Sensei on OPNsense - Application based filtering

[opnsenseuser]

anyone having issues with the dashboard or reports of Sensei after upgrading to OPNsense 19.7.9?
since that update all the tiles or however to name them are having that spinning circle.
when I have a look at the dashboard of OPNsense (not the Sensei one!) I get the following message: "A problem was detected. Click here for more information." in the "here" for more information I see a lot of lines with "PHP Fatal error:  Uncaught Error: Class 'MongoDB\Driver\Manager' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/SenseiMongoDB.php:152"

After updating to opnsense to 19.7.9_1 everything works again!

1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works

[opnsenseuser]

After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...

[the-mk]

1. i uninstalled sensei
2. update to 19.7.9_1
3. reinstalled sensei
4. works

do you uninstall sensei everytime an OPNsense update is available?

[mb]

Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that %100 of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.

[opnsenseuser]

Hi @opnsenseuser,

With the help of you and the great OPNsense user community, we've been able to create a very promising solution. We've come a long way.

It looks like we need to work a bit more on the integration so that %100 of the users have the same level of experience.

We'll do for sure. What remains is trivial compared to what is already built. I will keep the thread updated on this.

sensei is a really great plugin. I also know that you and your team will solve the problem.
But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.
but i know i will reinstall it as soon as the problem is fixed. thanks again for your great support.

Regards
Rene

[greeno]

same here after last update, seems not working correct... uninstalling necessairy?

[apiods]

But it is currently causing problems and if my firewall doesn't work properly after a restart, I have no choice but to uninstall sensei.

I had a similar problem - my LAN interface was unreachable after a reboot of the OPNsense box, so no Internet access.
Uninstalling Sensei fixed the problem.

On this thread, I was advised:

Don't use tagged and untagged packet on the same interface with Sensei

Which is what I had - a native (untagged) VLAN on the same interface as a trunk (tagging a few other VLANs).
I have now added another interface - a trunk with no native VLAN, and tagging all VLANs on that interface.
But, I have not re-installed Sensei yet - just waiting as there seem a few install issues still. Once these are sorted, I will install and try again.

[mb]

same here after last update, seems not working correct... uninstalling necessairy?

Hi @greeno, run below commands and it should fix:

Code Select Expand

pkg install php72-pecl-mongodb
/usr/local/sbin/configctl webgui restart

[Ultra]

Hi all,

after a successfull installation of all Sensei plugins on the latest Opnsense version (19.7.9) I've trouble to finish the installation. The list of availible Interfaces is empty. See screenshot below. Is that because I am using an USB-to-LAN adapter as my LAN interface? The adapter works fine with Opnsense. Thanks for your help!

Ultra

[Ultra]

Here are the screenshots...

[mb]

Hi @Ultra,

Yes, switch adapters for WAN/LAN and use em for the LAN side. netmap[1] is pretty picky when it comes to compatibility.

[1] https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4

[donatom3]

After restarting the firewall, the network connection on an interface no longer worked.
I unfortunately had to completely uninstall sensei so that my firewall could connect again.
I do not know why.

I will not install sensei now until the problem is finally fixed. sorry ...

I reported on this issue months ago. I must have had a config that tripped it more often than others.
What I found was to leave the auto start for the Sensei Packet engine off then after a restart everything is fine you just need to go in and start sensei manually. I also keep an unprotected interface free now so I can just swap my pc to the second drop I have nearby so I can get in the router to fix it.

[mb]

@donatom3, thanks for the hand and suggestion.

Yes, this workaround would work for people who experience this problem.

This looks like a race condition in netmap(4). Team is working to provide a patch for FreeBSD.

[AlexV]

Hi all, in these days i have tested  Sensei very well,
And after a period of intese testing,  I can Say Wow GOOD WORK, and tanks to the team, for the freeware relase.

I work with every type of network device from Nexus 7000 switch to ASR900 router, and from asa firewall, to firepower, checkpoint, and palo alto, and i think that sensei can reach the same level of this NGFW.

i see that sensei have some difficulties to match traffic  when on the firewall is used   Squid as t proxy. infact sensei dont inspect the traffic directed to the squid  proxy port, or if it do there is some problem because in this condition the web filtering dont work, can implement this feature  ?
I can help you in some manner ?

[mb]

Hi @AlexV,

Many thanks for trying Sensei and your feedback. All welcome and much appreciated.

We're just starting out... Future will bring lots of exciting developments here.

With regard to Squid. For plain HTTP based traffic, you should see no difference. But for HTTPS based traffic, we might be missing Squid's CONNECT requests. Let us have a look at this. I'm guessing this wouldn't be a hard thing to implement.