Sensei on OPNsense - Application based filtering

[m.chupin]

Hi all,
I'm newbie for Sensei. I need an application filter. I plan to apply policy "Deny all, except certain apps".
Firstly, apply "Block all" on "App controls" page. Check some apps (like TeamViewer, Skype, Windows Store) - they really don't work. Then I check Telegram Desktop app - it started up and works without problems. Though "Reports" show that Sensei recognize Telegram.
I try free version of Sensei.

What should I do to block Telegram?

[zauopn]

Hello, I have latest version of opnsense already installed in a VirtualBox VM and it is working.

Internet WAN -> Modem -> Opnsense device (Ethernet port) LAN -> USB Ethernet adapter (usb connected to Opnsense device and Ethernet to WAN Ethernet port of router) -> Router ( multiple devices connected to it via Ethernet LAN ports and WiFi)

However, there are some issues with Sensei and IDS/IPS that need to be fixed:

1) All the web traffic in opnsense has the same WAN IP from router, so it makes it look that there is only one device connected to the network. I need to see in the Sensei and IDS traffic logs exactly the IP of the device in the network (I.e printer, PC etc..) that generates the traffic. For example, if a user using a smartphone goes to Facebook, I need to see the IP of the smartphone, not the WAN IP of the router.
2) Snort rules are not getting triggered, there are several ERR INVALID SIGNATURE in the IDS logs. Also, the GeoIP settings have an issue, the country flags are not showing up in the logs maxmind was already added to the geoip settings. :-\
I also have ET telemetry and some of the rules work but many of those rules are empty, it seems that ET Telemetry doesn't have the same rulesets as ET PRO.

Does anyone know how fix these issues? I'd appreciate your help. Thanks

[mb]

Hi @zaupon,

This looks like Sensei/OPNsense is not the gateway for your devices and thus traffic does not flow through Sensei.

In reports, if all you see is WAN IP, it might be that your router might be doing NAT for the devices behind it.

To make sure it is not the case, run a tcpdump trace to see if you can see the internal IP addresses.

For the other question, is it Snort or Suricata? If Suricacata, IDS/IPS forum might be a better place to ask:
https://forum.opnsense.org/index.php?board=27.0

[Xelas]

Just installed OPNsense on a dedicated PC with an i3, 8GB RAM, 250 GB SSD. Fresh install, one of the first packages I'm installing is Sensei, using ElasticSearch as the DB. The installation is failing because ES is failing to start, with the error message:

Code Select Expand

Starting elasticsearch service...
***ERROR***: Elasticsearch service could not be started in 60 seconds!***
***ERROR*** CODE:2***

ES installation log attached.
/var/log/elasticsearch/ is empty.

[mb]

Hi @Xelas, what does this command tell?

Code Select Expand

service elasticsearch5 status


[Xelas]

Code Select Expand

root@OPNsense:~ # service elasticsearch5 status
elasticsearch5 does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
root@OPNsense:~ #

[mb]

Hi @Xelas, reach out to the team via "Report Bug" menu located on the right hand corner of the UI, and we'll have a closer look.

[mb]

Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade.OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.

With regard to the netmap improvement efforts, a bit of caution is necessary since we witnessed regression with some device drivers, vtnet being the most notable one.

Here's the detailed netmap status:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

Speaking with @franco, some good news: it looks like OPNsense team will be able to provide a test kernel and start landing the bug-fixes with 20.7.1 or 20.7.2.

As mentioned in the blog post, we need more testing with regard to some drivers. Any help in that regard would be much appreciated.

We can't start fixing a problem if we don't know there is a problem.

[donatom3]

Dear Sensei users,

OPNsense 20.7 is set to be released this week Thursday.

This is a major upgrade.OPNsense will be switching to FreeBSD/HardenedBSD 12.

We're taking the necessary steps for this upgrade to proceed as smooth as possible. Having said that, please stay tuned for further updates on this. We advise to postpone 20.7 upgrade for a few days so that we can fully confirm the upgrade is compatible with Sensei.

Should we submit bug reports if Sensei Packet Engine wont' start cuz we upgraded to 20.7 early and didn't see this or is it known that it isn't working?

For me Sensei Packet engine fails on starting and I get a popup that let's me report it's not working but then nothing pops up.

[mb]

Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code Select Expand

pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code Select Expand

pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:

Code Select Expand

pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.

[donatom3]

Hi donato,

Yes, this is expected. Fix is easy. Below commands should fix it:

Code Select Expand

pkg remove os-sunnyvalley
pkg install os-sunnyvalley
pkg install -f -y os-sensei

If db is elasticsearch:

Code Select Expand

pkg remove elasticsearch5
pkg autoremove
pkg install elasticsearch5

Mongodb:

Code Select Expand

pkg remove mongodb40
pkg autoremove
pkg install mongodb40

All these are currently being built into the software to handle the upgrade automatically. More on this later tomorrow.

On the other hand, before proceeding with the above commands, can you shoot a PR? We'd like to have a look at a few files.

I missed what you said about the PR until after I ran the first three commands. I sent it anyway even though it's in the middle of updating the SunnyValley repository catalogue. Hopefully it still helps.

[almodovaris]

Yup, I have installed the preview version based on 12.1 and Sensei slashed my Usenet download speed to 8 MB/s instead of 22 or 24 MB/s as previously. I have APU2.

[mb]

@donatom3, no worries, thanks for the update. 

[mb]

Dear Sensei users,

An update for the OPNsense 20.7 upgrade and compatibility:

https://www.sunnyvalley.io/post/sensei-and-opnsense-20-7-all-set-to-go/

All you need to do is running "Check Updates" once more after you're finished with upgrading to OPNsense 20.7.

OPNsense package manager will install the packages for the new OPNsense version and you'll be all set.

[nines]

I know the vmx driver is listed under "Drivers that needs testing and verification" but I just want to point out that its not working. After upgrading to 20.7 and afterwards searching for updates again in order to update sensei the system crashes and reboots.

is this issue already known?