Topics

If you've experienced packet stalls while using Zenarmor or Suricata IPS with vlan/lagg interfaces:

OPNsense team has shipped a test kernel which has bug-fixes for netmap emulated driver, the default mode for vlan and lagg interfaces.

Please test and provide feedback. We want to make sure all issues are addresses this time. So, your help will be greatly appreciated.

https://forum.opnsense.org/index.php?topic=32114.0

If you've experienced packet stalls while using Zenarmor or Suricata IPS with vlan/lagg interfaces:

OPNsense team has shipped a test kernel which has bug-fixes for netmap emulated driver, the default mode for vlan and lagg interfaces.

Please test and provide feedback. We want to make sure all issues are addresses this time. So, your help will be greatly appreciated.

https://forum.opnsense.org/index.php?topic=32114.0

Dear zenarmor users,

We've shipped zenarmor 1.11.4-rc1 on the OPNsense 22.7 branch.

This release is meant for compatibility with the upcoming OPNsense 22.7 release.

Please feel free to report any issues you've encountered and we'll get them all sorted out before OPNsense 22.7.

Dear beloved OPNsense users,

Your opinion matters to us. Please help us decide the future of Zenarmor's UI on OPNsense

In the past year, Zenarmor's Cloud User Interface received significant improvements on the usability side. We want to bring those improvements to the Zenarmor OPNsense plug-in.

We have two options that we would like you to see and provide your feedback.

Please have a look at the Poll below and share your opinion with us.

https://docs.google.com/forms/d/1pWbiObQsKgdaUIduI_mImLo-MW695KmfftwxizxVBzc/viewform?ts=62a4f641

Best
Zenarmor Team

Happy to announce that Zenarmor 1.10.1 is released with the following improvements:

• OPNsense 22.1 packages
• Debian 11 support
• Other fixes and improvements

For the full Release Notes, please see:

https://www.sunnyvalley.io/docs/support/release-notes#1101----jan-16-2022

PS: 1.11 is planned for end of February. Some of the major features that are planned for 1.11:

• Device Identification and Auto-discovery
• RESTful API

Enjoy :)

- Your Zenarmor team

Dear friends,

As of today, we're thrilled to announce that we'll be rebranding Sensei as ZENARMOR.

Sensei will be getting a new logo with a new brand name, but our beloved next-generation firewall plug-in will remain the same if not better.

Read more here:

https://www.sunnyvalley.io/post/sensei-is-now-zenarmor

[UPDATE Jul 29, 6:49pm PT:]

Dear Sensei users,

It looks like igb(4) in netmap mode is mangling with the ahci(4) driver. Therefore, if you're using igb(4) ethernet, we advise you to postpone 21.7 upgrades for a while once we confirm everything is 100% ok.

We'll keep you posted.

UPDATE Jul 29, 6:49pm PT:
We've come across this problem on a system where Sensei and/or Suricata was not installed (thus no netmap). Looked like a similar problem: https://forum.opnsense.org/index.php?topic=23867.msg115304#msg115304; the same ahci-related error was present. We're in touch with the OPNsense team, and will post when we have further updates.

As the second phase for their migration to PHP 7.4, OPNsense will release 21.1.8 tomorrow, upgrading its PHP software to version 7.4. This leaves some compatibility issues with Sensei 1.9.1 and prior releases.

Sensei 1.9.2 addresses these compatibility issues and it is compatible both with OPNsense 21.1.8 and the current and past 21.1.x releases.

You can install Sensei 1.9.2 now or let the OPNsense 21.1.8 updater do the job for you automatically. It will also update Sensei to 1.9.2 release as part of OPNsense 21.1.8 upgrade process.

We would like to thank OPNsense team for their cooperation to make this a smooth transition for Sensei users.

For the full Release Notes, please see:

https://www.sunnyvalley.io/docs/support/release-notes/

[Another important item to note]

Dear Sensei users,

Sensei 1.9.1 is released today. You can now have the "Live Sessions Explorer" feature in the Cloud Management Portal and start using premium subscriptions on the new platforms.

Another important item to note is that Sensei 1.9.1 introduces a forward compatibility enhancement for the upcoming OPNsense 21.1.7 release, which will be released tomorrow.

This is due to the fact that OPNense is upgrading its Phalcon library to version 4. This leaves some compatibility issues with Sensei 1.9 and prior releases.

Sensei 1.9.1 addresses these compatibility issues and it is compatible both with OPNsense 21.1.7 and the prior 21.1.x releases.

You can install Sensei 1.9.1 now or let the OPNsense 21.1.7 updater do the job for you automatically. It will also update Sensei to 1.9.1 release as part of OPNsense 21.1.7 upgrade process.

We would like to thank OPNsense team for the timely heads-up and for their cooperation to make this a smooth transition for the Sensei users.

For the full release notes, please see:

https://www.sunnyvalley.io/docs/support/release-notes

Dear OPNsense users,

As promised, we've just published the new User Manual:

https://www.sunnyvalley.io/docs/opnsense/

In the coming days/weeks, you'll be able to see more guides and tutorials focusing on specific features, which were missing up until now.

Enjoy :)

Dear OPNsense users,

I'm happy to bring you the news that we're very close to providing Application & Web Category based Traffic Shaping and Prioritization to the beloved OPNsense firewall.

Initial tests with the engine implementation looks very promising. We are able to prioritize and/or set bandwidth caps on select traffic according to L7 criteria like Application/Application Category/Web Category.

Next step is the User Interface.

Here, we're trying to decide whether we should provide different policies for filtering and shaping or we should handle them in a single policy. I guess we need to hear your use cases and opinions.

Your feedback will be much appreciated.

