02, 2018, 04:00:12 pm
Hi @rhyse,

We did not have much users on VMware. Let's debug it together & make Sensei run there. I'm contacting you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 02, 2018, 08:58:01 pm
Dear Sensei users,

@rhyse helping us debug his issue, we've spotted a bug with Netflow output formatter. If you're using Sensei with Netflow, better to disable it for now.

For the resolution, we'll issue a fix. Hopefully as 0.6.2.

Many thanks @rhyse !.




Title: Re: Sensei on OPNsense - Application based filtering
Post by: Csykes27 on October 16, 2018, 12:29:16 am
I am having an issue of when I Enable Cloud Reputation & Web Categorization all web traffic stops. all services are running and stay running from what I can tell.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on October 16, 2018, 12:49:50 am
@Csykes27 thanks for reporting. We've heard this issue for the first time actually. Let's debug what is causing this together.

I shall be contacting you soon to resolve the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on October 18, 2018, 10:48:08 am
During the initial installation, a dependency throws a 404 error:

Code: [Select]
pkg: https://updates.sunnyvalley.io/repo/libXtst-1.2.3.txz: Not Found
FAILED : Unable to install required packages. Please see install.log
Title: Re: Sensei on OPNsense - Application based filtering
Post by: svn on October 18, 2018, 07:11:19 pm
Hi @jjanzz,

We're currently working with OPNsense for the integration. As a part of this process, OPNsense started providing some of our dependencies. We'll update our installer and package to be compatible with the latest changes on OPNsense package repository, soon.

It seems that some of the dependencies not satisfied (namely, some configuration files of elasticsearch, and some java dependencies). We'll fix this urgently.

Right now, you can register for download and we'll send you a download link as soon as we fix the dependency issue.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on October 22, 2018, 04:10:32 pm
We're currently working with OPNsense for the integration. As a part of this process, OPNsense started providing some of our dependencies. We'll update our installer and package to be compatible with the latest changes on OPNsense package repository, soon.

Thank you for the reply. No problem; I'll gladly help you test it out as soon as it's possible :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2018, 12:09:10 am
@jjanz and community,

Elasticsearch5 was added to OPNsense packages as part of the 18.7.5 update. There was a problem in the FreeBSD elasticsearch package builds which was inherited by the OPNsense build system.

Because elasticsearch was problematic, Sensei installations were failing.

Today we fixed the problem. In the meantime, OPNsense will be removing the package from its repository in the upcoming release.

Starting 18.7.6, elasticsearch will be provided by Sunny Valley Package repository.

Long story short: We're resuming Sensei downloads. You can now download and install new Sensei version, which is 0.7.0-beta1 as of now.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2018, 12:10:55 am
Hello all,

As part of 0.7 release effort, we've launched Sensei Users' Manual & Documentation.

Please find it here:

https://guide.sunnyvalley.io/sensei/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: wordsmith on October 25, 2018, 07:45:42 am
This plugin looks pretty interesting and I’d like to give you some non-technical feedback to consider. But first a question: will Sensei ever be open source?
See, the reason I ask is because to me it seems there is some confusing communication going on. I’m sure, some of it is non-intentional like:

Quote
For now I'm happy to tell that community edition for OPNsense will always be there and forever free.

"For now" and "always" don’t work well together. Basically, now you’re saying that this will always be the case, but later you might change your mind to “it isn’t free anymore”. I suspect that this was unintentional, but I just wanted to get it out of the way.

What rubs me a bit the wrong way is that the community edition is free, but not open source. According to your FAQ:
Quote
The Packet Engine coded in C++, and its source code is not open.

I think the reason there are community editions in the software space is precisely to indicate that a company/developer wants to build a trust model with others and, as a result, gives them the recipe so that they can build a community around it together. In short, it isn’t about getting something for free i.e. without having to pay, but to build trust.

Now, where your approach to marketing proofs to be rather problematic is with statements like this:

Quote
Empower your open source firewall with Next Generation features.

If you plan to keep parts of Sensei closed source, I’d suggest you’d drop the “open source” in your marketing, because it’s confusing at best, misleading at worst. Next, as long Sensei isn’t open source, I’d also reconsider the use of “community edition”: this is a rather well known way to describe the non-commercial version of a product that isn’t just for the community, but also by the community. If the community doesn’t have access to the code, it’s not a community edition, it’s a free edition.

The FLOSS community already suffers from a huge labeling problem (ever tried to explain to a non-technical user the difference between Free Software and Freeware?) so let’s not muddy the waters even more.

I don’t know about your business model, but for people who really care about open source it’s not about getting stuff for free, it’s to be able to verify the claims of company such as yours and, of course, to build a community around a solution that can be build by like-minded people without restrictions regarding code access.

Of course, at the end of the day there’s always the pragmatic side to consider and there will probably be a lot of users who are perfectly fine to run proprietary software on their open source OS, but for people like me who decided to use an open source solution not because it is free of charge, but precisely because it’s source code is available, Sensei won’t be the solution we’re looking for.

Now, with all that being said, I still appreciate your efforts.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 26, 2018, 08:33:09 pm
Hi @wordsmith,

Many thanks for taking the time and provide this valuable feedback. Now we become aware of a communication problem.

To clarify things:


As you’ve correctly pointed out, if there is any misunderstanding, it’s unintentional. Your comments shed a lot of light as to what needs to be adjusted in the messaging. We’ll be working on that.

Taking this chance, I’d like to give a little bit of background why we started with “open source firewalls”.

As Sensei team, we believe that we’ve created a powerful packet processing technology. We believe that better packet visibility means better decision making. Better decision making means better success rates in detecting malign traffic.

Sensei is the first of two products that we’re going to create for a large market.

We hope to make Sensei available for any network security equipment / product which needs application classification & web security features. L3-L4 firewalls, UTMs all fall into this category.

The thing we started with open source firewall space is that, it was a request by an MSP who was deploying open source firewalls onto customers and providing support services. Very happy with their current firewalls, they needed several features that we could provide. We quickly did an integration and voila! The resulting solution (OPNsense + Sensei) was found to be better than many of the current players in the UTM market.

This sparked a light for us. Why not deliver the product as a plugin instead of yet another full-blown firewall appliance? It’d be cost effective for us and we would than be able to relay this cost advantage for the benefit of our prospective users.

In this regard, open source firewalls is a delivery channel for us, though it’s not the complete target market. Via this initial channel, we learn very much from our users and improve Sensei. You can’t believe how much Sensei improved from the day we announced first beta up until this day. Then of course, we are looking for market visibility. It’s great to see people loving the solution and spreading the word.

A free of charge Sensei edition (maybe we should call this freemium edition) is a way of our giving back to the OPNsense community.

Having founded a local open source community (enderunix.org) and published some open source tools, I truly understand, appreciate and respect your stance.

Though we cannot make Sensei fully open source, I think the best we can do right now is to communicate what Sensei is and what it is not in a straight and open way. This way people would know what they will have and what they won’t; and will make an informed decision about using / not using it.

It's somewhat hard to figure out a way to communicate people that the current product is for “open source firewalls” without using the words “open source”. Because marketing wise, we would like to be as precise as possible so that people would know what it is for.

However I also see that it’s creating confusion. We’ll spend more time on this. I’d also like to consult you if you wouldn’t mind.

Again, many thanks for bringing this up to our attention.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 08, 2018, 02:24:10 pm
Dear Sensei users,

0.7.0-beta1 update is out for those who are on 0.6.x releases:

https://www.sunnyvalley.io/blog/0-7-beta1-update-available-for-0-6-x-users

0.7 Beta1 comes with the following functionality:
 
1. New Report - Blocked Connections Sessions Explorer and drill-down reporting
2. Reports enhancement: Daily executive reports. Selected reports delivered via a daily
    e-mail.
3. Customizable Landing Page for Blocked connections
4. Reports data retiring: disk space consumed by Elastic Search (Reports) is now
    configurable
5. Release Changelog is now displayed during Sensei updates
6. Shortcut to add Block/Allow rules based on fields (IP Address, Application, App
    Category etc.) via Session Explorer Reports. 
7. 350+ new applications identified.
8. Documentation: Sensei Users' Manual
9. Sensei speaks your language now, we added i18n support to match your OPNsense
    UI language. English & German are the two for now, more coming soon.
10. More performance & stability improvements


If you've downloaded & installed Sensei later than October 15, you should already be using 0.7.0 beta1. This is an update package for older versions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shrdlu on November 13, 2018, 06:15:37 pm
Not sure if this is the right place to post this, so if I am wrong please redirect me.

I have noticed with Sensei (BTW, it is working fine) that when I run a health audit in OPNsense I get the following (see attached screenshot) checksum mismatch for the nodes.csv file and was curious if this is normal or something is wrong.  Things appear to work fine and no matter what Cloud Threat Intel selections I make (not sure that is related but it might be) I get the mismatch and the Cloud Threat Intel is working fine regardless, or at least shows up and running.

And, on another note, in terms of processing when do the Sensei components process information in terms of order?  For example, I use the web proxy (squid) in OPNsense and was curious if Sensei process the packets before the proxy or after or somehow during, or frankly something completely different if I am misunderstanding the order of operations.

Thanks in advance.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 13, 2018, 06:27:42 pm
Hi @shrdlu,

You're in the correct place :) We're receiving feedback & comments and help requests here. You can also shoot a ticket if you think you've found an issue with the software:

https://gitlab.com/svn-community/opnsense-sensei-plugin/issues

The thing with Node.csv is not an issue. Web UI updates the contents of this file with the best servers available. I guess this creates a mismatch with the OPNsense File Integrity Checker. We'll handle that.

With regard to processing order: Sensei receives packets while they traverse from Network Adapter to the FreeBSD networking stack; which means it receives them before Squid and even before L3/L4 Filtering.

You're all welcome, and thanks for sharing your experience.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: theq86 on November 15, 2018, 03:56:00 pm
I Installed sensei. When I was on the dashboard to configure the protected interfaces only my 2 vpn interfaces show up. Not WAN, not LAN, nor any other interface on my firewall.

current version as of writing (0.7.0-beta1)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on November 15, 2018, 04:11:55 pm
Do you have IPS enabled on LAN or WAN?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: theq86 on November 15, 2018, 06:23:50 pm
Nope. Neither
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 15, 2018, 06:33:28 pm
Hi @nasq,

Any chances your LAN interface is virtio?

https://guide.sunnyvalley.io/sensei/support/faq#no-ethernet-interface-is-being-shown-in-the-interface-configuration

As quick workaround, select Intel E1000 as the adapter type.

As the final solution we're sponsoring a development which will ship the latest upstream netmap code into FreeBSD.

This will also fix lots of issues that you might be encountering with Suricata as well.

https://svnweb.freebsd.org/base?view=revision&revision=340436

It's us. Commit is done to HEAD, will be MFC'd to 11-STABLE in the following timeframe.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mimugmail on November 15, 2018, 06:36:53 pm
https://svnweb.freebsd.org/base?view=revision&revision=340436

It's us. Commit is done to HEAD, will be MFC'd to 11-STABLE in the following timeframe.

Really nice contribution Murat, thanks! :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 15, 2018, 06:44:59 pm
Hi @mimugmail,

Our pleasure. All welcome :) Super excited to see the changes land in 19.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on November 16, 2018, 08:40:19 am
r340436 is indeed very nice. mb, please push these into my mailbox or open a src.git ticket for swift inclusion. we need the MFC for stable/11 to be committed first though.

for the csv, it's considered bad style to manipulate files shipped with the package. for that reason FreeBSD has the "sample" trick which creates a copy of the file and only checks in the unmodified file (suffix ".sample"). We use it in core in some places, too. Plugins don't support it yet, but they should eventually.


Cheers,
Franco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 16, 2018, 05:24:23 pm
Hi @franco, thank you very much. I hope this will be of some help to the project.

We're still testing the code in HEAD. After we're confident, it's going to be MFC'd to 11-STABLE. I'll be pinging you once we're done with that. 

I've been informed that we actually have the unmodified file (.default) with the package. Engine reads a "processed" version of that file, which -indeed- do not need to be included with the package. We're removing it. I guess we're done then.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on November 16, 2018, 06:33:35 pm
Yeah, that's all sorted then, great!  8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: therec on November 18, 2018, 05:13:56 pm
Hello Murat,
I had a question around blocking. (i.e. adds, trackers, etc.). is there a way to allow a specific site? if i go to neweggs web site, the site is unreadable. if i disable the blocking, its ok again. i see the option to the right to unblock, but it wants to unblock the group (ad category) and not the site. forgive me if I've missed something simple. and thanks for the work, this is a wonderful product, I cant wait to see where you take it.

Thanks
Robert

If i posted this in the wrong place, let me know and ill move it

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2018, 02:51:31 pm
Hi Robert, @therec

Thank you very much for your feedback. Awesome to see you've found the plugin useful.

When you browse Reports -> Security->Session Explorer, see if the site is being blocked via Application filtering or Web filtering. You can differentiate it by looking at the "Block category" information. If by Application filter, it says "Application category", if via Web filtering, it reads "Web category".

To allow a specific "Application", just go to Application Control, find and expand the related category, find your specific application, and unblock it.

If the filtering is done via Web filtering, browse to Web Controls->User defined categories. Create a new category i.e. Whitelist, and put your websites which you want whitelisted here.

Click "Save Changes" and that should be it.

Thanks,
Murat
Title: Re: Sensei on OPNsense - Application based filtering
Post by: therec on November 20, 2018, 01:45:51 pm
Thanks, that makes a lot of sense. however it doesn't seem to be working. I've added

- https://www.newegg.com/
- secure.newegg.com/
- www.newegg.com/
- www.neweggbusiness.com/
- https://newegg.com

Maybe ive misses something?

as an alternate test i confirmed http://static.hotjar.com/ was blocked (webtracking site).
I added this to the web controls as requested (user defined group) and is had the green check (allow),
This site also remains blocked after whitelisting via web address.

I suspect im missing something, I have amatuer firewall skills at best. but i love this product and hope its a long term solution for me. thank you for the help

P.S. i just noticed https://flash.newegg.com works just fine.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 20, 2018, 09:42:23 pm
Hi @therec,

Let's dig a little deeper together. I'll be writing to you privately. I might need some logs. Let's see if there's something wrong or there is a configuration problem.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on November 21, 2018, 08:04:50 am
Hi, Using Sensei plugin and its great. Need help in few thing:
1. Is there any live view to know which IPs are using the most bandwidth and then drill down to specific IP to check what sites / services it is using and which site / service is consuming the most. (I use ntopng and it has very nice view to tell which devices are consuming most bandwidth only)
2. I do not know why but when i check the "Table of Local / Remote hosts, it shows bytes in / out which is very low as compared to ntopng. and i have avg 25-30 devices running all the time out of 50 devices but it only show few so how can i list all of them.
3. Is there any way to get all the web history of a user or users ?
4. Is there any way to bind names to IP (local / LAN IP) as squid does in web proxy ?
5. It filter web traffic and works as transparent web proxy so is there any way to use it as cache server as well or if you are planning for it in future.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 21, 2018, 11:24:45 pm
Hi @manjeet,

Thank you for sharing your experience with Sensei. We very much appreciate that. Find the answer below:

Quote
Is there any live view to know which IPs are using the most bandwidth and then drill down to specific IP to check what sites - services it is using and which site - service is consuming the most

Yep. Navigate to Sensei -> Reports -> Connections. Look for the Chart named Top Local / Remote Hosts. But make sure to select the reporting criteria as "Volume" from the upper right hand corner of the reports page. Default is by sessions. You can do "Session based", "Packet based" or "Volume based" reporting.

When you left click on any IP, a submenu appears. Click "Drill-down" and all reports will be automagically filtered according to this IP address you've selected.


Quote
I do not know why but when i check the "Table of Local / Remote hosts, it shows bytes in / out which is very low as compared to ntopng. and i have avg 25-30 devices running all the time out of 50 devices but it only show few so how can i list all of them.

My guess is that you might be viewing the "Session" reports. Make sure you've selected "Volume" as the reporting criteria.

All devices currently active should be listed though. My guess would be that you might be viewing reports for the last 15 minutes. Make sure you've selected a longer time frame from the right hand corner.

 
Quote
Is there any way to get all the web history of a user or users ?

Yes. You can do that from the Web / TLS reports. You have the drill-down capability for every report type.


Quote
Is there any way to bind names to IP (local / LAN IP) as squid does in web proxy ?

Actually, packet engine automatically maps DNS names to IP addresses if it can find a matching DNS transaction. Soon there will be Active Directory / LDAP integration which you'll be able to see the user / group names.

Quote
It filter web traffic and works as transparent web proxy so is there any way to use it as cache server as well or if you are planning for it in future.

In theory, packet engine is capable of doing that. But we chose to focus on complementing features that are currently not existing. Squid is a great caching proxy. Indeed caching is its original reason of existence. That being said, Sensei roadmap does not have "caching" as a feature.

Many thanks for reporting your experience with us.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: maekar on November 22, 2018, 02:09:46 pm
Hi,

The maximum of 1000 concurrent users is an approximation for better hardware performance or an strict software limit?

thanks

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2018, 02:02:50 am
Hi @maekar ,

This is the current field-tested maximum. Software arranges several tunables (e.g. cache sizes, connection table sizes etc.) according to the user size.

Current focus is to make the software super stable for SME use cases (which generally means user populations below 1000)

Looking forward, engine is able to scale to hardware resources, which makes it possible to secure thousands of users.

Hope this answers your question.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: johjoh on November 23, 2018, 11:57:10 am
Good morning, will Sensei one day consume less resources in terms of RAM and CPU?
For example an Atom CPU or a Celeron with 4GB or 8GB of ram?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2018, 02:47:31 pm
Hi @johjoh,

Yes :)

A big portion of the resource requirement come from the Reporting engine (Elasticsearch). The core packet engine has been tested to run on low resource systems: e.g. Celeron  < 1GB RAM.

A roadmap feature - remote reporting - allows to run packet engine on the firewall itself, and reporting on another more powerful server.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bobbythomas on November 24, 2018, 07:19:02 am
Hi Murat,

Couple of questions? Is there anyway to find the current installation or patch status? Where are the Sensei logs installation logs stored and how can we view that? I received an rc1 update and it's about 36MB, but it's been more than an hour since I started the installation, I would like to know the status. While installing Sensei some packages took a lot of time to get downloaded and I suspect something like that. I believe there is some latency reaching some of the repositories. Could you help me troubleshoot this issue?

Thank you,
Regards,
Bobby Thomas
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shrdlu on November 24, 2018, 07:35:55 am
Not sure if this is just my setup but after upgrading to OPNsense 18.7.8 I get stuck in a loop that won't complete.  Because it reset my configuration of Sensei* after the OPNsense 18.7.8 upgrade, I have to go through the config wizard again and when I click finish, it attempts to configure everything but kicks out the attached error.  Essentially it tells me, "error indices could not be created," and I am stuck in that loop as it returns me to the beginning of the config wizard.

So, #1, is it just me?
and #2, assuming it is not me and before I simply try to uninstall/reinstall, any ideas?

Thanks
 
*Is it normal for an OPNsense upgrade to reset my Sensei configuration?  If the answer is yes, that is fine but also if there is a way to backup a config and restore it that would help me retain settings.  Either way, love the solution and reconfiguration is actually a minor thing in the grand scheme of things so if the answer is no here then that is fine as I still find huge value in the software.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 09:02:07 am
Hi @bobbythomas,

/tmp/sensei_update.progress should have more detail regarding the update process. 36MB download shouldn't take that long.

We rolled back rc1 update in case there is something we miss with the update process.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 09:12:40 am
Hi @shrdlu,

It was unfortunate that both OPNsense & Sensei got updated at the same time. Looks like while OPNsense was upgrading, we shipped 0.7.0-rc1. OPNsense update manager also updated Sensei, a case which we did not handle.

Sorry for the inconvenience. We rolled back 0.7.0-rc1.

A final fix will be out shortly.

For a workaround, I'll be contacting you. We'll try to recover the old configuration.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 24, 2018, 11:26:30 pm
Dear Sensei users,

0.7.0-rc1 upgrade is back.

A quick update on 0.7.0-rc1 upgrade:

If you encountered any Sensei issues while upgrading your OPNsense to 18.7.8, this was due an unhandled case in our package updater when the upgrade process is triggered from the OPNsense firmware updater, not from the Sensei Status Page. This is fixed now in the upcoming 0.7.0-rc1.

But the fix will be in effect starting from 0.7.0-rc1.

So, If you’re on 0.7.0-beta1, and do NOT want to upgrade to 0.7.0-rc1 immediately we strongly recommend running the following command to avoid any issues with the OPNsense system updater.

pkg upgrade os-sensei-updater && pkg lock os-sensei

The command will upgrade your Sensei updater to the latest version and also put a lock on os-sensei package so that OPNsense package update utility will not try to update Sensei.

If you also want to upgrade  to 0.7.0-rc1: Navigate to Sensei -> Status -> Check Updates, and you’ll be guided to upgrade to 0.7.0-rc1.

pS: 0.7.0-rc1 introduces several minor bug-fixes both on the updater and the UI. If we do not hear any issues, we’ll hopefully release 0.7.0 in the coming week.

ppS: Thanks to increasing number of Sensei beta users, it looks like we need to increase bandwidth for Sensei Updates server (updates.sunnyvalley.io). Cool indeed  ;) This will be done in the following weeks. In the meantime, if you encounter slowdowns while installing / upgrading, we’d very much appreciate your understanding.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on November 25, 2018, 08:54:10 am
Sounds fantastic! Good to see the adoption rate increasing at a healthy rate. I did encounter this error but it seems you are already aware of the issue:


***ERROR: Indices could not be created! Reporting may not work***



Is there a temp workaround? I assume uninstalling the package and reinstalling would work?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 25, 2018, 05:59:44 pm
Hi @samsonmcnulty

Yep, that would work.

Can you run the following commands. Basically it'll uninstall & install sensei

service eastpect onestop
service elasticsearch onestop
pkg delete elasticsearch5
pkg delete os-sensei
rm -rf /var/db/elasticsearch/nodes/*


You can also do that by selecting "Uninstall elasticsearch & Remove elasticsearch data" options while uninstalling from Web UI.

then to re-install it:

pkg install os-sensei

Sorry for the inconvenience.

One question: did that happen after you've done an OPNsense 18.7.8 upgrade? We're aware of this problem & hopefully fixed.

I wonder if there are other cases.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dragon2611 on November 25, 2018, 10:05:50 pm
I'd like to try sensei but I suspect i'd run into problems with lack of RAM and also I have an opensense HA pair with one physical and one virtual (KVM) so I think i'd run into the KVM/VIRTIO issue.

I'm wondering if I'd be better off starting another virtual firewall and stuffing it in the traffic path for the machines i'd want to put behind sensei.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 26, 2018, 02:38:53 pm
Hi @dragon2611,

Good idea :) Let us know if you encounter any issues. On the virtual FW, you can use E1000 as network the adapter type:

https://guide.sunnyvalley.io/sensei/support/faq#can-i-run-sensei-on-a-virtualized-environment-like-proxmox-virtualbox-kvm

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on November 27, 2018, 07:42:10 pm
Hi, Sunnyvalley.

The first hit and miss: try to block youtube used via google chrome...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 28, 2018, 05:56:32 am
Hi @Antaris,

Thanks for reporting this.

It's because of QUIC: Google's new protocol suite, a replacement for TCP + TLS + HTTP/2. Chrome defaults to QUIC when you browse Google services. Other browsers use TCP so Sensei is be able to identify & block.

Sensei is able to identify QUIC, though its detailed protocol parser is under development. When we're done with it, it'll be able to identify protocols which are transported through QUIC. We hope to have it with 0.8.0 release.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 29, 2018, 04:03:49 pm
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47488#msg47488 :

If you got stuck in Sensei Configuration Wizard,  here is a quick fix for you:

open /usr/local/sensei/scripts/installers/opnsense/18.1/sensei-init.sh file with an editor, and locate this part. It should be line 64.

if [ "$INDICES_COUNT" -lt 6 ]; then

Update this line to read like:

if [ "$INDICES_COUNT" -lt 5 ]; then

Save the file and re-run the configuration wizard.

0.7.0-rc2 will come with a more intelligent provisioning script which will try to diagnose any inconsistencies with the backend database and try to fix them automatically.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2018, 02:22:27 am
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47653#msg47653

We've decided to merge some of the code from the QUIC branch to 0.7.0.

Looks like we have a working app identification & filtering for applications running through QUIC :) e.g. Google Services + Chrome browser.

Update will be introduced with 0.7.0-rc2.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 01, 2018, 11:16:31 am
Dear Sensei users,

An update to: https://forum.opnsense.org/index.php?topic=9521.msg47653#msg47653

We've decided to merge some of the code from the QUIC branch to 0.7.0.

Looks like we have a working app identification & filtering for applications running through QUIC :) e.g. Google Services + Chrome browser.

Update will be introduced with 0.7.0-rc2.

Thanks guys, looking forward to it. Can we hope for an optimisation to reduce hardware requirements, especially about RAM?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 01, 2018, 10:36:03 pm
Hi @Antaris,

Many thanks for bringing this into our attention. Looks like with 0.7.0-rc2, Sensei is one of the first in the industry to offer granular control for QUIC based applications.

Currently, big vendors are advising to completely block QUIC protocol, thus forcing browsers to fall back to TCP+TLS. This is slower.

As for memory requirements, actually yes. We're planning a limited reporting option, which will require way less memory than we require today. This will still provide reporting but most probably will lack some advanced features like Drill-down and per-connection details. Other than reporting, all features will be there.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 02, 2018, 08:13:37 am
when will sensei appear in opnsense as a plugin?
which hardware requirement is necessary?
Is the latest generation Atom processor (c3558) with 8 gb of ram sufficient for sensei?

thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 02, 2018, 03:15:16 pm
There is an update Engine: 0.7.0-rc2, but when trying to update it, the system returns:  "No update is available
There are no updates available for you. You are using the latest version. " and stays on 0.7.0-rc1
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 05:04:26 am
Hi @noname12123,

when will sensei appear in opnsense as a plugin?
which hardware requirement is necessary?
Is the latest generation Atom processor (c3558) with 8 gb of ram sufficient for sensei?

thx

We have a few small items left for the final OPNsense integration.  Then Sensei will be an OPNsense plugin which can installed from the OPNsense Plugins menu. If anything big does not come up, I guess we'll all be finished with them by the end of this month.

I'd expect that latest generation Atom would be ok. Might be a little bit slow to start Elasticsearch but when it warms up, it should be all fine. Crucial thing is RAM and 8GB is perfectly fine.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 05:08:21 am
Hi @antaris,

There is a small blog post coming related to that. We'll need to use the command-line updater for the rc2 update. GUI code is missing a "pkg update -f".

Can you try to update via command line?

As the root user, just run:

sensei-updater

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 07:32:42 pm
Dear Sensei users,

After testing 0.7.0-rc2 update with a few of Sensei users, it looks like 0.7.0-rc2 is ready to go.

We'll need to use the command-line updater for this update. GUI code is missing a "pkg update -f".

Login to the firewall console as the root user; and run:

sensei-updater

It'll take care of the rest, and you'll be updated to 0.7.0-rc2. You'll need to manually start the Sensei engine from Sensei->Status.

0.7.0-rc2 introduces fine grained application identification & filtering for Google Services through Chrome browser (QUIC protocol update); as well as several other reliability fixes for the sensei-updater.

If we do not see any issues reported; 0.7.0 will be finally released Thursday this week :)


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 03, 2018, 07:33:50 pm
Thanks a lot:

"Sensei has been updated successfully."

Just have to start Sensei Packet Engine manually...

It's runnig as guest on Proxmox btw...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2018, 07:38:10 pm
Hi @antaris,

Glad that it went well. Thanks for the notice about starting Sensei. I've updated the message accordingly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 04, 2018, 06:25:33 pm
Do i miss Web 2.0 controls and TLS Visibility menus as seen on advertisement video?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2018, 03:12:55 am
Hi @Antaris,

Web 2.0 Controls / Cloud Application Controls depend on port agnostic TLS Inspection functionality. TLS Inspection will be made available with Sensei Premium Edition.

Should you like to give an early try, I'll be happy to provide a trial license for you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 05, 2018, 05:19:01 pm
It's too early i guess, and my Sensei is not ot production enviroment. When it's ready and the prices are known, will give it a try in one of the schools that i support. I can test it in network with up to 1500 devices and 1gbps symmetrical internet.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 06, 2018, 03:31:44 pm
Hi @Antaris,

Sounds great. Will get back to you when we have more progress with that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 07, 2018, 01:21:42 pm
Hi, I just reinstalled the OPNsense and trying to install the Sensei plugin but script is timing out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 07, 2018, 03:22:29 pm
Hi @manjeet,

Update server is operational again.

Make sure you're following the latest install instructions:

https://guide.sunnyvalley.io/sensei/getting-started/setup

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 10, 2018, 08:10:17 am
Thanks. It is installed and working.

I still have one same issue as mentioned before.. In "Table of Local Assets" and "Table of Remote Hosts" i only see 10 devices / hosts. I have changed criteria to volume, time interval 24 hours. I have also checked it by increasing settings. I am currently running more then 30 devices. So is there a limit on no of showing hosts or anything ?? I need to provide bandwidth usage (upload / download / total) reporting of all the devices in network daily basis. Any other way to do so ??
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 04:02:06 pm
Good evening,
we can filter the site in safesearch " picture "
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 06:15:16 pm
Hi @manjeet,

Glad that installation went smooth.

Thanks. It is installed and working.

I still have one same issue as mentioned before.. In "Table of Local Assets" and "Table of Remote Hosts" i only see 10 devices / hosts. I have changed criteria to volume, time interval 24 hours. I have also checked it by increasing settings. I am currently running more then 30 devices. So is there a limit on no of showing hosts or anything ?? I need to provide bandwidth usage (upload / download / total) reporting of all the devices in network daily basis. Any other way to do so ??

Ah, now I see what you're trying to accomplish. All charts on the report tabs will show top 10 records. For table reports, I guess we can put an option to provide the full list.

Stay tuned. We'll pass an update.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 06:19:32 pm
Good evening,
we can filter the site in safesearch " picture "

Hi @sagem2004,

I don't think I was able to fully understand the question. Can I request that you rephrase it?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 06:41:06 pm
can have blocked pornographic images via safesearch

exemple : https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing

Merci.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Misant on December 10, 2018, 07:27:49 pm
Installed Sensei today on a Qotom. seems to be working fine. Setup is just for a small household with me and my girlfriend, but we are going to expand to a dog and 2 kids. So torture tests will have to wait for some time.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 09:15:03 pm
Hi @sagem2004,

Thank you for the clarification.

Google Safesearch enforcement is in Sensei's short-term roadmap. Should arrive with Sensei 1.0, which is the first production release for Sensei (ETA Q1 2019).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2018, 09:16:33 pm
@Misant, Good to hear that :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sagem2004 on December 10, 2018, 09:34:59 pm
Hi @sagem2004,

Thank you for the clarification.

Google Safesearch enforcement is in Sensei's short-term roadmap. Should arrive with Sensei 1.0, which is the first production release for Sensei (ETA Q1 2019).

very Good news thank you :) :) :) :) :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 11, 2018, 11:12:54 am
Thanks for it..

Hi @manjeet,

Glad that installation went smooth.

Thanks. It is installed and working.

I still have one same issue as mentioned before.. In "Table of Local Assets" and "Table of Remote Hosts" i only see 10 devices / hosts. I have changed criteria to volume, time interval 24 hours. I have also checked it by increasing settings. I am currently running more then 30 devices. So is there a limit on no of showing hosts or anything ?? I need to provide bandwidth usage (upload / download / total) reporting of all the devices in network daily basis. Any other way to do so ??

Ah, now I see what you're trying to accomplish. All charts on the report tabs will show top 10 records. For table reports, I guess we can put an option to provide the full list.

Stay tuned. We'll pass an update.

I do not how it calculate the top 10 but i think you have an issue here.. I was looking at "Insight" for current network usage and find out that one of the system has consumed 4GB of data since morning. I checked it in Sensei and it showed the same 4GB data usage for that IP.

But when i checked the top 10 list in "dashboard" and in "reports" (No filters, cross-checked) (it showed me that same report), this IP with 4GB usage was not there. Even some other IPs which Insight showed were not also there.

It showed me list of top 10 which i think is better match with the last night usage but not since this morning. Its been 6 hours and i do not see those IP in this list.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2018, 03:58:09 pm
Hi @manjeet,

I see. Let's dig deeper. Can you reach us through sensei -at- sunnyvalley.io?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 11, 2018, 04:17:14 pm
Hello, mb

Is there a way to clear all the logs in Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2018, 08:52:23 pm
Hi @cgwork,

Use the following two scripts to delete and re-create all reporting indices:

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


This will be also a Web UI menu item with the upcoming Sensei update (0.7.0-rc3).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 12, 2018, 04:35:05 pm
Hi @cgwork,

Use the following two scripts to delete and re-create all reporting indices:

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


This will be also a Web UI menu item with the upcoming Sensei update (0.7.0-rc3).

Awesome Thank you ... also have you thought of getting the reports to be printed or converted to .pdf format? i also noticed when i get the emails and "click to download and view the detailed reports" are blank see attachment. Did i miss an check in the box so i get them? I'm currently selected only Sessions but it would be nice if i could get all of them or select the once i would like to have.

Thank you again for the hard work.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 13, 2018, 02:37:55 am
Hi @cgwork,

You're all welcome. We had introduced PDF export previously.  It's being re-worked and will be available shortly.

You shouldn't receive an empty html file. Looks like a problem. Can you share which e-mail provider you are using? It's been tested with major ones like Gmail & Outlook. Let's try with yours.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 13, 2018, 01:53:12 pm
sure i'm using gmail for this setup
Title: Re: Sensei on OPNsense - Application based filtering
Post by: kagou on December 13, 2018, 02:06:17 pm
Hi. I'v some problems with sensei (look at the picture).
I'v tried first with my system but after some problems i'v rebuilt my interface assignments, removing bridge system.
Now i'v a WAN/DMZ/WIFI/LAN on my 4 ethernet ports.
I'v stoped and used the "You can restore all Sensei packet engine configuration to their original defaults by clicking 'Reset' button."
Set just ma LAN to be supervised, but look at the picture
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 05:51:11 pm
Hi @kagou,

Looks like a problem with the backend indexes.

Can you try these if they fix the problem?

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


It it does not, can you share your /var/log/elasticsearch/elasticsearch-2018-12-13.log log file to sensei - at - sunnyvalley.io ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 06:45:57 pm
Hi @cgwork,

sure i'm using gmail for this setup

Gmail should be fine. Can you forward the email to sensei - at - sunnyvalley.io ? If you can forward as an attachment, that'd be perfect.

Are you using Gmail through a browser, or through an email client?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 06:53:21 pm
Update to @manjeet's post: https://forum.opnsense.org/index.php?topic=9521.msg48451#msg48451

Spotted the problem. A typo avoided reporting criteria to be reflected for some reports.

Fix should arrive with 0.7.0 release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 14, 2018, 07:15:33 pm
Dear Sensei users,

We know you’re looking forward to seeing 0.7.0 release. We also do indeed.

Yet, we decided to ship another release candidate before the actual release because some updates to the code base might have more impact than we originally planned. These code updates are preliminary work related to an effort to minimize external library dependencies and compiling Sensei engine as a Position Independent Executable (PIE).

Minimizing external library dependencies will allow Sensei to be able to run on embedded platforms which run on very low resources.

PIE is a nice feature which will be default for OPNsense@HardenedBSD and will provide mitigation capabilities against exploit attempts to the packet engine. (Note: PIE is not enabled yet)

So there we have 0.7.0-rc3 publicly available for you to test. This is the Changelog from rc2 to rc3:

New features (from 0.7.0-rc2 to 0.7.0-rc3).
* More lightweight core packet engine
* Option to delete all reporting data
* Mobile web browsers compatibility. You’ll be able to view Sensei reports through a mobile device.
* Prevented scheduled jobs from submitting unnecessary emails.
* HW requirements check has been made available for the UI initial configuration wizard.
* Some stability improvements. 

0.7.0-rc3 has been under testing for about a week now, but if you’re running Sensei on a more production like environment, you might want to wait till we ship 0.7.0 final release, which should arrive in a week if we do not see any issues with 0.7.0-rc3.

To update to 0.7.0-rc3, login to OPNsense UI, navigate to Sensei -> Status and click Check for Updates. You should see an update reported. Click Update to proceed with the update. Sensei updater should take care of the rest.

Best
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on December 18, 2018, 02:12:03 pm
Great News mb,

In my personal opinion RC (Release Candidate) are like the actual gold image, as it progress and other clients testing it will become better with the final release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 19, 2018, 08:08:22 am
Hello MB, I can see the option in "Table of local / remote assets" to select different top users. Can you also add another option to sort it ascending or descending so that we can check the top user in top list rather then going to the entire list to find one.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 19, 2018, 02:55:22 pm
Another idea about "Session details": give the user ability to restrict begin and end date and time fields to reduce search results to concrete time period.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 19, 2018, 07:17:09 pm
@cgwork, @manjeet, @Antaris,

Many thanks for the suggestions. Feature requests have been added to 0.8 workload. We'll do a more general re-visit to table reports. Please feel free to reach out for more ideas.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on December 19, 2018, 08:01:51 pm
a question from a maybe future sensei user:
since this elastic search module needs a lot of diskspace and sure does a lot of writing - is there a possibility to divide the installation into an "OS"-disk (binaries; usually on a SSD) and a "data"-disk (storage intensive data, lots of writes; usually on a HDD)?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 20, 2018, 12:13:10 am
Hi all,

After upgrading to version 0.7.0-rc3 none of my dashboards or reports are loading anymore

That's an error example:
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "conn_all",
        "index_uuid": "_na_",
        "index": "conn_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "conn_all",
    "index_uuid": "_na_",
    "index": "conn_all"
  },
  "status": 404
}

Any clue?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 20, 2018, 06:23:27 am
Thanks @MB for considering this.

I have an another thing to ask. I am not if that is 100% possible or is it already implemented because i did not find it in any details.

In report we can see the source address, destination address or host, app category and protocol it is used. It gives us huge information about who has download / uploaded to where and how much data, also time stamp of session etc. But i do not see any ways to check what exactly the user has downloaded. For e.g one of my user used 5GB data in one day which is used by google services and it gives us the list of when and where, but no info about what exactly which for now we have to ask the user. This could be useful because if user is downloading / uploading something not allowed to server / account which they are allowed to access then they probably will deny it.

Also can you add option to export reports (excel or pdf) including custom / filtered reports so that we can provide report to management whenever needed rather then filling mail box with auto reporting.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: maekar on December 20, 2018, 02:25:15 pm
Hi,

Is there anything special to do with VLAN?

We have interfaces tagged and untagged. When I activated Sensei and configured just a few web categories to test, everything worked well with the untagged interface but all VLAN networks lost connectivity, devices in all VLAN not even get IP address by DHCP. And the problem persisted even when I deselected those interfaces to get managed by Sensei, I had to stop it and uninstall it to get VLAN networks working again.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:38:55 pm
Hi @the-mk,

Thank you very much for the suggestion: We get this request quite many times. People who’d like to see this functionality seem to be either running on the low end - the device is very weak and lack the resources to run reporting on the device itself, or they run on the high end - throughput & number of users are quite high (>1K users) and it makes  sense to put reporting on a separate device.

In addressing this requirement, we’ll offer an option - in the initial configuration wizard - asking the user whether s/he wants the reporting on the device itself, or on a remote server.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:44:05 pm
Hi @nikkon,

Looks like alias indexes are messed up. By any chance, did you do any "reset to factory defaults" ?

We'd like to dig deeper. Can you share your /var/log/elasticsearch/elasticsearch-2018-12-19.log through sensei - at - sunnyvalley.io ?

For a workaround, you can run these two commands to reset the indexes: (beware: this will erase your reporting history)

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py


Let us know if this does not fix the problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 05:53:57 pm
@manjeet, you’re all welcome.

If the connection is clear-text (e.g. HTTP), you can see the individual downloaded files from Web Reports: Web - Table of URIs. For the TLS encrypted sessions (e.g. HTTPS), this will be possible with the all ports TLS Inspection feature - though it’s going to be available for Premium Subscriptions.

For the Table reports, development & tests have been completed, and it’s ready to ship with 0.7.0 release.
I’ve sent you a link today to try it and see if there are any more issues.

Reports - PDF export - its’ on the short term roadmap. Probably it will ship with 0.8.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 20, 2018, 06:07:27 pm
Hi @maekar,

Thanks for reporting this. Yes, we’re aware of this problem. Unfortunately part of the solution required some development on the Operating System itself (FreeBSD netmap implementation).

Good news is that hopefully it’ll be fixed with OPNsense 19.1. On the FreeBSD side, we’ve sponsored a development which fixes this and some other issues with the netmap implementation on FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=340436)

We’ve been testing the 11.2-STABLE MFC code for some time and it looks good to be finally integrated with OPNsense.

We’re working very closely with the OPNsense team on this. I’ll be posting an ETA after we sync with @franco.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 21, 2018, 02:57:34 pm
@mb thanks for replying
I did execute the 2 scripts.

please check the log below:

cat /var/log/elasticsearch/elasticsearch-2018-12-
elasticsearch-2018-12-16.log  elasticsearch-2018-12-20.log
root@Skynet:~ # cat /var/log/elasticsearch/elasticsearch-2018-12-20.log
[2018-12-20T01:05:36,849][INFO ][o.e.n.Node               ] [yCObJMR] stopping ...
[2018-12-20T01:05:36,889][INFO ][o.e.n.Node               ] [yCObJMR] stopped
[2018-12-20T01:05:36,889][INFO ][o.e.n.Node               ] [yCObJMR] closing ...
[2018-12-20T01:05:36,911][INFO ][o.e.n.Node               ] [yCObJMR] closed
[2018-12-20T01:07:19,550][INFO ][o.e.n.Node               ] [] initializing ...
[2018-12-20T01:07:19,707][INFO ][o.e.e.NodeEnvironment    ] [yCObJMR] using [1] data paths, mounts [[/var (tmpfs)]], net usable_space [1.9gb], net total_space [2.4gb], spins? [unknown], types [tmpfs]
[2018-12-20T01:07:19,707][INFO ][o.e.e.NodeEnvironment    ] [yCObJMR] heap size [1.9gb], compressed ordinary object pointers [true]
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] node name [yCObJMR] derived from node ID [yCObJMRsQcSMKeQy7KNhyA]; set [node.name] to override
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] version[5.6.8], pid[32322], build[688ecce/2018-02-16T16:46:30.010Z], OS[FreeBSD/11.1-RELEASE-p17/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_172/25.172-b11]
[2018-12-20T01:07:19,711][INFO ][o.e.n.Node               ] JVM arguments [-Xms2g, -Xmx2g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/local/lib/elasticsearch]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [aggs-matrix-stats]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [ingest-common]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-expression]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-groovy]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-mustache]
[2018-12-20T01:07:21,817][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [lang-painless]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [parent-join]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [percolator]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [reindex]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [transport-netty3]
[2018-12-20T01:07:21,818][INFO ][o.e.p.PluginsService     ] [yCObJMR] loaded module [transport-netty4]
[2018-12-20T01:07:21,819][INFO ][o.e.p.PluginsService     ] [yCObJMR] no plugins loaded
[2018-12-20T01:07:25,240][INFO ][o.e.d.DiscoveryModule    ] [yCObJMR] using discovery type [zen]
[2018-12-20T01:07:26,419][INFO ][o.e.n.Node               ] initialized
[2018-12-20T01:07:26,420][INFO ][o.e.n.Node               ] [yCObJMR] starting ...
[2018-12-20T01:07:26,927][INFO ][o.e.t.TransportService   ] [yCObJMR] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2018-12-20T01:07:30,078][INFO ][o.e.c.s.ClusterService   ] [yCObJMR] new_master {yCObJMR}{yCObJMRsQcSMKeQy7KNhyA}{QHCtod64RcOkM74GkkvW-g}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2018-12-20T01:07:30,120][INFO ][o.e.h.n.Netty4HttpServerTransport] [yCObJMR] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2018-12-20T01:07:30,121][INFO ][o.e.n.Node               ] [yCObJMR] started
[2018-12-20T01:07:30,140][INFO ][o.e.g.GatewayService     ] [yCObJMR] recovered

in Gui i got this:
Error at /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php:74 - fsockopen(): unable to connect to 127.0.0.1:4343 (Operation timed out) (errno=2)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 21, 2018, 03:01:24 pm
Hi @Nikkon,

Is this the log after you executed the delete/create scripts, or the one with the errors?

Looks like the former? Did the scripts resolve the problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on December 21, 2018, 03:16:43 pm
yes. this is before i executed both scripts
it's not solved.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 21, 2018, 05:06:43 pm
Hi @nikkon, understood. Let's do some more debugging together. I'll contact you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 23, 2018, 06:02:32 pm
Very often i see remote hosts in local table and vice versa. Is something wrong with my setups?
And sometimes i see comunication between two local ip addresses and one of them is marked as remote...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 23, 2018, 08:03:06 pm
Hi @Antaris,

Do you have multiple interfaces configured for Sensei? Are these IP addresses multicast / broadcast addresses?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 23, 2018, 10:53:34 pm
I have only LAN selected in Sensei with only one IP and no VLANs on it. The adresses are known internal hosts. Not broadcast or net addresses.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 26, 2018, 09:56:25 pm
Dear Sensei & OPNsense users,

Happy new year to all. Here is a humble new year present from Sensei team.

We're happy to announce the availability of Sensei 0.7.0 release. It was ready since last Friday, but we wanted to make sure everyone had a calm Christmas holiday, spending time with friends and family instead of doing Sensei deployments :)
 
This is the full list of features that this release brings (from 0.6.x):

1. 350+ new applications identified.
2. Google applications browsed via Chrome are now being identified (QUIC over UDP protocol support).
3. Mobile browser compatibility: you can view reports from your mobile browser
4. Reports enhancement: Data retirement option introduced. With this option you can define how long to keep your reports (days)
5. Reports enhancement: Option to erase all reporting data
6. Reports enhancement: Drill-down in Security reports is now available
7. Reports enhancement: Daily executive reports. Selected reports delivered via a daily e-mail.
8. You can easily add block/allow rules within Session Explorer based on Application and Application Category or SNI / hostname
9. User's Manual in English.
10. More deployment options for Home and Large scale users
11. Changelog between updates
12. Fixed Rebellion Theme compatibility issues.
13. Better Cloud Nodes availability
14. Better & smoother updates
15. We speak your language now, we added i18n support to match your OPNsense UI language. English and German are there for now, more coming soon.
16. Removed some large dependencies in preparation for embedded devices & PIE (Position Independent Executable) support.More performance & stability improvements.

To update your installation, simply navigate to Sensei -> Status and you should see 0.7.0 update being reported and an option to install it. If you do not see the update notification, just click "Check for updates" and you'll be guided through the update process.
 
A quick note: Although this is marked "release", Sensei is still under BETA development. We strongly advise to test the software on one of your test-beds to see if it fits your requirements. When we finally release Sensei 1.0, the BETA program will cease and the software will be publicly available for all users. We expect to release Sensei 1.0 in Q1 2019.
 
If you find any issues or you want to reach out for comments and feedback, please do not hesitate to contact us through sensei -at- sunnyvalley.io or through this forum thread.
 
Happy new year to all

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on December 27, 2018, 07:18:12 am
Thanks for the update @MB.

For Table Reports update is working as expected.

As @Antaris mentioned, i also see remote host in local table but no local host in remote table except OPNsense LAN IP which i think, in one way, is not an issue because firewall itself generates traffic for interface access etc..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 27, 2018, 09:04:14 pm
Also thanks from me for the update.

"12. Fixed Rebellion Theme compatibility issues."

In session details the headers of the columns are still with white text on white background:

https://www.dropbox.com/s/0v72em2bch0rk0q/Reb.jpg?dl=0 (https://www.dropbox.com/s/0v72em2bch0rk0q/Reb.jpg?dl=0)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 28, 2018, 01:02:32 am
Can't tell if this is a new issue or not as I only installed of of .7.0-rc3. When the packet engine is running unbound overrides are being ignored.

My nslookup results show "UnKnown" in the server spot and are forwarding my overrides to public servers.
As soon as I stop packet engine this works again.
I was able to add my root domain to the "local domain to override" section and it fixed that one issue there but I have overrides for other hosts. Am I missing a setting where Sensei is overriding DNS?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:18:43 am
Thanks for the update @MB.

For Table Reports update is working as expected.

As @Antaris mentioned, i also see remote host in local table but no local host in remote table except OPNsense LAN IP which i think, in one way, is not an issue because firewall itself generates traffic for interface access etc..

Hi @manjeet, you're very welcome. Can you share with me a screenshot of  the remote hosts table (you know my email). Would like to see how they look like. Normally you should only see local hosts behind the firewall there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:20:06 am
Hi @Antaris,

You're all welcome & thx for the pointer. We'll fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2018, 03:32:44 am
Hi @donatom3,

Actually this is an expected behavior. We're utilizing DNS override for Web Reputation & Threat Intel. Since DNS occurs before the actual connection attempt, we gather prior threat intelligence & reputation about the remote IP & host.

For a quick workaround you can disable Cloud Reputation & Web Categorization from Sensei -> Configuration. Then you'll still have reputation data for the top 1Million domains from the local database, but not for +140M :(.

We're exploring ideas to do this in parallel. This way you'll still be able to do your DNS through your DNS server and Sensei will do a parallel query for its intelligence.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 28, 2018, 05:04:55 am
@mb this is good to know.
So if I'm in an environment where I'm using Windows domain controllers for DNS to get the full effect of Sensei would I need to have the opnsense router be the DNS forwarder?

Also does this mean if I just hand out public DNS servers via DNS am I not getting the full advantage of Sensei?

P.S. I do want to add that I am liking Sensei so far.
I am still able to download at 1gbps on my i5-5250u but thinking of picking up a box that has an i5-6500.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 29, 2018, 07:29:00 am
Hi @donatom3,

For application control, dns does not play any role there, so you'll be utilizing Sensei at its full potential in any ways.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) of a possibility of using both Sensei Cloud database & local dns servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and happy with the software ;)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 02, 2019, 09:17:50 am
I tested sensei last week. after I activated it, however, access to the internet was barely possible (eg google was not available at all). since it was a productive system, I deactivated sensei for now and did not continue to use it. Nevertheless, I would like to know why it was located, how should I proceed best for analysis here?

In addition, I wanted to ask whether it is even possible, what I want to achieve: I would like an evaluation for special services (social media, online gaming, ...). Is sensei able to give me an evaluation of how much time / data was used for special services?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 02, 2019, 12:03:23 pm
Hello @MB, I need another favor from you if possible.

Can you please work with OPNsense team to add an option for Sensei "Dashboard" and "Reports" in "Assigned Privileges" for users/groups. Well, I need to create few users/group so that they can only check the reports of team assigned to them. I do not want to provide root user access level to them to avoid them poking around and change my configuration or delete any logs or data..
Title: how to work with local hostnames?
Post by: the-mk on January 02, 2019, 07:45:19 pm
I finally decided to install Sensei on my box with several network interfaces.
I also have some servers running at those interfaces where I configured different hostname suffixes (configured with dhcp reservations and the checkbox to register the names in unbound dns). i.e. server1.lan, server2.home, server3.iot,...
before running sensei I was able to resolve all hostnames fine.
I guess the setting "local domain name to exclude" in the cloud threat intel tab has something todo with it? tried to enter here one servername for testing - did not work for me... is saving the setting enough or do I need to restart something?
how to tell sensei to honor local servernames when tried to resolve local hostnames?

EDIT: after reading the post of donatom3 and the suggestion of mb to turn off cloud threat intel I can resolve my local hostnames again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 03, 2019, 06:54:05 am
the-mk,

In my case I left that feature turned on. All I did is put my domain in the local domain section of the cloud threat intel section.

Now my local domain is ad.xxxx.com, but I have entries for domain xxxx.com, so I put in xxxx.com into the local domain and all subdomains are passed through correctly to my custom names in unbound.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 03, 2019, 07:21:25 am
@manjeet,

This is a cool feature request. Thanks. Added to roadmap.

A quick note on remote IP addresses on "local assets table": We've had a look at the screenshots. 169.254.x.x is actually a local ip address. Your PC is automatically assigned an IP address, if it cannot get an IP address from a DHCP server. More on this: https://www.techrepublic.com/forums/discussions/where-did-ip-16925451183-come-from/

Screenshots show that some PCs (or a PC) wanted to communicate with the outside world, but it did not get any replies (Incoming packets all zero).

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 03, 2019, 11:00:29 am
Thanks @MB and Thanks for the update.

Can you also add one option in reports for looking a live reports without manually refresh time. When in Dashboard / Reports -> Filter (Reports Interval) -> When selecting Custom interval there is "Start time" and "End time".

It will be great if you can add another option or select box there to select "End time" as ongoing.

For e.g: If i want to see current reports from a specific time let says since morning and wants to check the reports after every 10 or 15 min gap then every time i have to select the option "Go to today" in End time. It would be better if there is an option as ongoing which will automatically change time in some specific interval of time or select "refresh interval" as time to refresh and update the time in 'Reports Interval"
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dp on January 03, 2019, 08:02:06 pm
I see that shaping at layer 7 is on the roadmap for sensei. Is there any time table on that feature? Has it even started? I am looking to use it in a 1500-2000 user environment to replace some aging equipment if it is slated for the near future.

