OPNsense

Messages - mb

841
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 07, 2019, 05:36:44 pm »
Quote from: jjanzz on February 07, 2019, 08:45:32 am
Installed the netmap enabled kernel, seems like it crashes elasticsearch in Sensei constantly. Though, the Sensei service itself is running perfectly. Could it be the case that Sensei is not adjusted yet? Seems I can't activate Sensei on the WAN port - which is a VLAN interface (my provider requires it).

EDIT: rebooted once more (second reboot after kernel installation) and now it seems to work as solid as before.

Good to hear that, @jjanzz. Any chance you retained some logs regarding the Elasticsearch issue? It might be a good idea to have a look at them. Normally it shouldn't affect ES.

With regard to Sensei, the only difference is that Sensei will be able to run on VLAN and virtio interfaces.

0.7 intentionally refuses to run on those interfaces, because with the old kernel it would just cause traffic flow to cease.

One other note regarding WAN interfaces: Sensei is designed to run on inner-looking interfaces. This is because this way, we can also do a mapping between userid and local IP. With WAN interfaces we lose this information (because we get packets after they're NAT'd).

Working on Sensei 0.8-beta1, which should arrive soon. This has virtio/VLAN enabled, so that you can fully enjoy the new functionality with the new kernel.

With Suricata, you can just start testing the new kernel on virtio / VLAN interfaces.

In our experience, virtio on QEMU/KVM gives better performance results compared to em.


842
19.1 Legacy Series / Re: Call for testing: New netmap enabled kernel
« on: February 07, 2019, 02:48:02 am »
@lattera, thx, that'd be great. As for the deadline, it'd be cool if we could see the initial status... maybe in a couple of weeks?

843
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: February 07, 2019, 02:43:32 am »
Hi @hbc,

Thank you very much for the feedback. With regard to Cloud servers, we have a fix for that in 0.8.

Thanks for the suggestion. You're right, and the suggestion sounds good ;)

844
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: February 06, 2019, 02:55:31 am »
Hi @hbc,

Thanks for sharing your experience. We're looking into the upgrade problem to see if it's something related to the Sensei repository.

Glad to see that you're enjoying it now :)


845
19.1 Legacy Series / Call for testing: New netmap enabled kernel
« on: February 06, 2019, 12:21:44 am »
Dear OPNsense community,

One of the exciting new features introduced with the OPNsense 19.1 release is an alternate test kernel with the latest upstream netmap code.

Netmap is a very important subsystem in the base OS, since it provides the necessary plumbing for the operation of Suricata in IPS mode and also Sensei in particular.

Netmap code in FreeBSD (thus HardenedBSD) was almost 4 years old. It lacked lots of new developments and bug-fixes that have been done in this timeframe.

On the FreeBSD side, we (Sunny Valley Networks) sponsored a development effort to bring the latest upstream netmap code into FreeBSD.

Quite promptly, the OPNsense team has now landed all this development in OPNsense 19.1. The new functionality can be enabled by switching to the new-netmap-kernel (instructions below).

As said, the new kernel brings lots of bug-fixes and new developments, the two most notable ones being:

1 - VirtIO network adapter support: You can now run Suricata/Sensei on virtio adapters. Virtio adapters are found mostly on QEMU/KVM based hypervisors like Proxmox, and on cloud VPS providers.

2 - VLAN child interfaces: You can now run Suricata/Sensei on child VLAN interfaces.

There is some more development pending (i.e. native VMware vmxnet support) but as of now and as far as our tests are concerned, we now seem to have a stable netmap implementation.

Bottom line, you should have a more stable Suricata (IPS mode) and Sensei experience after you switch to the new kernel.

Here are the steps for you to run and test the new kernel. Please feel free to share any issues you encountered and we'll do our best to investigate and try to find a solution.

IMPORTANT: Make sure you've completed your upgrade to 19.1. The new kernel is available & compatible with OPNsense 19.1.

To switch to the new-netmap-enabled kernel:

# opnsense-update -bkr 19.1-netmap

After the update & reboot, your 'uname -a' output should be similar to the following (pay attention to the commit hash and branch, it should be: c4ec367c3d9(master)):

root@fw:~ # uname -a
FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD  c4ec367c3d9(master)  amd64


To revert back to the 19.1-default kernel:

# opnsense-update -bkf

Kudos to the OPNsense team for all of their co-operation and help on this.
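
A check for the verification step in the post above, as an added example that is not part of the original post: it pulls the commit(branch) token out of a `uname -a` line and compares it with the value the post says to expect. The function names `kernel_id` and `check_netmap_kernel` are made up for this example, and the sample line is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the running kernel
# is the netmap test kernel by checking the commit(branch) token in `uname -a`.

# Identifier the post says to expect after `opnsense-update -bkr 19.1-netmap`.
EXPECTED_KERNEL_ID='c4ec367c3d9(master)'

# Print the first "<hex commit>(<branch>)" token of a uname -a line, or nothing.
# The branch part may contain slashes, so only parentheses are excluded.
kernel_id() {
    printf '%s\n' "$1" | tr -s ' ' '\n' \
        | grep -E '^[0-9a-f]{7,40}\([^()]+\)$' | head -n 1
}

# Exit status: 0 = expected kernel, 1 = some other kernel, 2 = no token found.
# $1 is the uname -a line, $2 an optional identifier to compare against.
check_netmap_kernel() {
    want=${2:-$EXPECTED_KERNEL_ID}
    id=$(kernel_id "$1") || true
    if [ -z "$id" ]; then
        echo "no commit(branch) token found in uname output" >&2
        return 2
    fi
    if [ "$id" = "$want" ]; then
        echo "netmap test kernel is running: $id"
        return 0
    fi
    echo "different kernel is running: $id (expected $want)" >&2
    return 1
}

# Sample line as quoted in the post; on the firewall itself use "$(uname -a)".
SAMPLE='FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD  c4ec367c3d9(master)  amd64'
check_netmap_kernel "$SAMPLE"
```

A status of 1 after the update and reboot means the box is still on (or has been reverted to) a different kernel, which is worth ruling out before reporting Suricata or Sensei behaviour against the test kernel.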

846
19.1 Legacy Series / Re: OPNsense 19.1 released update!
« on: February 02, 2019, 11:33:28 am »
Quote from: franco on January 31, 2019, 07:23:22 pm
I just saw, it might be Sensei blocking the upgrade...

For OpenSSL:

# opnsense-update -fp -n "19.1\/latest"

Or LibreSSL:

# opnsense-update -fp -n "19.1\/libressl"

worked for us (Sensei installed). I guess it was because of the typo in the command.

Any Sensei users, who are having any issues while upgrading to 19.1, please refer to this thread:

https://forum.opnsense.org/index.php?topic=9521.msg51688#msg51688

Just upgraded two of our firewalls to 19.1, went flawlessly. Thanks :)

847
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: February 02, 2019, 11:24:53 am »
Quote from: Antaris on February 02, 2019, 10:20:23 am
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520

Looks like there was a typo in that command. Correct command should be: (from https://forum.opnsense.org/index.php?topic=11400.msg51521#msg51521)

For OpenSSL:

# opnsense-update -fp -n "19.1\/latest"

Or LibreSSL:

# opnsense-update -fp -n "19.1\/libressl"



Just did an OPNsense 19.1 upgrade on two of our firewalls. Looked good.

Anyone who had any other issues upgrading to 19.1?

848
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: February 02, 2019, 10:27:54 am »
Hi @Antaris,

Thanks for reporting this. Looking into it now.

849
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 28, 2019, 09:16:05 pm »
Hi @Space,

Many thanks for trying Sensei. Yep, 0.7 is IPv4 only.

Good news is that IPv6 will be coming very shortly with 0.8. It's been under testing for the past months. Looks like it's good to go for a test ride by BETA users.

We'll ship 0.8-beta1 this week or early next week :)

850
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 17, 2019, 06:33:08 pm »
Quote from: xames on January 17, 2019, 02:18:41 pm
ssl_error_syscall

I attach

Hi @xames,

Looks like everything is ok on the server side. Can you try with fetch:

# fetch https://updates.sunnyvalley.io/getsensei
# sh getsensei



851
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 15, 2019, 02:46:48 pm »
Hi @jinn,

Got it. Will send you a few commands to diagnose the issue.

852
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 15, 2019, 02:45:44 pm »
Hi @OPNsenseN00b,

The command to install Sensei is:

curl https://updates.sunnyvalley.io/getsensei | sh

I checked again. It should be the same in both the User's guide (https://guide.sunnyvalley.io/sensei/getting-started/setup) and the website.

Can you copy/paste the error message you get when you run the command on the OPNsense console?

853
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 14, 2019, 06:13:58 am »
Quote from: l0rdraiden on January 13, 2019, 10:25:38 pm
What are the plans between Sensei and OPNsense? Will it be embedded in OPNsense or will it be available as a plugin at some point?

Hi @l0rdraiden,

It'll be a plugin.

Currently, we're working together to address some issues related to netmap (e.g. virtio). Once it's done, the whole integration will be completed, and you'll be able to install it from the OPNsense plugin manager.


854
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 14, 2019, 06:09:04 am »
@hbc, @manjeet: thanks for your update. We're fine-tuning health check auto-bypass.

@cgwork, how about this: as with destination hostnames, the default will be hostnames for source addresses, and when you move the mouse over the src hostname field, the IP address is displayed as a tooltip. Adding another column would make the table more crowded. We'd like to use the space allowance for the upcoming "username" column.

@jinn, are you running Sensei on your LAN? Any chance that it might be on your WAN interface?

855
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: January 11, 2019, 02:38:11 am »
Hi @hbc,

Thank you for the further information. Let us know if anything weird comes up.
