Archives/opensense-docs
2
0
Fork 0
mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'opnsense:master' into nat-reflection

Browse Source
This commit is contained in:
Monviech 2023-09-30 11:22:00 +02:00 committed by GitHub
commit a1d5b8dade
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 551 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/CE_releases.rst
View File

@ -8,7 +8,7 @@ Community Edition
:width: 600px
:align: center
As of January 2015 there have been *262* releases leading to the latest version *23.7.2*
As of January 2015 there have been *265* releases leading to the latest version *23.7.5*
named "Restless Roadrunner".

19
source/development/api/core/dhcpv4.rst Normal file
View File

@ -0,0 +1,19 @@
Dhcpv4
~~~~~~
.. csv-table:: Resources (LeasesController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","dhcpv4","leases","delLease","$ip"
"``GET``","dhcpv4","leases","searchLease",""
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","dhcpv4","service","reconfigure",""
"``POST``","dhcpv4","service","restart",""
"``POST``","dhcpv4","service","start",""
"``GET``","dhcpv4","service","status",""
"``POST``","dhcpv4","service","stop",""

20
source/development/api/core/dhcpv6.rst Normal file
View File

@ -0,0 +1,20 @@
Dhcpv6
~~~~~~
.. csv-table:: Resources (LeasesController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","dhcpv6","leases","delLease","$ip"
"``GET``","dhcpv6","leases","searchLease",""
"``GET``","dhcpv6","leases","searchPrefix",""
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","dhcpv6","service","reconfigure",""
"``POST``","dhcpv6","service","restart",""
"``POST``","dhcpv6","service","start",""
"``GET``","dhcpv6","service","status",""
"``POST``","dhcpv6","service","stop",""

15
source/development/api/core/interfaces.rst
View File

@ -1,6 +1,21 @@
Interfaces
~~~~~~~~~~
.. csv-table:: Resources (LaggSettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","interfaces","lagg_settings","addItem",""
"``POST``","interfaces","lagg_settings","delItem","$uuid"
"``GET``","interfaces","lagg_settings","get",""
"``GET``","interfaces","lagg_settings","getItem","$uuid=null"
"``POST``","interfaces","lagg_settings","reconfigure",""
"``*``","interfaces","lagg_settings","searchItem",""
"``POST``","interfaces","lagg_settings","set",""
"``POST``","interfaces","lagg_settings","setItem","$uuid"
"``<<uses>>``", "", "", "", "*model* `Lagg.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Interfaces/Lagg.xml>`__"
.. csv-table:: Resources (LoopbackSettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

2
source/development/api/core/openvpn.rst
View File

@ -34,7 +34,7 @@ Openvpn
"``POST``","openvpn","instances","add",""
"``POST``","openvpn","instances","addStaticKey",""
"``POST``","openvpn","instances","del","$uuid"
"``GET``","openvpn","instances","delStaticKey","$uuid"
"``POST``","openvpn","instances","delStaticKey","$uuid"
"``GET``","openvpn","instances","genKey",""
"``GET``","openvpn","instances","get","$uuid=null"
"``GET``","openvpn","instances","get",""

2
source/development/api/core/unbound.rst
View File

@ -16,7 +16,7 @@ Unbound
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``GET``","unbound","overview","Rolling","$timeperiod,$clients=false"
"``GET``","unbound","overview","Rolling","$timeperiod,$clients='0'"
"``GET``","unbound","overview","isBlockListEnabled",""
"``GET``","unbound","overview","isEnabled",""
"``GET``","unbound","overview","searchQueries",""

27
source/development/api/plugins/quagga.rst
View File

@ -62,31 +62,22 @@ Quagga
"``GET``","quagga","diagnostics","bfdcounters",""
"``GET``","quagga","diagnostics","bfdneighbors",""
"``GET``","quagga","diagnostics","bfdsummary",""
"``GET``","quagga","diagnostics","bgpneighbors","$format=""json"""
"``GET``","quagga","diagnostics","bgproute","$format=""json"""
"``GET``","quagga","diagnostics","bgproute4","$format=""json"""
"``GET``","quagga","diagnostics","bgproute6","$format=""json"""
"``GET``","quagga","diagnostics","bgpsummary","$format=""json"""
"``GET``","quagga","diagnostics","generalroute","$format=""json"""
"``GET``","quagga","diagnostics","generalroute4","$format=""json"""
"``GET``","quagga","diagnostics","generalroute6","$format=""json"""
"``GET``","quagga","diagnostics","bgpneighbors",""
"``GET``","quagga","diagnostics","bgpsummary",""
