Topics - athurdent

1
Zenarmor (Sensei) / Home subscription - policy disabling itself
« on: August 09, 2023, 09:19:20 am »
This is the second time this happened to me, so I filed a ticket but also thought I'd share.
Might be specific to my setup, but maybe others want to check if their additional policies are enabled still.

2
Zenarmor (Sensei) / App control sub-categories
« on: August 09, 2023, 05:59:51 am »
In the past we used to have a clear distinction, when setting custom sub-categories. Now it just says "Allowed", which is wrong. I am only allowing 2 out of 24. See screenshot.
Please use a visual distinction again (different button color) and also a different wording, like "Custom" instead of "Allowed".

3
Zenarmor (Sensei) / OPNsense greets with "An issue was detected."
« on: August 07, 2023, 08:21:22 am »
This happened twice on my test firewall now, submitting error to OPNsense.

Code:
[07-Aug-2023 08:16:53 Europe/Berlin] Phalcon\Mvc\Dispatcher\Exception: OPNsense\Sensei\ReportsController handler class cannot be loaded in /usr/local/opnsense/www/index.php:70
Stack trace:
#0 [internal function]: Phalcon\Mvc\Dispatcher->throwDispatchException('OPNsense\\Sensei...', 2)
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#2 /usr/local/opnsense/www/index.php(70): Phalcon\Mvc\Application->handle('/ui/sensei/repo...')
#3 {main}
[07-Aug-2023 08:16:53 Europe/Berlin] Phalcon\Mvc\Dispatcher\Exception: OPNsense\Sensei\ReportsController handler class cannot be loaded in /usr/local/opnsense/www/index.php:70
Stack trace:
#0 [internal function]: Phalcon\Mvc\Dispatcher->throwDispatchException('OPNsense\\Sensei...', 2)
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#2 /usr/local/opnsense/www/index.php(70): Phalcon\Mvc\Application->handle('/ui/sensei/repo...')
#3 {main}

4
Zenarmor (Sensei) / New Zenarmor GUI not usable on 13" MacBook Pro
« on: August 07, 2023, 05:51:18 am »
I would not call this a convenient way to configure a policy.

Even if I scroll the right/hidden part to the left, it always flips back when choosing a different section, hiding the actual configuration option.
It would have been nice to consider feedback that was collected a year ago. https://forum.opnsense.org/index.php?topic=28732.msg139799#msg139799

This is not mobile-friendly, and not even usable on laptops with smaller screens.

5
Zenarmor (Sensei) / Zenarmor throughput with N100 / i226v
« on: July 25, 2023, 02:52:04 pm »
Just got a HUNSN RJ42 in (shipped from Amazon Germany, https://www.amazon.de/dp/B0C985FVT1 ).
Installed Proxmox and passed through two NICs to an OPNsense VM.
Without Zenarmor, full 2.5G throughput, measured through the box with a local 10G iperf3 server on my WAN.
With Zenarmor Free edition (NICs are in L3 with native netmap driver, seems to work fine) it looks like this
Code:
iperf3 -R -t60

[  5]   0.00-60.04  sec  14.7 GBytes  2.10 Gbits/sec  1957             sender
[  5]   0.00-60.00  sec  14.7 GBytes  2.10 Gbits/sec                  receiver

iperf3 -t60

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  10.3 GBytes  1.48 Gbits/sec  3800             sender
[  5]   0.00-60.04  sec  10.3 GBytes  1.48 Gbits/sec                  receiver

Awesome!  :)

6
Zenarmor (Sensei) / Zenarmor throughput with N5101 / i226v
« on: July 05, 2023, 12:13:38 pm »
Hi, anyone running Zenarmor on something like this and can share throughput?

Micro Firewall Appliance, Intel N5105, HUNSN RJ03, 4 x Intel 2.5GbE I226-V LAN

It’s pretty cheap and I was wondering if I should get one as a portable router, to run OPNsense/Zenarmor either as Proxmox guest with passthrough NICs or directly.
Should run stable with latest Intel microcode it seems, and utilizing emulated netmap as far as my research goes.

