upstream/opnsense-docs
1
0
Fork 0
mirror of https://github.com/opnsense/docs.git synced 2026-05-28 04:02:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

scale vs wodth for images...

Browse source
This commit is contained in:
Ad Schellevis 2018-07-31 16:51:11 +02:00
parent 896f94e78c
commit 52aa7c2b06
43 changed files with 268 additions and 273 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
source/manual/aliases.rst
View file

@ -36,13 +36,13 @@ Sample
Lets say we want to create an alias table for **www.youtube.com**
.. image:: images/aliases_host.png
:scale: 100%
:width: 100%
**Apply changes** and look at the content of our newly created pf table.
Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube table.
.. image:: images/pftable_youtube.png
:scale: 100%
:width: 100%
As you can see there are multiple ip addresses for this domain.
@ -73,12 +73,12 @@ GeoIP
-----
With GeoIP alias you can select one or more countries or whole continents to block
or allow. Use the *toggle all* checkbox to select all countries within the given
region.
region.
This feature was reworked with 17.7.7 and supersedes the GeoIP blocking via IPS.
.. image:: images/firewall_geoip_alias.png
:scale: 100%
:width: 100%
--------------
Import Feature
@ -131,12 +131,12 @@ the ipsec server for a site to site tunnel connection:
* 192.168.300.3
.. image:: images/alias_remote_ipsec.png
:scale: 100%
:width: 100%
We call our list remote_ipsec and update our firewall rules accordingly.
.. image:: images/alias_firewall_rules.png
:scale: 100%
:width: 100%
Notice the list icon to identify a rule with an alias (list).

2
source/manual/antivirus.rst
View file

@ -3,7 +3,7 @@
===================
.. image:: images/eye_on_virus_new.jpg
:scale: 100%
:width: 100%
**OPNsense** offers the industry standard ICAP to protect http and https
connections against ransomware, trojans, viruses and other malware .

4
source/manual/captiveportal.rst
View file

@ -7,7 +7,7 @@ but is also widely used in corporate networks for an additional layer of securit
on wireless or Internet access.
.. image:: images/hotspot_login.png
:scale: 100%
:width: 100%
--------------------
Typical Applications
@ -27,7 +27,7 @@ task. At the same time it offers additional functionalities, such as:
* Custom Splash page
.. image:: images/captiveportal_template_folder.png
:scale: 100%
:width: 100%
---------------
Zone Management

2
source/manual/gui.rst
View file

@ -21,7 +21,7 @@ GUI Layout & Main Components
The GUI consists out of the following main components:
.. image:: images/gui_layout.png
:scale: 100%
:width: 100%
Logo & Link to Lobby

2
source/manual/hacarp.rst
View file

@ -11,7 +11,7 @@ with automatic and seamless fail-over. While switching to the backup network
connections will stay active with minimal interruption for the users.
.. image:: images/light_bulbs.png
:scale: 100%
:width: 100%
------------------
Automatic failover

26
source/manual/how-tos/IPv6_ZenUK.rst
View file

@ -27,14 +27,14 @@ connection, for IPv6 using DHCP, select DHCPv6 in the IPv6 connection as
shown below.
.. image:: images/ZenUK_image1.png
:scale: 100%
:width: 100%
The next step is to configure the parameters required for DHCPv6, these
are located in the DHCPv6 client configuration section of the WAN
interface shown below.
.. image:: images/ZenUK_image2.png
:scale: 100%
:width: 100%
As stated before, Zen provide a /48 prefix, so select the prefix size
accordingly. We directly send the solicit as in this case we do not wish
@ -59,14 +59,14 @@ Select Interfaces->LAN and set the IPv6 Configuration Type to Track
Interface
.. image:: images/ZenUK_image3.png
:scale: 100%
:width: 100%
Finally, set the Track IPv6 Interface to WAN, unless there is a special
requirement which this document does not cover, set the IPv6 Prefix ID
to 0.
.. image:: images/ZenUK_image4.png
:scale: 100%
:width: 100%
Click Save and then Apply.
@ -107,7 +107,7 @@ Set up the gateway like this:
.. image:: images/ZenUK_image5.png
:scale: 100%
:width: 100%
Click Save.
@ -119,7 +119,7 @@ Select Interfaces->WAN.
Go to IPv6 Configuration Type and Select Static IPv6.
.. image:: images/ZenUK_image6.png
:scale: 100%
:width: 100%
Go to Static IPv6 Configuration and set the IPv6 Static address:
@ -127,7 +127,7 @@ Go to Static IPv6 Configuration and set the IPv6 Static address:
DHCPv6.**
.. image:: images/ZenUK_image7.png
:scale: 100%
:width: 100%
Select Use IPv4 connectivity, all IPv6 traffic goes via the PPPoE link.
@ -135,7 +135,7 @@ Finally, select the IPv6 Upstream Gateway, this is the gateway you
created earlier.
.. image:: images/ZenUK_image8.png
:scale: 100%
:width: 100%
Click Save and Apply.
@ -146,7 +146,7 @@ The LAN interface is very simple to set up, all we need to do is set the
IPv6 Configuration Type to Static, and enter our static address.
.. image:: images/ZenUK_image9.png
:scale: 100%
:width: 100%
Zen give us a /48 prefix to use on the LAN, so pick an address from that
range. For example our prefix is:
@ -158,7 +158,7 @@ So
2a02:8242:55AB:0:4:3:2:1 would suffice.
.. image:: images/ZenUK_image10.png
:scale: 100%
:width: 100%
We want to use a /64 prefix on this interface.
@ -177,7 +177,7 @@ Services->DHCPv6[LAN]
Firstly, enable the server.
.. image:: images/ZenUK_image11.png
:scale: 100%
:width: 100%
You will notice that the subnet already has a range, and the subnet mask
is the /64 we set on the LAN. There is also a range we must use, the
@ -192,7 +192,7 @@ Enter the upper end range that the server will use.
2a02:8231:d256::eeee:ffff:ffff:ffff
.. image:: images/ZenUK_image12.png
:scale: 100%
:width: 100%
This should cover most LAN subnets, the range given here gives
281,474.976.710,655 addresses.
@ -204,7 +204,7 @@ example we will only be giving out 64 bit prefixes. We know we have been
given a /48 prefix by Zen, so we enter our prefix range like this:
.. image:: images/ZenUK_image13.png
:scale: 100%
:width: 100%
Our prefix range is the upper 48 bits, plus some of the next 16 bits,
but we must not cross into the range we have used for our LAN addresses.