Also I have several ideas that I would like to see implemented as I have used application shapers for over 10 years in our environment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2019, 06:09:15 am
@manjeet, you're right. They are already in the workload for 0.8 ;)

Hi @dp, correct. Shaping is on the roadmap. Our plan is to feed the currently existing shaping infrastructure on OPNsense. Sensei development is quite booked with IPv6 support nowadays. Though, you should see it implemented like Q2 or Q3 2019. We'd like to keep in touch about ideas on that ;)
Title: Sensei on OPNsense - Cloud Node Status
Post by: lmwalker71 on January 04, 2019, 07:44:40 pm
Under Cloud Node Status, The Nodes are always showing Down, with a count down runs with a 'Check Now" button. If the count down runs its cource the status changes to up for about 15 seconds or if I click 'Check Now' is this the normal??? :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2019, 08:01:18 pm
Hi @lmwalker71,

Not quite ;)

If you're based in USA, make sure you have the "US - Central" Cloud nodes checked & in green color (Sensei -> Configuration -> Cloud Threat Intelligence). (If in Europe, Europe nodes should be active)

If that's already the case, can you reach out to us through sensei - at - sunnyvalley.io so that we can dig deeper together?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 09, 2019, 09:26:35 am
Services are randomly (?) stopping.

I read somewhere that services will stop, when there is less performance, to save power for opnsense native tasks, but I run Sensei on a Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (8 cores) with 24 GB ram which should be quite enough power.

Since I have lacp interfaces for lan (lagg0) and wan (lagg1), each with 2x1g and vlans on lan interface and due to some remarks in this thread that vlans are not supported yet (due to FreeBSD netmap) and will be fixed with OPNsense 19.1, I added an additional, plain interface and just connected 1 pc.

Then I added this single interface with 1 pc as protected interface in Sensei. I even reduced the deployment size from x-large (what I would need if vlans would work) to small in hope that memory footprint will be reduced (actually just 1 user/pc is connected).

But the packet engine still stops randomly. I blocked shopping categories to verify whether engine is just shown as stopped or really stopped. And it is really stopped, since I can open shopping page when service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or dashboard, I get a pop-up that ElasticSearch service has to be started first and whether I want this. When I deny and check status page, then both services are down - means whenever packet engine stops, ElasticSearch stops, too.

Any hints what could be the reason for the stopping services.

The service crashes pretty soon. 1-2 minutes after starting up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 09, 2019, 09:52:04 am
Quote
I tested sensei last week. after I activated it, however, access to the internet was barely possible (eg google was not available at all). since it was a productive system, I deactivated sensei for now and did not continue to use it. Nevertheless, I would like to know why it was located, how should I proceed best for analysis here?

In addition, I wanted to ask whether it is even possible, what I want to achieve: I would like an evaluation for special services (social media, online gaming, ...). Is sensei able to give me an evaluation of how much time / data was used for special services?

currently sensei works with deactivated cloud threat intel.
Unfortunately, "Egress New Connections by APP Over Time" and "Egress New Connections by Source Over Time" show no data:"no egress new connection" what do I have to configure to make it work?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 09, 2019, 03:56:00 pm
Hi @jinn,

Thank you for giving Sensei a try. I see your quoted message did not get response. Sorry for that. I looks like we missed it.

I guess you've been able to figure out the first part yourself. But I wonder why Cloud Threat Intel did not work for you. I'll write to you about this.

For reporting about application categories, yes you can do it. I guess you've started using it.

As for the egress connections report does not show anything. Is it just a single report or all reports which shows egress connections (i.e. local assets, remote assets, eggress conns by source ) do not show anything at all.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 09, 2019, 04:34:43 pm
But the packet engine still stops randomly. I blocked shopping categories to verify whether engine is just shown as stopped or really stopped. And it is really stopped, since I can open shopping page when service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or dashboard, I get a pop-up that ElasticSearch service has to be started first and whether I want this. When I deny and check status page, then both services are down - means whenever packet engine stops, ElasticSearch stops, too.

Any hints what could be the reason for the stopping services.

The service crashes pretty soon. 1-2 minutes after starting up.

Hi @hbc,

Thanks for reporting this. After services stop, and when you look at Status-> Services page, do you also see that both services are disabled at boot time?

If yes, most probably this is because Sensei's Health Check subsystem. Because Sensei is in BETA now, checks are more sensitive to problems. Even if it finds a small problem it disables both services in an effort to keep  network connectivity up & running.

Can you try disabling Health Check and see if services are running persistently?

If they do and it turns out because of Health checks, I'd still recommend investigating this. While running Sensei & ES, can you do 'top' on OPNsense console and see if any processes (not necessarily Sensei (eastpect) processes) are consuming much CPU/Memory?

Performance-wise, your system looks pretty decent. We've been reported a similar system handling 700 concurrent users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 10, 2019, 07:52:01 am
Hi @mb,

you are right, I just set ElasticSearch to start on boot and left packet engine disabled for auto-start. I'll try to set both to start on boot.

But I already had try with health check disabled and after a while, no traffic passed at all. But I'll re-check it again.
First with both starting on boot and then with health check disabled.

Update:
The start on boot was not the reason. Whenever packet engine stopped for unknown reason, the option was automatically disabled. I tried it 3 times and reenabled start on boot. But within 5 minutes service stopped again.

As next option I disabled Health Check. Currently the service runs for 20 minutes which is 4 times longer then ever before. I'll keep an eye on it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 11, 2019, 02:38:11 am
Hi @hbc,

Thank you for further information. Let us know if anything weird comes up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on January 11, 2019, 07:50:52 am
Hi @MB, I had a similar issue for "Sensei Packet Engine" stops within 5min everytime I enable it. It didn't fix with the reboot as well. But since "health check" is disabled (its been more than 24 hours and reboot few times), service is running without an issue.

I only faced this issue after updated OPNsense to 18.7.10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 11, 2019, 01:47:37 pm
hey mb, ty for reply!

Quote
For reporting about application categories, yes you can do it. I guess you've started using it.

Not yet. At least not as detailed as I would like (facebook, online shopping, ...)


Quote
As for the egress connections report does not show anything. Is it just a single report or all reports which shows egress connections (i.e. local assets, remote assets, eggress conns by source ) do not show anything at all.

in fact, several do not work: Egress New Connections by App Over Time, Egress New Connections by Source Over Time, Egress New Connections Heatmap, Top Destination Locations Heatmap, Table of Apps (maybe this one is what im really looking for?), Table of Local Assets, Table of Remote Hosts
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on January 11, 2019, 02:59:16 pm
Good Morning, mb

is it possible to incorporate and additional "TAP" for  Hostname in your tab-bar see picture attachment
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on January 13, 2019, 10:25:38 pm
What are the plans between sensei and opensense? it will be embedded in opnsense or it will be available as a pluging at some point?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 14, 2019, 06:09:04 am
@hbc, @manjeet: thanks for your update. We're fine-tuning health check auto-bypass.

@cgwork, how about this: likewise destination hostnames, the default will be hostnames for source addresses, and when you move the mouse over the src hostname field, IP address is displayed as a tooltip. Adding another column would make the table more crowded. We'd like to use the space allowance for the new-coming "username" column.

@jinn, are you running Sensei on your LAN? Any chances that it might be on your WAN interface?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 14, 2019, 06:13:58 am
What are the plans between sensei and opensense? it will be embedded in opnsense or it will be available as a pluging at some point?

Hi @l0rdraiden,

It'll be a plugin.

Currently, we're working together to address some issues related to netmap (e.g. virtio). Once it's done, whole integration will be completed, and you'll be able to install it from OPNsense plugin manager.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgwork on January 14, 2019, 07:17:53 pm
Quote
@cgwork, how about this: likewise destination hostnames, the default will be hostnames for source addresses, and when you move the mouse over the src hostname field, IP address is displayed as a tooltip. Adding another column would make the table more crowded. We'd like to use the space allowance for the new-coming "username" column.

That sound even better thank you
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsenseN00b on January 15, 2019, 09:36:30 am
Hello there,
Shortly I've registered on the beta program to obtain the required Downloadlink but ssh is rejecting the provided download link after I login into opnsense. The link is slithly different than in the tutorial.
Could you update the Installer-URL please. Many thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jinn on January 15, 2019, 09:39:33 am
@jinn, are you running Sensei on your LAN? Any chances that it might be on your WAN interface?

it is currently on LAN. The WAN interface is not displayed to me under available interfaces.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 15, 2019, 02:45:44 pm
Hi @OPNsenseN00b,

The command to install Sensei is:

curl https://updates.sunnyvalley.io/getsensei | sh

I checked again. It should be the same both Users' guide (https://guide.sunnyvalley.io/sensei/getting-started/setup) and Website.

Can you copy/paste the error message you get when you run the command on the OPNsense console?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 15, 2019, 02:46:48 pm
Hi @jinn,

Got it. Will send you a few commands to diagnose the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsenseN00b on January 16, 2019, 02:04:57 pm
Hi mb,
Thanks for your respnose. This time the firewall comes with the message of not having enough memory (8GB required, I have only 4 GB). Yesterday it said something different. I'll come back to you when I can replicate the previous error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 17, 2019, 06:45:10 am
Hi mb,
Thanks for your respnose. This time the firewall comes with the message of not having enough memory (8GB required, I have only 4 GB). Yesterday it said something different. I'll come back to you when I can replicate the previous error.

8GB is currently required to run Sensei. It checks for that when you first initialize it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xames on January 17, 2019, 02:18:41 pm
ssl_error_syscall

I attach
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 17, 2019, 06:33:08 pm
ssl_error_syscall

I attach

Hi @xames,

Looks like everything is ok on the server side. Can you try with fetch:

# fetch https://updates.sunnyvalley.io/getsensei
# sh getsensei


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on January 27, 2019, 10:18:35 pm
Hi,

I have Sensei running on my OPNsense and I wondered why big part of the traffic did not show up and I see in the FAQ that IPv6 support is still work in progress.

Do you have an ETA for that feature already?

Thanks and looks great so far!

Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 28, 2019, 09:16:05 pm
Hi @Space,

Many thanks for trying Sensei. Yep, 0.7 is IPv4 only.

Good news is that IPv6 will be coming very shortly with 0.8. It's been under testing for the past months. Looks like it's good to go for a test ride by BETA users.

We'll ship 0.8-beta1 this week or early next week :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2019, 10:20:23 am
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520 (https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 02, 2019, 10:27:54 am
Hi @Antaris,

Thanks for reporting this. Looking into it now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 02, 2019, 11:24:53 am
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520 (https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520)

Looks like there was a typo in that command. Correct command should be: (from https://forum.opnsense.org/index.php?topic=11400.msg51521#msg51521)

For OpenSSL:

# opnsense-update -fp -n "19.1\/latest"

Or LibreSSL:

# opnsense-update -fp -n "19.1\/libressl"



Just did an OPNsense 19.1 upgrade on two of our firewalls. Looked good. 

Anyone who had any other issues upgrading to 19.1 ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 04, 2019, 09:08:21 am
Quote
Anyone who had any other issues upgrading to 19.1 ?

Update did not work with sensei nor without. Update started and just installed two kernel/base files, then restarted with 18.7.10. Even when sensei was uninstalled, update did not work. I tried GUI and console.

So I saved config, installed 19.1 clean from image and restored backup and reinstalled sensei.

Now with 19.1, sensei finally works with tagged vlan interfaces  8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 06, 2019, 02:55:31 am
Hi @hbc,

Thanks for sharing you experience. We're looking into the upgrade problem if it's something related to Sensei repository.

Glad to see that you're enjoying it now :)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 06, 2019, 02:23:14 pm
Yes, works pretty nice. Just the cloud nodes seem a bit flappy. Most time at least one is displayed down.

One hint:

Traffic to local squid proxy on port 3128 is categorized as "Generic TCPIP". I think it is intention that not labeled as 'Proxy' which would properly cause problems when blocking 'Proxy' category.

But maybe you can label it category 'Web Browsing', application 'Squid Proxy'
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2019, 02:43:32 am
Hi @hbc,

Thank you very much for the feedback. With regard to Cloud servers, we have a fix for that in 0.8.

Thanks for the suggestion. You're right, and suggestion sounds good ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2019, 05:48:33 pm
Dear Sensei users,

Regarding https://forum.opnsense.org/index.php?topic=11477.0;

To be able to utilize the new functionality that comes with the new netmap - enabled kernel, we'll need to ship Sensei 0.8-beta1 which will re-enable virtio interfaces.

Actual ETA was this week. Still working on a few issues reported. Stay tuned for updates. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 12, 2019, 10:28:26 am
Hi!

Quote
utilize the new functionality that comes with the new netmap - enabled kernel

One question. I had opnsense 19.1 (fresh install) active with shipped kernel and tagged vlans already worked in sensei (what they did not with 18.7). I assume the new c4ec367c3d9(master) kernel is just for virtio interfaces?
Well, I updated kernel and it still works.

Will there ever be the possibility to set different policies for different interfaces? I have interfaces where I would like to be more restrictive and just allow productive things and interfaces where social media, gaming, etc. would be ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 13, 2019, 02:38:07 am
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 13, 2019, 09:42:35 pm
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.

My advice is to consider exchange "Source Interface/Network Address/IP Address/VLAN/" for volume of users above 1000 or so... It's vital for usability and development at all IMHO.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 14, 2019, 03:22:24 am
@Antaris, Thanks for your input. We'll definitely make use of your feedback.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Kruemel on March 01, 2019, 11:39:29 am
Hi,

greetings from germany.  :)
Great so see such a powerful addon for OPNSense. It was the reason to migrate my APU2C4 to VMWare on HPE ProLiant Xeon CPU, to fulfill the Sensei requirements.

However, it's working great. But I miss a feature: If something is blocked, it's just not loading, right? But the user is not aware, if it's a not working webpage (or parts on it) or if it's blocked. It would be great, if Sensei delivers some kind of block page, something like "This page has been blocked - block category is xxx. Please contact abc@def.de for further information".

Did I miss something in the settings or this feature currently missing?

Keep on the good work!
Cheers
Marco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 02, 2019, 02:38:46 pm
Hi Kruemel,

From Sunnyvale, California, greetings to you too :) Glad to hear that Sensei is of value to your OPNsense installation. Many thanks for sharing your experience.

We hope to bring some news with regard to less demanding hardware requirements. We're planning to employ an alternative less resource-intensive database engine for reporting.

Quote
But I miss a feature: If something is blocked, it's just not loading, right?

Yep. This is so because, your Sensei policy configuration hits a TLS SNI or application rule. TLS and some app detection jump into the scene way too early before the HTTP protocol starts being conversed back and forth between your browser and the server. 

So when we decide that we need to apply filtering, neither server nor client does not yet know how to talk HTTP. They just know how to talk TCP. This is why we just do a TCP RST, and you see a blank page in your browser.

We'll have a feature called "delayed action" (requires TLS inspection) where we'll flag a particular connection as being blocked and will let them talk a little bit more so that they can handle a HTTP response. As soon as we get a HTTP request from the client, we'll send the landing page and just close the connection at that particular time.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: astoklas on March 03, 2019, 10:27:51 am
Hi,

I just installed Sensei on my OPNsense and I think it's working great.
I found in the dashboard an interesting "HotSpot" I'd like to investigate further. However, the "Top Destinations Locations Heatmap" does not allow for a Drill Down, nor is there a geo location filter available.

Can you please advise on how to investigate on such hotspots?
Is it possible to retrieve DNS/IP for a certain geo location hotspot?

Regards
Alexander
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 06:46:19 am
@astoklas,

Many thanks for the feedback. Currently, drill-down is not possible with the map. We'll take this as a feature request. Will get you updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 06:56:07 am
Dear Sensei users,

After several months of field testing, we are super happy to announce the availability of Sensei 0.8.0 Beta.

Release 0.8 introduces long awaited support for IPv6 and virtual ethernet adapters. Below is the full list of features that are coming along with this release (from 0.7.0)


For more information: https://www.sunnyvalley.io/blog/sensei-0-8-beta1-is-released

Currently we're shipping 0.8.0 beta1 from a separate package repository. So, if you are on 0.7, you'll not be able to see the software update as of now. When 0.8.0 rc1 is released, we'll move the packages to the main repository and you'll then be able to update to 0.8.0.

The reason behind this is that we want to allow 0.8.0 a bit more field testing before we make it an update for 0.7 stable users.

ETA for 0.8.0.rc1 is March 18, 2019.

If you don't want wait and want to see 0.8 in effect now, just uninstall Sensei from the UI and use the following one-liner command to re-install:

# curl https://updates.sunnyvalley.io/getsensei8 | sh
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 04, 2019, 08:46:19 pm
Thanks, mb, and keep up with good work!

Is "VLAN child interfaces support *with OPNsense 19.1.x" means that filtering on VLANs work without netmap kernel?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2019, 09:15:24 pm
Hi @antaris,

Many thanks. You're correct. It looks like FreeBSD 11.2 default kernel had some fixes with regard to that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 06, 2019, 06:45:49 am
I'm having a problem where elasticsearch won't start after a reboot. I have to clear the settings completely and re setup sensei to get elasticsearch to start.

Just seeing the below in the general log.

Code: [Select]
root: /usr/local/etc/rc.d/elasticsearch: WARNING: failed to start elasticsearch
This is in the backend log and it keeps adding to it.
Code: [Select]
Mar 5 21:44:55 configd.py: [7d62e2b1-bcce-48d3-a80b-4b665aed6cb4] read sensei stats
Mar 5 21:44:54 configd.py: [a4351d00-f929-466b-a18d-1752f72e0a8c] read sensei stats
Mar 5 21:44:53 configd.py: [40ea2e8d-6574-4662-a135-a4c817bf7f0c] read sensei stats
Mar 5 21:44:52 configd.py: [86399ab0-e991-4493-b62f-d6a2b29d88b3] read sensei stats
Mar 5 21:44:51 configd.py: [b8bfc148-83a2-407f-91d3-7091c77b7832] read sensei stats
Mar 5 21:44:50 configd.py: [baf1dddc-39c6-49e4-aad3-f6d87d29a0da] read sensei stats
Mar 5 21:44:49 configd.py: [f08d4d14-f236-4d25-8011-8b25a848eeec] read sensei stats
Mar 5 21:44:48 configd.py: [571d2e9b-d0cb-402c-b5ac-8bf7ff72d811] read sensei stats
Mar 5 21:44:47 configd.py: [e77883ce-8f8b-4a2b-aebb-7c4125ed7e17] read sensei stats
Mar 5 21:44:46 configd.py: [18dd5adf-9437-4e15-90ba-1ee6e08c4bff] read sensei stats
Mar 5 21:44:45 configd.py: [105c9ddc-960b-4bff-98fa-3e202c9ac49e] read sensei stats
Mar 5 21:44:44 configd.py: [87cb6f2f-e3ca-42b0-8040-4cfacd647de8] read sensei stats
Mar 5 21:44:43 configd.py: [4228579b-7e43-4138-8ea8-414fc9ec1c1a] read sensei stats
Mar 5 21:44:42 configd.py: [a755740c-45d8-438c-99e4-a232bd02c661] read sensei stats
Mar 5 21:44:41 configd.py: [024f64e4-2fa6-4558-8482-d8330cbc7742] read sensei stats
Mar 5 21:44:40 configd.py: [327c339b-b0b2-484c-92f9-3c9e9364820e] read sensei stats
Mar 5 21:44:39 configd.py: [396bb45c-c1f1-4728-91d0-e33bbcaea1f5] read sensei stats
Mar 5 21:44:38 configd.py: [d6b674d1-dd2f-494b-927d-ad55791063e4] read sensei stats
Mar 5 21:44:37 configd.py: [40338097-db55-4b60-b45f-877a1ae76b7c] read sensei stats
Mar 5 21:44:36 configd.py: [304857d4-7d26-45aa-ae75-6c520958fba9] read sensei stats
Mar 5 21:44:35 configd.py: [13675e7f-5dc6-4457-b5c9-c4b4c21e8a58] read sensei stats
Mar 5 21:44:34 configd.py: [4f0f6ae9-f39f-48ae-a799-876c86cb3164] read sensei stats
Mar 5 21:44:33 configd.py: [f4a1bb7f-8d12-47bd-b7d3-403d159450b4] read sensei stats
Mar 5 21:44:32 configd.py: [9c67445c-4ffe-444e-ba3c-a5f444ffbf21] read sensei stats
Mar 5 21:44:31 configd.py: [1cfc4b5a-c263-4240-b627-938197d72afe] read sensei stats
Mar 5 21:44:30 configd.py: [adbefd78-9c10-45e9-9cad-8d6495388773] read sensei stats
Mar 5 21:44:29 configd.py: [ad4176d3-1c8a-4890-a90c-c9b734979673] read sensei stats
Mar 5 21:44:28 configd.py: [22ff41e4-fc8f-4ba7-9f27-63d6c2b23b7e] read sensei stats
Mar 5 21:44:27 configd.py: [1fe553d1-06c5-4db6-b950-7a71e5af7bd4] read sensei stats
Mar 5 21:44:26 configd.py: [c3252f98-b238-448a-af02-d311a6f75e49] read sensei stats
Mar 5 21:44:25 configd.py: [09153632-0bff-46ad-ad98-c45319cd5ff8] read sensei stats
Mar 5 21:44:24 configd.py: [0bbec0b1-6e86-4930-a57c-f57be9e83008] read sensei stats
Mar 5 21:44:23 configd.py: [dcf30e51-763b-4df9-9f53-239615912384] read sensei stats
Mar 5 21:44:22 configd.py: [49c214e7-9b60-44c8-9ded-b22ac257f02c] read sensei stats
Mar 5 21:44:21 configd.py: [463b3e7f-c8d6-48ae-8064-08a414fa7e5d] read sensei stats
Mar 5 21:44:20 configd.py: [6ead17e8-53b9-48aa-a6b7-a644d5f170d2] read sensei stats
Mar 5 21:44:19 configd.py: [12378048-9b6d-4c5c-852d-6575fab78706] read sensei stats
Mar 5 21:44:18 configd.py: [bc415b0c-fe6c-404e-a5fb-a99e6b2646bc] read sensei stats
Mar 5 21:44:17 configd.py: [2b46da7d-1325-4e1c-aba0-20bc12e7e4b3] read sensei stats
Mar 5 21:44:16 configd.py: [720bebee-2387-4735-b794-085b94f5b505] read sensei stats
Mar 5 21:44:15 configd.py: [829b4c54-6629-4ae1-81fc-5a3255ba1c91] read sensei stats
Mar 5 21:44:14 configd.py: [80d84ec1-5cee-4f60-9290-bcaba50a351d] read sensei stats
Mar 5 21:44:13 configd.py: [6b233cd4-81d2-4569-99f6-2989332cb14b] read sensei stats
Mar 5 21:44:12 configd.py: [31706105-d805-41bf-b201-8f75e72fe5b3] read sensei stats
Mar 5 21:44:11 configd.py: [e0f1c395-db7e-4ee1-bdd7-e20ee8ff1dfa] read sensei stats
Mar 5 21:44:10 configd.py: [3f704530-859b-4e1f-95dd-136f85219d4b] read sensei stats
Mar 5 21:44:09 configd.py: [ab29e24e-2146-49e3-9bb6-fb6064233ff2] read sensei stats
Mar 5 21:44:08 configd.py: [645ca172-5629-4ea5-ad1f-8538c1b1ea06] read sensei stats
Mar 5 21:44:07 configd.py: [f8b70f86-0bee-4880-9306-bb4450d7db4d] read sensei stats
Mar 5 21:44:06 configd.py: [8bd95d71-bd13-4ec0-8f27-ed3932579bd3] read sensei stats
Mar 5 21:44:05 configd.py: [be4feb64-ef8e-4756-9e0c-0bbe00f5d4d0] read sensei stats
Mar 5 21:44:04 configd.py: [1aa6cf3a-da0e-473c-b710-553aa1287d69] read sensei stats
Mar 5 21:44:03 configd.py: [12d70d27-8724-477b-a274-99e795bcac42] read sensei stats
Mar 5 21:44:02 configd.py: [91adebc2-e1ee-4cf8-87c2-e1d8a5e8eee1] read sensei stats
Mar 5 21:44:01 configd.py: [ac505fe1-4ebb-4c68-99a7-a684c7f43a99] read sensei stats
Mar 5 21:44:00 configd.py: [7acfc145-9a17-40eb-be37-841d034621e7] read sensei stats
Mar 5 21:44:00 configd.py: [92b767af-81f1-4a5e-9e00-25219f89c715] check sensei engine health
Mar 5 21:43:59 configd.py: [d32f3278-e509-4969-b4a8-7ae7c79c700c] read sensei stats
Mar 5 21:43:58 configd.py: [ad2a102f-b1e0-4bb5-a593-09df77d04bac] read sensei stats
Mar 5 21:43:57 configd.py: [b92813e9-1cef-4b7f-8480-87b49d02d4f6] read sensei stats
Mar 5 21:43:56 configd.py: [d54e5bf2-f367-428a-a8d6-831488f4023e] read sensei stats
Mar 5 21:43:55 configd.py: [189af746-8852-4feb-bc24-2a13da1ff032] read sensei stats
Mar 5 21:43:54 configd.py: [dc2193ce-51c2-451e-917e-ebd56814ad1a] read sensei stats
Mar 5 21:43:53 configd.py: [08950c34-f59e-4fa5-95d5-0af61c02bdd1] read sensei stats
Mar 5 21:43:52 configd.py: [ea882489-9044-4768-b09c-ed6a0d5edd6d] read sensei stats
Mar 5 21:43:51 configd.py: [a4beae9e-0848-46df-bfd2-9e884d455d64] read sensei stats
Mar 5 21:43:50 configd.py: [66bc19f1-867a-4cff-bd31-e21221374c82] read sensei stats
Mar 5 21:43:49 configd.py: [1cff607f-dfba-4adb-8839-82dc49b1b83f] read sensei stats
Mar 5 21:43:48 configd.py: [7fee0851-b848-48d8-8d26-bc84b8bdce1b] read sensei stats
Mar 5 21:43:47 configd.py: [a5261abd-d409-4b27-921c-4f7f7ec41b90] read sensei stats
Mar 5 21:43:46 configd.py: [b8b7127a-5d56-408d-b7dd-902dd95e9ea2] read sensei stats
Mar 5 21:43:45 configd.py: [48a32138-cf91-4641-be4f-045f04ec7af6] read sensei stats
Mar 5 21:43:44 configd.py: [8c4ef497-2b33-4144-ba5b-4ef31a654070] read sensei stats
Mar 5 21:43:43 configd.py: [37cfb408-8ef5-408b-9348-53bcbb5bd089] read sensei stats
Mar 5 21:43:42 configd.py: [939282e0-234c-4b5f-ab00-9113bd803c96] read sensei stats
Mar 5 21:43:41 configd.py: [2989a365-034b-4aa6-b69f-a11ad3bd61c9] read sensei stats
Mar 5 21:43:40 configd.py: [5264a79b-1cf0-4d63-83a7-01129eead1ce] read sensei stats
Mar 5 21:43:39 configd.py: [3a8b90d3-46eb-494f-a19f-78817048cd12] read sensei stats
Mar 5 21:43:38 configd.py: [950f188d-26bd-4e9c-ac76-d65cdb48e212] read sensei stats
Mar 5 21:43:37 configd.py: [cea553fe-507d-492d-ab6d-f4318a600400] read sensei stats
Mar 5 21:43:36 configd.py: [f5b111b5-b585-4843-83bb-0a1bbfb2c1cd] read sensei stats
Mar 5 21:43:35 configd.py: [606ca68b-d3c0-4331-b410-afd4fef1a96c] read sensei stats
Mar 5 21:43:34 configd.py: [995954f6-fa00-4a3a-b32a-5638fa5eaffc] read sensei stats
Mar 5 21:43:33 configd.py: [3a856c39-6a60-4c23-83d7-15e7a00c2472] read sensei stats
Mar 5 21:43:32 configd.py: [3cfda134-4227-4c55-bcca-8ee10229e527] read sensei stats
Mar 5 21:43:31 configd.py: [9e43feed-c461-47fa-b692-8d445f317f4f] read sensei stats
Mar 5 21:43:30 configd.py: [02568a2b-6285-4431-bd2e-081b6bc3d77e] read sensei stats
Mar 5 21:43:29 configd.py: [72dbb649-88a3-4991-b51a-47c698256ce4] read sensei stats
Mar 5 21:43:28 configd.py: [1473e74d-fce9-4173-a6fa-bf54eb577778] read sensei stats
Mar 5 21:43:27 configd.py: [4a6222fc-465d-4528-9dcc-c906a5de1855] read sensei stats
Mar 5 21:43:26 configd.py: [b82dd2a5-8c9a-4a02-be10-6ad52bbaac5e] Show system activity
Mar 5 21:43:26 configd.py: [670749ac-91e3-4643-a9c4-5b9fd44f94da] read sensei stats
Mar 5 21:43:25 configd.py: [30d3970c-86fe-4d91-bca6-7353c654df63] read sensei stats
Mar 5 21:43:25 configd.py: [9a8daded-b8e5-4f51-bc56-d016e8ac7c02] read sensei stats
Mar 5 21:43:24 configd.py: [ebb18255-5159-4ab9-b641-b88821bf1e7d] read sensei stats
Mar 5 21:43:24 configd.py: [5120fa8d-e8ef-48a4-96e9-ffe553f81d30] read sensei stats
Mar 5 21:43:23 configd.py: [b727b40c-13ef-4d1e-b251-bf71c98a5b2f] read sensei stats
Mar 5 21:43:23 configd.py: [3634a274-5368-48a6-8867-b9932cd4809d] read sensei stats
Mar 5 21:43:22 configd.py: [0fb20dcf-c03b-4582-9c36-535207c9fa7f] read sensei stats
Mar 5 21:43:22 configd.py: [7d93ab3c-e1d8-452a-9863-c048ca11e7ff] view elasticsearch disk size
Mar 5 21:43:22 configd.py: [f09b62e6-cbf1-41be-97ae-56cce24ed05f] control services
Mar 5 21:43:22 configd.py: [e52be1cb-68be-4eea-b9e1-6c7b0f4e583c] check sensei ui version
Mar 5 21:43:22 configd.py: [02277005-468d-418c-aeea-5f26e03a016a] check sensei db last modified
Mar 5 21:43:22 configd.py: [5d851b8a-fda4-41cc-9967-7fe8ac178622] check sensei db version
Mar 5 21:43:22 configd.py: [99541288-f562-4f59-aa05-8a9b326cac81] check sensei db last modified
Mar 5 21:43:22 configd.py: [a29ac723-7f8f-41c0-8f73-26d60fc2493e] check sensei db version
Mar 5 21:43:22 configd.py: [37de4a96-014a-47fb-b12c-9c6c6aef5f37] check sensei last modified
Mar 5 21:43:22 configd.py: [7b58d2c8-5505-4df3-8a36-c4a6cf63c70b] check sensei version
Mar 5 21:43:22 configd.py: [9f2677fa-a66d-4e81-9d48-3191f60db682] control services
Mar 5 21:43:21 configd.py: [271b39f0-44fd-4ca1-9a0d-57e074e2ac8c] read sensei stats
Mar 5 21:43:20 configd.py: [8be4d78e-c447-4ff4-92b9-8d2de2a0b9a1] view license
Mar 5 21:43:20 configd.py: [ed3ffc6c-13a6-4468-b09d-2c2cba7469d6] read sensei stats
Mar 5 21:43:19 configd.py: [8483e0c4-6b9e-4cb6-a9ff-ac0cceed2488] read sensei stats
Mar 5 21:43:19 configd.py: [eb9e9a55-1aa1-4ece-a8cb-f71a0b1e3d0c] control services
Mar 5 21:43:18 configd.py: [caaf4bb7-d2af-4258-bba1-960e1b3b3bcb] read sensei stats
Mar 5 21:43:17 configd.py: [77b7f220-2a12-4238-a4f4-622639abb5a2] read sensei stats
Mar 5 21:43:16 configd.py: [fbb0669d-a17f-4918-b158-f28d2cc86aae] read sensei stats
Mar 5 21:43:15 configd.py: [f22ac12a-fdbe-45aa-9e2e-cd75abbc5c68] read sensei stats
Mar 5 21:43:14 configd.py: [04bf4e69-7021-48d4-a14c-429bad0bcd9e] read sensei stats
Mar 5 21:43:13 configd.py: [7f0bca65-1c34-45a5-9816-192eedcadc21] read sensei stats
Mar 5 21:43:13 configd.py: [cde48204-6443-48be-93b8-5c57c8d3cb4b] read sensei stats
Mar 5 21:43:12 configd.py: [d9669127-1ec6-482b-9800-34bf1090604d] read sensei stats
Mar 5 21:43:12 configd.py: [9fd1971a-e907-4704-b0b6-9ef8c193b4a0] read sensei stats
Mar 5 21:43:11 configd.py: [7e084ad4-bd04-40b7-a269-f86b030d470b] read sensei stats
Mar 5 21:43:11 configd.py: [e2f40c45-1449-4eaa-adad-392535ab65b9] read sensei stats
Mar 5 21:43:10 configd.py: [c06c00d0-29c3-424c-805a-624b8bb86c2c] read sensei stats
Mar 5 21:43:10 configd.py: [d44777a5-aede-4403-9963-65f5caf835f8] read sensei stats
Mar 5 21:43:09 configd.py: [5d031005-ce3b-4ddb-b119-c15818b64d7c] read sensei stats
Mar 5 21:43:09 configd.py: [4aaab29d-dd26-499b-8a94-114f728d447c] read sensei stats
Mar 5 21:43:08 configd.py: [32811901-60a5-41fb-8a70-23df003b409a] read sensei stats
Mar 5 21:43:08 configd.py: [e7f2cf0d-5ba4-4b5e-bb0f-6483884c55a7] read sensei stats
Mar 5 21:43:07 configd.py: [7e830b6f-f83d-417e-ad4c-a9ed577644dc] read sensei stats
Mar 5 21:43:07 configd.py: [997cb509-1145-43ea-a461-ed291432856c] read sensei stats
Mar 5 21:43:06 configd.py: [54e86060-313f-4c37-b7c8-ce55f24c5363] read sensei stats
Mar 5 21:43:06 configd.py: [b580155d-f96d-4c35-a94a-19b784208558] read sensei stats
Mar 5 21:43:05 configd.py: [eeddf8f5-89b1-491e-a627-aa879133e63a] read sensei stats
Mar 5 21:43:05 configd.py: [4beb04bf-4103-48ae-86ed-98c9ee7f96d0] read sensei stats
Mar 5 21:43:04 configd.py: [08eac025-5388-4807-9da7-f1d6004c4926] read sensei stats
Mar 5 21:43:04 configd.py: [106e18d5-ee88-4dba-b5e7-6d0d4921d065] read sensei stats
Mar 5 21:43:03 configd.py: [3532ac59-95e9-4439-9837-7a1ab5188a8a] read sensei stats
Mar 5 21:43:03 configd.py: [966fa7d7-c5f7-4809-b72f-fafd7e230bf0] read sensei stats
Mar 5 21:43:02 configd.py: [c87d2a2b-3b5c-44be-8e78-5fc89b1ee7b4] read sensei stats
Mar 5 21:43:02 configd.py: [fbc26fe4-dfc6-4991-bf26-6fa726d28c13] read sensei stats
Mar 5 21:43:01 configd.py: [2cfd5f28-21ce-4651-8a6f-68d7bc4ee5bf] read sensei stats
Mar 5 21:43:01 configd.py: [ad503b54-302c-4534-961b-7f4ffd830022] read sensei stats
Mar 5 21:43:00 configd.py: [edd42365-060e-4e8f-8bfb-9022ae8630e2] read sensei stats
Mar 5 21:43:00 configd.py: [9dc39d58-07bd-443d-bd2d-781a88573d10] read sensei stats
Mar 5 21:43:00 configd.py: [bf2bdcc2-2775-40c7-98c9-512ff7032409] check sensei engine health
Mar 5 21:42:59 configd.py: [ef64a92c-1456-4c26-92fd-72d259adfb70] read sensei stats
Mar 5 21:42:59 configd.py: [bd987828-89f8-46c4-8104-1f78e2c395da] read sensei stats

I attached the elasticsearch log. This only happens after a reboot with sense .8 beta 1 installed.

Here is the error I get when I start elasticsearch from the shell

Code: [Select]
root@OPNsense:~ # service elasticsearch start
Starting elasticsearch.
Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME
/usr/local/etc/rc.d/elasticsearch: WARNING: failed to start elasticsearch


Looks like the java env variable isn't being saved in the elasticsearch file or getting overwritten on a startup.

I ran this part of the sensei-init.sh script manually and elasticsearch started with no error now.

Code: [Select]
echo -n "Setting up elasticsearch..."
mkdir -p /usr/local/lib/elasticsearch/plugins
chmod -R 755 /usr/local/lib/elasticsearch/plugins
sysrc elasticsearch_login_class="root" >/dev/null 2>&1
sed -i '' -E '/auto_create_index/d' /usr/local/etc/elasticsearch/elasticsearch.yml
echo "action.auto_create_index: false" >> /usr/local/etc/elasticsearch/elasticsearch.yml
/usr/bin/sed -i '' 's/opt\/eastpect\/run\/elasticsearch/var\/run\/elasticsearch/g' /usr/local/etc/rc.d/elasticsearch
/usr/bin/sed -i '' 's/Xms512m/Xms2g/g' /usr/local/etc/elasticsearch/jvm.options
/usr/bin/sed -i '' 's/Xmx512m/Xmx2g/g' /usr/local/etc/elasticsearch/jvm.options
echo 'elasticsearch_enable="YES"' > /etc/rc.conf.d/elasticsearch
echo 'elasticsearch_env="JAVA_HOME=/usr/local/openjdk8"' >> /etc/rc.conf.d/elasticsearch
echo "done"
I'm fairly certain it's the second to last line that's fixing elasticsearch. Just why that isn't surviving past a reboot is beyond my skill set with this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 06, 2019, 02:09:11 pm
donatom, thanks for the detailed report.

You are right, it's:

echo 'elasticsearch_env="JAVA_HOME=/usr/local/openjdk8"' >> /etc/rc.conf.d/elasticsearch

that's fixing it. JAVA_HOME variable should be set to openjdk8 directory.

We're having a look at it why it is not persisting.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 06, 2019, 03:57:19 pm
Mb,

Beyond the elasticsearch issue everything else is working so far. IPv6 is definitely working and blocking categories.
With .7 my ram usage would hover around 4.8gb. With .8 it started around 4.8 but when I went in this morning dropped down to 2.7gb. The only time ram dropped on .7 was when elasticsearch had crashed.

I don’t know if it’s from enabling ipv6 again on my lan or something with .8 but web pages are loading quicker by a noticeable margin as well. I did also turn on cloud threat intel so it could be that too.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 07, 2019, 02:28:48 am
Hi donatom3,

Many thanks for the detailed feedback. Very good to see 0.8 with IPv6 is running good.

We've fixed a bug with regard to the Elasticsearch rc script. Our configuration manager was overriding it under a condition. Now elasticsearch starts on boot with no problem.

Wait for 0.8.0.beta2 update. It should be arriving momentarily.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cfsl1994 on March 09, 2019, 02:27:36 am

Good day to all  :),

Recently I'm trying out the sensei package at OPNsense and I thought it was very good, it left me surprised. My questions are:

I would like to know if the primium subscription option is available?

How can I apply filtering for certain IPs?

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 09, 2019, 02:46:22 am
Hi cfsl1994,

Many thanks for sharing your feedback. Great to see that Sensei is up to your expectations.

Yep, premium subscription will be available and will come with source IP/network based filtering. You'll be able to create custom policies and apply them to different user groups.

We expect to have Sensei 1.0 in early April and will start offering Premium subscription beginning early May.

Beginning with 1.0 version, Sensei will be directly instalable from OPNsense plugin manager.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on March 09, 2019, 10:10:53 am
Hi cfsl1994,

Many thanks for sharing your feedback. Great to see that Sensei is up to your expectations.

Yep, premium subscription will be available and will come with source IP/network based filtering. You'll be able to create custom policies and apply them to different user groups.

We expect to have Sensei 1.0 in early April and will start offering Premium subscription beginning early May.

Beginning with 1.0 version, Sensei will be directly instalable from OPNsense plugin manager.

I would wish to incorporate a function that may have fewer features, but also works on low end cpu's better or at all works.
Because in order to really use sensei you need a cpu that consumes a lot of electricity and therefore generates a lot of costs for the private user.
I would be very happy about such a feature and certainly others as well.

Thanks for the great product! Regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 09, 2019, 02:22:25 pm
Hi rené,

Many thanks for sharing your suggestion.

I'd like to happily tell that we have two ongoing projects which involve:

1. To make Sensei run on very low end devices, which have weak CPU and memory under 1GB. 
2. To make Sensei run on very large deployments e.g. sites with thousands of users.

For the former, the hurdle is the backend database. Although it's very efficient for medium to large settings, Elasticsearch is heavy for small deployments. It simply does not successfully run under 4GB memory. We're currently evaluating and testing several other databases which will do the job for small settings.

Expect to hear more on this late fall this year.

With regard to the latter, also this year, we'll announce a solution which will be able to handle many thousand concurrent users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on March 09, 2019, 04:03:52 pm
Hi rené,

Many thanks for sharing your suggestion.

I'd like to happily tell that we have two ongoing projects which involve:

1. To make Sensei run on very low end devices, which have weak CPU and memory under 1GB. 
2. To make Sensei run on very large deployments e.g. sites with thousands of users.

For the former, the hurdle is the backend database. Although it's very efficient for medium to large settings, Elasticsearch is heavy for small deployments. It simply does not successfully run under 4GB memory. We're currently evaluating and testing several other databases which will do the job for small settings.

Expect to hear more on this late fall this year.

With regard to the latter, also this year, we'll announce a solution which will be able to handle many thousand concurrent users.

if you really want to do that and really do it, some users would be very grateful to you. Me too of course! ;-)

How can I or how can others keep an eye on the development of this feature?
Is there a kind of roadmap or something similar?

Greetings René
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 10, 2019, 12:27:05 am
Quote
if you really want to do that and really do it, some users would be very grateful to you. Me too of course! ;-)

How can I or how can others keep an eye on the development of this feature?
Is there a kind of roadmap or something similar?

Hi René,

We will do it :) You're all welcome.

To keep up with the development, roadmap etc, best is to keep following this forum thread and also following company web site and twitter account:

https://twitter.com/sunnyvalley

Beginning April, we'll share more information about the upcoming feature set and more about the technology.

For now, I can tell that the technology at the heart of Sensei is a powerful packet analysis engine which is aimed at providing contextual network visibility, protection at all ports for all devices and also protection against encrypted threats which are gaining momentum.

Utilizing this core tech, our mission is to provide enterprise grade cyber protection for everyone, let it be a household, a small business or an enterprise with thousands of users.

From this perspective, making Sensei run on any scale is our priority.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 10, 2019, 05:20:55 am
And you start working on getting it to run on lower end machines after I order the new qotom case with 6 built in intel nics and a lga 1151 slot for 6th of 7th gen core desktop processors.

It's the Qotom Q600G6 for anyone interested.
https://www.aliexpress.com/item/Qotom-DIY-Powerful-Firewall-Router-Appliance-Q600G6-Barebone-System-Support-6th-7th-Gen-Processor-DDR4-RAM/32967092263.html?spm=a2g0s.9042311.0.0.154d4c4d2CNERH
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on March 16, 2019, 01:44:03 pm
HI, I Can not open report in either Dashboard or Reports giving me an error "An error occurred while report is being loaded!".

In view error message it says:
{
  "error": {
    "root_cause": [],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": []
  },
  "status": 503
}

Both "Sensei Packet Engine" and "Elasticsearch" are running. I have restarted the system and error is still there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 16, 2019, 04:41:36 pm
Hi manjeet,

Thanks for reporting this. Are you on 0.7?

We've got two more reports for the same problem and currently investigating it.

We'd like to dig deeper. Can you share your relevant elasticsearch.log ( located at /var/log/elasticsearch/ ) through sensei - at - sunnyvalley.io ?

For a workaround, you can run these two commands to reset the indexes: (beware: this will erase your reporting history)

/usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
/usr/local/sensei/scripts/installers/elasticsearch/create_indices.py

Let us know if this does not fix the problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ltb76 on March 17, 2019, 04:41:31 pm
Hi,

I'm new to OPNsense and Sensei, testing it to replace my soon expering PaloAlto home firewall.

Just did a default install and it seems to be working well (I see several blocked add sites under "Blocked Sites Explorer").
I might be missing something though. I tried adding "Bing" under "App Controls" - however I can still access bing.com. (I then tried adding Facebook - and that blocks Facebook). might the "bing" app be broken or am I missing something?

Another question, I looked in the manual but did not find the answer. Initially I added all my interfaces (WAN, LAN, LAN2 and DMZ) under "Protected Interfaces". dooing that seems to block DNS.
With the WAN interface protected, DNS trafic seems to be blocked with "Network Management category is administratively restricted" - even if does not appear to be blocked under "App Controls". Should I only add "LAN" interfaces to "protected"?

Is there a way to "not protect" an IP on a protected interface? Lets asume I have a device / client on the LAN interface that I for some reasone want to bypass all checks - is that posible?

I'm running
Sensei: 0.8.0.beta4
OPNsense: 19.1.4
Running ontop of VMware, 4 vCPU (D1540), 12GB RAM, vmxnet3 NICs
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on March 17, 2019, 05:58:19 pm
Quote
Should I only add "LAN" interfaces to "protected"?
AFAIK Sunnyvalley recommends not to block WAN and use suricata for this instead.

Quote
Is there a way to "not protect" an IP on a protected interface?
Not in the free version. That is a feature of the premium edition.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on March 19, 2019, 09:08:30 am
Thanks @MB. This fixed the issue.

I am currently running 0.7 & I am sending you the email for logs and screen shot error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 19, 2019, 09:35:04 pm
I have a question about the VLAN feature.
I use some VLAN on OPNSense and added all my interfaces to the "protected interfaces".
After that all connected VM´s inside the VLAN´s are offline and unable to access the opnsense (which means they are offline for all networks)

If i remove the "LAN" interface from the "protected interfaces" which is my physical interface,
the access from the VM´s inside the VLAN´s is ok again.
I have clients connected to "LAN" as well and would like to protect them, too.

Here is a overview:

LAN (em0) is my physical device and all VLAN are added to this interface:

Code: [Select]
10_DMZ (em0_vlan10) -> v4: 172.16.10.254/24
                    v6/t6: 2003:f2:63c9:63e1:4c1f:32ff:fe6d:4ae/64
 20_VPN (em0_vlan20) -> v4: 172.16.20.254/24
 30_Pentest (em0_vlan30) -> v4: 172.16.30.254/24
                    v6/t6: 2003:f2:63c9:63e3:4c1f:32ff:fe6d:4ae/64
 40_WifiGuest (em0_vlan40) -> v4: 172.16.40.254/24
                    v6/t6: 2003:f2:63c9:63e4:4c1f:32ff:fe6d:4ae/64
 50_IoT (em0_vlan50) -> v4: 172.16.50.254/24
                    v6/t6: 2003:f2:63c9:63e5:4c1f:32ff:fe6d:4ae/64
 60_Dev (em0_vlan60) -> v4: 172.16.60.254/24
                    v6/t6: 2003:f2:63c9:63e6:4c1f:32ff:fe6d:4ae/64
 70_WiFi (em0_vlan70) -> v4: 172.16.70.254/24
                    v6/t6: 2003:f2:63c9:63e7:4c1f:32ff:fe6d:4ae/64
 80_Server (em0_vlan80) -> v4: 172.16.80.254/24
                    v6/t6: 2003:f2:63c9:63e8:4c1f:32ff:fe6d:4ae/64
 90_Clients (em0_vlan90) -> v4: 172.16.90.254/24
                    v6/t6: 2003:f2:63c9:63e9:4c1f:32ff:fe6d:4ae/64
 LAN (em0)       -> v4: 172.16.17.254/24
                    v6/t6: 2003:f2:63c9:63e0:4c1f:32ff:fe6d:4ae/64
 PIA_VPN (ovpnc1) -> v4: 10.56.10.6/32
 WAN (igb0)      -> v4: 192.168.217.2/24
                    v6/DHCP6: 2003:f2:63c9:6300:6eb3:11ff:fe1b:aedf/64


I´m on Sensei 0.8.0.beta4 and OPNsense 19.4.1

Do you need some more informations ?
Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 19, 2019, 09:41:29 pm
Hi BeNe,

We're aware of this issue. There's another Sensei deployment exactly the same setting with yours and experiencing the same problem.

Looks like something weird with em-vlan-netmap trio. We're on this. Will update the thread when it's done.

One question: are you fine when you remove the trunk interface and just protect vlan child interfaces?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 19, 2019, 10:21:31 pm
Hi mb,

thanks for that fast information.

Yes, if i remove the trunk Interface (LAN em0 in my case) from the protected interfaces list, the machines inside the VLAN 's are reachable again.

Gesendet von meinem Pixel 2 mit Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 20, 2019, 06:12:34 pm
Hi Bene,

All welcome. Thanks for the information. Can I ask a favor? Can you try the new netmap kernel to see if your current setup works? (child interfaces protected, trunk not protected).

Here's how to do it:

https://forum.opnsense.org/index.php?topic=11477.msg55261#msg55261


Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 20, 2019, 08:09:48 pm
Hello Murat,

of course  ;) But the problem is still the same. I installed the new Kernel:
Code: [Select]
# uname -a
FreeBSD surtur.my-network.de 11.2-RELEASE-p9-HBSD FreeBSD 11.2-RELEASE-p9-HBSD  4ea457eb7b8(master)  amd64
If i add "LAN (em0)" to the protected interfaces, the VLAN´s are offline.
So revert back to the stock kernel. Added a screenshot from my OPNsense Console after adding the interface.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2019, 08:57:19 pm
Hi Bene,

Messages in the screenshot are ok: netmap telling you it was able to open the ethernet port.

I can confirm that there's something weird with the trunk interface when we bridge hw <-> sw rings. After a while packet transmission stalls for the child interfaces:

Code: [Select]
658.955704 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048
683.531482 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048

Looking into that.

For now our advise is - if you're using VLANs -:


Our plan is to be able to process the trunk interface directly and for all VLANs and you'll not need to separately select child interfaces. Will get you updated on this.

For now, if you can carve out the untagged traffic from the trunk port, you're ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 23, 2019, 01:05:46 am
Dear Sensei users,

An update on broken Elasticsearch indices:

After digging together with users who have reported the issue, it looks like the indices were broken because some index file integrity got broken.

This is usually because of abrupt shutdown of the firewall. If power goes off suddenly, before Elastic does a full write of its in-memory buffers, than we have a broken index.

So, not to experience this issue try to turn off your system gracefully.

If in any case this happens, Sensei 0.8.0.beta6 has a "Fix Elastic indices" button under Sensei -> Configuration -> Reporting & Data menu. Just click on the button and Sensei will reset only the broken indices.

0.8.0.beta6 is available for update for 0.8 users.

0.8 looks stable enough to offer as an update for existing 0.7 installations. If we do not see any outstanding issues, we'll move 0.8 to the general repo in a few days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 23, 2019, 02:21:56 am
MB,

I'm using dhcpv6 with track interface. Anytime Sensei starts after a reboot or an upgrade my ipv6 stops working until I do a release and renew of the entire WAN interface. It just did it to me again on the beta 6 upgrade.


Code: [Select]
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: updatedns() starting
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv4 default route
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt4'
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: On (IP address: X.X.X.X) (interface: XXXXX[opt4]) (real interface: ovpnc2).
Mar 22 18:13:25 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpnc2'
Mar 22 18:13:25 kernel: ovpnc2: link state changed to UP
Mar 22 18:13:24 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: (Success) X.X.X updated to X.X.X.X
Mar 22 18:13:24 opnsense: /usr/local/etc/rc.newwanipv6: Dynamic DNS: updating cache file /var/cache/dyndns_wan_X.X.X_0.cache: X.X.X.X
Mar 22 18:13:21 kernel: ovpnc2: link state changed to DOWN
Mar 22 18:13:21 opnsense: /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface WAN.

