Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hello @MB, I need another favor from you if possible.

Can you please work with the OPNsense team to add an option for Sensei "Dashboard" and "Reports" in "Assigned Privileges" for users/groups? Well, I need to create a few users/groups so that they can only check the reports of the team assigned to them. I do not want to provide root user access level to them, to avoid them poking around and changing my configuration or deleting any logs or data.

January 02, 2019, 07:45:19 PM #151 Last Edit: January 02, 2019, 08:31:51 PM by the-mk
I finally decided to install Sensei on my box with several network interfaces.
I also have some servers running on those interfaces where I configured different hostname suffixes (configured with DHCP reservations and the checkbox to register the names in Unbound DNS), i.e. server1.lan, server2.home, server3.iot, ...
Before running Sensei I was able to resolve all hostnames fine.
I guess the setting "local domain name to exclude" in the Cloud Threat Intel tab has something to do with it? I tried to enter one server name here for testing - it did not work for me... Is saving the setting enough or do I need to restart something?
How do I tell Sensei to honor local server names when resolving local hostnames?

EDIT: after reading the post of donatom3 and the suggestion of mb to turn off cloud threat intel I can resolve my local hostnames again!

the-mk,

In my case I left that feature turned on. All I did is put my domain in the local domain section of the cloud threat intel section.

Now my local domain is ad.xxxx.com, but I have entries for domain xxxx.com, so I put in xxxx.com into the local domain and all subdomains are passed through correctly to my custom names in unbound.

@manjeet,

This is a cool feature request. Thanks. Added to roadmap.

A quick note on remote IP addresses on the "local assets table": We've had a look at the screenshots. 169.254.x.x is actually a local IP address. Your PC is automatically assigned an IP address if it cannot get an IP address from a DHCP server. More on this: https://www.techrepublic.com/forums/discussions/where-did-ip-16925451183-come-from/

Screenshots show that some PCs (or a PC) wanted to communicate with the outside world, but it did not get any replies (Incoming packets all zero).
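As an added illustration (not code from this thread or from Sensei), a small Python check that classifies addresses from a constructed assets-table sample the way mb describes: 169.254.x.x entries are self-assigned link-local hosts rather than remote peers, and rows with outgoing packets but zero incoming are hosts getting no replies. The row layout and counts are assumptions for the sample, not Sensei's export format.

```python
import ipaddress

# Constructed sample rows in the shape (address, outgoing packets, incoming packets).
# These are invented values, not real Sensei data.
SAMPLE_ROWS = [
    ("169.254.51.183", 42, 0),    # self-assigned address, no answers at all
    ("192.168.1.10", 1200, 1150), # ordinary LAN host with two-way traffic
    ("8.8.8.8", 300, 298),        # public resolver, answered
    ("10.0.0.5", 15, 0),          # private host, outbound only
    ("fe80::1", 5, 0),            # IPv6 link-local, outbound only
]


def classify_address(addr: str) -> str:
    """Return 'loopback', 'link-local', 'multicast', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        # 169.254.0.0/16 (IPv4 APIPA) or fe80::/10: the host assigned this
        # itself because no DHCP lease was obtained. Check this before
        # is_private, since 169.254/16 is also reported as private.
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


def analyse_rows(rows):
    """Annotate each row with its address class and any observations."""
    findings = []
    for addr, out_pkts, in_pkts in rows:
        kind = classify_address(addr)
        notes = []
        if kind == "link-local":
            notes.append("self-assigned address; host likely failed to get a DHCP lease")
        if out_pkts > 0 and in_pkts == 0:
            notes.append("no replies received; outbound traffic is unanswered")
        findings.append({"address": addr, "kind": kind, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in analyse_rows(SAMPLE_ROWS):
        print(f["address"], f["kind"], "; ".join(f["notes"]))
```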


January 03, 2019, 11:00:29 AM #154 Last Edit: January 03, 2019, 11:05:25 AM by manjeet
Thanks @MB and Thanks for the update.

Can you also add an option in reports for viewing live reports without manually refreshing the time? In Dashboard / Reports -> Filter (Reports Interval) -> when selecting Custom interval there is "Start time" and "End time".

It will be great if you can add another option or select box there to select "End time" as ongoing.

For example: if I want to see current reports from a specific time, let's say since morning, and want to check the reports after every 10 or 15 minute gap, then every time I have to select the option "Go to today" in End time. It would be better if there were an option such as "ongoing" which automatically changes the time at some specific interval, or to select a "refresh interval" as the time to refresh and update the time in "Reports Interval".

I see that shaping at layer 7 is on the roadmap for sensei. Is there any time table on that feature? Has it even started? I am looking to use it in a 1500-2000 user environment to replace some aging equipment if it is slated for the near future.

Also I have several ideas that I would like to see implemented as I have used application shapers for over 10 years in our environment.

@manjeet, you're right. They are already in the workload for 0.8 ;)

Hi @dp, correct. Shaping is on the roadmap. Our plan is to feed the currently existing shaping infrastructure on OPNsense. Sensei development is quite booked with IPv6 support nowadays. Though, you should see it implemented like Q2 or Q3 2019. We'd like to keep in touch about ideas on that ;)

Under Cloud Node Status, the nodes are always showing Down, with a countdown running and a "Check Now" button. If the countdown runs its course, the status changes to Up for about 15 seconds, or if I click "Check Now". Is this normal??? :)

Hi @lmwalker71,

Not quite ;)

If you're based in USA, make sure you have the "US - Central" Cloud nodes checked & in green color (Sensei -> Configuration -> Cloud Threat Intelligence). (If in Europe, Europe nodes should be active)

If that's already the case, can you reach out to us through sensei - at - sunnyvalley.io so that we can dig deeper together?

Services are randomly (?) stopping.

I read somewhere that services will stop when there is less performance, to save power for OPNsense native tasks, but I run Sensei on an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (8 cores) with 24 GB RAM, which should be quite enough power.

Since I have LACP interfaces for LAN (lagg0) and WAN (lagg1), each with 2x1G, and VLANs on the LAN interface, and due to some remarks in this thread that VLANs are not supported yet (due to FreeBSD netmap) and will be fixed with OPNsense 19.1, I added an additional, plain interface and just connected 1 PC.

Then I added this single interface with 1 PC as a protected interface in Sensei. I even reduced the deployment size from x-large (what I would need if VLANs worked) to small, in the hope that the memory footprint would be reduced (actually just 1 user/PC is connected).

But the packet engine still stops randomly. I blocked shopping categories to verify whether the engine is just shown as stopped or really stopped. And it is really stopped, since I can open a shopping page when the service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or the dashboard, I get a pop-up that the ElasticSearch service has to be started first and whether I want this. When I deny and check the status page, then both services are down - meaning whenever the packet engine stops, ElasticSearch stops, too.

Any hints on what could be the reason for the services stopping?

The service crashes pretty soon. 1-2 minutes after starting up.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Quote
I tested Sensei last week. After I activated it, however, access to the internet was barely possible (e.g. Google was not available at all). Since it was a productive system, I deactivated Sensei for now and did not continue to use it. Nevertheless, I would like to know why it was located; how should I best proceed with the analysis here?

In addition, I wanted to ask whether what I want to achieve is even possible: I would like an evaluation for special services (social media, online gaming, ...). Is Sensei able to give me an evaluation of how much time / data was used for special services?

Currently Sensei works with Cloud Threat Intel deactivated.
Unfortunately, "Egress New Connections by APP Over Time" and "Egress New Connections by Source Over Time" show no data: "no egress new connection". What do I have to configure to make it work?

Hi @jinn,

Thank you for giving Sensei a try. I see your quoted message did not get a response. Sorry for that. It looks like we missed it.

I guess you've been able to figure out the first part yourself. But I wonder why Cloud Threat Intel did not work for you. I'll write to you about this.

For reporting about application categories, yes you can do it. I guess you've started using it.

As for the egress connections report not showing anything: is it just a single report, or do all reports which show egress connections (i.e. local assets, remote assets, egress conns by source) show nothing at all?


Quote from: hbc on January 09, 2019, 09:26:35 AM
But the packet engine still stops randomly. I blocked shopping categories to verify whether the engine is just shown as stopped or really stopped. And it is really stopped, since I can open a shopping page when the service is marked as down.

Same with the ElasticSearch service. Sometimes when I open reports or the dashboard, I get a pop-up that the ElasticSearch service has to be started first and whether I want this. When I deny and check the status page, then both services are down - meaning whenever the packet engine stops, ElasticSearch stops, too.

Any hints on what could be the reason for the services stopping?

The service crashes pretty soon, 1-2 minutes after starting up.

Hi @hbc,

Thanks for reporting this. After services stop, and when you look at Status-> Services page, do you also see that both services are disabled at boot time?

If yes, most probably this is because of Sensei's Health Check subsystem. Because Sensei is in BETA now, checks are more sensitive to problems. Even if it finds a small problem it disables both services in an effort to keep network connectivity up & running.

Can you try disabling Health Check and see if services are running persistently?

If they do and it turns out because of Health checks, I'd still recommend investigating this. While running Sensei & ES, can you do 'top' on OPNsense console and see if any processes (not necessarily Sensei (eastpect) processes) are consuming much CPU/Memory?

Performance-wise, your system looks pretty decent. We've had reports of a similar system handling 700 concurrent users.

January 10, 2019, 07:52:01 AM #163 Last Edit: January 10, 2019, 08:55:35 AM by hbc
Hi @mb,

you are right, I had just set ElasticSearch to start on boot and left the packet engine disabled for auto-start. I'll try to set both to start on boot.

But I already tried with health check disabled, and after a while no traffic passed at all. But I'll re-check it again.
First with both starting on boot and then with health check disabled.

Update:
The start on boot was not the reason. Whenever the packet engine stopped for an unknown reason, the option was automatically disabled. I tried it 3 times and re-enabled start on boot. But within 5 minutes the service stopped again.

As the next option I disabled Health Check. Currently the service has been running for 20 minutes, which is 4 times longer than ever before. I'll keep an eye on it.

Hi @hbc,

Thank you for further information. Let us know if anything weird comes up.