Would be great if someone could share e.g. some local iperf3 tests, passing through such hardware.
Thanks!

7
Zenarmor (Sensei) / Zenarmor 1.11 Safari "Initializing"
« on: April 01, 2022, 05:31:34 am »
Hi,
thanks for the new update. On macOS 12.3 using Safari, the web GUI was working fine with the previous version.
With this one, Safari keeps "Initialising" and the bar stops at 50%.
Chrome works fine.
Tried clearing browser cache, rebooting macOS, OPNsense, all to no avail.
OPNsense 22.1.4_1-amd64

8
Zenarmor (Sensei) / Awesome throughput with 22.1
« on: January 28, 2022, 05:49:15 am »
@mb and @sy,

Throughput on 22.1 for my M11SDV-8C-LN4F Proxmox VM with SR-IOV'ed Intel X710-DA2, went up from 3.5G to

Code:
root@infra:~# iperf3 -c192.168.178.8 -R
Connecting to host 192.168.178.8, port 5201
Reverse mode, remote host 192.168.178.8 is sending
[  5] local 192.168.111.102 port 35714 connected to 192.168.178.8 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   485 MBytes  4.07 Gbits/sec
[  5]   1.00-2.00   sec   483 MBytes  4.05 Gbits/sec
[  5]   2.00-3.00   sec   484 MBytes  4.06 Gbits/sec
[  5]   3.00-4.00   sec   435 MBytes  3.65 Gbits/sec
[  5]   4.00-5.00   sec   480 MBytes  4.03 Gbits/sec
[  5]   5.00-6.00   sec   481 MBytes  4.04 Gbits/sec
[  5]   6.00-7.00   sec   480 MBytes  4.02 Gbits/sec
[  5]   7.00-8.00   sec   485 MBytes  4.07 Gbits/sec
[  5]   8.00-9.00   sec   465 MBytes  3.90 Gbits/sec
[  5]   9.00-10.00  sec   476 MBytes  3.99 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  4.64 GBytes  3.99 Gbits/sec  237             sender
[  5]   0.00-10.00  sec  4.64 GBytes  3.99 Gbits/sec                  receiver

iperf Done.
root@infra:~# iperf3 -c192.168.178.8
Connecting to host 192.168.178.8, port 5201
[  5] local 192.168.111.102 port 35754 connected to 192.168.178.8 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   480 MBytes  4.03 Gbits/sec   28   1.37 MBytes
[  5]   1.00-2.00   sec   492 MBytes  4.13 Gbits/sec   12   1.15 MBytes
[  5]   2.00-3.00   sec   489 MBytes  4.10 Gbits/sec    0   1.43 MBytes
[  5]   3.00-4.00   sec   464 MBytes  3.89 Gbits/sec    1   1.23 MBytes
[  5]   4.00-5.00   sec   469 MBytes  3.93 Gbits/sec    0   1.49 MBytes
[  5]   5.00-6.00   sec   484 MBytes  4.06 Gbits/sec   12   1.30 MBytes
[  5]   6.00-7.00   sec   485 MBytes  4.07 Gbits/sec    0   1.55 MBytes
[  5]   7.00-8.00   sec   485 MBytes  4.07 Gbits/sec   35   1.34 MBytes
[  5]   8.00-9.00   sec   489 MBytes  4.10 Gbits/sec    0   1.59 MBytes
[  5]   9.00-10.00  sec   454 MBytes  3.81 Gbits/sec    0   1.61 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  4.68 GBytes  4.02 Gbits/sec   88             sender
[  5]   0.00-10.08  sec  4.68 GBytes  3.99 Gbits/sec                  receiver

iperf Done.

