OPNsense
Messages - athurdent

121
Zenarmor (Sensei) / Re: Sensei not starting
« on: October 16, 2021, 02:13:44 pm »
Hmm, HW looks good as far as I can tell. Did you install all Sensei/Zenarmor packages in OPNsense's plugins section?

122
Zenarmor (Sensei) / Re: Sensei not starting
« on: October 16, 2021, 01:35:33 pm »
Did you go through the initial setup process and it went fine? What hardware is this? You need at least 2GB RAM and a decent network card for it to work properly.

123
Zenarmor (Sensei) / Re: ZenArmor 1.10 version differences between free and subscription?
« on: October 16, 2021, 11:35:27 am »
Your subscription database seems outdated, mine is 1.10.21101416

124
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address exemption?
« on: October 16, 2021, 10:34:01 am »
Quote from: mb on October 16, 2021, 02:19:57 am
Hi @athurdent,

It's our pleasure. I hope you are liking it so far.

Yes, MAC addresses have been introduced to Policies and Reporting. Not yet for bypassing the traffic. A bit of information there:

The reason you're still seeing CPU activity even though you've bypassed an IP address is that it still hits the packet engine.

Although the engine does not apply packet inspection and/or filtering etc, netmap still has to process it, deliver it to the zenarmor engine and re-transmit it to the network stack. This sometimes might be another bottleneck.

Hi @mb,

As always, thank you for your valuable input and explanations!
I really like the new name and the new functions!

If I had 3 wishes, they would be:

- a few more policies for the home subscription, to make your average network security admin happy, who's coming home from working with Checkpoint and Cisco. This way we could cover the basics, with a policy each for guest, IoT, kids and parents. Plus one or two to experiment with.
- an iPhone app to view statistics and configure, or at least a couch-friendly mobile cloud website view for a smartphone. ATM, I fail to unfold the "Firewalls" menu using Safari with an iPhone 13 Pro, so I cannot use the cloud view at all.
- Icons for the services (e.g. Netflix, Youtube, Twitter, etc.) would be a great eye candy.

Anyways, thank you for being so active on the forum!

Edit: I failed to mention that I don't want anything for free, I'd pay for a "Home Plus" subscription and also for an app of course... ;-)


125
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply
« on: October 16, 2021, 07:14:01 am »
@mb, ah, thanks, I understand the AND logic now, I guess.

If I enter my LAN IPv4 network AND the MAC address of a LAN host, then IPv6 packets do NOT get matched, because I failed to enter my LAN IPv6 network, too. Correct?
At least that is how it works here, I just tried it. If I remove my LAN IPv4 network and leave the network/IP section blank, then it matches my test host's IPv6 traffic, because the only thing that needs to match for the rule to work is the MAC.

It's around 7:00 am here and my brain already logic-hurts a bit, hehe... :-)
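The matching rule worked out in the post above (every criterion that is filled in must match, a blank criterion acts as a wildcard) modelled in Python, as an added example that is not Zenarmor's code and not part of the post. The Policy class, policy_matches, first_match and the sample MAC/network values are assumptions for illustration; the one library fact it relies on is that ipaddress membership across address families is simply False.

```python
"""Added example: AND-combined policy criteria, blank criterion = wildcard.
Not Zenarmor code; Policy/policy_matches and the sample values are illustrative assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    networks: list = field(default_factory=list)  # CIDR strings; empty list = any source address
    macs: set = field(default_factory=set)        # lowercase MAC strings; empty set = any MAC

    def criteria_count(self) -> int:
        """How many source criteria are filled in (the GUI warns when this is 0)."""
        return int(bool(self.networks)) + int(bool(self.macs))


def policy_matches(policy: Policy, src_ip: str, src_mac: str) -> bool:
    """Every filled-in criterion must match (AND); an empty one matches anything."""
    if policy.macs and src_mac.lower() not in policy.macs:
        return False
    if policy.networks:
        addr = ipaddress.ip_address(src_ip)
        # 'in' across address families is simply False, so an IPv6 source never
        # matches a list that only contains IPv4 networks.
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in policy.networks):
            return False
    return True


def first_match(policies, src_ip: str, src_mac: str):
    """Name of the first policy that matches, or None (first-match-wins ordering assumed)."""
    for p in policies:
        if policy_matches(p, src_ip, src_mac):
            return p.name
    return None


# Constructed sample data.
KID_MAC = "aa:bb:cc:dd:ee:01"
V4_ONLY = Policy("kids-v4-only", ["192.168.1.0/24"], {KID_MAC})
MAC_ONLY = Policy("kids-mac-only", [], {KID_MAC})
DUAL_STACK = Policy("kids-dual-stack", ["192.168.1.0/24", "2001:db8:1::/64"], {KID_MAC})


def demo() -> dict:
    """Exercise the edge case from the post: same host, IPv4 packet vs IPv6 packet."""
    v4_pkt, v6_pkt = "192.168.1.20", "2001:db8:1::20"
    return {
        "v4-only/v4": policy_matches(V4_ONLY, v4_pkt, KID_MAC),      # True
        "v4-only/v6": policy_matches(V4_ONLY, v6_pkt, KID_MAC),      # False: IPv6 network missing
        "mac-only/v6": policy_matches(MAC_ONLY, v6_pkt, KID_MAC),    # True: MAC is the only criterion
        "dual/v6": policy_matches(DUAL_STACK, v6_pkt, KID_MAC),      # True
        "mac-only/other-host": policy_matches(MAC_ONLY, v6_pkt, "aa:bb:cc:dd:ee:02"),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The practical takeaway the model makes visible: a policy keyed on an IPv4 network plus a MAC silently stops covering the same host's IPv6 traffic, so either add the IPv6 prefix to the network list or key the policy on the MAC alone.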

126
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply
« on: October 15, 2021, 05:23:02 pm »
Do you also get this one with only MAC addresses?

"Are you sure you want to proceed?
You've only selected interface but did not specify any other criteria for this policy."

127
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply
« on: October 15, 2021, 05:13:46 pm »
Odd, first thing I did before putting in the MAC address was deleting the IP of the device. I have a bunch of other IPs in that policy though. Do you have any additional IPs, or did you delete all IPs?

128
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply
« on: October 15, 2021, 04:54:52 pm »
Thanks for the update, I also have 2 interfaces. I'll try removing one later, it's a normal one though, no special kind.

129
Zenarmor (Sensei) / Re: Zenarmor 1.10 MAC address for policy apply
« on: October 15, 2021, 04:52:49 pm »
Ah, I'm not alone then. Already filed a ticket a few hours ago. Same problem here.

130
Zenarmor (Sensei) / Zenarmor 1.10 MAC address exemption?
« on: October 15, 2021, 05:14:17 am »
Hi @mb,
thanks for the new version, still exploring all the new features! :-)

I have noticed though that I cannot seem to exempt a MAC address in configuration? While the policies have that possibility now, we can't seem to use it to disregard a MAC completely?
BTW, in the past I have noticed that if I put an IP there, it's not counted anymore, but running a speed test from that IP, Sensei would still use vast amounts of CPU. So it seems that feature did not stop Sensei from processing the packets, just not apply anything to them anymore? Would be cool if we could have the engine bypassed completely for something entered there.

131
Zenarmor (Sensei) / Re: Bandwidth test issues with Sensei
« on: October 06, 2021, 05:07:39 am »
Only use Sensei on the interfaces where your clients live, I'd suggest. WAN interfaces are not really needed, might create additional overhead and, if you run Suricata on the same WAN, even conflicts.

132
Zenarmor (Sensei) / Re: Bandwidth test issues with Sensei
« on: October 05, 2021, 05:48:01 pm »
What’s your CPU and which network card?

133
Zenarmor (Sensei) / Re: QUIC Block and Unifi
« on: October 02, 2021, 03:44:38 pm »
Does QUIC have to run on port 443? I don't see why they should not be able to utilise a different port and still use QUIC.
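The point raised above, that a "block udp/443" rule only catches QUIC by convention, shown as an added example that is not part of the post and not Zenarmor or OPNsense code: a small Python parser that recognises QUIC by its long header (RFC 9000 section 17.2 layout) on any UDP port, next to a port-only rule. The Datagram class, classify function and the four sample datagrams are constructed for illustration.

```python
"""Added example: recognise QUIC by its long header, independent of UDP port.
Not Zenarmor/OPNsense code; Datagram, classify and the sample datagrams are illustrative."""
from dataclasses import dataclass

QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def encode_varint(n: int) -> bytes:
    """QUIC variable-length integer (RFC 9000 section 16): 1/2/4/8-byte forms."""
    if n < 1 << 6:
        return bytes([n])
    if n < 1 << 14:
        return ((1 << 14) | n).to_bytes(2, "big")
    if n < 1 << 30:
        return ((2 << 30) | n).to_bytes(4, "big")
    return ((3 << 62) | n).to_bytes(8, "big")


def decode_varint(buf: bytes, pos: int):
    """Return (value, next_pos), or None if the buffer is truncated."""
    if pos >= len(buf):
        return None
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        return None
    raw = int.from_bytes(buf[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length


def parse_quic_long_header(payload: bytes):
    """Describe a QUIC long-header packet (RFC 9000 section 17.2) or return None.
    Layout: first byte (form=1, fixed=1, type, type-specific bits), 32-bit version,
    DCID length + DCID, SCID length + SCID; an Initial then carries a token length."""
    if len(payload) < 7 or not payload[0] & 0x80:       # short header or not QUIC at all
        return None
    first = payload[0]
    version = int.from_bytes(payload[1:5], "big")
    if version != 0 and not first & 0x40:               # fixed bit; Version Negotiation may clear it
        return None
    pos = 5
    dcid_len = payload[pos]; pos += 1
    if dcid_len > 20 or pos + dcid_len >= len(payload):  # v1 connection IDs are at most 20 bytes
        return None
    dcid = payload[pos:pos + dcid_len]; pos += dcid_len
    scid_len = payload[pos]; pos += 1
    if scid_len > 20 or pos + scid_len > len(payload):
        return None
    scid = payload[pos:pos + scid_len]; pos += scid_len
    if version == 0:
        ptype = "VersionNegotiation"
    elif version == QUIC_V1:
        ptype = V1_LONG_TYPES[(first >> 4) & 0x3]
    elif version == QUIC_V2:
        ptype = "v2-long-header"                         # v2 shuffles the type codes; not decoded here
    else:
        return None  # unknown version: treated as not QUIC to keep false positives down
    info = {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}
    if ptype == "Initial":
        tok = decode_varint(payload, pos)
        if tok is None:
            return None
        info["token_len"] = tok[0]
        # Clients must expand datagrams carrying Initial packets to >= 1200 bytes (section 14.1).
        info["padded_to_1200"] = len(payload) >= 1200
    return info


def build_client_initial(dcid: bytes, scid: bytes = b"", datagram_size: int = 1200) -> bytes:
    """Constructed sample: v1 Initial, empty token, zeroed placeholder payload, padded like a
    real client would. Payload is not encrypted and header protection is not applied."""
    hdr = (bytes([0xC0]) + QUIC_V1.to_bytes(4, "big")
           + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + encode_varint(0))
    body_len = datagram_size - len(hdr) - 2             # 2-byte Length varint precedes PN + payload
    return hdr + encode_varint(body_len) + b"\x00" * body_len


@dataclass
class Datagram:
    dst_port: int
    payload: bytes


SAMPLES = [  # constructed traffic
    Datagram(443, build_client_initial(bytes.fromhex("c0ffee0a0b0c0d0e"))),          # QUIC on udp/443
    Datagram(8443, build_client_initial(bytes.fromhex("0102030405060708"))),         # QUIC on another port
    Datagram(53, bytes.fromhex("1234 0100 0001 0000 0000 0000 03 777777 07 6578616d706c65"
                               " 03 636f6d 00 0001 0001".replace(" ", ""))),       # plain DNS query
    Datagram(443, b"\x16\xfe\xfd" + b"\x00" * 40),                                   # DTLS-like record on 443
]


def classify(datagrams):
    """Indices flagged by a port-only rule (dst udp/443) versus by header inspection."""
    by_port = [i for i, d in enumerate(datagrams) if d.dst_port == 443]
    by_header = [i for i, d in enumerate(datagrams) if parse_quic_long_header(d.payload)]
    return by_port, by_header


if __name__ == "__main__":
    print("port rule hits :", classify(SAMPLES)[0])   # [0, 3]: misses 8443, flags the DTLS record
    print("header hits    :", classify(SAMPLES)[1])   # [0, 1]: QUIC on any port, DTLS ignored
```

Limits worth knowing: only long-header packets (Initial, Handshake, 0-RTT, Retry, Version Negotiation) carry a version field, so 1-RTT short-header packets cannot be identified statelessly; an engine has to remember the connection IDs seen in the handshake. A plain pf port rule cannot do any of this, which is why blocking QUIC reliably is a job for the inspection engine rather than a port filter.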

134
Zenarmor (Sensei) / Re: Is Sensei able to block Malware?
« on: October 02, 2021, 03:39:27 pm »
Well, there is no SSL filtering, not implemented yet and it comes with implications. E.g. apps like Skype that only trust their built-in CAs and won't work if you try to fool them with your own CA.
So anything that is SSL will probably be either matched by a pattern or filtered by URL/DNS. There is no sandboxing either, but that also comes with implications, because the first sample usually goes through unless it's already known.
Other than that, blocking malicious content is working well, see my screenshot below. Blocking certain services and categories, too.

For anything that does not work, send feedback in a ticket to the friendly guys at Sunnyvalley, they'll usually take care of problems very quickly. Only the best experiences with their support so far, very helpful, kudos go out to Salih and Murat!

135
Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)
« on: September 29, 2021, 05:28:19 am »
Quote from: testo_cz on September 28, 2021, 09:24:52 pm
@athurdent

Do you think SR-IOV also helps if the host (virtualized env. platform) uses vSwitches?
I work with ESXi hosts where a NIC goes directly to vSwitch and so the NIC seems not to be "sliced" for VM guests.

Thanks for the benchmarks btw.

T.

Hi, not sure about the ESXi implementation, they seem to have documentation on it though. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-CC021803-30EA-444D-BCBE-618E0D836B9F.html
The card itself definitely has integrated switching capabilities. If I use a VLAN only on the card for 2 VMs to communicate (VLAN is not configured or allowed on the hardware switch the card is connected to), then I get around 18G throughput, which is done on the card internally.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved