Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Quote from: tusc on September 03, 2019, 02:32:20 AM
Really? I'm using a quad port Intel GigE card so wasn't aware this was netmap-incompatible:

...
igb0: netmap queues/slots: TX 4/2048, RX 4/2048


Nope, you're right. Actually this is the best one in terms of inter-operability. I notice you have 2048 tx/rx descriptors.

Can you try setting tx/rx descriptors to 1024 and see if you still have the problem?

hw.igb.txd: 1024
hw.igb.rxd: 1024

Dear Sensei users,

Some of you who uninstalled/re-installed Sensei might have noticed: with 1.0.2, we introduced a feedback form in which you could provide feedback on why you're uninstalling the plug-in.

Looking at the results, it looks like more than 80% of the time the reason is low hardware resources.

Seeing that, we have accelerated our efforts to be able to run Sensei on low-end devices (like 2GB RAM, embedded CPUs etc.)

Our test device is a Qotom with an Intel Celeron J3060 @ 1.60 GHz. This device has a ubench score of 170.000. Looks like Sensei is running fine with most of the reporting on this device.

We are wondering how your devices compare to our test device.

For those of you who could not run Sensei due to hardware limitations, any chance that you can run:

# ./ubench -c -s
on your device and report the results to us? You can PM me or shoot an e-mail to sensei at sunnyvalley.io. We need the CPU information and the ubench single-core CPU score.

Any help on this is greatly appreciated.


PS: The OPNsense repo does not have ubench; you can download the binary from https://updates.sunnyvalley.io/downloads/ubench

There is an issue with the interfaces since the latest OPNsense upgrade. No matter if I select any interfaces, Sensei said: "You must select at least one interface to start or restart sensei service!" and the packet engine does not start. Tried a complete reinstall of Sensei, including deleting the corresponding part in the config.xml. It did not help.

Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install, or does this happen during a new install?

Hi!

It seems only the fresh install is affected, or if I change the interface config in the existing one. That also breaks something.

Quote from: mb on September 11, 2019, 05:44:56 PM
Hi @Archanfel80,

Thank you for bringing this to our attention. Trying to reproduce now. Does that affect a pre-existing Sensei install, or does this happen during a new install?

Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.

I had 19.7.3, upgraded to 19.7.4 now, but same issue.

Quote from: mb on September 11, 2019, 10:23:16 PM
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.

It's solved!
Thank you for the help! :)
It was the LibreSSL package issue.

Quote from: Archanfel80 on September 11, 2019, 10:30:31 PM
I had 19.7.3, upgraded to 19.7.4 now, but same issue.

Quote from: mb on September 11, 2019, 10:23:16 PM
Hi @Archanfel80,

Couldn't reproduce this on a 19.7.4 (amd64/OpenSSL) with 1.0.2 fresh install. I'll be reaching out to you. Let's have a look together.

@Archanfel80,

You're all welcome. For any LibreSSL users who might experience the same, the resolution is here:

https://forum.opnsense.org/index.php?topic=9521.msg64618#msg64618

1.0.3, which will ship next week, will also be solving this.

Hi,

Does Sensei aim to supersede IPS in OPNsense?

I cannot run both (IPS and Sensei) as I use PPPoE on the WAN and cannot run both IPS and Sensei on the LAN.
Sensei looks awesome and provides amazing insights into the network traffic, but does it protect against emerging threats in a similar way to IPS using Suricata?

Thanks


Hi @bunchofreeds,

With OPNsense, Sensei does not replace IDS. We recommend using both of them.

We have a solution for Suricata and Sensei co-existing on the same interface. Hope to ship the functionality this year. Basically we'll have a virtual device between Sensei and the IPS engine. We have initial thoughts to provide TLS decryption for the IPS engine through this integration.


@mb

Thanks for confirming that, and I'm looking forward to you and your team's future efforts with Sensei.
It really is quite an excellent addition to the already amazing Firewall/Router/Swiss Army Knife OPNsense.

Thanks again for providing this.

Hello @mb,

I am on my third day with Sensei, and I like it very much. Today, I tried to set up reports by mail and got some problems because the system sets "autoreports@sunnyvalley.io" as sender. As my mail relay does not allow sender addresses with non-local/external domains, it would be very nice to have the possibility to set our own sender address.

Thanks !

Quote from: nullinger on September 17, 2019, 10:41:50 PM
As my mail relay does not allow sender addresses with non-local/external domains it would be very nice to have the possibility to set an own sender address.
Sensei uses the SMTP username as sender, in my case it is an email address. Works as expected.

Hi Murat, and thanks a lot for the good job with Sensei...
The addition of many "Next Generation Firewall" functions to Open Source is a big idea, and I have tried Sensei, and it is really good.
One question please (for home users): is there any plan for a good price for a premium subscription? Because 499,00€ a year is too heavy for the small plan for 25 devices! Other firewall solutions are free for home users (or for a small price a year) with most of the benefits of different policies and other services like Sensei!

Regards,

Karl