Code: [Select]
Mar 22 18:15:55 dhcp6c: dhcp6c REQUEST on igb0 - running newipv6
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:36:1de7:22c5:7284:90a5/128 on igb0
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a900:4262:31ff:fe00:7873/64 on igb1
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a9ec:4262:31ff:fe00:7874/64 on igb2_vlan55
Mar 22 18:15:55 dhcp6c[89888]: add an address 2605:X:X:a9ef:4262:31ff:fe00:7874/64 on igb2_vlan200
Mar 22 18:15:55 dhcp6c[89888]: Received REPLY for REQUEST
Mar 22 18:15:55 dhcp6c[89888]: Sending Request
Mar 22 18:15:55 dhcp6c[89888]: Sending Solicit
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv4 default route
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: no IPv6 default gateway set, assuming wan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'lan'
Mar 22 18:15:54 dhcp6c[89888]: failed to remove an address on igb1: Can't assign requested address
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:a9ec:X:31ff:fe00:7874/64 on igb2_vlan55
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:a9ef:X:31ff:fe00:7874/64 on igb2_vlan200
Mar 22 18:15:54 dhcp6c[89888]: Sending Release
Mar 22 18:15:54 dhcp6c[89888]: Start address release
Mar 22 18:15:54 dhcp6c[89888]: remove an address 2605:X:X:X:1de7:22c5:7284:90a5/128 on igb0
Mar 22 18:15:54 dhcp6c[89888]: Sending Release
Mar 22 18:15:54 dhcp6c[89888]: Start address release
Mar 22 18:15:54 dhcp6c[89888]: restarting
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface lan
Mar 22 18:15:54 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
Mar 22 18:15:54 kernel: igb1: link state changed to UP
Mar 22 18:15:50 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
Mar 22 18:15:50 eastpect[42809]: nm2::igb1^: permanently promiscuous mode enabled
Mar 22 18:15:50 eastpect[42809]: nm1::igb1:1: permanently promiscuous mode enabled
Mar 22 18:15:50 kernel: 750.076995 [2219] netmap_ioctl got 10000 extra buffers
Mar 22 18:15:50 kernel: 750.069849 [ 736] netmap_extra_alloc allocate buffer 24583 -> 24582
Mar 22 18:15:50 kernel: 750.062915 [ 736] netmap_extra_alloc allocate buffer 24582 -> 24581
Mar 22 18:15:50 kernel: 750.055985 [ 736] netmap_extra_alloc allocate buffer 24581 -> 24580
Mar 22 18:15:50 eastpect[42809]: nm0::igb1:0: permanently promiscuous mode enabled
Mar 22 18:15:50 kernel: 750.049074 [ 736] netmap_extra_alloc allocate buffer 24580 -> 24579
Mar 22 18:15:50 kernel: 750.042410 [ 736] netmap_extra_alloc allocate buffer 24579 -> 0
Mar 22 18:15:50 sshlockout[10974]: sshlockout/webConfigurator v3.0 starting up
Mar 22 18:15:50 kernel: 750.035617 [2216] netmap_ioctl requested 10000 extra buffers
Mar 22 18:15:50 kernel: igb1: link state changed to DOWN
Mar 22 18:14:06 dhcp6c[89888]: no responses were received
Mar 22 18:14:06 dhcp6c[89888]: no responses were received
Mar 22 18:14:04 dhcp6c[89888]: no responses were received
Mar 22 18:14:03 dhcp6c[89888]: no responses were received
Mar 22 18:13:49 dhcp6c[89888]: Sending Release
Mar 22 18:13:49 dhcp6c[89888]: Sending Release
Mar 22 18:13:48 dhcp6c[89888]: Sending Release
Mar 22 18:13:48 dhcp6c[89888]: Sending Release
Mar 22 18:13:41 dhcp6c[89888]: Sending Release
Mar 22 18:13:41 dhcp6c[89888]: Sending Release
Mar 22 18:13:40 dhcp6c[89888]: Sending Release
Mar 22 18:13:40 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Mar 22 18:13:37 dhcp6c[89888]: Sending Release
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 23, 2019, 05:12:06 am
Hi donatom3,

Thanks for reporting this. Having a look now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on March 24, 2019, 01:23:42 am
MB,

Another issue I've been having is the pan interface randomly disconnecting completely and I have to reboot to ping the interface again.

This is something that started since opnsense 19.1 for me. It happened on sensei 7.0 as well.

It happened on my old hardware and new. Both bare metal installs with Intel nics using the igb drivers. I can't find anything meaningful in the logs.

Im using the stock kernel now. Not sure if the test kernel will help with this lockup of the interface.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 24, 2019, 04:39:02 pm
Hi donatom3,

Thanks for reporting the issue in detail. I'll reach out to you to investigate further together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: astoklas on March 25, 2019, 04:48:53 pm
Dear Sensei users,

An update on broken Elasticsearch indices:

After digging together with users who have reported the issue, it looks like the indices were broken because some index file integrity got broken.

This is usually because of abrupt shutdown of the firewall. If power goes off suddenly, before Elastic does a full write of its in-memory buffers, than we have a broken index.

So, not to experience this issue try to turn off your system gracefully.

If in any case this happens, Sensei 0.8.0.beta6 has a "Fix Elastic indices" button under Sensei -> Configuration -> Reporting & Data menu. Just click on the button and Sensei will reset only the broken indices.

0.8.0.beta6 is available for update for 0.8 users.

0.8 looks stable enough to offer as an update for existing 0.7 installations. If we do not see any outstanding issues, we'll move 0.8 to the general repo in a few days.

I just had a power outage on my opnsense, after the reboot the reports could not be displayed. The "Fix Indices" shows all good, but the report still does not show up. I still have the system in a "broken" state if you want to investigate further...

OpnSense 19.1.4
Sensei 0.8beta6
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 25, 2019, 05:07:08 pm
astoklas,

Thanks for the report. Reaching out to you now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on March 26, 2019, 05:04:01 pm
Hello Murat,

is there an option to sync/export the collected data to another ELK Stack ?

Background:
I´m already running a ELK Stack in my network and i want to add the Sensei Data to it,too.
Sensei has much more information than the default syslog infos from OPNSense.

Benefit:
- long time archive
- own correlations searchs with other logs from the network/apps/devices
- build own dashboards and searches
- faster results than on the firewall itself

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 27, 2019, 09:53:49 pm
Hi!

I use Sensei in couple of opnsense system. Works well so far.
I was wondering is there any way to run in a low memory board?
I have a pcengine APU2 board with 2GB memory, but i have a fast V-NAND msata SSD.
I setup 8GB swap file on the opnsense so i have 2GB physical and 8GB swap. The access speed not much differ since the SSD is very fast.
Im removed the memory checking row from the installation script so sensei installed succesfully.
I can configure too, it warns me the physical ram is low but i can continue.
However when i try to start the engine it says: Sensei detected swap usage is too high
And its stopped. Yes i know the swap usage is high but i dont think it can cause any issue since i use the fast ssd. Is there any way to override this? Let sensei use the swap file, i take the risk.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 28, 2019, 07:22:20 am
SunnyValley evaluating lightweight backend database engines to provide a lighter version for home users with low spec hardware. When they are ready, there will not be a need of such swap tricks...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 29, 2019, 02:12:04 am
Hello Murat,

is there an option to sync/export the collected data to another ELK Stack ?

Background:
I´m already running a ELK Stack in my network and i want to add the Sensei Data to it,too.
Sensei has much more information than the default syslog infos from OPNSense.


Hi BeNe,

Many thanks for your suggestion. This feature - along with syslog and netflow streaming - is in the roadmap.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 29, 2019, 02:23:18 am
SunnyValley evaluating lightweight backend database engines to provide a lighter version for home users with low spec hardware. When they are ready, there will not be a need of such swap tricks...

Hi Archanfel80,

As Antaris recommends, you might think of waiting for the alternative db backend work.

Sensei uses in-memory caching so I would worry that swap usage might degrade your system performance bad -- even if you are using SSD.

Still, if you want to go for it, Disable Health Check from Sensei: Configuration: Updates & Support, and you're all set.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 29, 2019, 05:35:52 pm
Thank You!
Both of you :)
I probably wait for the light version but i give it a try for the ssd swap just for testing. Its a low bandwidth system, just a few users, it might will be no problem. If yes we know its no good :)
Regards, Peter
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mdurkin on March 30, 2019, 09:05:01 am
Anyone having problems blocking YouTube using 0.8.0.beta7? I used app control but it has no effect. Other controls seem to work fine. It's a shame as its the reason I installed was to try this out!
Anyone else tried blocking YouTube?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on March 30, 2019, 12:32:18 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on March 31, 2019, 11:10:35 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4 which have 4GB ram enough to use the default 2GB swap file. Just enable in the system-miscellaneous.
Make sure you have limited Sensei to 100 user maximum, and you have no problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on April 01, 2019, 12:16:16 pm
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4 which have 4GB ram enough to use the default 2GB swap file. Just enable in the system-miscellaneous.
Make sure you have limited Sensei to 100 user maximum, and you have no problem.

Thank you so much! Will try in the afternoon!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on April 01, 2019, 06:23:07 pm
In version 0.8 beta 7 on netmap kernel i experience tremendous slowdown in DNS resolving and packet loss to internet resources.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ict-guy on April 02, 2019, 11:05:24 am
i have the same problem for over a week now, at the moment i'm using sensei in xlarge mode and have set dhcp lease time for 8 hour default and 10 hour max.

this seems to help stablilize the occurends
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on April 03, 2019, 07:55:42 pm
What common on earth have DHCP lease time with packet loss ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SchylgeICT on April 03, 2019, 09:03:14 pm
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 03, 2019, 09:08:10 pm
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.

I can confirm that, cloud threat intel cause noticable delay in the dns query. Its seems the cloud servers not stable enough, since i see packet loss. In a workaround use the opnsense builtin intrusion detection with ET Pro telemetry (can be installed as a plugin). Its free if you let your firewall send anonymous statistics (why not?).
Other than that sensei is an amazing product!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 12:10:02 am
I just started testing and noticed the slowdown. In my case disabling cloud threat intel solved this.
maybe this helps.

I can confirm that, cloud threat intel cause noticable delay in the dns query. Its seems the cloud servers not stable enough, since i see packet loss. In a workaround use the opnsense builtin intrusion detection with ET Pro telemetry (can be installed as a plugin). Its free if you let your firewall send anonymous statistics (why not?).
Other than that sensei is an amazing product!

I can confirm too ;) We'll be shipping 0.8.0.beta8 tomorrow. It has several fixes which we expect to address this issue.

Plus, it has tagged (trunk) vlan interface support :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 12:12:46 am
Anyone having problems blocking YouTube using 0.8.0.beta7? I used app control but it has no effect. Other controls seem to work fine. It's a shame as its the reason I installed was to try this out!
Anyone else tried blocking YouTube?

Hi mdurkin,

Many thanks for reporting this. I checked with several deployments now. It looks like it's blocking. Let me contact you, there might be something in your environment which might trigger this.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on April 04, 2019, 04:00:20 am
Hello! 4 of my graphs are suddenly showing nothing. "Egress New Connections by App Over Time" and "Egress New Connections by Source Over Time" say "No Egress New Connection." "New Connections & Unique Remote Hosts" says "No New Connection & Unique Remote Host" and "Unique Local Hosts over Time" says "No Local Host." I just updated to 0.8.0.beta7 as well as stopping and starting the Sensei Packet Engine and Elasticsearch services. Any thoughts on what might have gone wrong or how to fix it?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 04, 2019, 07:02:19 am
Hi OPNsense4ever,

Many thanks for trying Sensei & reporting the issue.

We changed a field type in Elasticsearch. New query format is not compatible with the data type in old indexes. This is why you cannot see any data with those "histogram"s.

When you have some activity over time, they'll get back to normal, at most in a couple of days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 05, 2019, 02:57:41 pm
Dear Sensei users,

We've shipped 0.8.0.beta8 yesterday. This update brings vlan tagged interface support and fixes several issues with beta7. All beta7 users are encouraged to update to beta8.

With regard to Cloud infrastructure, we decided to take following steps to improve the availability:

1. Independent cloud queries:

Currently we're utilizing DNS infrastructure to communicate with our Cloud backend systems. Since we're redirecting dns traffic, this means for the cloud systems, we have to also act like a DNS recursive server. On the recursion side, since this is not within the scope of Sensei project, we cannot always guarantee the best DNS response time.

This is why, starting with 0.8.0.beta9, we'll be doing the cloud threat intelligence lookups with an independent to-the-purpose query. 

2. New cloud servers for US-West, US-East and Asia.

To improve cloud response time and distributing load, we'll be introducing new servers for Asia, US-West and US-East regions.

This change will have the following benefits:

1. Improved the availability
2. Improved response times (from avg 100ms to as low as 5ms)
3. You'll be able to continue using your local DNS servers.
4. You'll be able utilize other DNS based solutions (like Pi-hole) - in conjunction -  with Sensei.

We plan to have this before 0.8 rc1 so, hopefully we'll ship this with beta9 in two weeks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 05, 2019, 06:25:57 pm
Hi!

Just a curious question. Did you consider using Apache Lucene as the db backend instead of Elasticsearch?
I use lucene in several projects (mostly bitnami) and its a very scalable and fast backend. There is an option to use as a "lightweight" scenario and also like as an "enterprise". It may solve the low memory hw problem.
Im just thinkin loudly :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 06, 2019, 03:15:29 pm
Hi Archanfel80,

Many thanks for the suggestion. Actually didn't consider this as an option - wasn't aware that lucene had a lightweight option.

Currently we're evaluating Timescaledb and Influxdb. We'll also have a look at lucene lightweight option. Any pointers on this for me?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 07, 2019, 09:21:15 am
Hi!

I mostly played with heap sizes and buffer sizes. Lower values results lower memory usage in the cost of performance (slower queries) because the increased disk IO.
TimescaleDB is a good choice too. Im not sure about the Influxdb, i had to use it in the past but cause too much headache. Its not easy to operate.
Elasticsearch memory consumption also can limited. If i use in a low users <100 scenario and does not store more than 3 days data, the whole system memory usage is below 2GB. I run sensei in a 2GB board for almost a week now, small office 8 user only stored 3 days. The boss just want to see what the workers do so he check sensei reports in the end of the day. The whole system memory consumption is below 2GB. I use the default 2GB swap in opnsense but not a single byte used on that. I had to disable the sensei health check because its stopped the engine from time to time, but no issues so far. Also i have a bigger system, college with students, much more user much more data, stored 3 days history, the memory is just a bit above 4GB. I think the 8GB minimum recommended ram is a bit high. I dont have any system what eat this much.

What if sensei will detect the available system memory with the optional swap file too and gray out the big scenarios like 500 user and limit the maximum data history time limit, etc. So the user cant use a big scenario what break down the system?
For example with 2GB system, 25 users max, 3 days history
4GB system 100 users max, 7 days history
etc. And you can limit elasticsearch memory usage too.

And a quick report, after the beta8 the cloud threat query time a bit better but still cause delay what the user noticed.

Keep up the good work :)

Hi Archanfel80,

Many thanks for the suggestion. Actually didn't consider this as an option - wasn't aware that lucene had a lightweight option.

Currently we're evaluating Timescaledb and Influxdb. We'll also have a look at lucene lightweight option. Any pointers on this for me?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 08, 2019, 06:48:31 am
Hi Archanfel80,

Many thanks for sharing your experience. Indeed, we found this very helpful.

Now I'm thinking we might be over optimizing. We were trying to keep the memory usage for the Sensei and DB below 1GB for small deployments, like 25 users. And also we are trying to provide at least a month of history.

If the median minimal RAM size for OPNsense small deployments are 2GB, your suggestion looks very viable.

Let's do a quick twitter poll:

https://twitter.com/sunnyvalley/status/1115109250479476737

With regard to beta8, glad to hear that it looks better. We've received similar feedback from several other users. Hopefully, we will be solving the remaining issue with Cloud with beta9.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 08, 2019, 09:12:03 am
Hi!

I think keep the ram usage below 1GB would be a bit hard.
This is my smallest scenario, very low activity, sensei active only in one IF, around 8-10 users.

https://imgur.com/a/t8Bk8qg

This is a VM actually, the ram usage is below 2GB, but higher than 1GB. I cant keep below that. Of course this is the OS+Sensei RAM usage together. OPNSense eat 300-800MB RAM depending on scenario, so the 2GB usage with sensei means sensei use 1-1.5GB RAM with a low end settings.
A 2GB board should handle this, even with a swap file.
I think you can try to reach the ~1GB ram usage for a small scenario, that should be satisfy the low end HW users :)

Hi Archanfel80,

Many thanks for sharing your experience. Indeed, we found this very helpful.

Now I'm thinking we might be over optimizing. We were trying to keep the memory usage for the Sensei and DB below 1GB for small deployments, like 25 users. And also we are trying to provide at least a month of history.

If the median minimal RAM size for OPNsense small deployments are 2GB, your suggestion looks very viable.

Let's do a quick twitter poll:

https://twitter.com/sunnyvalley/status/1115109250479476737

With regard to beta8, glad to hear that it looks better. We've received similar feedback from several other users. Hopefully, we will be solving the remaining issue with Cloud with beta9.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: SchylgeICT on April 09, 2019, 09:18:48 pm
Hi MB,

With beta7 i was able to add OPT1(vlan interface) to the protected interfaces. I can still do this with beta 8. What did actually change with
Quote
"We've shipped 0.8.0.beta8 yesterday. This update brings vlan tagged interface support and fixes several issues with beta7. All beta7 users are encouraged to update to beta8."
. I think I'm overlooking something.
It would be nice to add different Sensei rules for different Vlans. I was hoping this was one of the things that changed in beta8.
I can confirm faster DNS lookups now with cloud threat intel enabled!
Best regards.
Ruud

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 11, 2019, 09:47:13 am
Yeah, different rules on different interfaces would be a great feature, as also a scheduling function.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on April 14, 2019, 12:28:43 pm
a nice feature would be synonymous if you could install the plugin as standalone on an external bsd or linux computer and could use the plugin as an analyzer.

The firewall could be relieved. especially in the home user area an advantage but certainly also in the business area a welcome feature.

is there any news on the topic sensei for low power hardware optimization?

Thank you

Regards, rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on April 15, 2019, 08:27:42 pm
Hi,

Is it possible to have parental controls or per device/group filtering?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: rb_newbie on April 18, 2019, 09:49:44 pm
Just installed 0.8.0.beta8 and did an audit of the packages and found that an outdated library is being used that is vulnerable.  Any way I can manually update this w/o breaking anything or will it be fixed in the stable release?

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.FreeBSD.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

1 problem(s) in the installed packages found.
***DONE***
Title: Re: Sensei on OPNsense - Application based filtering
Post by: timota on April 22, 2019, 09:30:27 pm
Im keen to check your plugin, but installer complains on

"Unfortunately Celeron is not supported by Sensei."

i cant say that my CPU is weak, it peforms good on most of tasks.

What will happened if i remove this check from installer ? do you have any other cheks that will prevent to install it ?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on April 23, 2019, 02:14:23 pm
Yes! If you have less than 4GB ram the installer will also fail. You can remove this check too. The ram is not problem, i have sensei with 2GB apu board without problem, but that board have a quad core intel processor, and the cpu usage is kinda heavy. Im not sure the celeron processor can handle this.

Im keen to check your plugin, but installer complains on

"Unfortunately Celeron is not supported by Sensei."

i cant say that my CPU is weak, it peforms good on most of tasks.

What will happened if i remove this check from installer ? do you have any other cheks that will prevent to install it ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: timota on April 24, 2019, 04:45:47 pm
great thanks.

will try anyway.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 09, 2019, 06:17:52 pm
Hi,

is anyone using the scheduled reports in reports&data section of the configuration (Sensei 0.7)?
Is it just me or is the "click to download and view detailed reports" link not working within the email (getting a blank html file with 0 bytes)?
It does not work for me in MS Outlook (Office 365) and Thunderbird.
If I access that mails through the webmail of my GMX (my mail provider) I can see that there's a html file attached. I can see the attachment in the app on my iPhone, but that's not my favorite "view that report" device.

Are there any updates on Sensei 0.8? since that thread fell asleep ;)

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 09, 2019, 06:35:18 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi Bene,

Messages in the screenshot are ok: netmap telling you it was able to open the ethernet port.

I can confirm that there's something weird with the trunk interface when we bridge hw <-> sw rings. After a while packet transmission stalls for the child interfaces:

Code: [Select]
658.955704 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048
683.531482 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048

Looking into that.

For now our advise is - if you're using VLANs -:

  • Stay with the stock kernel which comes default with the OPNsense release, we need more work in new kernel with regard to VLANs
  • Do not put any untagged traffic to your VLAN trunk port and you should be able to protect vlan child interfaces just fine

Our plan is to be able to process the trunk interface directly and for all VLANs and you'll not need to separately select child interfaces. Will get you updated on this.

For now, if you can carve out the untagged traffic from the trunk port, you're ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 11, 2019, 06:32:35 pm
Hi @donatom3,

For application control, dns does not play any role there, so you'll be utilizing Sensei at its full potential in any ways.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) of a possibility of using both Sensei Cloud database & local dns servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and happy with the software ;)


Would be great if i could use Cloud database & local dns!

Do you have a pricing idea for premium edition for home user?

thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:43:48 pm
Dear Sensei users,

An update on the low-resource systems:

Below is the results of the poll "How much memory do you have on your OPNsense firewall"

Many thanks to those who attended the poll. According to the results, 2/3 of the OPNsense users have either 4GB or more memory.

So, as per Archanfel80's suggestion, enabling for 4GB will allow another 40% to be able to start using Sensei. We thought that this is a huge number and lowered the minimum memory requirement to 4GB (Elastic is configured accordingly).

So, practically, if you have 4GB RAM, than starting with beta9 (coming this weekend), you'll be able to enjoy Sensei for up to 100 users.

I'd like to thank Archanfel80 for his awesome suggestion. It's in the works now.

Alternative database backend work (which will enable Sensei for 2GB or less memory) is continuing, but might take a little longer than we originally planned -- most probably post 2019. (due to other high priority work).

Note: I see that we missed some messages unanswered here. Apologies for that: we're recovering quite a loaded timeframe, and will be getting back to you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:54:34 pm
a nice feature would be synonymous if you could install the plugin as standalone on an external bsd or linux computer and could use the plugin as an analyzer.

The firewall could be relieved. especially in the home user area an advantage but certainly also in the business area a welcome feature.

Yes, we have some good news about this. Part of our overload was due to this feature actually. With 0.8.0.beta9 (coming this weekend), you'll notice in Configuration page that we have introduced another deployment option:

L2 transparent bridge.

In this mode, Sensei literally bridges two of your ethernet interfaces.

This way, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

We introduced this to be able to support sites which have thousands of users.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

A live deployment for 5000 users was done; and looks quite promising.

is there any news on the topic sensei for low power hardware optimization?

Yep, please see my above answer: https://forum.opnsense.org/index.php?topic=9521.msg58741#msg58741
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 07:59:34 pm
Would be great if i could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 11, 2019, 08:07:27 pm
Would be great if i could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.

GREAT!!! looking forward...THX
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:10:15 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi @the-mk,

Yes, we have updates on this. Sensei is is now able to process VLAN trunk interfaces.

So, if you're using VLANs -, the latest advise is:

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:15:30 pm
Just installed 0.8.0.beta8 and did an audit of the packages and found that an outdated library is being used that is vulnerable.  Any way I can manually update this w/o breaking anything or will it be fixed in the stable release?

libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.FreeBSD.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

Hi rb_newbie, many thanks for pointing this out. This is a dependency package required by Elasticsearch/java. We'll go ahead and update it.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 11, 2019, 08:19:07 pm
@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Hi @the-mk,

Yes, we have updates on this. Sensei is is now able to process VLAN trunk interfaces.

So, if you're using VLANs -, the latest advise is:

  • Stay with the stock kernel which comes default with the OPNsense release, we need more work in new kernel with regard to netmap
  • You can now protect untagged (trunk) vlan interfaces. Sensei will process both tagged and untagged frames at the same time. This is the advised & performant method.
  • Or, you can still choose to protect vlan child interfaces or vlan parent interfaces. The important thing to be careful here is do not have them at the same time, or you'll hit a bug present in current netmap code
MB,

Are you saying if I move my 2 vlans off their own interface back to my main trunk I should stop seeing that netmap crash that was causing sensei to stop all traffic?

Sent from my Pixel 3 XL using Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 08:59:12 pm
Hi Ruud,

With beta7 i was able to add OPT1(vlan interface) to the protected interfaces. I can still do this with beta 8. What did actually change with beta8? I think I'm overlooking something.

Correct. The difference is; beta7 did not actually process tagged frames, they were just forwarded; whereas beta8 does process both tagged and untagged frames.

It would be nice to add different Sensei rules for different Vlans. I was hoping this was one of the things that changed in beta8.

We're addressing this with Policy based filtering (Interface, VLAN, Subnet based policies) which will appear in Premium subscription.

I can confirm faster DNS lookups now with cloud threat intel enabled!

Many thanks for this update. 0.8.0.beta9 should be slightly better.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2019, 09:07:44 pm
is anyone using the scheduled reports in reports&data section of the configuration (Sensei 0.7)?
Is it just me or is the "click to download and view detailed reports" link not working within the email (getting a blank html file with 0 bytes)?
It does not work for me in MS Outlook (Office 365) and Thunderbird.
If I access that mails through the webmail of my GMX (my mail provider) I can see that there's a html file attached. I can see the attachment in the app on my iPhone, but that's not my favorite "view that report" device.

Hi @the-mk,

Gmail web/iPhone looking good. It looks like a problem embedding the report for Office365/Thunderbird,

Having a look at it. Many thanks for reporting.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 12, 2019, 11:21:45 am
@mb - thanks!
tested adding the trunk interface only to the protected interfaces - and it processes all VLANs that are on that trunk interface - that's ok for me!
looking forward to beta9! I guess we get a notification here in the forums as soon as it is available?
scheduled reports - the embedded report problem also exists in 0.8 beta8...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 12, 2019, 05:53:00 pm
Hi @tk-mk,

Glad to hear that vlans are working for you. beta9 is reporting vlans & interfaces. Final tests are run for it & should arrive late today (PST) or tomorrow.

Got it. Not able to make the fix for beta9, hopefully with the next beta.
Title: Sensei on OPNsense - Application based filtering
Post by: shijo on May 13, 2019, 04:19:59 pm
Hi there,

Is there any possible way to block  Ultrasurf client proxy by using Sensei. Ultrasurf sets up a local proxy on the user’s computer, and then configures Internet Explorer’s proxy settings to run all Internet requests through that local proxy. The default port is 9666. Since the traffic between Ultrasurf and IE is entirely on the localhost, it never goes to the network and can’t be blocked by a firewall. Ultrasurf then sets up an encrypted connection with a remote server in its network of proxy servers. The connection to the remote proxy server is made over port 443. Hopefully someone out there can help me with this.

Thanks in advance !  :)  :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 13, 2019, 07:36:04 pm
Hi @shijo,

Thank you very much for trying out Sensei.

The pre-requisite for filtering an application is the identification of that application in the first place. Once its traffic is correctly identified, filtering is the easiest part.

It looks like we're not able to identify this traffic as Ultrasurf Proxy.

We've had requests for Ultrasurf and its identification is on the roadmap.

In the meantime, if you'd like to give that a pace, you can share pcap of a "test" ultrasurf session, that would be really helpful.

Then it'd be faster for us to write the signature for identifying the application.

And once it's identified, filtering is automatically in place.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 14, 2019, 12:57:45 am
Dear Sensei users,

0.8.0.beta9 is out now. Below are the updates against 0.8.0.beta8:

Support for Large Settings (More than 1000 users)

Thanks to the newly introduced L2 Transparent Bridge Mode, you can run Sensei for thousands of users.

In this mode, where Sensei literally bridges two of your ethernet interfaces, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

Practically, what this means is that, if you deploy Sensei on an 8-core server with a --say 64GB of memory, you can serve 8000 users behind this configuration.

Please be noted that we'll need a small integration with OPNsense to be able to fully provide this functionality. We'll keep you posted.

Support for 4GB RAM

In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4B of RAM.

Please note that if you have 4GB memory, maximum number of users will be 100.

Improved application signatures


Cloud

New Cloud Query Infrastructure

Filtering

Fixed a bug where auto-whitelisting a host does not immediately take effect / requiring a restart of engine.

Integrations


Better Reporting



How to update?

For 0.8 users, in the OPNsense Web UI, you should have already seen Sensei reporting 0.8.0.beta9 update. Just click on "Update" and Sensei will take care of the rest.

For 0.7 users, please wait for an announcement for 0.8.0.rc1; when it's out, you should also see 0.8 update in the OPNsense UI. We'll announce it from here and our twitter page.

Hope you enjoy this one.

--
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: shijo on May 14, 2019, 12:46:17 pm
Hi @mb,

Thank you very much for the reply. As you suggested I'm attaching the pcap file for your reference.

Thanks in advance !
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 14, 2019, 01:58:45 pm
Hi @shijo,

That's awesome. Thank you. This'll help a lot.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 14, 2019, 02:53:39 pm
Im glad i can help :)

Dear Sensei users,

0.8.0.beta9 is out now. Below are the updates against 0.8.0.beta8:

Support for Large Settings (More than 1000 users)

Thanks to the newly introduced L2 Transparent Bridge Mode, you can run Sensei for thousands of users.

In this mode, where Sensei literally bridges two of your ethernet interfaces, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

Practically, what this means is that, if you deploy Sensei on an 8-core server with a --say 64GB of memory, you can serve 8000 users behind this configuration.

Please be noted that we'll need a small integration with OPNsense to be able to fully provide this functionality. We'll keep you posted.

Support for 4GB RAM

In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4B of RAM.

Please note that if you have 4GB memory, maximum number of users will be 100.

Improved application signatures

  • Browsec VPN
  • Microsoft Updates
  • Office Updates
  • Fixed a bug in Web based applications classification module which -in some cases- might lead to a crash.

Cloud

New Cloud Query Infrastructure

Filtering

Fixed a bug where auto-whitelisting a host does not immediately take effect / requiring a restart of engine.

Integrations

  • Improved CLI access API
  • First bits of Active Directory Integration

Better Reporting

  • New report: Ethernet interface reports. You can now see which ethernet interfaces carry the most bandwidth and drill down to per-interface detailed reports.
  • New report: VLAN reports. You can filter out a VLAN and drill down as deep as session details.
  • New report: User reports. When the OPNsense captive integration is finished, you’ll be able to view user-based reports.
  • All live session reports now have VLAN, Interface, Username columns.
  • All live session reports now have auto-refresh / refresh interval options
  • Fixed a bug where charts were refreshed randomly causing excessive page loads
  • Fixed a bug where setting Elasticsearch not to start at boot causing reporting to cease.
  • Introduced an option to be able to reset all Elasticsearch Indexes.
  • Introduced Elasticsearch Index Health Checker, where you can check and do a fix-up on an index basis
  • Elasticsearch shards are now single. Not requiring a replica. All indexes can be seen green now.
  • Fixed a bug in Elasticsearch data retiring module, which -in some cases- would result in more disk space consumption


How to update?

For 0.8 users, in the OPNsense Web UI, you should have already seen Sensei reporting 0.8.0.beta9 update. Just click on "Update" and Sensei will take care of the rest.

For 0.7 users, please wait for an announcement for 0.8.0.rc1; when it's out, you should also see 0.8 update in the OPNsense UI. We'll announce it from here and our twitter page.

Hope you enjoy this one.

--
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 14, 2019, 02:56:37 pm
Hi updated from beta8 to 9, everythings looks fine so far.
Also local DNS an Cloud Threat Intel is working, GREAT!

Only: I cannot set deployment size, drop down is empty....but thats it
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 14, 2019, 04:24:26 pm
Im glad i can help :)

How does it help to just quote the complete previous text without any sensful addition?  ::)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 14, 2019, 04:36:01 pm
I referred for this: "In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4B of RAM."

Im glad i can help :)

How does it help to just quote the complete previous text without any sensful addition?  ::)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on May 15, 2019, 09:38:45 am
I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 09:52:15 am
Login to the firewall through SSH:
mkdir -p /usr/local/sensei/log/active
mkdir -p /usr/local/sensei/log/archive

reboot

I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 15, 2019, 02:04:01 pm
The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chances that you did not enable the trunk interface from OPNsense Interfaces menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 02:40:48 pm
Im using tagged vlan interfaces and all shown correctly. See attached image.

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chances that you did not enable the trunk interface from OPNsense Interfaces menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 15, 2019, 04:34:03 pm
Im using tagged vlan interfaces and all shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded sensei. If you remove them, you will not be able to readd them again unless you edit the right file to disable the display filter.

mb:
Quote
[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51 where is the comparision with 'vlan'.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on May 15, 2019, 06:01:53 pm
True!
I can confirm that, i dont see the vlan interfaces unless i add manually to the config.xml (Sensei section) or do the same what you mentioned.

Im using tagged vlan interfaces and all shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded sensei. If you remove them, you will not be able to readd them again unless you edit the right file to disable the display filter.

mb:
Quote
[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51 where is the comparision with 'vlan'.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on May 15, 2019, 10:57:37 pm
Cloud Node Status is always DOWN (see attachment). I can klick "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays at is. Is this normal?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 03:03:29 am
@opnip,

As a private message, can you share your firewall's IP address with me? Let's do a trace.

Hi updated from beta8 to 9, everythings looks fine so far.
Also local DNS an Cloud Threat Intel is working, GREAT!

Only: I cannot set deployment size, drop down is empty....but thats it

@holger, fixed for beta10.

I get the following error when accessing the Dashboard or any sensei page:
73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

@ruffy, fixed for beta10.


@Archanfel80, @hbc, @ruffy,

Please watch for beta10. We removed the filter for VLAN child interfaces.

So the latest situation:

You can either

- Add the parent/tagged ethernet interface and protect the whole tagged/untagged
   traffic passing through the interface

or

- Add each vlan child interface seperately to the protected interfaces. The thing
  to note here is do NOT add both the parent and the child interfaces at the same
  time, or you'll hit a netmap bug.

Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 16, 2019, 03:49:12 am



Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Sent from my Pixel 3 XL using Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 16, 2019, 03:50:13 am



Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Sent from my Pixel 3 XL using Tapatalk
Just saw you said more than 2 I can add a third one just for fun.

Sent from my Pixel 3 XL using Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on May 16, 2019, 06:11:22 am
Hi MB, In App Control, we can block an entire protocol / type of service. Is there any way to block one user and allow everyone else OR allow one user and block rest in network either by IP or MAC address. Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 16, 2019, 06:26:46 am
Cloud Node Status is always DOWN (see attachment). I can klick "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays at is. Is this normal?

i have exact same behavior!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 02:16:38 pm

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Just saw you said more than 2 I can add a third one just for fun.

Hi @donato,

Thanks, much appreciated. Please note that problem seem to arise when you add more than two "child" vlan interfaces. Haven't beed reported of a problem with tagged/trunk interfaces, although curious to know if there are any.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2019, 02:22:48 pm
@manjeet,

This is addressed via policy based filtering coming up with Premium subscription. Details almost complete. Hope to announce it very soon.

@malac,

Please send your public IP address to sensei - at - sunnyvalley.io. We'll run a trace.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on May 17, 2019, 06:31:17 am
Thanks @MB for the update. Looking forward to it.

Also, Yesterday i enabled the email reporting and today i got this message "Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually."

Elastic search is working fine, reports in dashboard and reports section looks all good. Do not understand what could be the issue..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 17, 2019, 03:52:32 pm
Hi @manjeet,

We're having a look at Scheduled Reports now, let's also check this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 18, 2019, 12:55:13 pm
@mb: when I look to the reporting mail - how is that number of "unique local hosts" of the "quick facts" derived? I do not have that many hosts in my network...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: N0_Klu3 on May 18, 2019, 01:05:41 pm
So would this work at replacing pfblockerng?
As in AD Blocking?

Also I read stuff about VLANs, basically I have 2 VLANs running on my main LAN Ethernet port.
Would Sensei work?

I'm planning on rebuilding to OPNSense hopefully today, but I'd really like some sort of ad blocking to replace pfblockerng.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 18, 2019, 02:04:53 pm
Hi @the-mk,

Do you see different statistics in the UI, or are they the same?

If they are: we saw this happen when Sensei was being run for a WAN interface. In that, LAN/WAN directions are being reversed for Sensei. So you see remote host count in place of locals and vice versa.

If not, let's have a look if we're missing something.


Hi @N0_Klu3,

You can try for yourself. It's easy to try out Sensei.

Yep, if you just add the parent LAN interface to the protected interfaces, than you're good to go.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: N0_Klu3 on May 18, 2019, 06:14:01 pm
@mb do you still need an invite or install link?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 18, 2019, 06:16:04 pm
Hi @N0_Klu3,

You can use this command to install 0.8:

curl https://updates.sunnyvalley.io/getsensei8 | sh

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on May 19, 2019, 10:15:09 am
Hi,

are these files needed? Took most of my disk space ...

Code: [Select]
root@OPNvirt:/usr/local/sensei/log # du -sm * | sort -n
1 active
14156 archive

These logs contain statistics for all interfaces per second ... but I did not find an option to disable these logs ...

Thanks and best regards,

    Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on May 19, 2019, 11:54:43 am
@manjeet,

This is addressed via policy based filtering coming up with Premium subscription. Details almost complete. Hope to announce it very soon.

@malac,

Please send your public IP address to sensei - at - sunnyvalley.io. We'll run a trace.

Have you found something?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 19, 2019, 04:16:50 pm
are these files needed? Took most of my disk space ...
These logs contain statistics for all interfaces per second ... but I did not find an option to disable these logs ...

Hi @Space,

Within this beta period, in times of troubleshooting, they can be very valuable for us to point out the location of some of the problems.

Nearing 1.0, we'll cease  to archive logs. In the meantime, adding a functionality to automatically purge logs older than 10 days.

Thanks for pointing this out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 19, 2019, 04:19:02 pm
Have you found something?

Hi @malac,

Yep, it looks like engine is still a little bit too sensitive for response times. We've lowered the thresholds a bit. Coming with beta10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 19, 2019, 04:48:13 pm
Hi @the-mk,

Do you see different statistics in the UI, or are they the same?

If they are: we saw this happen when Sensei was being run for a WAN interface. In that, LAN/WAN directions are being reversed for Sensei. So you see remote host count in place of locals and vice versa.

If not, let's have a look if we're missing something.

when comparing the quick facts from the last report mail with the conns facts from the dashboard - they are pretty much the same when having the report interval set 05/18/2019 00:00 to 05/19/2019 00:00.
I'd expect that the number of unique local hosts are about the same numbers as IP-addresses are listed in the table of local assets from the dashboard.
protected interfaces on the firewall in question with sensei 0.7.0 are 6 vmx-network cards to different LANs and one vmx to WAN.
but maybe my understanding if unique local hosts is wrong here?
could it be that i.e. a host talking on the network of interface #1 is talking to another host on the network interface #2 and the same source hosts also talks to the internet (WAN)?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 20, 2019, 05:49:22 pm
Hi @the-mk,

Thank you very much for providing additional information.

Whether we decide if some IP address is local or remote depends on the flow direction.

A little bit of background info how Sensei works & decides the flow direction:

Sensei deploys between the ethernet adapter and the host operating system, bridging the two, forwarding packets back and forth, and at the same time doing the inspection. Typically we are deployed on inner-facing interfaces.

It assumes that ethernet side of the bridge is LAN and Operating System side is WAN. So flows initiated from the LAN side is considered they are egress, and flows which are initiated from the WAN side are ingress.

For eggress connections, the source IP address who initiated the connection is tagged as "Local", whereas for ingress connections, it's the destination IP address.

So, in your scenario, I'd expect that you having a protected interface on the WAN side might complicate things, since this time sensei will regard all outgoing connections as Ingress (for that interface) and regard the remote IP addresses as local.

Might worth removing that interface from protected interfaces and try to see if this changes things.

If that's not the case, please let us know so that we can have a look at it together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: kaviraj on May 21, 2019, 09:26:44 am
Hello,

Been testing sensei 0.8.0.beta9 since some days now and since yesterday am facing some strange problems. Some clients are unable to resolve DNS. If i change the client IP everything start to work again. I tried to uninstall and reinstall but still the same.

OPNsense is running over virtualised environment (Proxmox) with kernel 19.1.4 having netmap support as am using virtio.

Test case:
1. I have a client with IP 10.249.10.228/24. When i run a dig it returns a timed-out. A tcpdump on the hypervisor shows that the request was forwarded over the OPNsense interface but a dump on OPNsense interface shows nothing.

2. I stop sensei engine dig starts to work. But as soon as i start it, the client is unable to resolve DNS.

3. Same client but i change IP to 10.249.10.11/24. Dig works.

I may provide remote access if needed.

Thanks for your help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 21, 2019, 01:46:56 pm
Hi @kaviraj,

Many thanks for reaching out. Please watch for 0.8.0.beta10 which will be coming out today. We have a fix for this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 21, 2019, 06:15:02 pm
Dear Sensei users,

Sensei 0.8.0.beta10 is out. This brings back VLAN child interfaces and fixes a bug with Cloud Threat Intel. You should now see much better uptimes.

Also addressed: libXdmcp, an Elasticsearch dependency package, is updated to version 1.1.3, fixing a security issue.

Complete list is as follows:

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on May 21, 2019, 08:51:30 pm
@mb: thanks for the clarification - I need to do a deeper check it on the weekend...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on May 22, 2019, 07:10:28 pm
elasticsearch shut down because it started to run out of disk space. How do I tune that? I've got a little over 300GB available for a family of 4 and a few guests a week.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 22, 2019, 07:58:03 pm
Hi @OPNsense4ever

You can use the following guide to determine for how many days you can have your reporting data.

https://guide.sunnyvalley.io/sensei/getting-started/getting-ready#disk-space

Then navigate to Sensei -> Configuration -> Reporting & Data

and set the maximum number of days to store reporting data.

When you set this number to a value smaller than the current one, Sensei will confirm with you if you want the surplus data to be deleted.

For this you need Elasticsearch to stay open, temporarily disable Health check to prevent Sensei from shutting it down again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: OPNsense4ever on May 25, 2019, 12:34:38 am
Sweet! Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 05:28:35 pm
I'm new to Sensei, but I'm loving it so far!  Great work!

I do occasionally get a "crash report" notification though.

Here is the sequence of events:

0) Sensei was not installed.
1) Upgraded OPNsense from 18.7.10_4 to 19.1.8.
2) Installed Sensei 0.8.0.beta10.
3) Successfully completed the initial Sensei configure wizard.
4) Noticed a "crash report" when I went to the OPNsense Dashboard.

Unfortunately, I don't have the crash report in front of me at the moment, but I *did* submit it, so hopefully you'll get it from the OPNsense team eventually.  It was something about PHP crashing with bad data related to the "TCP Service Security" password.  I'll keep you posted if I see it again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 28, 2019, 05:30:41 pm
Hi @JohnDoe17,

Thanks, great that you found Sensei useful for you.

One question: did you install Sensei 0.7 or the new 0.8 version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 05:35:02 pm
Quote
2) Installed Sensei 0.8.0.beta10.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 28, 2019, 05:36:56 pm
Thanks JohnDoe17, I missed that.

Having a look at it if we're missing something. In the meantime, if you encounter it again, feel free to email the screenshot to sensei - at - sunnyvalley.io.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 28, 2019, 06:11:31 pm
I got the crash to happen again.

Note that "Rainbow#Bicycle" is the password I was using for the test.  Does Sensei handle the "#" symbol in a password?

Code: [Select]
[28-May-2019 11:08:17 America/Chicago] PHP Fatal error:  Uncaught Error: Class 'OPNsense\Sensei\Exception' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(151): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4346, 1, '', 1)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(134): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4346, 'Rainbow#Bicycle', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(89): OPNsense\Sensei\Sensei->runCLI(Array)
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php on line 111
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 02:10:25 am
Dear Sensei users,

Sensei 0.8.0 Release Candidate 1 is out. This marks the first step into releasing 0.8 and towards 1.0. There will be no 0.9 :)

Change log is as follows:

We're running 0.7 to 0.8 upgrade tests. As soon as they show that we're good to go, 0.7 users will be reported of the new 0.8 update.

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 29, 2019, 01:42:31 pm
Just reinstalled OPNsense and the RC1 on APU2C4 with 2GB Swap - so far so good!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 01:48:31 pm
@patcsy88, thanks for sharing your experience. Glad to hear that.

@JohnDoe17, can you have a look and see if 0.8.0.rc1 is solving your issue?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 29, 2019, 03:36:27 pm
@mb: Any news concerning CARP? As soon as I start sensei on CARP master, I have split communication. Cannot ping between CARP members and both nodes are master, dhcp service is communication-interrupted.

Sensei just on backup node seems to works, but except for proxy there is no traffic passing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 03:43:13 pm
Hi @hbc,

Since running the netmap bridge application produces the same result, we suspect this to be a netmap issue. I've been trying to get Chelsio adapter to see if we can re-produce this.

In the meantime, any chances you can try the same setup with a different adapter -- preferably em or igb?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on May 29, 2019, 03:53:08 pm
Not in our CARP HA cluster. We have 12 chelsio ports, so sensei needs to run with it.
Title: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 29, 2019, 05:33:35 pm
Dear Sensei users,

Sensei 0.8.0 Release Candidate 1 is out. This marks the first step into releasing 0.8 and towards 1.0. There will be no 0.9 :)

Change log is as follows:
  • Per-process health monitoring. Sensei engine now checks heartbeats from its packet processors and taking the corrective action in case of trouble.

We're running 0.7 to 0.8 upgrade tests. As soon as they show that we're good to go, 0.7 users will be reported of the new 0.8 update.

Enjoy :)

Sensei team

@mb Just checking if that is the fix we were talking about to the issue I was seeing with Sensei/netmap crashing causing all traffic to stop until I rebooted the whole firewall.

The last times it happened restarting Sensei from the GUI did not let traffic resume. I had to restart the whole firewall with the auto start of the packet engine turned off.

I did the upgrade to rc1 yesterday so I'll let you know if I still see the issue.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on May 29, 2019, 06:18:58 pm
Hello @mb.

Yes, I can confirm the fix in rc1 did resolve the error I saw with the Sensei CLI API and OPNsense Crash Reporter.

Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 29, 2019, 07:31:30 pm
Great to hear that @JohnDoe17, thanks for letting us know.

@donatom3 hi,

Yes, it's also netmap related but a different issue. After many trials, I was able to reproduce your situation. Doing a ifconfig down/up seem to resolve the problem.

After Sensei 1.0, we'll have another dive at netmap. It's a great tool, but certainly needs some industry help to get to a super stable state.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 02:49:48 am
Just reinstalled OPNsense and the RC1 on APU2C4 with 2GB Swap - so far so good!

So Sensei detected high Swap usage over the last 10+ hours and shut itself down. On prompt, I restarted ES. I have now also disabled the Health Check and on the Configuration page started Sensei Packet Engine and the overlay on the page says it is waiting for the service to startup. After 10 or so minutes, nothing happens on the page but vmstat in a shell suggest it is back up. Refreshing the OPNsense page and then going to the Configuration page again shows Sensei is up and running. Not sure if it is the OPNsense framework or Sensei page that is not polling for refresh of content/data...

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 30, 2019, 03:40:04 am
Great to hear that @JohnDoe17, thanks for letting us know.

@donatom3 hi,

Yes, it's also netmap related but a different issue. After many trials, I was able to reproduce your situation. Doing a ifconfig down/up seem to resolve the problem.

After Sensei 1.0, we'll have another dive at netmap. It's a great tool, but certainly needs some industry help to get to a super stable state.

@MB

I believe I just had one of the crashes again but looks like it reconnected on it's own. I noticed it while browsing my apple tv that streaming stopped working and my harmony showed it was offline then was online a few seconds later. This was in the main log file

Code: [Select]
2019-05-29T18:28:37 ERROR: Watchdog: Worker [0] failed to send heartbeat for 6 seconds
2019-05-29T18:28:37 ERROR: Watchdog: Killing Worker [0]
2019-05-29T18:28:37 CRITICAL: Sending TERM signal to worker pid 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: processing dead child: pid: 98083
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [pid: 98083] terminated with signal: 11
2019-05-29T18:28:38 CRITICAL: WaitWorkers: Child worker0, [new pid: 60913] re-spawned

And here is the matching time stamp from the worker log.

Code: [Select]
2019-05-29T18:28:38 INFO: Packet Processor [60913] started working
2019-05-29T18:28:38 INFO: Packet Processor [60913] sleeping a while since we're respawned
2019-05-29T18:28:50 INFO: Worker [pid:60913] Pinning to CPU #1
2019-05-29T18:28:50 INFO: Worker [60913] started working


If this was your fix it did it's job very fast. I wouldn't have noticed it unless I was doing some realtime traffic
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:22:00 pm
...overlay on the page says it is waiting for the service to startup. After 10 or so minutes, nothing happens on the page but vmstat in a shell suggest it is back up. Refreshing the OPNsense page and then going to the Configuration page again shows Sensei is up and running. Not sure if it is the OPNsense framework or Sensei page that is not polling for refresh of content/data...

@patcsy88, we have been reported a similar case. Now, it looks like, if the system is under load and not responsive enough, Sensei UI might be waiting for the response for a long time.

Thanks for your input, this would be helpful in diagnosing the root cause.

One question: I guess you have like 4 GB of memory. For how many devices are you running Sensei for?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:29:11 pm
If this was your fix it did it's job very fast. I wouldn't have noticed it unless I was doing some realtime traffic

Hi @donatom3, yes, chances are high that it might be fixing yours.

We implemented the heartbeat mechanism for any cases where packet engine might hang for more than 5 seconds.

If the main process senses that the packet processor process is not feeling well enough, it simply restarts the process.

This is to keep network availability high in case anything goes wrong.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:32:17 pm
One question: I guess you have like 4 GB of memory. For how many devices are you running Sensei for?

@MB only 4 devices with normal web browsing
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:38:27 pm
@MB only 4 devices with normal web browsing

@patcsy88, what does the following tell?

Code: [Select]
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
ps awxu | grep elastic | grep -v grep
ps awxu | grep eastpect | grep -v grep
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:44:24 pm

@patcsy88, what does the following tell?

Code: [Select]
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
-Xms2g
-Xmx2g

ps awxu | grep elastic | grep -v grep
elasticsearch  4875   2.2 46.6 3878304 1927928  -  I    08:22     74:00.13 /usr/local/openjdk8/bin/java -Xms2g -Xmx2g -XX:+UseConcM

ps awxu | grep eastpect | grep -v grep
root           7417   0.5  4.5 3094852  185100  -  S<   08:35      8:29.81 eastpect: Eastpect Instance 0 (eastpect)
root          66470   0.0  0.0 1270428       0  -  IW<  -          0:00.00 eastpect: Eastpect Streamer Instance (eastpect)
root          80093   0.0  2.2 1270428   92760  -  S<   08:35      0:04.70 /usr/local/sensei//bin/eastpect -D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2019, 04:50:50 pm
Code: [Select]
cat /usr/local/libexec/elasticsearch/config/jvm.options  | grep "^\-Xm"
-Xms2g
-Xmx2g

There it is. Edit this file, change these line to read:

Code: [Select]
-Xms512m
-Xmx512m

and stop/start elasticsearch service. You should be good to go.

For fresh installs we adjust this setting. Any chances you had a prior Sensei installation in this device?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 30, 2019, 04:57:50 pm


For fresh installs we adjust this setting. Any chances you had a prior Sensei installation in this device?

No it was a fresh install!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 31, 2019, 12:57:38 am
@patcsy88, got it. We'll have a check for that whenever sensei is update/installed.

How is the system doing after you adjusted Elastic memory?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: alelnr on May 31, 2019, 11:01:39 am
Hi All,
in our environment OPNsense 19.1.8 + Sensei 0.7, sensei cloud reputation is completely blocking OPNsense unbound DNS service. To allow unbound dns answer to queries on sensei protected interfaces, i had to disable cloud reputation service.
Thank you
Title: Re: Sensei on OPNsense - Application based filtering
Post by: patcsy88 on May 31, 2019, 10:17:05 pm
No it was a fresh install!

Running "ps awxu | grep elastic | grep -v grep" shows the following output:-

elasticsearch 18938  30.9 61.1 3897508 2528480  -  I    04:09       6:49.91 /usr/local/openjdk8/bin/java -Xms2g -Xmx2g -XX:+UseConc

"cat /usr/local/libexec/elasticsearch/config/jvm.options | grep 512" gives me

-Xms512m
-Xmx512m

I restarted ElasticSearch via the UI.

Is there a default setting it is picking up instead of from usr/local/libexec/elasticsearch/config/jvm.options?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 01, 2019, 03:13:01 am
Hi @alelnr, service should be restored as of today. This was due to a BGP configuration problem . Sorry for the inconvenience.

@patcsy88, that should be the file elasticsearch is getting the settings from. Let's try to reproduce the issue here. I'll update you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 01, 2019, 10:17:31 pm
Is Sensei available from the plugins section or do we need to do a CLI install? I would very much like to try it out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 01, 2019, 10:29:57 pm
Is Sensei available from the plugins section or do we need to do a CLI install? I would very much like to try it out.

Hi @spetrillo,

Thanks for your interest in Sensei. You'll need to install it from OPNsense CLI.

Please see here:

https://guide.sunnyvalley.io/sensei/getting-started/prepare-your-firewall
https://guide.sunnyvalley.io/sensei/getting-started/setup
Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 01, 2019, 10:41:17 pm
Thanks @mb.

What does Sensei replace?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 02, 2019, 04:25:58 pm
Hi @spetrillo,

OPNsense is already a great firewall. Nothing to replace indeed.

Sensei is augmenting the firewall with commercial grade next generation features like:


And yet many to come...

It integrates in such a way that it makes it possible for you to continue to use all of the existing OPNsense functionality.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 02, 2019, 04:37:27 pm
@mb does Sensei augment what Suricata brings to the table or are they aimed at totally different things. It seems to me there is overlap and I am trying to understand if I should use one or the other or both.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on June 02, 2019, 06:34:50 pm
They do different things but they overlap a bit.

Both do Deep Packet Inspection but with other targets.
Suricata is only an engine, you have to select the rules yourself to reach your target.
You can use abuse.ch SSL Blacklist to block known bad Certificates or ET Pro Trojan Rules to block and detect network traffic from trojans and many more. It's there to defend against known exploits, vulnerabilities and threats mostly. You can enhance it yourself by adding the right rules.

Sensei classifies Traffic into application + web categories and allows you to specify what to block.
For example block File-Upload/Sharing sites to enforce the policy that employees have to use your in-house file sharing system etc. which would be very hard to do using suricata.
As addition they provide a blacklist of sites they see spreading malware.

So I see it like this: Block known threats using suricata and use Sensei for defense-in-depth by disabling apps you do not need or do not want in your network.

Also sensei has usable reporting, suricata just shows alerts, sensei shows relations and also what is happening in your network even if it's not an alert.

Gesendet von meinem MI 9 mit Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: spetrillo on June 02, 2019, 07:05:56 pm
I would agree on what Suricata shows. I am actually trying to find some kind of front end that visualizes the Suricata data. Working with Elastic Search right to see where it can get me.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 04, 2019, 01:02:34 am
Is there a default setting it is picking up instead of from usr/local/libexec/elasticsearch/config/jvm.options?