"``GET``","quagga","diagnostics","generalrunningconfig",""
"``GET``","quagga","diagnostics","ospfdatabase","$format=""json"""
"``GET``","quagga","diagnostics","ospfinterface","$format=""json"""
"``GET``","quagga","diagnostics","ospfneighbor","$format=""json"""
"``GET``","quagga","diagnostics","ospfoverview","$format=""json"""
"``GET``","quagga","diagnostics","ospfroute","$format=""json"""
"``GET``","quagga","diagnostics","ospfv3database","$format=""json"""
"``GET``","quagga","diagnostics","ospfv3interface","$format=""json"""
"``GET``","quagga","diagnostics","ospfv3neighbor","$format=""json"""
"``GET``","quagga","diagnostics","ospfv3overview","$format=""json"""
"``GET``","quagga","diagnostics","ospfv3route","$format=""json"""
"``GET``","quagga","diagnostics","ospfdatabase",""
"``GET``","quagga","diagnostics","ospfinterface",""
"``GET``","quagga","diagnostics","ospfoverview",""
"``GET``","quagga","diagnostics","ospfv3interface",""
"``GET``","quagga","diagnostics","ospfv3overview",""
"``GET``","quagga","diagnostics","searchBgproute4",""
"``GET``","quagga","diagnostics","searchBgproute6",""
"``GET``","quagga","diagnostics","searchGeneralroute4",""
"``GET``","quagga","diagnostics","searchGeneralroute6",""
"``GET``","quagga","diagnostics","searchOspfneighbor",""
"``GET``","quagga","diagnostics","searchOspfroute",""
"``GET``","quagga","diagnostics","searchOspfv3database",""
"``GET``","quagga","diagnostics","searchOspfv3route","$format=""json"""
.. csv-table:: Resources (GeneralController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"

23
source/development/api/plugins/wazuhagent.rst Normal file
View File

@ -0,0 +1,23 @@
Wazuhagent
~~~~~~~~~~
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","wazuhagent","service","reconfigure",""
"``POST``","wazuhagent","service","restart",""
"``POST``","wazuhagent","service","start",""
"``GET``","wazuhagent","service","status",""
"``POST``","wazuhagent","service","stop",""
"``<<uses>>``", "", "", "", "*model* `WazuhAgent.xml <https://github.com/opnsense/plugins/blob/master/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml>`__"
.. csv-table:: Service (SettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``GET``","wazuhagent","settings","get",""
"``POST``","wazuhagent","settings","set",""
"``<<uses>>``", "", "", "", "*model* `WazuhAgent.xml <https://github.com/opnsense/plugins/blob/master/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml>`__"

57
source/development/api/plugins/wireguard.rst
View File

@ -1,6 +1,60 @@
Wireguard
~~~~~~~~~
.. csv-table:: Resources (ClientController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","wireguard","client","addClient",""
"``POST``","wireguard","client","delClient","$uuid"
"``GET``","wireguard","client","get",""
"``GET``","wireguard","client","getClient","$uuid=null"
"``*``","wireguard","client","searchClient",""
"``POST``","wireguard","client","set",""
"``POST``","wireguard","client","setClient","$uuid"
"``POST``","wireguard","client","toggleClient","$uuid"
"``<<uses>>``", "", "", "", "*model* `Client.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml>`__"
.. csv-table:: Service (GeneralController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``GET``","wireguard","general","get",""
"``GET``","wireguard","general","getStatus",""
"``POST``","wireguard","general","set",""
"``<<uses>>``", "", "", "", "*model* `General.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml>`__"
.. csv-table:: Resources (ServerController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","wireguard","server","addServer","$uuid=null"
"``POST``","wireguard","server","delServer","$uuid"
"``GET``","wireguard","server","get",""
"``GET``","wireguard","server","getServer","$uuid=null"
"``*``","wireguard","server","searchServer",""
"``POST``","wireguard","server","set",""
"``POST``","wireguard","server","setServer","$uuid=null"
"``POST``","wireguard","server","toggleServer","$uuid"
"``<<uses>>``", "", "", "", "*model* `Server.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml>`__"
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","wireguard","service","reconfigure",""
"``POST``","wireguard","service","restart",""
"``GET``","wireguard","service","showconf",""
"``GET``","wireguard","service","showhandshake",""
"``POST``","wireguard","service","start",""
"``GET``","wireguard","service","status",""
