Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Quote from: BeNe on June 05, 2019, 09:41:22 PM
@mb Thank you for your answer.

If I add the VLAN parent interface to the protected interfaces list, all VLAN children are unable to connect to OPNsense anymore. I can see entries in the Firewall Live Log showing that all packets are denied.
If I stop the Sensei Packet Engine, everything works fine again and there are no more denied packets.

Is there something I can debug?
Thanks
Bene, you're only adding the parent interface, right?

I had this problem before when adding both the parent and the VLAN interfaces.



Yes, ONLY the parent interface. Only one interface is added at all.

Hi @BeNe,

A few questions:

1. I'm assuming you're on the latest 0.8.0.rc1, correct?
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same?
3. Which ethernet adapter are you using? Intel, Broadcom or any other?


1. I'm assuming you're on the latest 0.8.0.rc1, correct? -> Yes
2. What happens if you enter bypass mode (Sensei -> Status -> Enter Bypass Mode) is it still the same? -> Still the same
3. Which ethernet adapter are you using? Intel, Broadcom or any other? -> Intel

OPNsense is running inside KVM (a virtual machine on a Proxmox host).
The WAN interface is an Intel card with PCI passthrough directly to the VM.
The LAN is a virtual network interface.



Traffic from 172.16.50.0/24, which is normally on VLAN_50, is blocked on the "LAN" interface.
On the LAN is 172.16.17.0/24. Of course this traffic source is blocked on that interface. Did I miss something that I need to adjust?



Hi @Bene,

I think there is something else in your configuration that needs attention. I'll reach out to you. Let's have a look together.

Hi Murat,

Thanks for your help! I changed my interface from "em" to "igb" as you said.
Now it works.

So I can confirm a problem with "em" interfaces. In my case, I'll keep the "igb" interface ;)

Hi @BeNe,

Thank you very much for your update. Now it's clear to me.

When an interface is opened in netmap mode, ARP packets destined for VLAN child interfaces do not make their way to their destinations.

This seems to be fixed in FreeBSD 11.2-stable.

We'll sponsor another round of netmap work which is specifically focused on fixing known problems.

For now, a bit of advice for those who are using Sensei or Suricata (IPS mode):

1. The last thing I'd want would be to endorse a brand/model; however, for us, igb(4) based adapters seemed to be the ones which gave the best results in terms of reliability/performance (with regard to netmap support).

2. If you're using igb(4) and experiencing high interrupt utilization, you can set:

    a) hw.igb.rx_process_limit: -1 (default is 100)
    b) machdep.hyperthreading_allowed: 0

We've seen these settings help improve the performance for igb(4) based systems.
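A quick drift check for those two tunables, written as an added example (it is not from the thread or the Sensei project): it reads `sysctl` output and reports whether the recommended values are in effect. The tunable names and target values are the ones quoted above; the sample input is constructed to look like an untuned host.

```shell
# Added example: compare a FreeBSD/OPNsense host's current values with the
# igb(4)/netmap tuning recommended in the post above.
# Reads "name: value" lines (sysctl output format) from stdin; a constructed
# sample is embedded below so the script runs offline.

WANT_RX_LIMIT="-1"   # hw.igb.rx_process_limit (default is 100)
WANT_HT="0"          # machdep.hyperthreading_allowed

# sysctl_value NAME: print NAME's value from stdin lines such as
# "hw.igb.rx_process_limit: 100"; prints nothing if NAME is absent.
sysctl_value() {
    sed -n "s/^$1: *//p" | head -n 1
}

# check_igb_tunables: read sysctl output on stdin, print one line per
# tunable (OK / MISMATCH / MISSING); return 0 only if both values match.
check_igb_tunables() {
    input=$(cat)
    status=0
    for pair in "hw.igb.rx_process_limit=$WANT_RX_LIMIT" \
                "machdep.hyperthreading_allowed=$WANT_HT"; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$input" | sysctl_value "$name")
        if [ -z "$have" ]; then
            echo "MISSING  $name (igb driver not loaded or tunable absent)"
            status=1
        elif [ "$have" = "$want" ]; then
            echo "OK       $name = $have"
        else
            echo "MISMATCH $name = $have (recommended $want)"
            status=1
        fi
    done
    return $status
}

# Constructed sample of an untuned host: rx_process_limit still at the
# default of 100 and hyperthreading still allowed.
SAMPLE_SYSCTL='hw.igb.rx_process_limit: 100
hw.igb.num_queues: 0
machdep.hyperthreading_allowed: 1'

# On a real box replace the sample with:
#   sysctl hw.igb machdep.hyperthreading_allowed | check_igb_tunables
printf '%s\n' "$SAMPLE_SYSCTL" | check_igb_tunables || echo "tuning not applied"
```

Both names are loader tunables, so on OPNsense they are set under System > Settings > Tunables and only show the new value after a reboot.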



Dear Sensei users,

Sensei 0.8.0 Release Candidate 2 is out. This marks the final step towards releasing 0.8, and towards 1.0.

This version is also available as an update for 0.7 users.

Change log is as follows:

  • Sensei 0.7 to 0.8 updates are tested and ready to roll
  • A fix for systems with 4GB memory: A backend misconfiguration has been fixed. Now you can run on 4GB
  • Enable support for Hardware-assisted bypass functionality (For experimental L2-Bridge mode deployments). Currently Silicom Bypass adapters are supported.
  • More reliability fixes

Enjoy :)

Sensei team

June 14, 2019, 01:18:30 PM #368 Last Edit: June 14, 2019, 01:26:08 PM by adel_xf
Hello,

I tried to go with Sensei, but when selecting the network interfaces, no interface proposing networks is shown to me.

My OPNSense configuration:

OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s May 28, 2019

OPNSense is a VM Proxmox
2 virtio network cards
100 GB disk
8 GB of RAM

I tried both versions of Sensei (0.7, 0.8).
Thank you for your attention.

I tested the following command, which seems to work. Your opinions?

opnsense-update -fbkr 19.1.4-netmap

Quote from: adel_xf on June 14, 2019, 01:37:37 PM
I tested the following command, which seems to work. Your opinions?

opnsense-update -fbkr 19.1.4-netmap

Hi @adel_xf,

Many thanks for giving Sensei a try. OPNsense created 19.1.4-netmap kernel to integrate the latest improvements and bug fixes including the Sunny Valley sponsored virtio/vmx work.

It should be OK to use that. However, make sure you're not missing anything important from the newer stock kernels.

After Sensei 1.0, we'll do another round of netmap work to complete upstream netmap import process.

Hi MB, I am facing a few issues after updating the Sensei package.

1. I do not see a deployment size above 25 (using routed mode).

2. I disabled the health check in the previous version, and now if I enable it I do not see the save option. It is disabled/grayed out.

3. Email reports are not working: after the update it generated the report once and it was working, i.e. showing the result, but after that one report I didn't receive any new email.
If I re-enter the mail server details and click test, it works and sends a notification email, but I do not receive the report email generated at night.
Also, why does it happen that if I test the email and save it, then refresh the page and retest it, it just gives me an error:
Your mail configuration is invalid!
Response: (535, '5.7.8 Authentication rejected')
Meaning we can only test it once, then save the details and leave it that way. It works and emails work, but why do we receive an error when trying to test again until we re-enter the password before clicking test?

June 15, 2019, 10:45:04 PM #372 Last Edit: June 16, 2019, 03:17:38 AM by mb
Hi @manjeet,

Thanks for the report.

Looks like #2 and #3 are bugs. We fixed them today. The fixes should arrive with the 0.8 release next week.

#1, if your RAM is 4GB, this is the expected behavior, since we received reports of swap utilization with deployments of around 70-80 users and 4GB RAM.

So we thought that it would be safer to restrict deployment size to 25 users or less if the device has 4GB of memory.

If it's not the case for you, then it's probably a browser issue. Let's have a look together.

Hello MB,

As per your email and post, here are the details you asked:
1. Did you update from 0.7 or from an earlier 0.8 beta/rc?
---> Updated from 0.7
2. How much memory do you have?
---> 8GB
3. Which browser are you using? Anything changes if you switch to Google Chrome?
---> Chromium
4. Does your email account password include any special characters e.g. "&" ?
---> It does contain special characters
5. What happens if you invoke the report manually? The command is as follows:
---> The command (/usr/local/sbin/configctl sensei mail-reports) gave me OK and I received the email report

Update: Ever since I reconfigured the email reporting on Saturday (IST), I have been receiving the report email. I think it must be the update which somehow messed something up.
b> My system is an Intel Core i5-7400 CPU @ 3.00GHz with 8 GB RAM and 8 GB swap.
c> I use Chromium, but I tested it on Google Chrome and Firefox and the deployment size is still the same.

Hi @mb,

Can you tell us if/when users/groups will be implemented within Sensei?