Hi @patcsy88, it turns out that the correct jvm.options path should be:

Code: [Select]
/usr/local/lib/elasticsearch/config/jvm.options
Fix is also included in 0.8.0.rc2. Many thanks for bringing this into our attention.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on June 04, 2019, 06:08:42 pm
@mb

Looks like this issue wasn't completely resolved afterall...

Code: [Select]
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1) amd64
OPNsense 19.1.8 dff8692b8
Plugins os-arp-scan-1.1 os-ftp-proxy-1.0_1 os-sensei-0.8.0.rc1 os-sensei-updater-0.8.0_21 os-vmware-1.5
Time Tue, 04 Jun 2019 11:05:35 -0500
OpenSSL 1.0.2r  26 Feb 2019
PHP 7.2.18
PHP Errors:
[04-Jun-2019 11:02:51 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
[04-Jun-2019 11:03:24 America/Chicago] Exception: Cannot connect to 127.0.0.1 on port 4343 in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php:111
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Telnet.class.php(75): OPNsense\Sensei\Telnet->connect()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(155): OPNsense\Sensei\Telnet->__construct('127.0.0.1', 4343, 1, '', 0.5)
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php(138): OPNsense\Sensei\Sensei->runTelnetCommands('127.0.0.1', 4343, 'ballyhoo#Recons...', Array, Array)
#3 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(93): OPNsense\Sensei\Sensei->runCLI(Array, 'ballyhoo#Recons...')
#4 [internal function]: OPNsense\Sensei\Api\EngineController->cliAction()
#5 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'cliAction', Array)
#6 [internal function]: Phalcon\Dispatcher->dispatch()
#7 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#8 {main}
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 07:14:02 am
@JohnDoe17, got it, thanks for the update.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 04:24:07 pm
Hello Murat,

one question. The problem with the VLAN Interfaces should be fixed since two versions what i saw.
I'm on 0.8.0.rc1 and still have the same problem as in version 0.8.0.beta4.

Problem was described here in this topic -> https://forum.opnsense.org/index.php?topic=9521.msg55463#msg55463
Should this case also be fixed with the current version ?

Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 05:58:39 pm
Hi @BeNe,

Yes, you should be able to protect your VLAN interfaces now. You have two options:

1. If you add the VLAN parent interface to the protected interfaces list, then you should be all set. Sensei processes all VLANs as well as the untagged packets for that interface.

2. If you want to add vlan child interfaces one by one, you should also be able to do that provided that you do not add the parent interface at the same time. (due to a netmap issue). We also have a check in the UI for that.

I've heard from people running both of the options fine, though option number #1 should be more preferable performance-wise. Since in that mode we're using the netmap mode natively for a variety of interfaces (em, igb etc).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 09:41:22 pm
@mb Thank you for your answer.

If i add the VLAN parent interface to the protected interfaces list, all VLAN child are unable to connect to the OPNsense anymore. I can see entries in the Firewall Live-Log, that all packets are denied.
If i stop the Sensei Packet Engine everything works fine again and there are no more denied packets.

Is there something i can debug ?
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on June 05, 2019, 10:01:30 pm
@mb Thank you for your answer.

If i add the VLAN parent interface to the protected interfaces list, all VLAN child are unable to connect to the OPNsense anymore. I can see entries in the Firewall Live-Log, that all packets are denied.
If i stop the Sensei Packet Engine everything works fine again and there are no more denied packets.

Is there something i can debug ?
Thanks
Bene you're only adding the parent interface right?

I had this problem before when adding both parents and vlan.

Sent from my Pixel 3 XL using Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 10:11:44 pm
Yes, ONLY the parent interface. One interface at all is added.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 10:19:12 pm
Hi @BeNe,

A few questions:

1. I'm assuming you're on the latest 0.8.0.rc1, correct?
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same?
3. Which ethernet adapter are you using? Intel, Broadcom or any other?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 05, 2019, 10:52:18 pm
1. I'm assuming you're on the latest 0.8.0.rc1, correct? -> Yes
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same? -> Still the same
3. Which ethernet adapter are you using? Intel, Broadcom or any other? ->Intel

OPNsense is running inside a KVM (Virtual Maschine on a Proxmox Host).
The WAN Interface is a Intel Card with PCI Passthrough directly to the VM
The LAN is virtual Network Interface

(https://i.ibb.co/tcnX7Jy/block.png) (https://ibb.co/tcnX7Jy) (https://i.ibb.co/n1gwh6f/bypassed.png) (https://ibb.co/n1gwh6f) (https://i.ibb.co/yqvRm94/lan.png) (https://ibb.co/yqvRm94) (https://i.ibb.co/G7GGVJn/interfaces.png) (https://ibb.co/G7GGVJn)

There is the traffic blocked on the "LAN" interface from 172.16.50.0/24 that is normaly on VLAN_50.
On the LAN is 172.16.17.0/24. Of course is this traffic source blocked on that interface. Did i missed something that i need to adjust ?


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 05, 2019, 11:07:55 pm
Hi @Bene,

I think there is something else in your configuration that needs attention. I'll reach out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on June 07, 2019, 01:23:11 pm
Hi Murat,

thanks for your help! I changed my interface from "em" to "igb" as you said.
Now it works.

So i can confirm a problem with "em" interfaces. In my case, i let the "igb" interface  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 07, 2019, 05:46:38 pm
Hi @BeNe,

Thank you very much for your update. Now it's clear for me.

When an interface is opened in netmap mode, ARP packets destined for vlan child interfaces do not make its way to their destinations.

This seems to be fixed in FreeBSD 11.2-stable.

We'll sponsor another round of netmap work which is specifically focused on fixing known problems.

For now a bit of advise who are using Sensei or Suricata (IPS mode):

1. Last thing I'd want would be to endorse a brand/model, however for us, igb(4) based adapters seemed to be the ones which gave the best results in terms of reliability / performance (with regard to netmap support).

2. If you're using igb(4) and experiencing high interrupt utilization, you can set:

    a) hw.igb.rx_process_limit: -1 (default is 100)
    b) machdep.hyperthreading_allowed: 0

We've seen these settings help improve the performance for igb(4) based systems.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 11, 2019, 11:09:18 pm
Dear Sensei users,

Sensei 0.8.0 Release Candidate 2 is out. This marks the final step into releasing 0.8 and towards 1.0

This version is also available for an update for 0.7 users.

Change log is as follows:

Enjoy :)

Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: adel_xf on June 14, 2019, 01:18:30 pm
Hello,

I tried to go with Sensei, when selecting the network interfaces I have no interface proposing networks.

My OPNSense configuration:

OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s May 28, 2019

OPNSense is a VM Proxmox
2 virtio network cards
100 GB disk
8 GB of RAM

I tried both versions of Sensei (0.7, 0.8 ).
Thank you for your attention.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: adel_xf on June 14, 2019, 01:37:37 pm
I tested the following command that seems to work your opinions?

Code: [Select]
opnsense-update -fbkr 19.1.4-netmap
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 14, 2019, 06:25:41 pm
I tested the following command that seems to work your opinions?

Code: [Select]
opnsense-update -fbkr 19.1.4-netmap

Hi @adel_xf,

Many thanks for giving Sensei a try. OPNsense created 19.1.4-netmap kernel to integrate the latest improvements and bug fixes including the Sunny Valley sponsored virtio/vmx work.

It should be ok to use that. However make sure you're not missing anything important with the newer stock kernels

After Sensei 1.0, we'll do another round of netmap work to complete upstream netmap import process.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 15, 2019, 11:51:56 am
Hi MB, I am facing few issue after updating the sensei package.

1. Do not see deployment size above 25 (Using routed mode)

2. Disabled the health check in previous version and now if i enable it then do not see the save options. Disabled / grayed out.

3. Email reports not working: After update it generated the report once and it was working i.e. showing the result but after that one report didn't receive any new email.
If i reenter the mail server details and click test then it is working and sends  a notification email. but do not receive the report email generated at night.
Also why it happens i.e. if i test email and save it. Then refresh the page and retest it, it just give me an error:
Your mail configuration is invalid!
Response: (535, '5.7.8 Authentication rejected')
Meaning we can only test it once and then save details and leave it that way. It works and emails works, but why receive error when try to test again until we reenter the password before clicking the test.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 15, 2019, 10:45:04 pm
Hi @manjeet,

Thanks for the report.

Looks like #2 and #3 are buggies. We fixed them today. Should be arriving with 0.8 release next week.

#1, if your RAM is 4GB, this is the expected behavior, since we were reported of swap utilization with deployments of around 70-80 users and 4GB RAM.

So we thought that it would be safer to restrict deployment size to 25 users or less if the device has 4GB of memory.

If it's not the case for you, then it's probably a browser issue. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 17, 2019, 06:41:22 am
Hello MB,

As per your email and post, here are the details you asked:
1. Did you udpate from 0.7 or from an earlier 0.8 beta/rc?
---> Updated from 0.7
2. How much memory do you have?
---> 8GB
3. Which browser are you using? Anything changes if you switch to Google Chrome?
---> Chromium
4. Does your email account password include any special characters e.g. "&" ?
---> It does contains special characters
5. What happens if you invoke the report manually ? command is as follows:
---> Command ( /usr/local/sbin/configctl sensei mail-reports) gave me OK and received the email report

Update: Ever since i reconfigured the email reporting from Saturday (IST), i am receiving the report email. I think i must be the update which somehow messed something.
b> My System is Intel Core i5-7400 CPU @ 3.00GHz with 8 GB RAM and 8 GB SWAP.
c> I use Chromium. But tested it on Google Chrome and firefox and deployment size is still the same.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on June 17, 2019, 03:19:47 pm
Hi @mb,

Can you tell us if/when users/groups will be implemented within Sensei?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: ruffy91 on June 17, 2019, 08:34:51 pm
For comparison I get the following throughput with/without sensei on a pcengines APU3A4:
The interface is just the LAN interface which is a igb NIC without VLAN or LAGG.

Without Sensei 250/50 Mbps
With Sensei 140/40 Mbps

I enabled some security features of sensei and I blocked the malware Web category.

I do not use any other features which do have an impact on throughput like IDS or traffic shaping.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on June 17, 2019, 11:41:06 pm
@ruffy91, it's good that enterprise addon even works on APU3A4s CPU(and on top of that - it's free). If you want fluent Sensei, remember few things: full blown Xeon or desktop i5-7 CPU, 8 ram, SSD. For energy efficient platforms will always be heavy performance loss.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 18, 2019, 04:00:08 am
@thg0432, yes, currently working on it. We'll provide more info on the timing and details early next month.

@manjeet, glad that your problem with the e-mail report is resolved.  it looks like re-configuring the e-mail server settings proved to be a workaround.

However, for the root cause, if anyone out there who has upgraded from 0.7 and experiencing the e-mail reporting problem, we'd like to dig together.

Regarding deployment size, it looks like that sometimes physical memory size is reported less than exact 8GB (e.g. 7.8GB). So we've adjusted the minimum threshold a bit to accommodate that case.

We'll ship 0.8 release tomorrow morning PST. Hopefully it will resolve your situation.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on June 18, 2019, 09:40:32 am
Hi,
some questions about sensei:
- is it possible to use  an existing elasticsearch instance on a dedicated server?
- if it's possible, can I use one elastic-server for two opnsense instances (failover-setup)?
- where can i get information about using sensei on a corporate network? Prices?
Best
Marc



Title: Re: Sensei on OPNsense - Application based filtering
Post by: aimdev on June 18, 2019, 11:03:08 am
Issues I encountered after installing Sensei included web interface locking up, and unable to access opnsesne via ssh. I could still interact with the console. After this occurred i had to uninstall the plugin.
Hopefully the information that the plugin sent back to sunnyvalley will provide insight into my web/ssh issues.

I have the same issue, no access to ssh (an operational requirement) however by enabling bypass mode I can access ssh.

I am running the latest beta version, downloaded today.

Fine Tuning the Remote access option (tediously disable all except the Secure Shell option) gets access back.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 18, 2019, 11:05:42 pm
Fine Tuning the Remote access option (tediously disable all except the Secure Shell option) gets access back.

@aimdev, many thanks for the feedback. I guess the confusing thing is we also have a "ssh" application under "General TCPIP" category. We're fixing this with the upcoming 1.0.

@marcri,

For the main database, you cannot use an external database at the moment. Though premium subscription is offering an option to stream reporting data to an "additional" elastic search database via either syslog or native elasticsearch REST API. 

From time to time we get this request. I guess we should start planning on having the database on an external system. When we do that, it should be trivial to have one elastic instance (either clustered or not) serving many Sensei deployments.

Imagine you're an MSP serving multiple clients or you are a corporate having multiple OPNsense deployments. With such a setup, you should be able to have an aggregate big picture view of whole assets in a centralized system. This way, you could also benefit from Kibana and other 3rd party reporting tools.

Today we're releasing 0.8. Next month, we'll ship 1.0, integrated with OPNsense; and with the details of Premium subscription. Stay tuned :)




Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 19, 2019, 02:38:53 am
Dear Sensei users,

After six months of ongoing effort & field testing, it's our pleasure to announce that Sensei 0.8 is finally released.

For some of you who were using 0.7, this version brings quite a loaded set of features:
https://www.sunnyvalley.io/post/sensei-0-8-is-released

We will be releasing Sensei 1.0 next month, in July 2019, which will also cease the BETA program and the software will be publicly available for all users.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on June 19, 2019, 02:33:45 pm
Wow! This is great! One of the bests and most wanted missing feautures added to our belowed opnsense firewall. Sensei is one of a kind software for sure! Keep up the good work! :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 20, 2019, 02:30:08 am
@Archanfel80,

Many thanks for your feedback. With its open, flexible, extendable architecture; and its great community of users, we love working with OPNsense.

We will do our best to keep adding more value.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on June 20, 2019, 06:21:47 am
HI MB, everything works fine as mentioned after the update.

Now i have 1 issue and 1 feature request (If its not already there)

Issue: I am not able to update sensei package from command line when using the autoupdate of opnsense i.e. option 12. Same thing happened when i upgraded from 0.7 and now same for yesterday's update. I can only update sensei package from sensei dashboard in web gui.

Feature: Is there any way to for an single or multiple websites / app / category to only put in alert mode. For example if i want my network users to allow access to certain websites but also want to know who access the website or protocol and when AND for specific blocked contents i.e. when someone tried to access it and rather then looking for access logs or block logs just simply have a different tab for alerts only to check easy and fast. I know we can filter it on reports but it will be easy to have an alert tab for both allowed and blocked for that specific alert mode. AND Can we also send alerts via email ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on June 20, 2019, 09:27:21 am
Just a quick report about an issue what i see.
If you installed sensei from the cli first while in the beta and updated since then for some reason the search data not deleted and consumed the disc space after the final 0.8 upgrade. I cant delete the date from the webui it just says simply 'error'.
I cant figured out why but removed the sensei completely, deleted the '/usr/local/sensei' folder and reinstall sensei from the plugins. Now everything works and the disc usage reduced dramatically. So if you're like me, so installed sensei while in the beta probably the best to backup the config remove sensei, delete the sensei directory, reinstall sensei and restore the config which is restore your custom sensei settings.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on June 20, 2019, 11:25:11 am
will do a reinstall of sensei 0.8 too
looked at the /usr/local/sensei directory - mine was about 44 gigabytes - most of it in /usr/local/sensei/log/archive
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 21, 2019, 12:14:57 am
@Archanfel80, @the-mk,

With regard to archived logs, you can use the following commands to get rid of very old logs:

find /usr/local/sensei/log/active -type f -mtime +15d  | xargs rm -f {}\;
find /usr/local/sensei/log/archive -type f -mtime +15d  | xargs rm -f {}\;


Sensei health check system should have had this handled. Looks like a commit which did not end up in the release. Will integrate for 1.0.

For the elasticsearch data, along the way to 0.8, we changed the naming scheme for the indexes. This should be the reason why some indexes were not purged.

We'll also handle that with 1.0. For now, the workaround would be resetting reporting data (Sensei -> Configuration -> Reporting & Data) (be aware: this will delete all reporting history).


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 21, 2019, 03:54:26 am
@manjeet,

Currently, we're locking the os-sensei package. This is why OPNsense autoupdate do not update Sensei package. This was done for the period of integration to the OPNsense and for a more controlled software delivery. Lock will be removed shortly and Sensei will get updated along with other OPNsense packages.

Your feature request sounds cool; though we'll need to think a bit more on the correct implementation and also try to see how many other users would also be interested in this feature.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on June 28, 2019, 04:28:12 pm
Sensei has detected swap was usage high (21 -- 13831872% usage) and has shut down Sensei services in order to prevent a network outage.

Any suggestions for my case?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 28, 2019, 05:40:31 pm
Hi @bulmaro,

The reason is most likely Elasticsearch consuming all memory and OS begins swapping. When the OS does swapping overall system performance is significantly degraded and this in turn affects Sensei doing its job.

To avoid a connectivity problem, we shut down Sensei with a warning like this (numbers seem weird, need to look at that)

How many devices do you have behind sensei and what is your hardware configuration?

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements

This will give you an overview of the recommended HW configuration according to the size of your deployment.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: bulmaro on June 28, 2019, 09:37:11 pm
I have two servers
physical equipment with 30 connected clients, equipment characteristics:
CPU 3-2105 CPU @ 3.10GHz (4 cores)
RAM memory: 8GB

Azure server, 3 clients connected
CPU E5-2673 v4 @ 2.30GHz (2 cores)
4GB RAM

it's exactly the same message for both
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 28, 2019, 09:43:46 pm
@bulmaro,

Thanks for the swift reply. These configurations look perfectly ok for the deployment size. Let me reach out to you; and we can have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2019, 01:28:22 am
These configurations look perfectly ok for the deployment size. Let me reach out to you; and we can have a look together.

Dear Sensei users,

Out of @bulmaro's case, I think it's important to give a heads-up on this:

The hardware recommendation we provide is calculated based on the fact that the system runs OPNsense with Sensei. We did not take other services which might be already running on the firewall (IDS, Proxy etc.) into consideration.

We highly recommend that you also oversee the requirement of those services and do your own sizing according to that.

In @bulmaro's specific case, 1/2 of the memory was already consumed by the squid service. And the system was swapping even Sensei and Elasticsearch were not active.

@bulmaro, many thanks for your help to diagnose the issue.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 01, 2019, 06:42:14 am
@MB

Not sure if this has ever been brought up. It's something I've seen for a while.

On any of the live session explorers or drill down of traffic if I do a whois for the record that is the domain name it always only resolves the top level domain. For example US.lgtvsdp.com does a whois for domain COM thus always giving me the same result for any .com address.

Shouldn't it be doing the whois query on the second level domain?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on July 01, 2019, 07:44:22 am
Hi @MB,

Few days back we had power issue and after that "Elasticsearch" is not working. I have tried start the service many times, rebooted and tried but didn't work. "Sensei Packet Engine" is working.

I have tried "Perform health check for indices" and it kind of stuck and does not do anything. "You can erase reporting data" option is grayed out. I also tried to run these command from terminal and got the error:
1. /usr/local/sensei/scripts/installers/elasticsearch/delete_all.py
2. /usr/local/sensei/scripts/installers/elasticsearch/create_indices.py
ERROR: ***ERROR: Connection could not be established with elasticsearch server.**

Also tried reset the package but it didn't fix the issue. Haven't delete / uninstall and reinstall the package yet. kindly help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 01, 2019, 11:13:51 pm
@donatom3, checking that one.

@manjeet, "Reset reporting" will be enabled even if Elasticsearch is not running. Fixing for 1.0.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on July 02, 2019, 02:52:03 pm
@mb

I was wondering if there's a setting for rotating the logs that are in /usr/local/sensei/log/archive ?  or is that something that needs to be cleaned out manually? 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2019, 07:24:47 am
@donatom3,

You're right. Currently we run the whois query the for the whole FQDN. We should be doing for the domain part only. Fix is implemented today and shipping with 1.0.

@thg0432,

Engine logs older than two weeks are to be automatically deleted. 0.8 had a glitch doing the actual delete. Fix is implemented for 1.0.

In the meantime, you can get rid of them by running this command:

find /usr/local/sensei/log/archive -type f -mtime +15d  | xargs rm -f {}\;
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zyon on July 03, 2019, 10:36:11 pm
Just installed Sensei and just awesome.
All i need in one application :)

For my information sensei work with squid ? if yes it's possible to use it like a proxy server ? ( for mobile for example )

Thanks for your hard work :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2019, 04:15:42 am
hi @zyon,

Thanks for your feedback. Glad that you found Sensei useful for you. All welcome.

Sensei plugs kind of transparent to the system. So it does not change the way other services like Squid are operating.

I think I did not completely get your question.

Do you want to learn if Sensei can act like a proxy, for instance, for caching?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: manjeet on July 04, 2019, 06:20:02 am
Hello @MB, Is there any way to bypass a user from sensei filter
OR
More accurately for my case, bypass anyone which goes from a particular gateway.

Actually, i have 2 ISPs which are in load balancing mode on opnsense, i want anyone connected to gateway 2 to just bypass any filters or blocking or logging.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 09, 2019, 02:30:29 am
Hi @manjeet,

Actually, i have 2 ISPs which are in load balancing mode on opnsense, i want anyone connected to gateway 2 to just bypass any filters or blocking or logging.

I believe - in your case - the outbound route selection is done randomly and not through a policy decision based on source IP address, am I correct?

If that is so,  and it's not something related to the source IP/network address, I'm afraid there is no way we can correlate the user with the outbound ISP. This is because we jump into the scene way too early, without routing/NAT'ing logic comes into the scene.

If it's source IP related, it's possible, and along with user/group based filtering, this is one of the features of the premium edition:

https://help.sunnyvalley.io/hc/en-us/articles/360025173953-Sensei-Editions
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 10, 2019, 01:34:29 am
@mb

This probably isn't Sensei since it affects Suricata to. But since I upgraded to 19.7 RC1 suricata won't start because it can't find my interface and Sensei says no interface selected in the status page. I can change to any of my interfaces and they all say the same.

Here is a portion of the worker thread when I started this morning. From it it looks like everything points to netmap being the issue. I started a thread in the 19.7 release candidate forums about it. Just a warning to anyone relying on Sensei.

Code: [Select]
2019-07-09T07:38:49 INFO: Packet Processor [39794] started working
2019-07-09T07:38:49 INFO: Worker [pid:39794] Pinning to CPU #1
2019-07-09T07:38:49 INFO: Worker [39794] started working
2019-07-09T07:38:49 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:38:49 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:38:49 INFO: Created a new Worker Instance pid: 39794
2019-07-09T07:38:49 INFO: Requested Single Threaded Stack
2019-07-09T07:38:49 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:38:50 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:38:50 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:38:50 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:38:50 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:38:50 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:38:50 INFO: Initializing for BRIDGE Mode
2019-07-09T07:38:50 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:38:50 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:38:51 INFO: Packet Processor [19965] started working
2019-07-09T07:38:51 INFO: Packet Processor [19965] sleeping a while since we're respawned
2019-07-09T07:39:03 INFO: Worker [pid:19965] Pinning to CPU #1
2019-07-09T07:39:03 INFO: Worker [19965] started working
2019-07-09T07:39:03 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:39:03 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:39:03 INFO: Created a new Worker Instance pid: 19965
2019-07-09T07:39:03 INFO: Requested Single Threaded Stack
2019-07-09T07:39:03 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:39:04 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:39:04 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:39:04 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:39:04 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:39:04 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:39:04 INFO: Initializing for BRIDGE Mode
2019-07-09T07:39:04 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:04 ERROR: Failed Initializing Interfaces, bailing out
2019-07-09T07:39:05 INFO: Packet Processor [18480] started working
2019-07-09T07:39:05 INFO: Packet Processor [18480] sleeping a while since we're respawned
2019-07-09T07:39:17 INFO: Worker [pid:18480] Pinning to CPU #1
2019-07-09T07:39:17 INFO: Worker [18480] started working
2019-07-09T07:39:17 INFO: License file /usr/local/sensei//etc//license.data not located (No such file or directory) assuming FREEMIUM
2019-07-09T07:39:17 INFO: Created Syn Filter Context Table [mask: 16383]
2019-07-09T07:39:17 INFO: Created a new Worker Instance pid: 18480
2019-07-09T07:39:17 INFO: Requested Single Threaded Stack
2019-07-09T07:39:17 INFO: Inline operation mode selected! Bridging br1 (netmap@igb1 <-> netmap@igb1^)
2019-07-09T07:39:18 INFO: Created Enrichment Service @127.0.0.1:4343
2019-07-09T07:39:18 WARNING: loadUserCache: file /usr/local/sensei//userdefined/db/Usercache//userauth_cache.db is not a regular file
2019-07-09T07:39:18 INFO: Number of Queues for interface: igb1: 2
2019-07-09T07:39:18 INFO: LAN: igb1[igb1] Queue: 0, #Queues: 2, Packet Device: Netmap
2019-07-09T07:39:18 INFO: WAN: igb1^[igb1], Queue: 0, #Queues: 1, Packet Device: Netmap-Host-Bridge
2019-07-09T07:39:18 INFO: Initializing for BRIDGE Mode
2019-07-09T07:39:18 CRITICAL: Failed to create LAN interface (igb1:0(igb1:0): 6(Device not configured)
2019-07-09T07:39:18 ERROR: Failed Initializing Interfaces, bailing out
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 10, 2019, 02:19:07 am
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new (https://forum.opnsense.org/index.php?topic=13436.msg61861#new), I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on July 10, 2019, 08:25:06 am
Hello,
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.
Best,
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 10, 2019, 10:48:28 am
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new (https://forum.opnsense.org/index.php?topic=13436.msg61861#new), I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.

MB,

Looks like Franco saw my post and sees that a merge for the ring size didn't make it to the 19.7 netmap kernel.

https://forum.opnsense.org/index.php?topic=13436.msg61879#msg61879

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 10, 2019, 06:52:06 pm

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.

@donatom3, perfect. Thanks for your help. This would cause some headache.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 11, 2019, 01:27:59 am
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.

Hey Marc,

Yes, it is possible. In Web Controls menu, put the whitelisted URL in a user defined custom category. And mark the category as allowed.

Than you should be good to go.

More info:

https://help.sunnyvalley.io/hc/en-us/articles/360025100393-Web-Control

Look for User Defined Categories.

Title: Sensei on OPNsense - Spelling errors
Post by: aimdev on July 12, 2019, 12:54:22 pm
Configuration, select Bridge mode.

Please select the interface paris from below boxes to create your protected L2 pridge

change paris to pairs
change pridge to bridge
Title: Enhancements?
Post by: aimdev on July 12, 2019, 12:56:23 pm
1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net
Title: Re: Enhancements?
Post by: mb on July 12, 2019, 08:25:52 pm
change paris to pairs
change pridge to bridge

1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net

Hi @aimdev,

Thanks for the corrections. They had been fixed for 1.0.

You should be fine putting domain.com into a user defined category and it should also match subdomain.domain.com.

Didn't it work for you?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: aimdev on July 12, 2019, 08:31:29 pm
I didn't try it as the UI seemed to intimate a site (www.google.com)   not a domain, (google.com)
Can you confirm that entering google.com will work, or does it need wildcard character/regex?
Tks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 13, 2019, 08:43:57 pm
Hi @aimdev,

Yep, it should work that way. Just put google.com there and it'll match all subdomains.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 17, 2019, 04:29:45 am
Anyone experiencing any issues with VMware deployments?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 18, 2019, 04:14:19 am
@mb

So after the upgrade to 19.7 release I was able to change my tunables back to 4096 for rx and tx.

Here is the issue. And I've seen this on a few upgrades with no changes but firmware or sensei upgrades.

After the unit reboots after the upgrade I can reach the firewall until Sensei's engine starts. At that point it drops all traffic on my protected interfaces. I've been keeping an unprotected interface that I can easily swap to for these times. All I have to do to fix this is to disable "Enable engine heartbeat monitoring". Once I do packets start flowing again and I can re enable it without issue. I'll pull the worker logs and send them to you if that helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on July 18, 2019, 01:58:09 pm
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 18, 2019, 05:23:53 pm
quote author=opnip link=topic=9521.msg62264#msg62264 date=1563451089]
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
[/quote]

same error on my setup
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 18, 2019, 07:05:00 pm
@opnip @malac, thanks for the pointer. Having a look at it.

@donatom3, please go ahead and e-mail the logs to me. Does that happen in every reboot, or was it after the 19.7 upgrade reboot?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 18, 2019, 09:05:12 pm
Hi MB,

where can I configure the retention time for the worker logs? Shouldn't they be compressed somehow?
On my system the worker logs takes about 13GB ...

Thanks and best regards,

    Space
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 20, 2019, 03:05:49 am
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 20, 2019, 12:04:03 pm
@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 20, 2019, 12:18:09 pm
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?

great!!
does it also fix:
Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Space on July 20, 2019, 01:25:31 pm
@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?

Yes, it's fixed now ... I just checked and it only kept the last 14 days ... now it's using only 2GB ...

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: biomatrix on July 21, 2019, 03:49:58 am
I just registered to post this (as opposed to on github)
the 0.8.1 hotfix fixed the first error I was having - now I get this error :

(http://i.imgur.com/z4S9ymY.png) (https://imgur.com/z4S9ymY)

my settings are :

(http://i.imgur.com/kkh7oWv.png) (https://imgur.com/kkh7oWv)


I have restarted the device - I have reset the config - I have uninstalled and reinstalled 0.8.1.

let me know if there is any other steps or information I need to proceed.

EDIT : had the #'s of the versions wrong.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 21, 2019, 12:52:16 pm
@opnip, @malac, @space,

A hotfix release 0.8.1 is available fixing these problems. It also fixes a compatibility issue with OPNsense 19.7.

You can update your installation through Sensei -> Status -> Check for updates. An update should have been reported already.

@space, can you check whether old logs are pruned?


great!!
does it also fix:
Scheduled reports could not be generated. Probably elasticsearch service is not running or not working properly. Please check elasticsearch service manually.

i still get this error after upgrading to 0.8.1 (occuring since upgrade to 19.7)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 22, 2019, 11:33:56 am
How can I return to version 0.8.0? I upgraded to version 0.8.1 and found it unstable. Now I want to go back to version 0.8.0. How do I change it? Many thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 22, 2019, 09:20:08 pm
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

I'd appreciate if you can share the these oddities so that we can address them.

For now we are aware of:

1. elastic search stopping - so scheduled reports not generating
2. engine not being able to open interface in netmap mode
3. UI not recognizing already selected interface

These seem to pop up in limited use-cases, still trying to understand the exact root causes.

We'll reach out to @malac, @biomatrix to diagnose.

@fiterzs, you can do (thorough OPNsense shell)

Code: [Select]
service eastpect onestop
pkg unlock os-sensei
pkg remove os-sensei
fetch https://updates.sunnyvalley.io/repo/All/os-sensei-0.8.0.txz
pkg add os-sensei-0.8.0.txz
pkg lock os-sensei

But I'm not sure if the problems you're seeing are related to 0.8.1 since there are very minimal changes. I'm inclined to think that they might be related to sensei -> 19.7 compatibility. Would be happy if you can report back if anything is better with 0.8.0.


@space, glad that logs are pruned now. With 1.0 we are disabling log archiving at all. Logs will hold very minimal disk space.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 23, 2019, 04:58:33 am
Hi MB
Thank you for your help, but when I run this command, System prompted to find the file.

fetch: https://updates.sunnyvalley.io/repo/All/os-sensei-0.8.0.txz: Not Found
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 09:01:48 am
@fiterzs, please try again. 0.8.0 should be there now. But I'd suggest you try the recently released 0.8.2 since this has an important fix that might be responsible for some weirdness.

If you've uninstalled os-sensei, just type

# pkg install os-sensei

and it'll install 0.8.2.

If you still want to revert back to 0.8.0 you can do so by resuming the commands batch i've shared earlier.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 09:10:16 am
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

Dear Sensei users,

Issues which arose after 19.7 upgrade seem to be the result of OPNsense python 3.7 migration. Removal of unused Python 2.7 modules caused issues since they were required by some Sensei scripts.

We just released 0.8.2 addressing this. While you're upgrading to 0.8.2 missing python dependencies will be automatically installed.

Sorry for the inconvenience this might have caused.

Please feel free to share any further problems you've encountered.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: fiterzs on July 23, 2019, 11:38:15 am
Hi Mb
Thank you for your help
 now I am back to version 0.8.
It still looks stable at the moment, I will try version 0.8.2 later, thank you
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 23, 2019, 08:48:39 pm
@fiterzs, glad to hear that worked for you.  Feel free to try at your convenience.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: abraxxa on July 23, 2019, 10:23:03 pm
0.8.2 still doesn‘t start for me on 19.7.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 24, 2019, 02:31:54 am
0.8.2 still doesn‘t start for me on 19.7.

@abraxxa, just sent a private message to you. Let's have a look at it together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on July 24, 2019, 08:02:33 pm
Ok, looks like in some cases people still experience some more 19.7 compatibility issues that need attention

Dear Sensei users,

Issues which arose after 19.7 upgrade seem to be the result of OPNsense python 3.7 migration. Removal of unused Python 2.7 modules caused issues since they were required by some Sensei scripts.

We just released 0.8.2 addressing this. While you're upgrading to 0.8.2 missing python dependencies will be automatically installed.

Sorry for the inconvenience this might have caused.

Please feel free to share any further problems you've encountered.

Scheduled Reports are working now with 0.8.2! Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: abraxxa on July 24, 2019, 09:20:08 pm
mb fixed the issue on my OPNSense 19.7 running Sensei 0.8.2 by dis- and enabling Cloud Reputation & Web Categorization and saving the configuration.

The /usr/local/sensei/log/active/main_20190724T000000.log logfile showed the error:
Code: [Select]
019-07-24T20:54:57 ERROR: CloudReputationNodeManager:loadNodes: cannot access file /usr/local/sensei//db/Cloud//nodes.csv: No such file or directory
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 25, 2019, 03:28:51 am
mb fixed the issue on my OPNSense 19.7 running Sensei 0.8.2 by dis- and enabling Cloud Reputation & Web Categorization and saving the configuration.

@abraxxa, thanks for your help to diagnose this.

Sensei users,

After 19.7 migration and even after you update Sensei 0.8.2, if you cannot start sensei engine, please follow these steps:

 

This will trigger a configuration re-write and previously failed scripts will re-configure the necessary configuration files.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: thg0432 on July 29, 2019, 03:13:41 pm
hey @mb,

You mentioned you had some updates on potential Users/Groups due out this month...any word on that by chance?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2019, 10:10:07 pm
Hi @thg0432,

Yep. With 1.0, you'll start seeing user information being reported in reports. We can now poll users from OPNsense captive portal authentications.

On this occasion, a little update on 1.0 release schedule:

Due to 19.7 integration efforts, 1.0 release schedule got delayed by 10 days. Currently running latest integration tests. If all goes well new ETA is this Thursday.

Also you can expect to hear more on Premium Subscription and the related launch schedule later this week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on July 31, 2019, 11:16:59 am
Will there be an option to add external sources of Thread Intelligence to sensei?

Like new URL's or IP's to block?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2019, 06:23:55 pm
Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Csykes27 on August 01, 2019, 06:34:32 am
I am having an issue when I reboot the firewall and it reloads I get the following error and it will no longer pass traffic.

Starting elasticsearch
s: /usr/local/sensei//output/active/*.ipdr: No such file or directory



Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 01, 2019, 07:16:11 am
Hi,

SNMP-Traffic (161/UDP) seems to be categorized as Quic protocol / Streaming.


Best
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on August 01, 2019, 08:35:59 am
Hi @l0rdraiden,

You can now do custom categorization with the help of Web Controls -> User Defined Categories. I'm guessing you'd need a bulk adding functionality for this to happen.

Would that work if we added a bulk list add functionality to User Defined Categories?

Hi @mb,

Yes adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL for example from this websites.
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfblockerng does in pfsense but is able to remove duplicates and many other options like apply the lists only to certain ports, etc.
https://www.netgate.com/resources/videos/pfblockerng-on-pfsense.html

BTW the cloud threat intelligence that you add for bad sites or ip's is based on free lists or paid?

Why don't you include TSL inspection in the freemium version? at least for home use.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on August 01, 2019, 01:23:11 pm
Regarding pricing premium Version: are you sure it is on a monthly basis, or yearly?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 02, 2019, 12:56:44 pm
Hi @all,

how can I block TLS-encrypted Traffic on Port 80 with Sensei? Or should Squid do it? See attachment...


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 12:27:18 am
I am having an issue when I reboot the firewall and it reloads I get the following error and it will no longer pass traffic.

@cykes, I'm reaching out to you. Let's investigate this together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 01:03:48 am
Hi @l0rdraiden,

Sensei's Cloud Threat Intelligence is proprietary and commercial.  License permitting, we're also utilizing few lists from the community.

Many thanks for the clarification. Technically, it would be trivial for us to utilize these local lists. The thing is we need to be careful about the licenses under which these lists are distributed.

I guess if the lists are not distributed by the sensei package itself; but instead sensei utilizes already downloaded lists, this should be permissible. We'll have a look at this.

We're indeed evaluating the option to have TLS for up to some number of users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2019, 01:08:39 am
Hey Marc,

We'll look into SNMP/QUIC identification.

Quote
how can I block TLS-encrypted Traffic on Port 80 with Sensei? Or should Squid do it? See attachment...

Actually, this is some roadmap item which we call "Protocol anomaly detection". With this feature, you'll be able to lock specific ports to some allowed protocols/applications.

So now, we have a POLL:

Which protocols/applications would you like implemented first?

https://www.surveymonkey.com/r/YCMNBGN

Title: Re: Sensei on OPNsense - Application based filtering
Post by: jjanzz on August 05, 2019, 04:21:54 pm
If I try to update Sensei (engine version 0.8.0) to the stable release, it throws the following error:

Code: [Select]
OPNsense version later than 19.7.2, activating Sunny Valley Networks Sensei packet repository via "os-sunnyvalley"...Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sunnyvalley' have been found in the repositories
Repo package "os-sunnyvalley" installation failed!
***ERROR***

This is on OPNsense 19.7.2

EDIT: I was able to install the engine version 1.0, by removing os-sensei and reinstalling it via the package tools. Though, sensei-updater continues to throw the same error.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2019, 04:57:23 pm
@jjanzz, many thanks for the heads-up. Lookin into it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2019, 08:06:46 pm
Thanks to @jjanz, we were able to spot the cause.

It's because of the fact that we don't -yet- have a os-sunnyvalley package for OPNsense LibreSSL. We have a workaround for this for now, and will be shipping it shortly.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 06, 2019, 04:11:54 am
Dear Sensei users,

We're super excited to announce that Sensei 1.0 for OPNsense is finally out and available for everyone to enjoy.

This release is considered stable and marks the end of the BETA program. We’d like to take the time to convey our gratitudes to all beta users for testing the software and giving feedback to us.

A special thanks go to the OPNsense team for their precious time & help in integrating the software to OPNsense.

During BETA period, product received very quality feedback from the community and improved a lot. We're looking forward to continuing the collaboration and providing more value to the community.

Comparing to 0.8.x, below are the features that are introduced with 1.0:


More information on Installing, Updating:

https://www.sunnyvalley.io/post/sensei-1-0-out



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2019, 04:14:46 am
Yes adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL for example from this websites.
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfblockerng does in pfsense but is able to remove duplicates and many other options like apply the lists only to certain ports, etc.

Hi @l0rdraiden, a quick update on this. We've decided to bring this functionality to the freemium edition of sensei.

Will post another update on the timing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 07, 2019, 09:33:12 am
Hi,

installed Sensei today (latest version 1.0.1) on my OPNsense and wondering, why some manual filters work and some not?

I've created a new "User Defined Category" inside "Web Controls" called "Mac-Warez" and added the following three mac warez domains to it:

cmacapps.com
macwarez.net
nmac.to

UPDATE: As I'am writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 07, 2019, 03:38:23 pm
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2019, 09:30:59 pm
UPDATE: As I'am writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

Hi Marcel, not indeed. Restart should not be required. New configuration is handed over to the packet engine on the fly.

Though we're fixing an issue which might cause occasional problems for the rule reload. Can you test with the upcoming 1.0.2? (should arrive this week).

@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 07, 2019, 11:24:14 pm
Hi mb,

sure, will give it a try with the upcoming version 1.0.2, thanks for the fast answer and all the best.

Marcel
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 08, 2019, 04:02:29 pm
Quote
@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.

thx very much!

by the way. there are a few css classes in sensei that need to be customized!
i think you didn´t use the default css classes of opnsense.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mty620 on August 09, 2019, 05:37:41 am
Does Sensei have similar feature?

Shella List has a URLs where you can:

1. Search what category a specific URL falls under. so I see that "porn.com" category "porn/domains"

    http://www.shallalist.de/search.html

2. submit or revise URLs

    http://www.shallalist.de/search.html

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2019, 04:48:46 am
@opnsenseuser, we'll be revisiting css/jscript codes.

@mty620, not yet. Both are on the roadmap. #2 should be coming up sooner.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2019, 10:05:30 pm
Dear Sensei users,

We've just released 1.0.2 to address below issues and introduce a few enhancements:

Enjoy your weekend :)

- Sensei team

Note: The fix for LibreSSL install/update is temporary. In the coming week, we plan to deploy a separate repo for the LibreSSL build.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 11, 2019, 01:27:42 pm
@opnsenseuser, we'll be revisiting css/jscript codes.

Thx. If you need help just ask!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ctr on August 11, 2019, 05:06:11 pm
I have two VLAN-related issues with Sensei (installed via plugin selection on "fresh" 19.7.2). My internal network "Trust" is on ix1 (native VLAN / untagged) and I have some special zones as tagged VLAN also on ix1 which are represented as ix1_vlan2 and so on in OPNsense.

When "protecting" Trust (the main interface) in Sensei, I have intermittent packet loss for about 3-4 seconds, every 10-15 seconds. No data is seen by Sensei (according to live view and reports) at all.

When trying to select Trust and a DMZ I get an error message:
"You cannot protect both parent and its child VLAN interface"
Technically OPNsense doesn't really see them as parent and child interface though, at least the report always shows sth like interface "ix1_vlan2" and vlan "0" when activated *on a VLAN interface only*.


It seems to work fine though when only "protecting" VLAN interfaces without the main interface. Only the interface naming is not consistent: for some of my VLANs the "friendly" name is displayed (i.e. "DMZ" or "voice") for some the subinterface name, i.e. ix1:3


This could be observed both with versions 1.0.1 and 1.0.2

Unrelated to the VLAN issues:
My RFC1918 IP address range 172.17.2.0/24 is recognized to be from Australia in the Geo IP view (Top Destination Locations Heatmap).
"Network interfaces" on the status page is not showing what is configured. Sometimes it shows nothing, sometimes an interface that has not been configured.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Marcel_75 on August 11, 2019, 08:31:43 pm
Hi,

thx for the update, also checked the behaviour again – but this time not with my "Mac-Warez" blocking sites, but with an own whitelisting area:

Sensei | Web Controls | User Defined Categories

"Whitelisted-Sites"

I've added all these sites to have the Ookla Speedcheck from https://www.speedtest.net/ working (not sure if all of them are needed for the Speedtest, but with the help of the uMatrix-plugin I could see they are accessed when you open speedtest.net)

1    *.cdnst.net    
2    *.cronon.net    
3    *.gtt.net    
4    *.ooklaserver.net    
5    *.speedtest.net    
6    *.wittenberg-net.de

But again it was only working like expected after a complete restart of my OPNsense …  :-\

Not a big issue for me, as it's fine if it's working as expected after a restart, but of course it would be nicer if these filters will be active when you change them without an extra restart …  ;)

PS: Strange, it worked after the restart – but as I was posting this, now it's not working again, Firefox can't open the site.

So it was working for some minutes after the restart but is now blocked again by Sensei? (if I switch sensei off, it's working fine … tested this of course)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 12, 2019, 04:10:32 pm
@opnsenseuser, we'll be revisiting css/jscript codes.

Thx. If you need help just ask!

@mb one more thing

for popup´s you also need to use the original opnsense classes. so it´s easier for the sensei plugin to work with all themes. see my screenshots! thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:25:37 pm
Hi @ctr,

Thanks for the detailed feedback and trying out Sensei.

If you do not have a preference, we suggest you have the main interface for the VLANs. When you configure the main interface (e.g. ix1 in your case), it will be effective for all of the VLANs on this interface.

Because of a netmap-bug we deliberately prevent both parent/child interfaces configured at the same time.

Can we have a look at your installation? Non-routable IP addresses shouldn't be enriched with GeoIP data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ctr on August 12, 2019, 09:27:12 pm
I tried to add ix1 (on it's own). This is the situation where I have significant packet loss as Sensei is enabled.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:28:38 pm
1    *.cdnst.net    
2    *.cronon.net    
So it was working for some minutes after the restart but is now blocked again by Sensei? (if I switch sensei off, it's working fine … tested this of course)

Hi Marcel,

Thanks for the update. Can you try them without the leading "*." characters? That might be the thing. cdnst.net/cronon.net should match for all subdomains.

If it's not working, just PM me so that we can have a look together. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:29:29 pm
@ctr, ah, this is a bummer. I'll PM you so that we have a look at it together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 12, 2019, 09:32:15 pm
for popup´s you also need to use the original opnsense classes. so it´s easier for the sensei plugin to work with all themes. see my screenshots! thx

Yep, we'll need a work there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: samsonmcnulty on August 13, 2019, 06:28:20 pm
@mb any chance you'll provide a lifetime pricing model that would work to provide some of the more advanced features to home labbers with a small number of users instead of the monthly subscription model?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 13, 2019, 10:19:34 pm
Hi @samsonmcnulty, thanks for your interest. Can't promise for a lifetime licensing, but we'll make sure we provide a "home" edition, which will have a relevant affordable pricing as soon as we have some progress with the current offering.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: seitzbg on August 14, 2019, 01:52:49 am
Trying to install Sensei 1.0 on OPNsense 19.7.2 and it will not let me pick the WAN interface to protect.  Any ideas?

(https://img.bsd-unix.net/screenshots/user1/611143de0.png)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 14, 2019, 03:01:52 am
Hello,

I recently installed Sensei in my home environment, here is my experience with it so far and thoughts/requests for the product.

Sensei does not seem to install properly on LibreSSL with the current fix (v1.0.2) as os-sunnyvally plugin is unavailable and does not get installed. Also after selecting the LAN interface, even though it is in the selected list in the configuration tab... Sensei packet engine fails to start indicating that you must select at least 1 interface and no Cloud nodes are listed in the status page as well as no selected interfaces. After switching back to OpenSSL, installing the os-sunnyvalley plugin and doing a factory reset in Sensei, I was able add the LAN interface and Sensei then works as expected.

While talking about interfaces, I am unable to add my VPN (WireGuard) interface to Sensei successfully. Once added the status page says that there are no interfaces selected and the cloud nodes are also no longer listed, however the Sensei packet engine continues to run. I created an interface (OPT1) and assigned (wg0) network port to it with no additional settings, and this is the interface that I added to Sensei with no success. Are there plans to add support for assigning a WireGuard VPN interface within Sensei?

So far I am quite happy with Sensei's overall performance and the features that it provides, but I was hoping that it would completely replace my previous suricata/pihole setup that I had before for the LAN with one of the main functions being to block ads network wide. However I have noticed that the current ad blocking provided by Sensei does not appear to be quite as good when compared to the pihole, but it's hard to say for sure. Also since the VPN interface is currently unprotected, no VPN clients receive the benefits of Sensei as I did before with the pihole setup.

I did see the announcement of supporting community filter lists in a future update, so that will more then likely provide more ad blocking coverage along with providing additional block lists for other categories which will be great for the community edition.

Some nice things that I would like to see change would be to make the health checks based locally and to have an option to provide statistics back to Sunny Valley. I don't see why these checks need to be run/verified on a remote Nagios server. I believe most cpu/memory/disk checks... etc. can be run on the local server via either a local script and/or using Monit for these checks and alerts.

I'm sure this is probably in the works, but adding a widget for Sensei Status would be great to be able to have a quick look available right from the OPNsense dashboard.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 16, 2019, 05:04:13 pm
Trying to install Sensei 1.0 on OPNsense 19.7.2 and it will not let me pick the WAN interface to protect.  Any ideas?

Hi @seitzbg, thanks for trying out Sensei.

We filter out the WAN interface. Reason is Sensei grabs the packets after the network stack is done with them in the outbound packet flow.

In the practical sense, in case of NAT (nearly all of the use cases), when we deploy on WAN interface, we loose local IP address information.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 16, 2019, 07:14:16 pm
Hi @xpendable,

Many thanks for trying out Sensei and providing a detailed review. This is one of the things we love for making Sensei available in an open source community. We receive very quality feedback. I strongly believe quality feedback helps build great products.

Sensei does not seem to install properly on LibreSSL with the current fix (v1.0.2) as os-sunnyvally plugin is unavailable and does not get installed....

We're building a separate repo for LibreSSL. As a workaround for now, 1.0.2 can install onto a LibreSSL deployment with the old method where we do not configure our repository with the help of a package.

Starting with 1.0.2, this workaround should actually be solving this. I'm guessing that you might have tried a bit earlier before we updated the getsensei script.

Quote
While talking about interfaces, I am unable to add my VPN (WireGuard) interface to Sensei successfully.

Can you try this command to see if you are reported any errors and packet transmission is ok during the test. Make sure sensei and suricata is not using this interface during your test.

Code: [Select]
# ifconfig wg0 up -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6
# /usr/local/sensei/bin/nmbridge -i netmap:wg0 -i netmap:wg0^

If you experience any problems here, then the issue here is netmap,  the I/O subsystem that we are utilizing to access the raw packets off the wire, and it does not play well with some interfaces. Last year, we sponsored a development effort to add support for virtio and vmx interfaces and this also came along with some reliability fixes.

Budget permitting, this year, we'll sponsor another development effort which will just focus on interface support and reliability fixes.

When it's done, I expect that more issues should have been addressed, including better interface support.

Quote
So far I am quite happy with Sensei's overall performance and the features that it provides, but I was hoping that it would completely replace my previous suricata/pihole setup that I had before for the LAN with one of the main functions being to block ads network wide.

We'll do a more thorough check with a special emphasis on ad blocking.

Quote
I did see the announcement of supporting community filter lists in a future update, so that will more then likely provide more ad blocking coverage along with providing additional block lists for other categories which will be great for the community edition.

Yep, we're looking forward to delivering this asap.

Quote
Some nice things that I would like to see change would be to make the health checks based locally and to have an option to provide statistics back to Sunny Valley. I don't see why these checks need to be run/verified on a remote Nagios server. I believe most cpu/memory/disk checks... etc. can be run on the local server via either a local script and/or using Monit for these checks and alerts.

During beta period, these statistics have proven to be lighthouses for us in spotting some issues. We have an open development item to make this optional.

Quote
I'm sure this is probably in the works, but adding a widget for Sensei Status would be great to be able to have a quick look available right from the OPNsense dashboard.

Yes, along with a more dynamic Sensei dashboard, this is in the works.

Again, thanks for taking the time to provide this detailed feedback.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 17, 2019, 03:34:43 am
Hi mb,

Per my main issue below, I disabled suricata, left the VPN unassigned in Sensei and tried to run the below commands. However the ifconfig command gave me an error straight away saying "ifconfig: -txcsum: Invalid argument".

Taking away any option such as -txcsum to start with -rxcsum results in the same error but on the next switch, in this case -rxcsum

So I'm guessing this is a netmap issue? fyi, I have OPNsense running in a VM on ESXi using the vmxnet3 vNIC. I have also enabled the following tunable (vmxnet3.netmap_native = 1) as I believe netmap was updated in v19.7 with support for this option.

Hopefully this can be resolved at some point as I would really like to protect the VPN interface using Sensei. Thanks for getting back to me and I look forward to future updates, especially the community filter lists ;D

UPDATE:
So I decided to do the nmbridge test even though the offload settings could not be disabled via the ifconfig command. See attached for the results, I did one test with an active VPN connection and one with no VPN connection.

Quote
Can you try this command to see if you are reported any errors and packet transmission is ok during the test. Make sure sensei and suricata is not using this interface during your test.

Code: [Select]
# ifconfig wg0 up -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6
# /usr/local/sensei/bin/nmbridge -i netmap:wg0 -i netmap:wg0^

If you experience any problems here, then the issue here is netmap,  the I/O subsystem that we are utilizing to access the raw packets off the wire, and it does not play well with some interfaces. Last year, we sponsored a development effort to add support for virtio and vmx interfaces and this also came along with some reliability fixes.

Budget permitting, this year, we'll sponsor another development effort which will just focus on interface support and reliability fixes.

When it's done, I expect that more issues should have been addressed, including better interface support.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 12:35:22 am
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

@mb menu problem solved!!
working on the "css code" fixes for sensei now!! this will come later this week!!

https://github.com/opnsense/core/pull/3653 (https://github.com/opnsense/core/pull/3653)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 07:30:14 pm
@mb I programmed the sidebar and I have tried sensei now. but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

@mb menu problem solved!!
working on the "css code" fixes for sensei now!! this will come later this week!!

https://github.com/opnsense/core/pull/3653 (https://github.com/opnsense/core/pull/3653)

@mb css code fixes for tukan and cicada
https://github.com/opnsense/plugins/pull/1456 (https://github.com/opnsense/plugins/pull/1456)

Everything is done.
One last css thing i found in the css code of sensei. i will tell you by email!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 18, 2019, 07:52:17 pm
@mb sensei widget would be great!!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 19, 2019, 06:28:42 am
UPDATE:
So I decided to do the nmbridge test even though the offload settings could not be disabled via the ifconfig command. See attached for the results, I did one test with an active VPN connection and one with no VPN connection.

Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, than all we need to do is check if this is a pseudo interface and it so, we won't try to disable offloadings. Than it should just work.

We're also giving wireguard a try here. Will keep you updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 19, 2019, 06:29:22 am
Hi @opnsenseuser, that's great news. Looking forward to your e-mail.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 20, 2019, 03:03:55 am

Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, than all we need to do is check if this is a pseudo interface and it so, we won't try to disable offloadings. Than it should just work.

We're also giving wireguard a try here. Will keep you updated.


Hi @mb,

I did a quick test during the netmap command in which a website loaded correctly, google news was checked, and I even played a youtube video with no issues.

I would imagine that it is a pseudo interface as by default WireGuard does not show up as an actual interface under interfaces within OPNsense. I manually create a new interface in OPNsense under interfaces and assign "wg0" to it, and then enable that newly created interface with no other settings because the IP address is already being assigned by WireGuard. This allows me to see the netflow/insight data for the VPN connections, because by default the "WireGuard" interface that is shown in netflow/insight always shows no data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 21, 2019, 03:50:00 am
Hi @xpendable,

Thanks for further analysis. This tells us that a wireguard interface can be used with netmap. That's very good news.

We did a quick wireguard install. Looks like it's a tun interface instead of a tap interface. If it was tap, than if would be as easy as tweaking the offloading settings, since tap is identical to a virtual ethernet interface.

tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on August 22, 2019, 04:15:37 am

tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.


Hi @mb,

That's great to hear, thanks for looking into this and putting it on the roadmap. Just another great feature to look forward to in Sensei ;D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donald24 on August 22, 2019, 07:34:56 pm
I am new to Sensei - I have just installed it and I wander around the menu.

Is it normal that there are no web-categories in web-controls, no entries in app-controls and security? I cannot even add something in security or app-controls?

Thanks for clarification!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 22, 2019, 08:23:29 pm
Hi @donald24,

Many thanks for trying out Sensei.

This is not normal. Can you PM a screenshot of your screen to me? Also please share a screenshot of "Lobby -> System Information"

Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on August 23, 2019, 02:55:12 pm
Hi Murat,

is there a bug?
Code: [Select]
[23-Aug-2019 14:33:30 Europe/Berlin] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:335 - Undefined offset: 50 (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:85
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(335): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Undefined offse...', '/usr/local/opns...', 335, Array)
#1 [internal function]: OPNsense\Sensei\Api\EngineController->licenseAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'licenseAction', Array)
#3 [internal function]: Phalcon\Dispatcher->dispatch()
#4 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#5 {main}

Best
Marc
Title: Re: Sensei on OPNsense - Application based filtering
Post by: h311m4n1 on August 23, 2019, 03:22:16 pm
Hello,

Been an OpenSense User for a few months now, switched from pFsense. Love it so far.

Maybe like others here, I'm a cryptocurrency enthusiast and I need to strengthen the security of my machine where my wallets run on. I'm planning on moving it to a separate VLAN and authorize only specific ports for the wallets that need them. I want no web trafic on it. However while checking the traffic to list the ports I need to let through, I see two of the wallets I have (which are multiasset) use 443 and I want to avoid just opening 443 on that VLAN.

Where I work we use a PaloAlto firewall and the application based filtering is really handy. I just discovered Sensei and I'm playing around with it. I assume you could let 443 through for a specific application.

One question: is there a way to add custom application to the app control that aren't in the list?

I think this answers it: https://help.sunnyvalley.io/hc/en-us/articles/360025098033

But still wanted a confirmation.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 24, 2019, 07:13:03 am
A quick follow-up on @donald24's issue: It looks like having ntopng on the same interface messes things up. When he moved it to another interface & re-installed everything back to normal.  Thanks @donald24 for helping diagnose the issue.

@marcri, we had an update on the licensing API, might be that this fell into the same window. It should be all ok now.

@h311m4n1, many thanks for trying out Sensei. User-defined application signatures are not here yet. This is one of the most wanted features, and will be implemented in near future.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yukaia on August 25, 2019, 10:01:59 pm
It appears that the CDN for Escape From Tarkov is being miscategorized as malware/virus and is therefore being blocked. Can we get this fixed? The URLs are as followed.

http://cdn-11.eft-store.com

Here's a download for the game launcher.

http://cdn-11.eft-store.com/LauncherDistribs/0.7.2.569_a332f4f4-2fcb-43cb-bc8a-cd0d1692a6a8/BsgLauncher.0.7.2.569.exe
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 26, 2019, 06:12:08 am
Hi @yukaia,  sure, done. In the meantime, you can whitelist this site from Web Controls -> User Defined Web Categories.

We'll be launching a web re-categorization feedback service soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on August 26, 2019, 08:20:15 am
@mb i replied to a few emails from your colleague! (html/css)
but i think he didn´t get my mails?
Any Problems on your/his email Server?

anyway..

1. i only found one margin problem in the sensei html/css code.
For the main color modification i made a pr on github for Tukan/cicada themes which will be released in the next opnsense Firmware update!
2. the active menu problem i fixed and i made a pr too. this is already merged. it will be also released in the next firmware update!

regards rené

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 26, 2019, 06:15:56 pm
Hi @rene, looks like they ended up in the spam box. I have them right now. Thanks.

We'll be incorporating the suggested change with the next upcoming release (1.0.3)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on August 27, 2019, 06:25:31 pm
quick questions:

I cannot see a feature to resolve local hostnames in reports.
"show hostnames" does not show me names, just ips.
In Reporting / Insights opnsense will show names when using reverse lookup.
Do I miss a setting for this? Or is this not implented yet?
All local users have static ips with

Furthermore is there any way to show in a simple report how long a local ip has used the internet each day; e.g. a chart / graphic ip online from 2pm till 4 pm on Monday, online 5pm till 8pm on a Sunday or something

Cheers
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 28, 2019, 12:56:44 am
Hi @sol,

I cannot see a feature to resolve local hostnames in reports.
...
All local users have static ips with

Sensei does an in-flight enrichment of ip addresses with hostnames when it sees a related DNS transaction. Or, in the case of local nodes, Sensei also keeps track of MDNS messages for this purpose.

If the IP addresses are not resolved to hostnames, my first guess would be that you're running a local DNS server and most of the DNS messages are transported without Sensei in the scenes.

We also do not do an in-flight explicit DNS call for IP address resolution because of performance reasons.

What we can do is during reports viewing, we could try to resolve the IP address, when you have your mouse on one of them in the charts or grid reports. Actually this is what we do for remote addresses currently, we can do the same for local addresses if we see that it's not resolved beforehand.

Would that work?

Quote
Furthermore is there any way to show in a simple report how long a local ip has used the internet each day; e.g. a chart / graphic ip online from 2pm till 4 pm on Monday, online 5pm till 8pm on a Sunday or something

Not yet. In the roadmap  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on August 28, 2019, 07:21:49 pm
Thank you mb.
I use unbound.
But only 1 local ip shows the hostname - even when I do not hover over it. See attachment.



Looking forward to the update on "online time". Will it be included in the free version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on August 28, 2019, 10:42:52 pm
I have installed opnsense 19.7.1 and installed sensei by guide on web.
In installation in SSH was all ok and success. In web gui all the settings were ok and after finishing and refreshing it says in status the service is not running. I correctly selected interfaces and all the settings.
When I click on start of service it says it does not have selected any interfaces, but they were selected in configuration!
HW is quad-core Xeon and 8GB RAM. It is VMWARE ESXI 6.7 virtual, but it should work.
I have also upgraded to actual production version which is 19.7.3

I have another installation where is opnsense 19.1 and it is running well.

Could you help me what is wrong ?

There is status screenshot included

Thanks very much
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 29, 2019, 04:47:08 am
Hi @sol,

This is most probably since Sensei was able to spot a dns transaction and get a hint for that IP. We'll introduce lookup of local IP's in the coming release (1.0.3).

We haven't yet thought about the edition of "online time" reporting.

As for @Wyrm's issue, it turned out that two python dependencies did not get installed although they are configured as the plugin's dependencies and the packages are available in the OPNsense LibreSSL package repository.

We couln't reproduce this in our lab.

Are there any other LibreSSL users  experiencing the same problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on August 29, 2019, 12:54:24 pm
Hi!
I have an error in my Logfile - every minute.
The strange thing is -> Sensei is complete disabled - but there are still jobs running ?!

There is also one with an Error:
Code: [Select]
Aug 29 12:46:00 configd.py: [5413e5ea-0d25-4052-8b5f-8d2a1f09b02b] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:46:00 configd.py: [5413e5ea-0d25-4052-8b5f-8d2a1f09b02b] captive login logout enrich
Aug 29 12:46:00 configd.py: [c12694fb-94c0-434c-8723-fefad2299514] check sensei engine health
Aug 29 12:46:00 configd.py: [c0c97d1e-9572-4363-9944-503805f19016] Runing periodical scripts
Aug 29 12:45:27 configd.py: [b1408ad6-4305-45ba-99aa-89785b7e1d38] view license
Aug 29 12:45:06 configd.py: [656dcab2-ba0a-4284-8bda-4eb63b4379e3] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:45:05 configd.py: [656dcab2-ba0a-4284-8bda-4eb63b4379e3] captive login logout enrich
Aug 29 12:45:00 configd.py: [6826b4d8-a469-4409-a06f-f9e2bae21679] check sensei engine health
Aug 29 12:45:00 configd.py: [0128a6ba-9005-4456-831c-8d5da47a1362] Runing periodical scripts
Aug 29 12:45:00 configd.py: [d9b4c8b8-6ffa-4a65-bbfc-1586848bc494] check sensei engine health
Aug 29 12:44:51 configd.py: [dfb2ad02-35ea-407e-839d-2c789acbd715] control services
Aug 29 12:44:29 configd.py: [a752df4d-1f04-4295-9e52-3aba5ddd37ea] check sensei updates
Aug 29 12:44:29 configd.py: [edbf53e3-085a-40ad-ab35-be0bcbccf271] view elasticsearch disk size
Aug 29 12:44:29 configd.py: [66a74d51-8631-4897-b52f-82e6d6cfebc6] control services
Aug 29 12:44:29 configd.py: [a76246b9-cbc1-40ac-816c-1cb8a6ffc2d8] check sensei ui version
Aug 29 12:44:29 configd.py: [2977d7e6-1d94-483f-9df6-3454b38f623c] check sensei db last modified
Aug 29 12:44:29 configd.py: [05bccd05-3e71-45fa-bb7f-79c365d8b60c] check sensei db version
Aug 29 12:44:29 configd.py: [275abcbd-a41b-4a55-aa04-b855946124fe] check sensei db last modified
Aug 29 12:44:29 configd.py: [cb42810a-74a8-4b3c-a5b3-30a06fbfbec4] check sensei db version
Aug 29 12:44:29 configd.py: [c636a48c-393a-4fcc-9ec8-821475effd62] check sensei last modified
Aug 29 12:44:29 configd.py: [6606bf25-295f-49d9-974c-3c45551f7d03] check sensei version
Aug 29 12:44:29 configd.py: [f66b94cc-138d-4a33-9d61-f0623205cd8f] control services
Aug 29 12:44:26 configd.py: [ebaf16ea-7086-4663-9e93-41268042a8a8] view elasticsearch disk size
Aug 29 12:44:26 configd.py: [b6248966-ac6d-4c33-ae11-86f3ef503415] control services
Aug 29 12:44:26 configd.py: [9b585355-19fd-4cfb-85a1-6a216f5ed7a1] check sensei ui version
Aug 29 12:44:26 configd.py: [d9b79260-5dfb-4b8f-b3e0-c69fe24d91ff] check sensei db last modified
Aug 29 12:44:26 configd.py: [bd339ddb-6073-407f-a17e-8318214e5b21] check sensei db version
Aug 29 12:44:26 configd.py: [77e95c98-9e7a-4186-8793-740dd19a654a] check sensei db last modified
Aug 29 12:44:26 configd.py: [9e789111-39b2-41b9-b85c-d4b00a42e771] check sensei db version
Aug 29 12:44:26 configd.py: [eaa3f74c-bb21-41a1-a7ed-678bbe16124c] check sensei last modified
Aug 29 12:44:26 configd.py: [4d463eb5-95d6-4437-a9c2-02326b8efdec] check sensei version
Aug 29 12:44:26 configd.py: [edc50189-fd8f-4e08-ad76-bb2843227fc3] control services
Aug 29 12:44:24 configd.py: [63f5b4df-30a0-4678-a0f2-a9e577bba2ed] check sensei updates
Aug 29 12:44:23 configd.py: [83b1e0cc-8cd6-42a0-a08f-d8ba551a4814] check hardware
Aug 29 12:44:22 configd.py: [061a0e97-d2ef-4859-885d-d80f82fb9b39] view license
Aug 29 12:44:00 configd.py: [af175a5c-bee8-4eab-93c2-d80969cbc6ff] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:44:00 configd.py: [af175a5c-bee8-4eab-93c2-d80969cbc6ff] captive login logout enrich
Aug 29 12:44:00 configd.py: [c043869a-d6ec-4a5e-9ed0-939262d08cce] check sensei engine health
Aug 29 12:44:00 configd.py: [e408fbac-3585-451f-97d6-0c8f02978f23] Runing periodical scripts
Aug 29 12:43:54 configd.py: [eede6a57-4704-4642-9e90-4337e9e4526e] request pfctl byte/packet counters
Aug 29 12:43:49 configd.py: [2baa7185-8ae9-4127-ab7c-9886ef7d10c8] request pfctl byte/packet counters
Aug 29 12:43:43 configd.py: [54f33596-62e2-43ec-89bd-3e1e809db62c] request pfctl byte/packet counters
Aug 29 12:43:00 configd.py: [f92788bb-fd0c-4177-a4f1-ad1f6568d204] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:43:00 configd.py: [f92788bb-fd0c-4177-a4f1-ad1f6568d204] captive login logout enrich
Aug 29 12:43:00 configd.py: [5c7c03be-071f-4914-b050-7895ce71974a] check sensei engine health
Aug 29 12:43:00 configd.py: [894347ec-50c4-4de6-85a3-3ef60b32c32b] Runing periodical scripts
Aug 29 12:42:00 configd.py: [735dad9a-a836-4f62-a8db-aaac917ea1bb] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/Sensei/userenrich.py' returned non-zero exit status 1.
Aug 29 12:42:00 configd.py: [735dad9a-a836-4f62-a8db-aaac917ea1bb] captive login logout enrich
Aug 29 12:42:00 configd.py: [e83fd212-4ac4-4da3-9347-a964882163b7] check sensei engine health
Aug 29 12:42:00 configd.py: [9b10878e-3fe5-4acf-9424-2c11e29a533e] Runing periodical scripts
Searched in the Forum, but threre was not hit with userenrich.py. Does anyone else have the same errors ?

My Versions:
Engine Version:   1.0.2
App DB Version:   1.0.3
Rules DB Version:   1.0.3

Versions   OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
LibreSSL 2.9.2

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 29, 2019, 07:12:48 pm
Hi @BeNe,

Batch jobs like userencricher (health check, updates check) continue to run in the background if you have Sensei installed. Stopping the packet engine just stops packet processing. Elasticsearch and background bookkeeping jobs will continue to run.

The duty of the Userenricher is to feed captive portal user/group information to Sensei so that it can map the ip addresses to users/groups.

In your case, you do not have Captive Portal enabled and this triggered this error (indeed a test code which tests this case),

Fixed as of now and for 1.0.3. Many thanks for reporting this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on August 29, 2019, 08:58:51 pm
Thanks for you quick reply and the fix in Version 1.0.3
The Status e-Mail is also sent out if Sensei is disabled (packet engine and elasticsearch)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 31, 2019, 04:04:34 am
Dear Sensei users,

We are aware of an issue affecting LibreSSL users. A few package dependencies, which are important for the operation of the plugin, do not get installed. This results in initial configuration being not written into configuration files.

As a workaround, for now, we advise that you install the dependencies manually:

Code: [Select]
pkg install py27-dnspython
pkg install py27-Jinja2
pkg install py27-sqlite3
pkg install os-sensei-updater

We'll issue the fix with 1.0.3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donald24 on September 02, 2019, 12:10:49 pm
Hi,

I have a problem after having upgraded to 19.7.3.

My configuration is still fairly out of the box, my LAN-side is using two separate VLANs next to its untagged main-traffic. I got notification, that my telephone is dead, my VOIP-vlan was not letting packets to the inside. I checked the VOIP-VLAN and no traffic was going to the internet. LAN was okay. I rebooted the firewall and afterwards I could not reach the firewall even from LAN-area anymore.
So I needed to hook the machine to a monitor and ran the uninstall steps, I have found in this thread:

Code: [Select]
service eastpect onestop
service elasticsearch onestop
pkg delete elasticsearch5
pkg delete os-sensei
rm -rf /var/db/elasticsearch/nodes/*

Though I remember that one pkg wasnt found, might be another name, but afterwards I had immediate access and running internet to all interfaces.

Is there still something missing for uninstallation? The configuration files is also having a lot of sensei parts in it, would I have to reinstall sensei, to run its uninstallation from the GUI, or is there even a manual way?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 02, 2019, 09:52:00 pm
Hi Donald,

Here are the manual steps to be able to remove Sensei from the system:

Code: [Select]
# service eastpect onestop
# pkg remove elasticsearch5
# pkg autoremove -y
# rm -rf /usr/local/sensei/
# rm -rf /var/db/elasticsearch/nodes/

On the other hand, I'm very much curious about what went wrong there. I'll be reaching out to you to see if we can have a look at your system together.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on September 03, 2019, 01:50:13 am
I also experienced the same situation as donald24 under 19.7.3. I lost complete access to the firewall and the Internet after running through the wizard. I had to stop service and uninstall the packages to reinstate connectivity.

I only have 4GB of ram on my OPNsense server so assumed I'm running into something related to that.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2019, 02:04:04 am
Hi @tusc,

Your case looks more like you have a netmap-incompatible ethernet device. Let's have a look at your system together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on September 03, 2019, 02:32:20 am
Really? I'm using a quad port Intel GigE card so wasn't aware this was netmap-incompatible:

Code: [Select]
root@OPNsense:~ # dmesg |egrep igb
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> mem 0xfe880000-0xfe8fffff,0xfe90c000-0xfe90ffff irq 27 at device 0.0 on pci1
igb0: Using MSIX interrupts with 5 vectors
igb0: Ethernet address: xx:xx:xx:xx:xx:xx:xx
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: netmap queues/slots: TX 4/2048, RX 4/2048
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 03, 2019, 02:40:50 am
Really? I'm using a quad port Intel GigE card so wasn't aware this was netmap-incompatible:
Code: [Select]
...
igb0: netmap queues/slots: TX 4/2048, RX 4/2048

Nope, you're right. Actually this is the best one in terms of inter-operability. I notice you have 2048 tx/rx descriptors.

Can you try setting tx/rx descriptors to 1024 and see if you still have the problem?

Code: [Select]
hw.igb.txd: 1024
hw.igb.rxd: 1024
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 09, 2019, 07:20:52 am
Dear Sensei users,

Some of you who uninstalled/re-installed Sensei might have noticed: with 1.0.2, we introduced a feedback form in which you could provide as a feedback for why you're uninstalling the plug-in.

Looking at the results, it looks like more than %80 of the time the reason is low hardware resources.

Seeing that, we have accelerated our efforts to be able to run Sensei on low-end devices (like 2GB RAM, embedded CPUs etc.)

Our test device is a Qotom having an Intel Celeron j3060 @1.60 Ghz. This device has a ubench score of 170.000. Looks like Sensei is running fine /w most of the reporting on this device.

We are wondering how your devices compare to our test device.

For those of you who could not run Sensei due to hardware limitation, any chances that you can run:

Code: [Select]
# ./ubench -c -s
on your device and report the results to us? You can PM me or shoot an e-mail to sensei at sunnyvalley.io. We need the cpu information and ubench single core cpu score.

Any help on this is greatly appreciated.


pS: OPNsense repo does not have ubench, you can download the binary from https://updates.sunnyvalley.io/downloads/ubench
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 04:26:33 pm
There is an issue with the interfaces since the latest opnsense upgrade. No matter if i select any interfaces sensei said: "You must select at least one interface to start or restart sensei service!" and the packet engine not start. Tried a complete reinstall of sensei, including deleting the corresponding part in the config.xml. It did not help.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 05:44:56 pm
Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install or this happens during a new install?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 07:29:25 pm
Hi!

It seems only the fresh install affected, or if i change the interface config in the exsisting one. That is also break something.

Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install or this happens during a new install?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 10:23:16 pm
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 10:30:31 pm
I had the 19.7.3 upgraded 19.7.4 now but same issue.

Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Archanfel80 on September 11, 2019, 11:15:28 pm
Its Solved!
Thank You for the help! :)
It was the libressl package issuse.

I had the 19.7.3 upgraded 19.7.4 now but same issue.

Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 11, 2019, 11:20:08 pm
@Arhanfel,

You're all welcome. For any LibreSSL users, who might experience the same, resolution is here:

https://forum.opnsense.org/index.php?topic=9521.msg64618#msg64618

1.0.3, which will ship next week, will also be solving this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on September 16, 2019, 09:46:56 am
Hi,

Does Sensei aim to supercede IPS in OPNsense?

I cannot run both (IPS and Sensei) as I use PPPoE on the WAN and cannot run both IPS and Sensei on the LAN.
Sensei looks awsome and provides amazing insights into the network traffic, but does it protect against emerging threats in a similar way to IPS using Suricata?

Thanks

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 17, 2019, 12:26:42 am
Hi @bunchofreeds,

With OPnsense, Sensei does not replace IDS. We recommend using both of them.

We have a solution for co-existing Suricata and Sensei on the same interface. Hope to ship the functionality this year. Basically we'll have a virtual device between Sensei and the IPS engine. We have initial thoughts to provide TLS decryption for the IPS engine through this integration.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on September 17, 2019, 06:17:38 am
@mb

Thanks for confirming that and I'm looking forward to you and your teams future efforts with Sensei.
It really is quite an excellent addition to the already amazing Firewall/Router/Swiss Army Knife OPNsense.

Thanks again for providing this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nullinger on September 17, 2019, 10:41:50 pm
Hello @mb,

i am on my third day with sensei, and i like it very much. Today, i tried to setup reports by mail and got some problems because the system sets "autoreports@sunnyvalley.io" as sender. As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.

Thanks !
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on September 18, 2019, 07:39:00 am
As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.
Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: karl047 on September 19, 2019, 09:55:37 am
Hi Murat, & thanks a lot for the good job with Sensei...
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, & I had tried Sensei, & it is really good.
One question please: (for Home Users): is there any plan for a good price with a premium subscription? because 499,00€ a year is too heavy with the small plan for 25 Devices! Another Firewall solutions are free for Home Users (or for a small price a year) with the most benefits of different policies & another Services like Sensei!.

Regards;

Karl
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lfirewall1243 on September 19, 2019, 11:22:01 am
Hi,

first of all i am very happy about the Sensei Plugin, its amazing :) Thank you.

But a integration of ClamAV or CICap would be very cool (if its possible).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 06:59:08 pm
As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.
Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.

@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 07:14:24 pm
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, & I had tried Sensei, & it is really good.
One question please: (for Home Users): is there any plan for a good price with a premium subscription?

Hi @karl047, many thanks for trying out Sensei and glad that you've loved it.

We have plans to have Home edition. We have a two step acion plan for this:

Step 1. We're currently working on a project, where we'll be able to make Sensei available to run on low-end devices (many home users seem to be running these). Initial tests look very good, we're able to run Sensei with reporting on a low-end Qotom device (Celeron J1900 @1.6GHz, 2GB RAM). Deciso's lowest-end device has a powerful CPU compared to this. So, when we're done with this project, theoratically, we should be able to cover nearly all of the x86-based hardware out there.

Step 2. Sunny Valley sales team is working on home-user licensing. Our aim here is to make it competitive and affordable.

As for timing, current plan is to have step 1 available by mid-October. Latter one, I guess it'll be early 2020.

And one more note: we're just starting, this is going to be a hell of a solution ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 19, 2019, 07:29:34 pm
Hi,

first of all i am very happy about the Sensei Plugin, its amazing :) Thank you.

But a integration of ClamAV or CICap would be very cool (if its possible).

Hi @lfirewall1243, many thanks for trying out Sensei and providing feedback.

You should be able to do this with Suricata + ClamAV. Did you try that? If so, what were you missing with the solution?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: BeNe on September 20, 2019, 04:55:48 pm
Hi Murat,

will you add the Status for Sensei Service and the Elasticsearch Service also to the Dashboard in future Version ?
Would be handy to have all need Services in the status Dashboard.

A cheaper Home-License for Sensei would be awseome! Btw. How do you calculate the exact amount of IP's in Sensei ?
Because my Unique amount of Host that i see in the daily e-Mail which i recieve from sensei has a range from 61 Host up to 74 Hosts. I never have that amount on host at home  :o  Maybe it has something todo with IPv6 and the temporary IPv6 addresses ?

Thank you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 20, 2019, 07:06:46 pm
Hi BeNe,

Yep, we'll be adding a widget to the OPNsense dashboard, it's in the roadmap.

It's the number of unique local IP addresses within a day. Since normally IPv6 is used dual-stack, we don't count IPv6 addresses for license.

To check, filter the connection reports for a day and filter TCP and UDP as the Transport Protocol.   (TCP6 and UDP6 implies IPv6, whereas TCP and UDP means IPv4 was being used)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: nullinger on September 22, 2019, 11:42:12 pm
@marcri, thanks for the feedback. @nullinger, then it looks like if you have just the username, we have an issue. We were just about to do a code freeze for 1.0.3. Good timing :) Looks like an easy fix.

That's true, i am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much !
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 23, 2019, 12:45:43 am
That's true, i am using a local mail relay which allows mail without authentication from specific IPs. Thank you very much !

Got it. All welcome. Fix is applied for 1.0.3. Final tests ongoing. Shipping mid next-week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 24, 2019, 12:52:08 pm
what might be wrong if the OPNsense dashboard diskusage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and zabbix report about 29G disk usage...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 24, 2019, 10:57:29 pm
what might be wrong if the OPNsense dashboard diskusage shows 29G of 115G while the status of Sensei displays a disk usage of 39 GB?
"df -h" and zabbix report about 29G disk usage...

Hi @the-mk,

Thanks for reporting this. Yep, this was a bug, which got fixed with 1.0.3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 25, 2019, 03:51:35 pm
thanks @mb

I'd like to ask again BeNe's question how the number of hosts is calculated - but for a different reason.

On my OPNsense host I have 7 different interfaces/networks (where one of them is the WAN interface), based on my Ubiquiti UniFi Management WebUI I have 50 different hosts connected to my switches and APs, while my daily mail report always shows a much higher number for the last 24 hours (around double the amount of hosts I have based on my UniFi information). And I do not understand why that number is so high.

Side informations:

which information do you need besides the lines above to explain the higher number of hosts reported by Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 25, 2019, 07:31:01 pm
Dear Sensei users,

It's our pleasure to announce the availability of Sensei 1.0.3 release.
This release comes with the below feature set.

You can update your Sensei through Sensei -> Status menu or through OPNsense updater.

What is new in Sensei 1.0.3

Application control & filtering

Reporting

Performance

Cloud Threat Intelligence

UI/UX

Misc


Enjoy,

Your Sensei team.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on September 26, 2019, 06:36:38 am
after upgrading to Sensei 1.0.3 the automatic report mail broke...
checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curios how the reverse dns lookup in report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
reporting of disk usage in status page looks better now!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on September 26, 2019, 01:51:00 pm
Thx for the new version 1.0.3

"Reverse DNS lookups for local IP addresses" translates some IPs into names in "Sensei -> Reports -> Connectios" e.g.
But not all IPs are translated into there names. Manual reverse lookup of IPs via dig or nslookup are fine.

Do Sensei need more time for reverse lookups?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2019, 07:40:08 pm
after upgrading to Sensei 1.0.3 the automatic report mail broke...
checked the settings and noticed that the connection security was set to no security (while I need SMTPS).
I am curios how the reverse dns lookup in report mail works... need to wait another 17 hours and 30 minutes to see it ;-)
reporting of disk usage in status page looks better now!

Hi @the-mk, sorry about that. Yes, since we changed the input method, you'd need to re-configure connection reports.

Let me write a detailed post about how we do reverse dns mapping for ip addresses.

Glad to hear that disk usage got fixed. I'll reach out to you for local host report.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on September 26, 2019, 08:00:09 pm
A small note on how we do dns enrichment for ip addresses:

Engine doing the mapping realtime:

Engine keeps track of all dns transactions that it can see flowing over itself. When it detects an IP address resolution (either an A/AAAA/CNAME or PTR), packet engine caches the IP addresses and the corresponding fully qualified domain name.

All charts/tabular reports and live session reports display this cached hostname when you view the reports.

UI doing mapping during reports viewing:

This applies to live session reports only: When you view a live session report, while you're browsing over records, UI runs a background job to see if a particular record has its hostname resolved. If it detects an unresolved IP address, it runs a background query to resolve the IP address via the name server you've configured on Sensei -> Configuration -> Reporting and Data.

@the-mk, since daily reports are making use of realtime cached hostname resolutions, newly introduced feature will not have effect on them. 

@opnip, you should see them being resolved, while you're walking your mouse over them. Does that happen?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on September 30, 2019, 10:34:18 pm
Thx for the hint. Yes, if i mouse over a IP address in "Live Sesssions Explorer" they would be resolved now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DeathWingMT on October 01, 2019, 01:50:53 pm
Hi I would like some guidance on how to enable the web filtering feature. I have disabled the Adult site category for testing purposes and pointed my DNS to the OpnSense box running DNSMasq as the DNS server. Unfortunately, the adult site still loads. The manual does not provide any details on how to enable the service from a clients perspective or whether HTTPS is also filtered.

Note that I am using VLANs and have added the physical port as a sensei protected interface
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on October 01, 2019, 11:47:02 pm
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 02, 2019, 07:37:11 am
exclude devices?

Hi,

is it possible to bypass/exclude internal devices from scanning? i.e. there are streaming devices like Amazon FireStick  or Roon Rock that have issues with content.

I'm settimg all filters to allow - there are issues
I'm settimg the sensei engine in bypass mode - there are no issues

OpnSense are running on LANNER hardware with Intel C2558, 8GB RAM and server SSD.

best regards,

Ralf
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on October 02, 2019, 02:38:28 pm
is it possible that the daily report mail is broken somehow since the upgrade to Sensei 1.0.3?
I've already checked the settings and performed to send a testmail (which arrived), as well as disabling and reenabling it did not help.
After the upgrade-process to Sensei 1.0.3 was successful one report mail arrived since then, but after that no more mails :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 02, 2019, 02:54:18 pm
@mb i thought atom c3558 is ok with sensei. but i get this (screenshot) if i try to configure sensei

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 12:20:08 am
Hi @opnsenseuser,

It should be ok for you. You can just click on "Continue" and install Sensei. Your CPU looks almost good.

With 1.0.3, we've introduced this cpu benchmark, where we are measuring how powerful the cpu is. This was the first step to the upcoming 1.1 release where we'll have an alternative methodology for providiging Sensei for low-end devices like Deciso A10 / APU systems.

So the upcoming release will use Elasticsearch as the database if RAM is at least 4GB and more and CPU ubench score is higher than 300000.

If the amount of RAM is below 4GB and CPU is less powerful Sensei will use Mongodb as the database backend.

This way, we will be able to provide Sensei for low-end systems where cpu and RAM resources are limited.

We're only days away from creating the first BETA. If anyone interested to try out before the release, just PM me  ;)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 12:24:29 am
... Unfortunately, the adult site still loads. The manual does not provide any details on how to enable the service from a clients perspective or whether HTTPS is also filtered.

Note that I am using VLANs and have added the physical port as a sensei protected interface

Hi DeathWingMT,

VLANs should be ok. HTTPS/QUIC traffic is also filtered. We'll add this to the manual and make it more specific.

On the other hand, We'd like to diagnose as to what is going on during filtering in your case. First guess is loss of cloud connectivity.

I'll PM you, then we can have a look together.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 02:17:16 am
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 02:22:59 am
@the-mk, let's do a check, we'll update you.

@Ralf_s, whitelisting according to ip/vlan/user is available in the premium subscription.  The thing that you're not having any issues when in bypass mode make me thing we need to have a look at this.

I'll PM you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on October 03, 2019, 01:43:55 pm
Unfortunately sensei chrashed after 3 to 5 days of usage:

Either is was high cpu usage or yesterday this happened:

Sensei has detected a problem during operation and has shut down Sensei services in order to prevent a network outage.

It is because we detected high SWAP (21 -- 13821280% usage)

I run sensei on OPNsense 19.7.4_1-amd64
Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz (4 cores)
8 GB Ram
and also use proxy and ips
Connection is a 100/40 mbit line
and there are about 10 users

Restarting sensei works though, it just crashes after 3 - 5 days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on October 03, 2019, 01:49:39 pm
And another question. How can I use sensei for my openvpn network. I cannot select it at the interface selection.

And local hostname resolution does not work for me or I'm not using the right configuration.
Opnsense runs unbound and dnscrypt proxy.

Which server do I have to use?
DNS server IP addresses to do reverse IP lookups:
127.0.0.1,192.168.1.1
is the current setup.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 03, 2019, 05:45:38 pm
@mb:
thank you for your answer. But the premium edition is to expensive for home use - only for the feature excluding IP addresses. I looking forward to your next releases. In the meantime, I'll use my Sophos XG home on an APU for transparent content/security filtering.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 06:19:33 pm
Hi @Ralf_s,

Thanks for the feedback. Sunny Valley sales team is working on home use. Expect an announcement early 2020.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 03, 2019, 06:56:15 pm
Hi @sol,

And another question. How can I use sensei for my openvpn network. I cannot select it at the interface selection.

They utilize tun interfaces, which Sensei does not have support at the time being. Support is planned for early 2020.

See: https://help.sunnyvalley.io/hc/en-us/articles/360025100613#no_tun

Quote
And local hostname resolution does not work for me or I'm not using the right configuration.
Opnsense runs unbound and dnscrypt proxy.

Which server do I have to use?
DNS server IP addresses to do reverse IP lookups:
127.0.0.1,192.168.1.1
is the current setup.

127.0.0.1 would be the best bet since I'm guessing it would be the best knowledgeable one in terms of local name resolutions.

When you open live session explorer and hover over src hostname fields,  you should see them being resolved, isn't it the case?

See: https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In terms of SWAP, normally this configuration should easily handle your scenario. Does turning off squid help? We have seen some cases where web cache was already using more than half the memory, so Sensei couldn't fit in.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on October 04, 2019, 01:53:12 pm
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?

Same problem here. Started after upgrading to version 1.0.3

WAN adapter: Intel
LAN adapter: tp-link
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on October 04, 2019, 03:37:00 pm
is it possible that the daily report mail is broken somehow since the upgrade to Sensei 1.0.3?
I've already checked the settings and performed to send a testmail (which arrived), as well as disabling and reenabling it did not help.
After the upgrade-process to Sensei 1.0.3 was successful one report mail arrived since then, but after that no more mails :(
strange... did not change anything since the last post, I didn't even reboot or something like that... but today I received a report... lets see what happens tomorrow...
is there somewhere a log that tells me that the mails were sent and I have a problem with my mailaccount?
mail is sent from a gmail.com address and received from a GMX address - but there was nothing in a spamfolder...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 05:39:11 pm
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 05:39:57 pm
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on October 04, 2019, 06:34:05 pm
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?

@mb, tp-link is re.
The firewall is running in production and I don't have another adapter at the moment. I disabled Sensei, as crashes are becoming frequent.

Is it possible to go back to the previous version?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ErkDog on October 04, 2019, 08:07:09 pm
Why does your website no longer load?  What's going on with this addon?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ErkDog on October 04, 2019, 08:08:30 pm
Fix your DNS Please - https://puu.sh/EoNKU/6320b7e5d5.png
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 04, 2019, 08:36:15 pm
@ErkDog, website is operational. DNS is working. Might be a local problem on your side.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on October 09, 2019, 11:54:59 pm
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Tubs on October 12, 2019, 04:38:53 pm

Somehow Sensei is not filtering on my machine. But I cound not yet figure out if it is because of LAGG interface, running squid webproxy or IPv6 GIF tunnel.

I started here before I found this thread.
https://forum.opnsense.org/index.php?topic=14649.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ralf_s on October 12, 2019, 06:38:46 pm
Hi MB,

creating a new interface for a child wifi and installing SENSEI again as a content filter fonly for this interface and block the categories "child porn", "adult", "pornography" and some more. Connecting with an iPAD, switching to private mode in safari and searching for "porn" at google. 60% of listed results are accessible. The rest are blocked by the Sensei splash screen.

Are the content filter under development? What about the other categories?

best

Ralf
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on October 24, 2019, 10:47:40 pm
Sorry if this has been answered before, I havent read all 38 pages. Sensei is working pretty good, very detailed reporting. I have a few questions about the plugin.

When browsing the session explorer, I wanted to block a website directly from the session explorer, is it possible block single websites without blocking the whole web/app control from the session explorer ? 
Is it possible to bulk import websites into the "white/black-list" ?
Can I add my own webcontrols/appcontrols ?
Redirect to the "block page" doesnt work when connecting over https. Do I need TLS inspection for this ?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:10:27 am
@Ralf_s,

This looks like the result of a combination of factors:

With increasing number of Sensei users, 2 weeks ago, we experienced a performance issue, which persistent 2-3 days. This looks to be overlapping the time you experienced the problem.

In the Free Edition, the blocking feature is limited to 20 Million sites. If the queried site does not fall in this cloud, the site is not blocked.

If Sensei cannot correlate the hostname to the connection it's inspecting, (i.e. missing dns transaction) it wouldn't block.

But for your case, looking at the ratio and the nature of your particular test, I'm guessing the first one might be the primary problem.

For the second item, with 1.1, we're changing how we are handling the free/paid database queries. Since we could not measure if we really missed a site or it was a limitation of the free edition; we've removed the site limit and it'll be unlimited. The differentation of will be based on the number of web categories blocked.

For the third item, 1.1 does send a cloud query even after later stages in the connection (i.e. when TLS SNI seen, HTTP Hostname is seen etc.). So this allows the engine to be able to have further policy decision even if the cloud answer does not come very fast and early in the connection.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:12:09 am
@Tubs,

Yes, that's because of the lagg interface. Since it's a software interface, netmap cannot find any hw rings. Solution is that we're introducing the option to be able to protect lagg/bridge members interfaces (which are real interfaces with hw/sw rings).

This functionality is coming with 1.1. When that ships, go to Sensei -> Configuration -> Interface Selection. There you'll see "Unasigned" interfaces. Select the ones which constitutes your lagg / bridge, and you should be good to go. For the lagg interfaces, you might want to select an algorithm which does a symmetric load balancing - i.e. avoid roundrobin).

1.1 is scheduled for early November.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:19:34 am
Hi @actionhenkt,

When browsing the session explorer, I wanted to block a website directly from the session explorer, is it possible block single
websites without blocking the whole web/app control from the session explorer ? 

Good catch!. We'll add this to the upcoming release. Hopefully will ship with 1.1.

Quote
Is it possible to bulk import websites into the "white/black-list" ?
Can I add my own webcontrols/appcontrols ?

Not yet. Both roadmap items.

Quote
Redirect to the "block page" doesnt work when connecting over https. Do I need TLS inspection for this ?

Correct, since TLS session preceeds the HTTP session. Yes, with TLS, this would be possible.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 25, 2019, 12:29:24 am
Dear Sensei users,

Some good news from a super-busy month working on the upcoming 1.1 release. Here are some of the major goodies that are shipping with 1.1.

The most notable one is the support for low-end devices. We're now able to install on low-end devices with weak CPUs and with memory as low as 2GB. Yes!, with reporting.

Please find the detailed list below.

We're targeting early November for the release.

In the meantime, just PM me if you'd like to test drive before it's made publicly available.

What will be coming up with Sensei 1.1

Better low-end device support

More interface support

New Cloud Servers Infrastructure goes live

Reporting
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 25, 2019, 09:18:34 am
Dear Sensei users,

Some good news from a super-busy month working on the upcoming 1.1 release. Here are some of the major goodies that are shipping with 1.1.

The most notable one is the support for low-end devices. We're now able to install on low-end devices with weak CPUs and with memory as low as 2GB. Yes!, with reporting.

Please find the detailed list below.

We're targeting early November for the release.

In the meantime, just PM me if you'd like to test drive before it's made publicly available.

What will be coming up with Sensei 1.1

Better low-end device support
  • Support for low-end devices with weak CPUs. Try Sensei on your Deciso A10 / Pcengines APU devices: Yes! with reporting :)
  • Minimum RAM requirement lowered to 2GB

More interface support
  • lagg(4) and bridge(4) interface members can be protected now

New Cloud Servers Infrastructure goes live
  • New less-latency cloud servers for US-West, US-East, Asia and Australia regions
  • New web category/threat intelligence database
  • Improved/faster cloud query mechanism
  • Better availability
  • Status screen now shows uptime in a prettier format

Reporting
  • Reporting Performance Improvements (Reports load faster (a lot faster ;))

great news :-) an sensei widget would be also great! thx regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on October 25, 2019, 09:32:46 am
Great!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 12:44:56 am
great news :-) an sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on October 29, 2019, 02:53:28 am
great news :-) an sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?

network interface with the throughput
(as a scale of time of possible)

maybe...
recent security blocks
(no idea yet if in graph or test)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 05:29:38 pm
I guess throughput is already available in OPNsense widgets?

Quote
recent security blocks

Got it. Any other ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on October 29, 2019, 05:58:56 pm
great news :-) an sensei widget would be also great! thx regards rené

Hi rené,

What would you like to see in the widget?

maybe some of the status informations of sensei as widget?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on October 29, 2019, 06:16:12 pm
Quote
maybe some of the status informations of sensei as widget?

Good idea. Got it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 03, 2019, 04:30:12 am
Dear Sensei users,

We've made release 1.1 available for LibreSSL users. LibreSSL flavor users can now do a fresh install for / update to Release 1.1.

Tests underway for OpenSSL flavor. Hope to ship this one on Tuesday.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mow4cash on November 05, 2019, 04:53:54 am
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issues where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add url's to pull our favorite lists and a few popular ones preloaded to enable? With the new update taking away more control I'm going to have to whitelist some porn sites ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 05, 2019, 03:47:52 pm
I just updated from 19.1.10 to 19.7.6.  Now I'm getting the following message every time I click on the Dashboard:

Quote
Elasticsearch service is not running!  In order to view reports, you need to start Elasticsearch service. Do you want to start it?

And when I click "Yes," it doesn't seem to start.  I just get a

Quote
Waiting for database service to come up
bar.

This used to work fine.  Any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 05, 2019, 03:55:32 pm
I just noticed some messages on the console that don't look good either.  I don't know if they are related to my Sensei issue or not, but I thought I'd post them in case they were.

See attachment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 04:47:41 pm
I just updated from 19.1.10 to 19.7.6.  Now I'm getting the following message every time I click on the Dashboard:

Quote
Elasticsearch service is not running!  In order to view reports, you need to start Elasticsearch service. Do you want to start it?

This used to work fine.  Any ideas?

@JohnDoe17,

Messages on the console are related to HardenedBSD's SEGVGUARD. It detected that syslog-ng process crashed several times. This does not seem to be related to Sensei.

There was a major python upgrade from 2.7 to 3.7 in OPNsense 19.7. We have mechanisms to handle this, though it's possible to miss something.

Can we have a look at your system together? I'll be contacting you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 06:12:48 pm
Dear Sensei users,

Can anyone who is experiencing Elasticsearch issue contact me? We can't reproduce this in our test/PoC systems.

Any help is much appreciated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 08:31:13 pm
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issues where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add url's to pull our favorite lists and a few popular ones preloaded to enable?

Hi @mow4cash, glad to hear that Sensei is of use for you.

The thing about reports might be due to abrupt shutdown of the firewall or /var directory being mounted as a tmpfs directory. Former breaks database indexes and latter one resulting in loss of indices after a reboot.

You can currently create user defined black/white lists and custom categories with user-defined web categories.

I guess what you're looking for is bulk addition, am I correct? I guess we can provide a functionality to bulk import URLs/Domains in the free edition. This could be an enhanced version of the current functionality where you can not only input a single domain but a batch of domains to any user defined category.

Would that work?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 09:35:41 pm
Thanks to @JohnDoe17's help, we figured out what's causing the Elasticsearch issue.

With 1.1 release, we had removed Elasticsearch package dependency (Because from now on, Sensei can also run with other databases).

With prior installation of Sensei, this means, elasticsearch is now an orphaned package.

OPNsense update triggered a pkg autoclean, which resulted in orphaned elasticsearch5 package being removed.  Reports data is not deleted and safe.

For the workaround, you'll need to re-install elasticsearch with this command;

Code: [Select]
pkg install elasticsearch5
1.1_2 is on the way to handle the new updaters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 05, 2019, 11:00:16 pm
Dear Sensei users,

1.1_2 hotfix is out. This addresses the Elasticsearch issue.

Make sure you have Health Check enabled. It will take care of the rest and re-install the database for you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mow4cash on November 06, 2019, 02:35:58 am
Just wanted to say it's a very nice interface and works well. Very user friendly. Ran into an issues where the reports are getting corrupted and I have to fix them. How far away on the roadmap is importing custom whitelist/blacklist and will it be on the free tier? Maybe even a page to add url's to pull our favorite lists and a few popular ones preloaded to enable?
You can currently create user defined black/white lists and custom categories with user-defined web categories.

I guess what you're looking for is bulk addition, am I correct? I guess we can provide a functionality to bulk import URLs/Domains in the free edition. This could be an enhanced version of the current functionality where you can not only input a single domain but a batch of domains to any user defined category.

Would that work?

That would be great to be able to bulk import lists. Would it be possible to have imports from URL?

When I use the live session report viewer I noticed there is only a blacklist action and not a whitelist action. Is this by design?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on November 06, 2019, 03:14:31 am
would be even great if it can also regularly import/update daily or weekly if not to much to ask.

@mow4cash
would all/most blacklist have the same format? like Shalla's Blacklists, the free ones.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on November 06, 2019, 09:39:06 pm
thanks this helped to fix it

Thanks to @JohnDoe17's help, we figured out what's causing the Elasticsearch issue.

With 1.1 release, we had removed Elasticsearch package dependency (Because from now on, Sensei can also run with other databases).

With prior installation of Sensei, this means, elasticsearch is now an orphaned package.

OPNsense update triggered a pkg autoclean, which resulted in orphaned elasticsearch5 package being removed.  Reports data is not deleted and safe.

For the workaround, you'll need to re-install elasticsearch with this command;

Code: [Select]
pkg install elasticsearch5
1.1_2 is on the way to handle the new updaters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 06, 2019, 11:38:55 pm
thanks this helped to fix it

@ckishappy, all welcome.

A quick note: we are aware of a problem with vlans. Looks like an ABI issue, and a re-compile is fixing. Will post an update soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on November 07, 2019, 09:52:27 am
How can I downgrade sensei back to 1.0.2? Or can anybody provide me an old package or download URL?

Version 1.1. patronizes me what I have to find moderate.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on November 07, 2019, 02:59:33 pm
I can block per host now with this update, nice. Are there plans for a "home use" subscription ? When deploying sensei I get the option to deploy for home use (10 devices), 25 devices etc. On the site where I can order a subscription it starts at 25 devices..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 07, 2019, 05:42:21 pm
@actionhenkt, happy to see that it worked well. Yes, we'll announce a home/small office subscription with an affordable pricing, very soon. (Hopefully late November/early December)

@hbc, just replied to your e-mail.

@tong2x, @mow4cash; we gave a bit of thought to this. We can provide an interface to process bulk domain/url imports. On the other hand, trying to pull the lists from list source URLs have multiple challenges. As @tong2x wrote, they have different formats, and trying to do that in the firewall itself; this looked like a seperate project, which required additional resources from the team. If someone is willing to handle that, we are happy to provide an interface in Sensei's UI so that they can be easily managed (i.e. they appear as third party community categories, and can be checked in/out).


Title: Re: Sensei on OPNsense - Application based filtering
Post by: xpendable on November 07, 2019, 07:07:40 pm
Hello,

I just upgraded to version 1.1 of Sensei and and find the new category presets in web controls to limiting as I am now locked in to the presets defined by Sunny Valley. I know the pricing for home versions will be coming shortly, however perhaps a better solution for restricting the web controls would be to limit the amount of categories selected to say 8-10 categories instead of predefined categories within set profiles.

Other then that I look forward to the subcription pricing for home users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: giovanit on November 08, 2019, 01:09:47 pm
Hello,

I just upgraded to version 1.1 of Sensei and and find the new category presets in web controls to limiting as I am now locked in to the presets defined by Sunny Valley. I know the pricing for home versions will be coming shortly, however perhaps a better solution for restricting the web controls would be to limit the amount of categories selected to say 8-10 categories instead of predefined categories within set profiles.

Other then that I look forward to the subcription pricing for home users.

I agree.

In my case, I use only 3 categories.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on November 10, 2019, 11:39:18 pm
@mb

I just upgraded my firewall from 19.1.10_1 to 19.7.6 again, and I'm having the same problem with elasticsearch.  It's not starting.  In fact, I don't think it's even installed.  It looks like engine 1.1_3 is used, so I assumed the issue would be fixed.

Are you aware of this?  Did I misunderstand the fix?

Also, if I just upgrade the 19.1.10 components (and not go to 19.7.x), it seems to break Sensei too in the same way.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bunchofreeds on November 11, 2019, 01:07:42 am
Hello,

Apologies if this has already been covered.

Can Sensei and Suricata co-exist on the LAN interface yet?

Thanks for any update on this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 11, 2019, 05:32:49 am
@giovanit, @xpendable we'll release home subscription this week.

@JohnDoe17, elastic issue has been addressed with 1.1_3. Health check does the elasticsearch5 re-install if it was removed. Make sure health check is turned on. If it does not do the job, just run

Code: [Select]
# pkg install elasticsearch5
and you are good to go. Your data is safe, after reinstall you'll have your old reports.

@bunchofreeds, yes this is not addressed yet. This is now one of the things in the top of our list. Hope to have it end of this year or early next year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 11, 2019, 05:49:03 am
Dear Sensei users,

With 1.1_3, we think it is safe to officially declare 1.1 release is out.

@opnsenseuser, we were able to add Sensei Dashboard Widget to this release.

List of new features that have been shipped with 1.1:

Better low-end device support

Better Security
New security features for the Premium Edition:

More interface support

New Cloud Servers Infrastructure goes live

Reporting

Related Blog Post:

 https://www.sunnyvalley.io/post/sensei-1-1-released-providing-support-for-low-end-devices-deciso-a10-opnsense-pcengines-qotom  (https://www.sunnyvalley.io/post/sensei-1-1-released-providing-support-for-low-end-devices-deciso-a10-opnsense-pcengines-qotom)

Enjoy ;)

Your Sensei team.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Supergiovane on November 12, 2019, 11:09:19 am
Hello.
First of all, thank you very much for this plugin.
I tried installing it on Pondesk hardware and on a Supermicro server (in a VM).
On both, i can only achieve Small II (Max 50 users).
I've a home net with more than 50 devices (homekit devices, Konnex devices, Hue bulbs, IP Phones, 3 robot cleaners, a robot mower etc...). All of this requires a gateway to be able to update software and to be controlled on cloud.

My question is: after the first 50 devices Sensei sees, what happens to the others? How can i check what are the first 50 devices handled by Sensei?

Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on November 12, 2019, 11:24:18 am
Don't use dual stack or multiple ips per device. Sensei counts every ip address and sees ~60 devices in my lan, but there are only 18 real devices ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 12, 2019, 07:49:32 pm
Hi there,

I have a few questions:

Custom interval selection does not let me select any date later than August 7th although the selection of 24h, 7 days, 30 days in the drop down menu does work.

Furthermore show hostnames still keeps showing ip's only although this has been added to the reverse lookups. Opnsense shows hostnams in insight.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 13, 2019, 02:19:05 am
@Supergiovane, many thanks for trying Sensei and for your feedback. For now, we do not enforce hard limits with regard to device count. Currently, it's Ethical License. However, for memory efficiency, internal data structures are adjusted according to the deployment size, which means, if there's a sustained higher usage, it's probable that you might lose data.

@marcri, thanks for the answer. Asset Discovery is on the way ;) With Asset Discovery, Sensei will be able to associate IP addresses with a single device. This will also provide information about the specific device (Operating System, Hardware Vendor, Device Type etc.)

@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

Title: Re: Sensei on OPNsense - Application based filtering
Post by: puddles on November 16, 2019, 10:07:29 pm
I can block per host now with this update, nice.

Would you mind showing us how this works?  I have looked in the (sparse) documentation and I didn't find this per-host functionality (in the Free Edition).  I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies per-device basis.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 17, 2019, 02:44:04 am
I tried to drill down into the list from reports and it seems to apply the block to all hosts in a given subnet.

I'd really love the ability to apply blocking policies per-device basis.

Hi @puddles, many thanks for trying Sensei.

What @actionhenkt is referring to is the ability to whitelist individual destination hostnames/domain names via a shortcut from Live Blocked Sessions Explorer.

You're able to create policies per ip/subnet/vlan/interface/user/group with Policy Based Filtering which is available in Premium.