"``POST``","wireguard","service","stop",""
"``<<uses>>``", "", "", "", "*model* `General.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml>`__"
.. csv-table:: Resources (ClientController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
@ -34,6 +88,7 @@ Wireguard
"``POST``","wireguard","server","delServer","$uuid"
"``GET``","wireguard","server","get",""
"``GET``","wireguard","server","getServer","$uuid=null"
"``GET``","wireguard","server","keyPair",""
"``*``","wireguard","server","searchServer",""
"``POST``","wireguard","server","set",""
"``POST``","wireguard","server","setServer","$uuid=null"
@ -45,8 +100,10 @@ Wireguard
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","wireguard","service","reconfigure",""
"``POST``","wireguard","service","reconfigure",""
"``POST``","wireguard","service","restart",""
"``GET``","wireguard","service","show",""
"``GET``","wireguard","service","showconf",""
"``GET``","wireguard","service","showhandshake",""
"``POST``","wireguard","service","start",""

1
source/interfaces.rst
View File

@ -36,6 +36,7 @@ Setup guides
manual/how-tos/cellular
manual/how-tos/IPv6_ZenUK
manual/how-tos/ipv6_dsl
manual/how-tos/ipv6_fb
manual/how-tos/ipv6_tunnelbroker
manual/how-tos/lan_bridge
manual/how-tos/transparent_bridge

2
source/manual/backups.rst
View File

@ -66,5 +66,5 @@ versions of your settings.
.. Tip::
You can specify the number of backups to keep in this menu, which can be quite practical when a higher level of
You can specify the number of backups to keep in the backups menu, which can be quite practical when a higher level of
auditability is required.

BIN
source/manual/how-tos/images/OF_image10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 111 KiB

BIN
source/manual/how-tos/images/OF_image11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

BIN
source/manual/how-tos/images/OF_image5_1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
source/manual/how-tos/images/OF_image6_1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
source/manual/how-tos/images/OF_image8.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 27 KiB

154
source/manual/how-tos/ipv6_fb.rst Normal file
View File

@ -0,0 +1,154 @@
======================================
Configure IPv6 behind an AVM Fritz!Box
======================================
**Original Author:** Thomas Klein
------------
Introduction
------------
The `AVM Fritz!Box`, or FB for short, is a popular home router for
DSL, Cable and Fiber in Germany. This guide will setup a OPNSense
behind a FB, handover delegated prefixes from the provider and
configure local interfaces on the OPNSense to cope with dynamically changing IPv6 prefixes.
This guide is based on a Vodafone Cable connection (formerly Kabel-BW) and an
`AVM Fritz!Box Cable 6591` running `Fritz!OS 7.29`.
The settings presented here should work for most other dial-up scenarios and FB models
too. The size of the delegated subnet may differ.
------------
The Scenario
------------
This guide will configure a home network behind a common dial-up type ISP connection.
The OPNsense has an interface pointing to the ISP named `WAN` and has three internal
interfaces called `DMZ`, `LAN` and `WLAN`. Each of those internal interfaces will get a /64
subnet from the delegated IPv6 prefix. This way it is easy to control the dataflow between
all four segments on the OPNsense.
In this example the dial-up ISP assigns a `/59` prefix to the FB, so there are enough bits left
for subnetting in a SOHO setup.
------------------------------
Step 1 - prepare the Fritz!Box
------------------------------
The AVM website has a knowledge base article about the basic settings required on each FB model to enable IPv6 on client devices.
https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-6591-cable/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/
The crucial setting is the checkbox **allow other routers IPv6 prefixes**. Without that the delegated internal prefixes will
not be reachable from the Internet.
Also, not stated in above document, it is possible to modify the **Internet - Permit Access** settings for
the OPNsense host. Select :menuselection:`Internet --> Permit Access --> <your OPN Host> --> IPv6 Settings --> Open firewall for delegated IPv6 prefixes of this device`
in order to make your delegated internal subnets available via Internet.
------------------------------------
Step 2 - configure the WAN interface
------------------------------------
On the OPNSense go to :menuselection:`Interfaces --> WAN` and set the configuration type for IPv6 to **DHCPv6**. On the bottom part of the dialog in
**DHCPv6 Client configuration** make sure to select
* checkbox: **Request only an IPv6 prefix**
* checkbox: **Send IPv6 prefix hint**
* dropdown: **Prefix delegation size**. For this example setup select `60`
Note the following:
1. the requested prefix differs by one bit compared to what the ISP delegated the FB (60 vs. 59)
2. the setting **Request only an IPv6 prefix** is the important part.
With this setting the FB acknowledges
the OPNsense as a router and really delegates a prefix. The OPNSense will only get a link-local `0xfe80`
address but that is fine. If this checkbox is not selected the FB considers the OPNsense as an end-user device
and plainly refuses to delegate a prefix to it. The OPNsense end up with an valid IPv6 address but with `/64`
netmask so nothing to delegate into the internal network.
-----------------------------------------------------------
Step 3 - configure the internal DMZ / LAN / WLAN interfaces
-----------------------------------------------------------
Now it is time to set up the internal interfaces. The settings are more or less the same for all of them.
Instead of **DHCPv6** select **Track Interface** and on the bottom IPv6 dialog and choose the `WAN` interface for tracking.
This is also the place to divide the delegated prefix into distinct subnets. Just specify an individual **Interface prefix ID**
for each interface. In this example the FB gave us `aaaa:bbbb:cccc:9410::/60` and we choose:
========= =================== =======================
Interface Interface prefix ID result-prefix
========= =================== =======================
`DMZ` `0x01` `aaaa:bbbb:cccc:9411::`
`WLAN` `0x02` `aaaa:bbbb:cccc:9412::`
`LAN` `0x03` `aaaa:bbbb:cccc:9413::`
========= =================== =======================
The **Interface prefix Id** acts as the subnet extension (for lack of better wording) on top of the prefix provided by the FB.
In this example we have a /60 prefix so effectively there are 4 bits left for subnetting. As a result valid values for **Interface prefix Id** are between `0x00` and `0x0f`.
In order to being able to manually set up the router advertisements in the next step make sure to select the checkbox
**Allow manual adjustment of DHCPv6 and Router Advertisements** for each of the internal interfaces. If the
setting is not used the system tries to set sane defaults for both Router Advertisements and DHCPv6 server.
----------------------------------------------
Step 3.1 - configure the Router Advertisements
----------------------------------------------
With the new subnets in place it is time to configure the **Router Advertisements**.
For this guide the following settings have been chosen:
=========================== =========== ======================================================================
Setting Value Comment
=========================== =========== ======================================================================
Router Advertisements Assisted this enables DHCPv6 and SLAAC
Router Priority Normal Default is high which would work too
Source Address Automatic the default
Advertise Default Gateway checked the default
Advertise Routes empty
DNS options empty this gives away the OPNsense as DNS server with the current dynamic IP
=========================== =========== ======================================================================
---------------------------------------
Step 3.2 - configure the DHCPv6 service
---------------------------------------
The clients would now be able to grab an IPv6 via SLAAC, find their router and get a DNS resolver but not all clients do
know SLAAC. Also there are valid reasons to assign fixed IPv6 address via DHCP to some clients for instance to make them available
from the Internet.
In :menuselection:`Services --> DHCPv6 --> [DMZ]` (and similar for the other interfaces) the DHCPv6 settings can be configured.
Initially the dynamically acquired subnet including the interface id and the available range is shown.
Consider assigning a suitable address pool for DHCP client leases. The target range for the DMZ looks like
this: `aaaa:bbbb:cccc:9411::1:0` --> `aaaa:bbbb:cccc:9411::1:ffff`.
But wait! The prefix is dynamic. How to deal with that?
Easy. Just omit the variable prefix and configure the DHCPv6 range to be `::1:0` --> `::1:ffff`
OPNSense will automatically prefix this pattern with the dynamically acquired prefix.
Repeat for all the other subnets. Do not forget to configure the `Domain search list` to match the SOHO internal DNS domain if applicable.
-----------------------------
Step 4 - setup Firewall rules
-----------------------------
By default outgoing traffic should already be possible but traffic from the Internet to the internal server needs a firewall rule.
There are different philosophies on how to manage firewall rules. Just use a similar strategy as with your IPv4 setup so rule management
is consistent.
Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The build-in macros like `DMZ net` will work for the whole network.
But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP and use this instead.
