Trying new data collecting system Sentinel

Being curious about Sentinel but not wanting to mess with the router, I decided to give it a shot in a container instead, providing an isolated environment. An unprivileged container would be icing on the cake…

eth0 -> vlan eth0.2 -> br-sen -> guest fw zone -> privileged container with ip subnet different from guest network

Stripped TOS down to bare essentials

```
Uninstall("hd-idle", "knot-resolver", "dnsmasq", "resolver", "collectd", "vpnc", "wol", "tinyproxy", "samba36-server", "samba36-client", "openssh-sftp-client", "openssh-sftp-client", "openssh-sftp-server", "openvpn-openssl", "mjpg-streamer", "miniupnpd", "minidlna", "transmission", "ahcpd", "ddns-scripts", "luci-app-wol", "luci-app-transmission", "etherwake", "odhcpd", "kmod-rxrpc")
```

Installed the sentinel stuff

```
Install("sentinel-minipot")
```

but skipped sentinel-dynfw-client since it only makes sense to run on the host.

From a remote node I ran telnet against the router's IP; the telnet login at the router pops up, so it is confirmed working. :+1:

Questions (remaining after discovery):

  1. Can sentinel-nikola be configured in the container to access the nf entries in the host's kernel log? If so, what are the requirements, or how is it done?

  2. Where can node data collected/submitted by sentinel-nikola to the TO project be viewed per node (similar to haas)?


Notable issues :slightly_frowning_face:

  1. sentinel-dynfw-client fails to start at boot
  2. sentinel-nikola not automatically enabling nf/ipt logging in the wan zone
  3. firewall restart fails to load the wan_input_rule for ipset turris-sn-wan-input-block
  4. sentinel-dynfw-client fails to detect wan ip rollover
  5. nf/ipt records reportedly not being parsed - see below