Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

March 21, 2021, 12:00:00 AM #1125 Last Edit: March 21, 2021, 12:08:00 AM by Antaris
Well, it still doesn't. For about a year now. And we still can't choose the database backend manually, which was intended for v1.5...

Quote from: mb on March 13, 2020, 05:07:58 PM
Hi @Antaris,

This looks good and should've worked. But with 1.5 database selection will be optional if the device has enough memory but weak cpu (e.g. 200.000<>300.000 cpu score).

We hope to release 1.5 late this month.

By the way, I think this was your request, you can now request re-classification for a web site through Sunny Valley website ;)

https://www.sunnyvalley.io/site-classification/
Proxmox enthusiast @home, bare metal @work.

Sorry about that. This feature got postponed due to other pressing features becoming higher priority.

No worries. I saw that you also have created a support request. Team will help you out.

It seems that the package os-sensei-db is gone on the server (see attachment).




Strange assessment. It merely says it did not come from a known repo, which is probably because the scripts install it manually.

Please take the new feature's visibility with a grain of salt; it's been like that since before it displayed the repository in that view...


Cheers,
Franco

@franco, correct. This package was installed manually and out of the sensei package repository. This is why it's being shown like this.

Reason was we wanted to allow the users to move back and forth between appdb releases, not just the latest release.

We saw that it was confusing so starting with 1.9, os-sensei-db will not be delivered as a package.

As for the new plug-in compatibility, expect 1.8.1 to be shipped tomorrow; which will deliver the new packages.

I recently installed the sensei plugin for opnsense.  I love what I am seeing so far, but I seem to be having an issue with the netmap config.  When I choose native netmap, I get half of my 1G fiber speeds.  I usually hit around 940/940 with Sensei enabled on my LAN interface. When I choose the generic netmap driver, I get great download speeds, but my upload is less than 1Mbps.  I think this is telling me that the generic driver works best for my download, but I can't imagine why my upload is doing so bad.
Founder of Geekz
https://geekzweb.com

Hello all,

I am looking at possibly using Zenarmor with OPNsense, but I have some concerns. I am hoping someone has bumped up against some of these:

1) I am using Suricata to handle my WAN, so its my first line of defense. I want Zenarmor to handle everything on the LAN side, as the second line of defense. Has anyone implemented it in this way?
2) I am concerned about the load Zenarmor could put on the OPNsense device. I am running an i7-8700 with 16 gig of RAM. If I implement the OPNsense plugin do I need to bump up the memory to accommodate Zenarmor?
3) Where does Zenarmor write its data to and has anyone added a second HDD to OPNsense and remounted the Zenarmor data to this partition?

I hope you all can help.

Thanks,
Steve

Quote from: spetrillo on October 22, 2021, 10:19:01 PM
1) I am using Suricata to handle my WAN, so its my first line of defense. I want Zenarmor to handle everything on the LAN side, as the second line of defense. Has anyone implemented it in this way?
2) I am concerned about the load Zenarmor could put on the OPNsense device. I am running an i7-8700 with 16 gig of RAM. If I implement the OPNsense plugin do I need to bump up the memory to accommodate Zenarmor?
3) Where does Zenarmor write its data to and has anyone added a second HDD to OPNsense and remounted the Zenarmor data to this partition?

Zenarmor on the LAN side (and Suricata on the WAN side) is actually what the Zenarmor docs suggest; I'm running that way and it works just fine. It's not so much a 'second line of defence': Zenarmor is aimed at blocking access to malicious sites and managing your devices' access to sites (think things like active filtering for kids etc.).

I'm running on an i7-6700 with 32GB and it's total overkill; even 16GB would be more than I've ever seen allocated, but my personal feeling is 8GB would be a little too tight. The more important thing is that you have enough CPU for your connection: I'm driving gigabit fibre WAN and the i7-6700 is just enough (Zenarmor is single-threaded, and heavy loads on the connection will see the core running Zenarmor sitting at about 80% load).

The Zenarmor database is neither huge nor particularly demanding in terms of IOPS. I was originally running on a 250GB HDD and it was able to easily keep up; however, the speed of running reports meant I ended up rebuilding on a 256GB M.2 NVMe. Again, it's almost certainly overkill, but I had it around and it's nice having nearly instantaneous reports.

I am migrating my hardware from one server to another for OPNsense, and this includes Sensei. I backed up my config from the old server, then restored it on the new server. I am running the latest versions of both the Sensei engine (1.10) and OPNsense (21.7.5).

When I add my VLAN interface to the Protected interface list I get a popup about the driver having known incompatibilities with netmap, and it gives me a link to an old post on these forums. From digging around, it seems that this issue should be taken care of in this version of OPNsense?

I am running this on a Dell R610, with the Broadcom NICs (bce) and I have two interfaces configured as an LACP LAGG for the LAN interface, with VLANs using that as their parent interface. I am only trying to filter the internet on a single VLAN, the others need not be filtered.

So is this a concern? Or am I doing something wrong here?

Thanks in advance for the help!



Hi @JRC and @IsaacFL,

Zenarmor warns because you are trying to add a LAGG interface. Zenarmor uses netmap, an operating system subsystem, to grab packets off the wire, and netmap is not fully compatible with LAGG interfaces yet. The netmap team is working on it, but we don't have a date yet for when it will be fully compatible.

Normally we advise adding the parent interface if you have child interface(s), but for LAGG interfaces that could cause a network outage. So you did it the correct way by adding a child interface.

We have Zenarmor users who are using it with LAGG interfaces. So please try it and contact us if you have any problems.

I am trying to get Zenarmor to work but when I enable the plugin I lose access to the box and the network falls over.  I see a new message in the console like "drop mbuf that needs checksum offload".  Aside from that, no other obvious errors or issues.

I have a LAN interface with 1 native VLAN and a tagged VLAN, and then two WAN ports. I have added it on the physical LAN interface, not the child ones. The NIC is a 340-T4. I am on OPNsense 22.1.

Any starting points?

Hi,

Are the options selected as in the attached picture (Interface - Settings)?



Thank you - that did the job!  Out of curiosity, any performance impacts I should consider with offloads disabled?

If the processor is fast enough, there are no performance losses.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD
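
The "drop mbuf that needs checksum offload" console message above comes from netmap receiving packets the NIC was expected to checksum in hardware, which is why the fix was turning the hardware offloads off under Interfaces > Settings. As an added example (not from this thread, nor from Zenarmor or OPNsense), the POSIX shell script below checks a FreeBSD `ifconfig` listing for the offload options those toggles (Hardware CRC, TSO, LRO) control and prints the matching `ifconfig` commands. The sample `ifconfig` output is constructed, and the list of option names treated as netmap-unfriendly is this example's assumption, not a published Zenarmor requirement. On OPNsense, make the change in the GUI so it persists across reboots; the printed `ifconfig` lines are only for a one-off check on the console.

```shell
#!/bin/sh
# Added example: report NIC hardware offload options that interfere with netmap
# (as used by Zenarmor/Sensei) and print the ifconfig(8) keywords to disable them.
# Assumption of this example: these option names, as printed by FreeBSD ifconfig,
# correspond to the OPNsense "Hardware CRC", "TSO" and "LRO" settings.
NETMAP_BAD_OPTS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 VLAN_HWCSUM TSO4 TSO6 VLAN_HWTSO LRO"

# netmap_offload_check IFCONFIG_TEXT
#   Prints "ifname: OPT OPT ..." for every interface (loopback skipped) whose
#   options=<...> line still lists an offload from NETMAP_BAD_OPTS.
#   Exit status 1 if any were found, 0 if all interfaces are clean.
netmap_offload_check() {
    printf '%s\n' "$1" | awk -v bad="$NETMAP_BAD_OPTS" '
        BEGIN { n = split(bad, arr, " "); for (i = 1; i <= n; i++) isbad[arr[i]] = 1 }
        # Interface header line, e.g. "igb0: flags=8863<UP,...> metric 0 mtu 1500"
        /^[a-z][a-z0-9.]*: flags=/ {
            iface = $1; sub(/:$/, "", iface)
            if (iface ~ /^lo/) iface = ""      # netmap is never attached to lo0
        }
        # Indented "options=HEX<NAME,NAME,...>" line belonging to that interface
        /options=[0-9a-f]*</ {
            if (iface == "") next
            s = $0
            sub(/.*options=[0-9a-f]*</, "", s); sub(/>.*/, "", s)
            m = split(s, opts, ","); hit = ""
            for (i = 1; i <= m; i++)
                if (opts[i] in isbad) { if (hit == "") hit = opts[i]; else hit = hit " " opts[i] }
            if (hit != "") { print iface ": " hit; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# netmap_offload_fix_cmds REPORT
#   Turns netmap_offload_check output into one "ifconfig <if> -opt ..." line per
#   interface, using the real ifconfig(8) keywords for each option.
netmap_offload_fix_cmds() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            f["RXCSUM"] = "-rxcsum";      f["TXCSUM"] = "-txcsum"
            f["RXCSUM_IPV6"] = "-rxcsum6"; f["TXCSUM_IPV6"] = "-txcsum6"
            f["VLAN_HWCSUM"] = "-vlanhwcsum"; f["TSO4"] = "-tso4"; f["TSO6"] = "-tso6"
            f["VLAN_HWTSO"] = "-vlanhwtso"; f["LRO"] = "-lro"
        }
        NF >= 2 {
            iface = $1; sub(/:$/, "", iface); cmd = "ifconfig " iface
            for (i = 2; i <= NF; i++) if ($i in f) cmd = cmd " " f[$i]
            print cmd
        }
    '
}

# Constructed sample ifconfig output (not captured from a real box): one NIC with
# every offload enabled, one already clean, plus loopback.
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:00:00:00:00:01
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=800028<VLAN_MTU,JUMBO_MTU,MEXTPG>
        ether 00:00:00:00:00:02
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>'

report=$(netmap_offload_check "$SAMPLE_IFCONFIG") || true
if [ -n "$report" ]; then
    printf 'offloads still enabled (netmap will drop or mangle traffic):\n%s\n' "$report"
    printf 'one-off console fix (set it in Interfaces > Settings to make it permanent):\n'
    netmap_offload_fix_cmds "$report"
else
    echo "no netmap-incompatible offloads found"
fi
```

On a live OPNsense box you would feed it `ifconfig` directly (`netmap_offload_check "$(ifconfig)"`); the example embeds a constructed listing so it runs anywhere. The exit status makes it usable as a pre-flight check before enabling a netmap-based engine on an interface.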