Merge remote-tracking branch 'origin/master' into firewall-rules-new

Monviech 2026-01-22 10:38:10 +01:00
commit 5d44cad51f
126 changed files with 589 additions and 334 deletions


@ -158,7 +158,7 @@ def t_php_OBJECT_OPERATOR(t):
return t
# Delimeters
# Delimiters
t_php_LPAREN = r'\('
t_php_RPAREN = r'\)'
t_php_DOLLAR = r'\$'


@ -8,7 +8,7 @@ Community Edition
:width: 600px
:align: center
As of January 2015 there have been *329* releases leading to the latest version *25.7.10*
As of January 2015 there have been *330* releases leading to the latest version *25.7.11*
named "Visionary Viper".
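Review bot: the date anchor on the changed line is stale: "As of January 2015" now reports 330 releases leading to version 25.7.11, which reads as if both were true in January 2015. Either update the date alongside the count, or reword to "Since January 2015 there have been *330* releases leading to the latest version *25.7.11*", which is what the sentence means.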


@ -44,7 +44,7 @@ Since almost 99% of our endpoints are actually being used by the gui, it's not v
parameters, you just need a browser and open an inspect pane. Calls being executed from the gui can easily be found
by filtering the requests starting with :code:`/api/`.
For exampe, when looking at the search grid in :menuselection:`System --> Diagnostics --> Services`, pressing the reload
For example, when looking at the search grid in :menuselection:`System --> Diagnostics --> Services`, pressing the reload
button will execute a :code:`POST` to :code:`https://my.firewall/api/core/service/search` containing the following raw
json data:


@ -17,7 +17,7 @@ OPNBECore
Sync API explained
-----------------------
The :code:`sync` API is being used to process central actions in parallell from the OPNcentral dashboard.
The :code:`sync` API is being used to process central actions in parallel from the OPNcentral dashboard.
As explained in the documentation for OPNcentral, provisioning is able to detect change on the sections it may
distribute. In order to do this the :code:`listClasses` API action plays a large role here.


@ -123,7 +123,7 @@ Currently there are four types of services implemented in the daemon:
- script : execute external (rc) scripts, report back success or failure
- script_output: execute external scripts, report back their contents, usually in json format
- stream_output: open streams to backend components
- inline : perform inline actions which are part of configd, most notable template generation and maintanance.
- inline : perform inline actions which are part of configd, most notable template generation and maintenance.
|
| Template generation is handled by Jinja2 (https://jinja.palletsprojects.com/en/stable/),
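Review bot: "most notable template generation and maintenance" on the changed line needs the adverb, "most notably"; since the line is already being touched for the spelling fix, correct that in the same change.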


@ -113,7 +113,7 @@ Extending the Environment
-----------------------------
Configd's own configuration can be found in the `configd.conf <https://github.com/opnsense/core/blob/master/src/opnsense/service/conf/configd.conf>`__ file.
In some cases it can be practical to extend the envrionment with additional settings for the configd actions to use.
In some cases it can be practical to extend the environment with additional settings for the configd actions to use.
To add environment variables, create a new config file in the :code:`conf/configd.conf.d/` directory
using the :code:`.conf` extension containing an :code:`[environment]` section.


@ -239,7 +239,7 @@ amongst others. Available settings are described below:
+-----------------------+------------------------+--------------------------------------------------------------+
| pattern | text | Regex to identify device names in bulk |
+-----------------------+------------------------+--------------------------------------------------------------+
| type | text | Unqiue type setting required for assignments page |
| type | text | Unique type setting required for assignments page |
+-----------------------+------------------------+--------------------------------------------------------------+
| names | array [ see below ] | List of devices with individual names as associative keys |
+-----------------------+------------------------+--------------------------------------------------------------+


@ -22,7 +22,7 @@ The following steps determine if a page can be accessed by a user:
Access controls for most legacy components are stored in models/OPNsense/Core/ACL/ACL.xml, most new components add their own
ACL's in the model belonging to the component. All stored :code:`ACL.xml` files combined determine the full set of options available
in the user/group manager. There is no expicit requirement which model services which ACL.
in the user/group manager. There is no explicit requirement which model services which ACL.
.. Note::


@ -18,7 +18,7 @@ Authentication in OPNsense consists of three basic concepts, which are available
* Connections
- A connection uses an authenticator and defines the properties needed, for example our Radius server available at our domain using specfic settings.
- A connection uses an authenticator and defines the properties needed, for example our Radius server available at our domain using specific settings.
* Services


@ -439,7 +439,7 @@ this widget is accessible for the current logged in user. To do this, you must c
The `Core XML file <https://github.com/opnsense/core/blob/master/src/opnsense/www/js/widgets/Metadata/Core.xml>`__ shows
how widget metadata is structured.
If any of the defined endpoints is inaccesible, the widget will not be available for the user. Note that the same rules
If any of the defined endpoints is inaccessible, the widget will not be available for the user. Note that the same rules
as for any other `ACL <../../development/examples/helloworld.html#plugin-to-access-control-acl>`__ applies here.
Translations are provided in the same XML file, you can access these values by using the :code:`this.translations.<key>` variables
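Review bot: the context line directly after the fix still has a subject/verb mismatch: "the same rules as for any other ACL applies here" should read "apply here".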


@ -143,7 +143,7 @@ In memory models
In same cases it might be practical to use all of the standard model tools, but prevent data from being persisted.
For this purpose the memory model may be used. Examples of such applications are diagnostic tools, which do require
user input, but is only relevant for that perticular call.
user input, but is only relevant for that particular call.
To use these models, use the following mountpoint: :code:`<mount>:memory:</mount>`
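Review bot: two more wording problems sit in this hunk's context: "In same cases" should be "In some cases", and "which do require user input, but is only relevant for that particular call" should be "but are only relevant", since the subject is "diagnostic tools".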
@ -155,7 +155,7 @@ one (being a fully validated model) is hard to overcome.
It's not always clear which type of data is being used, and when moving data inside a new model and changing it's access
path, a proper validation is mandatory.
When data lives inside it's own easy to distinct "container", a standard model may be overlayed. An example of such a
When data lives inside it's own easy to distinct "container", a standard model may be overlaid. An example of such a
case is the static route component. Which underneath looks like this (without payload):
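Review bot: both "it's" in this hunk ("changing it's access path", "inside it's own easy to distinct container") are possessives and should be "its"; "easy to distinct" should be "easily distinguishable" or "easy to distinguish".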
@ -206,7 +206,7 @@ separated lists.
The first block :code:`actionPostLoadingEvent()` just collects the available options, which is part of the :code:`BaseListField`
type. The :code:`setValue()` is where the magic happens, when the input is of type :code:`SimpleXMLElement`, we know
this is being set by the loader, if in that case the underlaying config contains multiple values, we merge them into
this is being set by the loader, if in that case the underlying config contains multiple values, we merge them into
a single list.
.. code-block:: php


@ -65,7 +65,7 @@ Select and validate authentication providers, maintained in :menuselection:`Syst
"ValidationMessage", ":code:`text`", "Error message on validation failure"
"BlankDesc", ":code:`text`", "Set a label for the empty option"
"Multiple", "Y,N", "Allow to select multiple options"
"Filters", "Y,N", "A structure of regex filters per atribute to exclude certain options from the list"
"Filters", "Y,N", "A structure of regex filters per attribute to exclude certain options from the list"
AutoNumberField
------------------------------------
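Review bot: the type column of the "Filters" row reads "Y,N", but the description on the same line calls it "a structure of regex filters per attribute", which is not a boolean; the identical row recurs in the hunks at -167 and -269. Suggest verifying the type against the field implementation and correcting the column in all three places rather than only fixing the spelling.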
@ -167,7 +167,7 @@ only shows actions which have a description.
"ValidationMessage", ":code:`text`", "Error message on validation failure"
"BlankDesc", ":code:`text`", "Set a label for the empty option"
"Multiple", "Y,N", "Allow to select multiple options"
"Filters", "Y,N", "A structure of regex filters per atribute to exclude certain options from the list"
"Filters", "Y,N", "A structure of regex filters per attribute to exclude certain options from the list"
@ -185,7 +185,7 @@ Select and validate countries in the world.
"ValidationMessage", ":code:`text`", "Error message on validation failure"
"BlankDesc", ":code:`text`", "Set a label for the empty option"
"Multiple", "Y,N", "Allow to select multiple options"
"AddInverted", "Y,N", "Add 'inverted'/excluded countries to the list, copies contry codes prefixes an :code:`!` (e.g. :code:`!NL`)"
"AddInverted", "Y,N", "Add 'inverted'/excluded countries to the list, copies country codes prefixes an :code:`!` (e.g. :code:`!NL`)"
DescriptionField
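Review bot: the changed line is still ungrammatical after the spelling fix: "copies country codes prefixes an :code:`!`" should read "copies the country codes prefixed with an :code:`!`".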
@ -269,7 +269,7 @@ should be. It defaults to :code:`lan`
"ValidationMessage", ":code:`text`", "Error message on validation failure"
"BlankDesc", ":code:`text`", "Set a label for the empty option"
"Multiple", "Y,N", "Allow to select multiple options"
"Filters", "Y,N", "A structure of regex filters per atribute to exclude certain options from the list"
"Filters", "Y,N", "A structure of regex filters per attribute to exclude certain options from the list"
"AddParentDevices", "Y,N", "Add parent devices in the list when not assigned"
"AllowDynamic", "Y,N,S", "Allow dynamic (hotplug) interfaces, when set to :code:`S` hotplug interfaces without a static address are ignored"
@ -307,7 +307,7 @@ enforce either ipv4 or ipv6 addresses.
JsonKeyValueStoreField
------------------------------------
A construct to validate against a json dataset retreived via configd, such as
A construct to validate against a json dataset retrieved via configd, such as
.. code-block:: xml


@ -6,7 +6,7 @@ When using the :code:`<version/>` tag in the model xml you automatically allow u
tag is missing, it will automatically assume your at version :code:`0.0.0` (initial version).
The migration feature provides a pluggable framework to offer new and changed attributes after installation of new software and
is therefor automatically triggered when performing upgrades or installing packages.
is therefore automatically triggered when performing upgrades or installing packages.
.. Tip::
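Review bot: the context line above the fix has "assume your at version :code:`0.0.0`"; this should be "you're at version" (or "you are at version").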


@ -182,7 +182,7 @@ Dialog wrappers
----------------------------
We are using `BootstrapDialog <https://nakupanda.github.io/bootstrap3-dialog/>`__ to display standard dialogs, to limit
the boilerplates needed to show these dialog we added the following wrapper funcitons:
the boilerplates needed to show these dialog we added the following wrapper functions:
stdDialogInform(title, message, close, callback, type, cssClass)
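Review bot: the rest of the changed sentence still has number agreement problems: "the boilerplates needed to show these dialog" should be "the boilerplate needed to show these dialogs".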
@ -265,7 +265,7 @@ To utilize the callbacks, one could use:
$.UIBootgrid
----------------------------
The UIBootgrid jQuery extension is a wrappper around a slightly modified `jquery-bootgrid <http://www.jquery-bootgrid.com/>`__
The UIBootgrid jQuery extension is a wrapper around a slightly modified `jquery-bootgrid <http://www.jquery-bootgrid.com/>`__
component, the pattern we implement with our wrapper is inspired by `this <http://www.jquery-bootgrid.com/Examples#command-buttons>`__ example.


@ -157,7 +157,7 @@ Let it run for a while, and exit using :code:`CTRL-C`
You will see all `stack frames <https://en.wikipedia.org/wiki/Call_stack>`__ associated with
:code:`uiomove()` that have taken place, aggregated to only unique frames. The number below the individual
frame represents the amount of times that particular frame was executed. Although this is nice,
it isn't particulary visually pleasing or helpful in spotting potential bottlenecks.
it isn't particularly visually pleasing or helpful in spotting potential bottlenecks.
A senior performance analyst at Netflix, named Brendan Gregg, developed the
`FlameGraph <https://github.com/brendangregg/FlameGraph>`__ for use with DTrace (and other profiling tools).


@ -14,7 +14,7 @@ the following series:
========= ============ ============================= ==================
Serie Formfactor Range Network driver(s)
Series Formfactor Range Network driver(s)
========= ============ ============================= ==================
DEC6XX Desktop Entry level igb
DEC7XX Desktop Midrange igb, ax


@ -7,7 +7,7 @@ Serial Console connectivity
The following device families offer a mini-usb connection which can be used for serial communication:
========= ============ =============================
Serie Formfactor Range
Series Formfactor Range
========= ============ =============================
DEC6XX Desktop Entry level
DEC7XX Desktop Midrange


@ -266,7 +266,7 @@ Below you will find a detailed specification our software can detect and process
.. tab:: zip format (MaxMind)
This format requires a [zip] file containg the the following csv files:
This format requires a [zip] file containing the the following csv files:
.. list-table:: Title
:widths: 50 25 25 25
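Review bot: the changed line duplicates the article: "containing the the following csv files"; drop one "the".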
@ -324,7 +324,7 @@ containing an address of a client such as a server on the LAN would no longer be
For example, you obtain a prefix 2001:db8:2222:2800::/56. You have a /56 prefix and if the tracking id was set to 0 for your
LAN, you would have an address range on your LAN of 2001:db8:2222:2800:: to 2001:db8:2222:2800:FFFF:FFFF:FFFF:FFFF.
You want to run a server on your LAN that is accessable from the WAN so you give it a static address of
You want to run a server on your LAN that is accessible from the WAN so you give it a static address of
2001:db8:2222:2800:1000:1000::1 and create a rule allowing traffic to access the server.
When your prefix changes, that static address is no longer valid, so you must use the Dynamic IPv6 Host to create an alias
@ -337,7 +337,7 @@ Create a new IPv6 Dynamic Host alias and enter only the suffix of the address, i
bits of the address, you would enter ::1000:1000:0000:1, note the '::' at the start of the address, you MUST always start
the address with a '::'. You do not need to enter a size after the address i.e. /128 as that is automatically assumed.
Select the interface you wish to use for the source of the uppper 64 bits, in this case we will select the LAN interface.
Select the interface you wish to use for the source of the upper 64 bits, in this case we will select the LAN interface.
When the prefix changes, the alias address will then be updated in the firewall rules, let's say your prefix changes to
2001:db8:2222:3200::/56 the rule updates and the entry for your server in the firewall would update automatically to be
@ -380,7 +380,7 @@ BGP ASN
..................
With this alias type you are able to select networks by their responsible parties.
Using BGP parties announce the addresses they are responsible for to eachother.
Using BGP parties announce the addresses they are responsible for to each other.
For example Cloudflare uses AS number :code:`13335`, Microsoft is known to use :code:`8075`.
More background and how addresses are assigned is explained on `wikipedia <https://en.wikipedia.org/wiki/Autonomous_system_(Internet)>`__
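Review bot: the changed line reads more clearly with a comma after the introductory phrase: "Using BGP, parties announce the addresses they are responsible for to each other."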


@ -69,7 +69,7 @@ When OPNcentral is installed on the firewall and backups are being performed, th
top of the page to select which host should be inspected.
Each backup preserved on this machine will be presented as an item in the dropdown, when selecting an item, the previous backup
(when availabe) will be selected automatically as comparison target. The final pane on the screen contains the changes
(when available) will be selected automatically as comparison target. The final pane on the screen contains the changes
between both selected versions in `unified diff <https://en.wikipedia.org/wiki/Diff#Unified_format>`__ format.
The following buttons are available in the "backups (compare)" pane:


@ -116,7 +116,7 @@ solved by utilizing this new standard instead.
To configure this, a few steps are required:
- You must install a valid, publically trusted certificate on the Captive Portal zone.
- You must install a valid, publicly trusted certificate on the Captive Portal zone.
For example, you can use ACME client to automate this process. Doing so is best
practice regardless of redirection method.
- The DHCPv4 server running in your Captive Portal zone must present option 114, of which
@ -303,6 +303,21 @@ in the same zone.
The Filter Rule Association is set to "Pass" so clients who are redirected are automatically
allowed to access the zone webserver as well, preventing the need for an explicit allow rule.
.. Attention::
If you use :doc:`OIDC </vendor/deciso/oidc>` for authentication, the HTTPS requests would also be redirected before authentication is possible.
To solve this, create an additional "No RDR (NOT)" rule **before** the other NAT rules with the identity provider IP addresses as destination.
============================ ===============================
**Type** Destination NAT (Port Forward)
**No RDR (NOT)** Yes
**Interface** <Zone interface>
**Protocol** TCP
**Source** any
**Destination** identity_provider_ip_addresses
**Destination port range** 443
============================ ===============================
Allow DNS
---------
In order to allow the client to resolve at least the OPNsense hostname, DNS must be allowed.
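Review bot: the new table's destination value "identity_provider_ip_addresses" reads like a placeholder; state explicitly that this is an alias containing the identity provider's addresses, because those addresses can change and an alias keeps the NO RDR rule maintainable. It is also worth noting that the exemption as written only covers TCP port 443, so an identity provider reachable on other ports would still be redirected.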


@ -26,7 +26,7 @@ The following types of certificate can be generated in OPNsense:
* Certificate Authority
In addition to this, OPNsense can generate a Certificate Signing Request (CSR). This can be used if you want to create a
certficate signed by an external CA.
certificate signed by an external CA.
.. warning::
@ -52,7 +52,7 @@ For compliance reasons, it is possible to implement certain constraints when a d
**Options** **Description**
===================================== =======================================================================================================================
Store intermediate Allow local defined intermediate certificate authorities to be used in the local trust store.
Be careful with deploying intermediate certificats as cross signed ones may causing breakage when included
Be careful with deploying intermediate certificates as cross signed ones may causing breakage when included
but expired later in the chain.
Store CRL's Store all configured CRL's in the default trust store. If the client or service support CRL's,
deploying to the default location eases maintenance.
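Review bot: "cross signed ones may causing breakage" on the changed line still reads wrong after the spelling fix; "may cause breakage" is intended. In the same row, "Allow local defined intermediate certificate authorities" should be "locally defined".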
@ -80,7 +80,7 @@ Some services in OPNsense can use these to validate if a certificate is still va
be expired.
Defining a CRL in OPNsense is not very complicated, just go to :menuselection:`System --> Trust --> Revocation`
and click on the [+] sign for your (local) certficate authority to create a new CRL. When a CRL exists, you may
and click on the [+] sign for your (local) certificate authority to create a new CRL. When a CRL exists, you may
edit it and add or remove certificates in it (using the pencil icon).
.. Note::
@ -137,7 +137,7 @@ certificates "online" and offers a whitelising instead of a blacklisting method.
Certificates are checked against an online known set of certificates after which the server responds with
'good', 'revoked', or 'unknown'. Only good responses are considered valid.
In order to explain the client verifying a certificate where to check it's validity, the :code:`AuthorityInfoAccess` extenstion
In order to explain the client verifying a certificate where to check it's validity, the :code:`AuthorityInfoAccess` extension
should be provided in the certificate authority (The parameter :code:`OCSP uri` adds this to the certificate in OPNsense).
.. Tip::
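Review bot: "where to check it's validity" on the changed line should be "its validity", and "In order to explain the client verifying a certificate where to check" reads better as "To tell a client verifying a certificate where to check". The hunk's context header also still carries "whitelising" (whitelisting).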


@ -6,7 +6,7 @@ CPU Microcode updates [AMD/Intel]
Introduction
--------------------------------------
Processor manufacturers like AMD and Intel often release microcode updates to increase the stabilty and security of their products.
Processor manufacturers like AMD and Intel often release microcode updates to increase the stability and security of their products.
Microcode updates can close the gap between BIOS/UEFI updates, which are generally less frequently available,
to fix issues found after the product's release.


@ -11,11 +11,16 @@ Available Options
There are different DHCP servers/relays to choose from:
- :ref:`Dnsmasq <dnsmasq-dhcp>`
- :ref:`Dnsmasq <dnsmasq-dhcp>` (default)
- :ref:`KEA <kea-dhcp>`
- :ref:`Dhcrelay <dhcrelay>`
- :ref:`ISC <isc-dhcp>` (EOL)
For DHCPv6 these services can offer Router Advertisements:
- :doc:`radvd </manual/radvd>`
- :ref:`Dnsmasq <dnsmasq-dhcp>`
.. _dnsmasq-dhcp:
@ -35,7 +40,10 @@ The dnsmasq DHCPv6 server provides the same set of features as the DHCPv4 server
neat feature which allows naming for clients which use DHCPv4 and stateless autoconfiguration only for IPv6 configuration.
There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
.. Tip:: `Dnsmasq` is the perfect DNS & DHCP server for small and medium sized setups (less than 1000 unique clients)
.. Tip::
`Dnsmasq` is the perfect DNS & DHCP server for small and medium sized setups (less than 1000 unique clients).
It is the default for DHCPv4, DHCPv6 and Router Advertisements out of the box.
.. _kea-dhcp:


@ -61,7 +61,7 @@ opened the state view, you will see a button that allows you to kill all states
.. Note::
The state table tries to connect states to rules, but since these are refered to by rule number (sequence) in :code:`pf(4)`
The state table tries to connect states to rules, but since these are referred to by rule number (sequence) in :code:`pf(4)`
these aren't always accurate after changes to the rules.
The following fields are available in the grid:


@ -182,7 +182,7 @@ Description Description to be displayed in "jobs" tab
.. Tip::
When the default ping is not able to reach the target, but one with a preset source address is, one usally
When the default ping is not able to reach the target, but one with a preset source address is, one usually
needs to add a static route to force traffic using the correct source address. This is for example common
for IPsec policy based tunnels which install a kernel trap on the specified source network.


@ -10,7 +10,7 @@ Dnsmasq DNS & DHCP
It is considered the replacement for `ISC-DHCP` in small and medium sized setups
and synergizes well with `Unbound DNS`, our standard enabled forward/resolver service.
Our system setup wizard configures `Unbound DNS` for DNS and `Dnsmasq` for DHCP.
Our system setup wizard configures `Unbound DNS` for DNS and `Dnsmasq` for DHCPv4, DHCPv6 and Router Advertisements.
---------------------------------
Considerations before deployment
@ -46,7 +46,7 @@ of all existing leases and do not need split pools. It is also far more scalable
The tradeoff using `KEA DHCP` is a more complicated setup, especially when custom DHCP options are needed. DNS registration is also not possible.
With this in mind, pick the right choice for your setup. When in doubt, our advise is to use `Dnsmasq` .
With this in mind, pick the right choice for your setup. When in doubt, our advise is to use `Dnsmasq`.
.. Attention::
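Review bot: the changed line only removes a stray space; "our advise is to use" uses the verb where the noun is needed, so it should read "our advice is to use `Dnsmasq`".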
@ -134,7 +134,7 @@ when received from the network. DHCP requires at least one dhcp-range and matchi
override then a "not found" answer is immediately returned.
**Add MAC** Add the MAC address of the requestor to DNS queries which are forwarded upstream.
The MAC address will only be added if the upstream DNS Server is in the same subnet
as the requestor. Since this is not standardized, it should be considered experiemental.
as the requestor. Since this is not standardized, it should be considered experimental.
This is useful for selective DNS filtering on the upstream DNS server.
**Add subnet** Add the real client IPv4 and IPv6 addresses (add-subnet=32,128) to DNS queries which are
forwarded upstream. Be careful setting this option as it can undermine privacy. This is
@ -175,6 +175,8 @@ when received from the network. DHCP requires at least one dhcp-range and matchi
Setting Router Advertisement modes in DHCPv6 ranges will have no effect without
this global option enabled.
**Disable HA sync** Ignore the DHCP general settings from being updated using HA sync.
**Log DHCP options and tags** Extra logging for DHCP, log all the options sent to DHCP clients and the tags used to determine them.
**Quiet log messages** Suppress logging of the routine operation of DHCP, RA and TFTP. Errors and problems will still be logged.
========================================= ====================================================================================
.. tab:: ISC / KEA DHCP (legacy)
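Review bot: the new **Quiet log messages** row should spell out the trade-off: suppressing the routine DHCP, RA and TFTP log lines also removes the lease and assignment records that are used to trace a host on the network or reconstruct events during an incident, so the option is best left disabled where that audit trail matters.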
@ -290,7 +292,7 @@ DHCP Settings
**RA MTU** Optional MTU to send to clients via Router Advertisements. If unsure leave empty.
**RA Interval** Time (seconds) between Router Advertisements.
**RA Router Lifetime** The lifetime of the route may be changed or set to zero, which allows a router to advertise prefixes
but not a route via itself. When using HA, setting a short timespan here is adviced for faster IPv6
but not a route via itself. When using HA, setting a short timespan here is advised for faster IPv6
failover. A good combination could be 10 seconds RA interval and 30 seconds RA router lifetime.
Going lower than that can pose issues in busy networks.
**Mode** Mode flags to set for this range, 'static' means no addresses will be automatically assigned.
@ -490,7 +492,7 @@ In our example, we configure query forwarding for 2 networks:
.. Note::
``.internal`` is the IANA and ICANN approved TLD (Top Level Domain) for internal use. If you instead own a TLD, e.g., ``example.com``, you could create a zone
thats not used on the internet, e.g., ``lan.internal.example.com``.
that is not used on the internet, e.g., ``lan.internal.example.com``.
Now that we have the DNS infrastructure set up, we can configure DHCP.
@ -565,7 +567,7 @@ As next step we define the DHCP ranges for our interfaces.
.. Tip::
Creating a DHCP range will automatically send out common DHCP options to requesting clients, without explicitely configuring them.
Creating a DHCP range will automatically send out common DHCP options to requesting clients, without explicitly configuring them.
This is an incomplete overview which highlights some default DHCP options:
@ -623,7 +625,7 @@ As you can see, this is a highly integrated and simple setup which leverages jus
DHCPv6 and Router Advertisements
------------------------------------------------------
DHCPv6 can run at the same time as DHCPv4, just specify another range.
DHCPv6 and Router Advertisements can run at the same time as DHCPv4, just specify another range.
.. Attention::
@ -639,64 +641,31 @@ DHCPv6 and SLAAC. This means clients will use a SLAAC address but query addition
Option Value
================================== =======================================================================================================
**Interface** ``LAN``
**Start address** ``::``
**Start address** ``::1000``
**End address** ``::2000``
**Constructor** ``LAN``
**RA Mode** ``ra-stateless``
**RA Mode** ``slaac``
================================== =======================================================================================================
With the mode set to ``slaac``, clients will generate a SLAAC address and an additional DHCPv6 address (stateful DHCPv6).
If clients should only generate a SLAAC address, set the mode to ``ra-stateless`` (stateless DHCPv6).
.. Attention::
With ``ra-stateless``, clients will only generate a SLAAC address. If clients should additionally receive a DHCPv6 address, set ``slaac``
instead.
If you use a constructor and a custom domain for the range, enable the advanced mode and set **Domain Type** to ``Interface``.
This will register any subnets on the chosen interface to the selected domain. Otherwise all names fall back to the default system domain.
.. Tip::
Set ``ra-names`` in addition to ``ra-stateless`` if DNS names should be registered automatically for SLAAC addresses. Please note that this
does not work for clients using the IPv6 privacy extensions.
.. Attention::
If you plan to use partial IPv6 addresses in ranges with a constructor, enable the advanced mode and set **Domain Type** to ``Interface``.
This will register any subnets on the chosen interface to the selected domain. This is the only way dynamic DNS registration succeeds
when the IPv6 prefix is dynamic.
.. Note::
If do not want to use Router Advertisements, leave the RA Mode on default, and do not enable the Router Advertisement global setting. Ensure
that the RA service you use allows for an assisted setup with SLAAC and DHCPv6.
- Press **Save** and go to :menuselection:`Services --> Dnsmasq DNS & DHCP --> DHCP options`
We now add an additional DHCPv6 option for the DNS Server.
================================== =======================================================================================================
Option Value
================================== =======================================================================================================
**Type** Set
**Option** ``None``
**Option6** ``dns-server [23]``
**Interface** ``LAN``
**Value** ``[::]``
================================== =======================================================================================================
.. Tip::
To use the same ``dns-server [23]`` option on all interfaces, set the interface to any. You do not need to create them for each
interface individually. The correct IPv6 DNS server will be automatically calculated via ``[::]`` anyway.
.. Note::
When entering DHCPv6 options, enclosing them in brackets ``[]`` is mandatory. ``[::]`` is a special address and will return the GUA of
this server Dnsmasq is running on.
Press **Save**
As final step, go to :menuselection:`Services --> Dnsmasq DNS & DHCP --> General`
Enable the checkbox ``Router Advertisements`` if you want to use them.
As final step, go to :menuselection:`Services --> Dnsmasq DNS & DHCP --> General` and enable ``Router Advertisements``.
Press **Apply** to activate the new configuration.
.. Tip::
The DNS server will be sent automatically via RDNSS and DHCPv6 option. The IP address will be this firewall.
If you want to change this behavior, create your own DHCPv6 options in :menuselection:`Services --> Dnsmasq DNS & DHCP --> DHCP options`
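Review bot: the rewrite drops two pieces of guidance that the remaining text still depends on: the removed note that DHCPv6 option values must be enclosed in brackets (``[]``) and that ``[::]`` resolves to the address of this firewall, which readers following the new Tip ("create your own DHCPv6 options") will need, and the removed Tip on ``ra-names`` for registering DNS names of SLAAC clients (with its caveat about privacy extensions). If removing them is intentional, a short pointer to where they are now documented would avoid the gap.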
DHCP reservations
------------------------------------------
@ -1013,7 +982,7 @@ KEA DHCP might be the better choice due to its robust HA synchronization options
DHCPv6 and Router Advertisements for small HA setups
-----------------------------------------------------
Just as with DHCPv4, the same type of configuration can be done for DHCPv6 with a few minor adjustements.
Just as with DHCPv4, the same type of configuration can be done for DHCPv6 with a few minor adjustments.
Since IPv6 uses DAD (Duplicate Address Detection), you do not need to create separate pools. SLAAC and DAD will take care of avoiding duplicates.


@ -16,7 +16,7 @@ These routing protocols are used to:
* Improve fault tolerance (if a connection breaks, a new route will be found if possible)
* Simplify administration (you have to add fewer routes manually)
It is not adviseable to use dynamic routing in the following scenarios:
It is not advisable to use dynamic routing in the following scenarios:
* When your network is small (it would be simpler to use static routes)
* If you are working in a highly isolated environment, where you have to be in control of every route in your network
@ -55,7 +55,7 @@ General setup
To use one or more of the protocols included, the plugin must be enabled in
:menuselection:`Routing --> General`. Without any other service enabled this makes sure the zebra service is being
configured, which is the coordinating master service which handles generic features such as logging and acccess to kernel
configured, which is the coordinating master service which handles generic features such as logging and access to kernel
routing.
.. Tip::
@ -200,7 +200,7 @@ For more detailed information, check out the `FRR documentation <https://docs.fr
.. Attention::
Any route received with dynamic routing protocols will only be installed if no similiar local route already exists. E.g., if a neighbor advertises
Any route received with dynamic routing protocols will only be installed if no similar local route already exists. E.g., if a neighbor advertises
a default gateway route, but a directly attached default gateway route already exists, the local route will be preferred and the advertised route will be discarded.
@ -295,7 +295,7 @@ OSPF/OSPFv3 (Open Shortest Path First)
=================================== =======================================================================================================================
**Enabled** (OSPF only) Enable / Disable
**Area ID** (OSPF only) Enter area ID in dotted (e.g. 0.0.0.1) format. You only need to define areas that are not normal.
All areas defined in the network or interface tab will automatically be normal, unless explicitely overwritten
All areas defined in the network or interface tab will automatically be normal, unless explicitly overwritten
here with a different area type.
**Area Type** (OSPF only) Select area behavior (e.g. stub no-summary)
=================================== =======================================================================================================================

View file

@ -16,7 +16,7 @@ To explain what the different options mean when being presented, we will summari
========================================================================================================================================================
==================================== ==================================================================================================================
Alias Flexible type of network or address definition for easy reuse, expained in
Alias Flexible type of network or address definition for easy reuse, explained in
:doc:`aliases </manual/aliases>`
Single host or network Standard host or network in `CIDR notation <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing>`__
any All IPv4 and/or IPv6 addresses (in the world)

View file

@ -86,7 +86,7 @@ Shared forwarding
.....................................
Using policy routing in the packet filter rules causes packets to skip processing for the traffic shaper and captive portal tasks.
Using this option enables the sharing of such forwarding decisions between all components to accomodate complex setups.
Using this option enables the sharing of such forwarding decisions between all components to accommodate complex setups.
Disable force gateway
@ -121,7 +121,7 @@ Miscellaneous
Firewall Optimization
.....................................
Firewall state table optimization to use, influences the number of active states in the system, only to be changed in specfic implementation scenarios.
Firewall state table optimization to use, influences the number of active states in the system, only to be changed in specific implementation scenarios.
* [normal] (default)As the name says, it is the normal optimization algorithm
* [high-latency] Used for high latency links, such as satellite links. Expires idle connections later than default
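Review bot: the context line `* [normal] (default)As the name says, ...` is missing a space between `(default)` and `As`; since this list is already inside the hunk, fold that fix in: `* [normal] (default) As the name says, it is the normal optimization algorithm`.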
@ -192,7 +192,7 @@ When using bridging, you must disable this behavior if the WAN gateway IP is dif
to every "wan" type rule. When allowing traffic originating from the same network as the interface is attached to, it will
still reply the packet to the configured gateway.
To prevent this behvior, you can either disable :code:`reply-to` here and configure the desired behaviour on a per-rule basis or
To prevent this behavior, you can either disable :code:`reply-to` here and configure the desired behaviour on a per-rule basis or
add a rule for local traffic above the one for outbound traffic disabling :code:`reply-to` (in rule advanced).
Disable anti-lockout
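Review bot: the corrected line still mixes two spellings in one sentence, `To prevent this behavior, you can either disable :code:`reply-to` here and configure the desired behaviour`. Pick one form (the rest of this commit uses American `behavior`) so the sentence reads consistently.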

View file

@ -71,7 +71,7 @@ in our experience most common:
* Misconfigured DNS settings, check :menuselection:`System --> Settings --> General` for configured servers the firewall is allowed to use
* Misconfigured IPv6, in which case "Prefer IPv4 over IPv6" in :menuselection:`System --> Settings --> General` might help to prevent the system from using IPv6 in these cases
* In HA (carp) setups, using the wrong extrenal IPaddress, usually caused by a misconfigued outbound nat rule, easy to check by disabling manual outbound nat rules in :menuselection:`Firewall --> NAT --> Outbound`.
* In HA (carp) setups, using the wrong external IPaddress, usually caused by a misconfigued outbound nat rule, easy to check by disabling manual outbound nat rules in :menuselection:`Firewall --> NAT --> Outbound`.
The heath audit can also help with uncovering installation and disk / file system issues.
Additionally, major ugpgrades may not pass certain sanity checks that need to be corrected first which may include the command line:
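Review bot: this hunk fixes `extrenal` but leaves three more typos in the same lines: `IPaddress` (missing space) and `misconfigued` in the changed line itself, plus `heath audit` and `ugpgrades` in the trailing context. Suggest `using the wrong external IP address, usually caused by a misconfigured outbound nat rule`, `The health audit can also help`, and `major upgrades may not pass`.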

View file

@ -9,7 +9,7 @@ In order to use this feature, one has to install the git-backup plugin first (in
.. Warning:
Since backups using git are stored unecrypted and contain sensitive data, we generally advise not to use public cloud
Since backups using git are stored unencrypted and contain sensitive data, we generally advise not to use public cloud
providers to store this data. Only use this option if you can guarantee the security of your git backup server.
--------------------------
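Review bot: the context line `.. Warning:` has a single colon; in reStructuredText that is a comment, not a directive, so this warning that git backups are stored unencrypted and contain sensitive data is silently dropped from the rendered page. Since the block is being touched anyway, change it to `.. Warning::` so the admonition actually renders.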
@ -190,7 +190,7 @@ Cleanup
--------------------------
The repository is saved locally on the firewall in :code:`/conf/backup/git`, if for some reason one would like to remove the
collected history and start over from scratch, one can safetly remove this directory.
collected history and start over from scratch, one can safely remove this directory.
Login using a (ssh) console and remove the git directory in that case (:code:`rm -rf /conf/backup/git`)

View file

@ -77,7 +77,7 @@ wrong. You can click on it to review any of the pending messages, if any:
The colors indicate the severity of the issue. They are:
* Red. Indicates that an error has occured during system operation. Click it to go to the
* Red. Indicates that an error has occurred during system operation. Click it to go to the
relevant page. In most cases this will be the crash reporter, which you can use
to send us information about the crash.
@ -218,6 +218,6 @@ selected data.
Although the page numbers and last page button (:code:`»`) are always visible, they can only be used when the size
of the dataset is known upfront. In case of large datasets, such as intrusion alerts and log views the number of records
is not known upfront, since there's no relation between the size of the underlaying data and the number of records.
is not known upfront, since there's no relation between the size of the underlying data and the number of records.
The record count in these cases is more or less a guestimate based on the number of records already shown.

View file

@ -116,7 +116,7 @@ OPNsense includes configuration synchronization capabilities. Configuration
changes made on the primary system are synchronized on demand to the secondary firewall.
A backup node should never contain settings for Configuration synchronization in :menuselection:`System --> High Availability --> Settings`. If this is the case
an adminstrator can accidentally synchronize the backup with the master, causing all kinds of configuration errors.
an administrator can accidentally synchronize the backup with the master, causing all kinds of configuration errors.
.. Tip::

View file

@ -21,7 +21,7 @@ Installation
------------
First of all, go to :menuselection:`System --> Firmware --> Plugins` and install **os-bind**.
You will finde the plugin at :menuselection:`Services --> BIND`.
You will find the plugin at :menuselection:`Services --> BIND`.
----------------
General Settings
@ -70,7 +70,7 @@ DNSBL
The Blacklists are downloaded and updated with every **Save** within BIND configuration.
For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the
dropdown list you'll find the corret task under **Command**. Set the refresh interval
dropdown list you'll find the correct task under **Command**. Set the refresh interval
as you wish and save. This will trigger an update of the selected lists and reload
BIND.

View file

@ -856,7 +856,7 @@ FAQ
* | Firewall rules to allow Caddy to reach internal services are not required. OPNsense has a default rule that allows all traffic originating from itself to be allowed.
* | ACME clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 Challenge Redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
* | When using Caddy with IPv6, the best choice is to have a GUA (Global Unicast Address) on the WAN interface, since otherwise the TLS-ALPN-01 challenge might fail.
* | `Let's Encrypt` or `ZeroSSL` can not be explicitely chosen. Caddy automatically issues one of these options, determined by speed and availability. These certificates can be found in ``/var/db/caddy/data/caddy/certificates``.
* | `Let's Encrypt` or `ZeroSSL` can not be explicitly chosen. Caddy automatically issues one of these options, determined by speed and availability. These certificates can be found in ``/var/db/caddy/data/caddy/certificates``.
* | When an `Upstream Destination` only supports TLS connections, yet does not offer a valid certificate, enable ``TLS Insecure Skip Verify`` in a `Handler` to mitigate connection problems.
* | Caddy upgrades all connections automatically from HTTP to HTTPS. When cookies do not have have the ``secure`` flag set by the application serving them, they can still be transmitted unencrypted before the connection is upgraded. If these cookies contain very sensitive information, it might be a good choice to close port 80.
* | There is optional Layer4 TCP/UDP routing support. In the scope of this plugin, only traffic that looks like TLS and has SNI can be routed. The `HTTP App` and `Layer4 App` can work together at the same time.
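Review bot: the bullet two lines below the change still has a doubled word, `When cookies do not have have the ``secure`` flag set`. Drop one `have` while this list is being edited.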

View file

@ -200,7 +200,7 @@ The rule should contain the following:
+-------------------------+------------------------------------+
| Interface | WAN |
+-------------------------+------------------------------------+
| Source addresss | LAN net (192.168.1.0/24) |
| Source address | LAN net (192.168.1.0/24) |
+-------------------------+------------------------------------+
| Translation / target | 172.18.0.100 (CARP virtual IP) |
+-------------------------+------------------------------------+
@ -277,7 +277,7 @@ and open a ssh connection to a host behind both firewalls. Now when
connected you should be able to look at the state table on both OPNsense
firewalls (:menuselection:`Firewall --> Diagnostics --> States Dump`) and they should both display the same
connection. Next try to pull the network plug from the master firewall
and it should move over to the backup without loosing (or freezing) the
and it should move over to the backup without losing (or freezing) the
ssh connection.
@ -440,19 +440,19 @@ characteristics:
* Don't use Global Unicast Addresses, many devices ignore them as IPv6 Gateway.
Setup Router Advertisments
--------------------------
Setup Router Advertisements
---------------------------
.. rubric:: WAN
:name: wan-radvd
* Go to :menuselection:`Services --> Router Advertisments` and select the WAN interface.
* Go to :menuselection:`Services --> Router Advertisements` and select the WAN interface.
* Make sure *Router Advertisements* is set to *Disabled*
.. rubric:: LAN
:name: lan-radvd
* Go to :menuselection:`Services --> Router Advertisments` and select the LAN interface.
* Go to :menuselection:`Services --> Router Advertisements` and select the LAN interface.
* Change the *Source Address* from *automatic* to *VIP LAN IPv6 (fe80::/64)*.
@ -589,7 +589,7 @@ To reset the current carp demotion you can use either:
:menuselection:`Interfaces --> Virtual IPs --> Status`
Press `Enter Persistent CARP Maintainance Mode` twice to enter and exit it, this will reset the current demotion to 0.
Press `Enter Persistent CARP Maintenance Mode` twice to enter and exit it, this will reset the current demotion to 0.
.. group-tab:: Shell (advanced)

View file

@ -33,4 +33,4 @@ The plugins changelogs can be found in the plugins section after clicking the in
.. image:: images/changelog_plugins_info_nginx.png
After the description of the software behind the plugin or the plugin itsef, the changelog follows.
After the description of the software behind the plugin or the plugin itself, the changelog follows.

View file

@ -59,7 +59,7 @@ Configuration Options
:Idle Timeout:
The connection will be dropped if it is inactive for this amount of time.
If the other socket endpoint is a machine, this value can be low but if you
plan to use it for develpoment reasons, you may set it to a higher value.
plan to use it for development reasons, you may set it to a higher value.
:Max directory recursion:
Limit the depth of the directory tree.
In the worst case there is a loop which causes the scanner to run endlessly and
@ -71,13 +71,13 @@ Configuration Options
If this is checked, clamav will follow symlinks to regular files.
This may expose information about the filesystem, the user should not have access to.
:Disable cache:
If you check this, the results are not cached. This is only useful in develpoment
If you check this, the results are not cached. This is only useful in development
environments as it slows down the response time.
:Scan portable executable:
Check this box, if you want to scan PE files.
If you are using PE-files (\*.exe, \*.dll etc.) files in your network,
checking this box is recommended.
:Scan executeable and linking format:
:Scan executable and linking format:
Check this box, if you want to scan ELF-files.
ELF is for example used on Linux based operating systems and on \*BSD.
:Detect broken executables:

View file

@ -51,7 +51,7 @@ following values:
================ ======================================================================
Enable checked
URL Base URL of your Nextcloud installation like https://cloud.example.com
User your choosen username
User your chosen username
Password paste your app password from step 2
Backup Directory a name consisting of alphanumeric characters (keep default)
================ ======================================================================

View file

@ -317,8 +317,8 @@ temporarly disabled by the ISP.
.. Attention::
More complex setups like announcing provider independant address spaces or using the Router as ISP router are out of scope for this setup guide. These setups
must be created and maintained by BGP experts. Since BGP has no built-in automatic safety mechanisms, an invalid configuraton can disrupt global internet
More complex setups like announcing provider independent address spaces or using the Router as ISP router are out of scope for this setup guide. These setups
must be created and maintained by BGP experts. Since BGP has no built-in automatic safety mechanisms, an invalid configuration can disrupt global internet
routing (e.g., announcing the wrong networks or subnet masks).
Network Diagram

View file

@ -352,7 +352,7 @@ Follow the steps as the `previous setup guide </manual/how-tos/dynamic_routing_o
.. Note::
The lower cost of ``ipsec1`` will make this interface prefered as route as long as it is available.
The lower cost of ``ipsec1`` will make this interface preferred as route as long as it is available.
.. group-tab:: Step 5
@ -444,7 +444,7 @@ Follow the steps as the `previous setup guide </manual/how-tos/dynamic_routing_o
.. Note::
The lower cost of ``gre1`` will make this interface prefered as route as long as it is available.
The lower cost of ``gre1`` will make this interface preferred as route as long as it is available.
.. group-tab:: Step 5

View file

@ -86,7 +86,7 @@ Fill in the following to setup the DHCP server for our guest net (leave everythi
================ ==================================== =======================================
**Enable** Checked *Enable the DCHP server on GUESTNET*
**Enable** Checked *Enable the DHCP server on GUESTNET*
**Range** 192.168.200.100 to 192.168.200.200 *Serve IPs from this range*
**DNS servers** 192.168.200.1 *Supply a DNS with the lease*
**Gateway** 192.168.200.1 *Supply a gateway with the lease*
@ -254,7 +254,7 @@ And change to:
<img class="brand-logo" src="images/company-logo.png">
</a>
<h1>Welcome to My Company Guest Network.</h1>
<h2>Feel free to use the guest network for profesional usage</h2>
<h2>Feel free to use the guest network for professional usage</h2>
<h3>See our website for more details: <a href="https://www.opnsense.org">My Company</a></h3>
</div>
</header>

View file

@ -31,7 +31,7 @@ Choose an instance type
Step 3 - Configure Instance Details
------------------------------------
Here you can configure your network details, by default a network is assigned which is accesible from an external IPv4
Here you can configure your network details, by default a network is assigned which is accessible from an external IPv4
address.
At the bottom of the page you can also supply "User data" in the "Advanced Details" section, you can use this to
@ -39,7 +39,7 @@ set an initial password for the `ec2-user`.
.. Note::
When a password is omited, one will be automatically generated for you and displayed on the console (get system log).
When a password is omitted, one will be automatically generated for you and displayed on the console (get system log).
.. Note:
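Review bot: the trailing context line `.. Note:` has a single colon and is parsed as a reStructuredText comment rather than an admonition, so the text that follows it does not render. It should be `.. Note::`, matching the directive two lines above.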

View file

@ -26,7 +26,7 @@ Download the Root CA from the OPNsense Firewall since it is needed for all EAP t
Step 2 - Add VPN Connection
---------------------------
Open the network manager and add a new VPN connction. Choose **IPSec/IKEv2**, enter a **Name** and set
Open the network manager and add a new VPN connection. Choose **IPSec/IKEv2**, enter a **Name** and set
the **Address** to the FQDN matching the one of the certificate at your Firewall.
----------------------------------

View file

@ -81,7 +81,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**Hash algorithm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================
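Review bot: the table keeps `SHA1, SHA256` and `1024, 2048 bit` DH groups "for compatibility", while the site-to-site guides later in this same commit tell readers to `Use a strong hash like SHA512` and `14 (2048 bit)`. Since the line is being touched, consider adding a short caveat in the remarks column that SHA1 and 1024-bit DH are only listed for legacy clients and should be dropped where the peer supports SHA256 and 2048-bit or larger groups; the four identical tables that follow in the other road-warrior guides need the same caveat.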

View file

@ -68,7 +68,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**Hash algorithm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

View file

@ -79,7 +79,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**Hash algorithm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

View file

@ -74,7 +74,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**Hash algorithm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

View file

@ -66,7 +66,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== ================ ============================================
**Encryption algorithm** AES *For our example we will use AES/256 bits*
**Hash algoritm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**Hash algorithm** SHA1, SHA256 *SHA1 and SHA256 for compatibility*
**DH key group** 1024, 2048 bit *1024 and 2048 bit for compatibility*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== ================ ============================================

View file

@ -35,7 +35,7 @@ Step 2 - Add VPN Connection
Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
the correct FQDN. This is imporatant when using certificates since the FQDN of your connection
and the one in the certificate has to match!
Then set a **Username** and **Password** and leave **Domain** emtpy.
Then set a **Username** and **Password** and leave **Domain** empty.
-------------------
Step 3 - Finetuning
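Review bot: `imporatant` in the context line `This is imporatant when using certificates` is left unfixed in the same hunk that corrects `emtpy`; change it to `important`. The following heading `Step 3 - Finetuning` would also read better as `Fine-tuning`.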
@ -47,7 +47,7 @@ of your newly created adapter. Check that the FQDN is correct:
.. image:: images/ipsec-rw-w7-1.png
:width: 60%
On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use defaut gateway on remote network**.
On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use default gateway on remote network**.
If this option is enabled, all traffic will be sent through the VPN (if IPsec SA matches). When unchecked, you have
to set specific routes sent via VPN.

View file

@ -105,7 +105,7 @@ In the next table you can see the existing VPN authentication mechanisms and whi
operating systems support it, with links to their configurations.
For Linux testing was done with Ubuntu 18.4 Desktop and *network-manager-strongswan* and
*libcharon-extra-plugins* installed.
As Andoid does not support IKEv2 yet we added notes for combinations with strongSwan
As Android does not support IKEv2 yet we added notes for combinations with strongSwan
app installed to have a broader compatibility for all systems.
Mutual RSA and PSK without XAuth requires L2TP, since this legacy technology is
very error prone we will not cover it here.
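Review bot: the context line `For Linux testing was done with Ubuntu 18.4 Desktop` should read `18.04`, the actual release number. The statement `As Android does not support IKEv2 yet` also carries no Android version or date; qualifying it with the version that was tested keeps the sentence from going stale.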

View file

@ -54,7 +54,7 @@ Key pairs
..................................
Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
from Site A to Site B and vice versa. Keys may easily be generated with the gear button in the Key type field.
--------------------------------
@ -120,7 +120,7 @@ Public Keys **hostB-key** **hostA-key**
.. Note::
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the opposite.
.....................

View file

@ -102,7 +102,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== =============== ===========================================
**Encryption algorithm** AES 256 *refer to Azure docs for details*
**Hash algoritm** SHA256
**Hash algorithm** SHA256
**DH key group** 2 (1024 bit)
**Lifetime** 28800 sec *Lifetime before renegotiation*
========================== =============== ===========================================
@ -158,7 +158,7 @@ Phase 2 proposal (SA/Key Exchange)
========================== =========== ===================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *refer to Azure docs for details*
**Hash algortihms** SHA256
**Hash algorithms** SHA256
**PFS Key group** off *Not supported*
**Lifetime** 27000 sec
========================== =========== ===================================

View file

@ -28,7 +28,7 @@ or software-defined networks.
Before you start
----------------
Before starting with the configuration of an IPsec tunnel you need to have a
working OPNsense installation wit a unique LAN IP subnet for each side of your
working OPNsense installation with a unique LAN IP subnet for each side of your
connection (your local network needs a different one than the remote network).
------------
@ -225,7 +225,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**Hash algorithm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *Lifetime before renegotiation*
========================== =============== ===========================================
@ -277,7 +277,7 @@ Phase 2 proposal (SA/Key Exchange)
========================== ================ =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**Hash algorithms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
========================== ================ =======================================
@ -343,7 +343,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**Hash algorithm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *Lifetime before renegotiation*
========================== =============== ===========================================
@ -391,7 +391,7 @@ Phase 2 proposal (SA/Key Exchange)
=========================== =============== =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**Hash algorithms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
=========================== =============== =======================================

View file

@ -221,7 +221,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**Hash algorithm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== =============== ===========================================
@ -279,7 +279,7 @@ Phase 2 proposal (SA/Key Exchange)
=========================== =============== =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**Hash algorithms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
=========================== =============== =======================================
@ -345,7 +345,7 @@ Phase 1 proposal (Algorithms)
-----------------------------
========================== =============== ===========================================
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
**Hash algorithm** SHA512 *Use a strong hash like SHA512*
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
**Lifetime** 28800 sec *lifetime before renegotiation*
========================== =============== ===========================================
@ -404,7 +404,7 @@ Phase 2 proposal (SA/Key Exchange)
=========================== =============== =======================================
**Protocol** ESP *Choose ESP for encryption*
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
**Hash algorithms** SHA512 *Choose a strong hash like SHA512*
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
**Lifetime** 3600 sec
=========================== =============== =======================================

View file

@ -749,7 +749,7 @@ Create the following aliases:
============================================== ====================================================================================================
Additionally, if you created seperate IP pools for individual roadwarriors (Method 2), create the following aliases so you are able to create individual firewall rules per roadwarrior:
Additionally, if you created separate IP pools for individual roadwarriors (Method 2), create the following aliases so you are able to create individual firewall rules per roadwarrior:
============================================== ====================================================================================================
**Name:** ``host_pool_roadwarrior_john``
@ -877,7 +877,7 @@ Services: Unbound DNS
If you do not serve internal DNS records (Split DNS) or do not use an Active Directory you can skip the DNS configuration.
For full control over DNS, you should either use Unbound on the OPNsense or the DNS servers in your own network. If you provide your roadwarriors with external DNS servers (like ``8.8.8.8``), they cannot resolve your internal ressources and will send those requests to external DNS servers, thus exposing your internal DNS records. (DNS Leak)
For full control over DNS, you should either use Unbound on the OPNsense or the DNS servers in your own network. If you provide your roadwarriors with external DNS servers (like ``8.8.8.8``), they cannot resolve your internal resources and will send those requests to external DNS servers, thus exposing your internal DNS records. (DNS Leak)
.. Attention::
If you created a full tunnel for IPv4 only (``0.0.0.0/0`` without ``::/0``), and your roadwarriors are in IPv4+IPv6 dual stack networks, their devices will prefer the link local IPv6 DNS servers provided by SLAAC or DHCPv6 over your IPv4 VPN DNS server.

View file

@ -27,7 +27,7 @@ bottom, so you get the correct DNS servers if you just use IPv4 ones.
Step 2 - Allow IPv6
-------------------
Next go to :menuselection:`Interfaces --> Settings` and verfiy that **Allow IPv6** is enabled.
Next go to :menuselection:`Interfaces --> Settings` and verify that **Allow IPv6** is enabled.
--------------------------------
Step 3 - Interface Configuration

View file

@ -138,7 +138,7 @@ By default outgoing traffic should already be possible but traffic from the Inte
There are different philosophies on how to manage firewall rules. Just use a similar strategy as with your IPv4 setup so rule management
is consistent.
Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The build-in macros like `DMZ net` will work for the whole network.
Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The built-in macros like `DMZ net` will work for the whole network.
But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP and use this instead.
---------------
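Review bot: the context line right below the fix, `But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP`, still has `your` for `you` and `setup` used as a verb; since this commit is a spelling sweep of that very paragraph, change it to `you should set up an alias` in the same hunk.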

View file

@ -154,7 +154,7 @@ Repeat :ref:`Method 1 <nat-method1>` until all additional servers are reachable.
If you encounter any issues, check :ref:`Troubleshooting NAT Rules <troubleshooting-nat-rules>` for a few tips.
.. Warning::
The following methods are not adviced, but are still explained in order to prevent misconfigurations. There is more information in :doc:`/manual/firewall_settings`.
The following methods are not advised, but are still explained in order to prevent misconfigurations. There is more information in :doc:`/manual/firewall_settings`.
.. _nat-method2:

View file

@ -11,7 +11,7 @@ nginx: Basic Authentication & Authorization
Please also note that basic authentication transfers the credentials in plain text
to the server. It is recommended that you only use it via HTTPS because otherwise
every attacker with a network sniffer such as Wireshark_ (and mabe some additional
every attacker with a network sniffer such as Wireshark_ (and maybe some additional
man in the middle tools like ettercap_ or fake_router6_) will be able to intercept
your connection to the server and read your password.

View file

@ -45,7 +45,7 @@ Well known Test tools are:
When it is downloaded, you usually have to unpack it into a fitting directory.``
When it is unpacked, you need to run it. In case of ZAP, doubleclick the
When it is unpacked, you need to run it. In case of ZAP, double-click the
``zap.sh`` or ``zap.bat`` depending on your operating system.
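Review bot: the context line `When it is downloaded, you usually have to unpack it into a fitting directory.` ends with two stray backticks, which Sphinx renders as an empty or broken inline literal; drop them while this paragraph is being touched.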
Next regenerate and export the certificate under
@ -128,5 +128,5 @@ Content Security Policy Controls resources and JS functions
.. [1] If you switch the certificate without announcing its public key first
via this header in a rollover time span, you will lock this clients out
because they expect being targetted by a MITM attack and refuse the connection
because they expect being targeted by a MITM attack and refuse the connection
and it is hard to reset this pin in the browser.
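Review bot: the footnote this hunk edits is a single sentence and the neighbouring context lines carry the same class of error as `targetted`: `you will lock this clients out` should read `these clients`, and `because they expect being targeted by a MITM attack` should read `expect to be targeted`. Suggest folding both into this hunk rather than leaving one typo fixed and two in place.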

View file

@ -13,7 +13,7 @@ Prepare
=======
First of all, a directory has to be created. For example `/srv/web_application1`. Please note that this directory must be
accessable by nginx and PHP (both running as `www`).
accessible by nginx and PHP (both running as `www`).
For example, you can chmod it (+rx for directories, +r for files for this user) or `chown` it.
@ -30,7 +30,7 @@ For example, you can chmod it (+rx for directories, +r for files for this user)
#
# as you can see, everyone can read (r) and switch into the directory (x))
#
# do this if the directory is not readable or excutable:
# do this if the directory is not readable or executable:
chmod +rx web_application1
.. Warning::
@ -80,7 +80,7 @@ For a location, the following directives are important:
Directive Description
=============================== ======================================================================
Match Type and URL Pattern How to match the location and the pattern
File System Root Directory of web applicaton
File System Root Directory of web application
Upstream Servers Send it to a remote interpreter instead of using the local one
Pass Request To PHP Interpreter Check if you want to enable PHP (runs locally as user www) or remotely
Router Script Sends all request to a specific script (entry point of application)
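Review bot: the trailing context row `Router Script  Sends all request to a specific script (entry point of application)` still has `request` for `requests`; it is the same table as the `application` fix, so correct it here.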
@ -90,7 +90,7 @@ Router Script Sends all request to a specific script (entry po
=============================== ============================
Directive Value
=============================== ============================
Match Type and URL Pattern ~* .*.php or simmilar
Match Type and URL Pattern ~* .*.php or similar
File System Root /srv/web_application1
Upstream Servers empty
Pass Request To PHP Interpreter checked
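Review bot: the rewritten row keeps `~* .*.php or similar` as the example match for the PHP location, and that pattern is unsafe as a PHP handler match: the `.` before `php` is unescaped and the expression is unanchored, so URIs such as `/uploads/shell.php.jpg` or `/x.phpx` would also be passed to the interpreter. Since this hunk already rewrites the line, suggest showing an escaped and anchored pattern, e.g. `~* \.php$`, and saying that the match must be anchored, instead of only correcting `similar`.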
@ -105,7 +105,7 @@ Configure HTTP Server
Configuring the HTTP server is simple. You need a hostname (for example website.test), a port (8080/TCP is the
HTTP alternative port, so it is good for testing. For production sites you should stick with the defaults).
Please select the prevously created location to serve web content. Please also configure a root here,
Please select the previously created location to serve web content. Please also configure a root here,
because all requests, which do not match, will be handled by the server default. The default server will
just serve the static file.

View file

@ -74,7 +74,7 @@ If you route directly with upstream property, the upstream TLS settings
are used, to choose if the backend connection should be TLS encrypted (again).
If you want to use an SNI Upstream Map, switch the entry in "Route With"
and choose a mapping in the coresponding entry.
and choose a mapping in the corresponding entry.
.. _standard: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

View file

@ -23,7 +23,7 @@ General Settings
:Interfaces:
Here you set the interfaces ntopng should listen on. If you don't select any interface
it listens to the first in the system, e.g. em0, but you can change the interfaces
within ntopng's UI on demand; while setting an explicit interface you wont get any
within ntopng's UI on demand; while setting an explicit interface you will not get any
other interface presented in its own UI.
:HTTP Port:
The port ntopng's UI should listen on. When you leave it on the default just open a

View file

@ -87,7 +87,7 @@ Now switch to :menuselection:`PAC --> Proxies` and add new proxy servers.
Name Enter a name which will be shown at the rules view for selection
Description You can add an optional description for this proxy
Proxy Type Enter a Proxy type or DIRECT if no proxy should be used
URL Enter the Proxy URL unless DIRECT has been choosen
URL Enter the Proxy URL unless DIRECT has been chosen
=========== ================================================================
In this case it is assumed that only a single LAN and a DMZ exists and that
@ -108,7 +108,7 @@ Proxy Type Direct Connection
URL empty
=========== =================
For outgoing connectins we need the proxy:
For outgoing connections we need the proxy:
.. image:: images/pac_proxy_lan.png

View file

@ -29,7 +29,7 @@ Your ISP provides you the following information to connect via PPPoE:
For this example setup, we assume the default WAN interface is ``igc1``.
Though this default interface can have different names depending on
your environment, e.g., ``igb1``, ``hn1``, ``vtnet1`` or similiar.
your environment, e.g., ``igb1``, ``hn1``, ``vtnet1`` or similar.
----------------------------
Configuration

View file

@ -40,7 +40,7 @@ We installed the Engine for Web Proxy purpose and enabled ICAP with its default
Step 4 - Connect the Engine
---------------------------
Now connect the server that the engine is installed on to OPNsense trough either
Now connect the server that the engine is installed on to OPNsense through either
a switch or a direct cable connection. Preferable use a separate network for this
traffic to make sure the unencrypted ICAP traffic can't be tapped.
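Review bot: the trailing context line `Preferable use a separate network for this traffic` needs `Preferably`; it is the same sentence group as the `through` fix and the same class of typo, so it belongs in this hunk.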

View file

@ -237,7 +237,7 @@ Add parameters to let SFR/RED Box discover the SIP proxy:
:width: 100%
.. Warning::
It appears OPNSense will drop support of functionnality of **advanced** parameters so I don't know if it will be possible in future releases
It appears OPNSense will drop support of functionality of **advanced** parameters so I don't know if it will be possible in future releases
to define the DNS stuff using:
* local-data: "_sip._udp.firewall.localdomain.intra. 180 IN SRV 10 60 5060 firewall.localdomain.intra."
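Review bot: the rewritten Warning line keeps `OPNSense`; the project name is spelled `OPNsense` in every other file of this commit (the Stunnel, WireGuard and NDP proxy hunks, for instance), so fix the casing while the line is already being changed.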

View file

@ -68,7 +68,7 @@ FQ_CoDel uses the following parameters in its algorithm.
Configuring FQ_CoDel for OPNsense
---------------------------------
In the configuration steps below, assume these advertized ISP speeds:
In the configuration steps below, assume these advertised ISP speeds:
+----------------+----------+-----------------+
| | Download | Upload |
@ -93,7 +93,7 @@ Create Pipe For Download
Setting Default Description
========================= ============= ===========================================================================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 495 *Set initially to 85% of ISP advertized BW, tune later - numeric*
**bandwidth** 495 *Set initially to 85% of ISP advertised BW, tune later - numeric*
**bandwidth Metric** Mbit/s *Metric associated with the bandwidth*
**queue** (empty) *Leave empty: queues are configured separately*
**mask** (none) *Leave empty*
@ -232,7 +232,7 @@ Run several tests to get average data rates and latency.
Write those values down.
While you are configuring FQ_CoDel, enter an initial value for the
"bandwidth" that is 85% of the advertized rate from the ISP.
"bandwidth" that is 85% of the advertised rate from the ISP.
(That is, if the download service is 100 Mbit/s, set the speed to 85 Mbit/s;
for 40 Mbit/s upload, set it to 40 x 85%, or 34 Mbit/s.)
@ -341,7 +341,7 @@ The over-large packet limit leads to bad results during slow start on some bench
.. Note::
For FreeBSD there is a `BUG <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276890>`_ opened for CPU hogging due to excessive logging caused when the limit queue is exceeded.
Additionaly one of the creators of CoDel raised a `discussion <https://marc.info/?t=170776797300003&r=1&w=2>`_ to improve the implementation of FQ_CoDel on FreeBSD.
Additionally one of the creators of CoDel raised a `discussion <https://marc.info/?t=170776797300003&r=1&w=2>`_ to improve the implementation of FQ_CoDel on FreeBSD.
.. Note::

View file

@ -128,7 +128,7 @@ To add a new tunnel, go to :menuselection:`VPN -> Stunnel -> Configuration` and
For additional security you can enable :code:`chroot` mode in :menuselection:`VPN -> Stunnel -> General`, there is
however a downside in using this feature. If for some reason the system logging facility (syslog) is restarted, stunnel
will loose connection to that facility, causing a lack of visibilty afterwards.
will loose connection to that facility, causing a lack of visibility afterwards.
Configure the client

View file

@ -51,13 +51,13 @@ Tor Service Settings
Please note that this is not compatible with other features like "Hidden Services".
:Fascist Firewall Ports:
These are the unfiltered ports of the firewall. The defaults of 80 and 443 are
choosen, because they are commonly open.
chosen, because they are commonly open.
Forward Proxy
-------------
.. Note::
The SOCKS proxy is only useable from localhost (127.0.0.1 and ::1)
The SOCKS proxy is only usable from localhost (127.0.0.1 and ::1)
unless an ACL is added in the "SOCKS Proxy ACL" section.
:Listen Interfaces:
@ -178,7 +178,7 @@ in the Tor network it gets on port 80 to 127.0.0.1:8080
In addition to regular onion services, the services can be protected even more
by requireing the client to know a secret cookie.
by requiring the client to know a secret cookie.
This setting needs to be configured on both ends. On the server hosting the
onion service, you need to configure it on the configuration tab for the onion
@ -251,15 +251,15 @@ Relays And Bridges
:Nickname:
A nickname can be used to identify your network but it must only
consist of alphanumeric characters.
:Bandwith Rate:
You can limit the bandwith Tor will use. By default, Tor will use the
maximum amount of bandwith available.
:Bandwidth Rate:
You can limit the bandwidth Tor will use. By default, Tor will use the
maximum amount of bandwidth available.
The value must be at least 72 kilobits per second.
:Bandwith Burst:
See Bandwith Rate.
:Bandwidth Burst:
See Bandwidth Rate.
:Directory Port:
If you have a lot of bandwith, you can also configure a directory port.
You should not enable this port if your bandwith is small.
If you have a lot of bandwidth, you can also configure a directory port.
You should not enable this port if your bandwidth is small.
:Reject Private IPs:
**IMPORTANT** DO NOT DISABLE UNLESS YOU KNOW WHAT YOU ARE DOING.
This option blocks access to RFC1918 addresses regardless of the
@ -305,4 +305,4 @@ Click on `+` to add a new ACL.
:Action:
If you select "Reject", no exit node traffic will be sent to this host
and it will not be forwarded. If you choose "Accept", your host may
be choosen as an exit node in a circuit.
be chosen as an exit node in a circuit.

View file

@ -74,10 +74,10 @@ Our example appliance has 3 available network ports:
The management interface will be used to access the firewall WebGUI and to enable access
to the internet for firmware updates.
- Go to :menuselection:`Interfaces --> Assignements` and `Assign a new interface`.
- Go to :menuselection:`Interfaces --> Assignments` and `Assign a new interface`.
Select one of the free available ports (e.g. igc2) and assign it, set the description to `Management`.
- Afterwards go to :menuselection:`Interfaces --> Management` and set `IPv4 Configuration Type` to `DHCP` or `Static IPv4` dependant on your usecase.
- Afterwards go to :menuselection:`Interfaces --> Management` and set `IPv4 Configuration Type` to `DHCP` or `Static IPv4` dependent on your usecase.
Next we add a firewall rule to allow access to the WebGUI on this management interface:
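Review bot: `dependent on your usecase` is only half corrected: `dependent` is right, but `usecase` should be two words (`use case`). The same spelling appears as `usecases` in the new IPv6 Link Local section later in this commit, so both can be fixed together.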
@ -118,7 +118,7 @@ Here we change that the firewall rules should match on the bridge, instead of th
Do not select `Enable link-local address`, in this configuration the bridge interface
should stay unnumbered (no IP addresses or any vlans assigned to it or its member interfaces)
- Go to :menuselection:`Interfaces --> Assignements`:
- Go to :menuselection:`Interfaces --> Assignments`:
- Assign the new bridge interface, set the description to `Bridge`

View file

@ -42,7 +42,7 @@ Enter the following information:
**Bind credentials**
User DN: cn=testusr,CN=Users, *Enter your credentials*
DC=opnsense,DC=local
Password: secret *alway use a strong password*
Password: secret *always use a strong password*
**Search scope** Entire Subtree *Select Entire Subtree to retrieve all*
**Base DN:** DC=opnsense,DC=local *Enter the Base DN*

View file

@ -140,7 +140,7 @@ Link-local address `Check if using IPv6` `Check if using IPv6`
- Starting with an any allow rule and restricting it after logging is recommended.
- | If experiencing packet fragmentation issues, set the MTU to 1380 and MSS to 1320 on the ``bridge0`` interfaces. This ensures packets are appropriately sized for the combined overhead from VXLAN and the VPN tunnel. This should not be needed if PMTU (Path MTU Discovery) works correctly. It is essential that ICMP is allowed.
.. Note:: Only the main `Site` should be the DHCP server on ``bridge0``. If you want to use different DHCP servers per `Site`, use external ones and block the DHCP packets on your managed switch before they enter the OPNsense ``LAN`` interface. Ensure that no IP address conflicts emerge with seperate pools in the same IP address space.
.. Note:: Only the main `Site` should be the DHCP server on ``bridge0``. If you want to use different DHCP servers per `Site`, use external ones and block the DHCP packets on your managed switch before they enter the OPNsense ``LAN`` interface. Ensure that no IP address conflicts emerge with separate pools in the same IP address space.
.. Tip:: To prevent traffic of being initially Source NATed and sent out of the default gateway when the VXLAN tunnel is not yet up, an outbound no-nat rule on the WAN interface can be implemented matching internal IP networks that are sent via VXLAN.

View file

@ -80,7 +80,7 @@ The full configuration looks like this:
section to generate the public key. Both are needed for successful configuration.
.. Warning::
**Do not re-use the private keys in these examples**
**Do not reuse the private keys in these examples**
---------------------------------------------
Step 2 - Generate public key from private key
@ -148,7 +148,7 @@ Step 4 - Configure the peer
- **Save** the Peer configuration, and then click **Apply**
.. Note::
The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different
The UI for configuring the Instances and Peers changed with OPNsense version 23.7.9 so some of the fields may be in different
places.
--------------------------

View file

@ -251,7 +251,7 @@ Step 5a - Create normalization rules
- **Save** the rule
.. Tip::
- The header size for IPv4 is usually 20 bytes, and for TCP 20 bytes. In total thats 40 bytes for IPv4 TCP.
- The header size for IPv4 is usually 20 bytes, and for TCP 20 bytes. In total that is 40 bytes for IPv4 TCP.
- IPv6 has a larger header size with 40 bytes. That encreases the total to 60 bytes for IPv6 TCP.
.. Note::
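Review bot: the second bullet of the same Tip, directly below the fixed line, still says `That encreases the total to 60 bytes for IPv6 TCP`; `encreases` should be `increases`, and since it is part of the same Tip block it belongs in this hunk.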
@ -289,7 +289,7 @@ Appendix - Example configurations
.. Warning::
**Do not re-use these example keys!**
**Do not reuse these example keys!**
An example client configuration file:

View file

@ -96,12 +96,19 @@ For IPv6:
6RD Border Relay The 6RD IPv4 gateway address assigned by your ISP
6RD IPv4 Prefix length The 6RD IPv4 prefix length. Normally specified by the ISP. A value of 0 means we embed the entire IPv4 address in the 6RD prefix.
6RD IPv4 Prefix address The 6RD IPv4 prefix address. Optionally overrides the automatic detection.
**Track IPv6 interface**
**Identity Association**
IPv6 Interface This selects the dynamic IPv6 WAN interface to track for configuration.
IPv6 Prefix ID The delegated IPv6 prefix ID. This determines the configurable /64 network ID based on the dynamic IPv6 connection.
**Track Interface (legacy)**
IPv6 Interface This selects the dynamic IPv6 WAN interface to track for configuration.
IPv6 Prefix ID The delegated IPv6 prefix ID. This determines the configurable /64 network ID based on the dynamic IPv6 connection.
Manual Configuration If this option is set, you will be able to manually set the DHCPv6 and Router Advertisements service for this interface. Use with care.
================================= ===============================================================================================================================================
.. Note::
*Identity Association* offers similar functionality like *Track Interface (legacy)*, but without automatic ISC-DHCPv6 and Radvd configuration. It is intended
for pure RA and DHCPv6 configuration using Dnsmasq or Kea/Radvd.
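Review bot: in the new Note, `offers similar functionality like` should be `offers functionality similar to`. In the table, the `IPv6 Interface` and `IPv6 Prefix ID` rows are repeated verbatim under both `Identity Association` and `Track Interface (legacy)`, while `Manual Configuration` is listed only under the legacy block; one sentence stating whether that option exists for Identity Association (or why it does not, given that mode never auto-configures DHCPv6/RA) would save readers from guessing.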
-----------------------------
Mobile Networking

View file

@ -168,7 +168,7 @@ Policies
The **policy** menu item contains a grid where you can define policies to apply
to installed rules. Here you can add, update or remove policies as well as
disabling them. Policies help control which rules you want to use in which
manner and are the prefered method to change behaviour. Although you can still
manner and are the preferred method to change behaviour. Although you can still
update separate rules in the rules tab, adding a lot of custom overwrites there
is more sensitive to change and has the risk of slowing down the
user-interface.
@ -178,7 +178,7 @@ such as the description and if the rule is enabled as well as a priority.
Overlapping policies are taken care of in sequence, the first match with the
lowest priority number is the one to use.
Secondly there are the matching criterias, these contain the **rulesets** a
Secondly there are the matching criteria, these contain the **rulesets** a
policy applies on as well as the action configured on a rule (disabled by
default, alert or drop), finally there is the **rules** section containing the
metadata collected from the installed rules, these contain options as affected

View file

@ -94,7 +94,7 @@ Router Advertisement [RA]
The opposite of the solicitation is the advertisement, which we will also use on our end to inform our clients.
A router advertisement contains vital information for the client to exist within the network.
Usually a link-local (:code:`FE80::/8`) address is used as source adddress in the message, which will then be used as (default) gateway by the client.
Usually a link-local (:code:`FE80::/8`) address is used as source address in the message, which will then be used as (default) gateway by the client.
Certain flags and options are offered to the client, the most prominent flags are the following ones (`rfc4861 <https://www.rfc-editor.org/rfc/rfc4861>`__):
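Review bot: the corrected line still gives the link-local range as `FE80::/8`; the IPv6 link-local prefix is `fe80::/10` (RFC 4291), so the prefix length should be fixed together with `address` rather than carried over.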
@ -259,7 +259,22 @@ but is currently not being parsed and presented to the user.
You can use this mode for WAN connections only.
Track Interface
Identity Association
-------------------------------
This mode uses a WAN DHCPv6 interface to assign a single (/64) network to your LAN interfaces.
It is similar to Track Interface (legacy), with the important distinction that it does not auto-configure any IPv6 services
like :code:`radvd` or :code:`dnsmasq`.
Configuration of DHCPv6 and Router Advertisements must be done manually via the preferred available services.
.. Note::
You can use this mode for LAN connections only.
Track Interface (legacy)
-------------------------------
This mode uses a WAN DHCPv6 interface to assign a single (/64) network to your LAN interfaces.
@ -287,6 +302,26 @@ and addresses using any of the available dhcpv6 servers.
You can use this mode for LAN connections only.
Link Local
-------------------------------
This mode generates an automatic link-local address on the selected interfaces and does not process router advertisements,
which means SLAAC is not generated and routes are not installed automatically.
The usecases for this mode are more advanced, examples are:
- Distribute a larger prefix that is received via a static or dynamic route (BGP). These routes most likely target
the link-local address of the WAN interface. To delegate a prefix to customers, set the LAN interface to link-local and use KEA for DHCPv6-PD.
KEA will set a route to the next hop link-local address automatically.
- NDP proxying, as link-local prevents the same on-link prefix to appear on multiple links which would cause routing issues.
Such a scenario requires an additional NDP proxy plugin.
.. Note::
You can use this mode for WAN and LAN connections.
Basic setup and troubleshooting
=======================================
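Review bot: wording in the new Link Local section: `The usecases for this mode` should be `The use cases`, `prevents the same on-link prefix to appear on multiple links` should be `from appearing on multiple links`, and `KEA` is written `Kea` in the interfaces hunk of this same commit. The first bullet would also read better if it said whose routes are meant (`These routes` currently has no clear antecedent: the upstream's static or BGP routes for the larger prefix).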

View file

@ -58,7 +58,7 @@ to look at. Like in the IPv4 scenario, you can provide a range here, offer setti
create static assignments based on the clients unique DHCP identifier (`DUID <https://en.wikipedia.org/wiki/DHCPv6>`__).
Always make sure :doc:`Router advertisements </manual/radvd>` are properly configured before debugging DHCPv6 issues, these two
daemons depend on eachother.
daemons depend on each other.
If a Prefix Delegation Range is specified, downstream routers may request prefixes (IA_PD). Routing a delegated prefix to a downstream
router requires OPNsense to be aware of the router's IPv6 WAN address. This can be achieved in two ways:

View file

@ -43,7 +43,7 @@ Gateway Priority If a gateway is configured for a group, th
considered.
Trigger Level When a gateway inside the tier is considered offline, either when its
fully down, has loss or increased latency.
Pool Options Usually left to default, but can influence stickyness for sources on
Pool Options Usually left to default, but can influence stickiness for sources on
a per group basis.
==================================== ===============================================================================

View file

@ -340,18 +340,41 @@ that have been created in the `Firewall Rules` step:
Alternatively, `any` could be used as source and destination, though this will match any traffic so be careful.
Router Advertisements
--------------------------------------------------
Per default, the proxy forwards Router Solicitations from downstream to upstream, and Router Advertisements from upstream to downstream.
The only alterations are the sending MAC address, and the Source Link Layer (SLLA) option.
In most setups, the default is the best choice. In more complex environments, having full control over the RAs could be a
requirement. The NDP proxy can be combined with :doc:`radvd </manual/radvd>` to fulfill that requirement.
Go to :menuselection:`Services --> NDP Proxy --> Settings` and disable `Proxy router advertisements`.
Next go to :menuselection:`Services --> Router Advertisements` and create a new entry:
================================== =======================================================================================================
Option Value
================================== =======================================================================================================
**Enabled** ``X``
**Interface** ``LAN``
**Constructor** ``WAN``
================================== =======================================================================================================
Now the LAN interface will send RAs advertising the prefix constructed from the WAN SLAAC address.
You can set custom RDNSS and DNSSL options, or set a different mode to additionally use a DHCPv6 server.
High Availability
--------------------------------------------------
To use the proxy in HA, enable the advanced mode in :menuselection:`Services --> NDP Proxy --> Settings` and toggle `Enable CARP failover`.
Ensure that you use `Proxy router advertisements` to proxy the RAs of the ISP. Deactivate any other RA daemon on the selected downstream interfaces.
The simplest is using `Proxy router advertisements` to proxy the RAs of the ISP.
When using :doc:`radvd </manual/radvd>` instead, advertise a CARP link-local address as source.
Since Neighbor Discovery relies on a single link-layer router identity, a brief interruption may occur during failover while both the
upstream ISP router and downstream clients relearn the routers MAC address.
Do not configure any virtual IPv6 addresses on any of the upstream and downstream interfaces, the proxy will only use the real
interface link-local and MAC addresses.
upstream ISP router and downstream clients relearn the router's MAC address.
.. Tip::
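Review bot: the High Availability rewrite removes two safety statements without replacing them: `Deactivate any other RA daemon on the selected downstream interfaces` and `Do not configure any virtual IPv6 addresses on any of the upstream and downstream interfaces, the proxy will only use the real interface link-local and MAC addresses`. The new text instead says to `advertise a CARP link-local address as source` when using radvd, which reads as a direct contradiction of the second removed sentence; please state explicitly whether the proxy now tolerates a CARP link-local VIP on the downstream interface, and keep an instruction that `Proxy router advertisements` and radvd must not both be active on the same downstream interface, otherwise clients receive two RA streams from different sources. Minor: `Per default` should be `By default`, and `The simplest is using` should be `The simplest option is to use`.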

View file

@ -37,13 +37,13 @@ Traffic to or coming from the firewall.
Egress
------
Traffic passing trough the firewall.
Traffic passing through the firewall.
Ingress + Egress = Double flow count
------------------------------------
When enabling both ingress and egress, traffic gets counted double due to Network
Address Translation as all packets going to the WAN coming from the LAN pass the
Network translation of the firewall therefor also creating an ingress flow.
Network translation of the firewall therefore also creating an ingress flow.
If you are not interested in ingress traffic then OPNsense offers the option to
filter this traffic. When utilizing a proxy on the same device its important to
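Review bot: the trailing context line `When utilizing a proxy on the same device its important to` needs `it's important`; same paragraph as the `therefore` fix, so include it.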

View file

@ -15,5 +15,5 @@ corner. A quick overview of the fields:
Internal IPv6 Prefix The internal IPv6 prefix used in the LAN(s). This will replace the prefix of the destination address in inbound packets. The prefix size specified here will also be applied to the external prefix.
External IPv6 Prefix The external IPv6 prefix. This will replace the prefix of the source address in outbound packets.
Category The category this rule belongs to, can be used as a filter in the overview.
Description A description to easily indentify the purpose of this rule in the overview.
Description A description to easily identify the purpose of this rule in the overview.
============================= =======================================================================================================================================================================

View file

@ -31,7 +31,7 @@ Installation
Installation of this plugin is rather easy, go to :menuselection:`System --> Firmware --> Plugins` and search for **os-OPNProxy**,
use the [+] button to install it.
Next go to :menuselection:`Services --> Web Proxy --> Access control` to start configuring polcies.
Next go to :menuselection:`Services --> Web Proxy --> Access control` to start configuring policies.
.. Note::
@ -69,10 +69,10 @@ to import/add the users in OPNsense in order to user their authorisation setting
(it's not possible to block no bump sites in full inspection mode)
Transparant proxies
Transparent proxies
---------------------------
It is possible to use the proxy in transparant mode, but there are some constraints and ceveats to take into account when doing so.
It is possible to use the proxy in transparent mode, but there are some constraints and ceveats to take into account when doing so.
This paragraph tries to explain them one by one.
* Using "Log SNI information only" is not supported in a useful way. As the browser is not aware of the proxy, it will request
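Review bot: the replacement line `there are some constraints and ceveats to take into account` fixes `transparent` but leaves `ceveats`, which should be `caveats`.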
@ -117,7 +117,7 @@ Policy types
Part of OPNproxy is a standard list of categorized locations, which can be easily added to a policy, these type of policies
are the default ones. You will find categories here like :code:`adult`, :code:`advertisements`, :code:`malware` and many others.
In some cases however our defaults are not enough, for this reason we also offer the posibility to push your own list of
In some cases however our defaults are not enough, for this reason we also offer the possibility to push your own list of
domains and locations into a custom policy.
Every policy contains what to match (either a standard category or a list of domains and paths), what to do (allow or deny)

View file

@ -105,7 +105,7 @@ configuration via WPAD / PAC.
.. Warning::
WPAD via DNS requires the web interface to run on the default HTTP port
(TCP/80) which is also a security risk (MITM attacks). In such cases you
should proxy the connection or avoid configuring the applicance from an
should proxy the connection or avoid configuring the appliance from an
untrusted network.
-----------------------

View file

@ -20,7 +20,7 @@ the latest threat information.
Two types of lists are supported by this plugin, IPs using firewall aliases and domains using an integration with our
unbound blocklists.
This document exaplains how to install and use Q-Feeds on your OPNsense firewall.
This document explains how to install and use Q-Feeds on your OPNsense firewall.
--------------------------------------
External resources
@ -101,7 +101,7 @@ Below you will find their purpose.
========================================= ====================================================================================
**Field** **Description**
========================================= ====================================================================================
Timestamp Time the event occured
Timestamp Time the event occurred
Interface Which interface it was logged on
Direction Did this concern in(bound) or out(bound) traffic
Source Source IP address

View file

@ -2,6 +2,9 @@
Router Advertisements
==========================
.. contents:: Index
radvd (the service responsible for this functionality) is the router advertisement daemon for IPv6.
It listens to router solicitations and sends router advertisements as described in
"Neighbor Discovery for IP Version 6 (IPv6)" (`RFC 4861 <https://tools.ietf.org/html/rfc4861>`__).
@ -9,6 +12,74 @@ With these advertisements hosts can automatically configure their addresses and
It also defines "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)"
(`RFC6775 <https://tools.ietf.org/html/rfc6775>`__). They also can choose a default router based on these advertisements.
.. Attention::
:doc:`Dnsmasq </manual/dnsmasq>` is the default RA daemon in new installations, deactivate its *Router Advertisement*
setting if you want to use radvd.
-------------------------
General Settings
-------------------------
The service can be configured in :menuselection:`Services --> Router Advertisements`.
.. tabs::
.. tab:: General Settings
========================================= ====================================================================================
**Option** **Description**
========================================= ====================================================================================
**Enabled** Enable or disable this entry. If "Track Interface (legacy)" is used, an existing
disabled entry will also deactivate advertisements on that interface. Alternatively,
switch to "Identity association" for full manual configuration if needed.
**Interface** Choose the interface that should send Router Advertisements. A prefix will be constructed
from the primary IP of that interface, which is assigned by "Identity association" or
"Track interface (legacy)" IPv6 modes of said interface. If additional virtual IP addresses exist on
this interface, their prefixes will also be advertised.
**Mode** Select which flags to set in Router Advertisements sent from this interface.
**Minimum interval** The minimum time allowed between sending unsolicited multicast router advertisements
from the interface, in seconds.
**Maximum interval** The maximum time allowed between sending unsolicited multicast router advertisements
from the interface, in seconds.
**Recursive DNS Servers (RDNSS)** The default is to use this interface IP address with an enabled DNS service or the
configured global DNS servers. You may specify up to three explicit servers here instead.
**DNS Search List (DNSSL)** The default is to use the domain name of this system as the DNSSL option.
You may specify explicit domains here instead.
**Routes** Routes are specified in CIDR format. The prefix of a route definition should be network prefix;
it can be used to advertise more specific routes to the hosts.
========================================= ====================================================================================
.. tab:: Advanced Settings
========================================= ====================================================================================
**Option** **Description**
========================================= ====================================================================================
**Constructor** Per default, the primary prefix of the given *Interface* in
*General Settings* is used. When setting a constructor,
the primary prefix of a WAN interface can be used instead.
An :doc:`NDP proxy </manual/ndp-proxy-go>` is required if the same WAN prefix is
shared by multiple LAN interfaces.
**Preference** Select the Priority for the Router Advertisement (RA) Daemon.
**Deprecate Prefix** Deprecate advertised prefixes on shutdown by announcing a zero preferred lifetime.
**Shutdown Advertisement** Upon shutdown, send a final advertisement with zero router lifetime.
**Default Lifetime** Lifetime in seconds this router is considered a valid default router.
**Preferred Lifetime** Lifetime in seconds addresses remain preferred for new connections.
**Valid Lifetime** Lifetime in seconds addresses remain valid before becoming unusable.
**Source Address** Select the source address embedded in the RA messages.
If a CARP address is used DeprecatePrefix and RemoveRoute are both set to "off" by default.
**NAT64 prefix** The NAT64 prefix included in the router advertisements.
The "well-known prefix" reserved for this service is 64:ff9b::/96.
**Link MTU** Advertise a specific MTU to clients. Must be equal or greater than 1280 and valid for the link.
**Enable DNS** Control the sending of the embedded DNS configuration (RFC 8106).
**Recursive DNS Servers Lifetime** Lifetime in seconds for advertised recursive DNS servers.
**DNS Search List Lifetime** Lifetime in seconds for advertised DNS search domains.
**Route Lifetime** Lifetime in seconds for advertised routes.
**Remove Route** Withdraw advertised routes on shutdown by sending a zero lifetime.
========================================= ====================================================================================
.. _radvd-mode:
--------------------------------
Router Advertisements (Mode)
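Review bot: the new "Minimum interval" and "Maximum interval" rows drop the bounds that the old Intervals table in this file documented (minimum no less than 3 seconds and no greater than 0.75 * maximum; maximum between 4 and 1800 seconds); unless the validation changed, carry those limits into the new descriptions so a rejected value can be understood from the docs. Two smaller points in the same table: the "Source Address" row refers to the radvd option names DeprecatePrefix and RemoveRoute while the rows above call them "Deprecate Prefix" and "Remove Route", so use the GUI labels consistently (and add a comma after "If a CARP address is used"); the "Link MTU" row should read "equal to or greater than 1280", and the "Routes" row "should be a network prefix".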
@ -50,47 +121,63 @@ A detailed overview of the :code:`radvd` settings determined by the mode can be
Technical details about the options can be found in the `man <https://www.freebsd.org/cgi/man.cgi?query=radvd.conf>`__ page of radvd
--------------------------------
General
Configuration examples
--------------------------------
==================================== ===============================================================================
Priority The preference associated with the default router,
as either "low", "medium" (default), or "high".
RA Interface Interface to use prefix from.
Advertise Default Gateway uses :code:`AdvDefaultLifetime` to disable advertising as default router when
unset.
Advertise Routes Advertise more specific specific routes to the clients.
==================================== ===============================================================================
Advertise a prefix on LAN
--------------------------------------------------
The most common configuration would be DHCPv6 on the WAN interface and receiving a routed prefix via DHCPv6-PD.
When setting the LAN IPv6 configuration to either of "Track Interface (legacy)" or "Identity association" with a unique prefix ID,
router advertisements can send that prefix and a default route to clients.
Go to :menuselection:`Services --> Router Advertisements` and add a new entry:
========================================= ====================================================================================
**Option** **Description**
========================================= ====================================================================================
**Enabled** X
**Interface** LAN
========================================= ====================================================================================
Press **Save** and **Apply**
Per default, RDNSS and DNSSL options will be sent to clients, containing the IPv6 address of the LAN interface, and the default system domain.
--------------------------------
DNS
--------------------------------
Advertise multiple prefixes on LAN
--------------------------------------------------
For supported clients, DNS settings can also be propagated by radvd as detailed in `RFC 8106 <https://tools.ietf.org/html/rfc8106>`__
If an ULA (Unique Local Address) prefix should be sent in addition to a GUA (Global Unicast Address) prefix, create a virtual IPv6 address
in :menuselection:`Interfaces --> Virtual IPs`. Configure it on the LAN interface, make sure the prefix length is /64.
==================================== ===============================================================================
DNS servers Define which dns servers to publish to the clients, either the ones
defined here or (when **Use the DNS settings of the DHCPv6 server** is set)
the ones defined in the DHCPv6 server for this interface.
(:code:`RDNSS` in :code:`radvd`)
Domain search list Domain search list to push to the clients, when not specified the local
domain name from this firewall is used. (:code:`DNSSL` in :code:`radvd`)
==================================== ===============================================================================
Afterwards, applying the configuration in :menuselection:`Services --> Router Advertisements` will configure the additional prefix.
--------------------------------
Intervals
--------------------------------
The time between unsolicited multicast router advertisement can be configured, using the following settings,
usually these are left default.
DHCPv6
--------------------------------------------------
==================================== ===============================================================================
Minimum Interval The minimum time allowed between sending unsolicited multicast
router advertisements from the interface, in seconds.
Must be no less than 3 seconds and no greater than 0.75 * "Maximum Interval".
Maximum Interval The maximum time allowed between sending unsolicited multicast
router advertisements from the interface, in seconds.
Must be no less than 4 seconds and no greater than 1800 seconds.
==================================== ===============================================================================
Router Advertisements are sufficient for clients to auto-generate a SLAAC address, receive a default gateway and a DNS server.
These are the basic requirement for IPv6 connectivity.
There can be advanced requirements like hostname registration, static reservations and DHCPv6 options.
For these cases, there are two DHCPv6 servers available: :doc:`KEA </manual/kea>` and :doc:`Dnsmasq </manual/dnsmasq>`.
As Dnsmasq is best used with its own router advertisement functionality, KEA is the most logical choice to pair with radvd.
This is especially true for HA setups, as KEA can synchronize IPv6 leases.
.. Attention::
A combination of KEA and radvd requires a static WAN prefix, as KEA cannot track prefixes dynamically.
To advertise a DHCPv6 server to clients, configure the available :ref:`modes <radvd-mode>` to your requirements.
High availability
--------------------------------------------------
For high availability with IPv6, static prefixes are a requirement for seamless failover.
You can follow this setup example: :doc:`Configure CARP </manual/how-tos/carp>`
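Review bot: the removed DNS table documented the "Use the DNS settings of the DHCPv6 server" toggle for RDNSS, but neither the new configuration examples nor the General Settings table added earlier in this change mention it; if the option still exists it needs a row, and if it was removed the "Advertise a prefix on LAN" example should state where published DNS servers now come from (it currently only says the LAN interface address and system domain are sent by default). Also "These are the basic requirement for IPv6 connectivity" should read "requirements", and "Press **Save** and **Apply**" is missing its full stop.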

@ -5,7 +5,7 @@ Relayd
The relayd plugin offers a load balancer which is capable of handling OSI layer 3 or 7 forwarding services to
various backend servers while validating their availability.
One of the main advantages over other forwarding services available for OPNsense is that relayd offers a transparant
One of the main advantages over other forwarding services available for OPNsense is that relayd offers a transparent
forwarding mode in layer 3 (redirection), which is lightweight and forwards the unmodified session to the target host.
@ -46,9 +46,9 @@ Virtual Server
.......................................
A virtual server is where it all comes together, this type of object defines where to accept traffic from (bind address and port)
and how to handle traffic when being recieved.
and how to handle traffic when being received.
The server type is one of the most important settings and defines if this virtual host is acting either as a redirection (using the firewall/transparant)
The server type is one of the most important settings and defines if this virtual host is acting either as a redirection (using the firewall/transparent)
or a relay (layer 7 mode).
It is possible to choose two different tables to forward to here, in standard (non advanced mode) only the primary table is visible
@ -153,4 +153,4 @@ In order to set up the example scenario, configure the following settings:
* Scheduler: Round Robin
* Table Check: ICMP
Make sure to enable relayd on the generic settings tab, save settings and the new vritual host should be active.
Make sure to enable relayd on the generic settings tab, save settings and the new virtual host should be active.

@ -17,7 +17,7 @@ The top area of the screen shows an overview of all network adapters for both in
select the desired polling resolution with the dropdown left of the interface selection dropdown.
The graph below shows the top consumers over the same timespan, when you point to a dot it will show you the measured
bandwith for the selected host (the color matches the interface).
bandwidth for the selected host (the color matches the interface).
Top talkers

@ -78,7 +78,7 @@ You can refresh the list by clicking the refresh button on the top right of the
* The action taken by Unbound, this can either be pass, block or drop. The latter only occurs when a query could
not be serviced due to an internal error. "Internal error" can be anything, ranging from a loss of internet connectivity
to a crash of Unbound. The common factor is that Unbound marks the return code as SERVFAIL. If the Unbound logs
do not show any reason for a drop occuring, the most likely candidate will be a loss of connectivity.
do not show any reason for a drop occurring, the most likely candidate will be a loss of connectivity.
* The source of the response. This can be either Recursion, Local, Local-data or cache. 'Local' refers to a decision
made by Unbound to either block or drop the query. 'Local-data' refers to the custom host overrides and its associated
aliases or internal local-data entries generated by the system. 'Cache' shows responses to clients utilizing the cache.

@ -82,8 +82,8 @@ are written in this language or in a C/C++ extension:
============================================= ================================================
**Technology** **Used for**
============================================= ================================================
Passenger Application Server for differnet Languages
nginx Unit_ Application Server for differnet Languages
Passenger Application Server for different Languages
nginx Unit_ Application Server for different Languages
Undertow_ (Raw, JBoss, WildFly) Java application server
Apache Tomcat Java application server
unit_, puma_, unicorn_ Many Rack_ based frameworks (RoR_, Sinatrarb_, …)

@ -319,7 +319,7 @@ going to :menuselection:`System --> Settings --> General`. The following setting
| **Networking** |
+---------------------------------+------------------------------------------------------------------------------------+
| Prefer to use IPv4 even | By default if a hostname resolves IPv6 and IPv4 addresses, the IPv6 will be used. |
| if IPv6 is available | If checked, then IPv4 addresss will be used instead of IPv6. |
| if IPv6 is available | If checked, then IPv4 addresses will be used instead of IPv6. |
+---------------------------------+------------------------------------------------------------------------------------+
| DNS servers | A list of DNS servers, optionally with a gateway. These DNS servers are also used |
| | for the DHCP service, DNS services and for PPTP VPN clients. When using multiple |

@ -77,7 +77,7 @@ password combination or ssh using public key infrastructure.
Enable Enable backup to the upstream target
URL Target location, which defines protocol, user and path. This may look like:
`sftp://opnsense@192.168.1.10//home/opnsense/config_backups`
SSH private key Upload the `my_new_key` file created during preperation.
SSH private key Upload the `my_new_key` file created during preparation.
Backup Count Number of backups to keep
Encrypt Password Password used to encrypt the backup (optional)
==================================== ===============================================================================

@ -97,7 +97,7 @@ changing these settings.
The rules are not shown by default, you can use the "Show rules" checkbox to enabled those,
this option can help you identifying misconfigurations more easily,
since the underlaying technology (:code:`ipfw`) keeps track of data on a per rule basis.
since the underlying technology (:code:`ipfw`) keeps track of data on a per rule basis.
.. Tip::
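Review bot: the context line directly above the corrected one still reads "you can use the "Show rules" checkbox to enabled those", and the next one "this option can help you identifying misconfigurations"; since this paragraph is being touched anyway, change them to "to enable those" and "help you identify".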

@ -300,7 +300,7 @@ URLs of Blocklists Additional http[s] location to download bl
files containing a list of fqdn's (e.g. :code:`my.evil.domain.com`) OR wildcard domains
(e.g. :code:`*.my.evil.domain.com`) are supported.
Allowlist Domains When a blocklist item contains a pattern defined in this list it will
be ommitted from the results. e.g. :code:`.*\.nl` would exclude all .nl domains.
be omitted from the results. e.g. :code:`.*\.nl` would exclude all .nl domains.
Blocked domains explicitly allowlisted using the :doc:`/manual/reporting_unbound_dns`
page will show up in this list.
Blocklist Domains List of domains to explicitly block. Regular expressions are not supported.
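Review bot: the "Allowlist Domains" row says a blocklist item that "contains a pattern" is omitted and gives :code:`.*\.nl` as excluding all .nl domains; read as an unanchored search, that pattern also matches any name with ".nl" somewhere in the middle, which is broader than "all .nl domains". State whether patterns are anchored or matched anywhere in the name, and if it is the latter, use :code:`.*\.nl$` in the example so an allowlist entry does not quietly exempt more of the blocklist than intended.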

@ -12,7 +12,7 @@ Update settings
By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have trouble updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Firmware Mirror:** this influences where OPNsense tries to get its updates from. If you have trouble updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Release Type:** this switches between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on "Production", unless you fully understand the implications of switching.**
.. Tip::

@ -75,7 +75,7 @@ rights, called privileges.
Password Configure a password for local login
Scrambled Password Generate a random password for this login to avoid login
Full name Informational, users full name
E-mail Informational, email adres this user has
E-mail Informational, email address this user has
Comments Informational, custom notes
Preferred landing page Preferred landing page after login or authentication failure
Language Language to use in the GUI
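Review bot: the "Scrambled Password" row reads "Generate a random password for this login to avoid login", which does not say what is being avoided; if the intent is that the account cannot be used for password-based login, say so explicitly so the security effect of the option is clear. Also "users full name" in the "Full name" row should be "user's full name".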

@ -76,7 +76,7 @@ The following functions are available in the menu (as of OPNsense 23.1):
* Status Overview
* Shows tunnel statusses
* Shows tunnel status
* Lease Status
@ -109,14 +109,14 @@ For a full list of changes, the upstream migration `documentation <https://wiki.
is an interesting read as well.
* Phase 1 - The general connection settings, like local/remote addressess and general protocol settings. Choices in authentication to use
* Phase 1 - The general connection settings, like local/remote addresses and general protocol settings. Choices in authentication to use
are also part of this, they may involve multiple rounds.
* Phase 2 - Nowadays Strongswan calls these **children**, as these define the :code:`CHILD_SA` subsections in play. This is where you can define
the networks on both ends. When multiple segments are being added into the same child, these are being treated as one policy
where all of them are able to communicate to eachother.
where all of them are able to communicate to each other.
* Phase 1 / Tunnel Isolation - This option made sure every network defined in phase 2 would be treated as a child of it's own (e.g. two phase 2's would turn into two children)
* Phase 2 / Manual SPD entries - Manual SPD entries, this has been replaced with it's own menu option (Security Policy Database)
offering more flexibilty and visibilty.
offering more flexibility and visibility.
.. Note::
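Review bot: the two bullets about "Tunnel Isolation" and "Manual SPD entries" use "it's own" twice where the possessive "its own" is meant; worth fixing in the same pass as the other spelling corrections in this hunk.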
@ -351,7 +351,7 @@ When a peer is assumed dead, an action may be specified, such as closing the CHI
DPD is disabled by default, when using connections, make sure to specify a :code:`DPD delay (s)` > 0 to enable the feature.
Actions may be specified on its children.
When using IKEv1 a :code:`dpdtimeout` can be specified to control when a peer is considered to be inaccesible.
When using IKEv1 a :code:`dpdtimeout` can be specified to control when a peer is considered to be inaccessible.
This setting has no effect on how IKEv2 handles retransmissions, in which case the general settings will be used as specified in the following `document <https://docs.strongswan.org/docs/5.9/config/retransmission.html>`__.
.. Warning::
@ -452,7 +452,7 @@ module one may configure different pools per connection.
If you are configuring Radius authentication using the new Connections module, make sure to select the relevant Radius servers
in :menuselection:`VPN -> IPsec -> Mobile Clients` under Radius (eap-radius). This pool of servers will be shared across
all connections. This option will not be visibile if you have legacy Radius authentication methods configured.
all connections. This option will not be visible if you have legacy Radius authentication methods configured.
The examples section contains various options available in OPNsense. When using the new "connections" option available
as of OPNsense 23.1, different `examples from Strongswan <https://docs.strongswan.org/docs/5.9/interop/windowsClients.html>`__
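Review bot: the menuselection in this paragraph is written as :code:`VPN -> IPsec -> Mobile Clients` with single-dash arrows, while the rest of these docs (and the other hunks in this change) use the :code:`-->` form that Sphinx renders as a proper arrow; switch it to :code:`:menuselection:`VPN --> IPsec --> Mobile Clients`` for consistency.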
@ -646,7 +646,7 @@ do support standard includes.
While the :code:`swanctl.conf` and the legacy :code:`ipsec.conf` configuration files are well suited to define IPsec-related configuration parameters,
it is not useful for other strongSwan applications to read options from these files.
To configure these other components, it is possible to manually append options to our default template, in which case files
may be placed in the directory :code:`/usr/local/etc/strongswan.opnsense.d/` using the file extention :code:`.conf`
may be placed in the directory :code:`/usr/local/etc/strongswan.opnsense.d/` using the file extension :code:`.conf`
IPsec configurations are managed in `swantcl.conf <https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html>`__ format (as of 23.1), merging your own additions is possible by
placing files with a :code:`.conf` extension in the directory :code:`/usr/local/etc/swanctl/conf.d/`.
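Review bot: the link text "swantcl.conf" in the context line below the fix is itself a typo of swanctl.conf (the URL target is swanctlConf.html); correct it while this paragraph is being edited. The corrected sentence about :code:`strongswan.opnsense.d/` also ends without a full stop after :code:`.conf`.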
@ -692,7 +692,7 @@ enough time to migrate older setups.
OpenVPN on OPNsense can also be used to create a tunnel between two locations, similar to what IPsec offers. Generally
the performance of IPsec is higher which usually makes this a less common choice.
Mobile usage is really where OpenVPN excells, with various (multifactor) authentication options and
Mobile usage is really where OpenVPN excels, with various (multifactor) authentication options and
a high flexibility in available network options.
@ -720,7 +720,7 @@ The following functions are available in the menu (as of OPNsense 23.7):
* Connection Status
* Show tunnel statusses
* Show tunnel status
* Log File
@ -731,7 +731,7 @@ The following functions are available in the menu (as of OPNsense 23.7):
Public Key Infrastructure (X.509)
....................................
OpenVPN is most commonly used in combination with a public key infrastructure, where we use a certificate autority which
OpenVPN is most commonly used in combination with a public key infrastructure, where we use a certificate authority which
signs certificates for both server and clients (Also know as TLS Mode).
More information about this topic is available in our :doc:`Trust section <certificates>`.
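Review bot: "(Also know as TLS Mode)" on the line following the corrected one should read "(also known as TLS mode)"; "known" is the missing participle and a lowercase "also" fits mid-sentence inside the parenthesis.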
@ -853,7 +853,7 @@ A selection of the most relevant settings can be found in the table below.
.. Tip::
When using topology "subnet" the netmask usually equals the one defined in the instance itself as the gateway
being pushed to the client is the first adress in the network and otherwise unreachable.
being pushed to the client is the first address in the network and otherwise unreachable.
**Troubleshooting common issues**
@ -965,7 +965,7 @@ High availability (using CARP)
.................................
When using wireguard on active/passive high availability clusters, only one instance at a time is allowed to communicate to the
other party. In OPNsense this can be reached by selecting a :code:`vhid` to track as instance dependancy {Depend on (CARP)}.
other party. In OPNsense this can be reached by selecting a :code:`vhid` to track as instance dependency {Depend on (CARP)}.
If an instance depends on a CARP vhid, it will query the current status and determine if the interface should be usable (when MASTER), the
interface status (up/down) will be toggled accordingly.
@ -979,7 +979,7 @@ interface status (up/down) will be toggled accordingly.
.. Tip::
Because the carp dependancy is managed per instance, you are able to keep tunnels available selectively, for example to manage the machines
Because the carp dependency is managed per instance, you are able to keep tunnels available selectively, for example to manage the machines
remotely.
@ -993,7 +993,7 @@ up or down, depending on the carp status described in the previous chapter.
.. Tip::
Althought wireguard itself offers very limit logging, our setup process will make a note of errors and signal about certain events.
Although wireguard itself offers very limit logging, our setup process will make a note of errors and signal about certain events.
When having issues configuring an instance or peer, always make sure to check the logs in :menuselection:`VPN --> WireGuard --> Log File` first.
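Review bot: the corrected line still reads "very limit logging"; it should be "very limited logging". Since the sentence is being rewritten anyway, "signal about certain events" could also become "flag certain events".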

@ -106,7 +106,7 @@ Here are the full patch notes:
* openvpn: add live-search to longer lists in server page
* openvpn: support --cryptoapicert export `[1] <https://www.max-it.de/>`__ (sponsored by m.a.x. it)
* opnevpn: correctly check for translation in get_carp_interface_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: use waitforpid() to properly wait for instances to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue
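Review bot: two lines above the fixed entry, the bullet "opnevpn: correctly check for translation in get_carp_interface_status()" has the component prefix misspelled; it should be "openvpn:" like the surrounding entries, so fix it in the same patch-notes pass.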