We'll also be announcing Home Premium Subscription the coming week. It'll have suitable pricing for the Home users.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:04:41 am
@mb
Since Sensei now also officially supports low end hardware, I have now installed it on my live environment. but it does not work if i want to block facebook for example. I have attached all settings as a screenshot. what am I doing wrong? Can it be due to the firewall rules? Unfortunately, a restart did not help either. The sensei widget says, that everything is stopped and according to sensei status, it should work. strange

see my screenshots

thx
regards rené
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 08:12:48 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 08:16:41 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

thx the "active" folder has 122 mb. how should i send this to you?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 08:21:18 pm
Hi rene,

If blocking is not working, I would suspect that engine is not running. So Dashboard widget might be correct. Any chances that you can send /usr/local/sensei/log/active directory to me? You can PM me. Let me see what's going on.

i have zipped it. now it has 8 mb.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:26:52 pm
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports
I did update sensei engine to 1.1_ before I updated opnsense to 19.7.6 and had to do a reboot to make sensei work again.
Although the fixed intervals (15 mins, 1h, ...) show me actual data.

In regards of dns: is it maybe dnscrypt proxy which interfers here?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:30:30 pm
@sol, did a quick check on the time interval issue, and could not reproduce it. In which screen does this happen? With regard to dns, it's most probably due to sensei engine not being able to see dns transactions. See:

https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In all reports
I did update sensei engine to 1.1_ before I updated opnsense to 19.7.6 and had to do a reboot to make sensei work again.

In regards of dns: is it maybe dnscrypt proxy which interfers here?

I´m using unbound with DoT.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:31:47 pm
and you can see resolved hostnames?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 09:32:36 pm
rene, i was able to reproduce the issue. thanks for the hand. 1.1_4 coming up shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 19, 2019, 09:33:20 pm
Thank you!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 19, 2019, 09:34:24 pm
rene, i was able to reproduce the issue. thanks for the hand. 1.1_4 coming up shortly.

that is fast. what´s the problem?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 09:35:44 pm
In regards of dns: is it maybe dnscrypt proxy which interfers here?

sol, the issue with rene is different. yes, if you have dns encryption most probably this is the reason.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 19, 2019, 10:48:54 pm
that is fast. what´s the problem?

rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

sol, we're thinking of implementing "lazy dns resolution" for these cases like dns encryption. This will allow Sensei to do realtime dns query for any ip addresses for which it does not have a dns mapping in its cache. Most probably it'll ship Q2 2020.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 20, 2019, 09:28:46 am
that is fast. what´s the problem?

rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

sol, we're thinking of implementing "lazy dns resolution" for these cases like dns encryption. This will allow Sensei to do realtime dns query for any ip addresses for which it does not have a dns mapping in its cache. Most probably it'll ship Q2 2020.

you are the best. thx for your really fast response.i´ll test this later!. :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 20, 2019, 04:04:57 pm
that is fast. what´s the problem?
rene, it was a sanity check going wrong because of a missing if condition ;) Fix was easy, 1.1_4 hotfix is out. Enjoy.

works. thx very much!! :-)

2 more questions:

1. is there a way to make a custom block html template? and perhaps upload it?
2. i get this error message in System: Firmware: Reporter
Code: [Select]
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 175
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 176
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 181
[20-Nov-2019 15:50:33 Europe/Vienna] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 182
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 21, 2019, 03:53:50 am
Hi rene, you're all welcome. custom landing page is available within Premium Features. SOHO Edition is coming this week.

Dashboard widget error got already fixed in 1.2, which will also ship this week :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 21, 2019, 05:00:07 am
Hi rene, you're all welcome. custom landing page is available within Premium Features. SOHO Edition is coming this week.

Dashboard widget error got already fixed in 1.2, which will also ship this week :)

is there no standard block template in the free edition ?. because the message that I get when blocking a page is a connection error page. It is therefore difficult to determine if this is a real connection error or not.
the html block template that I found did not work. or is it intended?

best regards, rene

supplement:
I noticed now, if I use "app controls" and block for example, facebook, then there is no html block template but only a connection error page (see my screenshot). if I block a page under "web control", then comes the block template. Is it wanted like that? best regards, rene

Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on November 21, 2019, 10:49:20 pm
So I'm still experiencing issue where traffic completely halts shortly after the engine service is started. I never could figure out the problem so didn't use this for a while. I'm now on the latest version and it's still happening. I have a 4 port intel card where igb0 is LAN and igb1 is WAN. There's an onboard Realtek I'm not using (re0).

Searching in /usr/local/sensei/log/active I see this in the logs
Code: [Select]
root@OPNsense:/usr/local/sensei/log/active # egrep igb main*
main_20191119T000000.log:2019-11-19T10:45:28 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1
main_20191119T000000.log:2019-11-19T21:18:49 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1
main_20191120T000000.log:2019-11-20T19:16:42 INFO: Worker [@0,Bridged,Lan=netmap@igb0,Wan=netmap@igb0^,Queue=0,Cpu=1

Why is WAN referencing igb0^? Shouldn't it be igb1?

If I grep for igb1 in the directory nothing comes back.

Here's another output from a worker logfile:

Code: [Select]
root@OPNsense:/usr/local/sensei/log/active # egrep igb worker0_20191120T000000.log | tail
2019-11-21T14:57:19 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:19 INFO:               Stats LAN igb0:3 [ 33916 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:19 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:0 [ 4024 pkts, 0 drp, 610.74 KB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:1 [ 109564 pkts, 0 drp, 150.78 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:2 [ 27493 pkts, 0 drp, 2.00 MB]
2019-11-21T14:57:20 INFO:               Stats LAN igb0:3 [ 33917 pkts, 0 drp, 2.54 MB]
2019-11-21T14:57:20 INFO:               Stats WAN igb0^ [ 239646 pkts, 0 drp, 177.91 MB]

Let me know what else I can provide to help troubleshoot this as I've noticed others have posted a similar problem. Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 22, 2019, 01:20:22 am
Hi Rene,

Yes, customizable block page is available in Premium.

1. With regard to how we display block page: we display Block Page only if it is an HTTP connection.
2. For HTTPS connections, since TLS comes early and client and server does not yet speak HTTP, we cannot display.
3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For the third item, I think there is a window of improvement there; since we can still detect if it is HTTP
and therefore we can display a block page.

For HTTPS connections, block pages will be available along with TLS feature.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 22, 2019, 01:32:43 am
Hi @tusc,

WAN in that file is an internal Sensei terminology and it is different from general firewall terminology. Sensei acts like a bridge connecting hardware rings of the ethernet driver and the Operating System network stack (with the help of netmap). Taking into account the fact that we're protecting LAN-facing interfaces, Sensei considers the Operating System side of the "virtual bridge" as WAN since packets going to/coming from that way is Internet-bound.

It is expected that packet flow can pause a 2-5 seconds during engine restarts. This is because once sensei starts running it initializes the interfaces in netmap mode which -in turn- causes them to go down/up.

If it halts the packet flow permanently, this is very interesing, which I would definitely want to have a look. Can you PM me so that we dive into this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 22, 2019, 04:56:21 am
@MB

How does soho work with the 15 device limit for those of us with well over that on our home networks?
Do we pick and choose what's protected or is it any device that's on the protected interface?
Title: index not found exception?
Post by: robvanhooren on November 22, 2019, 06:52:47 am
hi, fresh install, and I'm getting a ton of 'index not found exception' errors, with a lot of sensei panels displaying a red error box.

"An error occurred while report is being loaded!"

details and log excerpt below.

thoughts?

thanks.


Code: [Select]
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}


 -----8<-----{snip}-----8<-----
/usr/local/sensei/log/active

ipdr_streamer.log:2019-11-22T00:43:47.637231 response: {"took":0,"errors":true,"items":[{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}},{"index":{"_index":"http_write","_type":"http","_id":null,"status":404,"error":{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_expression","resource.id":"http_write","index_uuid":"_na_","index":"http_write"}}}]}


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on November 22, 2019, 11:46:10 am
Love the plugin!
Will there be a monthly option for paid home use?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on November 22, 2019, 02:52:56 pm
Hi Rene,

Yes, customizable block page is available in Premium.

1. With regard to how we display block page: we display Block Page only if it is an HTTP connection.
2. For HTTPS connections, since TLS comes early and client and server does not yet speak HTTP, we cannot display.
3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For the third item, I think there is a window of improvement there; since we can still detect if it is HTTP
and therefore we can display a block page.

For HTTPS connections, block pages will be available along with TLS feature.

thx for your information. this plugin is really really great!. great work! :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2019, 02:52:30 am
@donatom3, which devices would be out-of-scope is random and dependent on the memory state buffers. With device identification we'll enable user to select which devices to cover. For now, a higher tier would be more suitable. Also note that only IPv4 addresses  count, so if you have a dual stack, it won't affect memory buffer limits.

Having said that, as a gratitude to our BETA users like you, we'll be providing a suitable discount for higher tiers so that it would still be in the lower tier price range. More on this next week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 23, 2019, 02:56:41 am
@robvanhooren, can you try Sensei -> Configuration -> Reporting & Data -> Reset Reporting and see it that solves your problem. Make sure you don't have tmpfs enabled for /var directory.

rene, thank you very much for the feedback. We hope sensei will add more value in the future.

@Quetschwalze, many thanks for the feedback, glad that you loved Sensei. Yes, home subscription is coming late this week/early next week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 23, 2019, 05:01:44 pm
@mb, yes I had to wipe the database.

question: now that there is data to review, I see some sites are miscategorized.

how would you like to deal with reporting that, so it can be corrected? e.g., centos mirrors being declared malware/virus; opensubtitles.org being declared warez; etc....


Title: SOHO device count Re: Sensei on OPNsense
Post by: robvanhooren on November 23, 2019, 05:25:06 pm
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensi Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

 -- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on November 23, 2019, 08:20:39 pm
Engine Version:    1.1_4    
App DB Version:    1.1.1    
Rules DB Version:    1.1.1    

Reports / Security
Code: [Select]
{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}

Errors also occure at Reports / Web
Although I cannot open view erro message.

Furthermore since the update of sensei yesterday some sites aren't displayed fully with a running sensei.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on November 23, 2019, 08:44:27 pm
After taking out the custom option in web controls  from our hands, youtube not loading video after added in Auto Whitelist Hosts.
May be it's not good idea to take feature after feature from the free version with every update after all...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on November 24, 2019, 09:29:46 am
After taking out the custom option in web controls  from our hands, youtube not loading video after added in Auto Whitelist Hosts.
May be it's not good idea to take feature after feature from the free version with every update after all...

Same problem here, can't control anything anymore and have to allow everything. that's really bad!


And SOHO with 15 devices/ip addresses means 7 dual stack "devices" is really much too low, even for a one-person household.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: chemlud on November 24, 2019, 02:25:52 pm
If it's for free, you are not the customer, you are the product (or the beta tester...).

It's the Google principle: make them addictive for free, then start taking money for your stuff. That's the way it is these days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 24, 2019, 05:16:06 pm
@chemlud, not to distract from your rhetoric ..... I can't tell whether it was aimed @mb for Sensei, at Sophos for XG, at Deciso for opnsense itself, at Google because Evil(™), or just at everything and everyone in general :)

that said, the free = product is exactly what we have with the etPro-telemetry IPS option plugin here already (for example).

it's a consensual, opt-in model, and the quid pro quo is user data, in exchange for a better sigset from the vendor. the (hopefully GDPR-compliant?) data being exfiltrated to ProofPoint serves as substitute for an exchange of fiat currency in the transaction.

getting back on-topic to the thread ...

for the case of Sensei for home users, while the proposed price point is viable for that market segment, the SOHO paid version in the present circumstance is worse than the free version, due to a device cap that's way too low. so low as to be unusable in practice for anything other than non-serious demonstration purposes.

home users inclined to pay at all won't have issues paying $99/yr for a device count that's realistic for the current era.

15 was alright for 2004.
50 is reasonable for 2019.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 26, 2019, 02:45:57 am
@donatom3, which devices would be out-of-scope is random and dependent on the memory state buffers. With device identification we'll enable user to select which devices to cover. For now, a higher tier would be more suitable. Also note that only IPv4 addresses  count, so if you have a dual stack, it won't affect memory buffer limits.

Having said that, as a gratitude to our BETA users like you, we'll be providing a suitable discount for higher tiers so that it would still be in the lower tier price range. More on this next week.

@MB Can't wait for the home/discounted licensing.

Once Sensei can be integrated with firewall and routing rules I'll be able to start selling management on OPNSense + Sensei as an alternate offering for our customers. So it will be good if I can show them what it can pick up and report on.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 27, 2019, 03:34:56 am
@donatom3, @robvanhooren and others, many thanks for the suggestion & feedback. All noted, and being worked on.

1.2 is almost there. Running final tests. Hope to ship it this week. Will be back with more news this week.

Here's what will be coming with 1.2:

Home Premium Subscription

Performance

Reporting

Other
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 29, 2019, 09:53:10 pm
Dear Sensei users,

As promised, 1.2 is out.  With this release, you can purchase Home Subscription through Sensei User Interface. Monthly or Annual subscription is possible. You'll also be able to purchase the annual home subscription from the OPNsense webshop in a few days.

Other important improvements with 1.2:


For a full feature list, please see: https://www.sunnyvalley.io/post/sensei-home-for-opnsense (https://www.sunnyvalley.io/post/sensei-home-for-opnsense)

We've received many feedback about how we could be structuring the Home Edition. I would like to thank all of you. Thanks to these feedback including @robvanhooren's comments, we've increased the device limit to 50 devices valid till January 1, 2020.

It looks like we need to work more on this. Please feel free to reach out to us at sensei -at- sunnyvalley.io and provide feedback.

At Sunny Valley Networks, our vision is to provide advanced persistent protection for everyone and everything. I hope this marks another milestone in realizing our objective.

Enjoy :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: robvanhooren on November 29, 2019, 10:29:58 pm
thanks @mb

@admins, has Sensei grown enough to graduate to its own (sub)forum here? perhaps under the IDS category. :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on November 29, 2019, 10:33:48 pm
@mb this is great. The 50 device home limit should work for me depending on how sensei handles things. Even better that I can purchase right through the interface and use google pay to pay.
Title: Re: SOHO device count Re: Sensei on OPNsense
Post by: l0rdraiden on November 30, 2019, 10:26:08 am
@mb (again) .....

just saw the SOHO pricing, $99/yr is very competitive.

the issue I see here is that with the explosion of IoT and other things in a household, 15 devices is just much too low for a home environment in 2019.

for example, my device count ('Unique Local Hosts' in the last 24hrs, according to the Sensi Dashboard) is 41.

per the current structure, that would cost ~$1200/yr, which is completely unreasonable.

no one in their right mind is going to spend two mortgage payments every year just to keep the Chinese out of their lightbulbs, the Russians out of their Alexas, the local stalkers and thieves out of their home security systems, and successfully divert accidental Japanese donkey porn away from their kids' surfing sessions, too; they shouldn't have to choose which subset of these goals can be achieved due to an arbitrarily-low device cap.

security is only as good as its weakest link, and if a home user has to pick which devices to cover with Sensei's gaze, and which ones to leave exposed to armageddon, then invariably they will be outfoxed.

while ad-hoc device coverage makes for good eye-candy, it's not particularly better than no coverage at all, because human beings are fallible and will inevitably pick combinations that leave attack vectors available.

would you consider raising the paid SOHO plan limit to 50?

 -- this would put you at parity with e.g. the device cap of SophosXG Home (which is free, fwiw).

LOL maybe even one-up the Sophos folks & make it 51 -- just because you can. ;)

thanks!

(likely a big thanks from everyone!!  :) )

@mb

He is totally right I have IoT at home so I have more thant 50 IP's to control and we are 3 in the house and one of them is a kid 3 yeras old, so the home plan is not for me.
The home version is aready limited in features to consider it for an enterprise use, in fact is hard to consider opnsense for enterprise use. So I wouldn't limit the home version based on number of devices, it's already limited in must have enterprise features.

In addition I consider the price a little bit high considering you have sophos XG home edition for free or that you can build something similar in terms of protection with pfblockerng.

By the way Sophos XG Home edition has no limit in IP's or devices, the only limit is that only uses 4 Cores and 6 GB of RAM.

For less than 30$ per year I would think about it but considering that Sophos XG home edition is free...., or maybe 100$ for a lifetime plan for home users.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on November 30, 2019, 01:36:59 pm
@mb: I do have a few questions regarding Sensei:

how is decided how big the environment can be during setup (with 6 GB of RAM it offers me Home 10 users, Home 15 users and Small 25 users; with 8 GB of RAM I get the full list offered until Xlarge with 1000 users)?

when uninstalling Sensei (and Sensei was installed with MongoDB) - why is the MongoDB not removed even if those two checkboxes are checked during uninstall? (the checkboxes are named "Remove Reports data" and the "Remove all install directories")
how can MongoDB be uninstalled? because the security check in the OPNsense update area tells me that there are security vulnerabilities with MongoDB...

during uninstall and reinstall a few settings are remembered (i.e. TCP service security password in Configuration>General) - seems like the "remove all install directories" switch is not working properly?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on November 30, 2019, 03:07:37 pm
Analysis of sensei 1.1:
Equipment:
CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8GB
Sensei: good
Sensei plus Suricata: bad
(opnsense blocking)
netmap suricata error
For when compatibility sensei - suricata?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 03:34:13 pm
@l0rdraiden, thanks for further input. We're having an active discussion with people who are providing feedback on pricing / features. Current final picture of the Home Edition has been shaped with this feedback. Feel free to jump into the conversation by sending an e-mail to sensei - at - sunnyvalley.io. Though I do not expect much change with regard to Home Edition, since there's also a maintenance overhead on the vendor, which is much higher with smaller numbers of deployments. 

@robvanhooren, @donatom3 you're all welcome. Thanks for the feedback.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 04:03:04 pm
@the-mk, for mongodb, it should be up to 50 actually (fixed for 1.2.1).

The threshold for running Elastic Search is whether RAM is below or above 8GB. Under 8GB, mongodb provides a lot better results. With a resourceful hardware, Elastic Search is the way to go. Under 8GB and with mongodb, we have not yet tested Mongodb with larger workloads, so for now we keep it up to 50 devices.

For a hint: we have been reported of deployments  with 16GB RAM protecting around 1000 devices, using Elastic Search.

You're right. mongodb/elastic should also be removed during uninstall. (fixing for 1.2.1) You can manually uninstall it via System -> Firmware -> Packages.

We're shipping mongodb 4.0.12 which has proper fixes for OpenSSL flavor. LibreSSL flavor looks fine.

Remaining configuration is the one which we place in config.xml. Yep, that should be removed as well if user wants everything deleted. (fixing for 1.2.1).

Thanks for the heads-up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 04:15:41 pm
@yeraycito, Suricata <-> Sensei interoperability is in short-term roadmap and should appear in early next year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on November 30, 2019, 06:01:54 pm
@mb - thanks for the feedback, looking forward to 1.2.1!

since I wanted to reduce the RAM footprint of my OPNsense installation on my VMware host, I tried running it with 6 GB (coming from 8 GB; target is 4 GB) - so the MongoDB got installed during Sensei installation. With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

BTW: I like it that the available views are now configurable on the Sensei dashboard!

another "issue" - sometimes when I look at the "top local hosts" on the dashbaord, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on November 30, 2019, 06:12:44 pm
With the release of 1.2 today I did a reinstall of Sensei and there was only the option with "small 25 users", which might be too few when having around 40-50 devices in my network... so the option "small 50 users" will be offered when reinstalling Sensei on a box with 4 GB RAM when 1.2.1 is ready?

Correct. 50 should be there. 1.2.1 will address this. Since 1.2.1 is a hotfix, we will ship it quick. It should arrive early next week.

Quote
uninstall MongoDB - with OPNsense 19.7.7 under System>Firmware>Packages I can't uninstall anything - just view the license, reinstall or lock the package...

You're right. Alternatively you can just remove it from the ssh console:

Code: [Select]
# pkg remove mongodb40
Quote
BTW: I like it that the available views are now configurable on the Sensei dashboard!

Glad to know that :)

Quote
another "issue" - sometimes when I look at the "top local hosts" on the dashbaord, I can see hosts with duplicate entries - one time mentioned with the hostname, the other time mentioned with its IP address. How can this be avoided?

This will get resolved with device identification. We will track devices with their MAC addresses and associate IPv4/6 addresses with a unique device. Hoping to have this for 1.3 since this also has implications with regard to licensing.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on December 02, 2019, 09:51:41 am
Hello @mb,

some small findings:

1. Filter on Policy Id  (from pie-graph -> Sessions Detail) in Reports (created a new policy before) shows only a rotating circle.
Home Edition bug?

2. Block a URL via Action from Reports -> Connections -> Live Session Explorer results in the following message:
Code: [Select]
Error
Could not find: msmetrics.ws.sonos.com

In Version 1.1 a new Category "Auto Blacklist Hosts" are created. In version 1.2 (Home Editon) the category would not be created. And message above appears.
Home Edition bug?

3. Under Reports -> Security -> Live Blocked Sessions Explorer the coulmn "source ip" (my LAN IPs) shows also the different country flags of the "Dest Hostname" coulmn.
General bug?

Edit: I also did a reset of the config and started from scratch. Same results.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 03, 2019, 12:03:54 am
Hi @opnip, thanks for the heads up. Quikcly checking if we are able to reproduce thse. Will update the thread soon.

Update: all bugs confirmed and fixed. Fixes will appear in 1.2.1. this week.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on December 04, 2019, 07:53:55 am
Hi,

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

It is possible to see the packages in "Firewall: Log Files: Live View" for example.

=> How would I do this in Sensei?

In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

Best regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on December 05, 2019, 02:39:08 am
@mb I'm running into that bug that I reported back during beta again. The one where after a reboot of OPNSense once the Sensei Packet Engine starts it cuts off all traffic to protected interfaces. I have to use another interface to restart the Sensei Packet engine. I also verified it did this again with "Enable engine heartbeat monitoring:" turned off or on.

I did submit a report through the interface with logs. Hopefully that helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: stephan79 on December 05, 2019, 07:17:44 am
Hi,

Got a question about subscription key/code: can you use that on multiple firewalls?
(haven’t found any info on this)

I’m running 2 FW’s with HA for production and 1 in LAB for testing purposes.
But if I must buy a subscription per FW then the cost would be too much for me.  :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 07:29:25 pm
@jf2001j, many thanks for trying Sensei and your suggestions.

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

This would be a cool feature, though not trivial to implement. Reason is that Sensei deploys on inner-facing interfaces; and to be able to inspect firewall's own traffic, we'll need to also deploy on WAN interface, which would mean we would produce duplicate logs (since the traffic has already got inspected on the inner-facing interfaces).

Quote
In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

I guess you mean Sensei Menu on the left. Well noted.

Quote
@mb I'm running into that bug that I reported back during beta again.

@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 07:36:17 pm
@stephan79, we're planning a scheme on the HA license. Will keep you updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 05, 2019, 10:02:38 pm
Hi again, mb. Another minor bug or "feature":
In Web Controls, Auto Whitelist Hosts, there is a field "Send this re-categorization as a feedback to Sensei Team to improve web categorization. " that wont remember his setting. Every time when i logon and go to this menu to add another site, it's ticked on. I turning it off every single time before save.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 05, 2019, 10:10:07 pm
Hi @Antaris, thanks, well noted. This will ship with the next release.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: JohnDoe17 on December 06, 2019, 05:57:02 pm
@mb

Please consult the attached picture...

Is this message normal?  What does it mean?

Thanks.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 07, 2019, 03:30:39 am
Hi @JohnDoe,

This is HardenedBSD's SEGVGUARD. Message means, sensei engine terminated once and SEGVGUARD tracked the application for some time to make sure someboady is not trying to do a memory-guessing brute-force attack.

If it was, the mechanism would have stepped in and prevented further restarts of the process.

Although, this does not have a practical effect on your traffic, we would like to analyze these to find the root cause and fix the root problem.

When for any reason sensei engine is terminated, it is automatically restarted; and traffic flow resumes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on December 08, 2019, 09:42:00 am
I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

Privacy is my concern. I use Sensei for getting an overview over iOT devices, but also want to trust that Sensei itself does not do unwanted connections. For this i have disabled all settings inside Sensei for connections to the Sensei backend, including auto-update.

Could you please describe why the JS from stripe.com included in several Sensei Dashboard webpages is loaded and why it posts data to https://m.stripe.com/4?

I'm also wondering why I did get the notification "Engine 1.2.1" is available for update inside Sensei without auto-update. But I don't have facts here. Perhaps an error on my side.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 09, 2019, 09:39:27 pm
@jf2001j, understood and well respected.

Stripe is our payment backend. This JS needs to get loaded if you want to do an in-app purchase for Sensei Subscription. Though, it might be better to delay its loading until the user opens "Upgrade to Premium" menu, instead of loading it during Sensei UI initialization routines.

If you disabled "Check For Updates Automatically", Sensei should not contact our update server anymore. If you did see a new update notification, two possibilities:

1. This could be a cached result of an update check done before you disabled auto updates.
2. You could have manually invoked "Check for updates" from Sensei -> Status and, this could be a cached result of this operation.

Thank you for your attention. Feel free to get back to us (you can also e-mail to privacy - at - sunnyvalley.io) if you see anything that needs further  attention here.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 10, 2019, 11:18:26 pm
Dear Sensei users,

Sensei 1.2.2 is out fixing some minor problems reported.

https://www.sunnyvalley.io/post/sensei-1-2-2

Enjoy,
Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on December 10, 2019, 11:59:17 pm
Quote
@mb I'm running into that bug that I reported back during beta again.

Quote
@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.

@mb, is this resolved in 1.2.2? I thought my issue was fixed when I disabled other services like maltrail and ntopng but I still see this problem. I just updated to 1.2.2 and about a few minutes after the packet engine is started I lose complete access to the firewall and Internet. Let me know what logs I can provide to help figure this out. Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2019, 12:18:15 am
Hi @tusc, nope, we have not addressed that one. It's a nasty bug, which we cannot reproduce. Working on it. If you can send the /usr/local/sensei/log/ directory over to us via e-mail that would be great. Email to send: sensei - at - sunnyvalley.io

or

Click on Contact Sensei Team on the upper right hand corner, select Problem Report and make sure you select "Send logs" option.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on December 11, 2019, 12:41:01 pm
@mb Would it be possible to have the Firewall Aliases available in Sensei's Policy Configuration as well? Adding IP-Adresses in two places feels redundant.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 11, 2019, 05:49:33 pm
@Quetschwalze, this would be a great feature. Added to the 1.3 workload ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jh on December 12, 2019, 03:17:29 pm
hi mb,
i'm already using the free version for some time now and thinking about buying the home edition
so i still have some questions about the upper limit of 50 clients for the home edition.
My daily sensei report for the free version shows me an entry "Unique Local Hosts". Is this the value I can orientate myself on for the limit of 50?
How is the number of clients exactly calculated?  IPs in use?
What about clients/ip-addresses that are already blocked in the opnsense firewall and don't generate any traffic through the firewall at all? are they included in the calculation?
Currently I get 29 hosts displayed under Unique Local Hosts. But this is not correct. Only when I additional count my default gateway, coupling networks on the WAN side I get 29 clients.
what exactly happens when the maximum is exceeded?

Thank you
Juergen
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on December 12, 2019, 06:22:55 pm
@Quetschwalze, this would be a great feature. Added to the 1.3 workload ;)

Awesome, looking forward to that!

I have a question I'm not sure whether its been asked before.
I'm utilizing policies to have different features active for different subnets. However, this only seems to work for me in conjunction with VLANs. If I try to bind a different policy on an untagged / default VLAN (only using the IP / Network Description) its not working. Only the Default Policy shows up in the reports. Is this expected?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 12, 2019, 08:07:15 pm
Hi @jh,

Internal memory buffers are adjusted according to IPv4 hosts. You don't need worry about IPv6 addresses.

Unique Local Hosts include both IPv4 and IPv6 addresses. If you want to see only IPv4 addresses, add a "Transport Proto" filter (Add Filter button on the top of Reports page) as TCP. Then the number of unique hosts value shows your actual device count.

We're updating Conn - Facts information to better show this information. With 1.3, you'll also have "Unique Local Devices" information.

So, for your Home Subscription, we had set it to 50 for providing a peace of mind; so it should be enough for Home use. If in any case, number of devices exceeds this, provided that it's not sustained, it should not cause a problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 12, 2019, 08:14:15 pm
Hi @Quetschwalze,

Subnet/IP address based policies should work with or without VLAN. Let me reach out to you, and see what goes on there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 06:50:07 pm
Dear Sensei users,

Sensei 1.2.3 maintenance release is out. Below is the Changelog:

Premium
Reporting
Other

Enjoy ;)
Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on December 16, 2019, 06:58:13 pm
Other
Fix: Increase netmap buf_num value to accommodate both Suricata and Sensei on high-end servers

compatibility sensei - suricata low-end devices?
CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8GB
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:01:03 pm
Hi @yeraycito,

dev.netmap.buf_num value was low if both Sensei and Suricata was run on -even- different interfaces. This was due to some high-end network adapters having multiple Rx/Tx queues, and thus requiring more kernel memory.

Work on Suricata+Sensei running on the same interface is underway.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on December 16, 2019, 07:07:19 pm
I can't deactivate "US-East" Cloud-Node
Machine Version:    1.2.3
UI Version:    19.12.14
Database Version:    1.2.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:16:19 pm
Hi @marcri, sensei needs at least two cloud nodes. You should be able to select any other node as the second one. Can you confirm that this is the case? If not let's check it out.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on December 16, 2019, 07:36:25 pm
Hi @marcri, sensei needs at least two cloud nodes. You should be able to select any other node as the second one. Can you confirm that this is the case? If not let's check it out.
Hi @mb,  selecting an other second node works.
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 16, 2019, 07:37:54 pm
@marcri, that's good to hear. A side note: we'll launch another Europe node in the coming year.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Kruemel on December 17, 2019, 11:50:01 pm
Hi,

just wondering: I setup sensei to block advertisments. Sometimes I get the page:

#################
The page you are trying to access is restricted by your organization.

Reason:   Advertisements site access
Client IP:   192.168.1.30
Remote IP:   91.215.103.xxx
Application:   Web Browsing
Application Category:   Web Browsing
Web Category:   Advertisements
#################

And sometimes the connection is just reset: ERR_CONNECTION_CLOSED

Why is this?

Thanks and best regards
Marco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 18, 2019, 01:26:07 am
Hi Marco, many thanks for trying sensei.

This happens if the blocked connection is not speaking HTTP. Sensei displays Landing Page only if it is an HTTP connection.

For HTTPS connections, since TLS comes early and client and server does not yet speak HTTP, we cannot display the landing page (behavior to change with TLS inspection feature, see below)

3. For Application control, we do not display since it might be a connection which does not speak HTTP.

For HTTPS connections, block pages will be available along with TLS inspection feature.

For more FAQ, see: https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 18, 2019, 04:36:33 pm
@mb

Today i did a opnsense firmware update to 19.7.8

After this update i can´t start monogdb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 18, 2019, 08:18:52 pm
@mb

Today i did a opnsense firmware update to 19.7.8

After this update i can´t start monogdb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don´t know where the problem is!

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on December 18, 2019, 08:32:01 pm
Same for me. Decided to uninstall and not install anymore.

@mb

Today i did a opnsense firmware update to 19.7.8

After this update i can´t start monogdb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don´t know where the problem is!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 18, 2019, 08:54:58 pm
Same for me. Decided to uninstall and not install anymore.

@mb

Today i did a opnsense firmware update to 19.7.8

After this update i can´t start monogdb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don´t know where the problem is!
And the relation to the problem of this thred is??
Can you be more specific why you abandone Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mayo on December 18, 2019, 09:00:06 pm
Simple: every Opnsense update Sensei stops working.
Same for me. Decided to uninstall and not install anymore.

@mb

Today i did a opnsense firmware update to 19.7.8

After this update i can´t start monogdb anymore.

I deleted the report data and even reinstalled the sensei package and did a restart of opnsense but had no luck!

What can i do?

See my screenshot!!

thx
regards rené

don´t know where the problem is!
And the relation to the problem of this thred is??
Can you be more specific why you abandone Sensei?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 18, 2019, 09:28:31 pm
Simple: every Opnsense update Sensei stops working.
Sensei is relatively new addon to OPNsense. Monogdb in it is even newer. I think we need more patience here...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 18, 2019, 09:35:33 pm
Ok, I think I have an idea about what's going on:

19.7.8 update seems to remove mongodb40 and dependencies.

Code: [Select]
=====
Message from opnsense-19.7.8:

--
Roar!
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages:

Installed packages to be REMOVED:
boost-libs-1.72.0
icu-65.1,1
snappy-1.1.6_1

Number of packages to be removed: 3

Update: Problems is related to mongodb package. Elasticsearch is fine. We're shipping new mongodb40 packages momentarily. Will update the thread.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 19, 2019, 01:44:41 pm
@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in version mismatch between mongodb (which is hosted in SunnyValley repo) and boost-libs package (which is hosted in OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 19, 2019, 01:47:50 pm
@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in version mismatch between mongodb (which is hosted in SunnyValley repo) and boost-libs package (which is hosted in OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.

Thx very much for your fast support👍

Regards,
Rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 28, 2019, 10:42:34 pm
Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: With 1.3 release onwards, Sensei will drop supporting OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues

What is new in Sensei 1.2.4:

Premium

Application Database

Reporting

Other

Wishing you holiday cheer and a happy new year.
Sensei Team

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on December 29, 2019, 11:58:45 am
Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: With 1.3 release onwards, Sensei will drop supporting OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues

What is new in Sensei 1.2.4:

Premium
  • Fix: Modifying an existing Policy
  • Fix: Deleting Exempt VLAN/Networks

Application Database
  • New app signatures for TikTok, Discord App, GroupMe, Houseparty

Reporting
  • Fix: Drilling down to a local host (specifially IP addresseswith hostnames associated with them)

Other
  • Fix: Reset factory defaults also resetting policies
  • Revert: netmap buf_num value to OPNsense deafult.
  • Other performance and reliability improvements

Wishing you holiday cheer and a happy new year.
Sensei Team

great news. thx very much! :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: manf0001 on December 29, 2019, 05:16:58 pm
Hi, I've been testing out the home license of Sensei and I must say it's a nice addition into opnsense.  I have moved from Sophos (formaly Astaro) UTM.  And while there were lots of great features in that, I'm pretty sure that opnsense and sensei together are a nice replacement.

I have some feedback more like feature requests or suggestions. 

1) I am using policies for the web security.  One for my wife's and mine devices and another controlled policy for the kids.  It would be a good feature to include Quota's for sites..  Ie:  Kids spend all day on Youtube.. if I can place a 2 hour limit on youtube then when it reaches that two hour mark,  either in one sitting, or two 1 hour viewings or four 30mins, etc over the course of a day, then when that time is up no more youtube until the next day.

2) Under the security settings, would like to have a test option.  You create a policy and have a user name or IP linked to it.  (I use static IPs so this is not an issue)  setup the sites I want to block etc..

But then the test option can be to put in a domain name, and the IP address of user name of who I want to test the policy out as and the output tells me that yes that site is blocked or allowed for this computer/user using this policy and what category under App and Web control it falls under.   This is also a good troubleshooting tool too, as maybe you blocked a category or two, then a site or app that is ok is not working, and you can use this feature to determine that oh,  it looks like its under this category and then you can make what adjustments you need to make.

Overall I am enjoying it, and am looking forward to new features.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 29, 2019, 10:32:18 pm
Revert: netmap buf_num value to OPNsense deafult.

How increased was memory consumption?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on December 30, 2019, 08:00:46 pm
@opnsenseuser, all welcome, enjoy :)

Hi @Antaris,

It had increased the wired kernel memory around 1 - 1.5 GB. So, for now we reverted it until we implement another solution (i.e. adjusting this according to the available RAM in the system).

Hi @manf0001,

Glad to hear that you're enjoying your subscription. Quick answers to your questions/requests;

Quote
Under the security settings, would like to have a test option.  You create a policy and have a user name or IP linked to it.  (I use static IPs so this is not an issue)  setup the sites I want to block etc..

Got it.

For now, you can view which connections are matching your newly created policy by drilling down to the specific policy. (i.e see Sensei - Drilling down to details: https://www.youtube.com/watch?v=sRvI7oAz2ac)

Quote
It would be a good feature to include Quota's for sites..  Ie:  Kids spend all day on Youtube.. if I can place a 2 hour limit on youtube then when it reaches that two hour mark,  either in one sitting, or two 1 hour viewings or four 30mins, etc over the course of a day, then when that time is up no more youtube until the next day.

Yep, we have this in the roadmap. This will be one of the features you'll see in the new year. Feel free to suggest more. You can also suggest more features via "Contact Sensei Team" option in the top right side of the Sensei UI.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on December 31, 2019, 11:40:05 am
I've had an on-going issue with my OPNsense box, which I believe Sensei is the culprit. Having uninstalled it, all seems fine. Here's the rundown:

- Bought new QOTOM hardware (primarily to try out Sensei - having run OPNsense successfully for some time on an APU2C4 box)
- Setup QOTOM box, and installed Sensei
- Have a few VLANs configured, so set the main LAN interface (igb0) as the Sensei protected interface
- Additionally, configured a new WAN interface (attached to a 2nd DSL line - but not using failover, etc. Just routing some traffic out an alternate WAN link)

Then, a problem started whenever the OPNsense box rebooted. Initially, this was just during an upgrade but for troubleshooting I also rebooted it.

The issue was that the LAN interface was no longer reachable, so no internet connection for any hosts on any VLAN.
Using the serial console connection on the box, from a shell i could ping outbound (both gateways), but could not ping any internal hosts. No igb0 traffic was being routed.

Rebooted again this morning (due to an error with Sensei reports not showing), and the same thing. After a 'reload services' (serial console option 11?) - some traffic on the default VLAN was working okay. But other VLANs were not.

I then noticed in the DHCP server log that discover packets from clients that were supposed to be on the 'other' VLANs was showing up on the default VLAN, and the DHCP server was offering IPs from the default VLAN (no subsequent DHCP requests were showing up though). Why would traffic from other VLANs be showing up on the default VLAN ???

3 main things had changed since the issues started: 1. new hardware, 2. installed Sensei, 3. Added new WAN interface

So, first off I uninstalled Sensei, rebooted ... and all was working with no issues.
Rebooted again, still working.

For now, it seems Sensei was the problem. No idea what it was doing to my VLAN traffic.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on December 31, 2019, 12:39:55 pm
Hi @ apidos,

If you have free port enable it without set an IP on it and name it TRUNK :) After this assign the VLANS on it. Not on the LAN port.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on December 31, 2019, 05:01:20 pm
If you have free port enable it without set an IP on it and name it TRUNK :) After this assign the VLANS on it. Not on the LAN port.

I do have a spare interface. So, you mean add a new interface (label TRUNK, no IP), then move the existing VLANs onto the new trunk interface ? Assume I'll also have to tag the previous default VLAN now.

Is that the preferred way to configure VLANs - I couldn't see a guide for this ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 01, 2020, 04:52:01 am
There is no one. It's from BSD. Don't use tagged and untagged packet on the same interface with Sensei. Try it and give feedback, please...

@mb
May be from last version Configuration >> Deployment Size can't be changed. It hangs web page on "Saving changes" and nothing happens.
On 3 different routers...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on January 03, 2020, 10:20:00 am
There is no one. It's from BSD. Don't use tagged and untagged packet on the same interface with Sensei. Try it and give feedback, please...

Working on it. Have the trunk now setup (had some interesting times trying to get it to work with my unifi switch/APs, but have now simplified my overly complex config, hopefully).

Just making some final tweaks and then I'll look at re-installing Sensei and see how it goes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 03, 2020, 09:23:27 pm
@mb
May be from last version Configuration >> Deployment Size can't be changed. It hangs web page on "Saving changes" and nothing happens.
On 3 different routers...

Hi @Antaris,

Confirmed & fixed. We'll ship this and a few other fixes with 1.2.5 in a couple of days.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: AlexV on January 04, 2020, 03:18:36 am
Hi All,
I Use OpnSense from agust 2019.
I have the firewall installed on virtualized enviroment for testing proupose.
The firewall is configured in this manner :
Squid trasparent proxy + clam AV
UnBound DNS + Dnscrypt Proxy
Suricata on Wan interface (Et Pro telemetry)

I also Have Configured Captive portal (on another interface) (that emulate a WIFI free access )
and Configured Ipsec and OpenVpn server.   

I have installed  Sensei but i see that with this configuration  sensei don't block any site even listed in App or Web or in use defined category.
I suppose that this behavior is determined by the Squid proxy or by the Dns configuration, there is a manner to configure Sensei to work with this configuration ?
For the moment i Dont want to disable Squid or DnsCrypt Proxy.
If this type of configuration isn't supported,  there is a Hope that  sensei  can support this in future ?

Best Regards

A.V.


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 04, 2020, 03:26:35 am
Hi @Alex,

Can you reach out to us using the "Contact Sensei Team" menu in the Sensei UI? Do not forget to check the "Share Sensei program logs"  option in the form.

This configuration should work with Sensei. Let's see what's going wrong.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 04, 2020, 09:18:22 am
I'm making a very heavy mess with one HP Z230 now.... Sensei installer Detected low-end hardware Xeon E3-1240 v3 / 8GB DDR3 or can't start the test at all - "Hardware configuration could not be detected!" Will make a clean install of the OPNsense first because i messed the interfaces pretty much: 2 WANs, LAN, TRUNK and 3 VLANs on discrete i340-T4. Between the experiments i updated BIOS with removed NIC and once OPNsense booted with only onboard NIC, the interface assignments and firewall rules got tottaly messed up :) Sensei even consider second WAN as protectable...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 08, 2020, 03:07:17 am
Dear Sensei users,

Sensei 1.2.5 is out with some bug-fixes:

Filtering
Fix: firewall reboots causing default policy rules being deleted

Reporting
Scheduled Reports: errors are now communicated through the user interface

Configuration
Fix: deployment size setting
Fix: re-assigning network interfaces

Enjoy.
You Sensei Team.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on January 08, 2020, 07:44:38 am
every time it updates,
Security-> Essential security

all setting gets disabled
i am using the free version
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tusc on January 08, 2020, 03:37:44 pm
I just updated to 1.2.5 and can't startup mongodb. I get the error on the attached image.

I'm also still seeing loss of traffic after starting up the engine after a few minutes. Pings to the firewall drop and Internet access is dropped. What logs can I provide?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 08, 2020, 03:40:45 pm
@tong2x, @tusc,

Can you use "Contact Sensei Team" menu (located on the upper right hand side of the screen) to send a problem report.

We'll follow-up there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 08, 2020, 03:51:51 pm
Hello,

I also use sensei free version, for six months.

At each update the parameters are reset in two places.

sensei / security / essential security

sensei / web controls

We have to reselect our choices.

Although it has been reported many times.

Regards, my mother tongue is French
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 06:16:57 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 10, 2020, 09:01:02 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

i have the same Problem. had to uninstall sensei to get my firewall working again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 09:33:41 am
Bonjour,

mb, je confirme ce disfonctionnement dans sensei/rapports depuis la mise à jour opnsense 19.7.9

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "conn_all",
        "index_uuid": "_na_",
        "index": "conn_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "conn_all",
    "index_uuid": "_na_",
    "index": "conn_all"
  },
  "status": 404
}

Cordialement.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 10, 2020, 02:23:38 pm
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

After updating to opnsense to 19.7.9_1 everything works again!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 03:06:45 pm
19.7.9_1 did not work for me...
but there was no official announcement forum for that tiny patch? usually Franco adds some info to his release post?
if I read the logs right PHP might be missing the libraries for MongoDB?!?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 03:45:23 pm
Re bonjour,

La version 19.7.9_1 ne résout RIEN.

Cordialement.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 10, 2020, 03:58:05 pm
finally Franco added some notes to the 19.7.9 release - but nothing Sensei or PHP related - only a small GeoIP thingy...
after uninstalling and reinstalling sensei the issue was fixed. I can see the graphs again...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 10, 2020, 06:24:01 pm
Good evening,

For the malfunction between sensei and the opnsense update 19.7.9_1, I tested two methods:

1) on OPNsense 19.7.8-amd64 update to OPNsense 19.7.9_1-amd64 & SENSEI / dashboard and report is in php error

2) on OPNsense 19.7.8-amd64 before migrating,
(sensei / statute) I stopped sensei packet engine & db services and start on boot
(system / firmware / plugins) updated to 19.7.9_1
(sensei / status) I activated the sensei packet engine & db and start on boot services
FAILURE sensei / dashboard and report do not work any graphics.

My solution:
To restore the functioning of SENSEI
Sensei / configuaration / uninstall

-stop sensei packet engine
- reset to sensei factory defaults & yes
-follow the wizard: / install database & proceed / next / interface selection / next / cloud reputation / next / sensei cli / next / updates & health check / next / deployment size / next / finish / finish
-power / restart & yes

SENSEI WORKING AGAIN

cordially
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 10, 2020, 07:26:59 pm
I think it'll be best if we can include mongodb in the opnsense repo. Let me talk with the OPNsense team to see if there is a chance.

Will keep the thread updated.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 11, 2020, 10:50:31 am
anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

After updating to opnsense to 19.7.9_1 everything works again!

1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 11, 2020, 11:29:23 am
After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 11, 2020, 12:29:21 pm
1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works

do you uninstall sensei everytime an OPNsense update is available?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 11, 2020, 06:15:47 pm
Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that %100 of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on January 12, 2020, 08:22:58 am
Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that %100 of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.

sensei is a really great plugin. I also know that you and your team will solve the problem.
But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.
but i know i will reinstall it as soon as the problem is fixed. thanks again for your great support.

Regards
Rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: greeno on January 12, 2020, 01:30:02 pm
same here after last update, seems not working correct... uninstalling necessairy?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: apiods on January 12, 2020, 04:29:30 pm
But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.

I had a similar problem - my LAN interface was unreachable after a reboot of the OPNsense box, so no Internet access.
Uninstalling Sensei fixed the problem.

On this thread, I was advised:
Quote
Don't use tagged and untagged packet on the same interface with Sensei

Which is what I had - a native (untagged) VLAN on the same interface as a trunk (tagging a few other VLANs).
I have now added another interface - a trunk with no native VLAN, and tagging all VLANs on that interface.
But, I have not re-installed Sensei yet - just waiting as there seem a few install issues still. Once these are sorted, I will install and try again.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 12, 2020, 05:59:26 pm
same here after last update, seems not working correct... uninstalling necessairy?

Hi @greeno, run below commands and it should fix:

Code: [Select]
pkg install php72-pecl-mongodb
/usr/local/sbin/configctl webgui restart
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ultra on January 13, 2020, 09:33:03 pm
Hi all,

after a successfull installation of all Sensei plugins on the latest Opnsense version (19.7.9) I've trouble to finish the installation. The list of availible Interfaces is empty. See screenshot below. Is that because I am using an USB-to-LAN adapter as my LAN interface? The adapter works fine with Opnsense. Thanks for your help!

Ultra
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Ultra on January 13, 2020, 09:37:53 pm
Here are the screenshots...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 13, 2020, 11:17:50 pm
Hi @Ultra,

Yes, switch adapters for WAN/LAN and use em for the LAN side. netmap[1] is pretty picky when it comes to compatibility.

[1] https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4 (https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on January 20, 2020, 06:57:47 am
After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...

I reported on this issue months ago. I must have had a config that tripped it more often than others.
What I found was to leave the auto start for the Sensei Packet engine off then after a restart everything is fine you just need to go in and start sensei manually. I also keep an unprotected interface free now so I can just swap my pc to the second drop I have nearby so I can get in the router to fix it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 20, 2020, 06:22:27 pm
@donatom3, thanks for the hand and suggestion.

Yes, this workaround would work for people who experience this problem.

This looks like a race condition in netmap(4). Team is working to provide a patch for FreeBSD.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: AlexV on January 21, 2020, 12:01:49 am
Hi all, in these days i have tested  Sensei very well,
And after a period of intese testing,  I can Say Wow GOOD WORK, and tanks to the team, for the freeware relase.
 
I work with every type of network device from Nexus 7000 switch to ASR900 router, and from asa firewall, to firepower, checkpoint, and palo alto, and i think that sensei can reach the same level of this NGFW.

i see that sensei have some difficulties to match traffic  when on the firewall is used   Squid as t proxy. infact sensei dont inspect the traffic directed to the squid  proxy port, or if it do there is some problem because in this condition the web filtering dont work, can implement this feature  ?
I can help you in some manner ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 21, 2020, 09:05:01 pm
Hi @AlexV,

Many thanks for trying Sensei and your feedback. All welcome and much appreciated.

We're just starting out... Future will bring lots of exciting developments here.

With regard to Squid. For plain HTTP based traffic, you should see no difference. But for HTTPS based traffic, we might be missing Squid's CONNECT requests. Let us have a look at this. I'm guessing this wouldn't be a hard thing to implement.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 23, 2020, 02:55:34 am
Dear Sensei users,

I'm pleased to announce that Sensei 1.3 is out with the following new features / fixes:

SOHO Subscription goes live

Filtering

Reporting

Other

We'll have another post about planned upcoming developments regarding netmap project, better OPNsense integration and new features that are to be shipping in 2020.

Enjoy :)
Your Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on January 23, 2020, 12:28:07 pm
i updated to version 1.3 and lost my premium subscription and security configuration.
After installing premium key and doing configuration manually, it seems to work o.k. again
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 23, 2020, 12:37:23 pm
Hi,
After the SENSEI 1.3 update, on three machines the widget no longer works. Even after uninstalling and reinstalling the SENSEI plugin.
cordially
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on January 23, 2020, 04:45:25 pm
Hi,
Version 1.3_1 did not reinstate the widget bug.
But after an hour, the widget displays again ???
Title: Re: Sensei on OPNsense - Application based filtering
Post by: malac on January 23, 2020, 04:55:51 pm
after updating 1.3 to 1.3_1 i lost again my premium subscription and security configuration.
After installing premium key and doing configuration manually, it seems to work o.k. again

will that happen on every update now?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 23, 2020, 06:33:39 pm
Hi @Darkopnsense,

We couldn't reproduce the widget issue. Can you create a problem report via "Contact Sensei Team" menu located on the upper right hand corner? Make sure you check all three options. We'll take it from there.

Hi @malac,

Sorry for the invonvenience, 1.3 had a url translation bug which leaded to the license issue. 1.3_1 is a hotfix for this. You've upgraded to 1.3_1 but since the currently running code was still 1.3 you still had the problem. Looking forward you should be safe.

Security settings issue is related to the above problem. You should be safe now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnip on January 25, 2020, 08:29:48 am
Have regularly messsages like this (1.3_1) (newest is top)
Code: [Select]
Jan 25 08:05:00 kernel: -> pid: 47971 ppid: 25978 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Jan 25 08:05:00 kernel: [HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (47971)] Suspension expired.
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.20.1) (interface: Guest[opt2]) (real interface: igb0_vlan20).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0_vlan20'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:08 opnsense: plugins_configure hosts ()
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.8.1) (interface: LAN[lan]) (real interface: igb0).
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jan 25 08:01:08 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:08 kernel: igb0_vlan30: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan40: link state changed to UP
Jan 25 08:01:08 kernel: igb0_vlan20: link state changed to UP
Jan 25 08:01:08 kernel: igb0: link state changed to UP
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for NoT(opt3) but ignoring since interface is configured with static IP (192.168.30.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for IoT(opt5) but ignoring since interface is configured with static IP (192.168.40.1 ::)
Jan 25 08:01:04 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for Guest(opt2) but ignoring since interface is configured with static IP (192.168.20.1 ::)
Jan 25 08:01:03 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.8.1 ::)
Jan 25 08:01:03 sshlockout[69152]: sshlockout/webConfigurator v3.0 starting up
Jan 25 08:01:03 kernel: igb0_vlan30: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan40: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0_vlan20: link state changed to DOWN
Jan 25 08:01:03 kernel: igb0: link state changed to DOWN
Jan 25 08:01:03 kernel: pid 6147 (eastpect), uid 0: exited on signal 11
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on January 25, 2020, 06:32:57 pm
Sensei: Good idea
Sensei integration with opnsense: Very bad
Sensei integration with Suricata: Very bad
Sensei's performance in general: Very bad
The funny thing is that they want us to pay for unfinished software that doesn't work.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 25, 2020, 07:43:20 pm
Hi @opnip, Looks like a bug. I'll be PM'in you for a debug session.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 25, 2020, 07:59:01 pm
Hi @yeraycito,

Many thanks for trying Sensei and sharing your feedback.

Glad to hear that you find Sensei idea interesting.

As of today, there are around 1000 global Sensei deployments spread over 70+ countries. Eacch deployment protect a wide range: from 5 devices to thousands of devices. A proportion of these deployments are Premium Subscribers.

Like any other software in the world, Sensei will work for some people now, for some in the near future.

Eventually, Sensei team will complete every single item in their roadmap to make it work for everybody.

We're committed to accomplish this goal.

The best way to see if it's working for you now is to try the Free Edition, and consider the Premium Edition afterwards if you see it fit for your use cases.

The best way to help improve Sensei is reaching out to us through "Contact Sensei Team" menu option in the Sensei User Interface. You can create bug reports and even suggest ideas for us to consider.

We may not get back to you the second you send a report, however be assured that these reports are evaluated at the highest level in the company.

We've worked hard to be able to provide Sensei to the OPNsense community. We'll work ever harder to make it a perfect solution in the world.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 26, 2020, 05:49:23 pm
From the last update (1.3_1) my widget won't show info:
Title: Re: Sensei on OPNsense - Application based filtering
Post by: the-mk on January 26, 2020, 06:00:31 pm
mine is a bit messed up too...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 26, 2020, 07:40:47 pm
@the-mk, got your PR.

