Is the free version really worth it ?

[hushcoden]

I'm trying to understand the level of additional protection that the free version (and the free version only) would provide to OPNsense and I'd appreciate anyone input.

Not talking about the reporting capabilities, for instance, if I look at the security policies, I can enable the block for sites that are responsible for malware, phishing, etc - am I right to say that what Sensei does here is to block access to/from a list of malicious IPs, that is the same I can configure with the blocklist feature in Unbound ?

Or adding rules as for this article https://docs.opnsense.org/manual/how-tos/edrop.html

Tia.

[Vilhonator]

Free version provides good overall protection in general.

Paid version enables custom policies and such.

Full list of features each edition has can be found at:

https://www.sunnyvalley.io/plans/

[hushcoden]

Yes, I'm aware of the features of the different versions...

Can you answer my question ?

If I look at the security policies, I can enable the block for sites that are responsible for malware, phishing, etc - am I right to say that what Sensei does here is to block access to/from a list of malicious IPs, that is the same I can configure with the blocklist feature in Unbound ?

Or adding rules as for this article https://docs.opnsense.org/manual/how-tos/edrop.html

[Vilhonator]

Well technically yes, Sensei does use lists of known malicious websites and blocks them and yes, if you know a website which hosts such lists of IPs then you can just create an URL IP table Alias, and create a block rule, though you are more likely to pump into hardware limitations to be able to have as huge database.

Also Sensei (just like with any commercial IDS/IPS), actively updates their databases and runs tests.

Does the paid version provide better protection? Yes, do you need it? Not if you aren't hosting any servers and have to keep certain ports open or constantly download torrents and visit porn sites or want to limit what type of websites your kids can access to and at what time they can surf the internet

[jclendineng]

Its not about the protection, everything sensei does is easily done using aliases + suricata.  The draw here is visibility.  You have dns logging and everything is in a nice format.  Thats all you are paying for.  You can do this for free by setting up an ELK stack: https://github.com/pfelk/pfelk

An ELK stack requires quite a bit of RAM though and is more than most people need.  Sensei is, for most people in a non-enterprise setting, more than enough.  Hope tat helps.  Think of this as a less powerful Untangle, but built right in to opnsense making it so you dont need a dedicated server.  If you have a dedicated server or can spin up a dedicated VM I would use untangle in bridge mode to analyze traffic.  I use both as I enjoy testing new products but the fact that sensei is tied to opnsense for basically all features, I will probably not renew and instead use untangle in bridge mode. I also prefer keeping edge firewall appliances separate from internal filtering.

Yes, I'm aware of the features of the different versions...

Can you answer my question ?

If I look at the security policies, I can enable the block for sites that are responsible for malware, phishing, etc - am I right to say that what Sensei does here is to block access to/from a list of malicious IPs, that is the same I can configure with the blocklist feature in Unbound ?

Or adding rules as for this article https://docs.opnsense.org/manual/how-tos/edrop.html

[almodovaris]

Unbound block list only works for DNS calls. Sensei does not care about DNS (you may even use DoT or DoH), but it actually inspects the connections to see where they go.

[hushcoden]

Unbound block list only works for DNS calls. Sensei does not care about DNS (you may even use DoT or DoH), but it actually inspects the connections to see where they go.

So, if it's checking the potential malicious IP addresses, this is can be done by creating alias(es) and rules as per that article I've mentioned https://docs.opnsense.org/manual/how-tos/edrop.html ?

[jimjohn]

Unbound block list only works for DNS calls. Sensei does not care about DNS (you may even use DoT or DoH), but it actually inspects the connections to see where they go.

So, if it's checking the potential malicious IP addresses, this is can be done by creating alias(es) and rules as per that article I've mentioned https://docs.opnsense.org/manual/how-tos/edrop.html ?

As someone who never dove deep into Sensei, what does Sensei (Free) offer more than what can be achieved with mechanisms built in natively into OPNsense?

- DNS filtering => Unbound / BIND Blacklists
- IP filtering => Alias Lists + Firewall Rules
- IDS / IPS => Suricata + Lists
- GeoIP filtering => GeoIP Alias + Firewall Rules

[JasonJoel]

Reporting is better, and it is much easier to setup/maintain as you don't have to micromanage a bunch of lists and FW rules.

If you are OK with existing reporting, and don't mind manually setting up a bunch of lists and keeping them up to date, then that's cool too.

But I will point out that if you want really granular filtering (not just identification/reporting), you can't use Sensei anyway as you only get 3 profiles with the PAID version - default + 2 custom. So if you have >3 "groups" of things to filter with different rules you can't do it in Sensei anyway...