Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

August 05, 2019, 04:21:54 PM #450 Last Edit: August 05, 2019, 04:46:22 PM by jjanzz
If I try to update Sensei (engine version 0.8.0) to the stable release, it throws the following error:

OPNsense version later than 19.7.2, activating Sunny Valley Networks Sensei packet repository via "os-sunnyvalley"...Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-sunnyvalley' have been found in the repositories
Repo package "os-sunnyvalley" installation failed!
***ERROR***


This is on OPNsense 19.7.2

EDIT: I was able to install the engine version 1.0, by removing os-sensei and reinstalling it via the package tools. Though, sensei-updater continues to throw the same error.

@jjanzz, many thanks for the heads-up. Looking into it.

Thanks to @jjanzz, we were able to spot the cause.

It's because of the fact that we don't -yet- have an os-sunnyvalley package for OPNsense LibreSSL. We have a workaround for this for now, and will be shipping it shortly.


Dear Sensei users,

We're super excited to announce that Sensei 1.0 for OPNsense is finally out and available for everyone to enjoy.

This release is considered stable and marks the end of the BETA program. We'd like to take the time to convey our gratitude to all beta users for testing the software and giving feedback to us.

Special thanks go to the OPNsense team for their precious time & help in integrating the software into OPNsense.

During the BETA period, the product received very high-quality feedback from the community and improved a lot. We're looking forward to continuing the collaboration and providing more value to the community.

Compared to 0.8.x, below are the features that are introduced with 1.0:


  • First version of Active Directory Agent. You can now integrate Sensei with Microsoft Active Directory to get user/group info in reports.
  • OPNsense Captive Portal Integration: Captive Portal users are now displayed in reports.
  • Sensei can now be automatically updated via OPNsense firmware updater.
  • 11 more applications are recognized
  • Engine logs are not archived anymore
  • Premium subscription features are introduced in this release

More information on Installing, Updating:

https://www.sunnyvalley.io/post/sensei-1-0-out




Quote from: l0rdraiden on August 01, 2019, 08:35:59 AM
Yes, adding the ability to add lists from different sources would be a nice feature. This could be IPBL or DNSBL, for example from these websites.
https://github.com/collinbarrett/FilterLists
https://iplists.firehol.org/
This is more or less what pfblockerng does in pfsense but is able to remove duplicates and many other options like apply the lists only to certain ports, etc.

Hi @l0rdraiden, a quick update on this. We've decided to bring this functionality to the freemium edition of sensei.

Will post another update on the timing.

Hi,

installed Sensei today (latest version 1.0.1) on my OPNsense and wondering, why some manual filters work and some not?

I've created a new "User Defined Category" inside "Web Controls" called "Mac-Warez" and added the following three mac warez domains to it:

cmacapps.com
macwarez.net
nmac.to

UPDATE: As I'm writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

The fact that we live at the bottom of a deep gravity well, on the surface of a gas covered planet going around a nuclear fireball 90 million miles away and think this to be normal is obviously some indication of how skewed our perspective tends to be. (Douglas Adams)

@mb I programmed the sidebar and I have tried Sensei now, but note that something in the menu structure must be different because the automatic closing of the previous menu item only works if Sensei is not activated as an active menu. To make it easier I attached a screenshot. I think there must be something different in the menu structure.

Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Quote from: Marcel_75 on August 07, 2019, 09:33:12 AM
UPDATE: As I'm writing this, it seems to work now (all three sites are blocked). But it was only working after a complete restart, not after saving and applying changes.

Is this normal?

Hi Marcel, not indeed. Restart should not be required. New configuration is handed over to the packet engine on the fly.

Though we're fixing an issue which might cause occasional problems for the rule reload. Can you test with the upcoming 1.0.2? (should arrive this week).

@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.

Hi mb,

sure, will give it a try with the upcoming version 1.0.2, thanks for the fast answer and all the best.

Marcel

August 08, 2019, 04:02:29 PM #459 Last Edit: August 08, 2019, 04:05:06 PM by opnsenseuser
Quote
@opnsenseuser, thanks for reporting. We were able to reproduce this. Looks like a javascript buggie. Working on a fix now.

thx very much!

by the way. there are a few css classes in sensei that need to be customized!
i think you didn't use the default css classes of opnsense.

Does Sensei have a similar feature?

Shalla List has URLs where you can:

1. Search what category a specific URL falls under. so I see that "porn.com" category "porn/domains"

    http://www.shallalist.de/search.html

2. submit or revise URLs

    http://www.shallalist.de/search.html


@opnsenseuser, we'll be revisiting css/jscript codes.

@mty620, not yet. Both are on the roadmap. #2 should be coming up sooner.

Dear Sensei users,

We've just released 1.0.2 to address below issues and introduce a few enhancements:

  • Installer/Updater: Fix LibreSSL install and update problem
  • UI fix: Delete policy time schedule button has been placed in a more appropriate section
  • UI fix: Fixed an issue which caused the app/web category listing to be incomplete during Policy creation
  • Convenience: Removed an unnecessary engine restart during policy creation
  • Filtering: Fixed a bug preventing Landing Page to display when blocking a connection
  • Policy filtering: Fixed a bug affecting daily schedules
  • Enable unmapping of user <-> ip addresses
  • New feature: Live Authenticated Users View (Captive Portal/Active Directory)

Enjoy your weekend :)

- Sensei team

Note: The fix for LibreSSL install/update is temporary. In the coming week, we plan to deploy a separate repo for the LibreSSL build.


Quote from: mb on August 10, 2019, 04:48:46 AM
@opnsenseuser, we'll be revisiting css/jscript codes.

Thx. If you need help just ask!

I have two VLAN-related issues with Sensei (installed via plugin selection on "fresh" 19.7.2). My internal network "Trust" is on ix1 (native VLAN / untagged) and I have some special zones as tagged VLAN also on ix1 which are represented as ix1_vlan2 and so on in OPNsense.

When "protecting" Trust (the main interface) in Sensei, I have intermittent packet loss for about 3-4 seconds, every 10-15 seconds. No data is seen by Sensei (according to live view and reports) at all.

When trying to select Trust and a DMZ I get an error message:
"You cannot protect both parent and its child VLAN interface"
Technically OPNsense doesn't really see them as parent and child interface though, at least the report always shows sth like interface "ix1_vlan2" and vlan "0" when activated *on a VLAN interface only*.


It seems to work fine though when only "protecting" VLAN interfaces without the main interface. Only the interface naming is not consistent: for some of my VLANs the "friendly" name is displayed (i.e. "DMZ" or "voice") for some the subinterface name, i.e. ix1:3


This could be observed both with versions 1.0.1 and 1.0.2

Unrelated to the VLAN issues:
My RFC1918 IP address range 172.17.2.0/24 is recognized to be from Australia in the Geo IP view (Top Destination Locations Heatmap).
"Network interfaces" on the status page is not showing what is configured. Sometimes it shows nothing, sometimes an interface that has not been configured.