---------------
Troubleshooting
---------------
While discovering the specifics of IPv6 behind a FB in combination with OPNsense the first point of debugging was always
connecting via SSH to OPNsense on the CLI.
In the directory `/tmp/` you will find several IPv6 related intermediate files. The most helpful here was `/tmp/<interfacename>_prefixv6`.
In this file you will find the prefix delegated to you by your upstream router. If you are behind an FB and this file does not exist chances
are you forgot to seth the **Request only an IPv6 prefix** setting on the WAN interface.
Another helpful command is `radvdump`. This tool dumps the output of the router advertisements in a nicely formatted way.

42
source/manual/how-tos/orange_fr_fttp.rst
View File

@ -1,4 +1,4 @@
Orange France FTTP IPv4 & IPv6
Orange France FTTH IPv4 & IPv6
==============================
**Authors:** Kev Willers, David Néel
@ -83,7 +83,12 @@ Orange require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. T
On the DHCP6 request we need to use raw options
Firstly select 'Advanced' and set 'Use VLAN priority' to 'Internetwork Control (6)'
Firstly select 'Basic' and tick 'Request only an IPv6 prefix' and set 'Prefix delegation size' to 56
.. image:: images/OF_image5_1.png
:width: 100%
Then select 'Advanced' and set 'Use VLAN priority' to 'Internetwork Control (6)'
.. image:: images/OF_image5.png
:width: 100%
@ -107,6 +112,13 @@ Finally set the Identity Association and Prefix interface as shown
Click Save and then Apply.
Update IPv6 Gateway
Select :menuselection:`System --> Gateway --> Single` and edit IPv6 gateway to add 'fe80::ba0:bab' as IP address
.. image:: images/OF_image6_1.png
:width: 100%
**LAN Interface**
-----------------
@ -121,6 +133,7 @@ Select :menuselection:`Interfaces --> [LAN]` and set IPv4 to “Static IPv4” a
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
Tick 'Manual Configuration'
.. image:: images/OF_image8.png
:width: 100%
@ -135,3 +148,28 @@ Select :menuselection:`Services --> Router Advertisements` On the Lan interface
Click Save
It is advisable at this point to reboot the system.
**Troubleshooting**
-------------------
getting the option-90 chain from the Livebox
--------------------------------------------
Rarely, the authentication option from the generator doesn't work, you can instead use the one from the Livebox
Plug the WAN interface of the Livebox in your network (green port)
Use Wireshark on any other computer in the network and look for DHCP Discover packets
.. image:: images/OF_image10.png
:width: 100%
decode DHCP packets
-------------------
In this packet, look for Option: (90) Authentication
.. image:: images/OF_image11.png
:width: 100%
You can copy paste the full option without the first 2 bytes (5a 46) in your WAN configuration

1
source/manual/how-tos/user-ldap.rst
View File

@ -52,6 +52,7 @@ Enter the following information:
**User naming attribute** samAccountName *Auto filled in based upon Initial Template*
**Read properties** *Fetch account details after successful login*
**Synchronize groups** *Enable to Synchronize groups, requires the option above*
**Constraint groups** *Only consider groups inside the Authentication containers*
**Limit groups** *Select list of groups that may be considered during sync**
**Automatic user creation** *When groups are automatically synchronized,
this offers the ability to automatically create the

2
source/manual/reverse_proxy.rst
View File

@ -176,7 +176,7 @@ that it fully supports TLS for the client while it does not need a lot of
power to do a TLS handshake inside your own computer centre.
.. Warning::
You should not use this for upstream servers reachable via untrusted newtworks.
You should not use this for upstream servers reachable via untrusted networks.
Use (1) or (4) in such cases.
(4) TLS Passthough

2
source/manual/updates.rst
View File

@ -10,7 +10,7 @@ the fortnightly updates adding a third number (e.g. 19.1.3 for the third update
Installing updates
------------------
Updates can be installed from the web interface, by going to :menuselection:`System --> Firmware --> Updates`. On this page, you can click
Updates can be installed from the web interface, by going to :menuselection:`System --> Firmware --> Status`. On this page, you can click
