Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi,

I have Sensei running on my OPNsense and I wondered why big part of the traffic did not show up and I see in the FAQ that IPv6 support is still work in progress.

Do you have an ETA for that feature already?

Thanks and looks great so far!

Space

Hi @Space,

Many thanks for trying Sensei. Yep, 0.7 is IPv4 only.

Good news is that IPv6 will be coming very shortly with 0.8. It's been under testing for the past months. Looks like it's good to go for a test ride by BETA users.

We'll ship 0.8-beta1 this week or early next week :)

19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520
Proxmox enthusiast @home, bare metal @work.

Hi @Antaris,

Thanks for reporting this. Looking into it now.

Quote from: Antaris on February 02, 2019, 10:20:23 AM
19.1 goes in production now, and we that have sensei have a problem:
https://forum.opnsense.org/index.php?topic=11400.msg51520#msg51520

Looks like there was a typo in that command. Correct command should be: (from https://forum.opnsense.org/index.php?topic=11400.msg51521#msg51521)

For OpenSSL:

# opnsense-update -fp -n "19.1\/latest"

Or LibreSSL:

# opnsense-update -fp -n "19.1\/libressl"

Just did an OPNsense 19.1 upgrade on two of our firewalls. Looked good. 

Anyone who had any other issues upgrading to 19.1 ?

Quote: Anyone who had any other issues upgrading to 19.1?

The update did not work with Sensei or without it. The update started and just installed two kernel/base files, then restarted with 18.7.10. Even when Sensei was uninstalled, the update did not work. I tried the GUI and the console.

So I saved config, installed 19.1 clean from image and restored backup and reinstalled sensei.

Now with 19.1, sensei finally works with tagged vlan interfaces  8)
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Hi @hbc,

Thanks for sharing your experience. We're looking into the upgrade problem in case it's something related to the Sensei repository.

Glad to see that you're enjoying it now :)


Yes, works pretty nice. Just the cloud nodes seem a bit flappy. Most time at least one is displayed down.

One hint:

Traffic to the local squid proxy on port 3128 is categorized as "Generic TCPIP". I think it is intentional that it is not labeled as 'Proxy', which would probably cause problems when blocking the 'Proxy' category.

But maybe you can label it as category 'Web Browsing', application 'Squid Proxy'.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Hi @hbc,

Thank you very much for the feedback. With regard to Cloud servers, we have a fix for that in 0.8.

Thanks for the suggestion. You're right, and the suggestion sounds good ;)

Dear Sensei users,

Regarding https://forum.opnsense.org/index.php?topic=11477.0:

To be able to utilize the new functionality that comes with the new netmap-enabled kernel, we'll need to ship Sensei 0.8-beta1, which will re-enable virtio interfaces.

Actual ETA was this week. Still working on a few issues reported. Stay tuned for updates. 

Hi!

Quote: utilize the new functionality that comes with the new netmap-enabled kernel

One question. I had OPNsense 19.1 (fresh install) active with the shipped kernel, and tagged VLANs already worked in Sensei (which they did not with 18.7). I assume the new c4ec367c3d9(master) kernel is just for virtio interfaces?
Well, I updated kernel and it still works.

Will there ever be the possibility to set different policies for different interfaces? I have interfaces where I would like to be more restrictive and just allow productive things and interfaces where social media, gaming, etc. would be ok.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

February 13, 2019, 02:38:07 AM #191 Last Edit: February 13, 2019, 02:39:49 AM by mb
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.

Quote from: mb on February 13, 2019, 02:38:07 AM
Hi hbc,

Yep, correct. VLANs were also broken, but it looks like it was fixed with the FreeBSD 11.2 update. My note was about virtio support. Sensei 0.7 filters out any virtio interfaces. 0.8 will remove this filtering so that they will be presented in the Interface Selection.

Source Interface/Network Address/IP Address/VLAN/User/Group filtering is a feature of Policy based enforcement, which will be showing up with the Premium Subscription.

My advice is to consider exchange "Source Interface/Network Address/IP Address/VLAN/" for volume of users above 1000 or so... It's vital for usability and development at all IMHO.
Proxmox enthusiast @home, bare metal @work.

@Antaris, Thanks for your input. We'll definitely make use of your feedback.

Hi,

greetings from Germany.  :)
Great to see such a powerful addon for OPNsense. It was the reason to migrate my APU2C4 to VMware on an HPE ProLiant Xeon CPU, to fulfill the Sensei requirements.

However, it's working great. But I miss a feature: If something is blocked, it just doesn't load, right? But the user is not aware whether it's a non-working webpage (or parts of it) or whether it's blocked. It would be great if Sensei delivered some kind of block page, something like "This page has been blocked - block category is xxx. Please contact abc@def.de for further information".

Did I miss something in the settings, or is this feature currently missing?

Keep on the good work!
Cheers
Marco