Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM


I have tried this at one of our customers; however, the free version is more limited than expected for testing.
So, unfortunately, I had to remove it.
DEC4240 – OPNsense Owner

Hi
Please, I have a strange thing: PS4 NAT type fails when I am running Sensei (all apps and web are allowed), and as soon as I stop Sensei or change it to bypass mode, PS4 NAT passes and gives Type 2.
Is there any solution to overcome this strange thing?
Steps would be helpful, please.
Thank you in advance

Hi @aelghamrawy,

Send a bug report, and the team will have a look.

Recently I tried to make some changes to my setup so I can include Suricata as well.
As of now I have used Sensei only on the WAN interface.
I am enabling Suricata on WAN, and I tried to enable Sensei on all my VLANs (LANs).
The problem I see is that Sensei does not support LAGG interfaces. Any ETA for this?

DEC750 Deciso

Quote
As of now I have used Sensei only on the WAN interface.

Hi @nikkon, for the sake of clarification: are you running Sensei on WAN or LAN interfaces?

lagg and bridge support, along with tun support, is related to netmap, and we're sponsoring another round of work on the netmap side.

Please see:
https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

tun(4) support has been implemented. Others are under development.

I guess they can all be available in late September / October.

Thanks for answering this.
I intended to use LAN (which in my case is a lagg).
For now I keep my old setup, running it on WAN only.
DEC750 Deciso

@nikkon, you're welcome.

A quick note: Sensei 1.6 will re-enable VLAN interfaces on lagg. You don't need to wait for an updated kernel, since they use the netmap emulated driver.


September 05, 2020, 05:12:57 AM #1059 Last Edit: September 05, 2020, 05:20:17 AM by GreenMatter

I still use 20.1.9 (as it runs on ESXi using vmx), and today I lost connectivity (around 03:30 AM local time) on my whole LAN. I'm away from home, but I connect to it through OpenVPN all the time. OPNsense uptime was 35 days.
Long story short: I couldn't reach any hosts/services inside my LAN, but luckily I could ping all OPNsense interfaces. Pinging from OPNsense gave the same result: no connectivity. So I did a reboot. Afterwards, when checking the logs, I saw the following:

Quote
2020-09-05T03:26:09 syslog-ng[21339]: I/O error occurred while writing; fd='23', error='Host is down (64)'
2020-09-05T03:01:13 kernel: 673.129619 [1180] netmap_grab_packets bad pkt at 5 len 0
2020-09-05T03:01:13 kernel: 673.129612 [1180] netmap_grab_packets bad pkt at 4 len 0
2020-09-05T03:01:13 kernel: 673.129604 [1180] netmap_grab_packets bad pkt at 3 len 0
2020-09-05T03:01:13 kernel: 673.129596 [1180] netmap_grab_packets bad pkt at 2 len 0
2020-09-05T03:01:13 kernel: 673.129587 [1180] netmap_grab_packets bad pkt at 1 len 0
2020-09-05T03:01:13 kernel: 673.129419 [ 277] vmxnet3_netmap_rxsync 1 skipped! idx 26
2020-09-05T03:01:13 kernel: vmx1: watchdog timeout on queue 0
2020-09-05T03:01:08 eastpect[5346]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-05T03:01:08 eastpect[5346]: nm0::vmx1: permanently promiscuous mode enabled


And
Quote
2020-09-05T03:28:00 configd.py: [f7eb1ea5-7a25-46ae-a9bf-d217585eccbf] Sensei heardbeat


Therefore I think it could be something Sensei-related. If so, I hope it is/will be taken care of in the upcoming update...?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)
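The log excerpt GreenMatter pasted is shown newest-first and mixes Sensei's own netmap attach messages (from the eastpect process) with kernel driver errors, so the sequence of events is easy to misread. The script below is an added example, not code from this thread, from Sensei or from OPNsense: it takes a copy of that excerpt (one entry per line, timestamp first, exactly as posted), classifies each message with regular expressions written for these particular lines, rebuilds an oldest-first timeline, and checks whether the NIC watchdog timeout on vmx1 was preceded by Sensei attaching to that interface in netmap mode and followed by netmap errors. The category names, the 30-second correlation window and the assumption that syslog's "Host is down" is a later symptom rather than a cause are mine.

```python
import re
from datetime import datetime, timedelta

# Log entries copied from the forum post above (OPNsense 20.1.9 on ESXi, vmx NICs),
# one entry per line, newest first as the OPNsense web UI displays them.
LOG_EXCERPT = """\
2020-09-05T03:28:00 configd.py: [f7eb1ea5-7a25-46ae-a9bf-d217585eccbf] Sensei heardbeat
2020-09-05T03:26:09 syslog-ng[21339]: I/O error occurred while writing; fd='23', error='Host is down (64)'
2020-09-05T03:01:13 kernel: 673.129619 [1180] netmap_grab_packets bad pkt at 5 len 0
2020-09-05T03:01:13 kernel: 673.129612 [1180] netmap_grab_packets bad pkt at 4 len 0
2020-09-05T03:01:13 kernel: 673.129604 [1180] netmap_grab_packets bad pkt at 3 len 0
2020-09-05T03:01:13 kernel: 673.129596 [1180] netmap_grab_packets bad pkt at 2 len 0
2020-09-05T03:01:13 kernel: 673.129587 [1180] netmap_grab_packets bad pkt at 1 len 0
2020-09-05T03:01:13 kernel: 673.129419 [ 277] vmxnet3_netmap_rxsync 1 skipped! idx 26
2020-09-05T03:01:13 kernel: vmx1: watchdog timeout on queue 0
2020-09-05T03:01:08 eastpect[5346]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-05T03:01:08 eastpect[5346]: nm0::vmx1: permanently promiscuous mode enabled
"""

# Message classifiers (assumed categories, written against the lines above).
# "[\d.]+ \[ *\d+\]" skips netmap's own log prefix (a time value and a bracketed
# source line number) that precedes the function name in kernel messages.
# The 'iface' group captures the NIC name where a message names one.
PATTERNS = {
    "netmap_attach": re.compile(
        r"^eastpect\[\d+\]: nm\d+::(?P<iface>[a-z]+\d+)\^?: permanently promiscuous mode enabled$"),
    "nic_watchdog": re.compile(
        r"^kernel: (?P<iface>[a-z]+\d+): watchdog timeout on queue \d+$"),
    "netmap_rxsync": re.compile(
        r"^kernel: [\d.]+ \[ *\d+\] (?P<driver>\w+)_netmap_rxsync \d+ skipped! idx \d+$"),
    "netmap_bad_pkt": re.compile(
        r"^kernel: [\d.]+ \[ *\d+\] netmap_grab_packets bad pkt at \d+ len \d+$"),
    "syslog_host_down": re.compile(
        r"^syslog-ng\[\d+\]: I/O error occurred while writing;.*Host is down"),
}


def parse_events(text):
    """Split '<ISO timestamp> <process>: <message>' lines, tag each one and return
    them oldest-first (the excerpt is pasted newest-first, as the web UI shows it)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, msg = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_text)
        tag, iface = "other", None
        for name, rx in PATTERNS.items():
            m = rx.match(msg)
            if m:
                tag, iface = name, m.groupdict().get("iface")
                break
        events.append({"ts": ts, "tag": tag, "iface": iface, "msg": msg})
    events.reverse()                         # newest-first paste -> oldest-first
    events.sort(key=lambda e: e["ts"])       # stable sort keeps same-second order
    return events


def netmap_incident(text, window=timedelta(seconds=30)):
    """Correlate the first NIC watchdog timeout with netmap activity on that NIC.
    Returns None when the excerpt contains no watchdog timeout at all."""
    events = parse_events(text)
    watchdogs = [e for e in events if e["tag"] == "nic_watchdog"]
    if not watchdogs:
        return None
    wd = watchdogs[0]
    iface = wd["iface"]
    attached_before = any(
        e["tag"] == "netmap_attach" and e["iface"] == iface and e["ts"] <= wd["ts"]
        for e in events)
    errors_after = [
        e for e in events
        if wd["ts"] <= e["ts"] <= wd["ts"] + window
        and e["tag"] in ("netmap_rxsync", "netmap_bad_pkt")]
    syslog_lost_later = any(
        e["tag"] == "syslog_host_down" and e["ts"] > wd["ts"] for e in events)
    return {
        "iface": iface,
        "watchdog_at": wd["ts"].isoformat(),
        "netmap_attached_before": attached_before,
        "netmap_errors_after": len(errors_after),
        "bad_pkt_count": sum(1 for e in errors_after if e["tag"] == "netmap_bad_pkt"),
        "syslog_host_down_later": syslog_lost_later,
    }


if __name__ == "__main__":
    for e in parse_events(LOG_EXCERPT):
        print(f'{e["ts"].isoformat()}  {e["tag"]:<17} {e["msg"]}')
    print(netmap_incident(LOG_EXCERPT))
```

Run stand-alone, the script prints the timeline oldest-first and then the correlation summary. On this excerpt it shows Sensei (eastpect) putting vmx1 into netmap promiscuous mode at 03:01:08, the vmx1 watchdog timeout plus one skipped vmxnet3 netmap rxsync and five zero-length "bad pkt" errors five seconds later, and syslog-ng losing its remote host 25 minutes after that; that ordering is what supports reading the outage as a netmap/driver problem on the Sensei-attached LAN interface rather than anything to do with the Sensei heartbeat line.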

Hi GreenMatter, the Sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We have seen a lot of progress on the netmap side over the past month. I expect vmx support will also perform better than in 20.1.x.

Quote from: mb on September 05, 2020, 06:07:11 AM
Hi GreenMatter, the Sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We have seen a lot of progress on the netmap side over the past month. I expect vmx support will also perform better than in 20.1.x.

I couldn't find anything more related to this issue. One more contributing factor was/is that Sensei is set to work on the vmx1 (LAN) interface, and vmx0 is WAN. And the affected interface was LAN; nothing could go out through the LAN interface...
Anyway, do you know the release date of a fully functional update?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

September 05, 2020, 11:53:39 PM #1062 Last Edit: September 05, 2020, 11:57:22 PM by hushcoden
I'm trying to understand what the best value is for Max Swap Utilization (% of total SWAP): the official documentation just states that "You may specify how much swap space Sensei may utilize when the system is low on memory. It is recommended that you do not set this value too high. Otherwise, system performance may suffer."

Is there some sort of criteria to determine the best value based on the hardware specs (attached)?

TIA.

Hi @hushcoden,

The default value (30%) is OK. This setting was introduced to handle a recent OS behavior change where the OS started to swap pages more often.

If you have enough memory, you won't need to change anything at all. If you see Sensei warning you about swap space, then you can increase this value to instruct Sensei to embrace higher swap utilization.

Having said that, for optimal performance we recommend having enough RAM on the device so that you don't need to think about swap.


September 06, 2020, 06:44:43 PM #1064 Last Edit: September 06, 2020, 09:26:44 PM by guyp2k
Update: I was able to resolve the issue by reinstalling 1.6 Beta 3; however, when I re-apply my premium key I receive the following error: "We couldn't verify your activation key..." I opened a support ticket/email.

I assume this is the correct thread to post in, being specific to OPNsense and Sensei. The issue I am having is specific to my Ring cameras and Sensei. I am unable to pull up the live video from the Ring app on either my PC or my mobile devices unless I enter bypass mode in Sensei.

I have checked the policy and, as far as I can tell, I don't have any setting that would block Ring; however, when I look at the Sensei logs I see the following (see attached file).


What's odd is that the Sensei log/reports say secure web browsing is blocked, but when I look at the policies this is not the case.

Lastly, I decided to reinstall Sensei, and now I receive the following error during the hardware check: "unable to complete hardware check". I am running a Core i7 with 32 GB RAM and didn't have any issues during the initial install.