Sensei - questions on reporting and status

[Styx13]

Hello,

I am testing Sensei (1.6.2) on my OPNsense (20.7.7_1) setup and I have a few questions regarding reporting and status.

In both the dashboard and the report sections, I do not understand the top local host and top remote host widgets.

I would have thought the top local host should only contain hosts/devices from my local networks and the top remote host should only contain hosts from internet .
However, both of them contains IP addresses (or hostname) from my local devices and from internet.
i.e. the top 10 local devices shows currently 3 IPs from the internet and 7 from my local networks
the top 10 remote devices shows currently 4 IPs from the internet and 6 from my local networks

Is that expected ? and if so how should that be interpreted ?

Another question on the status page. I noticed that for all my interfaces, the "Bytes OUT" and "Packets OUT" column are at 0 and seems to never change. While the Bytes IN and Packets IN are showing some values and increase over time.
Why is there not Bytes Out or Packets OUT information ?

Finally, for the scheduled report, it seems the email I receive always indicates as part of the quick facts: Connections: 10,000.
Why is it always 10,000 ? What does this represent ?
Also I noticed in the quick fact: Unique Local hosts: 91.
On my networks I currently have < 30 devices (including VMs and containers), where does the 91 come from ?

Thank you !

BTW, forgot to mention, I am using external elasticsearch database (elasticsearch 7.10.1) and my OPNSense instance has 4GB of memory. (it was using 20 - 25% of that before installing sensei, since running sensei memory utilization is at 30-33%)

[sy]

Hi @Styx13,

- How is your topology and which interface(s) is protecting by Sensei? Can you give some more information?

- For Bytes/Packets out values, what is your Deployment Mode (Configuration - General - Deployment Mode)? If you configured it as Passive, It is just like Suricata's IDS mode. Sensei grabs a copy of packets from the configured interfaces and provides you with a wealth of information through its reporting.

- What is the connection value in the reports (Reports - Connections - Conn - Facts)?

- Every unique device that interacts with the system on which Sensei is running on (in this case the firewall), will be counted as a single device. In technical terms, you can think of it like we're counting MAC addresses and IPv4 addresses.

[Styx13]

- How is your topology and which interface(s) is protecting by Sensei? Can you give some more information?

1 WAN interface and 7 LAN interfaces (not VLANs)
5 of the LAN interfaces are protected by sensei.

- For Bytes/Packets out values, what is your Deployment Mode (Configuration - General - Deployment Mode)? If you configured it as Passive, It is just like Suricata's IDS mode. Sensei grabs a copy of packets from the configured interfaces and provides you with a wealth of information through its reporting.

Ah you're right, I am using passive mode, so I understand now, it only counts the bytes that Sensei gets in, and the bytes that sensei puts out. So if sensei is passive, then it never sends any bytes out. Makes sense.

- What is the connection value in the reports (Reports - Connections - Conn - Facts)?

8,638

- Every unique device that interacts with the system on which Sensei is running on (in this case the firewall), will be counted as a single device. In technical terms, you can think of it like we're counting MAC addresses and IPv4 addresses.

Then I guess you may have counted a lot of test containers I kept creating and deleting using macvlan interfaces. Those probably generated new MAC Address each time I spawned a new one and deleted it , even though they were using the same IP.

[Styx13]

Hello here,

I still notice on the daily report that connection number part of the quick facts at 10,000 , it never changes, like it's hardcoded. Any specific reason for that ?

Also, in the report, the piechart (or doughnut chart) for the Top Local Hosts and Top Remote Hosts, I still see a mix of local and remote IPs (or hostnames) in both (I see some of my Local IPs in the remote hosts, and I see a lot of internet IPs in the Local host). Is there something I should check on my configuration ? or that could be a bug ?

PS: still on OPNsense 20.7.7_1 and Sensei 1.6.2  here.

[sy]

Hi @Styx13,

Can you send a bug report from the upper right corner Sensei GUI? I would like to look into the logs. I can not reproduce in the test lab.

[Styx13]

Bug report sent !

[Styx13]

I updated last week end to OPNsense 21.1 and Sensei 1.7 and I still see the same behavior:
 - always 10,000 connections reported in the quick facts
 - remote and local hosts still mixed up

So the update did not "fix" those.

[sorano]

I've been suffering from the 10 000 connections since October when I look through my mail reports.

https://forum.opnsense.org/index.php?topic=20625.0

[sy]

Hi @Styx13 and Sorano,

I can not reproduce this issue. Is your database Elasticsearch or MongoDB? Attached screenshots are my test lab fw and both give the same value as in the reports menu.

[Styx13]

Using Elasticsearch v 7.10.1 for the database, and it's a standalone database, not part of sensei.



I also want to indicate that I am using Sensei in passive mode.

[rubenx]

Is it possible the 10k connection limit comes from elasticsearch not returning more than 10k elements from a query?

[sy]

Hi Rubenx,

It is at the Remote Elasticsearch. In local elasticsearch, it is normal. We are working on it.

[CoMcE]

I run into the same problem. I use a local MongoDB.
Some remote servers are shown as local hosts and some locals as remote servers.
As far as I can see, it only affects  NTP (port 123) requests and answers in my case.

Some ideas why this happens?

Engine Version 1.7.1, OPNsense 21.1.2.

Thanx

[Styx13]

It is at the Remote Elasticsearch. In local elasticsearch, it is normal. We are working on it.

So, I believe you fixed it in latest version 1.8 as now I can see over 10,000 connections in my dashboard and report (had 68K connection on my report last night and 34K on dashboard right now). Thanks !

However, the Top Local Hosts and Top Remote Hosts still do not make sense, both contains local and remote hosts where I would expect the local hosts would only contain IPs belonging to my local network/subnets and remote host should only contains IPs that do not belong to my local subnets.