Topics - athurdent

#1
This is the second time this happened to me, so I filed a ticket but also thought I'd share.
Might be specific to my setup, but maybe others want to check if their additional policies are still enabled.
#2
Zenarmor (Sensei) / App control sub-categories
August 09, 2023, 05:59:51 AM
In the past we used to have a clear distinction, when setting custom sub-categories. Now it just says "Allowed", which is wrong. I am only allowing 2 out of 24. See screenshot.
Please use a visual distinction again (different button color) and also a different wording, like "Custom" instead of "Allowed".
#3
This happened twice on my test firewall now, submitting error to OPNsense.

[07-Aug-2023 08:16:53 Europe/Berlin] Phalcon\Mvc\Dispatcher\Exception: OPNsense\Sensei\ReportsController handler class cannot be loaded in /usr/local/opnsense/www/index.php:70
Stack trace:
#0 [internal function]: Phalcon\Mvc\Dispatcher->throwDispatchException('OPNsense\\Sensei...', 2)
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#2 /usr/local/opnsense/www/index.php(70): Phalcon\Mvc\Application->handle('/ui/sensei/repo...')
#3 {main}
[07-Aug-2023 08:16:53 Europe/Berlin] Phalcon\Mvc\Dispatcher\Exception: OPNsense\Sensei\ReportsController handler class cannot be loaded in /usr/local/opnsense/www/index.php:70
Stack trace:
#0 [internal function]: Phalcon\Mvc\Dispatcher->throwDispatchException('OPNsense\\Sensei...', 2)
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#2 /usr/local/opnsense/www/index.php(70): Phalcon\Mvc\Application->handle('/ui/sensei/repo...')
#3 {main}
#4
I would not call this a convenient way to configure a policy.

Even if I scroll the right/hidden part to the left, it always flips back when choosing a different section, hiding the actual configuration option.
It would have been nice to consider feedback that was collected a year ago. https://forum.opnsense.org/index.php?topic=28732.msg139799#msg139799

This is not mobile-friendly, and not even usable on laptops with smaller screens.
#5
Just got a HUNSN RJ42 in (shipped from Amazon Germany, https://www.amazon.de/dp/B0C985FVT1 ).
Installed Proxmox and passed through two NICs to an OPNsense VM.
Without Zenarmor, full 2.5G throughput, measured through the box with a local 10G iperf3 server on my WAN.
With Zenarmor Free edition (NICs are in L3 with native netmap driver, seems to work fine) it looks like this
iperf3 -R -t60

[  5]   0.00-60.04  sec  14.7 GBytes  2.10 Gbits/sec  1957             sender
[  5]   0.00-60.00  sec  14.7 GBytes  2.10 Gbits/sec                  receiver

iperf3 -t60

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  10.3 GBytes  1.48 Gbits/sec  3800             sender
[  5]   0.00-60.04  sec  10.3 GBytes  1.48 Gbits/sec                  receiver


Awesome!  :)
#6
Hi, anyone running Zenarmor on something like this and can share throughput?

Micro Firewall Appliance, Intel N5105, HUNSN RJ03, 4 x Intel 2.5GbE I226-V LAN

It's pretty cheap and I was wondering if I should get one as a portable router, to run OPNsense/Zenarmor either as Proxmox guest with passthrough NICs or directly.
Should run stably with the latest Intel microcode, it seems, and utilize emulated netmap as far as my research goes.

Would be great if someone could share e.g. some local iperf3 tests, passing through such hardware.
Thanks!
#7
Hi,
thanks for the new update. On macOS 12.3 using Safari, the web GUI was working fine with the previous version.
With this one, Safari keeps "Initialising" and the bar stops at 50%.
Chrome works fine.
Tried clearing browser cache, rebooting macOS, OPNsense, all to no avail.
OPNsense 22.1.4_1-amd64
#8
Zenarmor (Sensei) / Awesome throughput with 22.1
January 28, 2022, 05:49:15 AM
@mb and @sy,

Throughput on 22.1 for my M11SDV-8C-LN4F Proxmox VM with SR-IOV'ed Intel X710-DA2, went up from 3.5G to

root@infra:~# iperf3 -c192.168.178.8 -R
Connecting to host 192.168.178.8, port 5201
Reverse mode, remote host 192.168.178.8 is sending
[  5] local 192.168.111.102 port 35714 connected to 192.168.178.8 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   485 MBytes  4.07 Gbits/sec
[  5]   1.00-2.00   sec   483 MBytes  4.05 Gbits/sec
[  5]   2.00-3.00   sec   484 MBytes  4.06 Gbits/sec
[  5]   3.00-4.00   sec   435 MBytes  3.65 Gbits/sec
[  5]   4.00-5.00   sec   480 MBytes  4.03 Gbits/sec
[  5]   5.00-6.00   sec   481 MBytes  4.04 Gbits/sec
[  5]   6.00-7.00   sec   480 MBytes  4.02 Gbits/sec
[  5]   7.00-8.00   sec   485 MBytes  4.07 Gbits/sec
[  5]   8.00-9.00   sec   465 MBytes  3.90 Gbits/sec
[  5]   9.00-10.00  sec   476 MBytes  3.99 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  4.64 GBytes  3.99 Gbits/sec  237             sender
[  5]   0.00-10.00  sec  4.64 GBytes  3.99 Gbits/sec                  receiver

iperf Done.
root@infra:~# iperf3 -c192.168.178.8
Connecting to host 192.168.178.8, port 5201
[  5] local 192.168.111.102 port 35754 connected to 192.168.178.8 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   480 MBytes  4.03 Gbits/sec   28   1.37 MBytes
[  5]   1.00-2.00   sec   492 MBytes  4.13 Gbits/sec   12   1.15 MBytes
[  5]   2.00-3.00   sec   489 MBytes  4.10 Gbits/sec    0   1.43 MBytes
[  5]   3.00-4.00   sec   464 MBytes  3.89 Gbits/sec    1   1.23 MBytes
[  5]   4.00-5.00   sec   469 MBytes  3.93 Gbits/sec    0   1.49 MBytes
[  5]   5.00-6.00   sec   484 MBytes  4.06 Gbits/sec   12   1.30 MBytes
[  5]   6.00-7.00   sec   485 MBytes  4.07 Gbits/sec    0   1.55 MBytes
[  5]   7.00-8.00   sec   485 MBytes  4.07 Gbits/sec   35   1.34 MBytes
[  5]   8.00-9.00   sec   489 MBytes  4.10 Gbits/sec    0   1.59 MBytes
[  5]   9.00-10.00  sec   454 MBytes  3.81 Gbits/sec    0   1.61 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  4.68 GBytes  4.02 Gbits/sec   88             sender
[  5]   0.00-10.08  sec  4.68 GBytes  3.99 Gbits/sec                  receiver

iperf Done.


Awesome! 👍
#9
Hi @mb,
thanks for the new version, still exploring all the new features! :-)

I have noticed though that I cannot seem to exempt a MAC address in configuration? While the policies have that possibility now, we can't seem to use it to disregard a MAC completely?
BTW, in the past I have noticed that if I put an IP there, it's not counted anymore, but running a speed test from that IP, Sensei would still use vast amounts of CPU. So it seems that feature did not stop Sensei from processing the packets, just not apply anything to them anymore? Would be cool if we could have the engine bypassed completely for something entered there.
#10
After I run a firmware update on my 10G switch, or simply reboot it, OPNsense gateway monitoring starts to fail frequently. I can reach the OPNsense box fine on LAN (ixl0, native) but the following problems seem to be responsible for gateway monitoring problems. Restarting the VM (passed through the Intel(R) Ethernet Controller X710 for 10GbE SFP+ controller with Proxmox) immediately fixes the problem.


Sep  5 11:18:17 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:18:19 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:18:19 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:18:20 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:18:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:20:08 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:20:41 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:20:59 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:21:21 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:21:23 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:22:50 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:22:52 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:23:56 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:23:57 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:23:57 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:24:25 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:24:26 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:24:26 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:24:27 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
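As an added example (not code from the post or from OPNsense), here is a small Python parser that reads devd lines in the shape quoted above and summarizes, per interface, how often the link cycled down and up and how long it stayed down; the log lines are constructed to match the post's format, and the year (absent from syslog timestamps) is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same shape as the devd messages in the post above.
# Syslog timestamps carry no year, so a year is supplied for the arithmetic.
SAMPLE_LOG = """\
Sep  5 11:18:17 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:18:19 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:18:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:20:08 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:21:21 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:21:23 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ devd\[\d+\]: "
    r"Processing event '!system=IFNET subsystem=(?P<ifname>\S+) type=LINK_(?P<state>UP|DOWN)'$"
)

def parse_link_events(text, year=2023):
    """Yield (timestamp, interface, state) for every IFNET LINK_UP/LINK_DOWN line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # other devd noise is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ifname"], m["state"]

def summarize_flaps(text, year=2023):
    """Per interface: number of DOWN->UP cycles and total seconds spent down."""
    stats = defaultdict(lambda: {"flaps": 0, "down_seconds": 0.0})
    went_down = {}
    for ts, ifname, state in parse_link_events(text, year):
        if state == "DOWN":
            went_down.setdefault(ifname, ts)  # keep the first DOWN if repeated
        elif ifname in went_down:             # UP without a prior DOWN is ignored
            stats[ifname]["flaps"] += 1
            stats[ifname]["down_seconds"] += (ts - went_down.pop(ifname)).total_seconds()
    return dict(stats)

def flapping_interfaces(text, min_flaps=2, year=2023):
    """Interfaces that cycled at least min_flaps times: the ones worth correlating with gateway-monitor alarms."""
    return sorted(n for n, s in summarize_flaps(text, year).items() if s["flaps"] >= min_flaps)
```

Feed it the output of `grep LINK_ /var/log/system/latest.log` (or whichever file holds the devd messages on your install) instead of the constructed sample to see which interface and VLANs are actually cycling.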
#11
Zenarmor (Sensei) / 10G capable CPU / system anyone?
August 20, 2021, 09:36:01 AM
Hi,

ATM, I am using OPNsense in a Proxmox KVM on a Supermicro X11SSL-F with an old Core i3 7100. In combination with a PCI-passthrough'ed ixl Intel X710-DA2 10G adapter (ixl was kindly recommended by Sunnyvalley, thanks again guys!), it gives me nice download speeds around 2.5G, but maxes out the CPU.
I'm looking to replace that old system at some point in the future, with a recent X12 Supermicro (-F) board and a CPU, both not yet determined. Single core high performance still is the key it seems, so any super duper and expensive Xeon is probably not the right choice today.
Is anybody already using a 10G capable Sensei install and can share details?
Thanks!
#12
Zenarmor (Sensei) / 21.7 and igb interface problem
July 29, 2021, 11:07:39 AM
Hi,
I have tried various updates on my Proxmox hosted OPNsense KVM and all have failed when using my mapped igb0 interface. As soon as Sensei is started in non-passive mode, either emulated or native netmap, my Proxmox host's load goes up to 150 and OPNsense is not responsive anymore.
Using the VTNET interface only, no problem. Adding the igb0 interface, OPNsense is no longer responsive.
#13
Log:

2021-06-16T14:31:55 Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"
2021-06-16T14:31:55 Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"


Tried deleting and reinstalling the plugin to no avail.
#14
Hi,
with the planned feature Device Identification & Asset Discovery, will we be able to use identified devices in a policy or an exception rule?
Some of us can only use IPv6 with dynamic prefixes, and we would not be able to identify a client properly, as the prefixes and IPs change. Plus, modern clients tend to use IPv6 privacy extensions which makes it hard to identify them, even with a fixed prefix.
An alternative would maybe be the ability to use MAC addresses in a policy or exception rule?
Any thoughts? Thanks!
#15
The new Deciso fanless appliances look very tempting. It would be veeeery cool to have Sensei throughput tested and listed for those.  :)
#16
If I enable Ad Blocking / Ad Tracker Blocking, Safari on macOS 11.2.2 (iOS/iPadOS is fine) throws NSPOSIXErrorDomain:24 after a few hours.
Turning off Ad Blocking, everything is absolutely fine.
Any idea how to debug or why this is happening?
#17
Hi,
trying to register my clients with their IPv6 IP, for Sensei DNS host enrichment to work.
I'm tracking a WAN interface, the client gets and uses DHCPv6 IPv6 just fine.
But unbound registers it as:
local-data-ptr: "::50 iphone-11-pro-v6.local-lan"
local-data: "iphone-11-pro-v6.local-lan IN AAAA ::50"

DHCPv6 config, see screenshot (DUID obfuscated)
Any idea how to get this to work?
#18
Zenarmor (Sensei) / Missing diagrams
January 21, 2021, 01:55:24 PM
There are a few missing diagrams, screenshot attached. E.g. Top detected threats, Top blocked hosts, Top detected hosts. Tried with Safari and Firefox on macOS 11.
#19
Zenarmor (Sensei) / View report e-mails on iOS
January 12, 2021, 01:14:35 PM
I cannot make my iPhone show the reporting stats from the e-mails. Tapping on the link in the mail does nothing and the attachment does not show.
Should this work?
Thanks in advance!
#20
Zenarmor (Sensei) / DoH blocking
September 28, 2020, 04:01:36 PM
Hi @mb,

it would be really cool if we had a switch to at least partly block DoH, as good as possible, to gain more control over DNS.

I know, best blocking capabilities can probably only be achieved using SSL inspection by decrypting, analyzing and re-encrypting SSL (seems to be on the roadmap). This technique tends to break apps that come with their own hardcoded CA info though, plus SSL was made to not be decrypted, so always a possibility something goes sideways.

A nice DoH block "lite" would probably be denying access to the growing list of DoH IPs, plus blocking DNS record type 65 (HTTPS). https://support.umbrella.com/hc/en-us/articles/360049713451-DNS-Resolver-Selection-in-iOS-14-and-macOS-11 is a nice read on the topic, did not know iOS 14 implemented DoH. It seems to be possible for apps to use their own DNS now, which is probably something not everybody will like. I don't.  ;)

What does the community think?
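As an added example (not code from the post, OPNsense or Zenarmor), here is a minimal Python DNS wire-format decoder that implements the "lite" policy proposed above: read the question section of a query and flag lookups for record type 65 (the HTTPS record), which is what DoH-capable clients use to discover encrypted resolvers. The sample queries are constructed inline; the helper names are mine.

```python
import struct

QTYPE_A, QTYPE_HTTPS = 1, 65   # record type 65 is the HTTPS RR (RFC 9460)

def build_query(name, qtype, txid=0x1234):
    """Encode a minimal DNS query (header + one question) in wire format; used to build test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN

def parse_question(packet):
    """Return (qname, qtype) from the first question of a DNS message.
    Raises ValueError on a short header, a truncated name, or a compression pointer
    (pointers are not valid in a query's question name, so they are treated as malformed)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 2 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype

def should_drop(packet):
    """The post's policy: drop queries for the HTTPS (type 65) record, pass everything else.
    Malformed packets are passed through here so the resolver, not this filter, rejects them."""
    try:
        _, qtype = parse_question(packet)
    except ValueError:
        return False
    return qtype == QTYPE_HTTPS
```

Blocking type 65 only removes the resolver-discovery path; a client with a hard-coded DoH endpoint still needs the IP-list part of the proposal, which this snippet does not cover.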