Messages - ruffy91

#31
Yes, sorry, the 50 bytes are for generating a random password.
The salt should be 128-bit, but I found no definitive source for this.
#32
The most accurate technical documentation is the code:
<?php
// The function as quoted from the OPNsense auth code; comments added here.
function local_user_set_password(&$user, $password = null)
{
    $cost = 10; // bcrypt work factor: 2^10 = 1024 key-setup rounds

    /* loose comparison: both null and '' trigger random generation */
    if ($password == null) {
        /* generate a random password: 50 bytes from the CSPRNG */
        $bytes = openssl_random_pseudo_bytes(50);
        /* bin2hex() followed by pack('H*') round-trips to the same raw bytes */
        $password = pack('H*', bin2hex($bytes));
    }

    /* password_hash() draws the 16-byte (128-bit) bcrypt salt itself */
    $hash = password_hash($password, PASSWORD_BCRYPT, [ 'cost' => $cost ]);
    if ($hash !== false) {
        $user['password'] = $hash;
    }
}

If I understand that right, all local users use bcrypt2 with 2^10 rounds and a 50-byte salt.
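What password_hash() actually stores can be read straight off the hash string. The following is an added example, not OPNsense code: it mirrors the random-password branch of the function quoted above (using random_bytes() in place of openssl_random_pseudo_bytes(), and base64-encoding the 50 bytes so the password text never contains a NUL byte, which crypt()-based bcrypt implementations treat as end of string), then parses the resulting `$2y$` string to show the cost field and the 22-character salt. The function names, the regex and the output format are my own.

```php
<?php
// Added example, not OPNsense code. Mirrors the random-password branch of
// local_user_set_password() and inspects what password_hash() stores.
declare(strict_types=1);

const BCRYPT_COST = 10;

// 50 random bytes, as in the quoted function, but base64-encoded (68 chars)
// so the password text cannot contain a NUL byte; bcrypt implementations
// built on crypt() stop reading at the first NUL. random_bytes() is the
// modern CSPRNG call (assumption: acceptable in place of openssl_random_pseudo_bytes()).
function generate_random_password(int $bytes = 50): string
{
    return base64_encode(random_bytes($bytes));
}

function hash_password(string $password, int $cost = BCRYPT_COST): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Split a bcrypt string "$2y$<cost>$<22-char salt><31-char digest>" into its parts.
function parse_bcrypt(string $hash): array
{
    if (!preg_match('/^\$2[aby]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    // bcrypt uses its own base64 alphabet (./A-Za-z0-9); remap it to the
    // standard alphabet so base64_decode() recovers the raw salt bytes.
    $bcryptAlphabet   = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $standardAlphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    $saltBytes = base64_decode(strtr($m[2], $bcryptAlphabet, $standardAlphabet) . '==');

    return [
        'cost'       => (int) $m[1],
        'rounds'     => 2 ** (int) $m[1],
        'salt_b64'   => $m[2],
        'salt_bytes' => strlen($saltBytes),   // 16 bytes = 128 bits
        'digest_b64' => $m[3],
    ];
}

$password = generate_random_password();
$hash     = hash_password($password);
$info     = parse_bcrypt($hash);

printf("password:  %d random bytes, %d chars as text\n", 50, strlen($password));
printf("hash:      %s\n", $hash);
printf("cost:      %d (2^%d = %d rounds)\n", $info['cost'], $info['cost'], $info['rounds']);
printf("salt:      %s -> %d bytes = %d bits\n", $info['salt_b64'], $info['salt_bytes'], $info['salt_bytes'] * 8);
printf("verify:    %s\n", password_verify($password, $hash) ? 'ok' : 'FAIL');

// Caveat: bcrypt only looks at the first 72 bytes of the password. The
// 68-char value above fits; a 73rd byte would be silently ignored.
$truncated = password_verify(str_repeat('a', 73), hash_password(str_repeat('a', 72)));
printf("73-byte input matches 72-byte hash: %s\n", $truncated ? 'yes' : 'no');

// When the cost is raised later, password_needs_rehash() flags stored hashes
// that should be re-hashed at the next successful login.
$needs = password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12]);
printf("rehash needed at cost 12: %s\n", $needs ? 'yes' : 'no');
```

Run it with `php bcrypt_inspect.php`; each run prints a fresh salt, but the salt always decodes to 16 bytes, the cost field always reads 10, and the 50 random bytes only ever appear as the password input, never inside the stored hash.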
#33
19.7 Legacy Series / Re: Am I missing something?
July 06, 2019, 10:09:18 PM
It's still not released. Don't know how marjohn56 is running it..
#34
Try setting the Machine to q35 and the CPU to host.
I have it running with these settings on a similar CPU (although I use OVMF UEFI, not SeaBIOS)
#35
For comparison, I get the following throughput with/without Sensei on a PC Engines APU3A4:
The interface is just the LAN interface, which is an igb NIC without VLAN or LAGG.

Without Sensei 250/50 Mbps
With Sensei 140/40 Mbps

I enabled some security features of sensei and I blocked the malware Web category.

I do not use any other features that have an impact on throughput, like IDS or traffic shaping.
#36
General Discussion / Re: Port Forwarding Issues
June 07, 2019, 08:02:21 AM
Run a tcpdump on your server, capture a few packets and have a look at the answer packets.

Sent from my MI 9 using Tapatalk

#37
Firewall rules should be manageable using interface groups. No need to duplicate all the rules!
Maybe you should split up the VLANs and use 3 or 4 systems. You could then also use one as a pilot group for upgrades/config changes and only have 200 users complain instead of 800 :-)

#38
Yes. And so that you can use this in a query (e.g. a pie chart showing what percentage of the packets are IPv6), you then introduce a field in which you store whether it is v4 or v6 -> better to store it right from the start.

#39
The new netmap kernel also made it possible to use Suricata in IPS mode on an interface with multiple VLANs in promiscuous mode.
Without the netmap kernel, all traffic stops as soon as Suricata starts.

At least I thought it was the kernel.

#40
They do different things but they overlap a bit.

Both do Deep Packet Inspection but with other targets.
Suricata is only an engine; you have to select the rules yourself to reach your target.
You can use the abuse.ch SSL Blacklist to block known bad certificates, or ET Pro Trojan rules to block and detect network traffic from trojans, and many more. It's there to defend against known exploits, vulnerabilities and threats, mostly. You can enhance it yourself by adding the right rules.

Sensei classifies traffic into application + web categories and allows you to specify what to block.
For example, block file-upload/sharing sites to enforce the policy that employees have to use your in-house file sharing system etc., which would be very hard to do using Suricata.
In addition, they provide a blacklist of sites they see spreading malware.

So I see it like this: block known threats using Suricata, and use Sensei for defense-in-depth by disabling apps you do not need or do not want in your network.

Also, Sensei has usable reporting. Suricata just shows alerts; Sensei shows relations and also what is happening in your network even if it's not an alert.

#41
My setup has 3 VIPs (WAN, LAN, DMZ) + an alias IP on WAN and has problems with switching between firewalls.
#42
I had exactly the same symptoms, including that disabling CARP and re-enabling it did not help. The pfsync bulk update was successful and the skew got to 0, but it did not become master again.
Instead of the workaround, I just rebooted it and it became master again.
#43
This goes both ways: why inspect inbound WAN traffic if you're going to drop 99% of all unsolicited traffic at the firewall anyway?
#44
I installed Sensei 0.8p9 on 19.1.6 (which I have now updated to 19.1.7).
I get the following error when accessing the Dashboard or any Sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active, the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I thought tagged VLANs are supported now?
#45
19.7 Legacy Series / Re: Move to FreeBSD 12?
May 03, 2019, 09:15:38 PM
"Under the current support model, each major version's stable branch is explicitly supported for 5 years."
As stable/12 was released in December 2018, it should be supported until at least December 2023.

So it seems that this page just hasn't been updated in half a year.