Fix scaling of small images, fix typos, clarify IPsec s2s (#78)

pull/79/head
MichaelDeciso 6 years ago committed by Ad Schellevis
parent fc18a434df
commit 86a9787cf3

@ -340,7 +340,7 @@ epub_copyright = copyright
# A unique identification for the text.
#epub_uid = ''
# A tuple containing the cover image and cover page html template filenames.
# A tuple containing the cover image and cover page HTML template filenames.
#epub_cover = ()
# A sequence of (type, uri, title) tuples for the guide element of content.opf.

@ -66,7 +66,7 @@ Architecture
Always make sure there's a clear separation of concerns, back-end calls
(like shell scripts) should be implemented using the configd system, all
communication to the client should be handled from an api endpoint. (the
communication to the client should be handled from an API endpoint. (the
example provides more insights on how this works).
Back-end programs should not access the config.xml directly, if data is
@ -215,7 +215,7 @@ retrieval/changing of configuration data.
They should live in a subdirectory of the controller called Api and
extend the corresponding class.
For our modules we create two api controllers, one for controlling
For our modules we create two API controllers, one for controlling
settings and one for performing service actions. (Named
SettingsController.php and ServiceController.php) Both should look like
this (replace Settings with Service for the other one):
@ -377,7 +377,7 @@ something like this:
{{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
This tells the template system to add a form using the contents of
generalForm and name it frm\_GeneralSettings in the html page. Based on
generalForm and name it frm\_GeneralSettings in the HTML page. Based on
a standard template part which is already part of the standard system,
named base\_form.volt.
@ -665,7 +665,7 @@ What have we accomplished now, we can input data, validate it and save
it to the corresponding format of the actual service or application,
which uses this data. So if you have a third party application, which
you want to integrate into the user interface. You should be able to
generate what it needs now. (theres more to learn, but these are the
generate what it needs now. (Theres more to learn, but these are the
basics).
But how do should we control that third part program now? Thats the
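Review bot: the capitalisation change on the "(Theres more to learn" line still leaves the apostrophe out, and the same problem sits in the neighbouring context: "Theres" should be "There's", "Thats" on the last context line should be "That's", and "how do should we control that third part program" reads better as "how should we control that third-party program". Since the hunk already touches this sentence it is the natural place to fix all three.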
@ -760,7 +760,7 @@ elements:
});
});
(in html section)
(in HTML section)
.. code-block:: xml
@ -868,7 +868,7 @@ content in it:
</acl>
This creates an acl key named “page-user-helloworld” which authorizes
access to both the ui and api urls of this application. You can now
access to both the ui and API urls of this application. You can now
grant access to this module from the system user manager.
|
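Review bot: the changed line now reads "both the ui and API urls", which mixes conventions inside one phrase; for consistency with the capitalisation this commit applies elsewhere it should be "both the UI and API URLs", and "an acl key" on the preceding context line would become "an ACL key" by the same rule.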

@ -86,7 +86,7 @@ A simple index controller to echo a request back looks like this:
}
}
When placed inside the api directory of Vendor/Sample can be called by sending a
When placed inside the API directory of Vendor/Sample can be called by sending a
post request to /api/sample/test/echo, using jquery:
.. code-block:: javascript
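Review bot: "api directory" here is the literal, case-sensitive directory name, not the acronym: the routing hunk later in this patch says to "create a Api directory under the app path", so the path is Vendor/Sample/Api, and rewriting it as "API directory" hides the exact name a developer must create. Suggest keeping the literal form and marking it as code, e.g. "When placed inside the ``Api`` directory of Vendor/Sample it can be called by sending a POST request to /api/sample/test/echo, using jQuery:", which also restores the missing subject of the sentence.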

@ -62,14 +62,14 @@ This routing is setup via the index page of our new code base and uses
API routing
-----------
Routing for api functions is quite similar to routing UI components,
Routing for API functions is quite similar to routing UI components,
just create a Api directory under the app path and place a controller
class to handle the request. The only major difference is that it's
handled by a separate php file (called api.php) in stead of the
index.php file used to configure the ui part, details of the routing can
be found in /usr/local/opnsense/mvc/app/config/services\_api.php .
If our sample app needs an api to echo something back via a controller called
If our sample app needs an API to echo something back via a controller called
tools it could be put into a file called:
::
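Review bot: the line after the change still says "create a Api directory" ("an Api directory"), and two context lines later "in stead of" should be "instead of" and "the ui part" should be "the UI part" to match the rest of this commit. Because Api is a real path component rather than the acronym, marking it as ``Api`` would stop readers from "correcting" it to API when creating the directory.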

@ -49,7 +49,7 @@ time and we needed to transition that into something more structured.
One of the first things (on the programming part of the system) we did was build
components around an existing framework (`Phalcon <https://phalconphp.com/>`_)
to create new modules, which could use validated configuration data (from the
config.xml), supply a RESTful API and generate html output using standard
config.xml), supply a RESTful API and generate HTML output using standard
templates (Volt).
We created the configd system, which can generate system configuration and
@ -78,7 +78,7 @@ implementation is one example of this stage.
**3)** Moving on
(re)build new parts, using our new modules, which provide a layered development
system to automatically support api calls from other systems and xml based model
system to automatically support API calls from other systems and xml based model
templates to describe configuration data.
*See also:*
@ -87,7 +87,7 @@ templates to describe configuration data.
* :doc:`Howto use the API </development/how-tos/api>`
Our guidelines somewhat depend of the stage the code is in, when writing new code,
all actions should use the api system for actually changing configuration and
all actions should use the API system for actually changing configuration and
performing configuration tasks. They should, of course, use the normal PSR coding
standards for PHP code and follow the Python PEPs.

@ -23,7 +23,7 @@ Creating keys
API keys are managed in the user manager (system\_usermanager.php), go
to the user manager page and select a user. Somewhere down the page you
will find the api section for this user.
will find the API section for this user.
|Usermanager add api key.png|

@ -15,7 +15,7 @@ There are some myths surrounding our project offered mostly by pfSense enthusias
if you have read their comments on us then we'd recommend to just ignore them and
install OPNsense, if you have not already done so.
.. sidebar:: Lets fork and lift the project!
.. sidebar:: Let's fork and lift the project!
.. image:: images/fork-lift_new.jpg

@ -79,11 +79,11 @@ OPNsense Core Features
- Intrusion Detection and Inline Prevention
- Build-in support for Emerging Treats rules
- Built-in support for Emerging Treats rules
- Simple setup by use of rule categories
- Scheduler for period automatic updates
- Build-in reporting and monitoring tools
- Built-in reporting and monitoring tools
- System Health, the modern take on RRD Graphs
- Packet Capture
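Review bot: the two "Built-in" fixes are right, but the line they sit on still misspells the rule provider: "Emerging Treats rules" should be "Emerging Threats rules" (the ET ruleset used by the IDS), and "Scheduler for period automatic updates" should read "periodic automatic updates". Both are worth folding into this typo pass.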

@ -33,7 +33,7 @@ When using a fully qualified domain name, the name will we resolved periodically
(default is each 300 seconds).
Sample
Lets say we want to create an alias table for **www.youtube.com**
Let's say we want to create an alias table for **www.youtube.com**
.. image:: images/aliases_host.png
:width: 100%
@ -120,10 +120,10 @@ Downloads
Using Aliases in pf Firewall Rules
----------------------------------
Aliases can be used in the firewall rules to make administration of large lists
easy. For instance we could have a list of remote ip's that should have access to
easy. For instance we could have a list of remote IPs that should have access to
certain services, when anything changes we only need to update the list.
Lets create a simple alias list and assume we have 3 remote ip's that may access
Let's create a simple alias list and assume we have 3 remote IPs that may access
the ipsec server for a site to site tunnel connection:
* 192.168.100.1

@ -7,13 +7,12 @@ but is also widely used in corporate networks for an additional layer of securit
on wireless or Internet access.
.. image:: images/hotspot_login.png
:width: 100%
--------------------
Typical Applications
--------------------
* Guest Network
* Hotel & Camping Wifi Access
* Hotel & Camping Wi-Fi Access
* Bring Your Own Device (BOYD)
-------------------
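Review bot: "Bring Your Own Device (BOYD)" in the context right under the Wi-Fi fix has the acronym wrong; it should be "(BYOD)". The Wi-Fi rename on the hotel line is fine.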
@ -27,7 +26,6 @@ task. At the same time it offers additional functionalities, such as:
* Custom Splash page
.. image:: images/captiveportal_template_folder.png
:width: 100%
---------------
Zone Management
@ -69,7 +67,7 @@ the user can resume its active session.
--------------------
Bandwidth Management
--------------------
The Build-in traffic shaper can be utilized to:
The Built-in traffic shaper can be utilized to:
* Share bandwidth evenly
* Give priority to protocols port numbers and/or ip addresses
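Review bot: the replacement line capitalises "Built-in" mid-sentence ("The Built-in traffic shaper"), which looks like a search-and-replace of the heading form; it should be "The built-in traffic shaper". The following bullet also needs "ip addresses" changed to "IP addresses" and a comma in "protocols, port numbers and/or IP addresses".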

@ -85,13 +85,13 @@ The content area is used to display:
----------
Form View
----------
Lets take a look at how an advanced form may look like:
Let's take a look at how an advanced form may look like:
.. image:: images/proxy_form.png
Full Help
---------
Many forms are equipped with build-in help. In the upper right corner of the form
Many forms are equipped with built-in help. In the upper right corner of the form
you can select to view all help messages at once. The toggle will color green when
enabled and show the help messages beneath the input items.
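Review bot: "how an advanced form may look like" keeps a grammatical error the hunk could have fixed at the same time; either "how an advanced form may look" or "what an advanced form may look like".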

@ -53,13 +53,13 @@ for the ones that require disk writes, e.g. a caching proxy (cache) or intrusion
and prevention (alert database).
+------------------+--------------------------------------------------------------------------+
| Processor | 500MHz single core cpu |
| Processor | 500 MHz single core cpu |
+------------------+--------------------------------------------------------------------------+
| RAM | 512 MB |
+------------------+--------------------------------------------------------------------------+
| Install method | Serial console or video (vga) |
+------------------+--------------------------------------------------------------------------+
| Install target | SD or CF card with a minimum of 4GB, use nano images for installation. |
| Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |
+------------------+--------------------------------------------------------------------------+
Table: *Minimum hardware requirements*
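Review bot: the unit spacing fix ("500 MHz", "4 GB") is good, but the same rows leave "cpu" and "(vga)" in lowercase; "500 MHz single core CPU" and "Serial console or video (VGA)" would match the capitalisation convention the commit introduces. The "(vga)" row also appears unchanged in the next table.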
@ -78,7 +78,7 @@ or high loads.
+------------------+--------------------------------------------------------------------------+
| Install method | Serial console or video (vga) |
+------------------+--------------------------------------------------------------------------+
| Install target | 40 GB SSD, a minimum of 1GB memory is needed for the installer to run. |
| Install target | 40 GB SSD, a minimum of 1 GB memory is needed for the installer to run. |
+------------------+--------------------------------------------------------------------------+
Table: *Reasonable hardware requirements*
@ -126,9 +126,9 @@ have massive impact on it. The candidates are:
displayed below.
`State transition tables <https://en.wikipedia.org/wiki/State_transition_table>`__
it is a known fact, that each state table entry requires about 1KB
(kilo bytes) of RAM. The average state table, filled with 1000
entries will occupy about ~10MB (mega bytes) of
it is a known fact, that each state table entry requires about 1 kB
(kilobytes) of RAM. The average state table, filled with 1000
entries will occupy about ~10 MB (megabytes) of
`RAM <https://en.wikipedia.org/wiki/Random-access_memory>`__.
OPNsense usage settings with hundred of thousands of connections
will require memory accordingly.
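Review bot: the two rewritten lines still do not agree with each other: 1 kB per state entry times 1000 entries is about 1 MB, not "~10 MB", so either the per-entry size or the total is off and the hunk is the right place to make them consistent (whichever figure is the measured one). Minor wording while here: "about ~10 MB" doubles the qualifier, "it is a known fact, that" can lose the comma, and "hundred of thousands" should be "hundreds of thousands".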

@ -26,7 +26,7 @@ select from the list).
Change Proxy Listening Port
---------------------------
By default the proxy will listen at port 3128, you can change this by clicking
on the tab **Forward Proxy** and fill in the port in the **Proxy port** feild.
on the tab **Forward Proxy** and fill in the port in the **Proxy port** field.
Don't forget to **Apply** your changes.
------------
@ -36,7 +36,6 @@ To enable caching click on the arrow next to the **General Proxy Settings** to
see the dropdown menu and click on **Local Cache Settings**.
.. image:: images/proxy_cache.png
:width: 100%
Check the **Enable local cache** and click **Apply**.
@ -49,7 +48,7 @@ Advanced
--------
Under the advanced settings (see mode switch on left top of the form) you can
change the cache size, directory structure and max object size to keep in cache.
Again defaults are fine for normal browsing and creates a 100MB cache with max 4MB
Again defaults are fine for normal browsing and creates a 100 MB cache with max 4 MB
object size.
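Review bot: the changed line has a subject-verb mismatch that predates the unit fix: "defaults are fine for normal browsing and creates a 100 MB cache" should be "create a 100 MB cache".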
@ -87,7 +86,7 @@ You can setup ACL's by clicking on the arrow next to **Forward Proxy** and sele
**Access Control List**. Here you can:
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IP's)
* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IPs)
* Add Banned hosts IP address (A ban will stop this client from being able to use the proxy)
* Whitelist (Click on the (i) to see examples, whitelist prevail above blacklists)
* Blacklist (If not allowed by a whitelist, this will block traffic based upon a regular expression)
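Review bot: "IP's" is corrected to "IPs" on the unrestricted-addresses bullet, but the hunk header context still says "You can setup ACL's"; "set up ACLs" would follow the same rule. The banned-hosts bullet would also read better as "Add banned host IP addresses".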

@ -28,7 +28,7 @@ Use websites like `FrequencyCheck <https://www.frequencycheck.com/>`_ to find th
frequency band(s) used and get a cellular modem that supports these frequencies.
You should also buy an appropriate pigtail antenna cable and LTE antenna. Note
that LTE antennas often have different connectors than WIFI antennas, chose your
that LTE antennas often have different connectors than Wi-Fi antennas, chose your
equipment accordingly. Getting the right antenna has a big impact on the quality
of your signal. For LTE, MIMO (multiple input, multiple output) antennas should
be considered, see for example `this guide <https://www.specialistantennas.co.uk/news/lte-antenna-choices-considerations>`_.
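Review bot: the Wi-Fi spelling fix sits on a line that still says "chose your equipment accordingly"; it should be "choose".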

@ -67,7 +67,7 @@ First we need to have a project in the google developer console:
- In the left menu APIs -> "Drive API" -> Enable
- Open the project and start to create an api key
- Open the project and start to create an API key
- In the left menu : APIs & auth -> Credentials
- Click on the button "Create new Client ID"

@ -35,7 +35,7 @@ box to make a quick selection.
----------------
Before Selection
----------------
Take a look at this simple rule set before selecting our "My IP's" category.
Take a look at this simple rule set before selecting our "My IPs" category.
.. image:: images/Rules_Full.png
:width: 100%

@ -26,7 +26,7 @@ Hotels and RV Parks
-------------------
Hotels and RV parks usually utilize a captive portal to allow guests (paid) access
to internet for a limited duration. Guests need to login using a voucher they can
either buy or obtain for free at the reception. OPNsense has build-in support for
either buy or obtain for free at the reception. OPNsense has built-in support for
vouchers and can easily create them on the fly. With this example we will show
you how to setup the Guest Network for this purpose and setup a reception account
for creating new vouchers.
@ -88,7 +88,7 @@ Fill in the following to setup the DHCP server for our guest net (leave everythi
================ ==================================== =======================================
**Enable** Checked *Enable the DCHP server on GUESTNET*
**Range** 192.168.200.100 to 192.168.200.200 *Serve ip's from this range*
**Range** 192.168.200.100 to 192.168.200.200 *Serve IPs from this range*
**DNS servers** 192.168.200.1 *Supply a DNS with the lease*
**Gateway** 192.168.200.1 *Supply a gateway with the lease*
================ ==================================== =======================================
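Review bot: the "Serve IPs" fix is right, but the row directly above it still reads "Enable the DCHP server on GUESTNET"; that should be "DHCP server", and it is the kind of typo this commit is meant to catch.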
@ -228,11 +228,10 @@ Step 5 - Create Template
The template feature is one of the most powerful features of OPNsense's Captive
Portal solution and it's very easy to work with.
Lets create a custom landing page, to do so click on the tab **Templates** and
Let's create a custom landing page, to do so click on the tab **Templates** and
click on the download icon in the lower right corner ( |download| ).
.. image:: images/template_download.png
:width: 100%
Now download the default template, we will use this to create our own.
Unpack the template zip file, you should have something similar to this:
@ -242,21 +241,21 @@ Unpack the template zip file, you should have something similar to this:
Most files of the template can be modified, but some are default and may not be
changes. Upon upload any changes to the files listed in **exclude.list** will be
ignored. Currently these include the bootstrap java scripting and some fonts.
ignored. Currently these include the bootstrap JavaScript and some fonts.
With the captive portal enabled the default screen looks like:
.. image:: images/default_login_no_authenticator.png
:width: 100%
Lets change this default with a new logo and a welcome message, to this:
Let's change this default with a new logo and a welcome message, to this:
.. image:: images/mycompany_login.png
To do so use your favourite editor and open the **index.html** file to make the
changes.
Lets make the following changes to the template:
Let's make the following changes to the template:
#. Change the logo to **company-logo.png**
#. Remove the navigation bar on the top
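Review bot: the context at the top of this hunk reads "some are default and may not be changes"; it should be "may not be changed". While touching the JavaScript line, "the bootstrap JavaScript" would normally be "the Bootstrap JavaScript" since it names the framework.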
@ -308,20 +307,19 @@ Hit Upload ( |upload| )
:width: 100%
.. |upload| image:: images/btn_upload.png
:width: 100%
To enable the captive portal on the GUESTNET interface just click on **Apply**.
-------------------------------
Step 6 - Limit Guests Bandwidth
-------------------------------
For our example we will reserve 10Mbps down and 1Mbps Up for the Guest Network's
For our example we will reserve 10 Mbps down and 1 Mbps Up for the Guest Network's
Internet Access. This bandwidth will be shared evenly between connected clients.
.. Note::
With sharing evenly we mean that if 10 users at the same time try to use
as much bandwidth as possible then everyone gets 1/10th. So in our example
that would be 1Mbps down stream (download). It is also possible to limit
that would be 1 Mbps down stream (download). It is also possible to limit
the traffic per user see also :doc:`shaper`
Go to: **Firewall->Traffic Shaper->Settings**.
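Review bot: the unit spacing is now consistent, but the same line capitalises "1 Mbps Up" while the downstream figure is lowercase ("10 Mbps down"); use "up" in both places. In the note, "1 Mbps down stream (download)" should be "1 Mbps downstream", and "the traffic per user see also :doc:`shaper`" needs a comma or full stop before "see also".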
@ -351,7 +349,7 @@ And add another pipe for the upload traffic.
Click on **Save changes**.
Create the traffic shaper rules.Click on the tab **Rules** and press the **+**
Create the traffic shaper rules. Click on the tab **Rules** and press the **+**
to do so.
First toggle the advanced mode (upper left corner of the form) and then fill in
@ -363,7 +361,7 @@ the following details (leave everything not specified on defaults):
**interface 2** GUESTNET
**direction** in
**target** pipe_10Mbps_down
**description** Limit Guests download to 10Mbps
**description** Limit Guests download to 10 Mbps
================= ==================================
Click **Save changes**.
@ -374,7 +372,7 @@ Click **Save changes**.
**interface 2** GUESTNET
**direction** out
**target** pipe_1Mbps_up
**description** Limit Guests upload to 1Mbps
**description** Limit Guests upload to 1 Mbps
================= ==================================
Click **Save changes**.
@ -428,31 +426,31 @@ Step 9 - Create Vouchers
Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**).
Click on **Create Vouchers** in the lower right corner of the form.
Lets create 1 Day vouchers for our guests:
Let's create 1 Day vouchers for our guests:
.. image:: images/create_vouchers.png
:width: 100%
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wifi day pass f.i.).
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wi-Fi day pass, for example).
For the example we create 10 vouchers. Click on **Generate**.
A file will be generated called **wifi day pass.csv**.
A file will be generated called **Wi-Fi day pass.csv**.
The content of this file looks like this:
.. code-block:: guess
username,password,vouchergroup,validity
"IgJw@Pqf","MLi+Sb7Ak#","Wifi day pass","86400"
"++?f[@i[","!m*)e(@;F,","Wifi day pass","86400"
"bbtK9mBk","f/jCDL3:)b","Wifi day pass","86400"
"iD%L[jLJ","I#FoZ#g!AY","Wifi day pass","86400"
"+4bA\E[I","CNavt@0ck+","Wifi day pass","86400"
"+,fg/\Sv","#22iIL-iQA","Wifi day pass","86400"
":;Pc\N#s","Y\HuG9vAN$","Wifi day pass","86400"
"00nLb=0Q","0*C_\_Nb_x","Wifi day pass","86400"
"PA$J0YHF","kp!q%9;m)g","Wifi day pass","86400"
"a,mCxbya","LcnCb#g/di","Wifi day pass","86400"
"IgJw@Pqf","MLi+Sb7Ak#","Wi-Fi day pass","86400"
"++?f[@i[","!m*)e(@;F,","Wi-Fi day pass","86400"
"bbtK9mBk","f/jCDL3:)b","Wi-Fi day pass","86400"
"iD%L[jLJ","I#FoZ#g!AY","Wi-Fi day pass","86400"
"+4bA\E[I","CNavt@0ck+","Wi-Fi day pass","86400"
"+,fg/\Sv","#22iIL-iQA","Wi-Fi day pass","86400"
":;Pc\N#s","Y\HuG9vAN$","Wi-Fi day pass","86400"
"00nLb=0Q","0*C_\_Nb_x","Wi-Fi day pass","86400"
"PA$J0YHF","kp!q%9;m)g","Wi-Fi day pass","86400"
"a,mCxbya","LcnCb#g/di","Wi-Fi day pass","86400"
The content are:
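Review bot: "The content are:" should be "The contents are:" (or "The columns are:"). Renaming the group to "Wi-Fi day pass" in the file name and CSV rows is consistent with the renamed Groupname entered in the step above, which is where the export takes it from. One caveat worth a sentence here: the Warning later in this page says the plain-text voucher passwords are not kept on the firewall, so this CSV is the only copy of the credentials; the text could tell readers to treat the file accordingly and delete it once the paper vouchers are printed.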
@ -465,11 +463,11 @@ The content are:
.. Warning::
For security reasons the plain text password for the vouchers are NOT stored
For security reasons the plain text passwords for the vouchers are NOT stored
on the firewall.
This file can be used for creating nice guest vouchers (on paper) by just merging
the cvs data with word, open office or any other dtp/text editor.
the CSV data with Microsoft Word, LibreOffice or any other DTP/text editor.
Create something like this:
@ -501,7 +499,6 @@ When done click **Save changes** and the **Apply** to apply the new settings.
Now users will see the login form as part of your template:
.. image:: images/cp_voucher_login.png
:width: 100%
--------------
Check Sessions
@ -523,8 +520,8 @@ You can drop an active session by clicking on the trashcan.
Check Voucher Status
--------------------
You can check the validity and active status of a voucher by going to the voucher
page of the captive portal (**Services->Captive Protal->Vouchers**) and select
the correct database (Wifi day pass in our example).
page of the captive portal (**Services->Captive Portal->Vouchers**) and select
the correct database (Wi-Fi day pass in our example).
.. image:: images/cp_active_vouchers.png
:width: 100%
@ -538,16 +535,16 @@ the correct database (Wifi day pass in our example).
------------------------
Advanced - Session popup
------------------------
Lets create a Session Popup so user can see some details about there session and
Logout. For this feature we will use OPNsense's build-in api calls.
Let's create a Session Popup so users can see some details about their session and
Logout. For this feature we will use OPNsense's built-in API calls.
In particular we will use the following api call (for zone id 0):
In particular we will use the following API call (for zone id 0):
.. code-block:: guess
/api/captiveportal/access/status/0/
The response on this api call looks like this (for an active session):
The response on this API call looks like this (for an active session):
.. code-block:: json
@ -566,7 +563,7 @@ The response on this api call looks like this (for an active session):
"packets_in":3181,
"clientState":"AUTHORIZED"}
It would go a bit to far to explain standard html and java scripting used for
It would go a bit to far to explain standard HTML and JavaScript used for
our simple popup, but a full demo template can be downloaded:
:download:`Download the example Template (with popup) <resources/template_popup.zip>`
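Review bot: the rewritten line still says "It would go a bit to far"; it should be "too far". Earlier in the same hunk "zone id 0" would be "zone ID 0" under the commit's capitalisation rule, and "Lets create a Session Popup so user can see" was correctly fixed to "users ... their session".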

@ -20,7 +20,7 @@ Prerequisites
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
logging (>10 GB advisable).
* Disable all Hardware Offloading
Under **Interface-Settings**
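Review bot: "10 GB" is now spaced like the rest of the document, but the first half of the same bullet still says "Minimum Advisable Memory is 2 Gigabyte"; "2 GB" would be consistent, and the same bullet is repeated unchanged in the two later Prerequisites hunks of this patch.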
@ -57,7 +57,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:width: 100%
---------------
Fetch Rule sets
@ -71,7 +70,6 @@ To do so: select Enabled after each one.
To download the rule sets press **Download & Update Rules**.
.. image:: images/downloadbtn.png
:width: 100%
-----------------------
Change default behavior
@ -93,7 +91,6 @@ Apply fraud drop actions
Now press **Download & Update Rules** again to change the behavior to drop.
.. image:: images/downloadbtn.png
:width: 100%
---------------
Keep up to date

@ -2,7 +2,7 @@
IPS GeoIP Blocking
==================
This tutorial explains how to setup the IPS system to block ip's based on their
This tutorial explains how to setup the IPS system to block IPs based on their
geographic location. This option is made possible by the integration of the
Maxmind GeoLite2 Country database. More information can be found here: http://dev.maxmind.com/geoip/geoip2/geolite2/
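Review bot: "IPs" is fixed, but "how to setup the IPS system" on the same line should be "how to set up" (verb), and the vendor name on the context line is "MaxMind", not "Maxmind".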
@ -17,7 +17,7 @@ Prerequisites
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
logging (>10 GB advisable).
* Disable all Hardware Offloading
Under **Interface-Settings**
@ -87,13 +87,11 @@ Apply configuration
If this is the first GeoIP rule you add then you need to **Download & Update Rules**
.. image:: images/downloadbtn.png
:width: 100%
Then apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:width: 100%
------------

@ -16,7 +16,7 @@ Prerequisites
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
logging (>10 GB advisable).
* Disable all Hardware Offloading
Under **Interface-Settings**
@ -106,7 +106,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:width: 100%
----------------------------
Clear Browser Cache and test

@ -3,7 +3,7 @@ IPSec BINAT
===============
Assume company A has local LAN 10.0.1.0/24 and company B has local LAN 10.0.2.0/24.
Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wifi.
Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wi-Fi.
We have to define new networks for the Phase 2 with unused ones and create NAT entries to reach the final systems.

@ -203,7 +203,7 @@ General information
-------------------
========================= ============= ================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *both V1 and V2 are supported*
**Key Exchange version** V2
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense*
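Review bot: dropping "both V1 and V2 are supported" leaves the Key Exchange version row with no rationale for choosing V2; a short reason (IKEv2 is the current protocol version and has no main/aggressive mode choice, which is why that row is removed in the next hunk) would make the "clarify IPsec s2s" intent explicit. Separately, 172.10.2.1 (and 172.10.1.1 in the Site B table further down) is labelled "the public ip address of your remote OPNsense", and it really is public: 172.10.0.0/16 is outside RFC 1918 (172.16.0.0/12), so a reader who copies the example verbatim will send IKE traffic to an address owned by a third party. Documentation samples should use an RFC 5737 range such as 203.0.113.0/24 or 198.51.100.0/24, and "ip address" should be "IP address".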
@ -215,7 +215,6 @@ Phase 1 proposal (Authentication)
---------------------------------
=========================== ====================== ======================================
**Authentication method** Mutual PSK *Using a Pre-shared Key*
**Negotiation mode** Main *Use Main. Aggressive is insecure*
**My identifier** My IP address *Simple identification for fixed ip*
**Peer identifier** Peer IP address *Simple identification for fixed ip*
**Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!**
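Review bot: removing the Negotiation mode row is correct for the IKEv2 configuration chosen above, since main and aggressive modes only exist in IKEv1, but without a remark readers coming from an IKEv1 guide will wonder where the "Aggressive is insecure" advice went; one sentence saying the setting does not apply to IKEv2 would keep that guidance. The two identifier rows still say "fixed ip" and should read "fixed IP"; the same rows are repeated in the Site B hunk.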
@ -224,12 +223,12 @@ Phase 1 proposal (Authentication)
Phase 1 proposal (Algorithms)
-----------------------------
========================== ============= ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**DH key group** 2048 bit *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ============= ===========================================
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== =============== ===========================================
Advanced Options
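Review bot: widening the column and naming the DH group as "14 (2048 bit)" is a real improvement because that is how the group is identified in the dropdown, but the row above it still reads "Hash algoritm" (should be "algorithm") and the encryption row has "we will Use AES/256 bits" with a stray capital. Both typos are repeated in the Site B copy of this table.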
@ -245,7 +244,6 @@ Advanced Options
Save your setting by pressing:
.. image:: images/btn_save.png
:width: 100%
Now you should see the following screen:
@ -259,7 +257,6 @@ Step 2 - Phase 2 Site A
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:width: 100%
You will see an empty list:
@ -291,30 +288,27 @@ Remote Network
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============ =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 2048 bit *Not required but enhanced security*
=========================== =============== =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
=========================== ============ =======================================
=========================== =============== =======================================
Save your setting by pressing:
.. image:: images/btn_save.png
:width: 100%
-----------------------------
Enable IPsec for Site A, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:width: 100%
Save:
.. image:: images/btn_save.png
:width: 100%
And Apply changes:
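Review bot: same table, same misspelling: "Hash algortihms" should be "Hash algorithms" in both the Site A and Site B Phase 2 tables, and the PFS comment "Not required but enhanced security" reads better as "Not required but enhances security". The PFS group being written as "14 (2048 bit)" matches the Phase 1 DH group, which is the right thing to show.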
@ -340,7 +334,7 @@ General information
-------------------
========================= ============= ================================================
**Connection method** default *default is 'Start on traffic'*
**Key Exchange version** V2 *both V1 and V2 are supported*
**Key Exchange version** V2
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense*
@ -352,7 +346,6 @@ Phase 1 proposal (Authentication)
---------------------------------
=========================== ====================== ======================================
**Authentication method** Mutual PSK *Using a Pre-shared Key*
**Negotiation mode** Main *Use Main. Aggressive is insecure*
**My identifier** My IP address *Simple identification for fixed ip*
**Peer identifier** Peer IP address *Simple identification for fixed ip*
**Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!**
@ -361,12 +354,12 @@ Phase 1 proposal (Authentication)
Phase 1 proposal (Algorithms)
-----------------------------
========================== ============= ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**DH key group** 2048 bit *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ============= ===========================================
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== =============== ===========================================
Advanced Options
@ -382,7 +375,6 @@ Advanced Options
Save your setting by pressing:
.. image:: images/btn_save.png
:width: 100%
Now you should see the following screen:
@ -429,19 +421,18 @@ Remote Network
Phase 2 proposal (SA/Key Exchange)
----------------------------------
=========================== ============ =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 2048 bit *Not required but enhanced security*
=========================== =============== =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
=========================== ============ =======================================
=========================== =============== =======================================
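Review bot: "Hash algortihms" is misspelled in both versions of the Phase 2 table and should read "Hash algorithms"; the "PFS Key group" note reads better as "Not required but enhances security", and the Lifetime row is the only one without a third-column explanation (a short "lifetime before renegotiation", as used in the Phase 1 table, would make the tables consistent). The widened column for "14 (2048 bit)" is correct, matching the Phase 1 change.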
Save your setting by pressing:
.. image:: images/btn_save.png
:width: 100%
-----------------------------
@ -453,7 +444,6 @@ Enable IPsec for Site B, Select:
Save:
.. image:: images/btn_save.png
:width: 100%
And Apply changes:
@ -530,4 +520,4 @@ Common issues are unequal settings. Both ends must use the same encryption stand
If you are testing locally with your pc connected to one of the two test boxes
as in the sample configuration, then make sure you have no other network
connections (f.i. wifi).
connections (Wi-Fi, for example).

@ -24,7 +24,7 @@ Configure Failover
------------------
To setup Failover the following step will be taken:
#. Add monitor IP's to the gateways
#. Add monitor IPs to the gateways
#. Add a gateway group
#. Configure DNS for each gateway
#. Use policy based routing to utilize our gateway group
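Review bot: the sentence introducing the list, "To setup Failover the following step will be taken", is left untouched but has two issues: it should be "steps" (four are listed) and "setup" is the noun, "set up" the verb. Suggest "To set up failover the following steps will be taken:".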
@ -40,12 +40,12 @@ To setup Failover the following step will be taken:
Example configuration
---------------------
Our example utilized two previous configured WAN gateways that both are confirmed
to function separately. As DNS's and monitor ip's we will utilize google's DNS
to function separately. As DNS's and monitor IPs we will utilize google's DNS
services 8.8.8.8 and 8.8.4.4, of course you can use your own 'known good' setting.
We defined WAN and WAN2, where WAN will be our primary (default) gateway.
Step 1 - Add monitor IP's
Step 1 - Add monitor IPs
-------------------------
You may skip this step if you already have setup the monitoring ip and both gateways
are shown as online.
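Review bot: the "IP's" fix on the DNS sentence leaves neighbouring inconsistencies in the same lines: "DNS's" should be "DNS servers", "two previous configured" should be "two previously configured", and "google's" should be "Google's". The context line "if you already have setup the monitoring ip" should read "have set up the monitor IP" to match the step title "Add monitor IPs" directly above it.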
@ -185,7 +185,7 @@ gateways.
Sticky Connection
-----------------
Some web sites don't like changing request ip's for the same session, this may
Some web sites don't like changing request IPs for the same session, this may
lead to unexpected behavior. To solve this you can use the option **Sticky Connections**,
this will make sure each subsequent request from the same user to the same website
is send through the same gateway.
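Review bot: the last line of this paragraph, "is send through the same gateway", should read "is sent through the same gateway"; since the hunk already touches this paragraph for the "IPs" fix, it is the natural place to correct it.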
@ -196,7 +196,7 @@ Unequal Balancing (Weight)
--------------------------
If you have a non symmetric setup with one IPS having a much higher
bandwidth that the other then you can set a weight on each gateway to change the
load balance. For instance if you have one line of 10Mbps and one of 20Mbps then
load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps then
set the weight of the first one to 1 and the second one to 2. This way the second
gateway will get twice as many traffic to handle than the first.
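Review bot: "one IPS having a much higher bandwidth that the other" has two problems beyond the unit fix this hunk makes: "IPS" should be "ISP" (elsewhere in these docs IPS means Intrusion Prevention System, so the typo actively misleads), and "that" should be "than". The closing sentence "twice as many traffic" should be "twice as much traffic". Suggested wording: "If you have an asymmetric setup with one ISP having a much higher bandwidth than the other, ...".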

@ -1,123 +1,123 @@
Orange France FTTP IPv4 & IPv6
==============================
**Original Author:** Kev Willers
**Introduction**
-----------------
This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package).
The guide deals with just the internet connection. Setting up of TV or Phone is not covered here.
**Getting ready to make the connection**
----------------------------------------
Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below
.. image:: images/OF_image0.png
:width: 100%
and the WAN interface assignment should hence look something like this
.. image:: images/OF_image1.png
:width: 100%
**Configuring the WAN Interface**
---------------------------------
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
requests respectively
select options DHCP and DHCPv6 in general configuration
.. image:: images/OF_image2.png
:width: 100%
**On the DHCP request it is a requirement to pass the following:**
* dhcp-class-identifier "sagem"
* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3"
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
The eleven leading hex 00 pairs to be prefixed to the converted userID
These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request
.. image:: images/OF_image3.png
:width: 100%
.. Note::
It is necessary to specify the following 'Request Options'
* subnet-mask
* broadcast-address
* dhcp-lease-time
* dhcp-renewal-time
* dhcp-rebinding-time
* domain-search, routers
* domain-name-servers
* option-90
These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request
Now for the regional specific part.
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
this can be done via the 'Option Modifiers'.
.. Note::
The vlan-parent is the physical WAN interface - igb0, em0 etc.
.. image:: images/OF_image4.png
:width: 100%
On the DHCP6 request we need to use raw options
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
.. image:: images/OF_image5.png
:width: 100%
then add the following options in the 'Send Options' field
* ia-pd 0
* raw-option 6 00:0b:00:11:00:17:00:18
* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
The eleven leading hex 00 pairs to be prefixed to the converted userID
Finally set the Identity Association and Prefix interface as shown
.. image:: images/OF_image6.png
:width: 100%
Click Save and then Apply.
**LAN Interface**
-----------------
Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to Track
Interface
.. image:: images/OF_image7.png
:width: 100%
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
.. image:: images/OF_image8.png
:width: 100%
Click Save and then Apply.
It is advisable at this point to reboot the system.
Orange France FTTP IPv4 & IPv6
==============================
**Original Author:** Kev Willers
**Introduction**
-----------------
This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package).
The guide deals with just the internet connection. Setting up of TV or Phone is not covered here.
**Getting ready to make the connection**
----------------------------------------
Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below
.. image:: images/OF_image0.png
:width: 100%
and the WAN interface assignment should hence look something like this
.. image:: images/OF_image1.png
:width: 100%
**Configuring the WAN Interface**
---------------------------------
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
requests respectively
select options DHCP and DHCPv6 in general configuration
.. image:: images/OF_image2.png
:width: 100%
**On the DHCP request it is a requirement to pass the following:**
* dhcp-class-identifier "sagem"
* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3"
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
The eleven leading hex 00 pairs to be prefixed to the converted userID
These parameters should be passed as comma separated options in the 'Send Options' area of their WAN DHCP request
.. image:: images/OF_image3.png
:width: 100%
.. Note::
It is necessary to specify the following 'Request Options'
* subnet-mask
* broadcast-address
* dhcp-lease-time
* dhcp-renewal-time
* dhcp-rebinding-time
* domain-search, routers
* domain-name-servers
* option-90
These parameters should be passed as comma separated options in the 'Request Options' area of their WAN DHCP request
Now for the regional specific part.
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
this can be done via the 'Option Modifiers'.
.. Note::
The vlan-parent is the physical WAN interface - igb0, em0 etc.
.. image:: images/OF_image4.png
:width: 100%
On the DHCP6 request we need to use raw options
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
.. image:: images/OF_image5.png
:width: 100%
then add the following options in the 'Send Options' field
* ia-pd 0
* raw-option 6 00:0b:00:11:00:17:00:18
* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
The eleven leading hex 00 pairs to be prefixed to the converted userID
Finally set the Identity Association and Prefix interface as shown
.. image:: images/OF_image6.png
:width: 100%
Click Save and then Apply.
**LAN Interface**
-----------------
Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to Track
Interface
.. image:: images/OF_image7.png
:width: 100%
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
.. image:: images/OF_image8.png
:width: 100%
Click Save and then Apply.
It is advisable at this point to reboot the system.
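Review bot: this hunk replaces all 123 lines of the Orange France page although the only wording change is "there" to "their" in the two 'Send Options' / 'Request Options' sentences; that pattern usually means a line-ending or trailing-whitespace change, which hides the real edit in review (check with `git diff -w`) and would be cleaner as a separate whitespace-only commit. While the file is being touched, a few remaining slips could be fixed: "hex conversion of the the userid" appears twice (duplicated "the"), "Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'" is missing a conditional ("and, if your region needs a VLAN-PCP, set it via ..."), and "WAN nic" should be "WAN NIC". The XX:XX placeholders in the option-90 and raw-option 11 values should stay as they are, since those bytes carry the subscriber's user ID.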

@ -4,7 +4,7 @@ Setup Anti Virus Protection
OPNsense can offer http and https protection by utilizing its highly flexible
proxy and the industry standard ICAP. An external engine from one of the known
vendors is used to offer maximum protection against malware, such as ransomware,
trojans and viruses. This protection can be further enhanced by the build-in Intrusion
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
Prevention System and Category Based Web filtering.
This How To will utilize Symantec's Protection Engine, but any other vendor that

@ -4,7 +4,7 @@ Setup Anti Virus Protection using OPNsense Plugins
OPNsense can offer http and https protection by utilizing its highly flexible
proxy and the industry standard ICAP. An external engine from one of the known
vendors is used to offer maximum protection against malware, such as ransomware,
trojans and viruses. This protection can be further enhanced by the build-in Intrusion
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
Prevention System and Category Based Web filtering.
This How To will use the Plugins C-ICAP and ClamAV.

@ -151,9 +151,8 @@ certificate for each page manually, but for some pages that may not work well un
not bumped.
.. image:: images/export_CA_cert.png
:width: 100%
Import and change trust settings on your favorite OS. Per example on OSX it looks
Import and change trust settings on your favorite OS. For example, on macOS it looks
like this:
.. image:: images/Trust_Settings_OSX.png
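Review bot: the "OSX" to "macOS" correction is right, but the sentence it sits in, "Import and change trust settings on your favorite OS", does not tell the reader what trusting the exported CA implies: once the proxy CA is in the client trust store, the proxy can present a certificate for any site the client visits, so the CA's private key on the firewall must be protected and the certificate should only be installed on clients that are meant to be inspected. One sentence to that effect here would make the step self-explanatory. The image filename still says OSX; that is fine to keep, since renaming it is not worth the churn.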

@ -1,7 +1,7 @@
====================
Setup Web Filtering
====================
Category based web filtering in OPNsense is done by utilizing the build-in proxy
Category based web filtering in OPNsense is done by utilizing the built-in proxy
and one of the freely available or commercial blacklists.
For this this How-to we will utilize the `UT1 "web categorization list" <https://dsi.ut-capitole.fr/blacklists/index_en.php>`__ from the
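Review bot: the context line "For this this How-to we will utilize ..." has a duplicated "this" that this typo-fixing commit should also pick up: "For this How-to we will utilize ...".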
@ -62,7 +62,7 @@ Press **Save Changes**.
Step 3 - Download the Categories
--------------------------------
Now press Download ACL's, please note that this will take a while (can be several
minutes) as the full list (>19MB) will be converted to squid acl's.
minutes) as the full list (>19 MB) will be converted to squid acl's.
-------------------------
Step 4 - Setup Categories
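Review bot: the unit spacing fix (">19 MB") is fine, but the same sentence still uses "Download ACL's" and "squid acl's", while a few lines further down in this file the button is called **Download ACLs**; suggest "Download ACLs" and "squid ACLs" here so the plural form and the button name agree.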
@ -82,7 +82,7 @@ clear the list and select the following from the drop down list:
Now **Save changes** and press **Download ACLs** again to download and reconstruct
the list with only the selected categories. This will take roughly the same amount
of time as the first fetch as the adult alone section is ~15MB.
of time as the first fetch as the adult alone section is ~15 MB.
---------------------
Step 5 - Enable Proxy
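Review bot: "as the adult alone section is ~15 MB" reads awkwardly; "as the adult section alone is ~15 MB" says what is meant (the single largest category accounts for most of the download time).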

@ -79,17 +79,17 @@ When you are done save the form, the CA is now generated.
====================== =================================== ========================================
.. image:: images/CA.png
:width: 15%
:width: 100%
.. Tip::
Use valid email addresses for your certificates always.
Bogus addresses can pose a security risk not only for certificates btw. ;-)
Always use valid email addresses for your certificates.
Bogus addresses can pose a security risk and not only for certificates.
The Intermediate
----------------
Time to create the second CA which is an **intermediate CA**. This certificate will be signed
Time to create the second CA, which is an **intermediate CA**. This certificate will be signed
by the root CA we just created. In return it will sign the sever certificate for OPNsense.
Go to **Trust/Authorities**
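Review bot: the "which is an intermediate CA" comma fix leaves a typo on the following context line, "it will sign the sever certificate for OPNsense", which should read "server certificate". Also worth noting for the image width change: going from 15% to 100% on CA.png is consistent with the commit's "fix scaling of small images" intent, provided the screenshot is not so large that it now overflows the column at full width.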
@ -103,7 +103,7 @@ Have a look at the form, create an intermediate CA and save it.
====================== =================================== ========================================
.. image:: images/CA-inter.png
:width: 15%
:width: 100%
The Certificate
---------------
@ -122,7 +122,7 @@ Have a look at the next form and notice the common name, create a server certifi
====================== =================================== ========================================
.. image:: images/webgui-cert.png
:width: 15%
:width: 100%
.. Tip::
@ -189,7 +189,7 @@ Go to **Trust/Authorities** create a new CA for Nextcloud and save it.
====================== =================================== ========================================
.. image:: images/CA-cloud.png
:width: 15%
:width: 100%
OPNsense needs to be made aware of the Nextcloud chain we are creating.
@ -231,7 +231,7 @@ Go to **Trust/Authorities** and create an intermediate CA.
====================== =================================== ========================================
.. image:: images/CA-cloud-inter.png
:width: 15%
:width: 100%
Download the intermediate CA and install it to your browser:
@ -253,7 +253,7 @@ Go to **Trust/Certificates** create a server certificate.
====================== =================================== ========================================
.. image:: images/cloud-cert.png
:width: 15%
:width: 100%
We need to install this certificate and key to our Nextcloud server, two ways are shown here.

@ -17,9 +17,9 @@ In this scenario we will create a pipe dedicated for traffic going to and coming
from our realtime application. For the sample we presume a SIP trunk or hosted
Voice Over IP (VOIP) server.
For this example we presume a requirement of 4 uncompressed voice channels of 64Kbps,
resulting in a total bandwidth of 256Kbps. The internet connection in this example
has 10Mbps Download and 1Mbps Upload.
For this example we presume a requirement of 4 uncompressed voice channels of 64 kbps,
resulting in a total bandwidth of 256 kbps. The internet connection in this example
has 10 Mbps Download and 1 Mbps Upload.
@ -69,17 +69,17 @@ Create Pipe For Upload (To our VOIP Server)
**bandwidth** 256 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeUp-256Kbps *Free field, enter something descriptive*
**description** PipeUp-256kbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Upload (Other Traffic = 1024Kbps - 256Kbps = 768Kbps)
Create Pipe For Upload (Other Traffic = 1024 kbps - 256 kbps = 768 kbps)
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 768 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeUp-768Kbps *Free field, enter something descriptive*
**description** PipeUp-768kbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Download (From our VOIP Server)
@ -89,17 +89,17 @@ Create Pipe For Download (From our VOIP Server)
**bandwidth** 256 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeDown-256Kbps *Free field, enter something descriptive*
**description** PipeDown-256kbps *Free field, enter something descriptive*
====================== ================== ================================================
Create Pipe For Download (Other Traffic = 10240Kbps - 256Kbps = 9984Kbps )
Create Pipe For Download (Other Traffic = 10240 kbps - 256 kbps = 9984 kbps )
====================== =================== ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 9984 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeDown-9984Kbps *Free field, enter something descriptive*
**description** PipeDown-9984kbps *Free field, enter something descriptive*
====================== =================== ================================================
Step 2 - Create Rules
@ -117,7 +117,7 @@ Create a rule for traffic directed towards the VOIP Server (Upload).
**src-port** any *The source port to shape, leave on any*
**destination** 172.10.2.1 *The ip address of our VOIP server*
**dst-port** any *Use any of the destination port if static*
**target** PipeUP-256Kbps *Select the Upload 256Kbps Pipe*
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
**description** ShapeVOIPUpload *Enter a descriptive name*
====================== ================= =====================================================
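Review bot: the target in this rule, "PipeUP-256kbps", does not match the pipe name defined earlier in the same page, "PipeUp-256kbps" (capital P, lowercase p); since the reader selects the pipe by its description, the two should be spelled identically. The "dst-port" explanation "Use any of the destination port if static" is also unclear; "Leave on any, or set the destination port if it is static" would say what is intended.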
@ -132,7 +132,7 @@ Create a rule for traffic coming from the VOIP Server (Download).
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination ip to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown256Kbps *Select the Download 256Kbps Pipe*
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
**description** ShapeVOIPDown *Enter a descriptive name*
====================== ================= =====================================================
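Review bot: the target "PipeDown256kbps" is missing the hyphen used in the pipe's own description, "PipeDown-256kbps"; with the unit rename being applied in this commit, the names on both the pipe and the rule should be brought into line at the same time.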
@ -142,11 +142,11 @@ Create a rule for all other internet upload traffic
**sequence** 31 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**source** 192.168.1.0/24 *The source ip's to shape, our LAN network*
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
**src-port** any *The source port to shape, leave on any*
**destination** any *the destination address, leave in any*
**dst-port** any *Use any of the destination port if static*
**target** PipeUp-768Kbps *Select the Upload 256Kbps Pipe*
**target** PipeUp-768kbps *Select the Upload 768 kbps Pipe*
**description** ShapeUpload *Enter a descriptive name*
====================== ================= =====================================================
@ -159,9 +159,9 @@ Create a rule for all other internet download traffic
**proto** ip *Select the protocol, ip in our example*
**source** any *The source ip to shape, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination ip's to shape, our LAN network*
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown-9984Kbps *Select the Download 256Kbps Pipe*
**target** PipeDown-9984kbps *Select the Download 256Kbps Pipe*
**description** ShapeDown *Enter a descriptive name*
====================== =================== =====================================================
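Review bot: the explanation for the download target still says "Select the Download 256Kbps Pipe" although the target is PipeDown-9984kbps; the matching upload hunk above corrected the same copy-paste error to "768 kbps", so this one should read "Select the Download 9984 kbps Pipe" (and use the lowercase "kbps" adopted in the rest of the change).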
@ -185,8 +185,8 @@ Now press |apply| to activate the traffic shaping rules.
Share bandwidth evenly
----------------------
For this example we presume an internet connection of 10Mbps Download and 1Mbps
Upload that we want to share evenly over all users.
For this example we presume an internet connection of 10 Mbps Download and 1 Mbps
Upload that we want to share evenly between all users.
.. nwdiag::
:scale: 100%
@ -299,7 +299,7 @@ Create a rule for traffic coming from the internet (Download).
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** QueueDown-10Mbps *Select the Download 10Mbps Queue*
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
**description** ShapeDownload *Enter a descriptive name*
====================== ================= =====================================================
@ -315,7 +315,7 @@ Limit bandwidth per user
------------------------
For this example we will divide the internet Download traffic between the connected
users in such manner that each user will receive up to a maximum of 1Mbps.
users in such manner that each user will receive up to a maximum of 1 Mbps.
.. nwdiag::
:scale: 100%
@ -378,7 +378,7 @@ Create a rule for traffic coming from the internet (Download).
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown-1Mbps *Select the Download 256Kbps Pipe*
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
**description** ShapeDownload *Enter a descriptive name*
====================== ================= =====================================================
@ -401,11 +401,11 @@ By utilizing queues we can influence the bandwidth within a pipe and give certai
applications more bandwidth than others based on a weighted algorithm.
The idea is simple:
Let presume we have a pipe of 10Mbps and 2 applications for instance smtp (email)
Let presume we have a pipe of 10 Mbps and 2 applications for instance smtp (email)
and http(s). The http(s) traffic will get a weight of 1 and the smtp traffic a
weight of 9, then when all capacity of our pipe is in use the email traffic will
get 9x more bandwidth than our http(s) traffic, resulting in 1Mbps for http(s)
and 9Mbps for smtp.
get 9x more bandwidth than our http(s) traffic, resulting in 1 Mbps for http(s)
and 9 Mbps for smtp.
For our example we only look at download traffic, but the exact same can be done
for the upload traffic.
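Review bot: "Let presume" should be "Let's presume", and "the email traffic will get 9x more bandwidth" is imprecise for a 9:1 weighting; "nine times the bandwidth of our http(s) traffic" matches the 9 Mbps / 1 Mbps split the sentence goes on to state.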
@ -413,10 +413,10 @@ for the upload traffic.
+----------------+--------+-------------------+
| Application | Weight | Minimum Bandwidth |
+================+========+===================+
| SMTP (port 25) | 9 | 9Mbps |
| SMTP (port 25) | 9 | 9 Mbps |
+----------------+--------+-------------------+
| HTTP (80) | | |
+----------------+ 1 | 1Mbps |
+----------------+ 1 | 1 Mbps |
| HTTPS (443) | | |
+----------------+--------+-------------------+
@ -428,7 +428,7 @@ On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Download (10Mbps)
Create Pipe For Download (10 Mbps)
====================== ================= ===============================================
**enabled** Checked *Check to enable the pipe*
@ -515,7 +515,7 @@ Adding an extra rule for https traffic is simple as we can use the same http que
**description** ShapeHTTPSDownload *Enter a descriptive name*
====================== ==================== =====================================================
This way http and https traffic will be treated the same (total max of 1Mbps).
This way http and https traffic will be treated the same (total max of 1 Mbps).
Now press |apply| to activate the traffic shaping rules.
@ -532,11 +532,11 @@ One of the options with OPNsense's traffic shaper is its ability to add shaping
rules based upon two interfaces. This option allows you to shape traffic
differently based on the direction the traffic is moving between interfaces.
For this example we will use this functionality to share a symmetric 10Mbps internet
For this example we will use this functionality to share a symmetric 10 Mbps internet
connection between a primary LAN network and a Guest Network.
The LAN network will not be limited, traffic from users on our Guest Network will
be limited to a total of 2Mbps Download and 1Mbps Upload.
be limited to a total of 2 Mbps Download and 1 Mbps Upload.
.. nwdiag::
:scale: 100%
@ -636,7 +636,7 @@ Create a rule for the upload traffic
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface that matches your GuestNet*
**interface2** GuestNet *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination ip to shape, leave on any*
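Review bot: the explanations on the two interface rows appear to be swapped: the **interface** row holds WAN but says "Select the interface that matches your GuestNet", while **interface2** holds GuestNet but says "Select the interface connected to the internet". Since this rule shapes upload traffic between the two interfaces, the text should describe the value in the same row; suggest exchanging the two descriptions. The "ip" to "IP" change in the proto row is fine.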

@ -265,7 +265,7 @@ For our configuration we only use one server accessible on UDP port 1194.
Next we also need to allow traffic from the VPN client network (192.168.2.0/24).
For our example we will allow client to access anything on our local network(s),
however you may decide just to allow traffic to one or more IP's.
however you may decide just to allow traffic to one or more IPs.
.. image:: images/sslvpn_openvpn_rule.png
:width: 100%

@ -107,7 +107,7 @@ and fill-in the ip/netmask.
5. Disable Block private networks & bogon
-----------------------------------------
For the WAN interface we nee to disable blocking of private networks & bogus ip's.
For the WAN interface we nee to disable blocking of private networks & bogus IPs.
Goto **Interfaces** -> **WAN** and unselect **Block private networks**
and **Block bogon networks**.
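Review bot: beyond the "IPs" fix, this sentence still reads "we nee to disable blocking of private networks & bogus IPs"; "nee" should be "need", and "bogus IPs" should be "bogon networks", which is both the correct term and the option name quoted in the next sentence (**Block bogon networks**). "Goto" on the following line should be "Go to".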

@ -88,7 +88,6 @@ to import the users into the local user manager. Go to **System->Access->Users**
you will see a cloud import icon at the lower right corner of the form.
.. image:: images/user_cloudimport.png
:width: 100%
Click on the cloud import icon to start importing users.

@ -87,7 +87,7 @@ Depending on you hardware and use case different installation media are provided
| | | running in serial console (115200) mode with |
| | | secondary VGA support (no kernel messages though) |
+--------+-----------------------------------------------------+
| nano | | a preinstalled serial image for 4GB USB sticks, |
| nano | | a preinstalled serial image for 4 GB USB sticks, |
| | | SD or CF cards for use with embedded devices |
+--------+-----------------------------------------------------+
@ -104,7 +104,6 @@ Depending on you hardware and use case different installation media are provided
Media Filename Composition
------------------------------
.. blockdiag::
:scale: 100%
diagram {
default_shape = roundedbox;
@ -182,7 +181,7 @@ your target platform has a serial interface choose the "serial image.
64-bit and 32-bit install images are provided. The following examples
apply to both.
Write the image to a USB flash drive (>= 1GB) or an IDE hard disk,
Write the image to a USB flash drive (>=1 GB) or an IDE hard disk,
either with dd under FreeBSD or under Windows with physdiskwrite
Before writing an (iso) image you need to unpack it first (use bunzip2).

@ -16,7 +16,7 @@ ip and port number.
OPNsense offers full support for exporting Netflow data to external collectors as
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
OPNsense is the only open source solution with a build-in Netflow analyzer integrated
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
into it's Graphical User Interface.
------------------
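Review bot: the "built-in" correction is right, but the same sentence continues "integrated into it's Graphical User Interface", where "it's" should be "its".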

@ -25,7 +25,7 @@ Features include:
--------------
Authenticators
--------------
User authentication can be done using OPNsense standard and build-in authenticators.
User authentication can be done using OPNsense standard and built-in authenticators.
Currently these include:
* LDAP (incl. Microsoft Active Directory)
@ -61,13 +61,13 @@ shaping features.Additionally it includes its own options:
-------------------------
Category Based Web Filter
-------------------------
No need for additional plugins, such as squidGuard - as OPNsense has build-in
No need for additional plugins, such as squidGuard - as OPNsense has built-in
category based web filter support. Main features include:
* Fetch from a remote URL
* Supports flat file list and category based compressed lists
* Automatically convert category based blacklists to squid ACL's
* Keep up to date with the build-in scheduler
* Keep up to date with the built-in scheduler
* Compatible with most popular blacklist
----------------
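Review bot: "built-in" is fixed twice here, but the bullet "Automatically convert category based blacklists to squid ACL's" keeps the apostrophe plural (should be "ACLs", as in the rest of this commit), and "Compatible with most popular blacklist" should be "blacklists".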

@ -13,7 +13,7 @@ General tips
For optimum performance and compatibility, these guides are given:
* Minimum required RAM is 1 GB
* Minimum recommended virtual disk size of 8GB
* Minimum recommended virtual disk size of 8 GB
* Disable all off-loading settings in **Interfaces->Settings**
.. image:: images/disableoffloading.png
@ -109,7 +109,7 @@ article first.
File copy failed during installation
------------------------------------
This issue is most likely caused by low memory setting. Make sure your virtual
OPNsense installation has a minimum of 1GB of RAM.
OPNsense installation has a minimum of 1 GB of RAM.
------------------

@ -29,7 +29,6 @@ well known IPsec as well as older (now considered insecure) legacy options such
L2TP and PPTP.
.. image:: images/vpn.png
:width: 100%
.. Note::
