Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi MB,

With beta7 I was able to add OPT1 (VLAN interface) to the protected interfaces. I can still do this with beta8. What did actually change with
Quote: "We've shipped 0.8.0.beta8 yesterday. This update brings vlan tagged interface support and fixes several issues with beta7. All beta7 users are encouraged to update to beta8."
I think I'm overlooking something.
It would be nice to add different Sensei rules for different Vlans. I was hoping this was one of the things that changed in beta8.
I can confirm faster DNS lookups now with cloud threat intel enabled!
Best regards.
Ruud


Yeah, different rules on different interfaces would be a great feature, as would a scheduling function.

April 14, 2019, 12:28:43 PM #257 Last Edit: April 14, 2019, 03:39:02 PM by opnsenseuser
It would also be a nice feature if you could install the plugin standalone on an external BSD or Linux computer and use the plugin as an analyzer.

The firewall could be relieved. Especially in the home user area that is an advantage, but certainly also a welcome feature in the business area.

Is there any news on the topic of Sensei optimization for low-power hardware?

Thank you

Regards, rene
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Hi,

Is it possible to have parental controls or per device/group filtering?

Just installed 0.8.0.beta8 and did an audit of the packages and found that an outdated library is being used that is vulnerable. Any way I can manually update this w/o breaking anything, or will it be fixed in the stable release?

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.freebsd.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

1 problem(s) in the installed packages found.
***DONE***
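The text above is the format FreeBSD's pkg audit prints. As an added example (not code from the thread or from Sensei), this Python snippet parses that output into structured records, using the poster's own audit output as sample input, so a monitoring script on the firewall can act on it instead of eyeballing it:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the `pkg audit` output quoted in the post above (the package,
# CVE and VuXML link are the ones the poster reported, not constructed values).
SAMPLE_AUDIT_OUTPUT = """\
vulnxml file up-to-date
libXdmcp-1.1.2_2 is vulnerable:
libXdmcp -- insufficient entropy generating session keys
CVE: CVE-2017-2625
WWW: https://vuxml.freebsd.org/freebsd/1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335.html

1 problem(s) in the installed packages found.
"""

@dataclass
class Advisory:
    package: str                  # installed package with version, e.g. libXdmcp-1.1.2_2
    summary: str                  # text after 'name -- ' in the advisory header
    cves: List[str] = field(default_factory=list)
    url: str = ""                 # VuXML entry describing the advisory

def parse_pkg_audit(text: str) -> List[Advisory]:
    # 'X is vulnerable:' opens a package section; each 'name -- summary' line
    # inside it starts a new advisory, and CVE:/WWW: lines attach to that one.
    advisories: List[Advisory] = []
    package: Optional[str] = None
    current: Optional[Advisory] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(\S+) is vulnerable:$", line)
        if header:
            package, current = header.group(1), None
        elif package is not None and " -- " in line:
            current = Advisory(package=package, summary=line.split(" -- ", 1)[1])
            advisories.append(current)
        elif current is not None and line.startswith("CVE:"):
            current.cves.extend(re.findall(r"CVE-\d{4}-\d{4,}", line))
        elif current is not None and line.startswith("WWW:"):
            current.url = line[4:].strip()
    return advisories

def vulnerable_packages(text: str) -> List[str]:
    # Distinct package names, sorted, for an alert or a follow-up `pkg upgrade` check.
    return sorted({adv.package for adv in parse_pkg_audit(text)})

def reported_problem_count(text: str) -> int:
    # Read pkg's trailing 'N problem(s) ... found.' summary line; 0 when absent.
    match = re.search(r"^(\d+) problem\(s\)", text, re.MULTILINE)
    return int(match.group(1)) if match else 0
```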

I'm keen to check your plugin, but the installer complains:

"Unfortunately Celeron is not supported by Sensei."

I can't say that my CPU is weak, it performs well on most tasks.

What will happen if I remove this check from the installer? Do you have any other checks that will prevent installing it?


Yes! If you have less than 4GB RAM the installer will also fail. You can remove this check too. The RAM is not a problem, I have Sensei on a 2GB APU board without problems, but that board has a quad core Intel processor, and the CPU usage is kinda heavy. I'm not sure the Celeron processor can handle this.

Quote from: timota on April 22, 2019, 09:30:27 PM
I'm keen to check your plugin, but the installer complains:

"Unfortunately Celeron is not supported by Sensei."

I can't say that my CPU is weak, it performs well on most tasks.

What will happen if I remove this check from the installer? Do you have any other checks that will prevent installing it?


Hi,

Is anyone using the scheduled reports in the reports & data section of the configuration (Sensei 0.7)?
Is it just me, or is the "click to download and view detailed reports" link not working within the email (getting a blank html file with 0 bytes)?
It does not work for me in MS Outlook (Office 365) and Thunderbird.
If I access those mails through the webmail of GMX (my mail provider) I can see that there's a html file attached. I can see the attachment in the app on my iPhone, but that's not my favorite "view that report" device.

Are there any updates on Sensei 0.8? since that thread fell asleep ;)

Thanks!

@mb: is there an update about this issue?
I ran into this issue on my physical test hardware with only two ethernet ports, where one is running several VLANs. After reading your post I removed the parent adapter from the protected interfaces and it is working again. But that was on Sensei 0.8.0.beta8...
Thanks!

Quote from: mb on March 21, 2019, 08:57:19 PM
Hi Bene,

Messages in the screenshot are ok: netmap telling you it was able to open the ethernet port.

I can confirm that there's something weird with the trunk interface when we bridge hw <-> sw rings. After a while packet transmission stalls for the child interfaces:

658.955704 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048
683.531482 [2909] netmap_transmit           igb3 from_host, drop packet size 541392904 > 2048


Looking into that.

For now our advice is, if you're using VLANs:

  • Stay with the stock kernel which comes by default with the OPNsense release; we need more work in the new kernel with regard to VLANs
  • Do not put any untagged traffic on your VLAN trunk port, and you should be able to protect VLAN child interfaces just fine

Our plan is to be able to process the trunk interface directly and for all VLANs and you'll not need to separately select child interfaces. Will get you updated on this.

For now, if you can carve out the untagged traffic from the trunk port, you're ok.

Quote from: mb on December 29, 2018, 07:29:00 AM
Hi @donatom3,

For application control, DNS does not play any role, so you'll be utilizing Sensei at its full potential in any case.

For security & web filtering, yes, you'll lose some data there, provided that you do not enable Web Reputation & Cloud Threat Intel, which requires DNS override.

If your DNS transactions are traversing through an interface which is protected by Sensei & you have Cloud enabled, dns override will be in place (like unbound). Because we are way earlier in the process, we'll also override unbound.

That being said, if you place the DC in the same broadcast domain with your clients, they'll be utilizing your DC (this way they do not traverse through Sensei to reach the DNS server). -- Local DNS server will still be subject to the same behavior if its traffic passes through Sensei. -- Here you have your local queries untouched.

We've been asked (by some more users) about the possibility of using both the Sensei Cloud database & local DNS servers. We're evaluating methods to do it. Most probably we'll be back into this in the second or third quarter of 2019.

Very happy to hear that you've attained gigabit speeds and happy with the software ;)


Would be great if I could use Cloud database & local dns!

Do you have a pricing idea for premium edition for home user?

thx

Dear Sensei users,

An update on the low-resource systems:

Below are the results of the poll "How much memory do you have on your OPNsense firewall".

Many thanks to those who attended the poll. According to the results, 2/3 of the OPNsense users have either 4GB or more memory.

So, as per Archanfel80's suggestion, enabling for 4GB will allow another 40% to be able to start using Sensei. We thought that this is a huge number and lowered the minimum memory requirement to 4GB (Elastic is configured accordingly).

So, practically, if you have 4GB RAM, then starting with beta9 (coming this weekend), you'll be able to enjoy Sensei for up to 100 users.

I'd like to thank Archanfel80 for his awesome suggestion. It's in the works now.

Alternative database backend work (which will enable Sensei for 2GB or less memory) is continuing, but might take a little longer than we originally planned -- most probably post 2019. (due to other high priority work).

Note: I see that we missed some messages unanswered here. Apologies for that: we're recovering quite a loaded timeframe, and will be getting back to you shortly.

Quote from: opnsenseuser on April 14, 2019, 12:28:43 PM
It would also be a nice feature if you could install the plugin standalone on an external BSD or Linux computer and use the plugin as an analyzer.

The firewall could be relieved. Especially in the home user area that is an advantage, but certainly also a welcome feature in the business area.

Yes, we have some good news about this. Part of our overload was due to this feature actually. With 0.8.0.beta9 (coming this weekend), you'll notice in Configuration page that we have introduced another deployment option:

L2 transparent bridge.

In this mode, Sensei literally bridges two of your ethernet interfaces.

This way, we can scale to the number of Rx/Tx ethernet queues, thus making maximum use of the multiple CPU cores in the system.

We introduced this to be able to support sites which have thousands of users.

This also helps you to keep your existing firewall and still enjoy the functionality offered by OPNsense & Sensei as an additional layer of defense.

A live deployment for 5000 users was done; and looks quite promising.

Quote from: opnsenseuser on April 14, 2019, 12:28:43 PM
Is there any news on the topic of Sensei optimization for low-power hardware?

Yep, please see my above answer: https://forum.opnsense.org/index.php?topic=9521.msg58741#msg58741

Quote from: holger.o@web.de on May 11, 2019, 06:32:35 PM
Would be great if I could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Quote from: holger.o@web.de on May 11, 2019, 06:32:35 PM
Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.

Quote from: mb on May 11, 2019, 07:59:34 PM
Quote from: holger.o@web.de on May 11, 2019, 06:32:35 PM
Would be great if I could use Cloud database & local dns!

Yes, it's implemented :) Look for 0.8.0 beta9, coming up this weekend.

Quote from: holger.o@web.de on May 11, 2019, 06:32:35 PM
Do you have a pricing idea for premium edition for home user?

Pricing and premium subscription plan details are almost complete. Hope to announce it very soon.

GREAT!!! looking forward...THX