27
source/manual/how-tos/SkyUK.rst
View file

@ -17,19 +17,19 @@ in the modem itself.
Set both IPv4 and IPv6 configuration type to DHCP and DHCPv6 respectively.
.. image:: images/skyuk_wan_1.png
:scale: 100%
:width: 100%
**Option61 - dhcp-client-identifier**
-------------------------------------
We now need to send the Sky login credentials. When using VDSL we do not
need to use specific credentials, as long as they are correctly formatted
anything will do.
anything will do.
Under DHCP Client Configuration select the Advanced button.
.. image:: images/skyuk_lan_2.png
:scale: 100%
:width: 100%
There is an entry 'Send Options', enter the UserID & Password here in the
format:
@ -52,13 +52,13 @@ So the full entry for the 'Lease Requirements' Send Options would be:
*dhcp-client-identifier "12345678@skydsl|12345678",dhcp-class-identifier "7.16a4N_UNI|PCBAFAST2504Nv1.0"*
The next step is to configure the parameters required for DHCPv6, these
are located in the DHCPv6 client configuration section of the WAN
interface shown below.
.. image:: images/skyuk_wan_2.png
:scale: 100%
:width: 100%
Sky provide a /56 IPv6 delegation, they do not provide a global IPv6 address
on the WAN interface, this is link local only. The setting of the option
@ -81,12 +81,12 @@ again would probably result in a new prefix being given, therefore an option
to enter and store a DUID is given in the Interface:Settings menu.
.. image:: images/skyuk_wan_3.png
:scale: 100%
:width: 100%
The Identifier can either be entered manually or if the user clicks on the 'i'
icon, the existing DUID can be automatically entered into the field by clicking
on the 'Insert the existing DUID here' legend.
on the 'Insert the existing DUID here' legend.
Click Save.
**LAN Interface**
@ -97,17 +97,17 @@ Interfaces:[LAN] menu.
It is my recommendation not to use the private subnet range 192.168.*.0, as
this range is often used by hotels and other public networks for access, this
can cause issues when using a VPN. My preferred address method is using the
can cause issues when using a VPN. My preferred address method is using the
10.*.*.0 subnet where the second and third quartet are birth dates or some
other easily memorable number. i.e. 10.1.11.0 would be the first of November.
This is more random and the chances of the same range on a public network is
greatly reduced, however the address range is easily memorable.
.. image:: images/ZenUK_image3.png
:scale: 100%
:width: 100%
.. image:: images/skyuk_lan_1.png
:scale: 100%
:width: 100%
Once the LAN IPv4 address is set then all that remains in the LAN interface
is to set the interface to use the assigned IPv6 prefix.
@ -117,7 +117,7 @@ requirement which this document does not cover, set the IPv6 Prefix ID
to 0.
.. image:: images/ZenUK_image4.png
:scale: 100%
:width: 100%
Click Save and then Apply.
@ -125,4 +125,3 @@ Setting up the IPv4 DHCP server is not covered in this document, but is
required.
It is advisable at this point to reboot the system.

10
source/manual/how-tos/cachingproxy.rst
View file

@ -3,7 +3,7 @@ Setup Caching Proxy
===================
.. image:: images/proxy_basics.png
:scale: 100%
:width: 100%
----------------
Enable / Disable
@ -36,7 +36,7 @@ To enable caching click on the arrow next to the **General Proxy Settings** to
see the dropdown menu and click on **Local Cache Settings**.
.. image:: images/proxy_cache.png
:scale: 100%
:width: 100%
Check the **Enable local cache** and click **Apply**.
@ -137,7 +137,7 @@ Fill in:
Looks like (screenshots of version 16.1.4):
.. image:: images/proxy_blacklist.png
:scale: 100%
:width: 100%
**Save changes**
@ -177,7 +177,7 @@ And one more rule to block HTTPS access:
**Save** & **Apply changes**
.. image:: images/proxy_firewall.png
:scale: 100%
:width: 100%
-------------------------
Configure Browser/Firefox
@ -186,7 +186,7 @@ To configure you browser for use with the proxy, just go to your network setting
and configure a proxy like this in firefox:
.. image:: images/proxy_firefox.png
:scale: 100%
:width: 100%
For a set-for-step guide on full category based web filtering see :doc:`proxywebfilter`.

2
source/manual/how-tos/carp.rst
View file

@ -15,7 +15,7 @@ will be used for the internal network and 172.8.0.0/24 will be used to
route our traffic to the internet.
.. image:: ./images/900px-Carp_setup_example.png
:scale: 100%
:width: 100%
When using CARP ( `FreeBSD handbook on CARP <https://www.freebsd.org/doc/handbook/carp.html>`__ ), all
fail-safe interfaces should have a dedicated ip address which will be

6
source/manual/how-tos/cellular.rst
View file

@ -40,11 +40,11 @@ If you need to enter a PIN number then click on **Advanced Options**
Click **Save** to apply the settings.
.. image:: images/4g_configure_ppp.png
:scale: 100%
:width: 100%
.. image:: images/ppp_celular_configured.png
:scale: 100%
:width: 100%
---------------------------------
Step 2 - Assign the WAN interface
@ -60,7 +60,7 @@ If everything went fine then your are all setup and the default gateway will be
the one of you cellular connection.
.. image:: images/Interface_assignment_4g.png
:scale: 100%
:width: 100%
-------------------------
Step 3 - Trouble shooting

2
source/manual/how-tos/cloud_backup.rst
View file

@ -101,7 +101,7 @@ Now we can put it all together, login to your OPNsense firewall and go
to the backup feature (default : https://192.168.1.1/diag_backup.php )
.. image:: ./images/600px-Google_Drive_Backup_screenshot.png
:scale: 100%
:width: 100%
On the bottom of the page are the options for the Google Drive backup,
enable the feature and fill in the parameters. Email address is acquired

8
source/manual/how-tos/edrop.rst
View file

@ -53,7 +53,7 @@ Set the update frequency to 1 for each day.
Press **Save** and then **Apply changes**.
.. image:: images/spamhaus_drop_edrop.png
:scale: 100%
:width: 100%
---------------------------------------
Step 2 - Firewall Rules Inbound Traffic
@ -87,7 +87,7 @@ Enter the following configuration and leave all other parameters on default valu
=================== =============== =============================================
.. image:: images/spamhaus_wan_rules.png
:scale: 100%
:width: 100%
**Save**
@ -123,7 +123,7 @@ lower right corner.
**Save** and **Apply changes**
.. image:: images/spamhaus_lan.png
:scale: 100%
:width: 100%
**DONE**
@ -134,4 +134,4 @@ To list the ip addresses that are currently in the DROP and EDROP lists go to
**Firewall->Diagnostics->pfTables** and select the list you want to see:
.. image:: images/spamhaus_pftable.png
:scale: 100%
:width: 100%

10
source/manual/how-tos/fwcategory.rst
View file

@ -16,7 +16,7 @@ Then just add you category, if this is the first rule with a category no selecti
options will be visible.
.. image:: images/Rule_Category.png
:scale: 100%
:width: 100%
---------------------------------
Firewall Rules Filter by category
@ -27,7 +27,7 @@ becomes visible at the bottom of the table.
If you click it is will look like this:
.. image:: images/Filter_by_Category.png
:scale: 100%
:width: 100%
If you have a large number of categories, then just start typing and in search
box to make a quick selection.
@ -38,7 +38,7 @@ Before Selection
Take a look at this simple rule set before selecting our "My IP's" category.
.. image:: images/Rules_Full.png
:scale: 100%
:width: 100%
--------------------
And after selection
@ -46,7 +46,7 @@ Take a look at this simple rule set before selecting our "My IP's" category.
Now when selecting our test category it will look like this:
.. image:: images/Filter_Category_Result.png
:scale: 100%
:width: 100%
That is all there is to it to organize your rules without messing anything up.
@ -59,4 +59,4 @@ This features makes it possible to select rules from more than one category.
Example:
.. image:: images/fw_category_multiselect.png
:scale: 100%
:width: 100%

30
source/manual/how-tos/guestnet.rst
View file

@ -6,7 +6,7 @@ Guest Networks are widely used to allow guests controlled internet access at
hotels, RV Parks or businesses.
.. image:: images/opnsense_hotspot_controller.png
:scale: 100%
:width: 100%
.. Note::
For the example we expect the GUESTNET interface to be connected with your
@ -190,7 +190,7 @@ Click **Save** and then **Apply changes**
Your rules should look similar to the screenshot below:
.. image:: images/guestnet_fwrules.png
:scale: 100%
:width: 100%
------------------------------
@ -232,13 +232,13 @@ Lets create a custom landing page, to do so click on the tab **Templates** and
click on the download icon in the lower right corner ( |download| ).
.. image:: images/template_download.png
:scale: 100%
:width: 100%
Now download the default template, we will use this to create our own.
Unpack the template zip file, you should have something similar to this:
.. image:: images/template_filelisting.png
:scale: 100%
:width: 100%
Most files of the template can be modified, but some are default and may not be
changes. Upon upload any changes to the files listed in **exclude.list** will be
@ -247,7 +247,7 @@ ignored. Currently these include the bootstrap java scripting and some fonts.
With the captive portal enabled the default screen looks like:
.. image:: images/default_login_no_authenticator.png
:scale: 100%
:width: 100%
Lets change this default with a new logo and a welcome message, to this:
@ -305,10 +305,10 @@ Enter a **Template Name**, for this example we use **Company**.
Hit Upload ( |upload| )
.. |download| image:: images/btn_download.png
:scale: 100%
:width: 100%
.. |upload| image:: images/btn_upload.png
:scale: 100%
:width: 100%
To enable the captive portal on the GUESTNET interface just click on **Apply**.
@ -393,7 +393,7 @@ After testing your result should be similar to this (if your internet connection
has sufficient bandwidth).
.. image:: images/cp-traffic-shaping.png
:scale: 100%
:width: 100%
.. Note::
Keep in mind we have only one connected client in this test, so all reserved
@ -431,7 +431,7 @@ Click on **Create Vouchers** in the lower right corner of the form.
Lets create 1 Day vouchers for our guests:
.. image:: images/create_vouchers.png
:scale: 100%
:width: 100%
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wifi day pass f.i.).
@ -474,7 +474,7 @@ the cvs data with word, open office or any other dtp/text editor.
Create something like this:
.. image:: images/cp_royalhotel_voucher.png
:scale: 100%
:width: 100%
You can select a database to and remove it entirely. This way you can
create a voucher database for the arrival date of guest per guest group
@ -501,7 +501,7 @@ When done click **Save changes** and the **Apply** to apply the new settings.
Now users will see the login form as part of your template:
.. image:: images/cp_voucher_login.png
:scale: 100%
:width: 100%
--------------
Check Sessions
@ -510,7 +510,7 @@ To check the active sessions go to **Services->Captive Portal->Sessions**
Our current session looks like this:
.. image:: images/cp_active_sessions.png
:scale: 100%
:width: 100%
You can drop an active session by clicking on the trashcan.
@ -527,7 +527,7 @@ page of the captive portal (**Services->Captive Protal->Vouchers**) and select
the correct database (Wifi day pass in our example).
.. image:: images/cp_active_vouchers.png
:scale: 100%
:width: 100%
.. Note::
The state valid means it is activated but still valid.
@ -583,7 +583,7 @@ like this (shown with a bit of context):
window.open("session_popup.html","Session Status & Logout","width=400, height=400");
.. image:: images/captiveportal_popup.png
:scale: 100%
:width: 100%
-----------------------------
Advanced - CLI Session Status
@ -601,4 +601,4 @@ Type the following on the cli prompt to do so (for zone id 0):
The output will be something similar to this:
.. image:: images/cli_list_captiveportalsessions.png
:scale: 100%
:width: 100%

20
source/manual/how-tos/insight.rst
View file

@ -12,7 +12,7 @@ Insight is a fully integrated part of OPNsense. Its User Interface is simple yet
powerful.
.. image:: images/insight_gui.png
:scale: 100%
:width: 100%
Insight offers a full set of analysis tools, ranging from a graphical overview to
@ -40,17 +40,17 @@ to compare usage with different interfaces.
**Stacked**
.. image:: images/stacked_view.png
:scale: 100%
:width: 100%
**Stream**
.. image:: images/stream_view.png
:scale: 100%
:width: 100%
**Expanded**
.. image:: images/expanded_view.png
:scale: 100%
:width: 100%
Interfaces
----------
@ -74,10 +74,10 @@ view by clicking or double clicking on one of the shown port names/numbers.
Clicking on a piece of the pie will open a detailed view for further analysis.
.. image:: images/pie_piece.png
:scale: 100%
:width: 100%
.. image:: images/pie_details.png
:scale: 100%
:width: 100%
IP Addresses Pie Chart
@ -103,14 +103,14 @@ click on the tab **Details**.
When opening the details view by clicking on the tab one can make a new query.
.. image:: images/insight_details_view.png
:scale: 100%
:width: 100%
After selecting a valid date range (form/to) and interface one can further limit
the output by filtering on port or ip address. Select the refresh icon to update
the detailed output. Leave Port and Address empty for a full detailed listing.
.. image:: images/insight_full_details.png
:scale: 100%
:width: 100%
-----------
@ -120,7 +120,7 @@ The **Export** view allows you to export the data for further analysis in your f
spreadsheet or other data analysis application.
.. image:: images/insight_export_view.png
:scale: 100%
:width: 100%
To export data, select a **Collection** :
@ -134,4 +134,4 @@ Select the **Resolution** in seconds (300,3600,86400)
Then select a date range (from/to) and click the **export** button.
.. image:: images/insight_export.png
:scale: 100%
:width: 100%

20
source/manual/how-tos/installaws.rst
View file

@ -2,7 +2,7 @@
Installing OPNsense AWS image
=============================
.. image:: images/amazon-web-services.png
:scale: 100%
:width: 100%
To apply for access to the OPNsense Amazon AWS EC2 cloud image, you need:
@ -24,7 +24,7 @@ Step 2 - Select Type
Choose an instance type
.. image:: images/aws_launch_new_image.png
:scale: 100%
:width: 100%
---------------------------------
Step 3 - Configure security group
@ -32,7 +32,7 @@ Step 3 - Configure security group
To configure security group, make sure you allow https access from your own network.
.. image:: images/aws_configure_security_group.png
:scale: 100%
:width: 100%
-------------------------
@ -40,7 +40,7 @@ Step 4 - Configure a disk
-------------------------
.. image:: images/aws_choose_disc.png
:scale: 100%
:width: 100%
-----------------------------
@ -48,7 +48,7 @@ Step 5 - Review your settings
-----------------------------
.. image:: images/aws_review_settings.png
:scale: 100%
:width: 100%
--------------------
Step 6 - SSH keypair
@ -56,14 +56,14 @@ Step 6 - SSH keypair
Select ssh keypair or skip, the ssh key isnt used for OPNsense, ssh is disabled by default.
.. image:: images/aws_ssh_keypair.png
:scale: 100%
:width: 100%
---------------------------
Step 7 - Review status page
---------------------------
.. image:: images/aws_status.png
:scale: 100%
:width: 100%
----------------------
Step 8 - AWS instances
@ -71,7 +71,7 @@ Step 8 - AWS instances
Go to your AWS instances
.. image:: images/aws_instances.png
:scale: 100%
:width: 100%
Select the image, go to “image settings” then “get system log” to obtain the
initial password
@ -82,14 +82,14 @@ Step 9 - Initial root password
Copy your initial root password (line ** set initial….)
.. image:: images/aws_capture_initial_password.png
:scale: 100%
:width: 100%
--------------------------------
Step 10 - Search current address
--------------------------------
.. image:: images/aws_search_current_ip.png
:scale: 100%
:width: 100%
Login to OPNsense using the address provided.

