From 86a9787cf38cd5cd330d1ed2898bdd04382f59c9 Mon Sep 17 00:00:00 2001 From: MichaelDeciso <42928941+MichaelDeciso@users.noreply.github.com> Date: Wed, 7 Nov 2018 17:45:54 +0100 Subject: [PATCH] Fix scaling of small images, fix typos, clarify IPsec s2s (#78) --- source/conf.py | 2 +- source/development/examples/helloworld.rst | 12 +- source/development/frontend/controller.rst | 2 +- source/development/frontend/routing.rst | 4 +- source/development/guidelines/basics.rst | 6 +- source/development/how-tos/api.rst | 2 +- source/fork/thefork.rst | 2 +- source/intro.rst | 4 +- source/manual/aliases.rst | 6 +- source/manual/captiveportal.rst | 6 +- source/manual/gui.rst | 4 +- source/manual/hardware.rst | 12 +- source/manual/how-tos/cachingproxy.rst | 7 +- source/manual/how-tos/cellular.rst | 2 +- source/manual/how-tos/cloud_backup.rst | 2 +- source/manual/how-tos/fwcategory.rst | 2 +- source/manual/how-tos/guestnet.rst | 69 +++-- source/manual/how-tos/ips-feodo.rst | 5 +- source/manual/how-tos/ips-geoip.rst | 6 +- source/manual/how-tos/ips-sslfingerprint.rst | 3 +- source/manual/how-tos/ipsec-s2s-binat.rst | 2 +- source/manual/how-tos/ipsec-s2s.rst | 64 ++--- source/manual/how-tos/multiwan.rst | 10 +- source/manual/how-tos/orange_fr_fttp.rst | 246 +++++++++--------- source/manual/how-tos/proxyicapantivirus.rst | 2 +- .../how-tos/proxyicapantivirusinternal.rst | 2 +- source/manual/how-tos/proxytransparent.rst | 3 +- source/manual/how-tos/proxywebfilter.rst | 6 +- source/manual/how-tos/self-signed-chain.rst | 18 +- source/manual/how-tos/shaper.rst | 60 ++--- source/manual/how-tos/sslvpn_s2s.rst | 2 +- source/manual/how-tos/transparent_bridge.rst | 2 +- source/manual/how-tos/user-ldap.rst | 1 - source/manual/install.rst | 5 +- source/manual/netflow.rst | 2 +- source/manual/proxy.rst | 6 +- source/manual/virtuals.rst | 4 +- source/manual/vpnet.rst | 1 - 38 files changed, 284 insertions(+), 310 deletions(-) 
diff --git a/source/conf.py b/source/conf.py index d136c582..35f06612 100644 --- a/source/conf.py +++ b/source/conf.py @@ -340,7 +340,7 @@ epub_copyright = copyright # A unique identification for the text. #epub_uid = '' -# A tuple containing the cover image and cover page html template filenames. +# A tuple containing the cover image and cover page HTML template filenames. #epub_cover = () # A sequence of (type, uri, title) tuples for the guide element of content.opf. diff --git a/source/development/examples/helloworld.rst b/source/development/examples/helloworld.rst index 70c207c2..317dff19 100644 --- a/source/development/examples/helloworld.rst +++ b/source/development/examples/helloworld.rst @@ -66,7 +66,7 @@ Architecture Always make sure there's a clear separation of concerns, back-end calls (like shell scripts) should be implemented using the configd system, all -communication to the client should be handled from an api endpoint. (the +communication to the client should be handled from an API endpoint. (the example provides more insights on how this works). Back-end programs should not access the config.xml directly, if data is @@ -215,7 +215,7 @@ retrieval/changing of configuration data. They should live in a subdirectory of the controller called Api and extend the corresponding class. -For our modules we create two api controllers, one for controlling +For our modules we create two API controllers, one for controlling settings and one for performing service actions. (Named SettingsController.php and ServiceController.php) Both should look like this (replace Settings with Service for the other one): 
@@ -377,7 +377,7 @@ something like this: {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}} This tells the template system to add a form using the contents of -generalForm and name it frm\_GeneralSettings in the html page. Based on +generalForm and name it frm\_GeneralSettings in the HTML page. Based on a standard template part which is already part of the standard system, named base\_form.volt. @@ -665,7 +665,7 @@ What have we accomplished now, we can input data, validate it and save it to the corresponding format of the actual service or application, which uses this data. So if you have a third party application, which you want to integrate into the user interface. You should be able to -generate what it needs now. (there’s more to learn, but these are the +generate what it needs now. (There’s more to learn, but these are the basics). But how do should we control that third part program now? That’s the @@ -760,7 +760,7 @@ elements: }); }); -(in html section) +(in HTML section) .. code-block:: xml @@ -868,7 +868,7 @@ content in it: This creates an acl key named “page-user-helloworld” which authorizes -access to both the ui and api urls of this application. You can now +access to both the ui and API urls of this application. You can now grant access to this module from the system user manager. | diff --git a/source/development/frontend/controller.rst b/source/development/frontend/controller.rst index be8c8112..d30e02fc 100644 --- a/source/development/frontend/controller.rst +++ b/source/development/frontend/controller.rst @@ -86,7 +86,7 @@ A simple index controller to echo a request back looks like this: } } -When placed inside the api directory of Vendor/Sample can be called by sending a +When placed inside the API directory of Vendor/Sample can be called by sending a post request to /api/sample/test/echo, using jquery: .. code-block:: javascript 
diff --git a/source/development/frontend/routing.rst b/source/development/frontend/routing.rst index 3b59930b..a6e8ec7d 100644 --- a/source/development/frontend/routing.rst +++ b/source/development/frontend/routing.rst @@ -62,14 +62,14 @@ This routing is setup via the index page of our new code base and uses API routing ----------- -Routing for api functions is quite similar to routing UI components, +Routing for API functions is quite similar to routing UI components, just create a Api directory under the app path and place a controller class to handle the request. The only major difference is that it's handled by a separate php file (called api.php) in stead of the index.php file used to configure the ui part, details of the routing can be found in /usr/local/opnsense/mvc/app/config/services\_api.php . -If our sample app needs an api to echo something back via a controller called +If our sample app needs an API to echo something back via a controller called tools it could be put into a file called: :: diff --git a/source/development/guidelines/basics.rst b/source/development/guidelines/basics.rst index afa99630..3b4ec25d 100644 --- a/source/development/guidelines/basics.rst +++ b/source/development/guidelines/basics.rst @@ -49,7 +49,7 @@ time and we needed to transition that into something more structured. One of the first things (on the programming part of the system) we did was build components around an existing framework (`Phalcon `_) to create new modules, which could use validated configuration data (from the -config.xml), supply a RESTful API and generate html output using standard +config.xml), supply a RESTful API and generate HTML output using standard templates (Volt). We created the configd system, which can generate system configuration and 
@@ -78,7 +78,7 @@ implementation is one example of this stage. **3)** Moving on (re)build new parts, using our new modules, which provide a layered development -system to automatically support api calls from other systems and xml based model +system to automatically support API calls from other systems and xml based model templates to describe configuration data. *See also:* @@ -87,7 +87,7 @@ templates to describe configuration data. * :doc:`Howto use the API ` Our guidelines somewhat depend of the stage the code is in, when writing new code, -all actions should use the api system for actually changing configuration and +all actions should use the API system for actually changing configuration and performing configuration tasks. They should, of course, use the normal PSR coding standards for PHP code and follow the Python PEPs. diff --git a/source/development/how-tos/api.rst b/source/development/how-tos/api.rst index 2b678187..ae34a0fe 100644 --- a/source/development/how-tos/api.rst +++ b/source/development/how-tos/api.rst @@ -23,7 +23,7 @@ Creating keys API keys are managed in the user manager (system\_usermanager.php), go to the user manager page and select a user. Somewhere down the page you -will find the api section for this user. +will find the API section for this user. |Usermanager add api key.png| diff --git a/source/fork/thefork.rst b/source/fork/thefork.rst index 26350de4..9aa9e520 100644 --- a/source/fork/thefork.rst +++ b/source/fork/thefork.rst @@ -15,7 +15,7 @@ There are some myths surrounding our project offered mostly by pfSense enthusias if you have read their comments on us then we'd recommend to just ignore them and install OPNsense, if you have not already done so. -.. sidebar:: Lets fork and lift the project! +.. sidebar:: Let's fork and lift the project! .. image:: images/fork-lift_new.jpg diff --git a/source/intro.rst b/source/intro.rst index acb11539..215a0b79 100644 --- a/source/intro.rst +++ b/source/intro.rst 
@@ -79,11 +79,11 @@ OPNsense Core Features - Intrusion Detection and Inline Prevention - - Build-in support for Emerging Treats rules + - Built-in support for Emerging Treats rules - Simple setup by use of rule categories - Scheduler for period automatic updates -- Build-in reporting and monitoring tools +- Built-in reporting and monitoring tools - System Health, the modern take on RRD Graphs - Packet Capture diff --git a/source/manual/aliases.rst b/source/manual/aliases.rst index d6d8ab15..361da924 100644 --- a/source/manual/aliases.rst +++ b/source/manual/aliases.rst @@ -33,7 +33,7 @@ When using a fully qualified domain name, the name will we resolved periodically (default is each 300 seconds). Sample - Lets say we want to create an alias table for **www.youtube.com** + Let's say we want to create an alias table for **www.youtube.com** .. image:: images/aliases_host.png :width: 100% @@ -120,10 +120,10 @@ Downloads Using Aliases in pf Firewall Rules ---------------------------------- Aliases can be used in the firewall rules to make administration of large lists -easy. For instance we could have a list of remote ip's that should have access to +easy. For instance we could have a list of remote IPs that should have access to certain services, when anything changes we only need to update the list. -Lets create a simple alias list and assume we have 3 remote ip's that may access +Let's create a simple alias list and assume we have 3 remote IPs that may access the ipsec server for a site to site tunnel connection: * 192.168.100.1 diff --git a/source/manual/captiveportal.rst b/source/manual/captiveportal.rst index eebe92a7..9a7e160c 100644 --- a/source/manual/captiveportal.rst +++ b/source/manual/captiveportal.rst 
@@ -7,13 +7,12 @@ but is also widely used in corporate networks for an additional layer of securit on wireless or Internet access. .. image:: images/hotspot_login.png - :width: 100% -------------------- Typical Applications -------------------- * Guest Network -* Hotel & Camping Wifi Access +* Hotel & Camping Wi-Fi Access * Bring Your Own Device (BOYD) ------------------- @@ -27,7 +26,6 @@ task. At the same time it offers additional functionalities, such as: * Custom Splash page .. image:: images/captiveportal_template_folder.png - :width: 100% --------------- Zone Management @@ -69,7 +67,7 @@ the user can resume its active session. -------------------- Bandwidth Management -------------------- -The Build-in traffic shaper can be utilized to: +The Built-in traffic shaper can be utilized to: * Share bandwidth evenly * Give priority to protocols port numbers and/or ip addresses diff --git a/source/manual/gui.rst b/source/manual/gui.rst index 6c5e8609..b8727c3f 100644 --- a/source/manual/gui.rst +++ b/source/manual/gui.rst @@ -85,13 +85,13 @@ The content area is used to display: ---------- Form View ---------- -Lets take a look at how an advanced form may look like: +Let's take a look at how an advanced form may look like: .. image:: images/proxy_form.png Full Help --------- -Many forms are equipped with build-in help. In the upper right corner of the form +Many forms are equipped with built-in help. In the upper right corner of the form you can select to view all help messages at once. The toggle will color green when enabled and show the help messages beneath the input items. diff --git a/source/manual/hardware.rst b/source/manual/hardware.rst index 21ef94ca..5d16e62e 100644 --- a/source/manual/hardware.rst +++ b/source/manual/hardware.rst 
@@ -53,13 +53,13 @@ for the ones that require disk writes, e.g. a caching proxy (cache) or intrusion and prevention (alert database). +------------------+--------------------------------------------------------------------------+ -| Processor | 500MHz single core cpu | +| Processor | 500 MHz single core cpu | +------------------+--------------------------------------------------------------------------+ | RAM | 512 MB | +------------------+--------------------------------------------------------------------------+ | Install method | Serial console or video (vga) | +------------------+--------------------------------------------------------------------------+ -| Install target | SD or CF card with a minimum of 4GB, use nano images for installation. | +| Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. | +------------------+--------------------------------------------------------------------------+ Table: *Minimum hardware requirements* @@ -78,7 +78,7 @@ or high loads. +------------------+--------------------------------------------------------------------------+ | Install method | Serial console or video (vga) | +------------------+--------------------------------------------------------------------------+ -| Install target | 40 GB SSD, a minimum of 1GB memory is needed for the installer to run. | +| Install target | 40 GB SSD, a minimum of 1 GB memory is needed for the installer to run. | +------------------+--------------------------------------------------------------------------+ Table: *Reasonable hardware requirements* 
@@ -126,9 +126,9 @@ have massive impact on it. The candidates are: displayed below. `State transition tables `__ - it is a known fact, that each state table entry requires about 1KB - (kilo bytes) of RAM. The average state table, filled with 1000 - entries will occupy about ~10MB (mega bytes) of + it is a known fact, that each state table entry requires about 1 kB + (kilobytes) of RAM. The average state table, filled with 1000 + entries will occupy about ~10 MB (megabytes) of `RAM `__. OPNsense usage settings with hundred of thousands of connections will require memory accordingly. diff --git a/source/manual/how-tos/cachingproxy.rst b/source/manual/how-tos/cachingproxy.rst index e8e9ed56..5085d558 100644 --- a/source/manual/how-tos/cachingproxy.rst +++ b/source/manual/how-tos/cachingproxy.rst @@ -26,7 +26,7 @@ select from the list). Change Proxy Listening Port --------------------------- By default the proxy will listen at port 3128, you can change this by clicking -on the tab **Forward Proxy** and fill in the port in the **Proxy port** feild. +on the tab **Forward Proxy** and fill in the port in the **Proxy port** field. Don't forget to **Apply** your changes. ------------ @@ -36,7 +36,6 @@ To enable caching click on the arrow next to the **General Proxy Settings** to see the dropdown menu and click on **Local Cache Settings**. .. image:: images/proxy_cache.png - :width: 100% Check the **Enable local cache** and click **Apply**. @@ -49,7 +48,7 @@ Advanced -------- Under the advanced settings (see mode switch on left top of the form) you can change the cache size, directory structure and max object size to keep in cache. -Again defaults are fine for normal browsing and creates a 100MB cache with max 4MB +Again defaults are fine for normal browsing and creates a 100 MB cache with max 4 MB object size. 
@@ -87,7 +86,7 @@ You can setup ACL's by clicking on the arrow next to **Forward Proxy** and sele **Access Control List**. Here you can: * Setup Allowed Subnets (By default the proxy interfaces will be allowed) -* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IP's) +* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IPs) * Add Banned hosts IP address (A ban will stop this client from being able to use the proxy) * Whitelist (Click on the (i) to see examples, whitelist prevail above blacklists) * Blacklist (If not allowed by a whitelist, this will block traffic based upon a regular expression) diff --git a/source/manual/how-tos/cellular.rst b/source/manual/how-tos/cellular.rst index 06ea480a..58d6dee5 100644 --- a/source/manual/how-tos/cellular.rst +++ b/source/manual/how-tos/cellular.rst @@ -28,7 +28,7 @@ Use websites like `FrequencyCheck `_ to find th frequency band(s) used and get a cellular modem that supports these frequencies. You should also buy an appropriate pigtail antenna cable and LTE antenna. Note -that LTE antennas often have different connectors than WIFI antennas, chose your +that LTE antennas often have different connectors than Wi-Fi antennas, chose your equipment accordingly. Getting the right antenna has a big impact on the quality of your signal. For LTE, MIMO (multiple input, multiple output) antennas should be considered, see for example `this guide `_. diff --git a/source/manual/how-tos/cloud_backup.rst b/source/manual/how-tos/cloud_backup.rst index 9e68ad2d..a9732b0c 100644 --- a/source/manual/how-tos/cloud_backup.rst +++ b/source/manual/how-tos/cloud_backup.rst 
@@ -67,7 +67,7 @@ First we need to have a project in the google developer console: - In the left menu APIs -> "Drive API" -> Enable -- Open the project and start to create an api key +- Open the project and start to create an API key - In the left menu : APIs & auth -> Credentials - Click on the button "Create new Client ID" diff --git a/source/manual/how-tos/fwcategory.rst b/source/manual/how-tos/fwcategory.rst index a1a3442c..80248dd7 100644 --- a/source/manual/how-tos/fwcategory.rst +++ b/source/manual/how-tos/fwcategory.rst @@ -35,7 +35,7 @@ box to make a quick selection. ---------------- Before Selection ---------------- -Take a look at this simple rule set before selecting our "My IP's" category. +Take a look at this simple rule set before selecting our "My IPs" category. .. image:: images/Rules_Full.png :width: 100% diff --git a/source/manual/how-tos/guestnet.rst b/source/manual/how-tos/guestnet.rst index 751c93bf..7717e69e 100644 --- a/source/manual/how-tos/guestnet.rst +++ b/source/manual/how-tos/guestnet.rst @@ -26,7 +26,7 @@ Hotels and RV Parks ------------------- Hotels and RV parks usually utilize a captive portal to allow guests (paid) access to internet for a limited duration. Guests need to login using a voucher they can -either buy or obtain for free at the reception. OPNsense has build-in support for +either buy or obtain for free at the reception. OPNsense has built-in support for vouchers and can easily create them on the fly. With this example we will show you how to setup the Guest Network for this purpose and setup a reception account for creating new vouchers. 
@@ -88,7 +88,7 @@ Fill in the following to setup the DHCP server for our guest net (leave everythi ================ ==================================== ======================================= **Enable** Checked *Enable the DCHP server on GUESTNET* - **Range** 192.168.200.100 to 192.168.200.200 *Serve ip's from this range* + **Range** 192.168.200.100 to 192.168.200.200 *Serve IPs from this range* **DNS servers** 192.168.200.1 *Supply a DNS with the lease* **Gateway** 192.168.200.1 *Supply a gateway with the lease* ================ ==================================== ======================================= @@ -228,11 +228,10 @@ Step 5 - Create Template The template feature is one of the most powerful features of OPNsense's Captive Portal solution and it's very easy to work with. -Lets create a custom landing page, to do so click on the tab **Templates** and +Let's create a custom landing page, to do so click on the tab **Templates** and click on the download icon in the lower right corner ( |download| ). .. image:: images/template_download.png - :width: 100% Now download the default template, we will use this to create our own. Unpack the template zip file, you should have something similar to this: 
@@ -242,21 +241,21 @@ Unpack the template zip file, you should have something similar to this: Most files of the template can be modified, but some are default and may not be changes. Upon upload any changes to the files listed in **exclude.list** will be -ignored. Currently these include the bootstrap java scripting and some fonts. +ignored. Currently these include the bootstrap JavaScript and some fonts. With the captive portal enabled the default screen looks like: .. image:: images/default_login_no_authenticator.png :width: 100% -Lets change this default with a new logo and a welcome message, to this: +Let's change this default with a new logo and a welcome message, to this: .. image:: images/mycompany_login.png To do so use your favourite editor and open the **index.html** file to make the changes. -Lets make the following changes to the template: +Let's make the following changes to the template: #. Change the logo to **company-logo.png** #. Remove the navigation bar on the top @@ -308,20 +307,19 @@ Hit Upload ( |upload| ) :width: 100% .. |upload| image:: images/btn_upload.png - :width: 100% To enable the captive portal on the GUESTNET interface just click on **Apply**. ------------------------------- Step 6 - Limit Guests Bandwidth ------------------------------- -For our example we will reserve 10Mbps down and 1Mbps Up for the Guest Network's +For our example we will reserve 10 Mbps down and 1 Mbps Up for the Guest Network's Internet Access. This bandwidth will be shared evenly between connected clients. .. Note:: With sharing evenly we mean that if 10 users at the same time try to use as much bandwidth as possible then everyone gets 1/10th. So in our example - that would be 1Mbps down stream (download). It is also possible to limit + that would be 1 Mbps down stream (download). It is also possible to limit the traffic per user see also :doc:`shaper` Go to: **Firewall->Traffic Shaper->Settings**. 
@@ -351,7 +349,7 @@ And add another pipe for the upload traffic. Click on **Save changes**. -Create the traffic shaper rules.Click on the tab **Rules** and press the **+** +Create the traffic shaper rules. Click on the tab **Rules** and press the **+** to do so. First toggle the advanced mode (upper left corner of the form) and then fill in @@ -363,7 +361,7 @@ the following details (leave everything not specified on defaults): **interface 2** GUESTNET **direction** in **target** pipe_10Mbps_down - **description** Limit Guests download to 10Mbps + **description** Limit Guests download to 10 Mbps ================= ================================== Click **Save changes**. @@ -374,7 +372,7 @@ Click **Save changes**. **interface 2** GUESTNET **direction** out **target** pipe_1Mbps_up - **description** Limit Guests upload to 1Mbps + **description** Limit Guests upload to 1 Mbps ================= ================================== Click **Save changes**. 
@@ -428,31 +426,31 @@ Step 9 - Create Vouchers Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**). Click on **Create Vouchers** in the lower right corner of the form. -Lets create 1 Day vouchers for our guests: +Let's create 1 Day vouchers for our guests: .. image:: images/create_vouchers.png :width: 100% -Enter the Validity (1 day), the number of Vouchers and a Groupname (Wifi day pass f.i.). +Enter the Validity (1 day), the number of Vouchers and a Groupname (Wi-Fi day pass, for example). For the example we create 10 vouchers. Click on **Generate**. -A file will be generated called **wifi day pass.csv**. +A file will be generated called **Wi-Fi day pass.csv**. The content of this file looks like this: .. code-block:: guess username,password,vouchergroup,validity - "IgJw@Pqf","MLi+Sb7Ak#","Wifi day pass","86400" - "++?f[@i[","!m*)e(@;F,","Wifi day pass","86400" - "bbtK9mBk","f/jCDL3:)b","Wifi day pass","86400" - "iD%L[jLJ","I#FoZ#g!AY","Wifi day pass","86400" - "+4bA\E[I","CNavt@0ck+","Wifi day pass","86400" - "+,fg/\Sv","#22iIL-iQA","Wifi day pass","86400" - ":;Pc\N#s","Y\HuG9vAN$","Wifi day pass","86400" - "00nLb=0Q","0*C_\_Nb_x","Wifi day pass","86400" - "PA$J0YHF","kp!q%9;m)g","Wifi day pass","86400" - "a,mCxbya","LcnCb#g/di","Wifi day pass","86400" + "IgJw@Pqf","MLi+Sb7Ak#","Wi-Fi day pass","86400" + "++?f[@i[","!m*)e(@;F,","Wi-Fi day pass","86400" + "bbtK9mBk","f/jCDL3:)b","Wi-Fi day pass","86400" + "iD%L[jLJ","I#FoZ#g!AY","Wi-Fi day pass","86400" + "+4bA\E[I","CNavt@0ck+","Wi-Fi day pass","86400" + "+,fg/\Sv","#22iIL-iQA","Wi-Fi day pass","86400" + ":;Pc\N#s","Y\HuG9vAN$","Wi-Fi day pass","86400" + "00nLb=0Q","0*C_\_Nb_x","Wi-Fi day pass","86400" + "PA$J0YHF","kp!q%9;m)g","Wi-Fi day pass","86400" + "a,mCxbya","LcnCb#g/di","Wi-Fi day pass","86400" The content are: 
@@ -465,11 +463,11 @@ The content are: .. Warning:: - For security reasons the plain text password for the vouchers are NOT stored + For security reasons the plain text passwords for the vouchers are NOT stored on the firewall. This file can be used for creating nice guest vouchers (on paper) by just merging -the cvs data with word, open office or any other dtp/text editor. +the CSV data with Microsoft Word, LibreOffice or any other DTP/text editor. Create something like this: @@ -501,7 +499,6 @@ When done click **Save changes** and the **Apply** to apply the new settings. Now users will see the login form as part of your template: .. image:: images/cp_voucher_login.png - :width: 100% -------------- Check Sessions @@ -523,8 +520,8 @@ You can drop an active session by clicking on the trashcan. Check Voucher Status -------------------- You can check the validity and active status of a voucher by going to the voucher -page of the captive portal (**Services->Captive Protal->Vouchers**) and select -the correct database (Wifi day pass in our example). +page of the captive portal (**Services->Captive Portal->Vouchers**) and select +the correct database (Wi-Fi day pass in our example). .. image:: images/cp_active_vouchers.png :width: 100% 
@@ -538,16 +535,16 @@ the correct database (Wifi day pass in our example). ------------------------ Advanced - Session popup ------------------------ -Lets create a Session Popup so user can see some details about there session and -Logout. For this feature we will use OPNsense's build-in api calls. +Let's create a Session Popup so users can see some details about their session and +Logout. For this feature we will use OPNsense's built-in API calls. -In particular we will use the following api call (for zone id 0): +In particular we will use the following API call (for zone id 0): .. code-block:: guess /api/captiveportal/access/status/0/ -The response on this api call looks like this (for an active session): +The response on this API call looks like this (for an active session): .. code-block:: json @@ -566,7 +563,7 @@ The response on this api call looks like this (for an active session): "packets_in":3181, "clientState":"AUTHORIZED"} -It would go a bit to far to explain standard html and java scripting used for +It would go a bit to far to explain standard HTML and JavaScript used for our simple popup, but a full demo template can be downloaded: :download:`Download the example Template (with popup) ` diff --git a/source/manual/how-tos/ips-feodo.rst b/source/manual/how-tos/ips-feodo.rst index cc18878b..1c71f821 100644 --- a/source/manual/how-tos/ips-feodo.rst +++ b/source/manual/how-tos/ips-feodo.rst @@ -20,7 +20,7 @@ Prerequisites :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for - logging (>10GB advisable). + logging (>10 GB advisable). * Disable all Hardware Offloading Under **Interface-Settings** @@ -57,7 +57,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :width: 100% --------------- Fetch Rule sets 
@@ -71,7 +70,6 @@ To do so: select Enabled after each one. To download the rule sets press **Download & Update Rules**. .. image:: images/downloadbtn.png - :width: 100% ----------------------- Change default behavior @@ -93,7 +91,6 @@ Apply fraud drop actions Now press **Download & Update Rules** again to change the behavior to drop. .. image:: images/downloadbtn.png - :width: 100% --------------- Keep up to date diff --git a/source/manual/how-tos/ips-geoip.rst b/source/manual/how-tos/ips-geoip.rst index 6c35c29a..dfdc269e 100644 --- a/source/manual/how-tos/ips-geoip.rst +++ b/source/manual/how-tos/ips-geoip.rst @@ -2,7 +2,7 @@ IPS GeoIP Blocking ================== -This tutorial explains how to setup the IPS system to block ip's based on their +This tutorial explains how to setup the IPS system to block IPs based on their geographic location. This option is made possible by the integration of the Maxmind GeoLite2 Country database. More information can be found here: http://dev.maxmind.com/geoip/geoip2/geolite2/ @@ -17,7 +17,7 @@ Prerequisites :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for - logging (>10GB advisable). + logging (>10 GB advisable). * Disable all Hardware Offloading Under **Interface-Settings** @@ -87,13 +87,11 @@ Apply configuration If this is the first GeoIP rule you add then you need to **Download & Update Rules** .. image:: images/downloadbtn.png - :width: 100% Then apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :width: 100% ------------ diff --git a/source/manual/how-tos/ips-sslfingerprint.rst b/source/manual/how-tos/ips-sslfingerprint.rst index dc17a3c2..751edd2a 100644 --- a/source/manual/how-tos/ips-sslfingerprint.rst +++ b/source/manual/how-tos/ips-sslfingerprint.rst 
@@ -16,7 +16,7 @@ Prerequisites :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for - logging (>10GB advisable). + logging (>10 GB advisable). * Disable all Hardware Offloading Under **Interface-Settings** @@ -106,7 +106,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :width: 100% ---------------------------- Clear Browser Cache and test diff --git a/source/manual/how-tos/ipsec-s2s-binat.rst b/source/manual/how-tos/ipsec-s2s-binat.rst index b42b8fef..a8d5f9f2 100644 --- a/source/manual/how-tos/ipsec-s2s-binat.rst +++ b/source/manual/how-tos/ipsec-s2s-binat.rst @@ -3,7 +3,7 @@ IPSec BINAT =============== Assume company A has local LAN 10.0.1.0/24 and company B has local LAN 10.0.2.0/24. -Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wifi. +Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wi-Fi. We have to define new networks for the Phase 2 with unused ones and create NAT entries to reach the final systems. diff --git a/source/manual/how-tos/ipsec-s2s.rst b/source/manual/how-tos/ipsec-s2s.rst index 9a79424d..94e14b62 100644 --- a/source/manual/how-tos/ipsec-s2s.rst +++ b/source/manual/how-tos/ipsec-s2s.rst @@ -203,7 +203,7 @@ General information ------------------- ========================= ============= ================================================ **Connection method** default *default is 'Start on traffic'* -**Key Exchange version** V2 *both V1 and V2 are supported* +**Key Exchange version** V2 **Internet Protocol** IPv4 **Interface** WAN *choose the interface connected to the internet* **Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense* 
@@ -215,7 +215,6 @@ Phase 1 proposal (Authentication) --------------------------------- =========================== ====================== ====================================== **Authentication method** Mutual PSK *Using a Pre-shared Key* - **Negotiation mode** Main *Use Main. Aggressive is insecure* **My identifier** My IP address *Simple identification for fixed ip* **Peer identifier** Peer IP address *Simple identification for fixed ip* **Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!** @@ -224,12 +223,12 @@ Phase 1 proposal (Authentication) Phase 1 proposal (Algorithms) ----------------------------- -========================== ============= =========================================== - **Encryption algorithm** AES *For our sample we will Use AES/256 bits* - **Hash algoritm** SHA512 *Use a strong hash like SHA512* - **DH key group** 2048 bit *2048 bit should be sufficient* - **Lifetime** 28800 sec *lifetime before renegotiation* -========================== ============= =========================================== +========================== =============== =========================================== + **Encryption algorithm** AES *For our sample we will Use AES/256 bits* + **Hash algoritm** SHA512 *Use a strong hash like SHA512* + **DH key group** 14 (2048 bit) *2048 bit should be sufficient* + **Lifetime** 28800 sec *lifetime before renegotiation* +========================== =============== =========================================== Advanced Options @@ -245,7 +244,6 @@ Advanced Options Save your setting by pressing: .. image:: images/btn_save.png - :width: 100% Now you should see the following screen: @@ -259,7 +257,6 @@ Step 2 - Phase 2 Site A Press the button that says '+ Show 0 Phase-2 entries' .. image:: images/ipsec_s2s_vpn_p1a_show_p2.png - :width: 100% You will see an empty list: 
@@ -291,30 +288,27 @@ Remote Network Phase 2 proposal (SA/Key Exchange) ---------------------------------- -=========================== ============ ======================================= -**Protocol** ESP *Choose ESP for encryption* -**Encryption algorithms** AES / 256 *For the sample we use AES 256* -**Hash algortihms** SHA512 *Choose a strong hash like SHA512* -**PFS Key group** 2048 bit *Not required but enhanced security* +=========================== =============== ======================================= +**Protocol** ESP *Choose ESP for encryption* +**Encryption algorithms** AES / 256 *For the sample we use AES 256* +**Hash algortihms** SHA512 *Choose a strong hash like SHA512* +**PFS Key group** 14 (2048 bit) *Not required but enhanced security* **Lifetime** 3600 sec -=========================== ============ ======================================= +=========================== =============== ======================================= Save your setting by pressing: .. image:: images/btn_save.png - :width: 100% ----------------------------- Enable IPsec for Site A, Select: .. image:: images/ipsec_s2s_vpn_p1a_enable.png - :width: 100% Save: .. image:: images/btn_save.png - :width: 100% And Apply changes: @@ -340,7 +334,7 @@ General information ------------------- ========================= ============= ================================================ **Connection method** default *default is 'Start on traffic'* -**Key Exchange version** V2 *both V1 and V2 are supported* +**Key Exchange version** V2 **Internet Protocol** IPv4 **Interface** WAN *choose the interface connected to the internet* **Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense* 
@@ -352,7 +346,6 @@ Phase 1 proposal (Authentication) --------------------------------- =========================== ====================== ====================================== **Authentication method** Mutual PSK *Using a Pre-shared Key* - **Negotiation mode** Main *Use Main. Aggressive is insecure* **My identifier** My IP address *Simple identification for fixed ip* **Peer identifier** Peer IP address *Simple identification for fixed ip* **Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!** @@ -361,12 +354,12 @@ Phase 1 proposal (Authentication) Phase 1 proposal (Algorithms) ----------------------------- -========================== ============= =========================================== - **Encryption algorithm** AES *For our sample we will Use AES/256 bits* - **Hash algoritm** SHA512 *Use a strong hash like SHA512* - **DH key group** 2048 bit *2048 bit should be sufficient* - **Lifetime** 28800 sec *lifetime before renegotiation* -========================== ============= =========================================== +========================== =============== =========================================== + **Encryption algorithm** AES *For our sample we will Use AES/256 bits* + **Hash algoritm** SHA512 *Use a strong hash like SHA512* + **DH key group** 14 (2048 bit) *2048 bit should be sufficient* + **Lifetime** 28800 sec *lifetime before renegotiation* +========================== =============== =========================================== Advanced Options @@ -382,7 +375,6 @@ Advanced Options Save your setting by pressing: .. image:: images/btn_save.png - :width: 100% Now you should see the following screen: 
@@ -429,19 +421,18 @@ Remote Network Phase 2 proposal (SA/Key Exchange) ---------------------------------- -=========================== ============ ======================================= -**Protocol** ESP *Choose ESP for encryption* -**Encryption algorithms** AES / 256 *For the sample we use AES 256* -**Hash algortihms** SHA512 *Choose a strong hash like SHA512* -**PFS Key group** 2048 bit *Not required but enhanced security* +=========================== =============== ======================================= +**Protocol** ESP *Choose ESP for encryption* +**Encryption algorithms** AES / 256 *For the sample we use AES 256* +**Hash algortihms** SHA512 *Choose a strong hash like SHA512* +**PFS Key group** 14 (2048 bit) *Not required but enhanced security* **Lifetime** 3600 sec -=========================== ============ ======================================= +=========================== =============== ======================================= Save your setting by pressing: .. image:: images/btn_save.png - :width: 100% ----------------------------- @@ -453,7 +444,6 @@ Enable IPsec for Site B, Select: Save: .. image:: images/btn_save.png - :width: 100% And Apply changes: @@ -530,4 +520,4 @@ Common issues are unequal settings. Both ends must use the same encryption stand If you are testing locally with your pc connected to one of the two test boxes as in the sample configuration, then make sure you have no other network - connections (f.i. wifi). + connections (Wi-Fi, for example). diff --git a/source/manual/how-tos/multiwan.rst b/source/manual/how-tos/multiwan.rst index 98368bba..02ca6e86 100644 --- a/source/manual/how-tos/multiwan.rst +++ b/source/manual/how-tos/multiwan.rst @@ -24,7 +24,7 @@ Configure Failover ------------------ To setup Failover the following step will be taken: -#. Add monitor IP's to the gateways +#. Add monitor IPs to the gateways #. Add a gateway group #. Configure DNS for each gateway #. Use policy based routing to utilize our gateway group 
@@ -40,12 +40,12 @@ To setup Failover the following step will be taken: Example configuration --------------------- Our example utilized two previous configured WAN gateways that both are confirmed -to function separately. As DNS's and monitor ip's we will utilize google's DNS +to function separately. As DNS's and monitor IPs we will utilize google's DNS services 8.8.8.8 and 8.8.4.4, of course you can use your own 'known good' setting. We defined WAN and WAN2, where WAN will be our primary (default) gateway. -Step 1 - Add monitor IP's +Step 1 - Add monitor IPs ------------------------- You may skip this step if you already have setup the monitoring ip and both gateways are shown as online. @@ -185,7 +185,7 @@ gateways. Sticky Connection ----------------- -Some web sites don't like changing request ip's for the same session, this may +Some web sites don't like changing request IPs for the same session, this may lead to unexpected behavior. To solve this you can use the option **Sticky Connections**, this will make sure each subsequent request from the same user to the same website is send through the same gateway. @@ -196,7 +196,7 @@ Unequal Balancing (Weight) -------------------------- If you have a non symmetric setup with one IPS having a much higher bandwidth that the other then you can set a weight on each gateway to change the -load balance. For instance if you have one line of 10Mbps and one of 20Mbps then +load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps then set the weight of the first one to 1 and the second one to 2. This way the second gateway will get twice as many traffic to handle than the first. diff --git a/source/manual/how-tos/orange_fr_fttp.rst b/source/manual/how-tos/orange_fr_fttp.rst index 86f054fe..fca71e4c 100644 --- a/source/manual/how-tos/orange_fr_fttp.rst +++ b/source/manual/how-tos/orange_fr_fttp.rst 
@@ -1,123 +1,123 @@ -Orange France FTTP IPv4 & IPv6 -============================== - -**Original Author:** Kev Willers - -**Introduction** ------------------ -This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package). - -The guide deals with just the internet connection. Setting up of TV or Phone is not covered here. - - -**Getting ready to make the connection** ----------------------------------------- - -Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below - -.. image:: images/OF_image0.png - :width: 100% - -and the WAN interface assignment should hence look something like this - -.. image:: images/OF_image1.png - :width: 100% - -**Configuring the WAN Interface** ---------------------------------- - -In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6 -requests respectively - -select options DHCP and DHCPv6 in general configuration - -.. image:: images/OF_image2.png - :width: 100% - -**On the DHCP request it is a requirement to pass the following:** - -* dhcp-class-identifier "sagem" -* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3" -* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX - (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) - -.. Note:: - The eleven leading hex 00 pairs to be prefixed to the converted userID - -These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request - -.. image:: images/OF_image3.png - :width: 100% - -.. 
Note:: - It is necessary to specify the following 'Request Options' - -* subnet-mask -* broadcast-address -* dhcp-lease-time -* dhcp-renewal-time -* dhcp-rebinding-time -* domain-search, routers -* domain-name-servers -* option-90 - -These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request - -Now for the regional specific part. - -Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then -this can be done via the 'Option Modifiers'. - -.. Note:: - The vlan-parent is the physical WAN interface - igb0, em0 etc. - -.. image:: images/OF_image4.png - :width: 100% - -On the DHCP6 request we need to use raw options - -Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority' - -.. image:: images/OF_image5.png - :width: 100% - -then add the following options in the 'Send Options' field - -* ia-pd 0 -* raw-option 6 00:0b:00:11:00:17:00:18 -* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33 -* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d -* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX - (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) - -.. Note:: - The eleven leading hex 00 pairs to be prefixed to the converted userID - -Finally set the Identity Association and Prefix interface as shown - -.. image:: images/OF_image6.png - :width: 100% - -Click ‘Save’ and then ‘Apply’. - - -**LAN Interface** ------------------ - - -Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track -Interface’ - -.. image:: images/OF_image7.png - :width: 100% - - -Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address. - - -.. 
image:: images/OF_image8.png - :width: 100% - -Click ‘Save’ and then ‘Apply’. - -It is advisable at this point to reboot the system. +Orange France FTTP IPv4 & IPv6 +============================== + +**Original Author:** Kev Willers + +**Introduction** +----------------- +This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package). + +The guide deals with just the internet connection. Setting up of TV or Phone is not covered here. + + +**Getting ready to make the connection** +---------------------------------------- + +Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below + +.. image:: images/OF_image0.png + :width: 100% + +and the WAN interface assignment should hence look something like this + +.. image:: images/OF_image1.png + :width: 100% + +**Configuring the WAN Interface** +--------------------------------- + +In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6 +requests respectively + +select options DHCP and DHCPv6 in general configuration + +.. image:: images/OF_image2.png + :width: 100% + +**On the DHCP request it is a requirement to pass the following:** + +* dhcp-class-identifier "sagem" +* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3" +* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX + (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) + +.. Note:: + The eleven leading hex 00 pairs to be prefixed to the converted userID + +These parameters should be passed as comma separated options in the 'Send Options' area of their WAN DHCP request + +.. image:: images/OF_image3.png + :width: 100% + +.. 
Note:: + It is necessary to specify the following 'Request Options' + +* subnet-mask +* broadcast-address +* dhcp-lease-time +* dhcp-renewal-time +* dhcp-rebinding-time +* domain-search, routers +* domain-name-servers +* option-90 + +These parameters should be passed as comma separated options in the 'Request Options' area of their WAN DHCP request + +Now for the regional specific part. + +Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then +this can be done via the 'Option Modifiers'. + +.. Note:: + The vlan-parent is the physical WAN interface - igb0, em0 etc. + +.. image:: images/OF_image4.png + :width: 100% + +On the DHCP6 request we need to use raw options + +Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority' + +.. image:: images/OF_image5.png + :width: 100% + +then add the following options in the 'Send Options' field + +* ia-pd 0 +* raw-option 6 00:0b:00:11:00:17:00:18 +* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33 +* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d +* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX + (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) + +.. Note:: + The eleven leading hex 00 pairs to be prefixed to the converted userID + +Finally set the Identity Association and Prefix interface as shown + +.. image:: images/OF_image6.png + :width: 100% + +Click ‘Save’ and then ‘Apply’. + + +**LAN Interface** +----------------- + + +Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track +Interface’ + +.. image:: images/OF_image7.png + :width: 100% + + +Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address. + + +.. 
image:: images/OF_image8.png + :width: 100% + +Click ‘Save’ and then ‘Apply’. + +It is advisable at this point to reboot the system. diff --git a/source/manual/how-tos/proxyicapantivirus.rst b/source/manual/how-tos/proxyicapantivirus.rst index ee59b46c..50ba3bce 100644 --- a/source/manual/how-tos/proxyicapantivirus.rst +++ b/source/manual/how-tos/proxyicapantivirus.rst @@ -4,7 +4,7 @@ Setup Anti Virus Protection OPNsense can offer http and https protection by utilizing its highly flexible proxy and the industry standard ICAP. An external engine from one of the known vendors is used to offer maximum protection against malware, such as ransomware, -trojans and viruses. This protection can be further enhanced by the build-in Intrusion +trojans and viruses. This protection can be further enhanced by the built-in Intrusion Prevention System and Category Based Web filtering. This How To will utilize Symantec's Protection Engine, but any other vendor that diff --git a/source/manual/how-tos/proxyicapantivirusinternal.rst b/source/manual/how-tos/proxyicapantivirusinternal.rst index d28b0420..c27999db 100644 --- a/source/manual/how-tos/proxyicapantivirusinternal.rst +++ b/source/manual/how-tos/proxyicapantivirusinternal.rst @@ -4,7 +4,7 @@ Setup Anti Virus Protection using OPNsense Plugins OPNsense can offer http and https protection by utilizing its highly flexible proxy and the industry standard ICAP. An external engine from one of the known vendors is used to offer maximum protection against malware, such as ransomware, -trojans and viruses. This protection can be further enhanced by the build-in Intrusion +trojans and viruses. This protection can be further enhanced by the built-in Intrusion Prevention System and Category Based Web filtering. This How To will use the Plugins C-ICAP and ClamAV. diff --git a/source/manual/how-tos/proxytransparent.rst b/source/manual/how-tos/proxytransparent.rst index 0fcb4cbf..52b34585 100644 
--- a/source/manual/how-tos/proxytransparent.rst +++ b/source/manual/how-tos/proxytransparent.rst @@ -151,9 +151,8 @@ certificate for each page manually, but for some pages that may not work well un not bumped. .. image:: images/export_CA_cert.png - :width: 100% -Import and change trust settings on your favorite OS. Per example on OSX it looks +Import and change trust settings on your favorite OS. For example, on macOS it looks like this: .. image:: images/Trust_Settings_OSX.png diff --git a/source/manual/how-tos/proxywebfilter.rst b/source/manual/how-tos/proxywebfilter.rst index 3a77bc6e..4a2970d8 100644 --- a/source/manual/how-tos/proxywebfilter.rst +++ b/source/manual/how-tos/proxywebfilter.rst @@ -1,7 +1,7 @@ ==================== Setup Web Filtering ==================== -Category based web filtering in OPNsense is done by utilizing the build-in proxy +Category based web filtering in OPNsense is done by utilizing the built-in proxy and one of the freely available or commercial blacklists. For this this How-to we will utilize the `UT1 "web categorization list" `__ from the @@ -62,7 +62,7 @@ Press **Save Changes**. Step 3 - Download the Categories -------------------------------- Now press Download ACL's, please note that this will take a while (can be several -minutes) as the full list (>19MB) will be converted to squid acl's. +minutes) as the full list (>19 MB) will be converted to squid acl's. ------------------------- Step 4 - Setup Categories @@ -82,7 +82,7 @@ clear the list and select the following from the drop down list: Now **Save changes** and press **Download ACLs** again to download and reconstruct the list with only the selected categories. This will take roughly the same amount -of time as the first fetch as the adult alone section is ~15MB. +of time as the first fetch as the adult alone section is ~15 MB. --------------------- Step 5 - Enable Proxy 
diff --git a/source/manual/how-tos/self-signed-chain.rst b/source/manual/how-tos/self-signed-chain.rst index cbdf15f2..de851336 100644 --- a/source/manual/how-tos/self-signed-chain.rst +++ b/source/manual/how-tos/self-signed-chain.rst @@ -79,17 +79,17 @@ When you are done save the form, the CA is now generated. ====================== =================================== ======================================== .. image:: images/CA.png - :width: 15% + :width: 100% .. Tip:: - Use valid email addresses for your certificates always. - Bogus addresses can pose a security risk not only for certificates btw. ;-) + Always use valid email addresses for your certificates. + Bogus addresses can pose a security risk – and not only for certificates. The Intermediate ---------------- -Time to create the second CA which is an **intermediate CA**. This certificate will be signed +Time to create the second CA, which is an **intermediate CA**. This certificate will be signed by the root CA we just created. In return it will sign the sever certificate for OPNsense. Go to **Trust/Authorities** @@ -103,7 +103,7 @@ Have a look at the form, create an intermediate CA and save it. ====================== =================================== ======================================== .. image:: images/CA-inter.png - :width: 15% + :width: 100% The Certificate --------------- @@ -122,7 +122,7 @@ Have a look at the next form and notice the common name, create a server certifi ====================== =================================== ======================================== .. image:: images/webgui-cert.png - :width: 15% + :width: 100% .. Tip:: @@ -189,7 +189,7 @@ Go to **Trust/Authorities** create a new CA for Nextcloud and save it. ====================== =================================== ======================================== .. image:: images/CA-cloud.png - :width: 15% + :width: 100% OPNsense needs to be made aware of the Nextcloud chain we are creating. 
@@ -231,7 +231,7 @@ Go to **Trust/Authorities** and create an intermediate CA. ====================== =================================== ======================================== .. image:: images/CA-cloud-inter.png - :width: 15% + :width: 100% Download the intermediate CA and install it to your browser: @@ -253,7 +253,7 @@ Go to **Trust/Certificates** create a server certificate. ====================== =================================== ======================================== .. image:: images/cloud-cert.png - :width: 15% + :width: 100% We need to install this certificate and key to our Nextcloud server, two ways are shown here. diff --git a/source/manual/how-tos/shaper.rst b/source/manual/how-tos/shaper.rst index 3191d6f2..163e3617 100644 --- a/source/manual/how-tos/shaper.rst +++ b/source/manual/how-tos/shaper.rst @@ -17,9 +17,9 @@ In this scenario we will create a pipe dedicated for traffic going to and coming from our realtime application. For the sample we presume a SIP trunk or hosted Voice Over IP (VOIP) server. -For this example we presume a requirement of 4 uncompressed voice channels of 64Kbps, -resulting in a total bandwidth of 256Kbps. The internet connection in this example -has 10Mbps Download and 1Mbps Upload. +For this example we presume a requirement of 4 uncompressed voice channels of 64 kbps, +resulting in a total bandwidth of 256 kbps. The internet connection in this example +has 10 Mbps Download and 1 Mbps Upload. 
@@ -69,17 +69,17 @@ Create Pipe For Upload (To our VOIP Server) **bandwidth** 256 *Numeric value of the desired bandwidth* **bandwidth Metric** Kbit/s *Metric to use with the numeric value* **mask** (Empty) *Used for auto queueing, empty for our sample* - **description** PipeUp-256Kbps *Free field, enter something descriptive* + **description** PipeUp-256kbps *Free field, enter something descriptive* ====================== ================ ================================================ -Create Pipe For Upload (Other Traffic = 1024Kbps - 256Kbps = 768Kbps) +Create Pipe For Upload (Other Traffic = 1024 kbps - 256 kbps = 768 kbps) ====================== ================ ================================================ **enabled** Checked *Check to enable the pipe* **bandwidth** 768 *Numeric value of the desired bandwidth* **bandwidth Metric** Kbit/s *Metric to use with the numeric value* **mask** (Empty) *Used for auto queueing, empty for our sample* - **description** PipeUp-768Kbps *Free field, enter something descriptive* + **description** PipeUp-768kbps *Free field, enter something descriptive* ====================== ================ ================================================ Create Pipe For Download (From our VOIP Server) 
@@ -89,17 +89,17 @@ Create Pipe For Download (From our VOIP Server) **bandwidth** 256 *Numeric value of the desired bandwidth* **bandwidth Metric** Kbit/s *Metric to use with the numeric value* **mask** (Empty) *Used for auto queueing, empty for our sample* - **description** PipeDown-256Kbps *Free field, enter something descriptive* + **description** PipeDown-256kbps *Free field, enter something descriptive* ====================== ================== ================================================ -Create Pipe For Download (Other Traffic = 10240Kbps - 256Kbps = 9984Kbps ) +Create Pipe For Download (Other Traffic = 10240 kbps - 256 kbps = 9984 kbps ) ====================== =================== ================================================ **enabled** Checked *Check to enable the pipe* **bandwidth** 9984 *Numeric value of the desired bandwidth* **bandwidth Metric** Kbit/s *Metric to use with the numeric value* **mask** (Empty) *Used for auto queueing, empty for our sample* - **description** PipeDown-9984Kbps *Free field, enter something descriptive* + **description** PipeDown-9984kbps *Free field, enter something descriptive* ====================== =================== ================================================ Step 2 - Create Rules @@ -117,7 +117,7 @@ Create a rule for traffic directed towards the VOIP Server (Upload). **src-port** any *The source port to shape, leave on any* **destination** 172.10.2.1 *The ip address of our VOIP server* **dst-port** any *Use any of the destination port if static* - **target** PipeUP-256Kbps *Select the Upload 256Kbps Pipe* + **target** PipeUP-256kbps *Select the Upload 256 kbps Pipe* **description** ShapeVOIPUpload *Enter a descriptive name* ====================== ================= ===================================================== 
@@ -132,7 +132,7 @@ Create a rule for traffic coming from the VOIP Server (Download). **src-port** any *The source port to shape, leave on any* **destination** any *The destination ip to shape, leave on any* **dst-port** any *The destination port to shape, leave on any* - **target** PipeDown256Kbps *Select the Download 256Kbps Pipe* + **target** PipeDown256kbps *Select the Download 256 kbps Pipe* **description** ShapeVOIPDown *Enter a descriptive name* ====================== ================= ===================================================== @@ -142,11 +142,11 @@ Create a rule for all other internet upload traffic **sequence** 31 *Auto generated number, overwrite only when needed* **interface** WAN *Select the interface connected to the internet* **proto** ip *Select the protocol, ip in our example* - **source** 192.168.1.0/24 *The source ip's to shape, our LAN network* + **source** 192.168.1.0/24 *The source IPs to shape, our LAN network* **src-port** any *The source port to shape, leave on any* **destination** any *the destination address, leave in any* **dst-port** any *Use any of the destination port if static* - **target** PipeUp-768Kbps *Select the Upload 256Kbps Pipe* + **target** PipeUp-768kbps *Select the Upload 768 kbps Pipe* **description** ShapeUpload *Enter a descriptive name* ====================== ================= ===================================================== 
@@ -159,9 +159,9 @@ Create a rule for all other internet download traffic **proto** ip *Select the protocol, ip in our example* **source** any *The source ip to shape, leave on any* **src-port** any *The source port to shape, leave on any* - **destination** 192.168.1.0/24 *The destination ip's to shape, our LAN network* + **destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network* **dst-port** any *The destination port to shape, leave on any* - **target** PipeDown-9984Kbps *Select the Download 256Kbps Pipe* + **target** PipeDown-9984kbps *Select the Download 256Kbps Pipe* **description** ShapeDown *Enter a descriptive name* ====================== =================== ===================================================== @@ -185,8 +185,8 @@ Now press |apply| to activate the traffic shaping rules. Share bandwidth evenly ---------------------- -For this example we presume an internet connection of 10Mbps Download and 1Mbps -Upload that we want to share evenly over all users. +For this example we presume an internet connection of 10 Mbps Download and 1 Mbps +Upload that we want to share evenly between all users. .. nwdiag:: :scale: 100% @@ -299,7 +299,7 @@ Create a rule for traffic coming from the internet (Download). **src-port** any *The source port to shape, leave on any* **destination** 192.168.1.0/24 *The destination ip to shape, select LAN network* **dst-port** any *The destination port to shape, leave on any* - **target** QueueDown-10Mbps *Select the Download 10Mbps Queue* + **target** QueueDown-10Mbps *Select the Download 10 Mbps Queue* **description** ShapeDownload *Enter a descriptive name* ====================== ================= ===================================================== 
@@ -315,7 +315,7 @@ Limit bandwidth per user ------------------------ For this example we will divide the internet Download traffic between the connected -users in such manner that each user will receive up to a maximum of 1Mbps. +users in such manner that each user will receive up to a maximum of 1 Mbps. .. nwdiag:: :scale: 100% @@ -378,7 +378,7 @@ Create a rule for traffic coming from the internet (Download). **src-port** any *The source port to shape, leave on any* **destination** 192.168.1.0/24 *The destination ip to shape, select LAN network* **dst-port** any *The destination port to shape, leave on any* - **target** PipeDown-1Mbps *Select the Download 256Kbps Pipe* + **target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe* **description** ShapeDownload *Enter a descriptive name* ====================== ================= ===================================================== @@ -401,11 +401,11 @@ By utilizing queues we can influence the bandwidth within a pipe and give certai applications more bandwidth than others based on a weighted algorithm. The idea is simple: -Let presume we have a pipe of 10Mbps and 2 applications for instance smtp (email) +Let presume we have a pipe of 10 Mbps and 2 applications for instance smtp (email) and http(s). The http(s) traffic will get a weight of 1 and the smtp traffic a weight of 9, then when all capacity of our pipe is in use the email traffic will -get 9x more bandwidth than our http(s) traffic, resulting in 1Mbps for http(s) -and 9Mbps for smtp. +get 9x more bandwidth than our http(s) traffic, resulting in 1 Mbps for http(s) +and 9 Mbps for smtp. For our example we only look at download traffic, but the exact same can be done for the upload traffic. 
@@ -413,10 +413,10 @@ for the upload traffic. +----------------+--------+-------------------+ | Application | Weight | Minimum Bandwidth | +================+========+===================+ -| SMTP (port 25) | 9 | 9Mbps | +| SMTP (port 25) | 9 | 9 Mbps | +----------------+--------+-------------------+ | HTTP (80) | | | -+----------------+ 1 | 1Mbps | ++----------------+ 1 | 1 Mbps | | HTTPS (443) | | | +----------------+--------+-------------------+ @@ -428,7 +428,7 @@ On the **Pipes** tab click the **+** button in the lower right corner. An empty **Edit Pipe** screen will popup. -Create Pipe For Download (10Mbps) +Create Pipe For Download (10 Mbps) ====================== ================= =============================================== **enabled** Checked *Check to enable the pipe* @@ -515,7 +515,7 @@ Adding an extra rule for https traffic is simple as we can use the same http que **description** ShapeHTTPSDownload *Enter a descriptive name* ====================== ==================== ===================================================== -This way http and https traffic will be treated the same (total max of 1Mbps). +This way http and https traffic will be treated the same (total max of 1 Mbps). Now press |apply| to activate the traffic shaping rules. @@ -532,11 +532,11 @@ One of the options with OPNsense's traffic shaper is its ability to add shaping rules based upon two interfaces. This option allows you to shape traffic differently based on the direction the traffic is moving between interfaces. -For this example we will use this functionality to share a symmetric 10Mbps internet +For this example we will use this functionality to share a symmetric 10 Mbps internet connection between a primary LAN network and a Guest Network. The LAN network will not be limited, traffic from users on our Guest Network will -be limited to a total of 2Mbps Download and 1Mbps Upload. +be limited to a total of 2 Mbps Download and 1 Mbps Upload. .. nwdiag:: :scale: 100% 
@@ -636,7 +636,7 @@ Create a rule for the upload traffic **sequence** 21 *Auto generated number, overwrite only when needed* **interface** WAN *Select the interface that matches your GuestNet* **interface2** GuestNet *Select the interface connected to the internet* - **proto** ip *Select the protocol, ip in our example* + **proto** ip *Select the protocol, IP in our example* **source** any *The source address, leave on any* **src-port** any *The source port to shape, leave on any* **destination** any *The destination ip to shape, leave on any* diff --git a/source/manual/how-tos/sslvpn_s2s.rst b/source/manual/how-tos/sslvpn_s2s.rst index 83a241a8..1ca6bedc 100644 --- a/source/manual/how-tos/sslvpn_s2s.rst +++ b/source/manual/how-tos/sslvpn_s2s.rst @@ -265,7 +265,7 @@ For our configuration we only use one server accessible on UDP port 1194. Next we also need to allow traffic from the VPN client network (192.168.2.0/24). For our example we will allow client to access anything on our local network(s), -however you may decide just to allow traffic to one or more IP's. +however you may decide just to allow traffic to one or more IPs. .. image:: images/sslvpn_openvpn_rule.png :width: 100% diff --git a/source/manual/how-tos/transparent_bridge.rst b/source/manual/how-tos/transparent_bridge.rst index 198e6241..b278d871 100644 --- a/source/manual/how-tos/transparent_bridge.rst +++ b/source/manual/how-tos/transparent_bridge.rst @@ -107,7 +107,7 @@ and fill-in the ip/netmask. 5. Disable Block private networks & bogon ----------------------------------------- -For the WAN interface we nee to disable blocking of private networks & bogus ip's. +For the WAN interface we nee to disable blocking of private networks & bogus IPs. Goto **Interfaces** -> **WAN** and unselect **Block private networks** and **Block bogon networks**. diff --git a/source/manual/how-tos/user-ldap.rst b/source/manual/how-tos/user-ldap.rst index ab59031f..4f8db056 100644 
--- a/source/manual/how-tos/user-ldap.rst +++ b/source/manual/how-tos/user-ldap.rst @@ -88,7 +88,6 @@ to import the users into the local user manager. Go to **System->Access->Users** you will see a cloud import icon at the lower right corner of the form. .. image:: images/user_cloudimport.png - :width: 100% Click on the cloud import icon to start importing users. diff --git a/source/manual/install.rst b/source/manual/install.rst index a552107c..f264e791 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst @@ -87,7 +87,7 @@ Depending on you hardware and use case different installation media are provided | | | running in serial console (115200) mode with | | | | secondary VGA support (no kernel messages though) | +--------+-----------------------------------------------------+ -| nano | | a preinstalled serial image for 4GB USB sticks, | +| nano | | a preinstalled serial image for 4 GB USB sticks, | | | | SD or CF cards for use with embedded devices | +--------+-----------------------------------------------------+ @@ -104,7 +104,6 @@ Depending on you hardware and use case different installation media are provided Media Filename Composition ------------------------------ .. blockdiag:: - :scale: 100% diagram { default_shape = roundedbox; @@ -182,7 +181,7 @@ your target platform has a serial interface choose the "serial image. 64-bit and 32-bit install images are provided. The following examples apply to both. -Write the image to a USB flash drive (>= 1GB) or an IDE hard disk, +Write the image to a USB flash drive (>=1 GB) or an IDE hard disk, either with dd under FreeBSD or under Windows with physdiskwrite Before writing an (iso) image you need to unpack it first (use bunzip2). diff --git a/source/manual/netflow.rst b/source/manual/netflow.rst index 6b88c09b..8bf82000 100644 --- a/source/manual/netflow.rst +++ b/source/manual/netflow.rst 
@@ -16,7 +16,7 @@ ip and port number. OPNsense offers full support for exporting Netflow data to external collectors as well as a comprehensive Analyzer for on-the-box analysis and live monitoring. -OPNsense is the only open source solution with a build-in Netflow analyzer integrated +OPNsense is the only open source solution with a built-in Netflow analyzer integrated into it's Graphical User Interface. ------------------ diff --git a/source/manual/proxy.rst b/source/manual/proxy.rst index a622ae86..d2f3ce20 100644 --- a/source/manual/proxy.rst +++ b/source/manual/proxy.rst @@ -25,7 +25,7 @@ Features include: -------------- Authenticators -------------- -User authentication can be done using OPNsense standard and build-in authenticators. +User authentication can be done using OPNsense standard and built-in authenticators. Currently these include: * LDAP (incl. Microsoft Active Directory) @@ -61,13 +61,13 @@ shaping features.Additionally it includes its own options: ------------------------- Category Based Web Filter ------------------------- -No need for additional plugins, such as squidGuard - as OPNsense has build-in +No need for additional plugins, such as squidGuard - as OPNsense has built-in category based web filter support. Main features include: * Fetch from a remote URL * Supports flat file list and category based compressed lists * Automatically convert category based blacklists to squid ACL's -* Keep up to date with the build-in scheduler +* Keep up to date with the built-in scheduler * Compatible with most popular blacklist ---------------- diff --git a/source/manual/virtuals.rst b/source/manual/virtuals.rst index 8f6e3337..06a22e4f 100644 --- a/source/manual/virtuals.rst +++ b/source/manual/virtuals.rst 
@@ -13,7 +13,7 @@ General tips For optimum performance and compatibility, these guides are given: * Minimum required RAM is 1 GB -* Minimum recommended virtual disk size of 8GB +* Minimum recommended virtual disk size of 8 GB * Disable all off-loading settings in **Interfaces->Settings** .. image:: images/disableoffloading.png @@ -109,7 +109,7 @@ article first. File copy failed during installation ------------------------------------ This issue is most likely caused by low memory setting. Make sure your virtual -OPNsense installation has a minimum of 1GB of RAM. +OPNsense installation has a minimum of 1 GB of RAM. ------------------ diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 16a8e099..266dbedf 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -29,7 +29,6 @@ well known IPsec as well as older (now considered insecure) legacy options such L2TP and PPTP. .. image:: images/vpn.png - :width: 100% .. Note::
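Review bot: in the transparent_bridge.rst hunk (`@@ -107,7 +107,7 @@`) the replaced line still carries the typo "nee" ("we nee to disable"), which should be "need" since the line is being rewritten anyway. The same line says "bogus IPs", but the setting it refers to on the following line is "Block bogon networks", so "bogon" is the correct term here, not "bogus". Suggested line: `For the WAN interface we need to disable blocking of private networks & bogon IPs.`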
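Review bot: in the netflow.rst hunk (`@@ -16,7 +16,7 @@`) the "build-in" to "built-in" fix is correct, but the sentence continues on the unchanged context line with "into it's Graphical User Interface", where "it's" should be the possessive "its". Since the surrounding sentence is already being edited, fix both in the same hunk.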
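Review bot: the proxy.rst hunk (`@@ -61,13 +61,13 @@`) changes two "build-in" occurrences but leaves `* Automatically convert category based blacklists to squid ACL's`, which has the same apostrophe-plural this PR corrects elsewhere ("IP's" to "IPs" in sslvpn_s2s.rst and transparent_bridge.rst); it should read "squid ACLs". Two other lines in the same hunk are worth touching while here: `* Compatible with most popular blacklist` should be "blacklists", and the hunk header context `shaping features.Additionally it includes its own options:` is missing the space after the full stop.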
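Review bot: the install.rst hunk (`@@ -182,7 +181,7 @@`) changes `(>= 1GB)` to `(>=1 GB)`, which drops the space after the operator while adding one before the unit; the rest of this PR writes "4 GB", "8 GB", "1 GB", so `(>= 1 GB)` would be the consistent form. The hunk header context for both install.rst hunks also shows `Depending on you hardware and use case`, where "you" should be "your"; it is in the same file and the same kind of typo fix this PR is making, so it would be good to include.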
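Review bot: in the shaper.rst upload-rule hunk (`@@ -636,7 +636,7 @@`) the change capitalises "ip" in the proto description but the context line two below, `**destination** any *The destination ip to shape, leave on any*`, keeps lowercase "ip", as does `The destination ip to shape` in the earlier `@@ -378,7 +378,7 @@` hunk; either capitalise all of them or none. Separately, the two interface rows in this hunk have their descriptions crossed relative to their values: `**interface** WAN *Select the interface that matches your GuestNet*` and `**interface2** GuestNet *Select the interface connected to the internet*`. One of the two columns is swapped and should be corrected so the description matches the value next to it.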
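Review bot: in the shaper.rst queues hunk (`@@ -401,11 +401,11 @@`) the line `-Let presume we have a pipe of 10 Mbps and 2 applications for instance smtp (email)` is being rewritten for the unit spacing, so "Let presume" should become "Let's presume" at the same time, and a comma before "for instance" would make the sentence readable. The protocol names "smtp" and "http(s)" in this paragraph are lowercase while the table that follows uses SMTP, HTTP and HTTPS; pick one form for the section.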