**Check for updates** to search for updates. If they are available, a button will appear to install them.
---------------

5
source/releases/BE_23.4.rst
View File

@ -110,6 +110,11 @@ Here are the full patch notes:
* ports: strongswan upstream fix for VICI stalls `[18] <https://github.com/opnsense/core/issues/6308>`__
* ports: suricata 6.0.13 `[19] <https://suricata.io/2023/06/15/suricata-6-0-13-released/>`__
A hotfix release was issued as 23.4.2_1:
* system: fix data cleansing issue in "column_count" and "sequence" values on dashboard
* ports: krb5 1.21.2 `[8] <https://web.mit.edu/kerberos/krb5-1.21/>`__
* ports: python 3.9.18 `[20] <https://docs.python.org/release/3.9.18/whatsnew/changelog.html>`__
--------------------------------------------------------------------------

4
source/releases/CE_23.1.rst
View File

@ -71,6 +71,10 @@ A hotfix release was issued as 23.1.11_1:
* firmware: enable upgrade path to 23.7
* ports: openssh 9.3p2 `[5] <https://www.openssh.com/txt/release-9.3p2>`__
A hotfix release was issued as 23.1.11_2:
* unbound: enable migration of Unbound DNS reports
--------------------------------------------------------------------------

190
source/releases/CE_23.7.rst
View File

@ -26,6 +26,196 @@ can be found below as well.
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
23.7.5 (September 26, 2023)
--------------------------------------------------------------------------
Today introduces a change in MTU handling for parent interfaces mostly
noticed by PPPoE use where the respective MTU values need to fit the
parent plus the additional header of the VLAN or PPPoE. Should the
MTU already be misconfigured to a smaller value it will be used as
configured so check your configuration and clear the MTU value if you
want the system to decide about the effective parent MTU size.
Another change in far gateway handling is also included which prevents
a monitoring failure if that particular gateway was not being designated
as default during boot which made the routing table miss the essential
interface route and monitoring would always report it as down. Now the
interface route is ensured but not only when applying the default gateway
so that it works all the time.
Also fixed was the problematic migration of the Unbound interfaces settings
which now clears the possibly unknown interfaces in order to proceed and
have Unbound up and running post update which was not the case for some
users previously.
Other reliability improvements and third party security updates are
included as well. We also continue our effort to clean up the interface
handling code and audit the MVC model files for consistency. A missing
change for out of the box DS-Lite support is also being tested on the
development version now and will likely hit in 23.7.6.
Here are the full patch notes:
* system: pluginctl: allow -f mode to drop config properties
* system: switch to /usr/sbin/nologin as authoritative command location
* system: remove remaining spurious ifconfig data pass to Gateways class
* system: fix data cleansing issue in "column_count" and "sequence" values on dashboard
* system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
* system: refactor far gateway handling out of default route handling
* interfaces: use interfaces_restart_by_device() where appropriate
* interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
* interfaces: add GRE/GIF/bridge/wlan return values
* interfaces: signal wlan device creation success/failure
* interfaces: update link functions for GIF/GRE
* interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
* interfaces: update read-only bridge member code
* interfaces: redirect after successful interface add
* interfaces: add interface return feature for use on bridges/assignment page
* interfaces: VIP model style update
* interfaces: implement interface_configure_mtu()
* firewall: fix cleanup issue when renaming an alias
* dhcp: make dhcrelay code use the Gateways class
* ipsec: add local_port and remote_port to connections (contributed by Monviech)
* openvpn: force instance interface down before handing it over to daemon
* openvpn: add missing up and down scripts to instances (contributed by Daggolin)
* unbound: properly set a default value for private address configuration
* unbound: allow disabled interfaces in interface field
* unbound: migrate active/outgoing interfaces discarding invalid values
* unbound: UX improvements on several pages
* unbound: update model
* mvc: update diagnostics models
* mvc: add isLinkLocal()
* interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
* plugins: os-upnp replaces calls to obsolete get_interface_ip()
* plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
* plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunnyvalley)
* plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)
* ports: curl 8.3.0 `[1] <https://curl.se/changes.html#8_3_0>`__
* ports: nss 3.93 `[2] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html>`__
* ports: openssl 1.1.1w `[3] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: phalcon 5.3.1 `[4] <https://github.com/phalcon/cphalcon/releases/tag/v5.3.1>`__
* ports: phpseclib 3.0.23 `[5] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.23>`__
* ports: sqlite 3.43.1 `[6] <https://sqlite.org/releaselog/3_43_1.html>`__
* ports: suricata 6.0.14 `[7] <https://suricata.io/2023/09/14/suricata-6-0-14-released/>`__
--------------------------------------------------------------------------
23.7.4 (September 14, 2023)
--------------------------------------------------------------------------
The usual amount of improvements go out today with FreeBSD security
advisories on top. The new Python version was also picked up.
