Author Topic: Sensei on OPNsense - Application based filtering  (Read 509684 times)

myzar495

Re: Sensei on OPNsense - Application based filtering
« Reply #1035 on: August 15, 2020, 10:11:06 pm »
It looks like setting the IDS from WAN to another interface, even if it's off, should work around this issue.

Perhaps adding this to the knowledge base, or recommending it in the error prompt, would let people know to do this if they choose to use bridged mode?

mb

« Reply #1036 on: August 17, 2020, 09:26:05 pm »
Hi @myazar495, you're right, thanks for the suggestion. We've updated the warning message.

bunchofreeds

« Reply #1037 on: August 20, 2020, 11:45:26 pm »
Help with Sensei App Controls (Home Edition)

UPDATE - I'm making some progress using Sensei Reports and discovering what rule is blocking my progress.
Is it possible to show 'Block Sub Category' in the Reports view?
I can see for example Blocked by 'Application Category Online Utility' but not specifically what Signature it is. Like 'Microsoft Licensing' for example.

I'm trying to create a Policy that restricts internet usage for my kids. More out of interest than anything really, and they are the best testers to be honest.

My approach so far is 'select option>save>test' which is really slow considering the number of options.
Also browser caching on the client is annoying.

My Policy is controlling a set of IP addresses (not an entire subnet) that are assigned to their devices: an Android phone, an Android tablet and two Windows 10 laptops.
Ultimately I'd like to create a 'Family Safe' setup for the kids and maybe even restrict it to certain times.
Any help or advice on what to do or where to look with regards to configuring Sensei for info on this would be great.

Thanks in advance

 
« Last Edit: August 21, 2020, 01:45:34 am by bunchofreeds »

sorano

« Reply #1038 on: August 21, 2020, 04:09:45 pm »
Quote from: bunchofreeds on August 20, 2020, 11:45:26 pm

Ultimately I'd like to create a 'Family Safe' setup for the kids and maybe even restrict it to certain times.
Any help or advice on what to do or where to look with regards to configuring Sensei for info on this would be great.


I've put my kids' devices on a separate VLAN.
Then just created a policy named Kids with the rules I wanted for them, added a schedule for that policy and configured the policy to match the kids' VLAN interface. Then just sit back and prosper when they start complaining that they cannot watch YouTube anymore!  8)

Kinda self-explanatory really.

2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Dayve

« Reply #1039 on: August 21, 2020, 07:02:04 pm »
Is there a way to have Sensei not block when I'm connected to one of my VLANs?

sorano

« Reply #1040 on: August 21, 2020, 08:13:54 pm »
Quote from: Dayve on August 21, 2020, 07:02:04 pm
Is there a way to have Sensei not block when I'm connected to one of my VLANs?

Yes, you can use Exempted VLANs & Networks

Dayve

« Reply #1041 on: August 22, 2020, 01:33:50 am »
Quote from: sorano on August 21, 2020, 08:13:54 pm
Quote from: Dayve on August 21, 2020, 07:02:04 pm
Is there a way to have Sensei not block when I'm connected to one of my VLANs?

Yes, you can use Exempted VLANs & Networks

Guess I need to pay for that option.

almodovaris

« Reply #1042 on: August 22, 2020, 11:42:02 am »
Nope, each Ethernet port and each VLAN can be filtered by Sensei or not filtered, at your own choice. You are fully free to do that.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

mb

« Reply #1043 on: August 22, 2020, 07:44:57 pm »
Good morning dear Sensei users,

Some good news. Please give this kernel a test drive and provide feedback.

https://forum.opnsense.org/index.php?topic=17363.msg85539#msg85539

If you don't see your interface show up in Sensei interface configuration, /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php is the file you'll need to play with. You'll need to comment out the lines which filter your interface:

Code:
    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
        $filterflag = true;
    }

Dayve

« Reply #1044 on: August 23, 2020, 03:00:32 pm »
I installed the test kernel. The only interface I have selected in the UI is the LAN.

Code:
    if (strpos(strtolower($interface), "lagg") !== false && strpos(strtolower($interface), "vlan") == false) {
        $filterflag = true;
    }

    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
        $filterflag = true;
    }

This is what I see in the ToolsController.php

Not sure which one would be my VLAN20 and do I just edit the "$filterflag" to be false?

scream

« Reply #1045 on: August 23, 2020, 04:08:17 pm »
Quote from: Dayve on August 23, 2020, 03:00:32 pm
I installed the test kernel. The only interface I have selected in the UI is the LAN.

Code:
    if (strpos(strtolower($interface), "lagg") !== false && strpos(strtolower($interface), "vlan") == false) {
        $filterflag = true;
    }

    if (strpos(strtolower($interface), "vmx") !== false && strpos(strtolower($interface), "vlan") == false) {
        $filterflag = true;
    }

This is what I see in the ToolsController.php

Not sure which one would be my VLAN20 and do I just edit the "$filterflag" to be false?

I just commented out the lines with "#" on each of the lines belonging to one interface type.
I do not use VLAN so I can't answer about that. But basically the filter matches the name of the interface.
So just take a look at "ifconfig" and you should see which you have to comment out.
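
The two checks quoted in this exchange, wrapped in a helper and run over constructed interface names, to show which names they match. This is an added example, not Sensei's own code and not part of any post: the helper name `matchingFilterRule` and the sample names are hypothetical, and it assumes, as the thread describes, that `$filterflag = true` is what keeps an interface out of the Sensei interface list.

```php
<?php
// Added illustration, not part of ToolsController.php. It reuses the two
// conditions quoted in the thread; the helper name and the interface names
// below are constructed for the example.

/**
 * Returns the driver string whose check would set $filterflag for this
 * interface name, or null if neither quoted condition matches.
 */
function matchingFilterRule(string $interface): ?string
{
    $name = strtolower($interface);
    foreach (['lagg', 'vmx'] as $driver) {
        // Same test as the quoted code: the name contains the driver string
        // and does not contain "vlan". The quoted code compares strpos()
        // with `== false`, which also treats a match at offset 0 as
        // "no vlan"; that only matters for a name that starts with "vlan".
        if (strpos($name, $driver) !== false && strpos($name, 'vlan') == false) {
            return $driver;
        }
    }
    return null;
}

// Constructed sample names: parent interfaces and VLAN children.
$samples = ['vmx0', 'vmx1_vlan20', 'lagg0', 'lagg0_vlan20', 'igb0', 'em0_vlan20'];

foreach ($samples as $if) {
    $rule = matchingFilterRule($if);
    printf(
        "%-14s %s\n",
        $if,
        $rule === null
            ? 'not matched by the quoted checks'
            : "filtered (matches the \"$rule\" check)"
    );
}
```

With these names, only the bare `vmx0` and `lagg0` parents are matched; any name that contains "vlan" after its first character falls through both checks.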

almodovaris

« Reply #1046 on: August 24, 2020, 04:39:41 pm »
Speedtest APU2 with Sensei, Aug 22 test kernel: 66.4 Mbps download speed from my own internet provider.

Speedtest APU2 with Sensei, but through OpenVPN from a Linux box behind it, Aug 22 test kernel: 149.5 Mbps download speed from my own internet provider.

mb

« Reply #1047 on: August 25, 2020, 04:43:16 am »
In case anyone would like to give 1.6 an early try:

https://forum.opnsense.org/index.php?topic=17363.msg85734#msg85734


DenverTech

« Reply #1048 on: August 27, 2020, 06:58:16 pm »
Just ran into a bug I've not seen before (or I did something wrong). Installed Sensei previously on our company VMware-hosted fw, then removed it to prep for the 20.7 upgrade (just in case). I upgraded without issue. Installed Sensei, went to configure it... and there are no available interfaces. It's blank. They were there in 20.1 just 15 minutes ago.

Possibly because this is a VMware guest, or something else?

mb

« Reply #1049 on: August 27, 2020, 07:09:11 pm »
Hi @DenverTech, correct;

See here: https://forum.opnsense.org/index.php?topic=17363.msg85734#msg85734

Make sure you're running the netmap test kernel; or the fw will crash.