OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Zenarmor (Sensei) »
  • Sensei on OPNsense - Application based filtering
« previous next »
  • Print
Pages: 1 ... 26 27 [28] 29 30 ... 79

Author Topic: Sensei on OPNsense - Application based filtering  (Read 359827 times)

marcri

  • Jr. Member
  • **
  • Posts: 59
  • Karma: 5
    • View Profile
    • https://www.risse-it.services/
Re: Sensei on OPNsense - Application based filtering
« Reply #405 on: July 10, 2019, 08:25:06 am »
Hello,
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.
Best,
Marc
Logged

donatom3

  • Jr. Member
  • **
  • Posts: 67
  • Karma: 11
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #406 on: July 10, 2019, 10:48:28 am »
Quote from: mb on July 10, 2019, 02:19:07 am
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new, I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.

MB,

Looks like Franco saw my post and sees that a merge for the ring size didn't make it to the 19.7 netmap kernel.

https://forum.opnsense.org/index.php?topic=13436.msg61879#msg61879

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Sensei on OPNsense - Application based filtering
« Reply #407 on: July 10, 2019, 06:52:06 pm »
Quote from: donatom3 on July 10, 2019, 10:48:28 am

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.

@donatom3, perfect. Thanks for your help. This would cause some headache.

« Last Edit: July 10, 2019, 06:54:47 pm by mb »
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Sensei on OPNsense - Application based filtering
« Reply #408 on: July 11, 2019, 01:27:59 am »
Quote from: marcri on July 10, 2019, 08:25:06 am
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.

Hey Marc,

Yes, it is possible. In Web Controls menu, put the whitelisted URL in a user defined custom category. And mark the category as allowed.

Than you should be good to go.

More info:

https://help.sunnyvalley.io/hc/en-us/articles/360025100393-Web-Control

Look for User Defined Categories.

Logged

aimdev

  • Full Member
  • ***
  • Posts: 119
  • Karma: 4
    • View Profile
Sensei on OPNsense - Spelling errors
« Reply #409 on: July 12, 2019, 12:54:22 pm »
Configuration, select Bridge mode.

Please select the interface paris from below boxes to create your protected L2 pridge

change paris to pairs
change pridge to bridge
Logged

aimdev

  • Full Member
  • ***
  • Posts: 119
  • Karma: 4
    • View Profile
Enhancements?
« Reply #410 on: July 12, 2019, 12:56:23 pm »
1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Enhancements?
« Reply #411 on: July 12, 2019, 08:25:52 pm »
Quote from: aimdev on July 12, 2019, 12:56:23 pm
change paris to pairs
change pridge to bridge

1. allow dates to be entered in european/other  format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, ie
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net

Hi @aimdev,

Thanks for the corrections. They had been fixed for 1.0.

You should be fine putting domain.com into a user defined category and it should also match subdomain.domain.com.

Didn't it work for you?
Logged

aimdev

  • Full Member
  • ***
  • Posts: 119
  • Karma: 4
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #412 on: July 12, 2019, 08:31:29 pm »
I didn't try it as the UI seemed to intimate a site (www.google.com)   not a domain, (google.com)
Can you confirm that entering google.com will work, or does it need wildcard character/regex?
Tks
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Sensei on OPNsense - Application based filtering
« Reply #413 on: July 13, 2019, 08:43:57 pm »
Hi @aimdev,

Yep, it should work that way. Just put google.com there and it'll match all subdomains.
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Sensei on OPNsense - Application based filtering
« Reply #414 on: July 17, 2019, 04:29:45 am »
Anyone experiencing any issues with VMware deployments?
Logged

donatom3

  • Jr. Member
  • **
  • Posts: 67
  • Karma: 11
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #415 on: July 18, 2019, 04:14:19 am »
@mb

So after the upgrade to 19.7 release I was able to change my tunables back to 4096 for rx and tx.

Here is the issue. And I've seen this on a few upgrades with no changes but firmware or sensei upgrades.

After the unit reboots after the upgrade I can reach the firewall until Sensei's engine starts. At that point it drops all traffic on my protected interfaces. I've been keeping an unprotected interface that I can easily swap to for these times. All I have to do to fix this is to disable "Enable engine heartbeat monitoring". Once I do packets start flowing again and I can re enable it without issue. I'll pull the worker logs and send them to you if that helps.
Logged

opnip

  • Newbie
  • *
  • Posts: 15
  • Karma: 2
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #416 on: July 18, 2019, 01:58:09 pm »
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
Logged

malac

  • Newbie
  • *
  • Posts: 18
  • Karma: 1
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #417 on: July 18, 2019, 05:23:53 pm »
quote author=opnip link=topic=9521.msg62264#msg62264 date=1563451089]
After upgrade OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel"

Quote
Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)
[/quote]

same error on my setup
« Last Edit: July 18, 2019, 05:25:37 pm by malac »
Logged

mb

  • Hero Member
  • *****
  • Posts: 908
  • Karma: 97
    • View Profile
    • Sunny Valley Networks
Re: Sensei on OPNsense - Application based filtering
« Reply #418 on: July 18, 2019, 07:05:00 pm »
@opnip @malac, thanks for the pointer. Having a look at it.

@donatom3, please go ahead and e-mail the logs to me. Does that happen in every reboot, or was it after the 19.7 upgrade reboot?

Logged

Space

  • Full Member
  • ***
  • Posts: 105
  • Karma: 6
    • View Profile
Re: Sensei on OPNsense - Application based filtering
« Reply #419 on: July 18, 2019, 09:05:12 pm »
Hi MB,

where can I configure the retention time for the worker logs? Shouldn't they be compressed somehow?
On my system the worker logs takes about 13GB ...

Thanks and best regards,

    Space
Logged

  • Print
Pages: 1 ... 26 27 [28] 29 30 ... 79
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Zenarmor (Sensei) »
  • Sensei on OPNsense - Application based filtering
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy
    | XHTML | RSS | WAP2