Messages - packetmangler

#1
if you do a host lookup on those IP addresses from a host on your network what do they resolve to? 

I wouldn't expect anything outside of opnsense to know what anything inside of your aliases resolve to as that's not how DNS works.
#2
If you're getting 1.1 gigabit you're already getting more than FiOS officially offers.

Taken directly from their website: "Up to 940/880 Mbps"

I typically am in the 930 - 950 range when testing via speedtest.net and haven't done any tuning specifically for FiOS. The connection does sometimes test faster using fast.com.

If you're using Suricata, Sensei or the like, I'd disable those and see where things stand.



#3
Quote from: mimugmail on August 28, 2020, 02:15:37 PM
Quote from: Archanfel80 on August 28, 2020, 12:48:55 PM
The bandwidth issue is because of netmap and the kernel. The main issue is the way too paranoid "hardened" BSD project. I use FreeBSD on other systems too; this whole project is starting to get annoying and it's more like a pain in the ass. Much more side effect than benefit. I really don't like where the FreeBSD development is going.

No one is forced to use netmap. On fast hardware you get perfect performance, also with 20.7.

And the relation to HBSD compared to FreeBSD is just a guess ..

What would you consider fast hardware? I have an i7-2600 with 16GB of RAM running OPNsense and I'm seeing my speeds almost cut in half when Sensei is enabled - from 900+ Mb/sec down to about 550+ Mb/sec.

This is quite the drop from 20.1 where I was able to max out my connection with both Suricata and Sensei enabled.
#4
Quote from: nzkiwi68 on June 25, 2020, 06:34:20 AM
Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

There is an App category for Proxies.  I don't see SkyVPN, but you do have the ability to add it manually if you know the hostname(s) and IP addresses the service uses.
#5
Quote from: dcline on May 12, 2020, 04:03:41 AM
Hi All,

I setup a Maxmind account, added the key to the MaxMind URL and then added it to the Firewall Alias GeoIP settings. As per OPNsense instructions, I should go to IDS "User Defined" rules and setup GeoIP blocking rule, however I am missing the GeoIP options completely from the "User Defined" rule settings.

Did I miss something?

FWIW, I don't have the geoIP settings in the User Defined section either. 

Are you looking to block based on geoIP data? If so, you can do that via firewall rules after you've created the necessary geoIP alias.
#6
Quote from: mb on May 08, 2020, 02:45:45 AM
Quote from: packetmangler on May 04, 2020, 04:45:25 PM
EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?

Hi @packetmangler,

With release 1.5, cache time to live is 8 hours (it was higher with 1.4). So it could be every 6 hours so that it replenishes the cache.

Thanks mb.  I have my simple one-liner running every 4 hours for the time being and it seems like it's doing what it needs.

Enjoying 1.5!
#7
Quote from: mb on May 03, 2020, 08:15:31 PM
Quote from: Mitheor on May 03, 2020, 11:41:45 AM
As you can see I'm not seeing the names even though I've sent some queries for those machine names a few times minutes before, and they are seen in the Sensei DNS tab, so, as far as I understand, those names should be cached and shown in the reports.

Hi @Mitheor,

For Sensei to be able to do proper DNS enrichment, it needs to be able to witness all DNS transactions. If it does not work as it should, it's generally:

https://help.sunnyvalley.io/hc/en-us/articles/360025100613-FAQ. See the section: "I do not see dns hostnames for some IP addresses"

One other thing which might play a role here is if you use a DNS cache in your local network which resides on a host other than the firewall (on which Sensei is running); this will also cause some mappings to go out of sight for Sensei, since that cached DNS traffic will NOT be traversing the firewall.

For those scenarios (like Pi-hole) we suggest disabling caching on them and using the firewall's DNS cache as the forwarder.

If none of these is the case for you, just shoot a report via "Report Bug" menu located on the upper right hand corner of the UI.

I have this issue as well since I run multiple pi-holes and an internal authoritative bind server, but I've ignored it for the most part. 

If the DNS records are updated when requests pass through the firewall, would something as simple as having the firewall run through a list of IP addresses and perform reverse lookups on them work?

EDIT: I'm doing forward and reverse lookups on the firewall for all addresses on my local network and it appears that the graphs are indeed populating with host names where IP addresses were earlier.  So now the question is how often should that run?
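The sweep described in the post above (reverse lookups of every local address from the firewall, followed by a forward lookup of the name that comes back, run from cron) as an added example rather than the author's own one-liner. It assumes the firewall's resolver is the one Sensei watches, that `drill` (shipped with FreeBSD/OPNsense) or `host` is installed, and a constructed LAN prefix of 192.168.1.

```shell
#!/bin/sh
# Added example, not from the thread: refresh Sensei's DNS enrichment cache by making the
# firewall's own resolver perform reverse and forward lookups for every host in a /24.
# Assumptions: run on the firewall (e.g. from cron every 4 hours), `drill` or `host` present,
# LAN prefix defaults to the constructed value 192.168.1. Run with SWEEP=1 to actually query.

PREFIX="${1:-192.168.1}"   # first three octets of the /24 to sweep (assumption)

# Build the in-addr.arpa name for a dotted IPv4 address: 192.168.1.10 -> 10.1.168.192.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Emit every usable host address in PREFIX.0/24 (.1 through .254), one per line
subnet_hosts() {
    i=1
    while [ "$i" -le 254 ]; do
        echo "$1.$i"
        i=$((i + 1))
    done
}

# Reverse-look up one address with whichever client is installed; print the PTR target or nothing
reverse_lookup() {
    if command -v drill >/dev/null 2>&1; then
        drill -x "$1" 2>/dev/null | awk '$4 == "PTR" { print $5; exit }'
    else
        host "$1" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }'
    fi
}

# Sweep the subnet: reverse lookup each IP, then forward lookup the returned name, so the
# resolver (and Sensei observing it) sees both directions of the transaction.
sweep() {
    subnet_hosts "$1" | while read -r ip; do
        name=$(reverse_lookup "$ip")
        [ -n "$name" ] || continue
        if command -v drill >/dev/null 2>&1; then
            drill "$name" A >/dev/null 2>&1
        else
            host "$name" >/dev/null 2>&1
        fi
        echo "$ip $name"
    done
}

# Only hit the network when explicitly asked, so the helpers can be sourced and checked offline
if [ "${SWEEP:-0}" = "1" ]; then
    sweep "$PREFIX"
fi
```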
#8
Under Interfaces -> LAN

Do you have IPv6 Configuration Type set to Track Interface?

And then down below for Track IPv6 Interface do you have the interface set to WAN?

I have my WAN interface configured as you do and I'm able to pull IPv6 for my internal network with those settings. My WAN interface does _not_ obtain an IPv6 address though.

#9
Quote from: mb on April 15, 2020, 11:23:04 PM

Hi @packetmangler, thank you very much for the report. We couldn't reproduce this in our lab.

Any chance that you could create a bug report (Report Bug menu on the upper right hand corner)?

Let's take a closer look.

Report sent! I'm truly expecting a reply along the lines of: You're doing something really stupid. So don't do that. :D

Looking forward to the release of 1.5!

Thanks!
#10
Quote from: meazz1 on April 15, 2020, 09:33:00 PM

This is the exact issue I'm facing: "is the internet down? I can't open this site" from a family member almost every day.

Can you explain your flow? The Pi-hole is doing the DNS using 9.9.9.9 and Sensei is doing web and app filtering?

Sure. 

Since I run my own internal DNS server, I don't allow clients to connect to external DNS servers over port 53. I have OPNsense redirect any queries to my Pi-holes. This applies to IPv4 and IPv6.

I run two Pi-holes and both point to my internal DNS server. The internal DNS server then connects to Quad9 via stubby (uses DNS over TLS) for any further queries.

Assuming clients resolve their queries OK (and don't get denied by the Pi-holes), they then go through Sensei for further web / app filtering and then out to the Internet.

#11
Quote from: meazz1 on April 15, 2020, 06:54:20 PM
I have been using the Sensei home version for the last few months and really loving it.
Along with Sensei I have configured Unbound DNS using CloudFlare, Quad9, Clean Browsing, Google, and Freenom public DNS resolvers (https://sahlitech.com/opnsense-setup-unbound-dns/).
Is this overkill, or a redundant or unnecessary setup?

I personally limit myself to a single forwarder only because having multiple might make troubleshooting issues harder.

My flow is: Pi-holes -> Quad9 -> Sensei. And even then it's a matter of tracking down whether it's the Pi-holes, Quad9 or Sensei doing the blocking. Then add in the pressure of family saying they're unable to get to a super important site right now, or something on their precious iOS device isn't working quite right. It can be a pain. :D
#12
So I've had Sensei working really well for the past couple of months but it seems that reports aren't working or they're not working the way I think they should.

So I've got a host on my network that I want to get detailed info about. I go to Sensei -> Reports, then click add filter [host] and enter the IP address I want to include. Lastly, I click Refresh.

When I do this the graphs don't really change, nor does the output for Activity Explorer. It seems that the filter isn't working for me. There's no change when I use that same IP address for Source IP as a filter.

Am I missing something obvious? Should the reports only include what matches the applied filters and exclude anything that doesn't match?

Thanks!
#13
Glad you were able to resolve your issues! Fun times!
#14
Source_IP:Port is on the left and Destination_IP:Port is on the right. 

Looks to me like an external host is connecting to that host via the RDP port.
#15
Not sure why, but from the looks of things you have no default route after you change your WAN interface, as seen at the 1h 01m marker. You can reach 192.168.1.1 because it's directly connected and OPNsense knows about it.

Can you compare before and after using netstat -anr on your opnsense machine?