22
source/manual/how-tos/ips-feodo.rst
View file

@ -17,7 +17,7 @@ Prerequisites
**System->Firmware: Fetch updates**
.. image:: images/firmware.png
:scale: 100%
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
@ -26,7 +26,7 @@ Prerequisites
Under **Interface-Settings**
.. image:: images/disable_offloading.png
:scale: 100%
:width: 100%
.. warning::
@ -48,7 +48,7 @@ detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
.. image:: images/idps.png
:scale: 100%
:width: 100%
-------------------
Apply configuration
@ -57,7 +57,7 @@ First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:scale: 100%
:width: 100%
---------------
Fetch Rule sets
@ -66,12 +66,12 @@ For this example we will only fetch the abuse.ch SSL & Dodo Tracker rulesets.
To do so: select Enabled after each one.
.. image:: images/rulesets_enable.png
:scale: 100%
:width: 100%
To download the rule sets press **Download & Update Rules**.
.. image:: images/downloadbtn.png
:scale: 100%
:width: 100%
-----------------------
Change default behavior
@ -80,12 +80,12 @@ Now click on the info button right after each rule and change Input Filter
from none to drop actions.
.. image:: images/changefilter.png
:scale: 100%
:width: 100%
When done it should like this:
.. image:: images/rulesdrop.png
:scale: 100%
:width: 100%
------------------------
Apply fraud drop actions
@ -93,7 +93,7 @@ Apply fraud drop actions
Now press **Download & Update Rules** again to change the behavior to drop.
.. image:: images/downloadbtn.png
:scale: 100%
:width: 100%
---------------
Keep up to date
@ -103,7 +103,7 @@ Now schedule a regular fetch to keep your server up to date.
Click on schedule, a popup window will appear:
.. image:: images/schedule.png
:scale: 100%
:width: 100%
Select **enabled** and choose a time. For the example it is set to each day at 11:12.
Select **Save changes** and wait until you have returned to the IDS screen.
@ -122,4 +122,4 @@ Currently there is no test service available to check your block rules against,
however here is a sample of an actual alert that has been blocked:
.. image:: images/alerts.jpg
:scale: 100%
:width: 100%

18
source/manual/how-tos/ips-geoip.rst
View file

@ -14,7 +14,7 @@ Prerequisites
**System->Firmware: Fetch updates**
.. image:: images/firmware.png
:scale: 100%
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
@ -23,7 +23,7 @@ Prerequisites
Under **Interface-Settings**
.. image:: images/disable_offloading.png
:scale: 100%
:width: 100%
.. warning::
@ -51,7 +51,7 @@ Select |add| to add a new rule.
Select Country:
.. image:: images/ips_rule_add_geoip.png
:scale: 100%
:width: 100%
We selected **Netherlands(not)** as this server needs to be accessible within
The Netherlands, this will drop all other traffic in both directions.
@ -59,12 +59,12 @@ The Netherlands, this will drop all other traffic in both directions.
Select the Action (Alert or Drop):
.. image:: images/ips_action.png
:scale: 100%
:width: 100%
Add a description:
.. image:: images/ips_description_country.png
:scale: 100%
:width: 100%
And click **Save changes** |save|
@ -79,7 +79,7 @@ detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
.. image:: images/idps.png
:scale: 100%
:width: 100%
-------------------
Apply configuration
@ -87,13 +87,13 @@ Apply configuration
If this is the first GeoIP rule you add then you need to **Download & Update Rules**
.. image:: images/downloadbtn.png
:scale: 100%
:width: 100%
Then apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:scale: 100%
:width: 100%
------------
@ -102,7 +102,7 @@ Sample Alert
See a sample of an alert message below.
.. image:: images/ips_geoip_alert.png
:scale: 100%
:width: 100%
.. |save| image:: images/ips_save.png

20
source/manual/how-tos/ips-sslfingerprint.rst
View file

@ -13,7 +13,7 @@ Prerequisites
**System->Firmware: Fetch updates**
.. image:: images/firmware.png
:scale: 100%
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10GB advisable).
@ -22,7 +22,7 @@ Prerequisites
Under **Interface-Settings**
.. image:: images/disable_offloading.png
:scale: 100%
:width: 100%
.. warning::
@ -58,13 +58,13 @@ next to the address : |lock|.
Now you will see something similar to:
.. image:: images/facebook_click.png
:scale: 100%
:width: 100%
Click on the arrow ( **>** ) and then Select **More Information**
Now open the certificate details and you will see something that looks like this:
.. image:: images/certificate.png
:scale: 100%
:width: 100%
Copy the SHA1 certificate fingerprint (A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9).
@ -72,17 +72,17 @@ Copy the SHA1 certificate fingerprint (A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33
Paste this into the new rule:
.. image:: images/ips_rule_details.png
:scale: 100%
:width: 100%
Select the Action (Alert or Drop):
.. image:: images/ips_action.png
:scale: 100%
:width: 100%
Add a description:
.. image:: images/ips_description.png
:scale: 100%
:width: 100%
And click **Save changes** |save|
@ -97,7 +97,7 @@ detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
.. image:: images/idps.png
:scale: 100%
:width: 100%
-------------------
Apply configuration
@ -106,7 +106,7 @@ First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
:scale: 100%
:width: 100%
----------------------------
Clear Browser Cache and test
@ -115,7 +115,7 @@ Since your browser has cached the ssl certificate you will need to clear your
cache first. After that you can test and will see the following in **Alerts**:
.. image:: images/ips_facebook_alert.png
:scale: 100%
:width: 100%
.. Note::

30
source/manual/how-tos/ipsec-road.rst
View file

@ -83,13 +83,13 @@ To allow IPsec Tunnel Connections, the following should be allowed on WAN.
* UDP Traffic on Port 4500 (NAT-T)
.. image:: images/ipsec_wan_rules.png
:scale: 100%
:width: 100%
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface.
.. image:: images/ipsec_ipsec_lan_rule.png
:scale: 100%
:width: 100%
-----------------------
Step 1 - Mobile Clients
@ -163,12 +163,12 @@ Advanced Options
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
Now you should see the following screen:
.. image:: images/ipsec_road_vpn_p1a.png
:scale: 100%
:width: 100%
-------------------------------
@ -177,12 +177,12 @@ Step 3 - Phase 2 Mobile Clients
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:scale: 100%
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:scale: 100%
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
@ -212,29 +212,29 @@ Phase 2 proposal (SA/Key Exchange)
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
-----------------------------
Enable IPsec, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:scale: 100%
:width: 100%
Save:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
And Apply changes:
.. image:: images/ipsec_s2s_vpn_p1a_apply.png
:scale: 100%
:width: 100%
------------------
.. image:: images/ipsec_s2s_vpn_p1a_success.png
:scale: 100%
:width: 100%
-----------------------------
@ -282,24 +282,24 @@ Add a new network by pressing the + in the lower left corner.
Now select **VPN** and **Cisco IPSec**, give your connection a name and press **Create**.
.. image:: images/osx-ipsec-new.png
:scale: 100%
:width: 100%
Now enter the details for our connection:
.. image:: images/osx-ipsec-conf1.png
:scale: 100%
:width: 100%
Next press **Authentication Settings** to add the group name and pre-shared key.
.. image:: images/osx-ipsec-conf2.png
:scale: 100%
:width: 100%
Press **OK** to save these settings and then **Apply** to apply them.
Now test the connection by selecting it from the list and hit **Connect**.
.. image:: images/osx-ipsec-connected.png
:scale: 100%
:width: 100%
**Done**

