Sensei on OPNsense - Application based filtering

[mb]

Hi @Antaris, thanks, well noted. This will ship with the next release.

[JohnDoe17]

@mb

Please consult the attached picture...

Is this message normal?  What does it mean?

Thanks.

[mb]

Hi @JohnDoe,

This is HardenedBSD's SEGVGUARD. Message means, sensei engine terminated once and SEGVGUARD tracked the application for some time to make sure someboady is not trying to do a memory-guessing brute-force attack.

If it was, the mechanism would have stepped in and prevented further restarts of the process.

Although, this does not have a practical effect on your traffic, we would like to analyze these to find the root cause and fix the root problem.

When for any reason sensei engine is terminated, it is automatically restarted; and traffic flow resumes.

[jf2001j]

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

Privacy is my concern. I use Sensei for getting an overview over iOT devices, but also want to trust that Sensei itself does not do unwanted connections. For this i have disabled all settings inside Sensei for connections to the Sensei backend, including auto-update.

Could you please describe why the JS from stripe.com included in several Sensei Dashboard webpages is loaded and why it posts data to https://m.stripe.com/4?

I'm also wondering why I did get the notification "Engine 1.2.1" is available for update inside Sensei without auto-update. But I don't have facts here. Perhaps an error on my side.

[mb]

@jf2001j, understood and well respected.

Stripe is our payment backend. This JS needs to get loaded if you want to do an in-app purchase for Sensei Subscription. Though, it might be better to delay its loading until the user opens "Upgrade to Premium" menu, instead of loading it during Sensei UI initialization routines.

If you disabled "Check For Updates Automatically", Sensei should not contact our update server anymore. If you did see a new update notification, two possibilities:

1. This could be a cached result of an update check done before you disabled auto updates.
2. You could have manually invoked "Check for updates" from Sensei -> Status and, this could be a cached result of this operation.

Thank you for your attention. Feel free to get back to us (you can also e-mail to privacy - at - sunnyvalley.io) if you see anything that needs further  attention here.

[mb]

Dear Sensei users,

Sensei 1.2.2 is out fixing some minor problems reported.

https://www.sunnyvalley.io/post/sensei-1-2-2

Enjoy,
Sensei Team

[tusc]

@mb I'm running into that bug that I reported back during beta again.

@donato, we received your problem report and logs, thanks. This looks like something related to the order of services. It looks like after opening an interface in netmap mode, a later interface related action is mangling its operation. Will keep you posted.

@mb, is this resolved in 1.2.2? I thought my issue was fixed when I disabled other services like maltrail and ntopng but I still see this problem. I just updated to 1.2.2 and about a few minutes after the packet engine is started I lose complete access to the firewall and Internet. Let me know what logs I can provide to help figure this out. Thanks.

[mb]

Hi @tusc, nope, we have not addressed that one. It's a nasty bug, which we cannot reproduce. Working on it. If you can send the /usr/local/sensei/log/ directory over to us via e-mail that would be great. Email to send: sensei - at - sunnyvalley.io

or

Click on Contact Sensei Team on the upper right hand corner, select Problem Report and make sure you select "Send logs" option.

[Quetschwalze]

@mb Would it be possible to have the Firewall Aliases available in Sensei's Policy Configuration as well? Adding IP-Adresses in two places feels redundant.

[mb]

@Quetschwalze, this would be a great feature. Added to the 1.3 workload

[jh]

hi mb,
i'm already using the free version for some time now and thinking about buying the home edition
so i still have some questions about the upper limit of 50 clients for the home edition.
My daily sensei report for the free version shows me an entry "Unique Local Hosts". Is this the value I can orientate myself on for the limit of 50?
How is the number of clients exactly calculated?  IPs in use?
What about clients/ip-addresses that are already blocked in the opnsense firewall and don't generate any traffic through the firewall at all? are they included in the calculation?
Currently I get 29 hosts displayed under Unique Local Hosts. But this is not correct. Only when I additional count my default gateway, coupling networks on the WAN side I get 29 clients.
what exactly happens when the maximum is exceeded?

Thank you
Juergen

[Quetschwalze]

@Quetschwalze, this would be a great feature. Added to the 1.3 workload

Awesome, looking forward to that!

I have a question I'm not sure whether its been asked before.
I'm utilizing policies to have different features active for different subnets. However, this only seems to work for me in conjunction with VLANs. If I try to bind a different policy on an untagged / default VLAN (only using the IP / Network Description) its not working. Only the Default Policy shows up in the reports. Is this expected?

[mb]

Hi @jh,

Internal memory buffers are adjusted according to IPv4 hosts. You don't need worry about IPv6 addresses.

Unique Local Hosts include both IPv4 and IPv6 addresses. If you want to see only IPv4 addresses, add a "Transport Proto" filter (Add Filter button on the top of Reports page) as TCP. Then the number of unique hosts value shows your actual device count.

We're updating Conn - Facts information to better show this information. With 1.3, you'll also have "Unique Local Devices" information.

So, for your Home Subscription, we had set it to 50 for providing a peace of mind; so it should be enough for Home use. If in any case, number of devices exceeds this, provided that it's not sustained, it should not cause a problem.

[mb]

Hi @Quetschwalze,

Subnet/IP address based policies should work with or without VLAN. Let me reach out to you, and see what goes on there.

[mb]

Dear Sensei users,

Sensei 1.2.3 maintenance release is out. Below is the Changelog:

Premium

• Convenience: warning message displayed when allowed number of policies reached for Home Edition
• Fix: Policy refreshes

Reporting

• Local Unique Devices information added to Conn - Facts chart in Connections View
• Autowhite/blacklist Hosts: remember user preference (sending categorization feedback)

Other

• Fix: Increase netmap buf_num value to accommodate both Suricata and Sensei on high-end servers
• Other performance and reliability improvements

Enjoy
Sensei Team