Note that the WireGuard plugin improvement effort is still going on
and this time we refreshed the dashboard widget as that was being
requested a number of times. The Polish language has been added to
the GUI as well.
Here are the full patch notes:
* system: correctly set RFC 5424 on remote TLS system logging
* system: remove hasGateways() and write DHCP router option unconditionally
* system: avoid plugin system for gateways monitor status fetch
* system: remove passing unused ifconfig data to Gateways class on static pages
* system: remove passing unused ifconfig data on gateway monitor status fetch
* system: remove the unused "alert interval" option from the gateway configuration
* interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
* interfaces: teach ifctl to dump all files and its data for an interface
* interfaces: remove dead link/hint in GIF table
* interfaces: avoid duplicating $vfaces array
* interfaces: introduce interfaces_restart_by_device()
* firewall: remove old __empty__ options trick from shaper model
* firewall: update models for clarity
* firmware: update model for clarity
* ipsec: omit conditional authentication properties when not applicable on connections
* ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)
* ipsec: allow the use of eap_id = %any in instances
* openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
* openvpn: add CARP VHID tracking for client instances
* openvpn: add tun-mtu/fragment/mssfix combo for instances
* openvpn: add "route-gateway" advanced option to CSO
* openvpn: use new File::file_put_contents() wrapper for instances
* openvpn: updated model and clarified "auth" default option
* mvc: remove "non-functional" hints from form input elements
* mvc: uppercase default label in BaseListField is more likely
* ui: add bytes format to standard formatters list
* plugins: os-ddclient 1.16 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__
* plugins: os-frr 1.36 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__
* plugins: os-wireguard 2.1 `[3] <https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr>`__
* plugins: os-tinc 1.7 adds support for "StrictSubnets" variable (contributed by andrewhotlab)
* lang: update translations and add Polish
* src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
* src: axgbe: gracefully handle i2c bus failures
* src: bnxt: do not restart on VLAN changes
* src: ice: do not restart on VLAN changes
* src: net: do not overwrite VLAN PCP
* src: net: remove VLAN metadata on PCP / VLAN encapsulation
* src: if_vlan: always default to 802.1
* src: iflib: fix panic during driver reload stress test
* src: iflib: fix white space and reduce some line lengths
* src: ixgbe: define IXGBE_LE32_TO_CPUS
* src: ixgbe: check for fw_recovery
* src: net80211: fail for unicast traffic without unicast key `[4] <FREEBSD:FreeBSD-SA-23:11.wifi>`__
* src: pcib: allocate the memory BAR with the MSI-X table `[5] <FREEBSD:FreeBSD-EN-23:10.pci>`__
* ports: php 8.2.10 `[6] <https://www.php.net/ChangeLog-8.php#8.2.10>`__
* ports: python 3.9.18 `[7] <https://docs.python.org/release/3.9.18/whatsnew/changelog.html>`__
* ports: unbound 1.18.0 `[8] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0>`__
--------------------------------------------------------------------------
23.7.3 (August 30, 2023)
--------------------------------------------------------------------------
Recently we improved the workflow for bringing language updates to the
release so here we are with an updated translation package including
added support for Korean. Thanks a lot to all contributors for keeping
this going strong!
If you would like to help with translations you can sign up via:
https://poeditor.com/projects/view?id=179921
Of note is also the largely rewritten backend for the WireGuard kernel
module plugin which offers separate services for each instance much
like OpenVPN offers it. The requirement of the wireguard-tools and bash
packages were removed. This also means the plugin will be moved to the
core for 24.1 along with Wireguard go plugin being removed completely
since on FreeBSD 13.2 no external package is needed to enjoy WireGuard
and the permanent existence of a kernel module renders the Go fallback
defunct through wireguard-tools/wg-quick implementation quirks.