Dear OPNsense community,

Sensei 1.6.1 is now available; doubling TLS/SSL download speeds and fixing remote Elasticsearch TLS authentication bug.

Full Release Notes:

https://www.sunnyvalley.io/post/sensei-1-6-1-for-opnsense-is-out/

[vmx(4), vtnet(4), ixl(4), ix(4) and em(4)]

Dear OPNsense community,

It's my pleasure to announce that OPNsense team has shipped the official netmap test kernel today.

This kernel fixes important stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.

The  kernel also adds long-awaited support for tun(4) and lagg(4) interfaces.

The end benefit of this kernel is that you'll be able to run Sensei or Suricata on the following:

• OpenVPN and other VPNs which use tun(4) interface
• Link Aggregation Groups (lagg)
• QEMU/KVM guests with performant vtnet driver
• VMware guests with vmx driver
• Intel 10 Gbps Ethernet drivers
• Intel 1 Gbps Ethernet (em driver) with VLANs

To deploy the new kernel just run below command and restart your firewall.

Code Select Expand

# opnsense-update -kr 20.7.3-netmap

Patches which went into this kernel have been under heavy testing by us (Sunny Valley Networks) and by the OPNsense team for a few weeks now.

We'd very much appreciate your further testing and feedback. If no further issues pop up, OPNsense team will be shipping all these functionality with 20.7.4 or later releases.

As Sunny Valley Networks, we'd very much like to thank OPNsense/HardenedBSD team, netmap team (Universita di Pisa) and the FreeBSD team for their awesome collaboration and precious efforts. With their full coordination and co-operation, we are able to provide this today.

Main topic here:

https://forum.opnsense.org/index.php?topic=17363.0

Dear OPNsense community,

As promised, we've[1] kicked off another project which focuses on killing remaining netmap bugs on HardenedBSD 12 (FreeBSD 12).

Any help in testing the upcoming OPNsense 20.7 with Suricata (IPS mode) and/or Sensei and providing bug reports would be much appreciated.

We'll get them prioritized, fixed, and committed to the upstream Operating System as soon as possible. 

We hope to help provide a release quality netmap implementation for the upcoming OPNsense 20.7 release.

Make sure you update to the latest 20.7 beta after the ISO installation, since latest 20.7 includes some important patches with regard to interface drivers. Kernel should read 12.1-RELEASE-p5 or later:

12.1-RELEASE-p5-HBSD FreeBSD 12.1-RELEASE-p5-HBSD #0  d8b850736ba(master)-dirty


[1] Sunny Valley Networks

Anyone out there who has any amd64 20.1 alpha/beta images (dvd or usb images) ready? Any links much appreciated.

Dear OPNsense community,

One of the exciting new features, introduced with OPNsense 19.1 release, is the introduction of an alternate test kernel having the latest upstream netmap code.

Netmap is a very important subsystem in the base OS, since it provides the necessary plumbing for the operation of Suricata in IPS mode and also Sensei in particular.

Netmap code in FreeBSD (thus HardenedBSD) was almost 4 years old. It lacked lots of new developments and bug-fixes that have been done in this timeframe.

On the FreeBSD side, we (Sunny Valley Networks) sponsored a development effort to bring the latest upstream netmap code into FreeBSD.

Quite promptly, OPNsense team has now landed all this development to OPNsense 19.1. New functionality can be enabled by switching to the new-netmap-kernel (Instructions below)

As said, new kernel brings lots of bug-fixes and new developments, two of the most notable ones are being:

1 - VirtIO network adapters support:
     You can now run Suricata/Sensei on virtio adapters. Virtio adapters are found mostly on QEMU/KVM based
     Hypervisors like Proxmox, and on Cloud VPS providers.

2 - VLAN child interfaces: You can now run Suricata / Sensei on child vlan interfaces.

There is some more development pending (i.e. native VMware vmxnet support) but as of now and as far as our tests are concerned, we now seem to have a stable netmap implementation.

Bottomline, you should have a more stable Suricata (IPS mode) and Sensei experience after you switch to the new kernel.

Here are the steps for you to run and test the new kernel. Please feel free to share any issues you encountered and we'll do our best to investigate and try to find a solution.

IMPORTANT: Make sure you've completed your upgrade to 19.1. The new kernel is available & compatible with OPNsense 19.1.

To switch to the new-netmap-enabled kernel:

# opnsense-update -bkr 19.1-netmap

After the update & reboot, your 'uname -a' output should be similar: (pay attention to the commit hash and branch, it should be:  c4ec367c3d9(master) )

root@fw:~ # uname -a
FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD  c4ec367c3d9(master)  amd64


To revert back to the 19.1-default kernel:

# opnsense-update -bkf

Kudos to the OPNsense team for all of their co-operation and help on this.

Hello,

I'm Murat, founder of Sunny Valley Networks, the company behind Sensei.

Very much pleased to meet the OPNsense community.

I've seen a thread about Sensei in the forum, so I thought it might be a good idea to start a dedicated topic to help people with the software.

Sensei is a plugin for firewalls which complement them with features like Application Filtering, Advanced Network Visibility and Cloud Application Control. Currently, Sensei community edition is available for OPNsense platform.

I've seen that some members have already downloaded and trying Sensei. Many thanks for that. We're grateful.

I've created this topic about Sensei to help you to try it out, and try to solve any problems you guys might have encountered.

Although we reached our target number of beta testers, we always have room for forum members.
If you're interested in trying it, please do not hesitate to contact me privately. I can share the URL to the latest installer.

Very much looking forward to reading your feedback and helping you with the software.

More information about Sensei can be found on the product web page: https://sunnyvalley.io/sensei

All the best
Murat