42
source/manual/how-tos/ipsec-s2s.rst
View file

@ -181,7 +181,7 @@ sites:
* UDP Traffic on Port 4500 (NAT-T)
.. image:: images/ipsec_wan_rules.png
:scale: 100%
:width: 100%
.. Note::
@ -191,7 +191,7 @@ To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface.
.. image:: images/ipsec_ipsec_lan_rule.png
:scale: 100%
:width: 100%
-----------------------
Step 1 - Phase 1 Site A
@ -245,12 +245,12 @@ Advanced Options
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
Now you should see the following screen:
.. image:: images/ipsec_s2s_vpn_p1a_4.png
:scale: 100%
:width: 100%
-----------------------
@ -259,12 +259,12 @@ Step 2 - Phase 2 Site A
Press the button that says '+ Show 0 Phase-2 entries'
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
:scale: 100%
:width: 100%
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:scale: 100%
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
@ -302,29 +302,29 @@ Phase 2 proposal (SA/Key Exchange)
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
-----------------------------
Enable IPsec for Site A, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:scale: 100%
:width: 100%
Save:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
And Apply changes:
.. image:: images/ipsec_s2s_vpn_p1a_apply.png
:scale: 100%
:width: 100%
------------------
.. image:: images/ipsec_s2s_vpn_p1a_success.png
:scale: 100%
:width: 100%
**You are done configuring Site A.**
@ -382,12 +382,12 @@ Advanced Options
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
Now you should see the following screen:
.. image:: images/ipsec_s2s_vpn_p1b_4.png
:scale: 100%
:width: 100%
-----------------------
@ -401,7 +401,7 @@ Press the button that says '+ Show 0 Phase-2 entries'
You will see an empty list:
.. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png
:scale: 100%
:width: 100%
Now press the *+* at the right of this list to add a Phase 2 entry.
@ -441,29 +441,29 @@ Phase 2 proposal (SA/Key Exchange)
Save your setting by pressing:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
-----------------------------
Enable IPsec for Site B, Select:
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
:scale: 100%
:width: 100%
Save:
.. image:: images/btn_save.png
:scale: 100%
:width: 100%
And Apply changes:
.. image:: images/ipsec_s2s_vpn_p1a_apply.png
:scale: 100%
:width: 100%
-----------------------------
.. image:: images/ipsec_s2s_vpn_p1a_success.png
:scale: 100%
:width: 100%
**You are done configuring Site B.**
@ -477,7 +477,7 @@ Go to **VPN->IPsec->Status Overview** to see current status.
Press on the **(i)** to see the details of the phase 2 tunnel(s), like this:
.. image:: images/ipsec_status.png
:scale: 100%
:width: 100%
.. Note::
@ -491,7 +491,7 @@ cross-cable between the WAN ports.
.. image:: images/OPN20322R_870px.png
:target: https://www.deciso.com/product-catalog/opn20322r/
:scale: 100%
:width: 100%
To route traffic the WAN interfaces have been configured to use a /16 segment and
they are each others default gateway. Other than that the sample is equal to this

10
source/manual/how-tos/ipv6_tunnelbroker.rst
View file

@ -34,7 +34,7 @@ individual /64 slices to each network. Once configured, your tunnel settings
should look like this:
.. image:: images/tunnelbroker_setup.png
:scale: 100%
:width: 100%
-----------------------
Step 1 - Add GIF tunnel
@ -61,7 +61,7 @@ Use the following settings and copy in the IPv4&6 addresses from your TunnelBrok
Make sure to include the **/64** prefixes!
.. image:: images/opnsense_add_gif.png
:scale: 100%
:width: 100%
----------------------------------------------------
Step 2 - Configure the GIF tunnel as a new interface
@ -88,7 +88,7 @@ have servers on LAN whereas most of my clients are on WLAN (Wireless LAN).
I block all incoming to LAN and WLAN. Of course, outbound connections are fine.
.. image:: images/tunnelbroker_fw_rules.png
:scale: 100%
:width: 100%
--------------------------------
Step 4 - Configure LAN interface
@ -100,7 +100,7 @@ because it's the very same. You'll repeat the same process for further networks,
but assigning the next interface a separate **/64** address.
.. image:: images/tunnelbroker_configure_lan.png
:scale: 100%
:width: 100%
-------------------------------
Step 5 - Configure DHCPv6 SLAAC
@ -114,7 +114,7 @@ Router Advertisements sub tab on that same page. Set the **Router Advertisements
setting to *Assisted* and the **Router Priority** setting to *Normal*.
.. image:: images/tunnelbroker_dhcpv6.png
:scale: 100%
:width: 100%
Save your settings.

42
source/manual/how-tos/orange_fr_fttp.rst
View file

@ -15,39 +15,39 @@ The guide deals with just the internet connection. Setting up of TV or Phone is
Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below
.. image:: images/OF_image0.png
:scale: 100%
.. image:: images/OF_image0.png
:width: 100%
and the WAN interface assignment should hence look something like this
and the WAN interface assignment should hence look something like this
.. image:: images/OF_image1.png
:scale: 100%
:width: 100%
**Configuring the WAN Interface**
---------------------------------
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
requests respectively
select options DHCP and DHCPv6 in general configuration
.. image:: images/OF_image2.png
:scale: 100%
:width: 100%
**On the DHCP request it is a requirement to pass the following:**
* dhcp-class-identifier "sagem"
* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3"
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
The eleven leading hex 00 pairs to be prefixed to the converted userID
These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request
These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request
.. image:: images/OF_image3.png
:scale: 100%
:width: 100%
.. Note::
It is necessary to specify the following 'Request Options'
@ -61,25 +61,25 @@ These parameters should be passed as comma separated options in the 'Send Option
* domain-name-servers
* option-90
These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request
These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request
Now for the regional specific part.
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
this can be done via the 'Option Modifiers'.
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
this can be done via the 'Option Modifiers'.
.. Note::
The vlan-parent is the physical WAN interface - igb0, em0 etc.
.. image:: images/OF_image4.png
:scale: 100%
:width: 100%
On the DHCP6 request we need to use raw options
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
.. image:: images/OF_image5.png
:scale: 100%
:width: 100%
then add the following options in the 'Send Options' field
@ -87,7 +87,7 @@ then add the following options in the 'Send Options' field
* raw-option 6 00:0b:00:11:00:17:00:18
* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
.. Note::
@ -96,7 +96,7 @@ then add the following options in the 'Send Options' field
Finally set the Identity Association and Prefix interface as shown
.. image:: images/OF_image6.png
:scale: 100%
:width: 100%
Click Save and then Apply.
@ -109,19 +109,15 @@ Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type
Interface
.. image:: images/OF_image7.png
:scale: 100%
:width: 100%
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
.. image:: images/OF_image8.png
:scale: 100%
:width: 100%
Click Save and then Apply.
It is advisable at this point to reboot the system.