Here are the full patch notes:
* system: fix missing config save when RRD data is supplied during backup import
* system: defer config reload to SIGHUP in gateway watcher
* system: handle "force_down" state correctly in gateway watcher
* system: make Gateways class argument optional
* interfaces: tweak UX of interface settings page
* interfaces: further improve PPP MTU handling
* interfaces: remove workaround to re-reload the routing during bootup for edge case that no longer exist
* firewall: fix group priority handling regression
* firewall: improve filter functionality to combine multiple network clauses in states page
* dhcp: map interfaces to interface names instead of devices
* dhcp: fix iaid_duid parsing in IPv6 lease page
* intrusion detection: support "bypass" keyword in user-defined rules (contributed by Monviech)
* openvpn: fix mismatch issue when pinning a CSO to a specific instance
* openvpn: add advanced option for optional CA selection
* unbound: fix concurrent session closing the handle while still writing data in Python module
* web proxy: remove long deprecated "dns_v4_first" setting from GUI
* mvc: extend PortField to optionally allow port type aliases
* lang: update all languages and add Korean
* plugins: os-firewall 1.4 adds port alias support
* plugins: os-frr 1.35 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__
* plugins: os-wireguard 2.0 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr>`__
* ports: filterlog fix to prevent crash on default rule number -1
--------------------------------------------------------------------------
23.7.2 (August 23, 2023)
--------------------------------------------------------------------------

12
source/vendor/sunnyvalley/zenarmor.rst vendored
View File

@ -5,7 +5,7 @@ Zenarmor (Sensei): Overview
About
----------------------------
Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next-generation features. Zenarmor is developed by Sunny Valley Networks (https://www.zenarmor.com)
Zenarmor is a plugin for the OPNsense firewall which provides state-of-the-art next-generation features. Zenarmor is developed by Sunny Valley Cyber Security Inc (https://www.zenarmor.com)
If you are running a L4 firewall (all open-source firewalls fall into this category) and looking for features like Application Control, Network Analytics, and TLS Inspection, Zenarmor is the product you're looking for.
@ -49,8 +49,8 @@ User Manual
You can get detailed *How to* documents from Zenarmor's Documentation Site located at https://www.zenarmor.com/docs/opnsense
* `Dashboard <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
* `Status <https://www.zenarmor.com/docs/opnsense/customizing-dashboard/dashboard>`_
* `Dashboard <https://www.zenarmor.com/docs/opnsense>`_
* `Status <https://www.zenarmor.com/docs/opnsense/viewing-node-status/dashboard>`_
* `Reports <https://www.zenarmor.com/docs/opnsense/reporting-analytics/reports-overview>`_
* `Security <https://www.zenarmor.com/docs/opnsense/policies/security-rules>`_
* `Application Control <https://www.zenarmor.com/docs/opnsense/policies/application-control-rules>`_
@ -81,15 +81,15 @@ When you buy a Zenarmor Premium Subscription, you are entitled to Zenarmor Basic
**Support Options for Channel Partners**
Sunny Valley Networks provides Tier 3 Support Options for Zenarmor Channel Partners. To learn more about them, please contact **sensei-partnership -at- sunnyvalley.io**.
Sunny Valley Cyber Security Inc provides Tier 3 Support Options for Zenarmor Channel Partners. To learn more about them, please contact **sensei-partnership -at- sunnyvalley.io**.
To become a partner, you may apply for a partnership via https://www.zenarmor.com/apply-partnership .
**Connect via Social Media or Websites**
* **Twitter**: `@zenarmor <https://twitter.com/zenarmor>`_
* **Youtube**: `Sunny Valley Networks Hands-on videos <https://www.youtube.com/@zenarmor>`_
* **Youtube**: `Zenarmor Hands-on videos <https://www.youtube.com/@zenarmor>`_
* **Company Website**: https://www.zenarmor.com
* **Product Website**: https://www.zenarmor.com
* **Zenconsole Cloud Management Portal**: https://dash.zenarmor.com
* **Sunny Valley Blog**: https://www.zenarmor.com/blog
* **Zenarmor Blog**: https://www.zenarmor.com/blog

2
source/vendor/sunnyvalley/zenarmor_hardwarerequirements.rst vendored
View File

@ -59,6 +59,6 @@ If you're running a 100 Mbps link \(about 100 users\) that is quite active durin
5 MB x 12 hours x 100 Mbps = 6 GB per day.
6 GB x 7 days a week = 42 GB per week.
42 x 4 weeks a month = 164 GB per month.
42 x 4 weeks a month = 168 GB per month.
As of `version 0.7.0 <https://www.zenarmor.com/docs/support/release-notes#07>`_, Zenarmor expires old report data to free up disk space for the most recent data based on the configured number of days of history to keep.