English Forums > Zenarmor (Sensei)

FreeBSD Install


jclendineng:
Hello, I am trying to install this on a dedicated box inside my opnsense network.  I know this runs on FreeBSD, but my question is, how do I get it to route inline? I do not see any documentation on this besides how to install (which works fine).  My initial thought was to bridge 2 ports, run sensei on that bridge port in normal routed mode, and have that inline.  So basically:

Modem ---> opnsense wan --> opnsense lan --> FreeBSD bridge with sensei (OR opnsense secondary server) --> internal network

Would this work? Just trying to understand how to get sensei up and running on a dedicated server (I don't want to do a full opnsense install on the second server as that seems unneeded and a waste of resources). I could install a second opnsense inline but I'm not sure that would work.

Thanks!

mb:
Hi @jclendineng,

The best way to accomplish this is to deploy sensei in bridge mode (which will be available with Sensei 1.10 scheduled for the end of July). In this mode Sensei establishes a virtual switch between two ethernet adapters - you'll need the third adapter for maintenance.

Till that time, let us try to get you some instructions for you to get this working manually.

Can you reach out to support through the Cloud Portal?

jclendineng:
Thanks! I actually did some testing and it seems to work the way I thought... for people on FreeBSD, here is what I did:

Create the bridge and add nics, replace with your nics/ip:

ifconfig bridge create                   # creates bridge0
ifconfig bridge0 addm igb0 addm igb1 up  # add both NICs as members and bring the bridge up
ifconfig igb0 up                         # members must be up or the bridge passes nothing
ifconfig igb1 up
ifconfig bridge0 inet 10.0.0.1/26        # address goes on the bridge, not on the members
ifconfig igb0 mtu 9000                   # all members must share one MTU
ifconfig igb1 mtu 9000
ifconfig bridge0 mtu 9000

Now edit the rc.conf file:

vi /etc/rc.conf

hostname="sensei"
ifconfig_bridge0="inet 10.0.0.1 netmask 255.255.255.192" # bridge information
ifconfig_igb0="up" # Make sure both bridged interfaces come up
ifconfig_igb1="up"
cloned_interfaces="bridge0"
autobridge_interfaces="bridge0"
autobridge_bridge0="igb0 igb1"
ifconfig_igb5="inet 10.0.2.52 netmask 255.255.255.192" # My management interface so I don't lock myself out
defaultrouter="10.0.2.1" # Default gateway

I then set up a cloud firewall and selected "igb1" in my case and routed mode. igb0 in my setup is connected to the LAN out and igb1 is connected to the internal switch, so I think both NICs will have the same information; you only need to select one.

I did run into another issue though: a pure cloud install does not let you resolve DNS entries via the gateway, so all you see are IP addresses, not hostnames. I can confirm though that I am filtering just fine on FreeBSD with manual bridging. Is DNS resolution coming in 1.10, and/or should I submit a bug report/feature request?

Edit: I removed all nameservers from the resolv.conf and added my main gateways (I'm assuming it uses the OS nameservers to resolve IPs) and I also added a manual internal host to the hosts file, and then I lost access :)

The bridge is still up but I think I screwed up something. I have internet but it looks like I'll need to hook a monitor up as I lost SSH access. The experiment continues! I was quite happy I got it mostly working though using a manual bridge :)
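
The two mistakes that bite most often with this kind of hand-built bridge are a member interface that is not set to come up at boot (the bridge silently passes nothing) and a management interface that ends up inside the bridge (you lock yourself out, as happened above for a different reason). The following Python script is an added example, not code from the thread or from Sensei: it parses the rc.conf variables used in the post above (cloned_interfaces, autobridge_*, ifconfig_*, defaultrouter) and reports those mistakes before you reboot. The check names, the 1500-byte default MTU assumption and the sample rc.conf contents are this example's own; the "good" sample is a constructed copy of the rc.conf from the post.

```python
"""Sanity-check a FreeBSD rc.conf transparent-bridge configuration before reboot.

Added example (not from the forum thread or from Sensei): parses the rc.conf
variables the post above uses and flags settings that would leave the bridge
half-up or the box unreachable over its management interface.
"""
import re
import shlex

# Matches simple VAR=value lines; comment-only and blank lines do not match.
ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_conf(text):
    """Return {var: value} for VAR="value" lines, dropping trailing # comments."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.groups()
        # shlex strips the quotes and discards '# ...' the way sh would
        conf[name] = ' '.join(shlex.split(raw, comments=True))
    return conf


def _mtu(words):
    """MTU from an ifconfig_* value; assume the 1500 default when not given."""
    for i, w in enumerate(words):
        if w == 'mtu' and i + 1 < len(words):
            return int(words[i + 1])
    return 1500


def check_bridge_config(conf, mgmt_iface):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    bridges = conf.get('autobridge_interfaces', '').split()
    if not bridges:
        problems.append('no autobridge_interfaces defined')
    for br in bridges:
        if br not in conf.get('cloned_interfaces', '').split():
            problems.append(f'{br} is not listed in cloned_interfaces, it will not be created at boot')
        members = conf.get(f'autobridge_{br}', '').split()
        if len(members) < 2:
            problems.append(f'{br} needs at least two members to bridge traffic, got {members}')
        for m in members:
            words = conf.get(f'ifconfig_{m}', '').split()
            if 'up' not in words:
                problems.append(f'member {m} has no ifconfig_{m}="up", the bridge will not pass traffic through it')
            if 'inet' in words:
                problems.append(f'member {m} carries an IP address; addresses belong on {br}, not on members')
            if m == mgmt_iface:
                problems.append(f'management interface {m} is a bridge member, you can lock yourself out')
        # bridge(4) requires every member to share one MTU
        mtus = {m: _mtu(conf.get(f'ifconfig_{m}', '').split()) for m in members}
        if len(set(mtus.values())) > 1:
            problems.append(f'{br} members differ in MTU {mtus}; all members must share one MTU')
    if 'inet' not in conf.get(f'ifconfig_{mgmt_iface}', '').split():
        problems.append(f'management interface {mgmt_iface} has no inet address')
    if not conf.get('defaultrouter'):
        problems.append('defaultrouter is not set; management from another subnet will not work')
    return problems


def audit(text, mgmt_iface):
    """Parse rc.conf text and run the bridge checks against it."""
    return check_bridge_config(parse_rc_conf(text), mgmt_iface)


# Constructed copy of the rc.conf from the post above.
GOOD_RC_CONF = '''
hostname="sensei"
ifconfig_bridge0="inet 10.0.0.1 netmask 255.255.255.192" # bridge information
ifconfig_igb0="up" # Make sure both bridged interfaces come up
ifconfig_igb1="up"
cloned_interfaces="bridge0"
autobridge_interfaces="bridge0"
autobridge_bridge0="igb0 igb1"
ifconfig_igb5="inet 10.0.2.52 netmask 255.255.255.192" # My management interface so I dont lock myself out
defaultrouter="10.0.2.1" # Default gateway
'''

# Constructed broken variant: bridge not cloned, igb1 never brought up, the
# management NIC added as a member, mismatched MTU and no default gateway.
BAD_RC_CONF = '''
hostname="sensei"
ifconfig_bridge0="inet 10.0.0.1 netmask 255.255.255.192"
ifconfig_igb0="up mtu 9000"
autobridge_interfaces="bridge0"
autobridge_bridge0="igb0 igb1 igb5"
ifconfig_igb5="inet 10.0.2.52 netmask 255.255.255.192"
'''

if __name__ == '__main__':
    for label, text in (('good', GOOD_RC_CONF), ('bad', BAD_RC_CONF)):
        print(f'== {label} ==')
        for p in audit(text, 'igb5') or ['OK']:
            print(' -', p)
```

Run it against your own /etc/rc.conf (read the file into `audit()` with the name of your management NIC) before rebooting; the posted configuration comes back clean, the broken variant lists seven problems.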

mb:
@jclendineng, wow, congratulations! Are you on Passive Mode or L3 Mode? I'm surprised to see netmap is working with the FreeBSD bridge(4) interface.

Reverse DNS resolution is coming very soon. It's on our plate along with MAC address based reporting / filtering.

jclendineng:
L3 standard netmap mode. I was surprised as well but it does work. Blocking works, as does the live traffic view along with full VLAN information... I have 3 VLANs that would be visible to that interface and all 3 are properly tagged, so that's nice. I would have liked to select only the bridge0 interface but I do not think that's possible since it uses netmap to directly talk to each interface, and bridge0 is virtual, so it would not be visible. I of course need to re-install since I killed my SSH access but I'll wait for 1.10 most likely. It's looking very promising.