4
source/manual/how-tos/proxyicapantivirus.rst
View file

@ -17,7 +17,7 @@ support ICAP will work just as well.
forms of infection such as through emails or usb stick.
.. image:: images/SPE_home.png
:scale: 100%
:width: 100%
Step 1 - Setup the Proxy
------------------------
@ -36,7 +36,7 @@ full installation and configuration instructions.
We installed the Engine for Web Proxy purpose and enabled ICAP with its default settings.
.. image:: images/SPE_ICAP.png
:scale: 100%
:width: 100%
Step 4 - Connect the Engine
---------------------------

12
source/manual/how-tos/proxytransparent.rst
View file

@ -37,7 +37,7 @@ A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the
left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**.
.. image:: images/screenshot_enable_transparent_http.png
:scale: 100%
:width: 100%
**For reference, these are the default settings:**
@ -65,7 +65,7 @@ Authority. Go to **System->Trust->Authorities** or use the search box to get the
fast.
.. image:: images/search_ca.png
:scale: 100%
:width: 100%
Click on **add or import ca** in the upper right corner of the screen to create
a new CA.
@ -121,7 +121,7 @@ A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the
left of the **Enable SSL mode** option and click on **add a new firewall rule**.
.. image:: images/screenshot_enable_transparent_http.png
:scale: 100%
:width: 100%
**For reference, these are the default settings:**
@ -151,13 +151,13 @@ certificate for each page manually, but for some pages that may not work well un
not bumped.
.. image:: images/export_CA_cert.png
:scale: 100%
:width: 100%
Import and change trust settings on your favorite OS. Per example on OSX it looks
like this:
.. image:: images/Trust_Settings_OSX.png
:scale: 100%
:width: 100%
.. Warning::
Again be very careful with this as your system will accept any page signed with
@ -171,7 +171,7 @@ like this:
connection against man in the middle attacks otherwise trusted certificates.
If you want to make the connection work again, you have to whitelist the following
Google domains in your "No Bump Hosts" settings.
* Your local Google domain (for example: google.at for Austria, google.de for Germany, …)
* .google.com
* .googleapis.com

8
source/manual/how-tos/proxywebfilter.rst
View file

@ -54,7 +54,7 @@ The URL of the full compressed UT1 category based list is:
ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
.. image:: images/proxy_ut1.png
:scale: 100%
:width: 100%
Press **Save Changes**.
@ -72,13 +72,13 @@ to the description of the list. This will open the edit window again, but now yo
will see all available categories extracted from the list.
.. image:: images/proxy_categories.png
:scale: 100%
:width: 100%
For our example we will filter ads and adult content. The easiest way to do so is
clear the list and select the following from the drop down list:
.. image:: images/proxy_catgegory.png
:scale: 100%
:width: 100%
Now **Save changes** and press **Download ACLs** again to download and reconstruct
the list with only the selected categories. This will take roughly the same amount
@ -128,4 +128,4 @@ And one more rule to block HTTPS access:
**Save** & **Apply changes**
.. image:: images/proxy_firewall.png
:scale: 100%
:width: 100%

28
source/manual/how-tos/self-signed-chain.rst
View file

@ -13,7 +13,7 @@ Look at the default install, one certificate is created for the webgui/dashboard
nothing wrong with that certificate if we use a real world CA, but we do not. We
create our own chain so that one has no purpose once done.
Should you even consider using **self-signed certificate chains** in this age of free available
Should you even consider using **self-signed certificate chains** in this age of free available
certificates?
* Self-signed certificate are just as secure as real world certificates.
@ -32,7 +32,7 @@ What you should know about self-signed certificates:
* They are **only** as trustworty as the person, company or organization signing it.
* Using these certificates **can** be a security risk if you are the one trusting them and not a CA.
A chain will need at least a CA and certificate; an intermediate CA is not needed, but in case of a
A chain will need at least a CA and certificate; an intermediate CA is not needed, but in case of a
compromise the CA key would be compromised too.
The chain we are going to create will be made with the following ingredients:
@ -43,7 +43,7 @@ The chain we are going to create will be made with the following ingredients:
.. Note::
This document uses **CN - Common Name** should be read as: **SAN - Subject Alternative Name** and
This document uses **CN - Common Name** should be read as: **SAN - Subject Alternative Name** and
will be used if present.
Please backup before you proceed.
@ -79,7 +79,7 @@ When you are done save the form, the CA is now generated.
====================== =================================== ========================================
.. image:: images/CA.png
:scale: 15%
:width: 15%
.. Tip::
@ -103,7 +103,7 @@ Have a look at the form, create an intermediate CA and save it.
====================== =================================== ========================================
.. image:: images/CA-inter.png
:scale: 15%
:width: 15%
The Certificate
---------------
@ -122,7 +122,7 @@ Have a look at the next form and notice the common name, create a server certifi
====================== =================================== ========================================
.. image:: images/webgui-cert.png
:scale: 15%
:width: 15%
.. Tip::
@ -141,7 +141,7 @@ Now we need to start using the chain:
* Go back to the dashboard & open **System/Settings/Administration**
* Set **SSL-Certificate** to use the new server certificate.
Open your browser and open the OPNsense/webgui page. You should be presented with a certificate that is
Open your browser and open the OPNsense/webgui page. You should be presented with a certificate that is
verified by your intermediate CA.
@ -167,7 +167,7 @@ Go ahead and create a new chain **CA -- intermediate CA -- server cert.**.
.. Tip::
| You can check if **ca-root-nss** has changed:
| You can check if **ca-root-nss** has changed:
| Do a health check before you add the CA.
| If the check was okay add the CA to the store.
| Create a new checksum & save it :
@ -189,7 +189,7 @@ Go to **Trust/Authorities** create a new CA for Nextcloud and save it.
====================== =================================== ========================================
.. image:: images/CA-cloud.png
:scale: 15%
:width: 15%
OPNsense needs to be made aware of the Nextcloud chain we are creating.
@ -231,7 +231,7 @@ Go to **Trust/Authorities** and create an intermediate CA.
====================== =================================== ========================================
.. image:: images/CA-cloud-inter.png
:scale: 15%
:width: 15%
Download the intermediate CA and install it to your browser:
@ -253,7 +253,7 @@ Go to **Trust/Certificates** create a server certificate.
====================== =================================== ========================================
.. image:: images/cloud-cert.png
:scale: 15%
:width: 15%
We need to install this certificate and key to our Nextcloud server, two ways are shown here.
@ -266,10 +266,10 @@ We need to install this certificate and key to our Nextcloud server, two ways ar
openssl pkcs12 -in nextcloud-crt.p12 -nodes -out nextcloud.key -nocerts
openssl pkcs12 -in nextcloud-crt.p12 -clcerts -nokeys -out nextcloud.pem
cp nextcloud.pem nextcloud.crt
- * Or use the next quick and dirty method for a single key/certificate file:
* Upload the ***.p12** archive to your Nextcloud server, in a safe way..
* Extact the archive into a single **PEM** file and create a certificate.
* Extact the archive into a single **PEM** file and create a certificate.
::
@ -278,7 +278,7 @@ We need to install this certificate and key to our Nextcloud server, two ways ar
- * **/etc/ssl/localcerts** will be alright for the certificate or choose your own prefered location.
* If the key was extracted separatly, **/etc/ssl/private** would be a good choice.
* Be sure to set sane permissions on the private directory, ``700`` would do it.
* Be sure to set sane permissions on the private directory, ``700`` would do it.
* You could set ``umask`` too (see) ``man umask`` - on your Linux box.
* Edit the webserver config to use the certificate and key or single key-cert file.
* Sane permissions, ``400`` read only owner is sufficent.

8
source/manual/how-tos/shaper.rst
View file

@ -176,7 +176,7 @@ Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s1.png
:scale: 100%
:width: 100%
.. |apply| image:: images/applybtn.png
@ -308,7 +308,7 @@ Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s2.png
:scale: 100%
:width: 100%
------------------------
Limit bandwidth per user
@ -392,7 +392,7 @@ Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s3.png
:scale: 100%
:width: 100%
-----------------------
Prioritize using Queues
@ -522,7 +522,7 @@ Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s4.png
:scale: 100%
:width: 100%
--------------------------------------
Multi Interface shaping for a GuestNet

22
source/manual/how-tos/sslvpn_client.rst
View file

@ -3,7 +3,7 @@ Setup SSL VPN Road Warrior
==========================
.. image:: images/sslvpn_image_new.png
:scale: 100%
:width: 100%
Road Warriors are remote users who need secure access to the companies infrastructure.
OPNsense uses OpenVPN for its SSL VPN Road Warrior setup and offers OTP (One Time Password)
@ -107,7 +107,7 @@ and click on **Add server** in the top right corner of the form.
configuration. Try it by typing *Ac...* and see for yourself:
.. image:: images/qs-access_server.png
:scale: 100%
:width: 100%
:align: center
Now first change the **Type** to **Local + Timebased One time Password**
@ -207,7 +207,7 @@ For the first step we enter:
Click **Save** and you will be redirected to the User page.
Now we will activate your newly created seed with your Google Authenticator
compatible app. To do so click in the **Click to unhide** button in the
compatible app. To do so click in the **Click to unhide** button in the
**OTP QR code** row and you will get a QR code to scan with your smartphone.
See also: :doc:`/manual/how-tos/two_factor`
@ -280,7 +280,7 @@ For our example will use the following settings:
Click **Save** to add the new server.
.. image:: images/sslvpn_server.png
:scale: 100%
:width: 100%
----------------------
@ -293,14 +293,14 @@ port on the WAN interface. When using multiple servers we need to open up each p
For our configuration we only use one server accessible on udp port 1194.
.. image:: images/sslvpn_wan_rule.png
:scale: 100%
:width: 100%
Next we also need to allow traffic from the VPN clients to our LAN interface.
For our example we will allow client to access anything on our local area network,
however you may decide just to allow traffic to one or more servers.
.. image:: images/sslvpn_openvpn_rule.png
:scale: 100%
:width: 100%
-----------------------------
@ -324,25 +324,25 @@ to open the file with search and select Viscosity.
Some sample screenshots (Mac OSX):
.. image:: images/viscosity_files.png
:scale: 100%
:width: 100%
**Import Configuration**
.. image:: images/viscosity_imported.png
:scale: 100%
:width: 100%
**Connect & login**
In the password field enter your TOTP token first followed by your password.
.. image:: images/viscosity_login.png
:scale: 100%
:width: 100%
**Connected**
.. image:: images/viscosity_connected.png
:scale: 100%
:width: 100%
-----------------------------
@ -400,4 +400,4 @@ exactly the same as before, the only difference is that each user requires a Use
and therefore their own configuration.
.. image:: images/sslvpn_client_certificate.png
:scale: 100%
:width: 100%

10
source/manual/how-tos/sslvpn_s2s.rst
View file

@ -212,7 +212,7 @@ For our example will use the following settings (leave everything else on its de
Click **Save** to add the new server.
.. image:: images/sslvpn_server.png
:scale: 100%
:width: 100%
----------------------
@ -261,14 +261,14 @@ port on the WAN interface. When using multiple servers we need to open up each p
For our configuration we only use one server accessible on UDP port 1194.
.. image:: images/sslvpn_wan_rule.png
:scale: 100%
:width: 100%
Next we also need to allow traffic from the VPN client network (192.168.2.0/24).
For our example we will allow client to access anything on our local network(s),
however you may decide just to allow traffic to one or more IP's.
.. image:: images/sslvpn_openvpn_rule.png
:scale: 100%
:width: 100%
**You are done configuring Site A.**
@ -308,7 +308,7 @@ Now click on **Save** to apply your settings.
The Connection Status can be viewed under **VPN->OpenVPN->Connection Status**
.. image:: images/sslvpn_connection_status.png
:scale: 100%
:width: 100%
------------------------------
Step 5 - Client Firewall Rules
@ -317,7 +317,7 @@ To allow traffic from the remote network just add a rule under **Firewall->Rules
OpenVPN tab.
.. image:: images/sslvpn_firewall_rule_client.png
:scale: 100%
:width: 100%
**Done**

20
source/manual/how-tos/two_factor.rst
View file

@ -6,7 +6,7 @@ using OPNsense and Google's Authenticator. All services of OPNsense can be used
with this 2FA solution.
.. image:: /manual/images/two_factor_authentication.png
:scale: 100%
:width: 100%
.. Note::
@ -52,12 +52,12 @@ To activate your new OTP seed on the Google Authenticator, first reopen the user
you just created by clicking on the pencil icon.
.. image:: images/OTP_seed.png
:scale: 100%
:width: 100%
Now it will show a QR code:
.. image:: images/otp_qr_code.png
:scale: 100%
:width: 100%
.. Warning::
@ -72,18 +72,18 @@ directly.
In case of SailOTP the configuration works like this:
.. image:: images/sailotp_menu.jpg
:scale: 100%
:width: 100%
Pull down to open the application menu and choose the entry to add a new Token.
.. image:: images/sailotp_scan_qr.jpg
:scale: 100%
:width: 100%
In the next step, you have to scan the previously created QR code by clicking
on the screen.
.. image:: images/sailotp_scanresult.jpg
:scale: 100%
:width: 100%
When the QR code is scanned, a new view will open where you can
see the details of the result. This view can be used to check if the generated
@ -122,7 +122,7 @@ is token and then password **in the same field**.
Hit the test button and if all goes well you should see *successfully authenticated*.
.. image:: images/system_access_tester.png
:scale: 100%
:width: 100%
------------------------
Step 6 - Using the token
@ -131,8 +131,8 @@ To use the token in any application/service that you have configured, just open
the Google Authenticator and add the created token/key **before** your regular password.
.. Warning::
Remember, you need to enter the token **before** or **after** you password
(depending on your configuration)! And the password field should be used to enter
Remember, you need to enter the token **before** or **after** you password
(depending on your configuration)! And the password field should be used to enter
both token and your password, like: **Password:** 123456PASSWORD
@ -140,4 +140,4 @@ The code will change every 30 seconds.
Sample code:
.. image:: images/google_token_sample.png
:scale: 25%
:width: 25%

14
source/manual/how-tos/user-ldap.rst
View file

@ -50,7 +50,7 @@ Enter the following information:
something similar to will show up:
.. image:: images/ldap_selectcontainer.png
:scale: 100%
:width: 100%
.. TIP::
The **Extended Query** can be used to select users who are member of a specific
@ -61,7 +61,7 @@ Enter the following information:
**Members**.
.. image:: images/ldap_mygroup_properties.png
:scale: 100%
:width: 100%
Step 2 - Test
@ -71,7 +71,7 @@ and select your LDAP server and enter a valid username + password. Click on
**Test** and if everything is setup correctly it will show:
.. image:: images/ldap_testok.png
:scale: 100%
:width: 100%
.. Note::
When limited to just one group, the group name will not be shown in the listing.
@ -79,7 +79,7 @@ and select your LDAP server and enter a valid username + password. Click on
If not (or your entered invalid credentials) it shows:
.. image:: images/ldap_testfail.png
:scale: 100%
:width: 100%
Step 3 - Import Users
---------------------
@ -88,7 +88,7 @@ to import the users into the local user manager. Go to **System->Access->Users**
you will see a cloud import icon at the lower right corner of the form.
.. image:: images/user_cloudimport.png
:scale: 100%
:width: 100%
Click on the cloud import icon to start importing users.
@ -105,7 +105,7 @@ notice the difference as the **User Distinguished name** will be shown from the
LDAP server, just like this:
.. image:: images/user_ldap_distinguishedname.png
:scale: 100%
:width: 100%
.. TIP::
See :doc:`user-local` for more information on User, Groups and privileges.
@ -122,4 +122,4 @@ Go to **System->Access->Settings** and change the Authentication Server from
The test result should look like this:
.. image:: images/user_testresult_ldap.png
:scale: 80%
:width: 80%

4
source/manual/how-tos/user-local.rst
View file

@ -3,7 +3,7 @@ Creating Users & Groups
=======================
.. image:: images/usermanager_groups.png
:scale: 100%
:width: 100%
With the local user manager of OPNsense one can add users and groups and define
the privileges for granting access to certain parts of the GUI (Web Configurator).
@ -47,6 +47,6 @@ The search bottom at the top of this form can be used to quickly find the right
page.
.. image:: images/user_privileges.png
:scale: 100%
:width: 100%
After making the right selection click on **Save** to store the new settings.

4
source/manual/install.rst
View file

@ -368,7 +368,7 @@ Minimum installation actions
**Enable RAM disk manually**
.. image:: ./images/Screenshot_Use_RAMdisks.png
:scale: 100%
:width: 100%
Then via console, check your /etc/fstab and make sure your primary
partition has **rw,noatime** instead of just **rw**.
@ -410,4 +410,4 @@ The other method to upgrade the system is via console option **12) Upgrade from
An update can be done through the GUI via **System⇒Firmware⇒Updates**.
.. image:: ./images/firmware-update.png
:scale: 100%
:width: 100%

2
source/manual/ipv6.rst
View file

@ -3,7 +3,7 @@ Using IPv6
==========
.. image:: images/IPv6.png
:scale: 100%
:width: 100%
OPNsense fully supports IPv6 for routing and firewall. However there are lots of
different options to utilize IPv6. Currently these scenario's are known to work:

2
source/manual/mobile_wan.rst
View file

@ -3,7 +3,7 @@ Mobile Networking
=================
.. image:: images/OPNsense_4G_new.png
:scale: 100%
:width: 100%
OPNsense supports 3G and 4G (LTE) cellular modems as failsafe or primary WAN
interface. Both USB and (mini)PCIe cards are supported.

4
source/manual/netflow.rst
View file

@ -3,7 +3,7 @@ Netflow Export & Analyses
=========================
.. image:: images/netflow_analyzer_insight.png
:scale: 100%
:width: 100%
Netflow is a monitoring feature, invented by Cisco, it is implemented in the FreeBSD
kernel with ng_netflow (Netgraph). Since Netgraph is a kernel implementation it
@ -59,7 +59,7 @@ and multiple destinations including local capture for analysis by Insight (OPNse
Netflow Analyzer).
.. image:: images/netflow_exporter.png
:scale: 100%
:width: 100%
--------------------------
Netflow Analyzer - Insight

18
source/manual/systemhealth.rst
View file

@ -3,7 +3,7 @@ System Health & Round Robin Data
================================
.. image:: images/systemhealth_sample.png
:scale: 100%
:width: 100%
System Health is a dynamic view on RRD data gathered by the system. It allows you
to dive into different statistics that show the overall health and performance of
@ -41,7 +41,7 @@ Please see the screenshot below for all element of the system health module.
Each element will be explained in the next chapters.
.. image:: images/systemhealth_gui.png
:scale: 100%
:width: 100%
Toggle menu collapse
--------------------
@ -68,7 +68,7 @@ this is especially useful for traffic flows where you can plot ingoing and outgo
in different directions.
.. image:: images/systemhealth_inverse.png
:scale: 100%
:width: 100%
Resolution
----------
@ -94,7 +94,7 @@ and show you the current detail level in this area.
Label filter
------------
.. image:: images/systemhealth_labelfilter.png
:scale: 100%
:width: 100%
The label filter can be used to filer out data you do not want to see. Click once
to disable or double click to select only this set.
@ -102,13 +102,13 @@ to disable or double click to select only this set.
A nice sample can be seen here, where the *processes* obscure all other data.
.. image:: images/systemhealth_obscureddata.png
:scale: 100%
:width: 100%
Just click once on *processes* to hide this data set, notice that the scales will
adapt as well.
.. image:: images/systemhealth_filtered.png
:scale: 100%
:width: 100%
Main graph area
---------------
@ -131,13 +131,13 @@ selected area.
A sample selection:
.. image:: images/systemhealt_selection.png
:scale: 100%
:width: 100%
And the result:
.. image:: images/systemhealth_zoomed.png
:scale: 100%
:width: 100%
Min/max/average table
---------------------
@ -155,4 +155,4 @@ values and export the data to as comma separated file (.CSV).
The exported dataset can be used for your own reporting.
.. image:: images/systemhealth_excel.png
:scale: 100%
:width: 100%

4
source/manual/two_factor.rst
View file

@ -3,7 +3,7 @@ Two-factor authentication
=========================
.. image:: images/two_factor_authentication.png
:scale: 100%
:width: 100%
Two-factor authentication also known as 2FA or 2-Step Verification is an authentication
method that requires two components, such as a pin/password + a token.
@ -27,7 +27,7 @@ has a default fallback to the local database. In case of 2FA for the GUI one nee
to disable the fallback option to make sure no local user can gain access without 2FA.
.. image:: images/auth_server_fallback.png
:scale: 100%
:width: 100%
----------------------------

2
source/manual/users.rst
View file

@ -3,7 +3,7 @@
=================
.. image:: images/user_manager.png
:scale: 100%
:width: 100%
The user manager of OPNsense allows for controlling access to the different
part (pages) of the configurator as well as controlling access to particular

2
source/manual/virtuals.rst
View file

@ -86,7 +86,7 @@ opnsense bootstrap is available for our
Amazon AWS EC2 Cloud
--------------------
.. image:: how-tos/images/amazon-web-services.png
:scale: 100%
:width: 100%
Installing OPNsense into the Amazon cloud can be a dounting task as no console is
offered. As part of Deciso's support packages (see `OPNsense commercial Support

4
source/manual/vpnet.rst
View file

@ -7,7 +7,7 @@ extends the private network into the public network such as internet. With a VPN
you can create large secure networks that can act as one private network.
.. image:: images/Virtual_Private_Network_overview.png
:scale: 100%
:width: 100%
(picture from `wikipedia <https://en.wikipedia.org/wiki/File:Virtual_Private_Network_overview.svg>`__)
@ -29,7 +29,7 @@ well known IPsec as well as older (now considered insecure) legacy options such
L2TP and PPTP.
.. image:: images/vpn.png
:scale: 100%
:width: 100%
.. Note::

2
source/relations/osi.rst
View file

@ -3,7 +3,7 @@ Open Source Initiative
======================
.. image:: ./images/osi_standard_logo.png
:scale: 25%
:width: 25%
-----------------------