Awesome! 👍

9
Zenarmor (Sensei) / Zenarmor 1.10 MAC address exemption?
« on: October 15, 2021, 05:14:17 am »
Hi @mb,
thanks for the new version, still exploring all the new features! :-)

I have noticed though that I cannot seem to exempt a MAC address in configuration? While the policies have that possibility now, we can't seem to use it to disregard a MAC completely?
BTW, in the past I have noticed that if I put an IP there, it's not counted anymore, but running a speed test from that IP, Sensei would still use vast amounts of CPU. So it seems that feature did not stop Sensei from processing the packets, just not apply anything to them anymore? Would be cool if we could have the engine bypassed completely for something entered there.

10
21.7 Legacy Series / Connectivity problem after switch update
« on: September 05, 2021, 11:45:28 am »
After I run a firmware update on my 10G switch, or simply reboot it, OPNsense gateway monitoring starts to fail frequently. I can reach the OPNsense box fine on LAN (ixl0, native) but the following problems seem to be responsible for gateway monitoring problems. Restarting the VM (passed through the Intel(R) Ethernet Controller X710 for 10GbE SFP+ controller with Proxmox) immediately fixes the problem.


Code:
Sep  5 11:18:17 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:18:19 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:18:19 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:18:20 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:18:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:20:08 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:20:41 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:20:59 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:21:21 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:21:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:21:23 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:22:22 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:22:50 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_DOWN'
Sep  5 11:22:51 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:22:52 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:23:56 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:23:57 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:23:57 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'
Sep  5 11:24:25 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_DOWN'
Sep  5 11:24:26 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_DOWN'
Sep  5 11:24:26 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_DOWN'
Sep  5 11:24:27 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl1 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan200 type=LINK_UP'
Sep  5 11:25:14 OPNsense.local-lan devd[93739]: Processing event '!system=IFNET subsystem=ixl0_vlan106 type=LINK_UP'

11
Zenarmor (Sensei) / 10G capable CPU / system anyone?
« on: August 20, 2021, 09:36:01 am »
Hi,

ATM, I am using OPNsense in a Proxmox KVM on a Supermicro X11SSL-F with an old Core i3 7100. In combination with a PCI-passthrough'ed ixl Intel X710-DA2 10G adapter (ixl was kindly recommended by Sunnyvalley, thanks again guys!) gives me nice download speeds around 2.5G, but maxes out the CPU.
I'm looking to replace that old system at some point in the future, with a recent X12 Supermicro (-F) board and a CPU, both not yet determined. Single core high performance still is the key it seems, so any super duper and expensive Xeon is probably not the right choice today.
Is anybody already using a 10G capable Sensei install and can share details?
Thanks!

12
Zenarmor (Sensei) / 21.7 and igb interface problem
« on: July 29, 2021, 11:07:39 am »
Hi,
I have tried various updates on my Proxmox hosted OPNsense KVM and all have failed when using my mapped igb0 interface. As soon as Sensei is started in non-passive mode, either emulated or native netmap, my Proxmox host's load goes up to 150 and OPNsense is not responsive anymore.
Using the VTNET interface only, no problem. Adding the igb0 interface, OPNsense is no longer responsive.

13
21.1 Legacy Series / Freeradius fails to start after update to 21.1.7
« on: June 16, 2021, 02:35:39 pm »
Log:

Code:
2021-06-16T14:31:55 Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"
2021-06-16T14:31:55 Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"

Tried deleting and reinstalling the plugin to no avail.

14
Zenarmor (Sensei) / Roadmap "Device Identification" feature question or identifying IPv6 clients
« on: June 07, 2021, 05:19:54 pm »
Hi,
with the planned feature Device Identification & Asset Discovery, will we be able to use identified devices in a policy or an exception rule?
Some of us can only use IPv6 with dynamic prefixes, and we would not be able to identify a client properly, as the prefixes and IPs change. Plus, modern clients tend to use IPv6 privacy extensions which makes it hard to identify them, even with a fixed prefix.
An alternative would maybe be the ability to use MAC addresses in a policy or exception rule?
Any thoughts? Thanks!

15
Zenarmor (Sensei) / Deciso DEC840/850 Sensei throughput
« on: April 01, 2021, 07:25:31 pm »
The new Deciso fanless appliances look very tempting. It would be veeeery cool to have Sensei throughput tested and listed for those.  :)
