Sensei on OPNsense - Application based filtering

[nines]

Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

Already answerred Matt via mail but here's mine just for reference

6.7.0 update 2 build 13473784


Gesendet von iPhone mit Tapatalk

[scream]

Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.

How can we easy test this? As I'm on a vm I can just create a snapshot before to easy revert back, if something goes wrong

[franco]

We will likely provide a test kernel next week. Note we are on 12.1 to avoid surprises in other areas and go from there...


Cheers,
Franco

[mb]

Yes, totally agree. I'm awaiting confirmation from several Sensei users whether 12-STABLE is fixing their problems.

I'll be updating here once I have some news.

[almodovaris]

AFAIK eastpect is single-core. Why not make it use multi-core?

[mb]

@almodovaris, very good catch.

Indeed, it is multi-core, but we had to run it single core in the current environment (Routed / L3 mode) because of a lack of OS feature (netmap multiple host rings) and kernel flow asymmetry. In some environments (Bridged / L2 mode), we deploy Sensei - with a custom kernel- in multi-core mode to be able to serve multi-gigabit speeds and userbase exceeding several thousand users.

Multiple host rings feature has been introduced with FreeBSD-12. Flow symmetry requires a bit of work.

Currently, the focus is to help OPNsense ship the new netmap kernel to be able to provide a seamless Sensei / Suricata experience.

Next, this is also planned down the road.

[cgone]

It is possible to enlarge the mount /usr/local/sensei/output/active/temp?

I got often the following error messages (and lags):

Aug  5 12:40:53 firewall kernel: pid 83092 (eastpect), uid 0 inumber 5 on /usr/local/sensei/output/active/temp: filesystem full
Aug  5 12:40:57 firewall kernel: pid 83092 (eastpect), uid 0 inumber 8 on /usr/local/sensei/output/active/temp: filesystem full

[mb]

Hi @cgone, sure. This feature will ship with the upcoming 1.6

Check for a new configuration item under "Configuration -> Reporting & Data" : "Size of Temporary Memory Disk Space".

[Rickytr]

I'm trying to install Sensei on a new virtualized (vmware) installation of OPNsense, but during the setup the lan interface (vmx0) is not displayed in available interfaces. I don't have anything installed that can lock that interface.
Any help?

[mb]

Hi @Rickytr, on 20.7, we explicitly filter out vmx interfaces to prevent a system crash. Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

[Rickytr]

In the thread you mentioned seems they found a way to solve the problem. How can I configure sensei correctly on LAN nic after I patch the kernel?

[mb]

Hi @Rickytr, vmx patch seems incomplete. It just prevents the crash. Packet transmission has problems.

Below table summarizes the current situation.
https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

I'll post more updates once we confirm everything is working.

[actionhenkt]

I upgraded opnsense to the latest version, now sensei doesnt see any interfaces anymore. Im running opnsense on proxmox if that matters. Just finished installing a fresh copy of the latest opnsense and sensei and im getting the same result, sensei doesnt detect any interfaces to protect ?

[mb]

Hi @actionhenkt,

on 20.7, we explicitly filter out some interfaces to prevent a system crash. If yours is vtnet, this is one of them.

Please see this thread:

https://forum.opnsense.org/index.php?topic=17363.msg83997#msg83997

Good news is; vtnet fix looks good. There'll be a test kernel soon.

[actionhenkt]

Thanks, that was a fast response - I installed the kernel but unfortunately im not able to select any interfaces yet (im using vtnet).