Messages - Anael

#1
Zenarmor (Sensei) / Re: Block YouTube App
December 21, 2020, 10:56:01 AM
That PIN option sounds amazing!
#2
Precisely, from the HTTPS step onward it requires using a certificate in the browsers. Which I don't want.
#3
Quote from: mihak on October 06, 2020, 12:16:42 AM
SVN team did some analysis on my router today and:

- confirmed that throughput indeed drops from >900 Mbps to ~250 Mbps when Sensei is on and active
- throughput goes back to >900 Mbps when Sensei is in bypass mode
- disabling the hyperthreading of firewall increased the throughput to ~350 Mbps

My device is one of the new-generation Protectli clones: https://www.aliexpress.com/item/4000803229693.html

i7 CPU with 32 GB ram and 500 GB mSATA

Will post an update once we progress more.
Is that a 7th generation proc? I have an i5 8th and it seems that I got more physical CPUs.  :o
#4
Zenarmor (Sensei) / Re: Block YouTube App
December 01, 2020, 03:57:10 PM
Quote from: ittk on November 29, 2020, 09:28:11 AM
Quote from: athurdent on November 29, 2020, 08:18:57 AM

QUIC hosts drill down to 74.125.104.75 (Google) and 92.224.0.0/13 (Telefonica).

This sounds like Sensei app detection only operates on layer 3/4 detection. This is not enough for the real app detection and control used in next-generation firewalls - as it must operate in upper layers 5 up to 7. You must examine up to layer 7 to fully catch things like YouTube video streams.
In fact they always say it is 3,4 layer. We do not do SSL decryption as well. It's only SNI checking.
#5
Zenarmor (Sensei) / Re: SOLVED Resolving hostname
November 18, 2020, 03:10:00 PM
In System: Settings: Administration
try to tick DNS Rebind Check
#6
Go to the top right and click on the allow button on any nfl.demdex.net line to allow it, wait for the engine to reload, then try again.
#7
French - Français / IDS/IPS with certificate inspection
November 18, 2020, 02:49:55 PM
Hello everyone, coming from a Fortigate where I was able to inspect TLS certificates without decryption, I can't manage to set up this configuration on OPNsense. I do see the SNI option (Log SNI information only), which I tick, but without a certificate it doesn't work.
Any ideas or tutorials I could rely on? Thanks.
      
#8
Zenarmor (Sensei) / Re: Resolving hostname
November 13, 2020, 02:58:54 PM
Coming back to you as Salih from the support found the problem.

We had to use 192.168.1.3 and not 102.168.1.3/32 for aliases or it won't work.

If that can help ppl..  ;)
#9
Zenarmor (Sensei) / Re: Resolving hostname
November 06, 2020, 02:37:04 PM
Will do it when I'm back at home. Thanks!
#10
Zenarmor (Sensei) / Re: Resolving hostname
November 04, 2020, 12:53:59 PM
Will try. I didn't use Unbound.
#11
Zenarmor (Sensei) / Re: Resolving hostname
November 03, 2020, 07:28:13 PM
Yes, and I also tick: Use OPNsense Host aliases for DNS enrichment

I put all my hostnames in aliases with network and /32 by IP and it's the same.

Actually I use remote (1.1.1.1) DNS in the Sensei config, meanwhile I use a local (adguardhome) DNS server. I will replace 9.9.9.9 by my local DNS and see how it goes.
#12
Zenarmor (Sensei) / SOLVED Resolving hostname
November 02, 2020, 10:33:03 AM
Hi there,

I can't find a way to resolve local hostnames.


#13
I'm also interested to know about the question above  ;D
#14
Zenarmor (Sensei) / Re: suggestion for safesearch
October 25, 2020, 03:58:48 PM
Great! I had another question but the answer is on the roadmap:

Policy based Shaping (App, Web category ..) as I used it a lot to prioritize VoIP over www, media or p2p/bulk at home.

Can't wait!  ;D
#15
Zenarmor (Sensei) / suggestion for safesearch
October 24, 2020, 10:34:32 AM
Hi there, as I'm coming from Fortinet, as I already said, I have some insights and suggestions to improve Sensei even more.

Actually I can't find an option to force safesearch for some websites like Google, Bing, Yandex, etc.

For instance, the big problem currently is that if I want to block porn it works, but if I want to find porn through yandex.com it works as it's not in safesearch. As I'm testing web filtering for young people, I can't actually put OPNsense in production.

I know we could do it in DNS or a hosts file, but it could be easier to tick/untick an option in web control, for instance.

Actually on my adguardhome (DNS server) I made DNS rewrites. My objective is to concentrate all options on OPNsense and drop my DNS server.

Does someone know if it will be added? Thanks