@Antaris, any chances you can send a PR (Contact Sensei Team menu located in the upper right hand corner of the UI).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on January 26, 2020, 09:25:03 pm
@mb,

Sent for this one and replied for the one from 24-th...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 26, 2020, 09:35:05 pm
@Antaris, got it, thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 27, 2020, 11:31:49 am
hi, new user here,
been searching this thread but cannot find it yet

how to change db engine from mongodb to elasticsearch?
now already installed elasticsearch5 via the shell
does we have to reset sensei to default config or uninstall then install it back?

thanks for the clue

Regards
Reza
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 27, 2020, 02:57:21 pm
Hi faisal,

Many thanks for trying Sensei.

Backend Database selection is done automatically based on your hardware resources. If you have less than 8GB RAM, sensei will pick mongodb.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 27, 2020, 04:03:04 pm
hi mb thanks for answering
i have xeon e3 4 core 8 thread with 16gb ram

but no options for using elasticsearch, any required steps or i missed something?

regards
Reza
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 27, 2020, 05:10:10 pm
Hi faisal,

Than it must be the cpu score. There is a 300.000 minimum cpu score requirement for Elasticsearch.

Here's  a quick hack:

1. Remove /usr/local/sensei/etc/.configdone
Code: [Select]
rm /usr/local/sensei/etc/.configdone
3. Edit /usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh file and locate these lines:

Code: [Select]
if [ $CPU_SCORE -le 300000 ]; then
       CPU_PROPER="false"
else
       CPU_PROPER="true"
fi

Change 300000 to a lower value, like 200000. 

4. Do a browser refresh on the OPNsense UI, and click on any sensei menu. It'll re-run the config wizard. Now it should select Elasticsearch.

Now I'm thinking: for cpu scores between 200K and 300K and if there is enough memory (>=8GB) I think we should let the user decide on the database backend.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 28, 2020, 07:06:12 am
hi mb, done that and here's the result

/usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh
Code: [Select]
{
   "memory": {
       "size": 17179869184,
       "proper": true
   },
   "cpu": {
       "model": "Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz",
       "proper": true,
       "score": 224783
   },
   "opnsense_version": "1979_1"
}
is there any possibility to separate log file location for the reporting?, i have opnsense installed on a 128GB ssd and sensei looks like take amount of space for keeping log, does 500gb - 1tb disk good enough for log and analytics?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 28, 2020, 07:19:09 am
Hi faisal,

Good, you can now do the initial configuration, it should install Elasctic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lakej on January 29, 2020, 08:08:13 am
Keep gettin this error even after a clean reinstall.

[29-Jan-2020 07:02:25 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20170718/mongodb.so (Shared object "libcrypto.so.9" not found, required by "mongodb.so"), /usr/local/lib/php/20170718/mongodb.so.so (Cannot open "/usr/local/lib/php/20170718/mongodb.so.so")) in Unknown on line 0

In /user/local/lib there is a libcrypto.so.11 ..
Title: Re: Sensei on OPNsense - Application based filtering
Post by: dragon2611 on January 29, 2020, 01:55:59 pm
I can't install in a VM on a Mac Mini in proxmox, It should (just about) meet the minimum requirements

CPU Model:Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz
CPU Score:384496
Physical Memory Size:2.13 GB (Mini only has 4GB)

Code: [Select]
Please make sure you are running the latest OPNsense version
Code: [Select]
OPNsense 19.7.10-amd64
OPNsense isn't finding any newer updates than this  ???


I could try an install on more powerful hardware but then I'd have to tunnel the traffic I wanted to pass through Sensei to the datacentre first.

Edit:

Seemed to work following a reboot, guess there was an installed update that needed a reboot.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 29, 2020, 07:05:57 pm
Hi @lakej,

I guess you are on OPNsense 20.1rc1. Current Sensei repo is not yet ready for 20.1 since it's not yet released.

Two options:

1. Wait until 20.1 is officially released and re-install sensei, since we'll ship the required dependency packages when 20.1 is officially released.
2. Use 19.7.10 for now.

I would suggest waiting a bit more since we expect that OPNsense will release 20.1 tomorrow. (then we'll ship the 20.1 repo)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on January 30, 2020, 02:39:35 pm
Question:

What system privileges are needed to display / restrict sensei pages? I have several groups with just access to certain pages (viewonly, voucher creation, basic operation, etc.)

There exist no predefined privileges for sensei. I want just to allow reports and status. Without possibility to edit settings.

How can I restrict that?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: faisalreza on January 30, 2020, 05:02:49 pm
hi mb
after doing the cpu score hack, is still installing mongodb, and i cannot see either options to install elasticsearch

i continue installation and after finished, shown error like this

Quote
Warning: Sensei is stopped because of a problem
Sensei has detected a problem during operation and has shut down Sensei services in order to prevent a network outage.

Cannot find workers map file

If you think this is something we should have a look, just click here to let us know about the details and we will investigate this further.

You can re-enable the services from Status page.
any clues?
Hi faisal,

Good, you can now do the initial configuration, it should install Elasctic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on January 30, 2020, 06:07:56 pm
Dear Sensei users, (especiallly Mongodb users)

We advise that you postpone 20.1 upgrades for a day or two while we confirm everything works as expected.

20.1 is a major upgrade, we want to make sure upgrade path for Sensei users is clear.

We'll post an update here and from twitter once we have confirmed everythins is ok.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lakej on January 31, 2020, 10:53:32 am
I'm getting 500mpbs without sensei and 0,5mbps with sensei.

I have a dogshit CPU, E3950 @ 1.60GHz (4 cores).

However the CPU is barely breaking a sweat and memory utilization is ~20% (8gb).

is this what I can expect performance-wise out of this hardware?
I was thinking abut upgrading but I'm doubting the Hades Canyon or similar can pull it if this isn't working out right now?

Or could there be some configuration error at play here?

Edit: Hardware offloading was the problem. now it's around 300 :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 01:43:41 pm
We advise that you postpone 20.1 upgrades for a day or two while we confirm everything works as expected.

20.1 is a major upgrade, we want to make sure upgrade path for Sensei users is clear.

We'll post an update here and from twitter once we have confirmed everythins is ok.

Tests have been completed and looks good. We're all clear for 20.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on February 01, 2020, 04:08:00 pm
I also get errors like this:
Code: [Select]
PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20170718/mongodb.so (Shared object "libcrypto.so.11" not found, required by "mongodb.so"), /usr/local/lib/php/20170718/mongodb.so.so (Cannot open "/usr/local/lib/php/20170718/mongodb.so.so")) in Unknown on line 0Even after complete uninstall of sensei plugin.
OPNsense 19.7.10_1-amd64
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 04:16:33 pm
Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 01, 2020, 08:47:11 pm
Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.

After installing sensei i get this error

 PHP Errors:

Code: [Select]
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  filesize(): stat failed for /tmp/mongodb_dahsboard5e35d54da4d3d_result.json in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 78
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 187
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 188
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 01, 2020, 08:49:25 pm
@mb did you get my bug report?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 01, 2020, 09:06:13 pm
@rene, yes, a colleague should have replied back. this is fixed, needs a package re-install:

Code: [Select]
pkg install -f os-sensei
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2020, 12:05:45 pm
@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: petrus on February 02, 2020, 12:49:22 pm
Hi,
Thanks for providing Sensei! I thought now with the 20.1 OPNsense release it's just the right time to try.
Unfortunately I ran into an issue before I was able to test Sensei: some network cards are not shown
My HW: Core i5-8400+16G RAM, some RTL onboard card (available from OPNSense, also not shown in Sensei, but I dont use that anyway) 
NIC I use: Intel i350 quad port, igb0+igb3=lagg0, igb1=wan 
Strangely igb0 and igb3 are available in Sensei as unassigned,  but not igb1 and igb2.Also all VLANS on lagg0 are available separatley. 
I was looking into the tunables and reset them according to this post, reset Sensei to factory defult, but that did not help: https://forum.opnsense.org/index.php?topic=13436.msg61860

Code: [Select]
hw.igb.rxd 1024
hw.igb.txd 1024
net.link.ifqmaxlen 2048

I don't see anything special in dmesg/syslog.
Sensei works for some of the VLANs, but it should actually work for WAN, which is igb1, and that's not available.
Suricata is not running on WAN.

Any ideas?
Thanks
Petrus

Code: [Select]
Sensei version info
Engine Version: 1.3.1 View Changelog Version History
UI Version: 20.1.31
Database Version: 1.3.1
Opnsense:
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 02, 2020, 05:36:10 pm
Hi Petrus,

Sensei protect internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 03, 2020, 02:56:43 am
@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 03, 2020, 08:10:07 pm
@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?
Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 03, 2020, 08:28:26 pm
Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.

Got it. It should appear shortly this month/early next month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: petrus on February 06, 2020, 04:41:41 pm
Hi Petrus,

Sensei protect internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.

Hi Antaris,
thanks & sry, should have been obvious about the WAN port.
What I still miss is the list of supported NICs, because I can't see the two onboard ports, just the i350 Interfaces.

Peter
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 07, 2020, 01:52:23 am
Hi @petrus,

To be able to access packet off the wire, Sensei makes use of a FreeBSD subsystem called netmap(4).

Netmap can be a pretty picky when it comes to ethernet device compatibility. So we try to filter out any devices that are known to be having problems with netmap.

Netmap team seems to be maintaining Intel based drivers, igb(4), em(4) being two of the most widely used ones.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on February 07, 2020, 07:47:10 pm
In short you can use integrated Realteks on your mobo as WANs if they needed at all...
If you will not use them better disable them in BIOS.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 11:01:08 am
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene
Title: Re: Sensei on OPNsense - Application based filtering
Post by: marcri on February 08, 2020, 11:21:50 am
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
CURL -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on February 08, 2020, 11:57:35 am
www pornhub com is not in pornography category, really?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on February 08, 2020, 12:38:12 pm
obviously it is an entertainment site !!! ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lakej on February 08, 2020, 01:16:17 pm
How are you people going about excluding OPNsense traffic?
I have a bunch of vlans, all going to a Pihole (for now) then back to unbound and out from there.
IIRC i lose the lookup if u exclude all but one interface in Unbound aswell.

Sensei doesnt seem to take 127.0.0.1 / self as an exclusion.

Looking for ideas on how to set this up the best way :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 08, 2020, 03:01:40 pm
www pornhub com is not in pornography category, really?

Hi @siga75, it looks like it's correct in the database. Let's see what happened in your case. Kindly send a PR through Report a bug menu located in the upper right hand corner of the UI.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 08, 2020, 03:05:58 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
CURL -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to chose using an external database instead of installing elastic locally.

Would that also do the trick?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on February 08, 2020, 04:05:58 pm
www pornhub com is not in pornography category, really?

Hi @siga75, it looks like it's correct in the database. Let's see what happened in your case. Kindly send a PR through Report a bug menu located in the upper right hand corner of the UI.

OK, report just submitted.

Thanks a lot :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 04:11:27 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
CURL -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to chose using an external database instead of installing elastic locally.

Would that also do the trick?

due to my hardware, i can only use mongodb. will this also possible with this database?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: opnsenseuser on February 08, 2020, 04:18:48 pm
@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
CURL -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'

@marcri, thanks for the hint.

@opnsenseuser, good idea. My only concern is that it might take really long to do an export/import. Needs careful processing.

One question: in our roadmap this year we have "external elasticsearch" in which you get to chose using an external database instead of installing elastic locally.

Would that also do the trick?

due to my hardware, i can only use mongodb. will this also possible with this database?

or is the database always external so that the own system resources no longer matter?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 12, 2020, 01:22:17 am
or is the database always external so that the own system resources no longer matter?

Correct. Database puts some weight on the device, we think offloading it would provide a lot of flexibility. Engine itself consumes as low as 256MB memory. This way it could be possible to run Sensei even in 512MB memory.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on February 16, 2020, 06:45:32 pm
How do additional policies work ? I wanted to set up an exclusion for a part of the default policy. In the default policy I selected "firstly seen sites" to be blocked, but this breaks my TV and I dont want to disable it completely.

Made a new policy besides the default and disabled "firstly seen sites", re-enabled on the default. The policy isnt being picked up. How can I work the policy so I can set exclusions in it while keeping the settings in the default policy ?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 16, 2020, 07:43:45 pm
Hi @actionhenkt,

It's probably both policy descriptions overlap and the first in the policy list is matching packets. Click "Contact Team" on the right hand corner of the UI. And team member will follow up with you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 05:27:59 pm
Hi,
I have some problems with Sensei on PC Engines APU - mainly with graphs and reports.
HW is PC Engines APU4, 4GB RAM, CPU AMD GX-412TC SOC (4 cores), 128GB SSD.
There is new updated opnsense to 20.1(libressl) and sensei latest install. I repeated also install today again.
Sensei shows in status it is OK, but I do not see any graphs or reports.
Is there some advice how to solve this ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 17, 2020, 09:00:31 pm
Hi @Wyrm,

This is due to firewall being shut down abruptly or that /var is a temp filesytem.

If none is valid for your case, just shoot a Problem Report (top right hand corner of the UI) and a team member will follow up with you shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 09:08:29 pm
Thank you for reply.
I checked now Dashboard and I see this:

Disk usage   
9% / [ufs] (8.9G/108G)
0% /usr/local/sensei/output/active/temp [ufs] (8.0K/9.3M)

In attachement is screenshot...

What does it mean ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 17, 2020, 09:36:41 pm
@Wyrm, all welcome.

"/usr/local/sensei/output/active/temp" directory is auto-created by Sensei, so it is ok.
I don't see /var here, which tells me that /var is not tmpfs.

Send a Problem Report  (top right hand corner of the UI), and we'll have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Wyrm on February 17, 2020, 11:15:47 pm
Thanks and problem report sent...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on February 21, 2020, 05:07:20 pm
is it possible to change the MongoDB data location?
I'm running out of disk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 21, 2020, 06:36:31 pm
Hi @nikkon,

We've implemented this for 1.5, which should arrive late March.

For now, you can do a "Reset Reporting" from Sensei -> Configuration -> Reporting & Data. Please be noted that this will erase all reporting data.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on February 21, 2020, 07:27:57 pm
Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 27, 2020, 03:28:36 pm
Dear Sensei users,

Bringing High Availability Clustering support, better Ad Blocking, more improvements and some bug fixes; Sensei 1.4 release is out for OPNsense.

For a complete list of new features and improvements:


What’s cooking for Sensei in 2020?

We value your opinion. You can fill out “Sensei Roadmap Survey” and help shape Sensei’s roadmap for 2020. Takes 30 seconds to 1min to complete:


Enjoy :)
Your Sensei Team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: hbc on February 27, 2020, 03:42:14 pm
Bringing High Availability Clustering support, better Ad Blocking, more improvements and some bug fixes; Sensei 1.4 release is out for OPNsense.

Is HA cluster support a premium feature?

I just get "The changes have been applied successfully, remember to update your Sensei backup FW in System: Sensei/Configuration/HA", but I have no "Sensei/Configuration/HA" tab and 'System: High Availability: Settings' has no Sensei option to check for sync.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 27, 2020, 07:05:52 pm
Hi @hbc, correct, that's a premium feature. We updated the Changelog/Blog to reflect this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 07:10:43 am
Hi, any advise how I upgrade SENSEI if the packages are shown as orphaned in the systems firmware section of opnsense 20.1?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: lakej on February 28, 2020, 09:32:04 am
I can't SSH to my servers on a different VLAN than my Desktop.
I can SSH between my servers on the same interface. (LAN/untagged)

Any fix for this, or do I have have to remove myself from sensei to manage my servers?

I can move them onto a vlan if that's a solution.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 06:23:09 pm
Hi @ckishappy, which package is shown as orphaned? Are you reported of any new Sensei release (e.g. 1.4) ?

Hi @lakej, is it just SSH or do you have problem accesing the other services/computers on the other VLAN? Are these vlans on the same parent interface?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 07:23:23 pm
See attached
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 07:29:50 pm
@ckishappy, got it. Can you try updating via console (needs SSH access)

Code: [Select]
pkg install -f os-sensei
What happens if you run this command?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 28, 2020, 08:44:34 pm
unfortunately not that much... see below


$ sudo pkg install -f os-sensei
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sensei' have been found in the repositories
$
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on February 28, 2020, 10:10:27 pm
Ah, you need os-sunnyvalley repo package. That's why...

Code: [Select]
pkg install os-sunnyvalley
pkg install -fy os-sensei-updater
pkg install -fy os-sensei

Alternatively, installing os-sunnyvalley from the UI and trying the update again should produce the same result.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: ckishappy on February 29, 2020, 12:28:15 am
Got it thanks for the advise ✅
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 01, 2020, 11:53:56 am
why are sensei logs not available on the WUI? Or am I missing something?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgone on March 01, 2020, 12:15:58 pm
I have opened a bug report for sensei:

First I have the following setup:
Internet <-> Firewall (with sensei) <-> fritzbox (VOIP).
Only the LAN-interface is assigned to be controlled by sensei.

Incoming SIP Invites are not passing sensei.
The SIP Invite-packets arrives as fragmented udp packets.

The problem is that fragmented udp-packets are discarded by sensei.
The packets never reach the LAN-network, if sensei ist enabled.
If the bypass-mode from sensei is active, the packet are passed normally through the firewall and reach the fritzbox.

I believe that sensei is silently discarding fragmented udp-packets.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 01, 2020, 03:50:12 pm
@ckishappy, all welcome.

@siga75, logs contain quite many information which might be abundant trying to display in the UI. Instead, our approach is to selectively notify users for important events via the User Interface.

@cgone, we received your report. Team will get back to you momentarily.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on March 02, 2020, 08:06:54 pm
Hi, freshly installed sensei 1.4 caused SEGVGUARD and stops all traffic.
It looks like that in dmesg.today log file:

Code: [Select]
[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (62199)] Suspension expired.
 -> pid: 62199 ppid: 13537 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...
[HBSD SEGVGUARD] [/usr/local/sensei//bin//eastpect (49329)] Suspension expired.
 -> pid: 49329 ppid: 44449 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
...


When I tried to enable Generation of Support Data (Sensei -> Configuration -> Updates & Health; here turn on "Enable Generation of Support Data".) - nothing happened. After page refresh - "Enable Generation of Support Data" still disabled.
How also I can enable generation of support data to catch core dump file ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 03, 2020, 03:08:00 am
Hi @xsfpo,

We need  a core file to debug this. Just reach out to us through "Report Bug" menu located on the upper right hand corner of the UI. Team will guide you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 03, 2020, 12:34:17 pm
My SSH and SFTP connections are detected as "Generic TCPIP" with no more specific information, so my SSH connection are dropped, even if I enabled SFTP snd Secure Shell

I suggest to have, as an option, a blacklist instead of whitelist (even if generally not a good choice from a security perspective) so if a connection is not correctly detected by default it pass. Otherwise the only way is to completely enable the Generic TCPIP category, which contains more than 700 entries.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on March 04, 2020, 04:39:16 am
Hi,
Not sure if it's a bug or not but on I've recently upgraded to v1.4 and I noticed in:

Sensei: Configuration: General: Deployment Size

Database: Elasticsearch
Deployment Size:  Home (Max 15 Devices)  <--- Here

I have the Home subscription and thought the max devices count should be 50. I checked the About: View License  page and it does show 50 devices there.  Is this something I should be concerned about?  I've not noticed anything negative so far.

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bEeReE on March 04, 2020, 02:57:26 pm
Hi all,

What‘s the plan for Sensei in the future?  I really like the approach and added value to OPNsense, but will it be able to replace some other services like web proxy and clamAV? Or is the intention to run everything independently!?

Currently, they are asking about development preferences for 2020 in a survey, but do not differentiate between subscriptions. E.g. if we vote for TLS inspection, it will not be possible for home users according to their plans published on the website. So the survey results may lead to an undesired focus, not? Although, it is definitely one of the important features that should be also possible for home users in order to allow improving the overall security level since most traffic is encrypted now (as per my knowledge, Sensei does not even take usage of traffic decrypted within the proxy). Sophos has also integrated dpi inspection without a real MITM and is able to scan other ports (e.g. IMAPS).

If malware scanning would also be included (I guess currently, it‘s not using a malware engine but rather blocks based on urls), the replacement/alternative to the proxy would be perfect in my opinion....



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2020, 05:52:27 pm
Hi @siga75, we could not reproduce this. I think we need a small packet capture. Can you reach out to the team (Report Bug link on the upper right hand corner of the UI)? Team will guide you through.

And, thanks for the suggestion. I might have a few questions to make sure I understand correctly.

Hi @packetmangler, this looks like a glitch with this setting. We are fixing this in the coming release. For now, you do not need to worry since packet engine honors the actual value stored in the license, which is 50 devices.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 04, 2020, 06:13:21 pm
Hi @bEeReE,

Many thanks for your encouraging comments. We've decided to walk through a 'never-tried-before' path for going to the market and delivering the product. Instead of building a full-blown product, we are complementing what's already doing great. It's super to see validation that this is a good idea.

The core technology behind Sensei product is a very powerful packet inspection engine. Indeed, only some fraction of the current underlying capabilities are reflected through the User Interface. Packet engine has a very performant All-ports Full TLS Inspection Capability already built-in (can do almost 500 Mbps on a i5 3Ghz CPU - single core). So in that regard, providing what's available with Squid+ClamAV is possible (i.e. file based AV/Sandbox)

The poll for the 2020 roadmap is kind of what we think we will be providing as of this year. Free/Premium distinction is not decided yet, but we can go ahead and mark the ones which is likely to appear in the Premium version). The poll system did not have a free-answer option. But I think we should be having another poll to have your ideas as to what you would like to see for Sensei (apart from the ones presented in the current poll [1]).

[1] https://surveymonkey.com/r/BTMH9P7
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on March 05, 2020, 04:30:05 pm
case opened as requested, attached a screenshot, this happens both with putty from windows 10 and from another ssh client from rasbian buster

root@linjs:/root # ssh www.signorini.in
ssh_exchange_identification: Connection closed by remote host

root@linjs:/root # dpkg -l ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version            Architecture Description
+++-==============-==================-============-============================================
ii  ssh            1:7.9p1-10+deb10u2 all          secure shell client and server (metapackage)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 05, 2020, 07:50:56 pm
@siga75, thanks, well received.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Tubs on March 08, 2020, 02:25:01 am
Sensei and AD/LDAP integration

Can Sensei have advantage of AD integration agent in Free plan?

The feature table shows "User based reporting (AD/LDAP) = up to 5 devices" for free plan. But when I install AD agent on DC Sensei reporting shows 0 for authenticated users. The instruction documents are not clear to me in this point.

Something wrong on my set-up or is it supposed to be in this way?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: xsfpo on March 08, 2020, 12:53:16 pm
Hi mb, can you read and comment some topics in main 20.1 forum branch about unsuccessful upgrade to 20.1.2 with sensei plugin installed.

 https://forum.opnsense.org/index.php?topic=16164.0 (https://forum.opnsense.org/index.php?topic=16164.0)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 08, 2020, 03:45:29 pm
Hi @xfspo, thanks for the heads-up, will be looking.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 13, 2020, 04:25:38 pm
Hi faisal,

Than it must be the cpu score. There is a 300.000 minimum cpu score requirement for Elasticsearch.

Here's  a quick hack:

1. Remove /usr/local/sensei/etc/.configdone
Code: [Select]
rm /usr/local/sensei/etc/.configdone
3. Edit /usr/local/opnsense/scripts/OPNsense/Sensei/check_hardware.sh file and locate these lines:

Code: [Select]
if [ $CPU_SCORE -le 300000 ]; then
       CPU_PROPER="false"
else
       CPU_PROPER="true"
fi

Change 300000 to a lower value, like 200000. 

4. Do a browser refresh on the OPNsense UI, and click on any sensei menu. It'll re-run the config wizard. Now it should select Elasticsearch.

Now I'm thinking: for cpu scores between 200K and 300K and if there is enough memory (>=8GB) I think we should let the user decide on the database backend.

This solution no longer works on fresh install today. And i can't find from where to choose Elastic engine...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 13, 2020, 05:07:58 pm
Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 14, 2020, 12:01:43 pm
Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/
Hi @mb,

Looking forward to 1.5 and thx for the classification option. :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: deibit on March 15, 2020, 12:29:07 pm
Hi,

I have just installed OPNsense after many (more than i recall) years using PfSense. One of the first things I installed is Sensei.. I liked it so much that I even paid for the home license :)

I run OPNsense in a SC813 Supermicro Rack, with a X10SLM+LN4F MoBo, 32GB DDR-1600 ECC RAM, a Xeon E3-1230L V3 CPU and a 2TB Seagate Ironwolf HDD (all baremetal, not virtualized).

I use a single 1.000/50 Mbit/s WAN, not many simultaneous webusers (4 or 5) but heavy traffic on the 4 VPN tunnels (fileserver)

The CPU gives 267.081 Single CPU Ubench index. So it's underpowered according to Sensei/Elasticsearch standards.

I guess I wouldn't have any problem in upgrading the CPU, but why is the single core performance so important? ElasticSearch s supposed to take advange of multiple cores isn't it? (CPU has 4 cores and 8 threads)

Should I be worried? Where can I look if my CPU is struggling? Everything "feels" good so far...



Title: Re: Sensei on OPNsense - Application based filtering
Post by: Antaris on March 16, 2020, 12:28:20 am
Hi @deibit,

I think every Intel Core with AES and 4 or more cores @3GHz or more is OK for OPNsense with Sensei and Elastic. In the incoming 1.5 you will have the option to choose backend database manually and this misunderstanding will be solved. May be it's good to upgrade cpu to non-L Haswell or Broadwell cpu for better VPN throughput. Also you have to know that for some strange reason Ubench rates Haswell Xeons way lower than non-xeon i5 on same clocks...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on March 17, 2020, 11:57:08 pm
@mb sensei is still running very smooth for me
Any news/eta on those botnet and DNS tunneling features already shown in the policy?

Gesendet von meinem MI 9 mit Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: deibit on March 18, 2020, 09:26:36 pm
Hi @deibit,

I think every Intel Core with AES and 4 or more cores @3GHz or more is OK for OPNsense with Sensei and Elastic. In the incoming 1.5 you will have the option to choose backend database manually and this misunderstanding will be solved. May be it's good to upgrade cpu to non-L Haswell or Broadwell cpu for better VPN throughput. Also you have to know that for some strange reason Ubench rates Haswell Xeons way lower than non-xeon i5 on same clocks...

I "upgraded" to a E3-1268L that I had here "laying around". Now the ubench score is in the 342.000 range, I don't think it makes a big difference but my karma is again in balance due to sensei not complaining about my router being lower end :)

I still wonder why the single core performance is so important for elasticsearch though...
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bEeReE on March 20, 2020, 08:57:48 am
@mb sensei is still running very smooth for me
Any news/eta on those botnet and DNS tunneling features already shown in the policy?

Would be also great if we can get a little bit more background how the sensei cloud works. Is it feeded with external sources (e.g. phishtank, malware companies etc.) so that we can avoid duplicated filtering on dns, proxy or ICAP level?
Furthermore, I am wondering how often decisions about security categorization like "undecided safe sites" are made. I believe there are some blocked domains hanging in such status for more than 1 week. Shouldn't this be faster?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 20, 2020, 11:21:14 pm
I've searched the forums as well as Google but didn't find the answer to my issue. Which is that during Sensei installation I get the following message: "Oops, it looks like LAN interface is also in use by Suricata"

But I do not have Suricata running, Intrusion detection is completely disabled. I did have it running few weeks back, but disabled it a week ago. So to be sure I rebooted my router/fw before installing Sensei, but still same message.

I did a quick search via the command line for Suricate config files to check for interface config, but didn't find anything useful.

Anyone that might be able to help me out here?

Thanks in advance!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 20, 2020, 11:29:08 pm
during Sensei installation I get the following message: "Oops, it looks like LAN interface is also in use by Suricata"

But I do not have Suricata running

I still decided to check the Captive Portal settings and I removed LAN from the interfaces and applied. And that actually solved the issue. Even though it was not active....
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:00:05 am
@Quetschwalze, glad that it's working good.

We're investing heavily on application, threat intelligence and security databases. With 1.5 version, you'll start seeing weekly / daily database updates. Up until now databases were being updated with every release.

With regard to Botnet filtering / DNS Tunnel filtering, we expect to land them in Q3 this year.

@bEeReE, we are adding more information to our documentation about the cloud architecture. We'll make it available early April.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:07:01 am
I still wonder why the single core performance is so important for elasticsearch though...

Hi @deibit, glad that Sensei is happy with you hardware now.

As for Elasticsearch, you are right, Elasticsearch is multi-threaded and will benefit from multi-core cpus.

For the packet engine itself, for each interface, it has a worker process and workers are currently running single threaded; so each worker process pin itself to a single cpu core. This is why single-core cpu score is also important.

When the kernel in OPNsense becomes RSS-enabled, packet engine will also be able to make use of multiple cpu cores, basically enabling it to process multi-gigabit workloads. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 21, 2020, 06:11:49 am
But I do not have Suricata running, Intrusion detection is completely disabled. I did have it running few weeks back, but disabled it a week ago. So to be sure I rebooted my router/fw before installing Sensei, but still same message.

Hi @scrensen, even if it's disabled, if you have the interface configured for Suricata, Sensei will still warn you. Because what usually happens is people enable Suricata in some future time forgetting that it's in use by Sensei.

We wanted to be in the safe side; and decided to warn users about this even Suricata is disabled.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scrensen on March 22, 2020, 02:27:18 pm
Ok, makes sense.

So I got Sensei to work, but then I found my wifi access point (Unifi AP-HD) stopped working right after.

And after some troubleshooting I saw that it could not reach the controller anymore (running on server in same LAN). Since Sensei was the only and most recent change in my network I disabled it and within seconds the UAP-HD came online again an I was able to adopt it again in the controller.

So it seems Sensei is blocking my Unifi AP to reach the controller (http://ip-of-controller:8080/inform) somehow. I'm using the hostname.domain of my controller, perhaps it's something to do with DNS being blocked or so?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Quetschwalze on March 22, 2020, 04:26:52 pm
Ok, makes sense.

So I got Sensei to work, but then I found my wifi access point (Unifi AP-HD) stopped working right after.

And after some troubleshooting I saw that it could not reach the controller anymore (running on server in same LAN). Since Sensei was the only and most recent change in my network I disabled it and within seconds the UAP-HD came online again an I was able to adopt it again in the controller.

So it seems Sensei is blocking my Unifi AP to reach the controller (http://ip-of-controller:8080/inform) somehow. I'm using the hostname.domain of my controller, perhaps it's something to do with DNS being blocked or so?
Pretty sure that's the cause. You probably need to whitelist that URL. Verify that sensei is the cause via Reports-Blocked-Live blocked sessions
This will show everything being blocked right now. If you see your unifi URL there just whitelist it.

Gesendet von meinem MI 9 mit Tapatalk

Title: Re: Sensei on OPNsense - Application based filtering
Post by: lbakyl on March 22, 2020, 05:39:16 pm
Hi Murat and the team!

First of all, I wanted to praise you for a great innovation technology that you have worked on hard! I am testing a free version for home use but will consider deploying a paid version in work environment once thoroughly tested.

While in the free version, I blocked some hostnames while viewing live traffic. It was just for a test and now I would like to remove that. Yet I do not see any blacklist on whitelist. I do not mind finding it manually on the FreeBSD system if you tell me where I can find it.

In addition, it would be great to see a comparison with older NIDS tools like Snort (that runs with PulledPork, Barnyard2 and BASE).

Yours,
Jan
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Darkopnsense on March 22, 2020, 07:17:51 pm
hi @lbakyl,

The functionalities to manage your own blocklit and whitelist lists are in
sensei-> web controls => user defined categories
auto blocklist hosts (edit)
auto whitelist hosts (edit)

Regards,
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mucflyer on March 31, 2020, 09:23:51 pm
Good evening
Does Sensei support IPv6 ?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on March 31, 2020, 09:28:45 pm
Hi @mucflyer,

Yes, Sensei supports IPv6.

Cloud servers serving over IPv4 are able serve both IPv4 and IPv6 queries.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on April 15, 2020, 11:01:05 am
I really like sensei so far.
I’m using dnscrypt proxy and sensei cannot resolve local hostnames.
As mentioned a few weeks before, is their an option in the roadmap for sensei to have their own resolver?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 05:12:49 pm
So I've had Sensei working really well for the past couple of months but it seems that reports aren't working or they're not working the way I think they should.

So I've got a host on my network that I want to get detailed info about.  I go to Sensei -> Reports and then click add filter [host] and enter the IP address I want to include.  Lastly, I click Refresh.

When I do this I the graphs don't really change nor does the output for Activity Explorer.  It seems that the filter isn't working for me.  There's no change when I use that same IP address for Source IP as a filter.

Am I missing something obvious? Should the reports only include the any applied filters and exclude anything that doesn't match?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: meazz1 on April 15, 2020, 06:54:20 pm
I have been using sensei  home version for last few month and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Frenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/ (https://sahlitech.com/opnsense-setup-unbound-dns/)).
Is this an over kill or a redundant or unnecessary setup?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 09:05:07 pm
I have been using sensei  home version for last few month and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Frenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/ (https://sahlitech.com/opnsense-setup-unbound-dns/)).
Is this an over kill or a redundant or unnecessary setup?

I personally limit myself to a single forwarder only because having multiple might make troubleshooting issues harder. 

My flow is: pi-holes -> quad9 -> Sensei.  And even then it's a matter of tracking down whether or not it's the pi-holes, quad9 or Sensei doing the blocking. Then add in the pressure of family saying they're unable to get to a super important site right now or something on their precious iOS device isn't working quite right.  It can be a pain. :D
Title: Re: Sensei on OPNsense - Application based filtering
Post by: meazz1 on April 15, 2020, 09:33:00 pm
I have been using sensei  home version for last few month and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Frenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/ (https://sahlitech.com/opnsense-setup-unbound-dns/)).
Is this an over kill or a redundant or unnecessary setup?

I personally limit myself to a single forwarder only because having multiple might make troubleshooting issues harder. 

My flow is: pi-holes -> quad9 -> Sensei.  And even then it's a matter of tracking down whether or not it's the pi-holes, quad9 or Sensei doing the blocking. Then add in the pressure of family saying they're unable to get to a super important site right now or something on their precious iOS device isn't working quite right.  It can be a pain. :D

This is the exact issue I'm facing, "is internet down? I can't open this site" from a family member alsmost everyday.

Can you  explain your flow? The Pihole doing the DNS using 9.9.9.9 and sensei doing web and app filtering/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 15, 2020, 10:35:32 pm

This is the exact issue I'm facing, "is internet down? I can't open this site" from a family member alsmost everyday.

Can you  explain your flow? The Pihole doing the DNS using 9.9.9.9 and sensei doing web and app filtering/

Sure. 

Since I run my own internal DNS server, I don't allow clients to connect to external DNS servers over port 53.  I have OPNsense redirect any queries to my pi-holes. This applies to ipv4 and ipv6.

I run two pi-holes and both point to my internal dns server.  the internal dns server then connects to quad9 via stubby (uses DNS over TLS) for any further queries. 

Assuming clients resolve their queries OK (and don't get denied by pi-holes), they then go through Sensei for further web / app filtering and then out to the Internet.



Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:13:27 pm
I have been using sensei  home version for last few month and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Frenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/ (https://sahlitech.com/opnsense-setup-unbound-dns/)).
Is this an over kill or a redundant or unnecessary setup?

Hi @sol, many thanks for your feedback.

This has become one of the most wanted feature request (what we call in-flight dns query). We've added this to the road-map and should appear sometime around Q2-Q3 this year.

Quick update:
For remote IP addresses, even if Sensei cannot see DNS transactions, it should still be able to map hostnames with IP addresses if the session is HTTP/TLS/QUIC (since there are other places where we can extract hostnames)

For local IP addresses <-> hostnames mapping, in-flight dns reverse query feature will do the trick.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:23:04 pm
So I've had Sensei working really well for the past couple of months but it seems that reports aren't working or they're not working the way I think they should.

So I've got a host on my network that I want to get detailed info about.  I go to Sensei -> Reports and then click add filter [host] and enter the IP address I want to include.  Lastly, I click Refresh.

When I do this I the graphs don't really change nor does the output for Activity Explorer.  It seems that the filter isn't working for me.  There's no change when I use that same IP address for Source IP as a filter.

Am I missing something obvious? Should the reports only include the any applied filters and exclude anything that doesn't match?

Hi @packetmangler, thank you very much for the report. We couldn't reproduce this in our lab.

Any chances that you can create a bug report (Report Bug menu on the upper right hand corner).

Let's take a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:36:01 pm
Hi @meazz1, hi @packetmangler, thanks for sharing your setup, very much helpful.

For troubleshooting, a quick note:

If Sensei is blocking a connection, it should be reporting that in Reports -> Blocks.
Reports -> Live Blocked Sessions Explorer displays this information on a per-connection basis.

 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 15, 2020, 11:53:37 pm
Dear Sensei users,

I hope everyone is at home and staying healthy. During the Corona days, Sensei team was mostly busy with 1.5 features.

1.5 is in pilot tests right now, and will be most likely released late this month.

Here is the Release Notes for this upcoming release:

What is new in Sensei for OPNsense Release 1.5

Application Control
Application Database will be a seperate package and will be updated independently and more frequently

Privacy and Compliance

Policies and Filtering

Reporting

Cloud
Improved feedback loop for Web Categorization:

When you submit an entry for re-classification we can now re-categorize it within as fast as 10 minutes. Re-categorized web sites may become available via Cloud as soon as 15 minutes. You can submit web sites for re-classification either through our Web site (https://www.sunnyvalley.io/site-classification (https://www.sunnyvalley.io/site-classification)/) or through the Sensei UI when you add a site to whitelist/blacklist or to a user defined category.


Integrations

Other

Stay safe,
Your Sensei team
https://sunnyvalley.io/sensei
https://help.sunnyvalley.io


Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on April 16, 2020, 05:23:40 am

Hi @packetmangler, thank you very much for the report. We couldn't reproduce this in our lab.

Any chances that you can create a bug report (Report Bug menu on the upper right hand corner).

Let's take a closer look.

Report sent!  I'm truly expecting a reply along the lines of:  You're doing something really stupid.  So don't do that. :D

Looking forward to the release of 1.5!

Tbanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: bEeReE on April 16, 2020, 03:09:44 pm

Hi mb,

Thanks a lot for your great work - also during this hard times!

Could you shortly specifcy this a little bit more, please:
Cloud
Improved feedback loop for Web Categorization:

When you submit an entry for re-classification we can now re-categorize it within as fast as 10 minutes.

Is there a kind of check/rating you perform in order to maintain overall security for all users connecting to the cloud or how does it work?

Is there also an improvement / faster updates in the cloud-based re-classification of web sites, without having users involved (e.g. potenially dangerous  / undecided not safe / undecided safe sites) which aren't updated, currently?

Thanks a lot!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on April 19, 2020, 11:57:03 am
@mb

If I understood well with the free versión you can define 3 profiles but then you can only have 1 policy.
Could you make at least available the use of 2 policies at the same time based on subnet or IPs?

Does sensei allows the load external IP block lists?

For when is planned the integration with suricata 5 in opnsense?

Are you doing the app control with snort?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:18:36 am
Hi @bEeReE,

Thanks for your feedback, much appreciated.

From time to time, we receive questions about the Cloud Reputation System. You can see the following article for detailed information:

https://help.sunnyvalley.io/hc/en-us/articles/360046515334-Cloud-Reputation-Threat-Intelligence (https://help.sunnyvalley.io/hc/en-us/articles/360046515334-Cloud-Reputation-Threat-Intelligence)

Regardless of user feedback, the database is continuously updated. We prioritize sites which we see active in the field. If you think we're missing some sites, that's something we should be looking at. Any chances that you can reach out to us via "Contact Team" menu? We'd like to run a trace.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:29:32 am
Hi @l0rdraiden, thanks for the questions, please find my answers inline:

If I understood well with the free versión you can define 3 profiles but then you can only have 1 policy.
Could you make at least available the use of 2 policies at the same time based on subnet or IPs?

Correct. Let us think about it. We strive to strike a good balance between paid and free editions. While trying to provide many features in the free edition, we want to make sure paying users have good differentiation.

Quote
Does sensei allows the load external IP block lists?

Not currently. We understand the need to be able to feed custom lists to Sensei and working on a solution. I'll write more about this later on.

Quote
For when is planned the integration with suricata 5 in opnsense?

It's going to be available this year.

Quote
Are you doing the app control with snort?

No. From ground-zero, Sensei is a unique technology. We do not utilize any open source IDS/IPS tools in our source code.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zerolution on April 21, 2020, 01:36:48 pm
Hi faisal,

Good, you can now do the initial configuration, it should install Elasctic now.

Currently database location is /var/db. Upcoming 1.4 or 1.5 will move it to /usr/local since /var can be a temp memory file system in OPNsense.

For disk sizing, you can use this guide:

https://help.sunnyvalley.io/hc/en-us/articles/360025047373-Hardware-Requirements

Could you please explain how I can move db location to a secondary disk  / partition ?

Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 21, 2020, 03:34:08 pm
Hi @zerolution,

1.5 will have the option to do that. Find the feature under Sensei -> Configuration -> Reports & Data.

See attachment.

1.5 is in pilot tests right now. We plan to release it late this month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zerolution on April 22, 2020, 08:17:37 am
Hello @mb,

Thank you for your reply !

So according to what you replied, I could potentially mount a second hard drive to a path (ie /mnt/storage) which I would then reference as displayed in your post in the path section ?

There is no application (sensei) limitation to the path I will be able to provide ?

Looking forward to being able to use this as my current HD is at 90% usage :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 22, 2020, 07:53:43 pm
So according to what you replied, I could potentially mount a second hard drive to a path (ie /mnt/storage) which I would then reference as displayed in your post in the path section ?

There is no application (sensei) limitation to the path I will be able to provide ?

Correct :) I think we'll be able to release 1.5 by the end of April.
Title: Re: Sensei on OPNsense - Web Control whitelists
Post by: m1ke486837 on April 25, 2020, 12:20:47 am
Is it possible to block an entire domain rather than each subdomain? For example, I have whitelisted apple.com, but then receive blocks on init.itunes.apple.com, play.itunes.apple.com, bag.itunes.apple.com, etc. This is the same behavior with several other domains as well. I was hoping that a single entry of apple.com would exclude all domains ending in .apple.com. Basically a *.apple.com
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on April 25, 2020, 01:50:18 am
Hi @m1ke486837,

This should already work like this. You might be blocked by the App filter, since this comes earlier to the scene (This is improved in 1.5). Can you confirm if this is the case from "Reports -> Blocks -> Live Blocked Sessions" ? See if it is blocked by App Controls or Web Controls.

If this is not the case send a PR from "Report Bug" menu located on the upper right hand corner of the UI and team will take a deeper look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m1ke486837 on April 25, 2020, 04:35:03 am
Thank you for the quick response. I will monitor the traffic with the 'live blocked sessions', and report back if the blocks originate from the web control category
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m1ke486837 on April 26, 2020, 07:00:30 pm
After some testing, it appears it is working as it should. All of the blocks were specific to the App Controls. It gives the option to whitelist the host, but that is whitelisting the host address for the Web Controls rather than App Controls. I know it is possible to drill down into the categories and unblock entire sub-categories, but it would be nice to have more control as we do with whitelists.

There was mention of a new release (1.5) on the horizon. Will there be a way to whitelist for App Filtering, or will hosts listed in Web Filtering take precedence over App Control?

Loving the premium features of this plugin, and looking forward to further development and features.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 02, 2020, 04:20:13 pm
Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot as soon as Sensei is started I loose every connectivity on VLAN interfaces.
I need to login via non-VLAN assigned interface, restart Sensei and then it works again.

Anybody with an similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 02, 2020, 08:21:44 pm
@mb

Since sensei is based on ELK here are some ideas to include in sensei, both quite impressive. This will provide more added value to sensei over the standalone opnsense.

https://github.com/3ilson/pfelk
https://github.com/robcowart/elastiflow
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on May 02, 2020, 10:34:33 pm
Hi opnsense community.

I'm facing a strange issue with Sensei and VLANs. After every reboot as soon as Sensei is started I loose every connectivity on VLAN interfaces.
I need to login via non-VLAN assigned interface, restart Sensei and then it works again.

Anybody with an similar issue?

I've already filed a bug to the SunnyValley Helpdesk.

br

For the vlans are you adding the vlans themselves to the protected interface or the physical interface the vlans are on. Make sure you aren't doing both. I was having this bug to and I was just adding the physical interface. It didn't happen all the time. As soon as it happens send the bug report over so they have more reports than just mine.

Since It last happened to me I think mb and team told me in the ticket they found an issue with netmap when sensei packet engine started at startup. I have since created a bridge from my firewall to my switch, mainly to increase bandwidth and now the bridge interface isn't even an option in Sensei but I can add all the vlans and I haven't had the problem since.

One workaround I did before the bridge though was to turn Sensei auto startup off, and turn sensei back on manually after a reboot. It's not ideal but it's something. You could probably make a cron job to start the packet engine everyday at a certain time that way in case you forget to turn it on after a reboot it can turn on with the job.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 03, 2020, 10:46:18 am
Hi,

thanks for the feedback.
I'm already in contact with the Sensei support and its as you described an issue with netmap.

I switched back to the VLAN Interfaces.

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 03, 2020, 11:41:45 am
Hi all,

in your Sensei, is the name resolution working properly?

In my case it´s not in the reports page (realtime sessions works because the IPs are resolved in that moment).

(https://i.imgur.com/ubf5vWu.jpg)

As you can see i´m not seeing the names even though i´ve sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as i understand, those names should be cached and shown in the reports.

Am i right? Or what am i missing here?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 07:54:41 pm
After some testing, it appears it is working as it should. All of the blocks were specific to the App Controls. It gives the option to whitelist the host, but that is whitelisting the host address for the Web Controls rather than App Controls. I know it is possible to drill down into the categories and unblock entire sub-categories, but it would be nice to have more control as we do with whitelists.

There was mention of a new release (1.5) on the horizon. Will there be a way to whitelist for App Filtering, or will hosts listed in Web Filtering take precedence over App Control?

Loving the premium features of this plugin, and looking forward to further development and features.

Hi @m1ke486837,

Thanks for your positive feedback. Yes, as you put it, With 1.4, app control takes precedence so whitelisting does not apply to App Controls.

We've improved this behavior with 1.5. With that, App Controls also takes whitelists into account.

You won't need to write seperate rules for App Controls. The ones on Web Controls will also work for it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 08:15:31 pm
As you can see i´m not seeing the names even though i´ve sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as i understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which reside on some other host other than the firewall (on which Sensei is running), this will also cause some mappings going out of sight for Sensei - since those cached dns traffic will NOT be traversing through the firewall.

For those scenarios, (like Pihole) we suggest to disable caching on them and use firewall's dns cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 08:15:47 pm
@l0rdraiden, thanks for the pointer. We'll have a look at these.

@donatom3, thanks for the hint.

@Mks, glad to hear that donatom3's hint also worked for you.

We hope to kill all netmap(4) related issues soon. Additionally we hope to bring netmap(4) support for lagg(4), bridge(4) and tun(4) based interfaces.

For that we might need some help in re-producing the bugs for the developers; and testing the fixes. I'll create a dedicated thread about this later this month.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 03, 2020, 10:10:07 pm
As you can see i´m not seeing the names even though i´ve sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as i understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which reside on some other host other than the firewall (on which Sensei is running), this will also cause some mappings going out of sight for Sensei - since those cached dns traffic will NOT be traversing through the firewall.

For those scenarios, (like Pihole) we suggest to disable caching on them and use firewall's dns cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.

Thanks for the reply.

I don’t think it’s the case because I can see those dns queries for these hosts en the Sensei DNS session browser 🤷🏻‍♂️
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 03, 2020, 10:17:55 pm
I don’t think it’s the case because I can see those dns queries for these hosts en the Sensei DNS session browser 🤷🏻‍♂️

Hi @Mitheor, got it. Send a PR and we'll look closer into that.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on May 04, 2020, 04:45:25 pm
As you can see i´m not seeing the names even though i´ve sent some queries for those machine names a few times minutes before and they are seen in the Sensei DNS tab, so, as far as i understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all dns transactions. If it does not work as it should it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which reside on some other host other than the firewall (on which Sensei is running), this will also cause some mappings going out of sight for Sensei - since those cached dns traffic will NOT be traversing through the firewall.

For those scenarios, (like Pihole) we suggest to disable caching on them and use firewall's dns cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.

I have this issue as well since I run multiple pi-holes and an internal authoritative bind server, but I've ignored it for the most part. 

If the DNS records are updated when requests pass through the firewall, would something as simple as having the firewall run through a list of reverse IP addresses and performing lookups on them work?

EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 06, 2020, 03:54:39 am
I'd like to chime in with the same question and an additional question (plus a small cosmetic bug report at the end).

Question one
To give you specifics in the hope that it helps give you/me a better understanding of what is going wrong (or more likely what I'm missing), my setup is as follows:
I've installed Sensei today and also added the DNS servers (192.168.100.14 & 192.168.100.15), under: Sensei/Configuration/Reporting & Data with the expectation that Sensei would check DNS for the hostnames of the IPs that are hitting the LAN interface. This doesn't appear to be happening and I'm not clear on why that is.
Further testing shows that if I use the FW to do DNS then I see the hostnames.

Is the only solution to this setup, to set the DNS in my DHCP scopes as the firewall then set the forwarder on the firewall DNS to be my Windows DNS servers (to keep the domain working), then the forwarder on the Windows DNS servers to be my Pihole docker container? That seems an overly excessive amount of DNS queries but it's the only way I'm seeing this working. This would be a pretty standard setup in most orgs in the sense that the first DNS host they query will always be the Windows DNS servers on the domain.

If this is the solution, then I don't understand why the option to allow the reverse lookup of IPs is present in Sensei.

Question 2
I am looking at the reports for "Top Remote Hosts" and I am seeing entries in there as FQDNs that are my internal hosts on the 192.168.100.0/24 subnet. Definitely not remote hosts. Interestingly, as Sensei is reporting the FQDN, it has to be getting that from my Windows DNS servers (I'm running split DNS so my domain is resolved internally), so it is able to query my DNS servers and retreive local addresses. Surely it should know that if the resolved address sits on a range that it knows it hosts on the LAN interface, it isn't remote. I'd almost accept it if the address was on my DMZ but even then, the DMZ (in my specific case here), is a virtual interface of the LAN so again, easy to spot that it's not Remote.
Or maybe I'm misunderstanding your meaning of "remote".  :)

Last question/bug report
Go to Sensei/Configuration/Reporting & Data
Click the small orange "i" next to: "Perform health check for indices:" and you'll see that the help section for "Connection Security" and the section for "Reporting Criteria" in the block below opens up with the explanation for setting the Reporting Criteria for the email reports. The same thing happens if you click the orange "i" for "You can erase reporting data:"

Sorry for the overly long post, thanks for making it this far! I look forward to any insight you can offer to the above questions.

Thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 06, 2020, 04:07:45 am
I had another suggestion/possible feature request. I build a fair number of dashboards using an Elasticstack cluster at work and noticed that you use the map to locate traffic destinations. I'm assuming you make use of the same DB that OPNSense does if you use the GeoIP alias (GeoLite2-Country-CSV)? I use the same setup for plotting traffic destinations at work except I use the GeoLite2-City-CSV. As you allow for the zooming in on the traffic map, might it be a suggestion to use a city IP locator instead of a country one? The map would look far more impressive if it split out the destinations into cities. At the moment, all my traffic bound for the US is ending up in Cheney Reservoir in Wichita!  ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 06, 2020, 07:12:05 pm
I'd like to chime in with the same question and an additional question (plus a small cosmetic bug report at the end).

Question one
To give you specifics in the hope that it helps give you/me a better understanding of what is going wrong (or more likely what I'm missing), my setup is as follows:
  • OPNSense running on an i5 NUC with 8GB RAM.
  • 1 LAN subnet of 192.168.100.0/24 which is attached to the physical LAN in OPNSense.
  • 1 DMZ subnet (192.168.50.0/24), which is a virtual interface (VLAN) hanging off the LAN interface of OPNSense.
  • 1 Proxy server on the DMZ.
  • 1 Guest network (192.168.150.0/24), which is a virtual interface (VLAN) also hanging off the LAN interface of OPNSense.
  • 1 WAN interface using PPoE to a DSL modem.
  • A Windows domain of around 10 Windows servers and multiple Linux servers with 2 Windows DNS servers sitting at 192.168.100.14 & 192.168.100.15.
  • A Pihole running on the same subnet (192.168.100.18).
  • Both Windows DNS servers have the Pihole set as their forwarder.
  • DHCP is handled by the same Windows servers that handle DNS queries.
  • OPNSense is set up as a DHCP relay for both the Guest and LAN subnets.
  • Windows DHCP is set up to always update DNS so I can see all of the hosts, regardless of type, are being registered in DNS.
  • DNS query route goes: Client --> Windows DNS --> Pihole --> Internet.
I've installed Sensei today and also added the DNS servers (192.168.100.14 & 192.168.100.15), under: Sensei/Configuration/Reporting & Data with the expectation that Sensei would check DNS for the hostnames of the IPs that are hitting the LAN interface. This doesn't appear to be happening and I'm not clear on why that is.
Further testing shows that if I use the FW to do DNS then I see the hostnames.

Is the only solution to this setup, to set the DNS in my DHCP scopes as the firewall then set the forwarder on the firewall DNS to be my Windows DNS servers (to keep the domain working), then the forwarder on the Windows DNS servers to be my Pihole docker container? That seems an overly excessive amount of DNS queries but it's the only way I'm seeing this working. This would be a pretty standard setup in most orgs in the sense that the first DNS host they query will always be the Windows DNS servers on the domain.

