Sensei on OPNsense - Application based filtering

[mb]

Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.

[opnsenseuser]

Hi @xsfpo,

This is because of package dependencies. OPNsense upgraded OpenSSL with 20.1. OpenSSL is a dependency for mongodb package.

If you're on the latest sensei version (1.3.1), you need to upgrade to OPNsense 20.1.

After installing sensei i get this error

 PHP Errors:

Code: [Select]

[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  filesize(): stat failed for /tmp/mongodb_dahsboard5e35d54da4d3d_result.json in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 78
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  explode() expects parameter 2 to be string, array given in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 187
[01-Feb-2020 20:45:17 Europe/Vienna] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 188

[opnsenseuser]

@mb did you get my bug report?

[mb]

@rene, yes, a colleague should have replied back. this is fixed, needs a package re-install:

Code: [Select]

pkg install -f os-sensei


[Antaris]

@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.

[petrus]

Hi,
Thanks for providing Sensei! I thought now with the 20.1 OPNsense release it's just the right time to try.
Unfortunately I ran into an issue before I was able to test Sensei: some network cards are not shown. 
My HW: Core i5-8400+16G RAM, some RTL onboard card (available from OPNSense, also not shown in Sensei, but I dont use that anyway) 
NIC I use: Intel i350 quad port, igb0+igb3=lagg0, igb1=wan 
Strangely igb0 and igb3 are available in Sensei as unassigned,  but not igb1 and igb2.Also all VLANS on lagg0 are available separatley. 
I was looking into the tunables and reset them according to this post, reset Sensei to factory defult, but that did not help: https://forum.opnsense.org/index.php?topic=13436.msg61860

Code: [Select]

hw.igb.rxd 1024
hw.igb.txd 1024
net.link.ifqmaxlen 2048
I don't see anything special in dmesg/syslog.
Sensei works for some of the VLANs, but it should actually work for WAN, which is igb1, and that's not available.
Suricata is not running on WAN.

Any ideas?
Thanks
Petrus

Code: [Select]

Sensei version info
Engine Version: 1.3.1 View Changelog Version History
UI Version: 20.1.31
Database Version: 1.3.1
Opnsense:
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019


[Antaris]

Hi Petrus,

Sensei protect internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.

[mb]

@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?

[Antaris]

@mb, may be is a good idea to implement report form in the web filtration page, where we can report sites that pass through blocked specific category.

Hi @Antaris, is this the landing page which gets displayed when a block happens or the Web Controls menu?

Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.

[mb]

Nope. I mean a form where we can report porn sites URLs to your company that loads when pornography category is restricted.

Got it. It should appear shortly this month/early next month.

[petrus]

Hi Petrus,

Sensei protect internal interface(s). If you want to protect tagged and untagged networks, try to put them on different physical ports.

Hi Antaris,
thanks & sry, should have been obvious about the WAN port.
What I still miss is the list of supported NICs, because I can't see the two onboard ports, just the i350 Interfaces.

Peter

[mb]

Hi @petrus,

To be able to access packet off the wire, Sensei makes use of a FreeBSD subsystem called netmap(4).

Netmap can be a pretty picky when it comes to ethernet device compatibility. So we try to filter out any devices that are known to be having problems with netmap.

Netmap team seems to be maintaining Intel based drivers, igb(4), em(4) being two of the most widely used ones.

[Antaris]

In short you can use integrated Realteks on your mobo as WANs if they needed at all...
If you will not use them better disable them in BIOS.

[opnsenseuser]

@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

[marcri]

@mb just one question. it would be interesting to be able to export or import report data. because if you have to uninstall sensei and erase the data (for whatever reason - hardware change or other problems), it would be great to be able to import the previously recorded data again afterwards. is just an idea. greetings rene

maybe you could try the snapshot function of elastic-dump (Github) or just curl:
CURL -XPUT 'localhost:9200/_snapshot/<backup_folder name>/<backupname>' -d '{
    "indices": "<index_name>",
    "ignore_unavailable": true,
    "include_global_state": false
}'