Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi @sol,

Quote from: sol on October 03, 2019, 01:49:39 PM
And another question. How can I use sensei for my openvpn network. I cannot select it at the interface selection.

They utilize tun interfaces, which Sensei does not support at the time being. Support is planned for early 2020.

See: https://help.sunnyvalley.io/hc/en-us/articles/360025100613#no_tun

Quote
And local hostname resolution does not work for me or I'm not using the right configuration.
Opnsense runs unbound and dnscrypt proxy.

Which server do I have to use?
DNS server IP addresses to do reverse IP lookups:
127.0.0.1,192.168.1.1
is the current setup.

127.0.0.1 would be the best bet since I'm guessing it would be the most knowledgeable one in terms of local name resolution.

When you open the live session explorer and hover over src hostname fields, you should see them being resolved; isn't that the case?

See: https://forum.opnsense.org/index.php?topic=9521.msg66123#msg66123

In terms of SWAP, normally this configuration should easily handle your scenario. Does turning off squid help? We have seen some cases where web cache was already using more than half the memory, so Sensei couldn't fit in.

Quote from: mb on October 03, 2019, 02:17:16 AM
Quote from: mucflyer on October 01, 2019, 11:47:02 PM
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?

Same problem here. Started after upgrading to version 1.0.3

WAN adapter: Intel
LAN adapter: tp-link

Quote from: the-mk on October 02, 2019, 02:38:28 PM
is it possible that the daily report mail is broken somehow since the upgrade to Sensei 1.0.3?
I've already checked the settings and sent a test mail (which arrived); disabling and re-enabling the report did not help either.
After the upgrade to Sensei 1.0.3 succeeded, one report mail arrived, but since then no more mails :(
strange... I did not change anything since the last post, I didn't even reboot or anything like that... but today I received a report... let's see what happens tomorrow...
is there a log somewhere that tells me the mails were sent and that the problem is with my mail account?
mail is sent from a gmail.com address and received at a GMX address - but there was nothing in a spam folder...

Quote from: giovanit on October 04, 2019, 01:53:12 PM
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?

Quote from: mb on October 04, 2019, 05:39:57 PM
Quote from: giovanit on October 04, 2019, 01:53:12 PM
WAN adapter: Intel
LAN adapter: tp-link

@giovanit, is tp-link (LAN) em or igb? My guess it is re. If it's not em/igb, any chances you swap adapters and see if anything changes?

@mb, tp-link is re.
The firewall is running in production and I don't have another adapter at the moment. I disabled Sensei, as crashes are becoming frequent.

Is it possible to go back to the previous version?

Why does your website no longer load? What's going on with this addon?

@ErkDog, website is operational. DNS is working. Might be a local problem on your side.

Quote from: mb on October 03, 2019, 02:17:16 AM
Quote from: mucflyer on October 01, 2019, 11:47:02 PM
Good day everyone. I do have issues with Sensei on my pfsense box. When starting Sensei Packet Engine, all traffic is gone. No ping to router, no internet, nothing.
OPNsense 19.7.4_1-amd64, Engine Version:1.0.3

Hi @mucflyer, thanks for trying out Sensei. This looks like a netmap issue. Which ethernet adapter were you using?
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k


Somehow Sensei is not filtering on my machine. But I could not yet figure out if it is because of the LAGG interface, the running squid webproxy or the IPv6 GIF tunnel.

I started here before I found this thread.
https://forum.opnsense.org/index.php?topic=14649.0

Hi MB,

I created a new interface for a child wifi and installed SENSEI again as a content filter only for this interface, blocking the categories "child porn", "adult", "pornography" and some more. Connecting with an iPad, switching to private mode in Safari and searching for "porn" on Google, 60% of the listed results are accessible. The rest are blocked by the Sensei splash screen.

Is the content filter under development? What about the other categories?

best

Ralf

Sorry if this has been answered before, I haven't read all 38 pages. Sensei is working pretty well, with very detailed reporting. I have a few questions about the plugin.

When browsing the session explorer, I wanted to block a website directly from the session explorer; is it possible to block single websites from the session explorer without blocking the whole web/app control?
Is it possible to bulk import websites into the "white/black-list"?
Can I add my own webcontrols/appcontrols?
Redirect to the "block page" doesn't work when connecting over https. Do I need TLS inspection for this?

Thanks!

@Ralf_s,

This looks like the result of a combination of factors:

With the increasing number of Sensei users, 2 weeks ago we experienced a performance issue which persisted for 2-3 days. This looks to overlap with the time you experienced the problem.

In the Free Edition, the blocking feature is limited to 20 Million sites. If the queried site does not fall in this cloud, the site is not blocked.

If Sensei cannot correlate the hostname to the connection it's inspecting, (i.e. missing dns transaction) it wouldn't block.

But for your case, looking at the ratio and the nature of your particular test, I'm guessing the first one might be the primary problem.

For the second item, with 1.1 we're changing how we handle the free/paid database queries. Since we could not measure whether we really missed a site or it was a limitation of the free edition, we've removed the site limit and it'll be unlimited. The differentiation will be based on the number of web categories blocked.

For the third item, 1.1 also sends a cloud query at later stages of the connection (i.e. when the TLS SNI or the HTTP hostname is seen, etc.). This allows the engine to make further policy decisions even if the cloud answer does not arrive very fast and early in the connection.

@Tubs,

Yes, that's because of the lagg interface. Since it's a software interface, netmap cannot find any hw rings. The solution is that we're introducing the option to protect lagg/bridge member interfaces (which are real interfaces with hw/sw rings).

This functionality is coming with 1.1. When that ships, go to Sensei -> Configuration -> Interface Selection. There you'll see "Unassigned" interfaces. Select the ones which constitute your lagg / bridge, and you should be good to go. For lagg interfaces, you might want to select an algorithm which does symmetric load balancing (i.e. avoid round-robin).

1.1 is scheduled for early November.
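The third point in the reply to Ralf_s (a connection whose hostname cannot be correlated to a DNS transaction is not blocked, and a later SNI / HTTP Host sighting gives the engine a second chance) is easiest to see in a small model. The following is an added illustration, not Sensei's code: the `Engine`, `Connection`, the stage names and the in-memory `CATEGORY_DB` standing in for the cloud category lookup are all constructed here.

```python
"""Toy model of how an inline engine attaches a hostname to a connection.

Added example (not Sensei code). The engine keeps a cache of DNS answers it
saw on the wire; when a connection appears it tries, in order:
  1. the DNS cache (dst IP -> name), available from the first packet,
  2. the TLS SNI, available once the ClientHello has been seen,
  3. the HTTP Host header, available once the request has been seen.
Category data comes from a constructed table standing in for the cloud DB.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the cloud category database (hostname -> category).
CATEGORY_DB = {
    "example.com": "news",
    "shop.example.net": "shopping",
    "bad.example.org": "adult",
}

# Stages at which a verdict can be (re)computed, in the order they occur.
STAGES = ("syn", "client_hello", "http_request")


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    sni: Optional[str] = None        # TLS SNI, visible from the ClientHello on
    http_host: Optional[str] = None  # HTTP Host header, visible from the request on


@dataclass
class Engine:
    blocked_categories: Set[str]
    dns_cache: Dict[str, str] = field(default_factory=dict)  # dst IP -> hostname

    def observe_dns_answer(self, name: str, ip: str) -> None:
        """Record an A/AAAA answer passing through the firewall's resolver."""
        self.dns_cache[ip] = name

    def hostname_for(self, conn: Connection, stage: str) -> Optional[str]:
        """Best hostname the engine can know at the given stage, or None."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if conn.dst in self.dns_cache:
            return self.dns_cache[conn.dst]
        if STAGES.index(stage) >= STAGES.index("client_hello") and conn.sni:
            return conn.sni
        if stage == "http_request" and conn.http_host:
            return conn.http_host
        return None

    def verdict(self, conn: Connection, stage: str) -> str:
        """'block' only when a hostname is known AND its category is blocked."""
        host = self.hostname_for(conn, stage)
        if host is None:
            return "pass"  # nothing to correlate yet: the packet is let through
        category = CATEGORY_DB.get(host)
        if category is None:
            return "pass"  # not in the database: not blocked
        return "block" if category in self.blocked_categories else "pass"


def demo() -> Dict[str, str]:
    """Constructed scenario: same blocked site reached with and without a visible DNS lookup."""
    eng = Engine(blocked_categories={"adult"})
    # Client A resolved the name through the firewall; the engine saw the answer.
    eng.observe_dns_answer("bad.example.org", "203.0.113.10")
    seen = Connection("192.168.1.50", "203.0.113.10", 443, sni="bad.example.org")
    # Client B reused a cached answer, so the engine never saw a DNS transaction.
    unseen = Connection("192.168.1.51", "203.0.113.11", 443, sni="bad.example.org")
    return {
        "seen_syn": eng.verdict(seen, "syn"),                      # block
        "unseen_syn": eng.verdict(unseen, "syn"),                  # pass (no hostname yet)
        "unseen_client_hello": eng.verdict(unseen, "client_hello"),  # block (SNI seen)
    }


if __name__ == "__main__":
    print(demo())
```

The `unseen_syn` / `unseen_client_hello` pair is the behaviour the reply describes: without a DNS transaction the first packets pass, and only the later SNI sighting lets a policy be applied to the rest of the connection. It also shows why pointing the reverse-lookup list at the firewall's own resolver (127.0.0.1, as suggested earlier in the thread) matters: the engine can only correlate answers it actually sees.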
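The advice to Tubs to prefer a symmetric load-balancing algorithm over round-robin on the lagg can be shown with a small distribution model. This is an added illustration, not OPNsense or Sensei code: the member selection functions, the CRC32-based hash and the constructed flow are assumptions made for the demonstration, not the lagg driver's actual hashing.

```python
"""Why round-robin on a lagg breaks per-flow inspection on the member NICs.

Added illustration (not OPNsense/Sensei code). Once protection is applied to
the member interfaces instead of the lagg, a flow is only fully inspected if
every one of its packets, in both directions, lands on the same member.
Round-robin picks the member by packet order; a symmetric hash picks it from
the (sorted) endpoint pair, so A->B and B->A agree.
"""
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def roundrobin_member(packet_index: int, n_members: int) -> int:
    """Round-robin: member chosen by packet order alone, regardless of flow."""
    return packet_index % n_members


def symmetric_member(pkt: Packet, n_members: int) -> int:
    """Symmetric L3/L4 hash (constructed): sort the endpoints before hashing so
    both directions of a flow map to the same member."""
    endpoints = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = "|".join(f"{ip}:{port}" for ip, port in endpoints).encode()
    return zlib.crc32(key) % n_members


def bidirectional_flow(client: str, server: str, cport: int, sport: int, n: int) -> List[Packet]:
    """Constructed flow: n packets alternating client->server and server->client."""
    pkts = []
    for i in range(n):
        if i % 2 == 0:
            pkts.append(Packet(client, server, cport, sport))
        else:
            pkts.append(Packet(server, client, sport, cport))
    return pkts


def members_used(policy: str, flow: List[Packet], n_members: int = 2) -> int:
    """Number of distinct lagg members that carry packets of this one flow."""
    if policy == "roundrobin":
        chosen = {roundrobin_member(i, n_members) for i, _ in enumerate(flow)}
    elif policy == "symmetric":
        chosen = {symmetric_member(p, n_members) for p in flow}
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return len(chosen)


def compare_distributions() -> Dict[str, int]:
    """One TCP session, six packets, two lagg members: how many members see it?"""
    flow = bidirectional_flow("192.168.1.50", "203.0.113.10", 51515, 443, 6)
    return {
        "roundrobin": members_used("roundrobin", flow),  # 2: split across members
        "symmetric": members_used("symmetric", flow),    # 1: whole flow on one member
    }


if __name__ == "__main__":
    print(compare_distributions())
```

A flow that is split across members is seen only partially by the inspection engine attached to any single member, which is the failure mode the round-robin warning is about; a symmetric policy keeps the whole session, both directions included, on one member.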