Sensei on OPNsense - Application based filtering

[Archanfel80]

I referred for this: "In an effort to be able to provide Sensei for people who have less than 8GB memory, and as per Archanfel80's suggestion, we've enabled Sensei to run for deployments with 4B of RAM."

Im glad i can help :)

How does it help to just quote the complete previous text without any sensful addition?  ::)

[ruffy91]

I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

[Archanfel80]

Login to the firewall through SSH:
mkdir -p /usr/local/sensei/log/active
mkdir -p /usr/local/sensei/log/archive

reboot

I installed Sensei 0.8p9 on 19.1.6 (which I now updated to 19.1.7).
I get the following error when accessing the Dashboard or any sensei page:
Warning: fopen(/usr/local/sensei/log/active/Senseigui.log): failed to open stream: No such file or directory in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

[mb]

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chances that you did not enable the trunk interface from OPNsense Interfaces menu?

[Archanfel80]

Im using tagged vlan interfaces and all shown correctly. See attached image.

The folder /usr/local/sensei/log does not exist.

After manually creating /usr/local/sensei/log/active the plugin does seem to work.

The interface selection unfortunately does not show any tagged VLAN interfaces. Is this correct? I tought tagged VLANs are supported now?

Hi ruffy,

Having a look at log folder creation. Thanks for reporting this.

As for the VLAN tagged interface, any chances that you did not enable the trunk interface from OPNsense Interfaces menu?

[hbc]

Im using tagged vlan interfaces and all shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded sensei. If you remove them, you will not be able to readd them again unless you edit the right file to disable the display filter.

mb:

[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51 where is the comparision with 'vlan'.

[Archanfel80]

True!
I can confirm that, i dont see the vlan interfaces unless i add manually to the config.xml (Sensei section) or do the same what you mentioned.

Im using tagged vlan interfaces and all shown correctly. See attached image.

Yes, but you had these interfaces already active before you upgraded sensei. If you remove them, you will not be able to readd them again unless you edit the right file to disable the display filter.

mb:

[...] since we started supporting vlan trunk interfaces, we are filtering child interfaces now. Because netmap was causing problems when there are more than 2-3 vlan child interfaces monitored at the same time. [...]

You will have to edit /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/ToolsController.php
and change $filterflag = true; to $filterflag = false; in line #51 where is the comparision with 'vlan'.

[opnip]

Cloud Node Status is always DOWN (see attachment). I can klick "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays at is. Is this normal?

[mb]

@opnip,

As a private message, can you share your firewall's IP address with me? Let's do a trace.

Hi updated from beta8 to 9, everythings looks fine so far.
Also local DNS an Cloud Threat Intel is working, GREAT!

Only: I cannot set deployment size, drop down is empty....but thats it

@holger, fixed for beta10.

I get the following error when accessing the Dashboard or any sensei page:
73 Can't open log file at '/usr/local/sensei/log/active/Senseigui.log'

@ruffy, fixed for beta10.


@Archanfel80, @hbc, @ruffy,

Please watch for beta10. We removed the filter for VLAN child interfaces.

So the latest situation:

You can either

- Add the parent/tagged ethernet interface and protect the whole tagged/untagged
   traffic passing through the interface

or

- Add each vlan child interface seperately to the protected interfaces. The thing
  to note here is do NOT add both the parent and the child interfaces at the same
  time, or you'll hit a netmap bug.

Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

[donatom3]

Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Sent from my Pixel 3 XL using Tapatalk

[donatom3]

Any Sensei users who are using more than two VLAN child interfaces at the same
time? Any issues so far?

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Sent from my Pixel 3 XL using Tapatalk

Just saw you said more than 2 I can add a third one just for fun.

Sent from my Pixel 3 XL using Tapatalk

[manjeet]

Hi MB, In App Control, we can block an entire protocol / type of service. Is there any way to block one user and allow everyone else OR allow one user and block rest in network either by IP or MAC address. Thanks

[malac]

Cloud Node Status is always DOWN (see attachment). I can klick "Check Now" and after that, the status changes to "UP". But after a few seconds it goes back to "DOWN" and stays at is. Is this normal?

i have exact same behavior!

[mb]

Ive got one parent and two vlans interfaces on the same trunk all working fine. Same issue as others where the vlan interfaces don't show up as selectable but just adding the parent gets all 3

Just saw you said more than 2 I can add a third one just for fun.

Hi @donato,

Thanks, much appreciated. Please note that problem seem to arise when you add more than two "child" vlan interfaces. Haven't beed reported of a problem with tagged/trunk interfaces, although curious to know if there are any.

[mb]

@manjeet,

This is addressed via policy based filtering coming up with Premium subscription. Details almost complete. Hope to announce it very soon.

@malac,

Please send your public IP address to sensei - at - sunnyvalley.io. We'll run a trace.