If this is the solution, then I don't understand why the option to allow the reverse lookup of IPs is present in Sensei.

Question 2
I am looking at the reports for "Top Remote Hosts" and I am seeing entries in there as FQDNs that are my internal hosts on the 192.168.100.0/24 subnet. Definitely not remote hosts. Interestingly, as Sensei is reporting the FQDN, it has to be getting that from my Windows DNS servers (I'm running split DNS so my domain is resolved internally), so it is able to query my DNS servers and retreive local addresses. Surely it should know that if the resolved address sits on a range that it knows it hosts on the LAN interface, it isn't remote. I'd almost accept it if the address was on my DMZ but even then, the DMZ (in my specific case here), is a virtual interface of the LAN so again, easy to spot that it's not Remote.
Or maybe I'm misunderstanding your meaning of "remote".  :)

Last question/bug report
Go to Sensei/Configuration/Reporting & Data
Click the small orange "i" next to: "Perform health check for indices:" and you'll see that the help section for "Connection Security" and the section for "Reporting Criteria" in the block below opens up with the explanation for setting the Reporting Criteria for the email reports. The same thing happens if you click the orange "i" for "You can erase reporting data:"

Sorry for the overly long post, thanks for making it this far! I look forward to any insight you can offer to the above questions.

Thanks.

The only clean solution would be to feed pihole or adguard home logs into logstash so it can be displayed by sensei. Maybe with the API's something can be done.
https://github.com/AdguardTeam/AdGuardHome/tree/master/openapi

Or doing exactly this

Pi-hole data visualization using Elasticsearch, Logstash and Kibana
https://github.com/nin9s/elk-hole
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on May 07, 2020, 10:54:59 pm
https://www.sunnyvalley.io/post/sensei-for-opnsense-1-5-released/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 02:45:45 am
EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?

Hi @packetmangler,

With release 1.5, cache time to live is 8 hours. (higher with 1.4) So, could be every 6 hours so that it replenishes the cache.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 02:59:21 am
Hi @Callahan,

Thanks for taking the time and sharing your thoughts. Much appreciated.

Correction & suggestion well noted.

For IP <-> Hostname mapping, please see this FAQ entry:
https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ#h_023043d9-df52-46e7-a7f6-cded4bf8f697

As for some hosts being reported as "Remote": Yes, there's some philosophy here:)

Sensei runs on inner-facing interfaces and determines the "remote" / "local" properties in terms of where the connection is initiated. If it comes from the LAN side, than the src ip address is considered local and dst ip address is regarded as "remote".

So if a connection is from a local host behind network A to a host behind local network B, sensei will consider the host on local network B as "remote", since for the context of the connection, it was the "remote end".

Obviously this is creating a bit confusion. Let us give this a bit of thought.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 08, 2020, 03:05:24 am
https://www.sunnyvalley.io/post/sensei-for-opnsense-1-5-released/

Hi @l0rdraiden, thanks for the post.

Yes, Sensei for OPNsense Release 1.5 is available for update/installation.

Enjoy and stay safe
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: guyp2k on May 09, 2020, 09:21:10 pm
Disregard, I was able to address the issue.


Installed Sensei and subscibed but stuck at "waiting for database service to come up." Any suggestions as I have tried w/ out success.

I reinstalled elasticsearch5 w/ out success.

Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on May 10, 2020, 01:39:50 am
EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?

Hi @packetmangler,

With release 1.5, cache time to live is 8 hours. (higher with 1.4) So, could be every 6 hours so that it replenishes the cache.

Thanks mb.  I have my simple one-liner running every 4 hours for the time being and it seems like it's doing what it needs.

Enjoying 1.5!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on May 10, 2020, 05:36:29 am
Disregard, I was able to address the issue.


Installed Sensei and subscibed but stuck at "waiting for database service to come up." Any suggestions as I have tried w/ out success.

I reinstalled elasticsearch5 w/ out success.

Thanks

there should be a next button at the bottom...
in anycase... try to uninstall (via web or console) and reinstall then do the wizard again
Title: Re: Sensei on OPNsense - Application based filtering
Post by: tong2x on May 10, 2020, 05:39:17 am
Policies & Filtering

where is this in 1.5?
is this available in free?
also can we now upload list instead?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 10, 2020, 12:41:27 pm
Hi,

quick question here regarding the different plans.

I´m already paying for the home premium and i´d like to know if features like the "Stream Reporting Data to External Elasticsearch" or the future "SSL proxy/inspection" are included in this tier or only in the premium (highest enterprise plan).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Callahan on May 11, 2020, 04:02:23 pm
Sensei runs on inner-facing interfaces and determines the "remote" / "local" properties in terms of where the connection is initiated. If it comes from the LAN side, than the src ip address is considered local and dst ip address is regarded as "remote".

So if a connection is from a local host behind network A to a host behind local network B, sensei will consider the host on local network B as "remote", since for the context of the connection, it was the "remote end".

Obviously this is creating a bit confusion. Let us give this a bit of thought.
Yep that makes complete sense. Should have given that more thought before posting. I guess, you could build into an option to "Define local hosts" whereby we could add all addresses or subnets that we class as local and use them in the report. You couldn't just use RFC1918 as you'd end up with IPs on the end of VPNs being considered local. So easier said than done no doubt but if you were to use Logstash (you don't I know but as you're using an Elastic backend, the reference is somewhat valid), you could have all submitted "local addresses" assigned to a key/value pair file and import them into an array to use in the filter.

You'd loop through that array on each update of the report and if the source address existed in the KV pair, add a field called "local" then use than field as a key in the report for local connections. Given that very little thought until now so there are probably many reasons why that wouldn't work. Overhead for one thing... :-)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2020, 06:43:17 pm
Hi @packetmangler, hi @guyp2k, glad to hear that.

Hi @tong2x, Policy based filtering is available in all paid subscriptions.

Hi @Mitheor, for log streaming to elasticsearch, you can do that with the Free Edition. But please note that this will offload the database to this remote database system.
Starting with SOHO subscription tier, you can both have local Elastic/Mongo and at the same time stream reporting data to another remote database.

TLS decryption will appear on the highest plan (Premium, which will be re-named to Enterprise soon).

For the complete list of features and how they appear in free/paid subscriptions, please refer to this page:

https://sunnyvalley.io/plans
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 11, 2020, 06:51:29 pm
Hi @Callahan,

Thanks for the suggestion. I would agree, simply RFC1918 wouldn't do the job.

Indeed, we evaluated to have this on the packet engine itself since it can already do a lot more complex data enrichment.

We were not sure whether people would want to manually enter such a list. Thinking again, this list wouldn't be such a long one anyway.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mks on May 12, 2020, 09:06:51 pm
Hi,

do you see also a huge increase in memory consumption (~20%) due to the last update?

br
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 13, 2020, 02:30:59 am
Hi @Mks,

1.5 do not normally have any updates which might induce increased memory usage. Let's see if some other people also experience this, and we can analyze further.

What we've observed however that, with one of the OPNsense 20.1.x updates, Operating System swappiness behavior changed in a way that it is more likely to do swapping even if there's decent amount of free memory in the system. This is why we've introduced SWAP warning threashold configuration parameter. This might be unrelated to your case though.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Parallax on May 16, 2020, 02:32:27 am
Hi, I have an external Elasticsearch container (7.7.0) and it is complaining a lot about invalid UTF-8 bytes from Sensei, eg :


{"type": "server", "timestamp": "2020-05-16T00:28:33,695Z", "level": "DEBUG", "component": "o.e.a.b.TransportShardBulkAction", "cluster.name": "docker-cluster", "node.name": "da8d9957dfaf", "message": "[conn-200516][0] failed to execute bulk item (index) index {[conn_write][_doc][_9_hGnIBvp4cvgKY7pYd], source[{\"transport_proto\":\"UDP\",\"policyid\":\"0\",\"interface\":\"vtnet0\",\"vlanid\":\"0\",\"conn_uuid\":\"12a6680a-5ce0-4a7c-ae38-1a27c85ff66d\",\"src_hostname\":\"librarian.local\",\"src_username\":\"\",\"ip_src_saddr\":\"10.1.1.10\",\"ip_src_port\":65062,\"src_dir\":\"EGRESS\",\"dst_hostname\":\"81.0.84.116\",\"dst_username\":\"\",\"ip_dst_saddr\":\"81.0.84.116\",\"ip_dst_port\":57997,\"dst_dir\":\"INGRESS\",\"input\":1,\"output\":1,\"src_npackets\":1,\"src_nbytes\":0,\"src_pbytes\":104,\"dst_npackets\":2,\"dst_nbytes\":345,\"dst_pbytes\":317,\"src tcp_flags\":\"\",\"dst tcp_flags\":\"\",\"start_time\":1589588789000,\"end_time\":1589588911000,\"encryption\":\"TLS\",\"app_id\":16,\"app_proto\":\"QUIC\",\"app_name\":\"Quic UDP Connection\",\"app_category\":\"Streaming\",\"tags\":\"Encrypted,SSL,QUIC\",\"src_geoip\":{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"\",\"country_name\":\"\",\"country_code2\":\"\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":0.0,\"longitude\":0.0,\"location\":{\"lat\":0.0,\"lon\":0.0}},\"dst_geoip\":{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"Duna�jv�ros\",\"country_name\":\"HU\",\"country_code2\":\"\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":46.983299255371097,\"longitude\":18.933300018310548,\"location\":{\"lat\":46.983299255371097,\"lon\":18.933300018310548}}}]}", "cluster.uuid": "3zoVrbvRRfmZcZZHbXwCZw", "node.id": "5MoI-6jVTFGAfVm-XSZ4TA" ,
"stacktrace": ["org.elasticsearch.index.mapper.MapperParsingException: failed to parse field [dst_geoip.city_name] of type [text] in document with id '_9_hGnIBvp4cvgKY7pYd'. Preview of field's value: ''",
"Caused by: com.fasterxml.jackson.core.JsonParseException: Invalid UTF-8 middle byte 0x72",
" at [Source: (org.elasticsearch.common.bytes.AbstractBytesReference$MarkSupportingStreamInputWrapper); line: 1, column: 1108]",
"at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1840) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:712) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidOther(UTF8StreamJsonParser.java:3574) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidOther(UTF8StreamJsonParser.java:3581) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._decodeUtf8_3fast(UTF8StreamJsonParser.java:3386) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._finishString2(UTF8StreamJsonParser.java:2490) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._finishAndReturnString(UTF8StreamJsonParser.java:2438) ~[jackson-core-2.10.4.jar:2.10.4]",
"at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText(UTF8StreamJsonParser.java:294) ~[jackson-core-2.10.4.jar:2.10.4]",
"at org.elasticsearch.common.xcontent.json.JsonXContentParser.text(JsonXContentParser.java:83) ~[elasticsearch-x-content-7.7.0.jar:7.7.0]",
"at org.elasticsearch.common.xcontent.support.AbstractXContentParser.textOrNull(AbstractXContentParser.java:253) ~[elasticsearch-x-content-7.7.0.jar:7.7.0]",
"at org.elasticsearch.index.mapper.TextFieldMapper.parseCreateField(TextFieldMapper.java:823) ~[elasticsearch-7.7.0.jar:7.7.0]",
"at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:284) ~[elasticsearch-7.7.0.jar:7.7.0]",


And so on. The Opnsense install is the DVD ISO in Proxmox 6.2, the Elasticsearch is in a Docker container on an adjacent host. Any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 16, 2020, 04:00:29 am
Hi @Parallax,

Thanks for the heads-up. Remote Elastic support is quite fresh. There might still be some bugs left.

Can you reach out to the team via "Report Bug" so that we can follow up?

EDIT: Spotted and fixed this. Fix is shipping with 1.5.1 scheduled for this week(end).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 18, 2020, 12:26:28 pm
super stupid question:
Once I enable the app control i have a few websites i can't access anymore.
Is there a way to whitelist these as exception?

i'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on May 18, 2020, 12:46:24 pm
super stupid question:
Once I enable the app control i have a few websites i can't access anymore.
Is there a way to whitelist these as exception?

i'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917


Reports -> Blocks -> Live Blocked Session Explorer -> find Session -> Click green ✅ and allow host
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 18, 2020, 12:48:18 pm
super stupid question:
Once I enable the app control i have a few websites i can't access anymore.
Is there a way to whitelist these as exception?

i'm using engine version 1.5 and App & Rules DB Version: 1.5.20200501062917

It´s via what binaryanomaly said or in policies / web control / Whitelist
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 18, 2020, 08:42:30 pm
Thank you.
super helpfull. I should have spend more time looking for it.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 19, 2020, 09:15:06 am

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on May 19, 2020, 06:24:08 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 20, 2020, 06:54:40 pm
Dear Sensei users,

If you're using Mongodb as the db backend, please postpone your OPNsense 20.1.7 update a bit since we're trying to verify if evertyhing works with the current Sensei release.

We'll post an update later today once we have the confirmation.

Elasticsearch looks fine.

UPDATE 5/20/20 10:00 PT:
20.1.7's new PHP package is incompatible with Mongodb. New package build in progress. ETA 3 hours.

UPDATE 5/20/20 18:35 PT:
Mongodb users can update to 1.5_1 to handle the incompatibility. 1.5_1 will automatically fix the problem behind the scenes.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: jf2001j on May 21, 2020, 10:45:24 am
Hi,

there seems to be a bug, that using Drill Down/Session Details of ipv6 addresses is not possible because of additional \ characters

Problem:
a) Selection of an ip6-address 2aaa:1234:1234:1234:1234:1234:1234:1234 in a chart of the Dashboard screen.
b) Source Hostname is now: 2aaa\:1234\:1234\:1234\:1234\:1234\:1234\:1234
c) => no results

Workaround:
manual filter Source-Hostname 2aaa:1234:1234:1234:1234:1234:1234:1234
=> expected results

Could you please fix this?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 21, 2020, 03:09:32 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?

No i don't have the options you show me.
see the attached file
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on May 21, 2020, 03:11:53 pm

Unfortunately I cannot make any change to the live sessions. I can see the session policy but can't modify any


Really? Not seeing this?

No i don't have the options you show me.
see the attached file


Could you show the session being blocked in the Blocks / Live web explorer?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 21, 2020, 10:37:10 pm
Yes. The session seems blocked and none of the lan clients can access the website. If I stop Sensei engine it works


Sent from my iPad using Tapatalk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 23, 2020, 02:44:35 am
Hi @nikkon, send a problem report and the team will have a look at it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 23, 2020, 02:45:52 am
Dear Sensei users,

As promised, we've[1] kicked off another project which focuses on killing remaining netmap bugs on HardenedBSD 12 (FreeBSD 12).

Please see the main topic here:

https://forum.opnsense.org/index.php?topic=17363.0
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sol on May 23, 2020, 10:06:40 pm
Thx for the news about the netmap changes.

I disable the cache in pihole and still cannot see local resolved hostnames in sensei's reports.
Dns Crypt proxy is used though.
Can I change anything to resolve the hostnames or will you guys add an option update to handle this case?

Furthermore do you have a date for the update to automaticly impoert / update custom block lists like in pihole, etc?

Thx
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nikkon on May 24, 2020, 07:15:49 pm
Hi @nikkon, send a problem report and the team will have a look at it.
Ok. I will
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mittenz on May 24, 2020, 09:23:25 pm
I have the home edition.

Reporting configuration suggests Elasticsearch can be used. I would like to forware this to my ELK stack.

The help page says "Sensei Premium can stream data to external remote Elasticsearch or MongoDB servers for log parsing and Security Information and Event Management (SIEM) system integration. In the Configuration section of the Sensei OPNsense portal select the Reporting & Data tab."

However, there is no such section on my reporting page.

Any ideas?

PS - would it be worth this forum having a seperate OpnSense subforum, as searching through one single long thread is a little tricky.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 01:29:20 am
Hi @sol,

Are you using DnsCrypt Proxy on the firewall? If so, since it runs on WAN, it should not interfere with Sensei.

Are you sure DNS traffic (querying local hostnames) is passing through the Sensei protected interface?
To make sure this is the case, you can run a quick tcpdump session and check if you can see any dns/mdns/llmnr requests for local devices.

For the custom block lists: it's not yet in the short-term roadmap :(
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 01:30:04 am
Hi @mittenz,

With home edition, you can completely offload your database to a remote ES instance. But beware this option is only configurable during initial configuration wizard:
Backup Sensei && Uninstall Sensei && Install Sensei and during initial config, select remote ES as the database.

Here's a quick blog post explaining this in detail:
https://www.sunnyvalley.io/post/using-remote-elasticsearch-for-sensei-reporting/

About subforum: Good idea, thanks for the suggestion. Let me discuss this with the OPNsense team. Maybe we can have this under a section called "Third Party Tools".
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on May 30, 2020, 02:56:43 am
Cross posting an update about netmap on OPNsense 20.7: https://forum.opnsense.org/index.php?topic=17363.msg79415#msg79415 :

Sensei packages for OPNsense 20.7 (amd64/OpenSSL) is out and available for testing.

If you test OPNsense 20.7, as a bonus, you get to access to the latest Sensei (1.5.1.rc1) which is yet to be released ;)

PS: Make sure you update to the latest 20.7 beta after the ISO installation, since latest 20.7 includes some important patches with regard to interface drivers. Kernel should read 12.1-RELEASE-p5 or later:

12.1-RELEASE-p5-HBSD FreeBSD 12.1-RELEASE-p5-HBSD #0  d8b850736ba(master)-dirty


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 03, 2020, 05:16:53 pm
Dear Sensei users,

In case you did not notice: fixing some issues reported by 1.5 users, Sensei 1.5.1 release it out:

https://www.sunnyvalley.io/post/sensei-1-5-1-for-opnsense-is-out/
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 13, 2020, 02:20:10 am
Cross-posting from: https://forum.opnsense.org/index.php?topic=17363.msg80144#msg80144:

Below file keeps the last status for the Ethernet Drivers <-> netmap compatibility.

https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

This page also explains how you can easily test OPNsense 20.7 netmap.

Feel free to grab a driver, test and provide test results. You should be able to leave comments on the Google Sheets file.

It looks like there's some work to do. We're here to fix.

Just test and provide feedback.

PS: Please use the thread under: https://forum.opnsense.org/index.php?board=35.0 for communication around this subject.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 19, 2020, 03:58:28 pm
I'm talking directly with Sensei team but it takes quite a long time to get conclusion :-), so I thought I may ask questions here...
In my instance, Sensei works over vlans' parent interface which is VMware's vmx (vmxnet3 driver). Hardware offloading is disabled.

TL;DR
Are you going to reconsider limits for home users? If you need to put any limit, I would say 100 devices is a fair number. Of course I'm not threatening / blackmailing, I'm only considering  all available options...
And keep up the good work!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: siga75 on June 19, 2020, 04:43:11 pm
50 devices is fair enough in my opinion, even considering IoT

Anyway it's not a must to put everything behind OPNsense, you don't have it to protect your phones when you are not at home
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 19, 2020, 04:50:12 pm
I use "road warrior" scenario fo all my mobile devices (once device isn't connected to specified wifi network, automatically connects over VPN) and virtually they are always under LAN's umbrella. I know I'm paranoid but I like to minimize users tracking and connect to my servers - most of them are accessible only within LAN...
At the moment I have 54 devices discovered by Sensei but only 44 are in ARP table.
I have many IoT devices and cameras so I'm very much on the limit.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on June 19, 2020, 07:36:48 pm
50 devices is fair enough in my opinion, even considering IoT

Not really. Got 39 here with two adults and a baby and I do not have that many devices besides the standard IoT (lights, plugs, heater,...) stuff. If we'd live in a house it would probably be >50 already.

Imho <100 would be more appropriate.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 19, 2020, 11:09:08 pm
Hi @GreenMatter,

We hear you :) I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)

Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 20, 2020, 08:38:41 am
Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)
It's good to know that at least somebody likes us  8)
Anyway, I hope you guys will be not only flexible but proactive when it comes to market demands, haha! I have family of 5, multiple devices, IoT, servers, docker containers running on macvlan networks, freenas jails, VPN users and vlans. Thus number of 50 doesn't sound big enough. And as I'm migrating from Unifi, I like nicely presented reporting. That's why I keep fingers crossed you'll change your policy...
Have a great weekend!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: l0rdraiden on June 24, 2020, 11:59:25 pm
Hi @GreenMatter,

We hear you :) I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)

First of all it doesn't make a lot of sense that a free user get unlimited devices and a paid one 50, I know there are other limitations.

On the other hand what differentiates Sophos/enterprise from Home/free should be the professional support and not the features, no one will install this in an enterpise wihtout support. Another thing is LDAP and you are doing it right here. So would not be affraid of companies using your software for free even if the home version features were free.

I still think that the price of the home version might be high considering the alternatives. Maybe selling it as a perpetual license for home users would be an option, or lowering the price to 2-5$ per month and limit more the free edition if you want home users which should be your target to pay for it.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nzkiwi68 on June 25, 2020, 06:34:20 am
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: packetmangler on June 25, 2020, 03:41:56 pm
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

There is an App category for Proxies.  I don't see SkyVPN, but you do have the ability to add it manually if you know the hostname(s) and IP addresses the service uses.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Koldnitz on June 27, 2020, 01:08:46 am
I am really liking Sensei.

I have 2 questions.

First, are you aware that every so often sensei seems to make one of the interfaces I have configured in a Lagg (lacp) go down?  The eastspec(?) process on one of my cores (i7-7500) goes crazy, on the status tab one of the 2 interfaces watched for my Lagg (it can be either of them) dies, while all the bandwidth goes to the other, and only way to fix it is to turn sensei on and off (sometimes takes multiple tries, usually happens within first 10 minutes or after days / weeks of uptime).  The problem occurs randomly to the point that I no longer have sensei configured to automatically load on reboot (I have been fooling with settings and rebooting router a lot to make sure things work still).  I assume you are aware and this will be fixed on 20.7, but if you are not if I can help you make sensei better I am all for it.

Second, I have been trying to get a cloud account set up, but when I click the email validation link it, the webpage tells me this is not a valid link.  My email is registered and I have gotten a password reset just fine, but I am unable to validate my account.

Please let me know.

Cheers,


Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:18:41 am
@lordrainden, thanks for additional thoughts/comments. Well noted.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:25:33 am
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

Hi @nzkiwi68, we see growing interest from the education community. Proxy identification/filtering is one of the most requested features.

Proxy filtering can be done both from the Web Controls and App Controls. App Controls come handy if the identification might be trickier for a particular application.

Having said that, SkyVPN, Ultrasurf and a few other trikcy proxy applications are being worked on.

As @packetmangler put it, if you already know the destination IP/hostnames you can create custom applications and enforce policies using the custom developed applications.

Other than that, do not hesitate to reach out to us via "Contact Team" menu on the right hand side of the menu. We want to know more about your problems in the field and create solutions as soon as possible.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 27, 2020, 03:33:08 am
Hi @Koldnitz,

Thank you very much for your feedback. We're happy to hear that you like Sensei so far.

We are curious about the lagg interface problem. Yes, as you put it, Sensei protects member interfaces. It's normal if they go down/up during Sensei start/stop because enabling netmap mode forces an interface down/up event.

But I guess this is different, and if you can create a problem report from the Sensei UI - Report Bug - on the UI right hand corner , that would be very much helpful.

For the Cloud Portal account, if you do additional password reset requests previous links become invalid and you need to use the latest activation code. If you can PM your email address to me, I can have it inspected.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Koldnitz on June 27, 2020, 06:29:30 am
Since you have not heard about this, I will provide a slightly better description.

Generally, what seems to happen is that after I start Sensei (within 10 to 20 minutes) something happens with my interfaces and it says in the logs shown on Dashboard / Lobby screen a hot plug event and then shortly thereafter I get a line saying possible flapping and one of the Lagg ports goes down (light on router port stops blinking / goes solid, and status tab in Sensei shows one interface doing everything whole other interface is all 0s or bytes.

In the System Diagnostics Activity tab the 1 of the 2 Eastspec processes (my processor is a 2 core 4 (hyper)threads but it looks like 4 CPUs to Opnsense) goes nuts.  On Netdata the temperature chart gets weird, showing 2 cores 20+ celsius hotter than the 2.  Also in Netdata one of the CPUs (threads) goes crazy compared to the other 3.

I never had this problem until I set up the Lagg interface (I ran Sensei for maybe 2 to 4 weeks before I set it up), and once Sensei is shut down(I do it from the status tab) it disappears because whenever Sensei is started / shutdown all interfaces reinitialize up and down.

This leads me to be 99% certain it has to do with Sensei interacting with the Lagg interface. Furthermore, I have not seen it happen without Sensei running, and I have had to restart Sensei 2 to 3 times at times to get it to start correctly.

I will definitely create report and send you all the logging information available to the report next time it happens.

P.S.  I did all the tweaks I could find to eliminate flapping on this forum and over at pfsense forum but it still happens.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 06:49:54 pm
Hi @Koldnitz, thanks for the additional information and for the report.

It looks like we have your problem report. Team will be following up with you.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 29, 2020, 07:51:51 pm
(...)
On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users :)


So, have you reached conclusion when it comes to number of devices (>50) for home users?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 10:37:10 pm
So, have you reached conclusion when it comes to number of devices (>50) for home users?

Hi @GreenMatter, yes. Hopefully we'll have an announcement this week.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 29, 2020, 10:38:19 pm
Dear Sensei users,

As some of you might have noticed, Sensei 1.5.2 is out.

This is a maintenance release for 1.5. For the full Release Notes:

https://www.sunnyvalley.io/post/sensei-1-5-2-for-opnsense-is-out/

Title: Re: Sensei on OPNsense - Application based filtering
Post by: STX on June 30, 2020, 09:32:15 am
Hello,

Gave Sensei a go over the past 5 days or so. Linked up with AWS ElasticSearch and pushed on. My initial impressions were good but at the end of that test some strange things began to happen.

Serving FW would drop LAN randomly around every 5 minutes or so. Checked logs tried turning every added feature off even re-configuring anew. Finally turned off and uninstalled Sensei completely and now everything is fine. Not sure exactly what was causing the issue due hasty resolve but definitely not stable.

Paid for a license too early it would seem.

Also, the UI is buggy. Around 60% of the time the status and reporting graphs would shake around a little in their designated cells. This behavior would continue until I logged out and back in but not always.

Promising and indeed grateful to have this for an open project but needs more work before prime-time in a serious/critical environment IMHO.


Specs:

Manufacturer: Supermicro
Product Name: Super Server
Processor: Intel(R) Pentium(R) CPU N3710 @ 1.60GHz
Core: 4
RAM: 8GB
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 09:58:36 am
Dear Sensei users,

As some of you might have noticed, Sensei 1.5.2 is out.

This is a maintenance release for 1.5. For the full Release Notes:

https://www.sunnyvalley.io/post/sensei-1-5-2-for-opnsense-is-out/ (https://www.sunnyvalley.io/post/sensei-1-5-2-for-opnsense-is-out/)


Yes, I have updated to 1.5.2 and have noticed that Live Blocked Sessions Explorer displays empty page. See attachment.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 10:42:13 am
If I want to exclude more than one domain from cloud queries (Cloud & Thread Intel tab in configuration):
Local Domain Name To Exclude From Cloud Queries:
Shall I separate them by space or coma or something else...?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: binaryanomaly on June 30, 2020, 06:17:38 pm
So, have you reached conclusion when it comes to number of devices (>50) for home users?

Hi @GreenMatter, yes. Hopefully we'll have an announcement this week.




https://www.sunnyvalley.io/plans/
Quote
Up to 100 Devices

Kewl thx ;)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:49:54 pm
@STX, you can always request a cancellation through the Cloud Portal. We'll be happy to help.

Having said that, chances are high that the thing with the interface going down/up might be related to netmap(4).

Let us have a closer look.  You can send a problem report through the user interface. Just click on "Report Bug" menu located on the upper right hand corner. Make sure you share the relevant logs and team will take it from there.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:55:48 pm
@GreenMatter, this is caused by a bug in earlier versions. Though it is fixed in 1.5.2, since the erroneous entry is still in the database you still experience the problem.

I'll share a simple command which will get it sorted out.

For the cloud query, you can only specify a single domain name there, since it was meant to whitelist local network. However, domains ending in  ".local", ".localdomain", ".lan", ".intra", ".intranet",  ".bind", ".home", ".mshome", ".corp", ".mail",  ".group", ".workgroup" are considered local and they do not get queried from the Cloud.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 06:58:20 pm

https://www.sunnyvalley.io/plans/
Quote
Up to 100 Devices

Kewl thx ;)

Yes, and all welcome :) Still a few minor things left to get it right technically. Official announcement to follow shortly.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 07:35:13 pm
System: OPNsense 20.7.b_181-amd64
FreeBSD 12.1-RELEASE-p5-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Sensei 1.5.2 missing:
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 07:40:14 pm
Hi @yeraycito, You are on OPnsense 20.7 beta and it looks like you've somehow installed FreeBSD11 package. Can you try:

pkg remove os-sunnyvalley-devel
pkg install os-sunnyvalley-devel
pkg install -f os-sensei

Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 08:41:19 pm
Uninstalled and reinstalled from opnsense-firmware-plugins: 1.5.2 missing
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on June 30, 2020, 09:26:39 pm
@yeraycito, give it one more try. 1.5.2 is there now.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 09:28:54 pm
That's it. Installed from the console.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on June 30, 2020, 09:30:47 pm
@GreenMatter, this is caused by a bug in earlier versions. Though it is fixed in 1.5.2, since the erroneous entry is still in the database you still experience the problem.

I'll share a simple command which will get it sorted out.

For the cloud query, you can only specify a single domain name there, since it was meant to whitelist local network. However, domains ending in  ".local", ".localdomain", ".lan", ".intra", ".intranet",  ".bind", ".home", ".mshome", ".corp", ".mail",  ".group", ".workgroup" are considered local and they do not get queried from the Cloud.


Thanks @mb!
I've just received a prompt reply from support and running following command:
Code: [Select]
echo -n "delete from user_configuration where id = 2;" |sqlite3 /usr/local/sensei/userdefined/config/settings.dbhas fixed an issue...
And thanks for updating Sensei plans!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on June 30, 2020, 09:34:03 pm
If you need to update it from the console.....Sensei:Status - Engine versión - check updates ?????????????
                                                                      os-sensei-updater  ????????????
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on July 02, 2020, 09:44:28 am

If I have multiple policies, does their order make any difference?
For example, I have 2 almost identical policies: #1 is the main, set as vlan13, #2 is a copy with additionally blocked app, set as vlan13 subnet (I couldn't choose same vlan13) and with active schedule (on & off).
So now policies order is as follow:
Default
#2
#1


If it is like that:
Default
#1
#2
would it change anything?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on July 03, 2020, 02:24:13 am
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2020, 07:45:03 am
Hi @GreenMatter,

Yes, policy order does matter. Suppose that you have:

Default
Policy 1
Policy 2

Engine tries to match in this order:
Policy 1
Policy 2
if none matches assigns Default policy.

With 1.6, we've changed the display order so it will be just as it is evaluated:
Policy 1,
Policy 2,
Default

PS: in case you did not notice: you can re-order policies in the policy list view which is displayed when you click on the Policies from the left menu.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 03, 2020, 07:48:03 am
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.

Hi @yeraycito,

Might be that wireguard has a clashing dependency. Let's have a look here.

Anyhow, to re-install just do:

pkg remove mongodb40
pkg install mongodb40

Title: Re: Sensei on OPNsense - Application based filtering
Post by: yeraycito on July 03, 2020, 03:14:36 pm
After installing version 1.5.2 I tried to install wireguard but it didn't work. I have uninstalled wireguard and restarted opnsense and mongodb does not start.

Hi @yeraycito,

Might be that wireguard has a clashing dependency. Let's have a look here.

Anyhow, to re-install just do:

pkg remove mongodb40
pkg install mongodb40

It worked, thanks.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on July 04, 2020, 08:45:05 am
I have a few questions about sensei,

1 I have a home subscription, is TLS/SSL inspection available for home users (if so how do I set it up?) ?
2. Is it possible to view blocks in a table format so I can easily see which website has been blocked ?
3. There is a template blockpage set up to show up when a website is being blocked, I almost never see this page when a site is blocked, is it possible to show this block page on ssl connections (its a little confusing now because now i see an error page that says dns_probe_finished or connection_closed so I dont know if this was sensei blocking the page, or if my DNS has some issues. to check I have to go through reports on sensei so thats my reason for question2) ?

Thanks!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2020, 05:54:23 pm
Hi @actionhenkt,

1. TLS/SSL inspection will be on the premium (will be renamed to enterprise soon) tier.
2. Sure, you have it already. Go to Reports -> Blocks -> Live Blocked Sessions Explorer. This shows in realtime which connections are blocked and for what.
3. Yes, please see this FAQ entry:
https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ#h_3fc561e1-efd2-4e19-8cc7-accb5b2ebaac

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 04, 2020, 06:12:12 pm
Dear Sensei users,

As this is a very much requested feature, I feel like I should let you know now:

Beginning with release 1.6, Sensei will have two more dns enrichment sources

1. Engine will do an active real-time reverse PTR query in case it cannot detect an immediate dns enrichment data from previous attempts  (available in home & higher subscription tiers)

2. Also, it'll utilize and prioritize OPNsense alias definitions if you have created a Host alias. (will be available in all tiers)

We hope to ship 1.6 later this month.

Stay safe & healthy,
Sensei team
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on July 07, 2020, 01:59:40 pm
After the latest update I cannot see sessions in reports blocks anymore so I cannot add exception for single destinations.
Any suggestion?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 07, 2020, 05:44:28 pm
During high network utilization I see..

0% /usr/local/sensei/output/active/temp [ufs]

go above 100% - is that normal?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 08, 2020, 08:44:14 pm
Hi @Rickytr, it's not expected. Does resetting reporting help ? (Sensei -> Configuration -> Reports & Data -> Reset Reporging)

Hi @evergreek, is that you see 100% active/tmp utilization during peak time? or you see no utilization at all?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 08, 2020, 11:07:53 pm
mb - it will go above 100% to 104% etc... (in my previous post - the network is quiet).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 09, 2020, 02:21:33 am
@evergreek, that's not expected. Shoot a PR and let's have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on July 09, 2020, 03:56:15 pm
Hi @Rickytr, it's not expected. Does resetting reporting help ? (Sensei -> Configuration -> Reports & Data -> Reset Reporging)


I have the same problem. Resetting the reports does not solve the problem.

Live session explorer of connections and TLS works though. It's failing in DNS and Blocks.

Edit. Solved after opening a bug report.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Mitheor on July 09, 2020, 07:18:55 pm
Is there any way to check current installed database content (like what urls are included for each category)?

I'd like to test some policies but I need this info  :P
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 09, 2020, 11:32:49 pm
What are these messages on the logs?

Jul 9 16:28:12    kernel: /usr/local/sensei/output/active/temp: optimization changed from SPACE to TIME
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 12, 2020, 10:27:57 pm
Hi @Rickytr, it's not expected. Does resetting reporting help ? (Sensei -> Configuration -> Reports & Data -> Reset Reporging)


I have the same problem. Resetting the reports does not solve the problem.

Live session explorer of connections and TLS works though. It's failing in DNS and Blocks.

Edit. Solved after opening a bug report.

Reported bug through the GUI with my logs.

I also have the same problem. I think the issue is the live blocked sessions explorer is now missing all the columns such as start, end, source IP, protocol. Now it shows the columns you expect on the overview page such as "alerts - top blocks" "top remote hosts" Checking all those shows undefined and there is  loaded record counter. So the data is there but the web page for it is missing the columns it needs to show the data.

Live blocked sessions. https://imgur.com/a/B1qt9EP
Here are the columsn in every other live report.  https://imgur.com/a/IKIz8Ec
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 14, 2020, 05:12:41 pm
Hi @donatom3,

UI bug which was causing this had been fixed with 1.5.2. But the database entry was still there.
1.6 will auto-detect this issue and fix it during post-install.

Below command should handle this for the time being:

Code: [Select]
echo -n "delete from user_configuration;" | sqlite3 /usr/local/sensei/userdefined/config/settings.db
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 14, 2020, 05:19:11 pm
Jul 9 16:28:12    kernel: /usr/local/sensei/output/active/temp: optimization changed from SPACE to TIME

This is a notification from Unix File System (UFS) about its data placement policy. It tells that new priority is back to performance.

This is related to this directory being 100% utilized. We do not expect this to happen under normal traffic conditions. Can you open a PR in case you did not do so?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: evergreek on July 16, 2020, 05:00:10 pm
mb,

I having a big problem - after upgrading from free -> premium - every couple of days the Sensei instance seems to be killing my internet. I have to login to the shell and kill the sensei process. Then everything starts work again.. a reboot does not fix it .. the problem persists until I kill the process.. i sent in a bug report but I was wondering if you guys had seen this before or someone else on this forum.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 16, 2020, 06:41:57 pm
Hi @evergreek,yes, we received your report. Team is on it. We'll get back to you momentarily.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on July 16, 2020, 11:16:20 pm
@mb

Having some issues with a new deployment. Previously, we'd had no problems choosing larger sized deployments during install. Based on that, a client hired us to setup a large OPNsense deployment with Sensei. However, it won't let me pick anything larger than "Small II." Specs of the firewall below...it definitely should be able to do far more than Small II. Amusingly, those are the same limitations our 2-core ATOM CPU at another office gets, so something isn't quite right. I've tried uninstalling, reinstalling, rebooting, etc.

CPU: Xeon, 1.9ghz, 6 cores, hyperthreading (12 logical cores)
Memory: 64gb
Score: 131578 (low-end?!)

How can I get Sensei to properly recognize this overpowered beast of a firewall?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 16, 2020, 11:19:20 pm
Hi @DenverTech,

We received several other reports and looking into this.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: DenverTech on July 17, 2020, 04:43:34 am
For anyone else following...it appears ubench (used to measure this), isn't reading some Xeon processors properly. Atom CPU = 130,000...Xeon = 130,000. It's measuring single-core oddly. The support team (kudos for the quick solutions) was able to override it and test without the ubench measurement. Despite the claim from ubench that the system couldn't handle anything, it's handling 500+ devices without issue.

Looks like a ubench bug!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 17, 2020, 06:47:20 pm
Hi @DenverTech,

Thanks for the update. Yes, most CPUs look ok, but with some, ubench is producing lower scores.

Team is looking for an alternative solution which could better yield the computing power of the cpu.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: m.chupin on July 23, 2020, 11:23:02 am
Hi all,
I'm newbie for Sensei. I need an application filter. I plan to apply policy "Deny all, except certain apps".
Firstly, apply "Block all" on "App controls" page. Check some apps (like TeamViewer, Skype, Windows Store) - they really don't work. Then I check Telegram Desktop app - it started up and works without problems. Though "Reports" show that Sensei recognize Telegram.
I try free version of Sensei.

What should I do to block Telegram?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: zauopn on July 23, 2020, 08:30:09 pm
Hello, I have latest version of opnsense already installed in a VirtualBox VM and it is working.

Internet WAN -> Modem -> Opnsense device (Ethernet port) LAN -> USB Ethernet adapter (usb connected to Opnsense device and Ethernet to WAN Ethernet port of router) -> Router ( multiple devices connected to it via Ethernet LAN ports and WiFi)

However, there are some issues with Sensei and IDS/IPS that need to be fixed:

1) All the web traffic in opnsense has the same WAN IP from router, so it makes it look that there is only one device connected to the network. I need to see in the Sensei and IDS traffic logs exactly the IP of the device in the network (I.e printer, PC etc..) that generates the traffic. For example, if a user using a smartphone goes to Facebook, I need to see the IP of the smartphone, not the WAN IP of the router.
2) Snort rules are not getting triggered, there are several ERR INVALID SIGNATURE in the IDS logs. Also, the GeoIP settings have an issue, the country flags are not showing up in the logs maxmind was already added to the geoip settings. :-\
I also have ET telemetry and some of the rules work but many of those rules are empty, it seems that ET Telemetry doesn't have the same rulesets as ET PRO.

Does anyone know how fix these issues? I'd appreciate your help. Thanks
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 24, 2020, 11:22:43 pm
Hi @zaupon,

This looks like Sensei/OPNsense is not the gateway for your devices and thus traffic does not flow through Sensei.

In reports, if all you see is WAN IP, it might be that your router might be doing NAT for the devices behind it.

To make sure it is not the case, run a tcpdump trace to see if you can see the internal IP addresses.

For the other question, is it Snort or Suricata? If Suricacata, IDS/IPS forum might be a better place to ask:
https://forum.opnsense.org/index.php?board=27.0


Title: Re: Sensei on OPNsense - Application based filtering
Post by: Xelas on July 25, 2020, 07:46:45 am
Just installed OPNsense on a dedicated PC with an i3, 8GB RAM, 250 GB SSD. Fresh install, one of the first packages I'm installing is Sensei, using ElasticSearch as the DB. The installation is failing because ES is failing to start, with the error message:
Code: [Select]
Starting elasticsearch service...
***ERROR***: Elasticsearch service could not be started in 60 seconds!***
***ERROR*** CODE:2***

ES installation log attached.
/var/log/elasticsearch/ is empty.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 26, 2020, 01:29:57 am
Hi @Xelas, what does this command tell?

Code: [Select]
service elasticsearch5 status
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Xelas on July 26, 2020, 06:49:13 am
Code: [Select]
root@OPNsense:~ # service elasticsearch5 status
elasticsearch5 does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
root@OPNsense:~ #
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 26, 2020, 05:26:36 pm
Hi @Xelas, reach out to the team via "Report Bug" menu located on the right hand corner of the UI, and we'll have a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 28, 2020, 02:47:17 am
Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade.OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.

With regard to the netmap improvement efforts, a bit of caution is necessary since we witnessed regression with some device drivers, vtnet being the most notable one.

Here's the detailed netmap status:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

Speaking with @franco, some good news: it looks like OPNsense team will be able to provide a test kernel and start landing the bug-fixes with 20.7.1 or 20.7.2.

As mentioned in the blog post, we need more testing with regard to some drivers. Any help in that regard would be much appreciated.

We can't start fixing a problem if we don't know there is a problem.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 28, 2020, 05:18:56 am
Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade.OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.


Should we submit bug reports if Sensei Packet Engine wont' start cuz we upgraded to 20.7 early and didn't see this or is it known that it isn't working?

For me Sensei Packet engine fails on starting and I get a popup that let's me report it's not working but then nothing pops up.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 28, 2020, 05:59:49 am
Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code: [Select]
pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code: [Select]
pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:
Code: [Select]
pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: donatom3 on July 28, 2020, 06:03:55 am
Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code: [Select]
pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code: [Select]
pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:
Code: [Select]
pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.

I missed what you said about the PR until after I ran the first three commands. I sent it anyway even though it's in the middle of updating the SunnyValley repository catalogue. Hopefully it still helps.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on July 28, 2020, 08:50:14 am
Yup, I have installed the preview version based on 12.1 and Sensei slashed my Usenet download speed to 8 MB/s instead of 22 or 24 MB/s as previously. I have APU2.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2020, 03:18:02 am
@donatom3, no worries, thanks for the update. 
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 29, 2020, 03:21:26 am
Dear Sensei users,

An update for the OPNsense 20.7 upgrade and compatibility:

https://www.sunnyvalley.io/post/sensei-and-opnsense-20-7-all-set-to-go/

All you need to do is running "Check Updates" once more after you're finished with upgrading to OPNsense 20.7.

OPNsense package manager will install the packages for the new OPNsense version and you'll be all set.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 12:34:15 pm
I know the vmx driver is listed under "Drivers that needs testing and verification" but I just want to point out that its not working. After upgrading to 20.7 and afterwards searching for updates again in order to update sensei the system crashes and reboots.

is this issue already known?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 01:28:08 pm
Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 01:33:54 pm
Hi @mb

yes of course. like described here: https://help.sunnyvalley.io/hc/en-us/articles/360045745053-Reporting-a-bug

?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 01:34:56 pm
yes of course. like described here: https://help.sunnyvalley.io/hc/en-us/articles/360045745053-Reporting-a-bug

Yep.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 02:20:16 pm
Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.

unfortunately I cant, the vm instantly reboots after the update
any ideas?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 02:23:55 pm
Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: GreenMatter on July 31, 2020, 05:27:05 pm
I've got exactly the same - after upgrading my OPNsense VM to 20.7 Sensei had ceased to run. Due to constant reboot loop, I had to restore VM snapshot and now I'm back on 20.1.9 - I reported a bug as well.
Are you going to improve compatibility for vmx drivers?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on July 31, 2020, 06:25:48 pm
So I had sensei running on 20.7 using the vmx0_vlan## interfaces.

So I started playing around, switched to just using vmx0 interface together with vlan id's in sensei and got my host in a crash bootloop without a snapshot  ::) . Is there anyway to disable sensei during boot?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on July 31, 2020, 07:15:51 pm
Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.

that worked, report sent!
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on July 31, 2020, 08:59:17 pm
Is there anyway to disable sensei during boot?

Well, I answered my own question:

Boot up in single user mode
Mount the fs
/usr/local/etc/rc.d/eastpect disable
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on July 31, 2020, 09:00:42 pm
Hi @sorano,

Your message just landed while I was preparing my post. Nicely done. Thanks for the update.

Upon user reports received, we've just updated the latest netmap status. Please see below post before you update to 20.7:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

For the problematic drivers, work has already begun. I'll provide interim updates on their status.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 01, 2020, 02:13:31 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: sorano on August 01, 2020, 02:55:28 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

This is my setup:

Hypervisor: VMware ESXi, 7.0.0, 16324942
VM Compatibility: ESXi 7.0 and later (VM version 17)
Distributed switch version:   7.0.0
Distributed Port group: Vlan trunk (Tagging vlans inside OPNsense)

Distributed Port group Security Policies:
Promiscuous mode   Reject ( I'm running Native MAC Learning instead to work around the vswitch + CARP duplicates issue)
MAC address changes   Accept
Forged transmits   Accept

Like I wrote earlier; Running Sensei on the interfaces that are tagged in OPNsense (vmx0_vlan#) works, but running on the "native" vmx0 interface + vlan id in sensei will cause kernel race.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Waschl on August 01, 2020, 10:26:37 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

Hello. I have the same problem. My setup:
Hypervisor: VMware ESXi 6.7.0 Update 3 Build 16316930
VM Compatibiltiy: 6.7 U2
Standard vSwitch

Running OPNsense with no special interfaces configurations (VLAN etc.) using vmxnet3.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scream on August 01, 2020, 11:06:41 am
Running into the same issue as well: https://forum.opnsense.org/index.php?topic=18338.0

Code: [Select]
Hypervisor: VMware ESXi, 7.0.0, 16324942
VM compatibility: 6.7 U2

OPNSense VM having 7 vmx interfaces. I use VLAN in my networks but I do tagging on ESX dvSwitch so OPNSense isn't aware of VLANs. Just seeing vmx0 - vmx6 interfaces.

Reverted to snapshots of 20.1.9 I created before upgrade.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 01, 2020, 07:12:28 pm
Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.
Title: Sensei on OPNsense - Application based filtering
Post by: nines on August 02, 2020, 09:36:23 am
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.
Already answerred Matt via mail but here's mine just for reference

6.7.0 update 2 build 13473784


Gesendet von iPhone mit Tapatalk
Title: Re: Sensei on OPNsense - Application based filtering
Post by: scream on August 02, 2020, 11:26:55 am
Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.

How can we easy test this? As I'm on a vm I can just create a snapshot before to easy revert back, if something goes wrong :)
Title: Re: Sensei on OPNsense - Application based filtering
Post by: franco on August 02, 2020, 11:36:33 am
We will likely provide a test kernel next week. Note we are on 12.1 to avoid surprises in other areas and go from there... ;)


Cheers,
Franco
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 03, 2020, 11:19:36 pm
Yes, totally agree. I'm awaiting confirmation from several Sensei users whether 12-STABLE is fixing their problems.

I'll be updating here once I have some news.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: almodovaris on August 04, 2020, 10:48:58 am
AFAIK eastpect is single-core. Why not make it use multi-core?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 04, 2020, 03:29:33 pm
@almodovaris, very good catch.

Indeed, it is multi-core, but we had to run it single core in the current environment (Routed / L3 mode) because of a lack of OS feature (netmap multiple host rings) and kernel flow asymmetry. In some environments (Bridged / L2 mode), we deploy Sensei - with a custom kernel- in multi-core mode to be able to serve multi-gigabit speeds and userbase exceeding several thousand users.

Multiple host rings feature has been introduced with FreeBSD-12. Flow symmetry requires a bit of work.

Currently, the focus is to help OPNsense ship the new netmap kernel to be able to provide a seamless Sensei / Suricata experience.

Next, this is also planned down the road.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: cgone on August 05, 2020, 02:26:06 pm
It is possible to enlarge the mount /usr/local/sensei/output/active/temp?

I got often the following error messages (and lags):

Aug  5 12:40:53 firewall kernel: pid 83092 (eastpect), uid 0 inumber 5 on /usr/local/sensei/output/active/temp: filesystem full
Aug  5 12:40:57 firewall kernel: pid 83092 (eastpect), uid 0 inumber 8 on /usr/local/sensei/output/active/temp: filesystem full
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 05, 2020, 08:09:37 pm
Hi @cgone, sure. This feature will ship with the upcoming 1.6 :)

Check for a new configuration item under "Configuration -> Reporting & Data" : "Size of Temporary Memory Disk Space".
Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on August 06, 2020, 06:13:49 pm
I'm trying to install Sensei on a new virtualized (vmware) installation of OPNsense, but during the setup the lan interface (vmx0) is not displayed in available interfaces. I don't have anything installed that can lock that interface.
Any help?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 06, 2020, 06:27:16 pm
Hi @Rickytr, on 20.7, we explicitly filter out vmx interfaces to prevent a system crash. Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

Title: Re: Sensei on OPNsense - Application based filtering
Post by: Rickytr on August 07, 2020, 04:22:56 pm
In the thread you mentioned seems they found a way to solve the problem. How can I configure sensei correctly on LAN nic after I patch the kernel?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 04:27:10 pm
Hi @Rickytr, vmx patch seems incomplete. It just prevents the crash. Packet transmission has problems.

Below table summarizes the current situation.
https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

I'll post more updates once we confirm everything is working.

Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 07, 2020, 08:25:34 pm
I upgraded opnsense to the latest version, now sensei doesnt see any interfaces anymore. Im running opnsense on proxmox if that matters. Just finished installing a fresh copy of the latest opnsense and sensei and im getting the same result, sensei doesnt detect any interfaces to protect ?

Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 08:29:24 pm
Hi @actionhenkt,

on 20.7, we explicitly filter out some interfaces to prevent a system crash. If yours is vtnet, this is one of them.

Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

Good news is; vtnet fix looks good. There'll be a test kernel soon.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 07, 2020, 08:41:26 pm
Thanks, that was a fast response :) - I installed the kernel but unfortunately im not able to select any interfaces yet (im using vtnet).
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 07, 2020, 09:45:12 pm
You're welcome. Here's a quick hack to bypass the check:

Open /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php with your favorite editor and comment below lines:

Code: [Select]
if ((substr($interface, 0, 5) == 'vtnet') && (floatval($netmapVersion) < 13 or floatval($opnsenseInfo['product_version']) >= 20.7)) {
            $filterflag = true;
}

Title: Re: Sensei on OPNsense - Application based filtering
Post by: actionhenkt on August 08, 2020, 08:26:30 am
Thanks! This allowed me to configure sensei. I see the packetengine is detecting traffic. However I seem to be having the same issue I had when I first upgraded to latest opnsense, the reports no longer work and dont see any live sessions.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 10, 2020, 08:49:35 pm
Hi @actionhenkt, that's good to hear, thanks for the update. For the reporting, send a PR and team will have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on August 11, 2020, 01:11:44 pm
Even if I uninstall sensei via the uninstall button and then upgrade to 20.7 the system keeps crashing as if there is still something sensei related remaining.

Any hints?
Title: Re: Sensei on OPNsense - Application based filtering
Post by: mb on August 11, 2020, 06:37:31 pm
Hi @nines, if you've uninstalled Sensei, it's very unlikely that it'll interfere with the system.

Having said that, you can also issue the following commands:

pkg remove os-sensei
pkg remove elasticsearch5|mongodb40 (choose your database here)
pkg remove os-sunnyvalley
pkg autoremove -y
rm -rf /usr/local/sensei



Are there any errors reported? If you have any error reports or screenshots, feel free to send a PR and we'll have a look.
Title: Re: Sensei on OPNsense - Application based filtering
Post by: nines on August 11, 2020, 08:00:50 pm
//EDIT: my issues seems not to have something to do with sensei but with the problem described here:
https://forum.opnsense.org/index.php?topic=18552.msg84503#msg84503

@mb: are you able to help anyway by having a look into the dmesg log?

did that, no errors, seems like the gui installs button is doing the same.
would love to share a crash log but the whole vm crashes instantly after finished booting which makes it difficult (with just a vmware console) to copy logs etc.

strange at least ...

Code: [Select]
root@OPNsense:/home/shelladmin # pkg remove os-sensei
No packages matched for pattern 'os-sensei'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg remove mongodb40
No packages matched for pattern 'mongodb40'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg remove os-sunnyvalley
No packages matched for pattern 'os-sunnyvalley'

Checking integrity... done (0 conflicting)
1 packages requested for removal: 0 locked, 1 missing
root@OPNsense:/home/shelladmin # pkg autoremove -y
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages:

Installed packages to be REMOVED:
        ubench-0.32

Number of packages to be removed: 1
[1/1] Deinstalling ubench-0.32...
[1/1] Deleting files for ubench-0.32: 100%
root@OPNsense:/home/shelladmin # rm -rf /usr/local/sensei