Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.



Quote from: mb on July 31, 2020, 01:28:08 PM
Hi @nines, thanks for letting us know. Yes, we did not have reports for vmx up until now.

Can you send a PR? We want to have a closer look.

Unfortunately I can't, the VM instantly reboots after the update.
Any ideas?

Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.

I've got exactly the same - after upgrading my OPNsense VM to 20.7, Sensei had ceased to run. Due to a constant reboot loop, I had to restore a VM snapshot and now I'm back on 20.1.9 - I reported a bug as well.
Are you going to improve compatibility for vmx drivers?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

July 31, 2020, 06:25:48 PM #996 Last Edit: July 31, 2020, 06:28:03 PM by sorano
So I had sensei running on 20.7 using the vmx0_vlan## interfaces.

So I started playing around, switched to just using the vmx0 interface together with VLAN IDs in Sensei and got my host in a crash bootloop without a snapshot. Is there any way to disable Sensei during boot?
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: mb on July 31, 2020, 02:23:55 PM
Try this:

Before the upgrade make sure you have autostart disabled for Sensei: Sensei -> Status -> Set "Start on Boot" to Disabled.

Also make sure that you don't have Suricata enabled.

Upgrade the system, and before starting Sensei/Suricata send the PR.

that worked, report sent!

Quote from: sorano on July 31, 2020, 06:25:48 PM
Is there anyway to disable sensei during boot?

Well, I answered my own question:

Boot up in single user mode
Mount the fs
/usr/local/etc/rc.d/eastpect disable

July 31, 2020, 09:00:42 PM #999 Last Edit: July 31, 2020, 09:04:59 PM by mb
Hi @sorano,

Your message just landed while I was preparing my post. Nicely done. Thanks for the update.

Based on the user reports received, we've just updated the latest netmap status. Please see the post below before you update to 20.7:

https://www.sunnyvalley.io/post/status-on-the-netmap-improvement-efforts-for-opnsense-20-7/

For the problematic drivers, work has already begun. I'll provide interim updates on their status.

Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

Quote from: mb on August 01, 2020, 02:13:31 AM
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

This is my setup:

Hypervisor: VMware ESXi, 7.0.0, 16324942
VM Compatibility: ESXi 7.0 and later (VM version 17)
Distributed switch version: 7.0.0
Distributed Port group: VLAN trunk (tagging VLANs inside OPNsense)

Distributed Port group Security Policies:
Promiscuous mode: Reject (I'm running Native MAC Learning instead to work around the vSwitch + CARP duplicates issue)
MAC address changes: Accept
Forged transmits: Accept

Like I wrote earlier: running Sensei on the interfaces that are tagged in OPNsense (vmx0_vlan#) works, but running on the "native" vmx0 interface + VLAN ID in Sensei will cause a kernel race.
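As an added illustration of the observation above (this is not code from the thread, from Sensei or from OPNsense), the POSIX shell script below takes the space-separated interface list that FreeBSD's `ifconfig -l` prints and separates native vmx devices (vmx<N>) from the VLAN children tagged inside OPNsense (vmx<N>_vlan<ID>), so an administrator can see before an upgrade which interfaces fall into the configuration reported here as crashing. The interface names in SAMPLE are constructed; on a real box you would pass `"$(ifconfig -l)"` instead.

```shell
#!/bin/sh
# Added example: classify interface names the way FreeBSD/OPNsense names them.
# Input is a single space-separated string, as printed by `ifconfig -l`.

# Print the native vmxnet3 devices (vmx0, vmx1, ...) found in the list.
native_vmx() {
    out=""
    for ifn in $1; do
        case "$ifn" in
            vmx[0-9]*_vlan[0-9]*) ;;                  # VLAN child tagged in OPNsense: not native
            vmx[0-9]*) out="${out:+$out }$ifn" ;;     # native vmx device
            *) ;;                                      # other drivers (em, igb, lo, ...)
        esac
    done
    printf '%s\n' "$out"
}

# Print the vmx VLAN child interfaces (vmx0_vlan10, ...) found in the list.
vmx_vlan_children() {
    out=""
    for ifn in $1; do
        case "$ifn" in
            vmx[0-9]*_vlan[0-9]*) out="${out:+$out }$ifn" ;;
            *) ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample interface list (not taken from any real system).
SAMPLE='vmx0 vmx0_vlan10 vmx0_vlan20 vmx1 em0 lo0'

echo "native vmx devices (configuration reported as crashing when used directly with a VLAN ID in Sensei): $(native_vmx "$SAMPLE")"
echo "vmx VLAN children tagged in OPNsense (configuration reported as working):                          $(vmx_vlan_children "$SAMPLE")"
```

The order of the `case` patterns matters: `vmx[0-9]*` would also match `vmx0_vlan10`, so the VLAN-child pattern is tested first.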

August 01, 2020, 10:26:37 AM #1002 Last Edit: August 01, 2020, 10:31:18 AM by Waschl
Quote from: mb on August 01, 2020, 02:13:31 AM
Friends who use OPNsense on ESX:

Which ESX version are you on?  We would like to know about the problematic versions.

Hello. I have the same problem. My setup:
Hypervisor: VMware ESXi 6.7.0 Update 3 Build 16316930
VM Compatibility: 6.7 U2
Standard vSwitch

Running OPNsense with no special interfaces configurations (VLAN etc.) using vmxnet3.

Running into the same issue as well: https://forum.opnsense.org/index.php?topic=18338.0


Hypervisor: VMware ESXi, 7.0.0, 16324942
VM compatibility: 6.7 U2


OPNsense VM with 7 vmx interfaces. I use VLANs in my networks, but I do the tagging on the ESX dvSwitch, so OPNsense isn't aware of VLANs; it just sees the vmx0 - vmx6 interfaces.

Reverted to snapshots of 20.1.9 I created before upgrade.

Ok, I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests.