Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in a version mismatch between mongodb (which is hosted in the SunnyValley repo) and the boost-libs package (which is hosted in the OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.


Quote from: mb on December 19, 2019, 01:44:41 PM
@Antaris, thanks for the understanding. @mayo, rene, sorry for the inconvenience.

The root cause is that our script which keeps track of upstream OPNsense package dependencies missed a dependency update for mongodb, which in turn resulted in a version mismatch between mongodb (which is hosted in the SunnyValley repo) and the boost-libs package (which is hosted in the OPNsense repo).

The problem is addressed now. Necessary remedial actions have been taken. New mongodb packages have been shipped.

Thx very much for your fast support👍

Regards,
Rene
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: From the 1.3 release onwards, Sensei will drop support for OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues.

What is new in Sensei 1.2.4:

Premium

  • Fix: Modifying an existing Policy
  • Fix: Deleting Exempt VLAN/Networks

Application Database

  • New app signatures for TikTok, Discord App, GroupMe, Houseparty

Reporting

  • Fix: Drilling down to a local host (specifically IP addresses with hostnames associated with them)

Other

  • Fix: Reset factory defaults also resetting policies
  • Revert: netmap buf_num value to OPNsense default.
  • Other performance and reliability improvements

Wishing you holiday cheer and a happy new year.
Sensei Team


Quote from: mb on December 28, 2019, 10:42:34 PM
Dear Sensei users,

Sensei 1.2.4 is out now. This is a maintenance release for the 1.2 release series.

One important side announcement: From the 1.3 release onwards, Sensei will drop support for OPNsense releases 19.1.x and earlier. Please update to the latest OPNsense release to avoid any incompatibility issues.

What is new in Sensei 1.2.4:

Premium

  • Fix: Modifying an existing Policy
  • Fix: Deleting Exempt VLAN/Networks

Application Database

  • New app signatures for TikTok, Discord App, GroupMe, Houseparty

Reporting

  • Fix: Drilling down to a local host (specifically IP addresses with hostnames associated with them)

Other

  • Fix: Reset factory defaults also resetting policies
  • Revert: netmap buf_num value to OPNsense default.
  • Other performance and reliability improvements

Wishing you holiday cheer and a happy new year.
Sensei Team

great news. thx very much! :-)
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

Hi, I've been testing out the home license of Sensei and I must say it's a nice addition to OPNsense. I have moved from Sophos (formerly Astaro) UTM. And while there were lots of great features in that, I'm pretty sure that OPNsense and Sensei together are a nice replacement.

I have some feedback more like feature requests or suggestions. 

1) I am using policies for web security. One for my wife's and my devices and another controlled policy for the kids. It would be a good feature to include quotas for sites. I.e. the kids spend all day on YouTube; if I can place a 2 hour limit on YouTube, then when it reaches that two hour mark, either in one sitting, or two 1 hour viewings or four 30 mins, etc. over the course of a day, then when that time is up no more YouTube until the next day.

2) Under the security settings, I would like to have a test option. You create a policy and have a user name or IP linked to it (I use static IPs so this is not an issue) and set up the sites I want to block etc.

But then the test option would be to put in a domain name, and the IP address or user name of who I want to test the policy out as, and the output tells me that yes, that site is blocked or allowed for this computer/user using this policy and what category under App and Web control it falls under. This is also a good troubleshooting tool too, as maybe you blocked a category or two, then a site or app that is OK is not working, and you can use this feature to determine that oh, it looks like it's under this category, and then you can make what adjustments you need to make.

Overall I am enjoying it, and am looking forward to new features.

Quote from: mb on December 28, 2019, 10:42:34 PM
Revert: netmap buf_num value to OPNsense default.

How increased was memory consumption?
Proxmox enthusiast @home, bare metal @work.

@opnsenseuser, all welcome, enjoy :)

Hi @Antaris,

It had increased the wired kernel memory around 1 - 1.5 GB. So, for now we reverted it until we implement another solution (i.e. adjusting this according to the available RAM in the system).

Hi @manf0001,

Glad to hear that you're enjoying your subscription. Quick answers to your questions/requests:

Quote
Under the security settings, would like to have a test option.  You create a policy and have a user name or IP linked to it.  (I use static IPs so this is not an issue)  setup the sites I want to block etc..

Got it.

For now, you can view which connections are matching your newly created policy by drilling down to the specific policy (i.e. see Sensei - Drilling down to details: https://www.youtube.com/watch?v=sRvI7oAz2ac).

Quote
It would be a good feature to include quotas for sites. I.e. the kids spend all day on YouTube; if I can place a 2 hour limit on YouTube, then when it reaches that two hour mark, either in one sitting, or two 1 hour viewings or four 30 mins, etc. over the course of a day, then when that time is up no more YouTube until the next day.

Yep, we have this in the roadmap. This will be one of the features you'll see in the new year. Feel free to suggest more. You can also suggest more features via "Contact Sensei Team" option in the top right side of the Sensei UI.



I've had an ongoing issue with my OPNsense box, for which I believe Sensei is the culprit. Having uninstalled it, all seems fine. Here's the rundown:

- Bought new QOTOM hardware (primarily to try out Sensei, having run OPNsense successfully for some time on an APU2C4 box)
- Set up the QOTOM box, and installed Sensei
- Have a few VLANs configured, so set the main LAN interface (igb0) as the Sensei protected interface
- Additionally, configured a new WAN interface (attached to a 2nd DSL line - but not using failover, etc. Just routing some traffic out an alternate WAN link)

Then, a problem started whenever the OPNsense box rebooted. Initially, this was just during an upgrade but for troubleshooting I also rebooted it.

The issue was that the LAN interface was no longer reachable, so no internet connection for any hosts on any VLAN.
Using the serial console connection on the box, from a shell I could ping outbound (both gateways), but could not ping any internal hosts. No igb0 traffic was being routed.

Rebooted again this morning (due to an error with Sensei reports not showing), and the same thing. After a 'reload services' (serial console option 11?) - some traffic on the default VLAN was working okay. But other VLANs were not.

I then noticed in the DHCP server log that discover packets from clients that were supposed to be on the 'other' VLANs were showing up on the default VLAN, and the DHCP server was offering IPs from the default VLAN (no subsequent DHCP requests were showing up though). Why would traffic from other VLANs be showing up on the default VLAN?

3 main things had changed since the issues started: 1. new hardware, 2. installed Sensei, 3. Added new WAN interface

So, first off I uninstalled Sensei, rebooted ... and all was working with no issues.
Rebooted again, still working.

For now, it seems Sensei was the problem. No idea what it was doing to my VLAN traffic.

Hi @apidos,

If you have a free port, enable it without setting an IP on it and name it TRUNK :) After this, assign the VLANs on it, not on the LAN port.
Proxmox enthusiast @home, bare metal @work.

Quote from: Antaris on December 31, 2019, 12:39:55 PM
If you have a free port, enable it without setting an IP on it and name it TRUNK :) After this, assign the VLANs on it, not on the LAN port.

I do have a spare interface. So, you mean add a new interface (labelled TRUNK, no IP), then move the existing VLANs onto the new trunk interface? I assume I'll also have to tag the previous default VLAN now.

Is that the preferred way to configure VLANs? I couldn't see a guide for this.

January 01, 2020, 04:52:01 AM #700 Last Edit: January 02, 2020, 07:00:39 PM by Antaris
There is none. It's from BSD. Don't use tagged and untagged packets on the same interface with Sensei. Try it and give feedback, please...

@mb
Maybe since the last version, Configuration >> Deployment Size can't be changed. It hangs the web page on "Saving changes" and nothing happens.
On 3 different routers...
Proxmox enthusiast @home, bare metal @work.
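The advice above (a dedicated parent port with no IP for the VLANs, no tagged and untagged traffic on one interface) can be audited from the console. The following is an added example, not code from the thread or from Sensei/OPNsense: it parses FreeBSD-style `ifconfig` output and flags any VLAN parent that also carries its own inet address. The interface names and addresses in the sample are constructed for illustration.

```python
# Audit FreeBSD/OPNsense `ifconfig` output for VLAN parents that also carry
# untagged IP traffic, the mix that causes trouble with Sensei.
import re

# Constructed sample: igb0 has an IP *and* parents vlan10/vlan20 (the bad mix);
# igb1 is a bare trunk with no address, parenting vlan30 (the recommended layout).
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        vlan: 10 vlanpcp: 0 parent interface: igb0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
        vlan: 20 vlanpcp: 0 parent interface: igb0
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
        vlan: 30 vlanpcp: 0 parent interface: igb1
"""

def parse_ifconfig(text):
    """Return {ifname: {"inet": [addresses], "parent": parent_or_None}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:                      # a new interface block starts
            cur = head.group(1)
            ifaces[cur] = {"inet": [], "parent": None}
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("inet "):      # IPv4 address on this interface (untagged if it is a parent)
            ifaces[cur]["inet"].append(s.split()[1])
        parent = re.search(r"parent interface: (\S+)", s)
        if parent:                     # this is a vlan(4) child
            ifaces[cur]["parent"] = parent.group(1)
    return ifaces

def mixed_tagged_untagged(ifaces):
    """Return {parent: [vlan children]} for parents that have their own inet address."""
    bad = {}
    for name, info in ifaces.items():
        p = info["parent"]
        if p and ifaces.get(p, {}).get("inet"):
            bad.setdefault(p, []).append(name)
    return bad

if __name__ == "__main__":
    for parent, vlans in mixed_tagged_untagged(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(f"{parent} has an IP and parents {', '.join(vlans)}: move these VLANs to a bare trunk port")
```

On a live box, feed it `ifconfig` output instead of the sample, e.g. `parse_ifconfig(subprocess.run(["ifconfig"], capture_output=True, text=True).stdout)`.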

Quote from: Antaris on January 01, 2020, 04:52:01 AM
There is none. It's from BSD. Don't use tagged and untagged packets on the same interface with Sensei. Try it and give feedback, please...

Working on it. Have the trunk now setup (had some interesting times trying to get it to work with my unifi switch/APs, but have now simplified my overly complex config, hopefully).

Just making some final tweaks and then I'll look at re-installing Sensei and see how it goes.

Quote from: Antaris on January 01, 2020, 04:52:01 AM
@mb
Maybe since the last version, Configuration >> Deployment Size can't be changed. It hangs the web page on "Saving changes" and nothing happens.
On 3 different routers...

Hi @Antaris,

Confirmed & fixed. We'll ship this and a few other fixes with 1.2.5 in a couple of days.

January 04, 2020, 03:18:36 AM #703 Last Edit: January 04, 2020, 03:24:12 AM by AlexV
Hi All,
I have used OPNsense since August 2019.
I have the firewall installed in a virtualized environment for testing purposes.
The firewall is configured in this manner:
Squid transparent proxy + ClamAV
Unbound DNS + DNSCrypt Proxy
Suricata on WAN interface (ET Pro telemetry)

I also have configured Captive Portal (on another interface) (that emulates free WiFi access)
and configured IPsec and OpenVPN server.

I have installed Sensei but I see that with this configuration Sensei doesn't block any site, even ones listed in App or Web or in a user-defined category.
I suppose that this behavior is determined by the Squid proxy or by the DNS configuration; is there a way to configure Sensei to work with this configuration?
For the moment I don't want to disable Squid or DNSCrypt Proxy.
If this type of configuration isn't supported, is there hope that Sensei can support this in the future?

Best Regards

A.V.



Hi @Alex,

Can you reach out to us using the "Contact Sensei Team" menu in the Sensei UI? Do not forget to check the "Share Sensei program logs"  option in the form.

This configuration should work with Sensei. Let's see what's going wrong.