Sunny Valley Networks is a startup company that has partnered with Deciso, the creators of OPNsense, to create a plugin called Sensei which adds deep packet inspection and more to OPNsense. These features add greater visibility into your network. Sensei also has built-in cloud threat intelligence that can be used to block web/application access and to prevent known malware attacks.
This post will focus on the features of Sensei and the differences between the Free Edition and the Home Edition. I do not intend to describe every single feature but rather the features I feel may be of most interest to more advanced home network users. I would like to give a shout out to Sunny Valley Networks for making this post possible!
A Note about Installation
The installation process is pretty straightforward and well documented on Sunny Valley's website so I do not want to repeat all of the same details. However, there is one consideration worth mentioning since I had an issue with this when I was first experimenting with Sensei.
On the “Interface Selection” step, you are prompted for the interfaces you wish to have Sensei monitor. If you have multiple VLANs associated with a single physical interface, you should only select the physical parent interface. Do not select each individual VLAN. This is similar to Suricata, where you should only select the physical interface(s); it is still able to examine each individual VLAN because “Promiscuous Mode” is enabled. In the same manner, Sensei will be able to analyze all of the VLAN traffic when monitoring the parent interface. If you select the individual VLANs instead, you may find that it kills/blocks your VLAN network traffic or causes other issues.
Notice in the screenshot that I am selecting LAN rather than all of the VLANs in the list which are associated with the physical interface “igb2”.
When you monitor the parent interface, Sensei will monitor all VLANs associated with that interface. In the Free Edition, you cannot exclude VLANs from being monitored if you have multiple VLANs assigned to a single parent interface. This may or may not be an issue for some users (you could always move the VLANs you wish to exclude to other physical ports on your router). As I will discuss later, the Home Edition does allow you to exclude VLANs from being monitored, which is very nice because you may not want to monitor some of your networks.
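The following is an added example, not code from the post or from Sunny Valley, that turns the interface-selection advice above into a pre-flight check: given a constructed interface assignment and the interfaces an administrator intends to tick, it folds every VLAN child onto its physical parent so that only parents end up selected, and reports VLANs whose parent is not itself an assigned interface. The interface names, the `<parent>_vlan<id>` device naming and the `normalize_selection`/`parent_of` helpers are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical OPNsense interface assignment used only for this example.
# Key: friendly name shown in the Sensei interface list, value: underlying device.
# VLAN children are written in the "<parent>_vlan<id>" form (assumed naming).
INTERFACES = {
    "WAN": "igb0",
    "LAN": "igb2",
    "GUEST": "igb2_vlan10",
    "IOT": "igb2_vlan20",
    "KIDS": "igb2_vlan30",
    "DMZ": "igb1_vlan40",   # parent igb1 is deliberately not assigned
}

VLAN_RE = re.compile(r"^(?P<parent>[a-z]+\d+)_vlan(?P<id>\d+)$")


def parent_of(device):
    """Return (parent_device, vlan_id) for a VLAN child, or (device, None) for a physical port."""
    m = VLAN_RE.match(device)
    if m:
        return m.group("parent"), int(m.group("id"))
    return device, None


@dataclass
class SelectionResult:
    monitor: list     # friendly names of the physical interfaces to actually select
    collapsed: dict   # VLAN friendly name -> parent friendly name it was folded into
    orphans: list     # VLAN selections whose parent is not an assigned interface


def normalize_selection(selected, interfaces=INTERFACES):
    """Reduce an intended Sensei interface selection to physical parents only.

    Selecting a parent (LAN on igb2 in the example) already covers every VLAN
    carried on it because the engine sees the port in promiscuous mode, so the
    VLAN children are dropped from the selection rather than added alongside it.
    """
    device_to_name = {dev: name for name, dev in interfaces.items()}
    monitor, collapsed, orphans = [], {}, []
    for name in selected:
        parent_dev, vlan_id = parent_of(interfaces[name])
        if vlan_id is None:                      # physical port: keep as-is
            if name not in monitor:
                monitor.append(name)
            continue
        parent_name = device_to_name.get(parent_dev)
        if parent_name is None:                  # VLAN whose parent is unassigned
            orphans.append(name)
            continue
        collapsed[name] = parent_name            # fold the VLAN onto its parent
        if parent_name not in monitor:
            monitor.append(parent_name)
    return SelectionResult(monitor, collapsed, orphans)


if __name__ == "__main__":
    result = normalize_selection(["LAN", "GUEST", "IOT", "KIDS", "DMZ"])
    print("select:", result.monitor)
    print("folded:", result.collapsed)
    print("needs parent assigned first:", result.orphans)
```

The `orphans` list is the case to act on before installation: a VLAN whose physical parent does not appear in the selection list cannot be covered by ticking a parent, so the parent port has to be assigned (or the VLAN moved to a port that is) before Sensei can monitor it in the recommended way.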
Basic Features of Free Edition
After installing Sensei, you will notice it has its own top-level menu called “Sensei”. When you click it, you should see the following menu links to the Sensei pages:
The Dashboard provides a default set of reports as you can see below:
You can customize which reports are displayed by clicking the “Add Charts” button. There are over 40 charts to choose from. In addition, you can apply filters on the dashboard in order to drill down to the data you wish to see. Right now, it seems as though the filters are limited to nearly 30 data elements and the only operator you can use is “equals”. Perhaps in the future they will add other types of operations to make the filters even more powerful.
By default, the charts are automatically refreshed every minute but you can set the intervals to be longer or shorter. The intervals are 15 seconds, 1 minute, 5 minutes, and 15 minutes. You can also set the number of days/hours/minutes of history. The intervals include last 15 minutes, 1 hour, 24 hours, 7 days, and 30 days. You may enter a custom time frame as well.
Keep in mind that you may not be able to view 30 days of history if you have Sensei configured to store fewer than 30 days of history on the “Sensei > Configuration > Reporting & Data” page. If you have a larger amount of resources available on your router, you should be able to handle a 30 day history. It is possible that retaining a longer time frame will slow down underpowered routers – at least when viewing reports. I have not personally tested longer than 14 days. With Suricata and Sensei enabled, I am using around 60% of 8GB of RAM. Since the v1.1 update in November 2019, which improves support for lower-end hardware, Sensei seems to use less RAM. I was sitting around 78-80% utilization of RAM before the update.
The “Status” page provides information about the version of the Sensei engine and app/rules databases, the cloud node status used by the cloud threat intelligence feature, interface status, and the status of the Sensei services. You may start, restart, and stop the Sensei services at any point in time. You may also put Sensei in “bypass” mode which should cause network traffic to pass through Sensei without any processing in case you want to keep Sensei running but turned off for some reason. If you want Sensei to be running every time you reboot your router, you will need to ensure you have the “Start on Boot” option enabled. By default it is set to enabled.
The “Reports” page looks similar to the Dashboard page. It has similar filters for the time frame and specific data elements. You will also notice a dropdown box that has “Top 10” by default. This option lets you select how many items show up in the charts/graphs. If you change this option on the “Reports” page, it will also apply to the reports on the “Dashboard” page. Below is the “Reports” page:
You will notice that the page has tabs for the different types of reports. The “Connections” tab shows the various applications in your network that are making connections both internally and externally to your network. These connections may be of any protocol and not just HTTP/HTTPS traffic. This tab shows the categories of applications, the protocol used for the connection, the duration of the connection, and other details.
The “Blocks” tab shows everything that has been blocked based on your web/app controls. If you do not have any blocking enabled, there will be no data shown in the reports in this tab.
The “Web” tab shows reports on web-based traffic generated by browsing websites or API calls that various applications perform. It lists the website category, the method used (GET, POST, etc), the hostname, and other information.
The “DNS” tab shows information on the most frequent DNS requests performed and other DNS related information. The “TLS” tab shows TLS session information such as the hosts/IPs in which the most TLS sessions are created, the ports used, the general categories of the sessions, and other information.
Unlike the “Dashboard”, the “Reports” page provides a “Live Sessions Explorer”, which allows you to see the most recent connections, blocks, web sessions, DNS requests, and TLS sessions depending on which tab you are currently viewing. You can change the update interval so it updates more or less frequently. This view is useful to get insight of the current activity that is taking place on your network.
It is important to note that when you are viewing the “Live Sessions Explorer” in the “Connections”, “Web”, and “TLS” tabs, you have the ability to block the various connections by clicking the circle-with-a-slash icon. Conversely, in the “Blocks” tab, you have the ability to allow connections that have been previously blocked by clicking on the green checkmark icon. This is very useful when something you want to access is being actively blocked by Sensei. I have seen the occasional false positive that I have had to unblock.
The “Security” page allows you to enable blocking for various types of malware activity and potentially dangerous websites. The Free Edition only allows you to choose options in the “Essential Security” section of the page. I do not recommend enabling every single option unless you are OK with potentially having false positives that you have to selectively allow when you encounter legitimate sites that are blocked.
The “App Controls” page is where you can block various types of applications on the network. There are a wide variety of categories you can select. The apps in the list are not necessarily malicious, but they may be apps that are unwanted on the network. For instance, you may not want users to use Tor to bypass security protections on your network. The app categories have more specific apps underneath them when you expand the folder icon in case you do not wish to block the entire category.
The “Web Controls” page is similar to the “App Controls” page. It shows a list of categories of websites which are to be blocked by Sensei. Unlike the app controls, you cannot filter more granularly than the category level. However, you can allow certain sites to be accessed by unblocking them in the “Live Sessions Explorer”. Since blocking is done at a category level, you should be careful which categories you select because you may find that many sites you visit are being blocked. You will notice that you can create your own web categories for whitelisting or blacklisting sites. If you edit the default lists “Auto Blocklist Hosts” or “Auto Whitelist Hosts”, you will be able to see the sites you blocked using the “Live Sessions Explorer”. You may also add new entries in those default lists as well.
The “Configuration” page shows all of the settings which you used when you initially set up Sensei. This page allows you to make changes to those initial settings. You can also see basic information about Sensei and the various support pages on the “About” tab. If you wish to uninstall Sensei, you can do it from the “Uninstall” tab.
The “Cloud Threat Intel” tab lists the various cloud nodes from which you can receive updates and check for threats. You can enable all of the servers which are the closest to your location. It may be best to have at least 2 servers selected in case one node is down or is slow.
The “Updates & Health” tab has settings to enable health checks and automatic checking of updates. Many of these settings will likely be enabled by default, but you can disable any checks if you prefer to check for updates manually.
The “Reports & Data” tab allows you to set a DNS server for domain name/host name lookups, the number of days to keep data in the reports, some report database maintenance operations, and the option to email reports on a schedule.
For the DNS reverse IP lookups, I do not know if it is necessary to enter localhost since it may use that by default. I entered 127.0.0.1 to make sure it is using the local DNS resolver to resolve hostnames of my local devices in the reports. This option may be more useful if you have a separate DNS server that does not reside on your OPNsense router.
I have entered 7 days as the amount of history to keep in my reports. The default may be 14 days. I was having some issues with Sensei stopping processing packets after a week or two of uptime. It would essentially kill many of the network connections and Internet access. When I tried using 7 days, it seemed to help with the stability of Sensei. Also, the Sensei developers have made some improvements to netmap on FreeBSD which may have helped fix some stability issues as well. Perhaps I need more powerful router hardware to handle that much history since I am running several services including Suricata (on the WAN interface), but it could be some other issue that I have not discovered yet. At any rate, 7 days of history still provides interesting insights into the network, and I can set up weekly reports to be sent via email so that I can review the activity once a week before the history is cleared out.
If your Sensei installation stops processing packets, you can simply restart Sensei instead of rebooting the router. That is much quicker than rebooting the router. If you have a VPN server running on your OPNsense, you can log into your VPN to access the web administration page to restart Sensei. Logging into the VPN seems to work because Sensei does not currently operate on VPN networks so packets continue to be processed normally in the VPN network. If you prefer command line, you could also achieve something similar using SSH, but you may need to use SSH from the VPN session.
Differences Between the Free Edition and Home Edition
The menu options in the Home Edition are more condensed even though more features have been activated. In particular, the Security, App Controls, and Web Controls pages have been combined into a Policies page as can be seen in the comparison below:
The “Dashboard” page is the same for the Free Edition and Home Edition. Nothing extra to see here, except that the top of the page will say “Premium Edition” to indicate you are using a paid version of Sensei.
The same applies to the “Status” page. No differences other than the “Premium Edition” at the top of the page.
On the “Reports” page, you will finally see some additional features that are included in the Home Edition. There is a new tab to create custom views, a button to export reports to a PDF, and a button for the “Activity Explorer” page.
The “Live Sessions Explorer” in the Home Edition allows you to export activity to a PDF page. The rest of the page is the same as the Free Edition.
A completely new feature is the “Activity Explorer”. This button only exists on the “Connections” tab. This feature shows more context about particular connections made by your devices such as the total duration, the current visit number of the connection, a number of activity details relating to the connection, and the amount of data transferred during the session. I think this view might be a more compact and consolidated view of the “Live Sessions Explorer”. You can see more information at a glance.
Perhaps the best added feature for many users is the ability to create your own custom report page. You have the ability to select from a number of predefined reports for this view. Your favorite reports from each of the report tabs can be consolidated onto a single page.
As shown with the differences in the menu options, the “Policies” page consolidates the “Security”, “App Controls”, and the “Web Controls” pages into one page. This is because the Home Edition allows creating more than one policy, which is nice if you wish for different VLANs/interfaces to have different policies. Perhaps you want a stricter policy for the VLAN you use for your children – you can make this happen in the Home Edition.
To create a new policy, you simply click the “Add New Policy” button and choose the appropriate settings, which is similar to how you set up the default policy when you installed Sensei. Unlike the default policy, you have the ability to restrict the users and groups as well as set a time schedule for when the policy is active. There is more granular control than the default policy. It makes sense because you can set a looser (or stricter) set of restrictions for the default policy and then with the new policy you could specify stricter (or looser) restrictions on certain networks/groups/users as you see fit.
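To make the default-plus-specific policy layering described above concrete, here is an added example, not Sensei's own policy engine and not code from the post: a small model in which each extra policy may be scoped by interface, user, group and an active time window, specific policies are tried first, and the default policy is the fallback when none of them matches. The policy names, categories, schedule semantics and first-match precedence are assumptions chosen for illustration; Sensei's real matching rules are not documented on this page.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Active window: a set of weekdays (0=Monday..6=Sunday) and a [start, end) time range."""
    days: frozenset
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    blocked_categories: frozenset
    interfaces: frozenset = frozenset()   # empty = applies on any interface
    users: frozenset = frozenset()        # empty = applies to any user
    groups: frozenset = frozenset()       # empty = applies to any group
    schedule: Optional[Schedule] = None   # None = always active

    def matches(self, iface, user, user_groups, at) -> bool:
        if self.interfaces and iface not in self.interfaces:
            return False
        if self.users and user not in self.users:
            return False
        if self.groups and not (user_groups & self.groups):
            return False
        if self.schedule is not None and not self.schedule.active(at):
            return False
        return True


def select_policy(policies, default, iface, user, user_groups, at) -> Policy:
    """First specific policy whose scope and schedule match wins; otherwise the default applies."""
    for p in policies:
        if p.matches(iface, user, user_groups, at):
            return p
    return default


def is_blocked(policy: Policy, category: str) -> bool:
    return category in policy.blocked_categories


# Constructed sample policies (hypothetical names and categories).
DEFAULT = Policy("default", frozenset({"malware", "phishing"}))
KIDS_EVENINGS = Policy(
    "kids-school-nights",
    frozenset({"malware", "phishing", "games", "social"}),
    interfaces=frozenset({"KIDS"}),
    groups=frozenset({"children"}),
    schedule=Schedule(days=frozenset(range(5)), start=time(19, 0), end=time(22, 0)),
)
POLICIES = [KIDS_EVENINGS]


def decide(iface, user, user_groups, category, at):
    """Return (policy name, blocked?) for one request, for use in tests and demos."""
    policy = select_policy(POLICIES, DEFAULT, iface, user, frozenset(user_groups), at)
    return policy.name, is_blocked(policy, category)


if __name__ == "__main__":
    tuesday_8pm = datetime(2019, 11, 19, 20, 0)   # constructed timestamp: a Tuesday
    saturday_8pm = datetime(2019, 11, 23, 20, 0)  # constructed timestamp: a Saturday
    print(decide("KIDS", "alice", {"children"}, "games", tuesday_8pm))
    print(decide("KIDS", "alice", {"children"}, "games", saturday_8pm))
    print(decide("LAN", "alice", {"children"}, "games", tuesday_8pm))
```

Two design points carry over to any layered policy setup: a scope field left empty means "match anything", so an accidentally empty interface list turns a child-specific policy into a global one, and the default policy is still the one in force whenever the schedule is outside its window, so the categories you consider non-negotiable (malware, phishing) belong in the default rather than only in the stricter policy.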
With the Home Edition, you can now enable any of the “Advanced Security” features. Notice how I have a few of those options selected. These settings should help protect against known malware that is actively spreading – especially the type that infects any random vulnerable machine that can be found. Most home users will not be specifically targeted unless perhaps you are a high profile individual. The Home Edition expands on the types of websites that can be blocked. Dynamic DNS domain names and newly recovered domains are not necessarily malicious, but malicious sites have been known to use dynamic DNS services and sometimes reclaim expired domain names of well-known sites. These settings may be useful to block some phishing attacks when you are not careful about the URLs you are clicking.
The “App Controls” page is the same as the Free Edition so not much to see here.
The “Web Controls” page is the same as the Free Edition. However, the Free Edition limits how many web filtering categories you may choose. You will notice after choosing more than a couple of categories that it will no longer allow you to select any more. It will display a message saying you need to upgrade to a premium edition to enable more blocking. The Home Edition allows blocking for as many categories as you like. As with the Free Edition, you may add or modify the default blocklist/whitelist categories.
The Home Edition adds more configuration options to the “Configuration” page. An “Exempted VLANs & Networks” section on the page allows you to exclude specific VLANs/IPs/subnets from being processed by Sensei. This may be useful on completely isolated networks or any other network you may not want monitored for some reason. Another extra feature is the ability to create a custom landing page for when Sensei blocks access to a website. I am not quite sure when you will see the landing page, because for the few legitimate sites that Sensei blocked that I wanted to visit I did not see a landing page. It just did not load a page at all because it timed out.
Overall, Sensei is a great addition to the OPNsense platform. It adds functionality that is not standard with OPNsense and that no other plugin offers. Sunny Valley strikes a good balance between providing useful features in the Free Edition and enhanced security features in the Home Edition. The main standout features, in my opinion, for the Home Edition are the activity explorer, the ability to block new malware outbreaks, and the ability to exempt specific VLANs/IPs from being monitored by Sensei. The value of the Home Edition will further increase when new security features such as botnet blocking become available. If you are interested in a feature comparison of their plans, you may visit their website to see more: https://www.sunnyvalley.io/plans/