Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Quote from: opnsenseuser on August 18, 2019, 12:35:22 AM
Quote from: opnsenseuser on August 07, 2019, 03:38:23 PM
@mb I programmed the sidebar and I have tried sensei now. But note that something in the menu structure must be different, because the automatic closing of the previous menu item only works if sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

@mb menu problem solved!!
working on the "css code" fixes for sensei now!! this will come later this week!!

https://github.com/opnsense/core/pull/3653

@mb css code fixes for tukan and cicada
https://github.com/opnsense/plugins/pull/1456

Everything is done.
One last css thing I found in the css code of sensei. I will tell you by email!

Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

@mb sensei widget would be great!!

Quote from: xpendable on August 17, 2019, 03:34:43 AM
UPDATE:
So I decided to do the nmbridge test even though the offload settings could not be disabled via the ifconfig command. See attached for the results, I did one test with an active VPN connection and one with no VPN connection.

Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, then all we need to do is check if this is a pseudo interface and if so, we won't try to disable offloadings. Then it should just work.

We're also giving wireguard a try here. Will keep you updated.

Hi @opnsenseuser, that's great news. Looking forward to your e-mail.

Quote from: mb on August 19, 2019, 06:28:42 AM

Hi @xpendable, this looks promising. Have you been able to use the vpn interface while the nmbridge was running? Any connectivity issues?

If not, then all we need to do is check if this is a pseudo interface and if so, we won't try to disable offloadings. Then it should just work.

We're also giving wireguard a try here. Will keep you updated.


Hi @mb,

I did a quick test during the netmap command in which a website loaded correctly, google news was checked, and I even played a youtube video with no issues.

I would imagine that it is a pseudo interface as by default WireGuard does not show up as an actual interface under interfaces within OPNsense. I manually create a new interface in OPNsense under interfaces and assign "wg0" to it, and then enable that newly created interface with no other settings because the IP address is already being assigned by WireGuard. This allows me to see the netflow/insight data for the VPN connections, because by default the "WireGuard" interface that is shown in netflow/insight always shows no data.

Hi @xpendable,

Thanks for further analysis. This tells us that a wireguard interface can be used with netmap. That's very good news.

We did a quick wireguard install. Looks like it's a tun interface instead of a tap interface. If it was tap, then it would be as easy as tweaking the offloading settings, since tap is identical to a virtual ethernet interface.

tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.
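The tun/tap framing difference described in the post above, as an added example that is not part of the original thread and not Sensei's code: a frame parser that locates the IP header for Ethernet-style frames (physical NICs, tap) and for tun frames. The function name `l3_offset`, the `link_type` labels and the sample bytes are constructed for illustration, and it assumes tun packets begin directly at the IP header with no link-layer prefix.

```python
import struct

ETH_HLEN = 14              # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag adds 4 bytes


def l3_offset(frame: bytes, link_type: str):
    """Return (ip_version, offset_of_ip_header), or None if the frame is
    not IP or is malformed for the given link type."""
    if link_type == "ethernet":            # physical NICs and tap devices
        if len(frame) < ETH_HLEN:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        offset = ETH_HLEN
        if ethertype == ETHERTYPE_VLAN:    # skip a single VLAN tag
            if len(frame) < ETH_HLEN + 4:
                return None
            (ethertype,) = struct.unpack_from("!H", frame, 16)
            offset += 4
        expected = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}.get(ethertype)
        if expected is None:
            return None                    # ARP, LLDP, etc.
    elif link_type == "tun":               # no MACs, no EtherType
        offset, expected = 0, None
    else:
        raise ValueError(f"unknown link type: {link_type}")

    if len(frame) <= offset:
        return None
    version = frame[offset] >> 4           # high nibble of first IP byte
    if version not in (4, 6) or (expected and version != expected):
        return None
    return version, offset


# Constructed sample data: a minimal 20-byte IPv4 header (version 4, IHL 5).
IPV4_HDR = bytes([0x45]) + bytes(19)
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
ETH_FRAME = MACS + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR
VLAN_FRAME = MACS + struct.pack("!HHH", ETHERTYPE_VLAN, 10, ETHERTYPE_IPV4) + IPV4_HDR

if __name__ == "__main__":
    print(l3_offset(ETH_FRAME, "ethernet"))   # tap / NIC framing
    print(l3_offset(IPV4_HDR, "tun"))         # tun framing
    print(l3_offset(IPV4_HDR, "ethernet"))    # tun packet misread as Ethernet
```

Parsing a tun packet with the Ethernet path reads IP header bytes as an EtherType and rejects the packet, which is why an inspection engine needs an explicit code path for tun rather than only an offload tweak.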

Quote from: mb on August 21, 2019, 03:50:00 AM

tun is a little bit different (no mac addresses, different L2 header), so although not a big deal, we'll need to add an explicit support for it. Added to the roadmap. Will update on the status.


Hi @mb,

That's great to hear, thanks for looking into this and putting it on the roadmap. Just another great feature to look forward to in Sensei ;D

I am new to Sensei - I have just installed it and I wander around the menu.

Is it normal that there are no web-categories in web-controls, no entries in app-controls and security? I cannot even add something in security or app-controls?

Thanks for clarification!

Hi @donald24,

Many thanks for trying out Sensei.

This is not normal. Can you PM a screenshot of your screen to me? Also please share a screenshot of "Lobby -> System Information"


Hi Murat,

is there a bug?
[23-Aug-2019 14:33:30 Europe/Berlin] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:335 - Undefined offset: 50 (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:85
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php(335): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Undefined offse...', '/usr/local/opns...', 335, Array)
#1 [internal function]: OPNsense\Sensei\Api\EngineController->licenseAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Sensei\Api\EngineController), 'licenseAction', Array)
#3 [internal function]: Phalcon\Dispatcher->dispatch()
#4 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#5 {main}


Best
Marc

August 23, 2019, 03:22:16 PM #490 Last Edit: August 23, 2019, 03:24:42 PM by h311m4n1
Hello,

Been an OPNsense user for a few months now, switched from pfSense. Love it so far.

Maybe like others here, I'm a cryptocurrency enthusiast and I need to strengthen the security of my machine where my wallets run on. I'm planning on moving it to a separate VLAN and authorize only specific ports for the wallets that need them. I want no web traffic on it. However while checking the traffic to list the ports I need to let through, I see two of the wallets I have (which are multiasset) use 443 and I want to avoid just opening 443 on that VLAN.

Where I work we use a PaloAlto firewall and the application based filtering is really handy. I just discovered Sensei and I'm playing around with it. I assume you could let 443 through for a specific application.

One question: is there a way to add custom applications to the app control that aren't in the list?

I think this answers it: https://help.sunnyvalley.io/hc/en-us/articles/360025098033

But still wanted a confirmation.

Thanks!

A quick follow-up on @donald24's issue: It looks like having ntopng on the same interface messes things up. When he moved it to another interface & re-installed, everything was back to normal. Thanks @donald24 for helping diagnose the issue.

@marcri, we had an update on the licensing API, might be that this fell into the same window. It should be all ok now.

@h311m4n1, many thanks for trying out Sensei. User-defined application signatures are not here yet. This is one of the most wanted features, and will be implemented in near future.

It appears that the CDN for Escape From Tarkov is being miscategorized as malware/virus and is therefore being blocked. Can we get this fixed? The URLs are as follows.

http://cdn-11.eft-store.com

Here's a download for the game launcher.

http://cdn-11.eft-store.com/LauncherDistribs/0.7.2.569_a332f4f4-2fcb-43cb-bc8a-cd0d1692a6a8/BsgLauncher.0.7.2.569.exe

Hi @yukaia,  sure, done. In the meantime, you can whitelist this site from Web Controls -> User Defined Web Categories.

We'll be launching a web re-categorization feedback service soon.

August 26, 2019, 08:20:15 AM #494 Last Edit: August 26, 2019, 08:23:16 AM by opnsenseuser
@mb I replied to a few emails from your colleague! (html/css)
But I think he didn't get my mails?
Any problems on your/his email server?

anyway..

1. I only found one margin problem in the sensei html/css code.
For the main color modification I made a PR on GitHub for the Tukan/cicada themes, which will be released in the next OPNsense firmware update!
2. I fixed the active menu problem and made a PR too. This is already merged. It will also be released in the next firmware update!

regards rené
