Sensei on OPNsense - Application based filtering

[mb]

Cross posting an update about netmap on OPNsense 20.7: https://forum.opnsense.org/index.php?topic=17363.msg79415#msg79415 :

Sensei packages for OPNsense 20.7 (amd64/OpenSSL) is out and available for testing.

If you test OPNsense 20.7, as a bonus, you get to access to the latest Sensei (1.5.1.rc1) which is yet to be released

PS: Make sure you update to the latest 20.7 beta after the ISO installation, since latest 20.7 includes some important patches with regard to interface drivers. Kernel should read 12.1-RELEASE-p5 or later:

12.1-RELEASE-p5-HBSD FreeBSD 12.1-RELEASE-p5-HBSD #0  d8b850736ba(master)-dirty

[mb]

Dear Sensei users,

In case you did not notice: fixing some issues reported by 1.5 users, Sensei 1.5.1 release it out:

https://www.sunnyvalley.io/post/sensei-1-5-1-for-opnsense-is-out/

[mb]

Cross-posting from: https://forum.opnsense.org/index.php?topic=17363.msg80144#msg80144:

Below file keeps the last status for the Ethernet Drivers <-> netmap compatibility.

https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0

This page also explains how you can easily test OPNsense 20.7 netmap.

Feel free to grab a driver, test and provide test results. You should be able to leave comments on the Google Sheets file.

It looks like there's some work to do. We're here to fix.

Just test and provide feedback.

PS: Please use the thread under: https://forum.opnsense.org/index.php?board=35.0 for communication around this subject.

[GreenMatter]

I'm talking directly with Sensei team but it takes quite a long time to get conclusion :-), so I thought I may ask questions here...
In my instance, Sensei works over vlans' parent interface which is VMware's vmx (vmxnet3 driver). Hardware offloading is disabled.

• Number of devices: for home users limit of 50 is not enough nowadays: IoT devices, multiple devices per family's member and on top of that seems like Sensei counts vlans' interfaces and network appliances too (switches, access points). I run also a few services in my network: file servers, media servers, dns filtering and backup servers which have dedicated interfaces in vlans. For example, Untangle doesn't have such a limit for non-commercial users.
• Top Remote Hosts showing local IPs: I have 10 vlans (including VPN), parent interface is set in Sensei... If Sensei can't recognize/categorize local and "real" remote hosts you should rename that section, i.e.: Top destinations and Top origins? Otherwise it's confusing
• Pricing: as above, I'm home user with extended capabilities :-) - I run "connected home" and I can't find limit of 50 devices satisfactory. I'm not fully committed to OPNsense (it's installed as VM) yet and I'm thinking about running Untangle HomePro which seems to be more flexible (https://forums.untangle.com/installation/41906-before-i-buy-what-home-license-restrictions.html).

TL;DR
Are you going to reconsider limits for home users? If you need to put any limit, I would say 100 devices is a fair number. Of course I'm not threatening / blackmailing, I'm only considering  all available options...
And keep up the good work!

[siga75]

50 devices is fair enough in my opinion, even considering IoT

Anyway it's not a must to put everything behind OPNsense, you don't have it to protect your phones when you are not at home

[GreenMatter]

I use "road warrior" scenario fo all my mobile devices (once device isn't connected to specified wifi network, automatically connects over VPN) and virtually they are always under LAN's umbrella. I know I'm paranoid but I like to minimize users tracking and connect to my servers - most of them are accessible only within LAN...
At the moment I have 54 devices discovered by Sensei but only 44 are in ARP table.
I have many IoT devices and cameras so I'm very much on the limit.

[binaryanomaly]

50 devices is fair enough in my opinion, even considering IoT

Not really. Got 39 here with two adults and a baby and I do not have that many devices besides the standard IoT (lights, plugs, heater,...) stuff. If we'd live in a house it would probably be >50 already.

Imho <100 would be more appropriate.

[mb]

Hi @GreenMatter,

We hear you I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users

[GreenMatter]

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users

It's good to know that at least somebody likes us 
Anyway, I hope you guys will be not only flexible but proactive when it comes to market demands, haha! I have family of 5, multiple devices, IoT, servers, docker containers running on macvlan networks, freenas jails, VPN users and vlans. Thus number of 50 doesn't sound big enough. And as I'm migrating from Unifi, I like nicely presented reporting. That's why I keep fingers crossed you'll change your policy...
Have a great weekend!

[l0rdraiden]

Hi @GreenMatter,

We hear you I've been notified about your suggestion.

The challenge we have here is that our user base is quite unique in the sense that we see home networks that are as evolved as an enterprise data center. We see Active-Active Hypervisors with lots of VM server guests, clustered firewalls, lots of VLANs, networks, Servers, Active Directory integrations, and lots of IoT devices.

This provides us with a unique advantage to be able to get very qualified feedback from all of our user segments.

On the other hand, it is quite challenging to create a home tier that can satisfy all our home users also at the same time to differentiate our business users.

Having said that, we're on it and we want to make sure we are up to the expectations of our unique beloved users

First of all it doesn't make a lot of sense that a free user get unlimited devices and a paid one 50, I know there are other limitations.

On the other hand what differentiates Sophos/enterprise from Home/free should be the professional support and not the features, no one will install this in an enterpise wihtout support. Another thing is LDAP and you are doing it right here. So would not be affraid of companies using your software for free even if the home version features were free.

I still think that the price of the home version might be high considering the alternatives. Maybe selling it as a perpetual license for home users would be an option, or lowering the price to 2-5$ per month and limit more the free edition if you want home users which should be your target to pay for it.

[nzkiwi68]

Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

[packetmangler]

Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

There is an App category for Proxies.  I don't see SkyVPN, but you do have the ability to add it manually if you know the hostname(s) and IP addresses the service uses.

[Koldnitz]

I am really liking Sensei.

I have 2 questions.

First, are you aware that every so often sensei seems to make one of the interfaces I have configured in a Lagg (lacp) go down?  The eastspec(?) process on one of my cores (i7-7500) goes crazy, on the status tab one of the 2 interfaces watched for my Lagg (it can be either of them) dies, while all the bandwidth goes to the other, and only way to fix it is to turn sensei on and off (sometimes takes multiple tries, usually happens within first 10 minutes or after days / weeks of uptime).  The problem occurs randomly to the point that I no longer have sensei configured to automatically load on reboot (I have been fooling with settings and rebooting router a lot to make sure things work still).  I assume you are aware and this will be fixed on 20.7, but if you are not if I can help you make sensei better I am all for it.

Second, I have been trying to get a cloud account set up, but when I click the email validation link it, the webpage tells me this is not a valid link.  My email is registered and I have gotten a password reset just fine, but I am unable to validate my account.

Please let me know.

Cheers,

[mb]

@lordrainden, thanks for additional thoughts/comments. Well noted.

[mb]

Can Sensei block SkyVPN and other such proxy / VPN tunneling systems?

We need this in an education environment to stop students bypassing the filters.

Hi @nzkiwi68, we see growing interest from the education community. Proxy identification/filtering is one of the most requested features.

Proxy filtering can be done both from the Web Controls and App Controls. App Controls come handy if the identification might be trickier for a particular application.

Having said that, SkyVPN, Ultrasurf and a few other trikcy proxy applications are being worked on.

As @packetmangler put it, if you already know the destination IP/hostnames you can create custom applications and enforce policies using the custom developed applications.

Other than that, do not hesitate to reach out to us via "Contact Team" menu on the right hand side of the menu. We want to know more about your problems in the field and create solutions as soon as possible.