Use consistent, RST menu notation; fix some build warnings (#144)

pull/151/head
Michael Steenbeek 5 years ago committed by Ad Schellevis
parent 4badbe49e1
commit 5cb6b3a325

@ -4495,3 +4495,7 @@ span[id*='MathJax-Span'] {
font-style: normal;
font-weight: 700;
src: local("Roboto Slab Bold"), local("RobotoSlab-Bold"), url(../fonts/RobotoSlab-Bold.ttf) format("truetype"); }
.menuselection {
font-weight: bold;
}
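Review bot: The new .menuselection rule at the end of this hunk sits directly after the Roboto Slab @font-face block with no comment marking it as a local addition. If this stylesheet is the theme's bundled CSS, the rule will be dropped the next time the theme is refreshed. Consider moving it to a separate custom stylesheet, or at least add a short comment above it saying why it is here.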

@ -29,7 +29,7 @@ Authenticators & Connections
------------------------------
Services within OPNsense can use different authentication methods, for which connections can be configured in **System-->Access-->Servers**
Services within OPNsense can use different authentication methods, for which connections can be configured in :menuselection:`System --> Access --> Servers`
(e.g. the method can be **radius** which is offered through a server at a location).
All of these methods use the same api defined in :code:`\OPNSense\Auth\IAuthConnector`, which comes with some simple to use handles.
@ -37,7 +37,7 @@ If a class in :code:`\OPNSense\Auth` implements :code:`IAuthConnector` it is con
for the authenticator factory named :code:`AuthenticationFactory`.
The factory provides a layer of abstraction around the different authentication concepts, for example a server defined in
**System-->Access-->Servers** can be requested using a simple :code:`(new AuthenticationFactory())->get('name');`
:menuselection:`System --> Access --> Servers` can be requested using a simple :code:`(new AuthenticationFactory())->get('name');`
This connects the authenticator to the configured servers and the response object is ready to handle authentication requests.

@ -6,7 +6,7 @@ by selecting the alias name in the various supported sections of the firewall.
These aliases are particularly useful to condense firewall rules and minimize
changes.
Aliases can be added, modified and removed via **Firewall->Aliases**.
Aliases can be added, modified and removed via :menuselection:`Firewall --> Aliases`.
-----------
Alias Types
@ -41,7 +41,7 @@ Sample
:width: 100%
**Apply changes** and look at the content of our newly created pf table.
Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube table.
Go to :menuselection:`Firewall --> Diagnostics --> pfTables` and select our newly created youtube table.
.. image:: images/pftable_youtube.png
:width: 100%

@ -5,7 +5,7 @@ Using certificates
In OPNsense, certificates are used for ensuring trust between peers. To make using them easier, OPNsense allows creating
certificates from the front-end. In addition to that, it also allows creating certificates for other purposes,
avoiding the need to use the ``openssl`` command line tool. Certificates in OPNsense can be managed from
**System->Trust->Certificates**.
:menuselection:`System --> Trust --> Certificates`.
Examples of OPNsense components that use certificates:
* OpenVPN

@ -3,7 +3,7 @@ Dashboard
=========
The Dashboard is the first page you will see after you log into OPNsense.
Additionally, it can be accessed via **Lobby->Dashboard**. The Dashboard provides an overview of your system status.
Additionally, it can be accessed via :menuselection:`Lobby --> Dashboard`. The Dashboard provides an overview of your system status.
-------------
Configuration

@ -9,7 +9,7 @@ DHCP is available for both IPv4 and IPv6 clients, referred to as DHCPv4 and DHCP
Settings overview
-----------------
DHCPv4 settings can be found at **Services -> DHCPv4**. DHCPv6 settings can be found at **Services -> DHCPv6**.
DHCPv4 settings can be found at :menuselection:`Services --> DHCPv4`. DHCPv6 settings can be found at :menuselection:`Services --> DHCPv6`.
The DHCPv4 submenu further consists of:
@ -35,9 +35,9 @@ described in `RFC 1918 <https://tools.ietf.org/html/rfc1918#section-3>`_.)
The LAN IP of the OPNsense device that serves DHCP to the LAN should fall in the same DHCP IP range. Typically, it gets
the address ending in .1 (so 192.168.1.1) in this example.
To set the LAN IP, go to **Interfaces -> [LAN]**, set “IPv4 Configuration Type” to “Static”, and under
To set the LAN IP, go to :menuselection:`Interfaces --> [LAN]`, set “IPv4 Configuration Type” to “Static”, and under
“Static IPv4 configuration”, set “IPv4 address” to ``192.168.1.1`` and the subnet dropdown to “24”. Then click Save.
To set the DHCP settings, go to **Services -> DHCPv4 -> [LAN]**. Under “Gateway”, put ``192.168.1.1``. Under range,
To set the DHCP settings, go to :menuselection:`Services --> DHCPv4 --> [LAN]`. Under “Gateway”, put ``192.168.1.1``. Under range,
put ``192.168.1.100`` as the start address and ``192.168.1.200`` as the end address. Then click Save. After saving,
click the “Apply Settings” button.

@ -6,27 +6,27 @@ In order to get more insight into your network, and to help solve problems, OPNs
The tools can be found in three places:
* **System -> Diagnostics**
* **Interfaces -> Diagnostics**
* **Firewall -> Diagnostics**
* :menuselection:`System --> Diagnostics`
* :menuselection:`Interfaces --> Diagnostics`
* :menuselection:`Firewall --> Diagnostics`
The following tools are available:
=================================================== ===========================================================================
**System -> Diagnostics -> Activity** Show executed commands
**System -> Diagnostics -> Services** Shows running services, allows starting/stopping/restarting
**Interfaces -> Diagnostics -> ARP Table** Show ARP table, which lists local connected IPv4 peers
**Interfaces -> Diagnostics -> DNS Lookup** Easy lookup of IPs and A records that belong to a hostname
**Interfaces -> Diagnostics -> NDP Table** Show NDP table, which lists local connected IPv6 peers
**Interfaces -> Diagnostics -> Packet capture** Capture packets travelling through an interface
**Interfaces -> Diagnostics -> Ping** Ping a hostname or IP address
**Interfaces -> Diagnostics -> Port Probe** Test if a host has a certain TCP port open and accepts connections on it
**Interfaces -> Diagnostics -> Trace Route** Trace route to a hostname or IP address
**Firewall -> Diagnostics -> pfInfo** General information and statistics for pf
**Firewall -> Diagnostics -> pfTop** Currently active pf states and routes
**Firewall -> Diagnostics -> pfTables** Shows IP addresses belonging to aliases
**Firewall -> Diagnostics -> Sockets** Shows listening sockets for IPv4 and IPv6
**Firewall -> Diagnostics -> States Dump** Currently active states
**Firewall -> Diagnostics -> States Reset** Delete active states and source tracking (cancels connections)
**Firewall -> Diagnostics -> States Summary** Show states sorted by criteria like source IP, destination IP, …
=================================================== ===========================================================================
================================================================== ===========================================================================
:menuselection:`System --> Diagnostics --> Activity` Show executed commands
:menuselection:`System --> Diagnostics --> Services` Shows running services, allows starting/stopping/restarting
:menuselection:`Interfaces --> Diagnostics --> ARP Table` Show ARP table, which lists local connected IPv4 peers
:menuselection:`Interfaces --> Diagnostics --> DNS Lookup` Easy lookup of IPs and A records that belong to a hostname
:menuselection:`Interfaces --> Diagnostics --> NDP Table` Show NDP table, which lists local connected IPv6 peers
:menuselection:`Interfaces --> Diagnostics --> Packet capture` Capture packets travelling through an interface
:menuselection:`Interfaces --> Diagnostics --> Ping` Ping a hostname or IP address
:menuselection:`Interfaces --> Diagnostics --> Port Probe` Test if a host has a certain TCP port open and accepts connections on it
:menuselection:`Interfaces --> Diagnostics --> Trace Route` Trace route to a hostname or IP address
:menuselection:`Firewall --> Diagnostics --> pfInfo` General information and statistics for pf
:menuselection:`Firewall --> Diagnostics --> pfTop` Currently active pf states and routes
:menuselection:`Firewall --> Diagnostics --> pfTables` Shows IP addresses belonging to aliases
:menuselection:`Firewall --> Diagnostics --> Sockets` Shows listening sockets for IPv4 and IPv6
:menuselection:`Firewall --> Diagnostics --> States Dump` Currently active states
:menuselection:`Firewall --> Diagnostics --> States Reset` Delete active states and source tracking (cancels connections)
:menuselection:`Firewall --> Diagnostics --> States Summary` Show states sorted by criteria like source IP, destination IP, …
================================================================== ===========================================================================

@ -4,7 +4,7 @@ Dynamic Routing
.. Warning::
With OPNsense version 19.1 the FRR package was updated to version 5. It's strongly advised to increase
the kern.ipc.maxsockbuf value via **Tunables**. Go to **System->Settings->Tunables** and check if there
the kern.ipc.maxsockbuf value via **Tunables**. Go to :menuselection:`System --> Settings --> Tunables` and check if there
is already a tunable for maxsockbuf and set it to 16777216 if it's lower. Otherwise add a new one with
name above and the specified value.

@ -65,7 +65,7 @@ plugin
First we need to install the required plugin, which is responsible for collecting the telemetry data and provides access
to the ET Pro ruleset.
1. Go to **System->Firmware->Updates**
1. Go to :menuselection:`System --> Firmware --> Updates`
2. press "Check for updates" in the upper right corner.
3. open the tab "Plugins" and search for `os-etpro-telemetry`
4. when found, click on the [+] sign on the right to install the plugin
@ -78,7 +78,7 @@ register token
Next step is to register your token in OPNsense and enable rulesets.
1. Go to **Services->Intrusion Detection->Administration**
1. Go to :menuselection:`Services --> Intrusion Detection --> Administration`
2. Click on the "Download" tab, which should show you a list of available rules.
3. Enable all categories you would like to monitor in the "ET telemetry" section,
if in doubt enable all and monitor the alerts later (select on the right and use the enable selected button on top)
@ -93,7 +93,7 @@ Schedule updates
To download the rulesets automatically on a daily bases, you can add a schedule for this task.
1. Go to **Services->Intrusion Detection->Administration**
1. Go to :menuselection:`Services --> Intrusion Detection --> Administration`
2. Click on the "Schedule" tab
3. A popup for the update task appears, enable it using the checkbox on top, and click "save changes"
@ -104,10 +104,10 @@ Subscription status
To validate your subscription, we recommend to add the widget to the dashboard.
1. Go to the dashboard **Lobby->Dashboard**
1. Go to the dashboard :menuselection:`Lobby --> Dashboard`
2. Click on "Add widget" in the top right corner, click "Telemetry status" in the list
3. Close dialog and click "Save settings" on the right top of the dashboard
4. Open **Lobby->Dashboard** again to refresh the content
4. Open :menuselection:`Lobby --> Dashboard` again to refresh the content
When everything is setup properly and the plugin can reach Proofpoint, it will show something like:
@ -131,7 +131,7 @@ In case your sensor can't communicate to the outside world, the widget shows an
.. Note::
The system log (**System->Log Files->General**) might contain more information, search for *emergingthreats*
The system log (:menuselection:`System --> Log Files --> General`) might contain more information, search for *emergingthreats*
--------------------------------------

@ -70,7 +70,7 @@ User & Local domain
-------------------
In the right corner just to the left of the quick navigation you will see your
username and the full domain name the firewall is configured with
(to change firewall name, go to **System->Setting->General**).
(to change firewall name, go to :menuselection:`System --> Setting --> General`).
Content Area
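Review bot: The converted path in this hunk reads "System --> Setting --> General", keeping the singular "Setting" from the old text, while other hunks in this commit use "System --> Settings --> Tunables" and "System --> Settings --> Cron". Since the line is being touched anyway, correct it to "Settings" so the path matches the menu label.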

@ -55,7 +55,7 @@ Click Save and then Apply.
All that is required now is to set the LAN interface to use assigned
IPv6 prefix.
Select Interfaces->LAN and set the IPv6 Configuration Type to Track
Select :menuselection:`Interfaces --> [LAN]` and set the IPv6 Configuration Type to Track
Interface
.. image:: images/ZenUK_image3.png
@ -88,7 +88,7 @@ servers.
**Create Gateway**
------------------
Firstly, we do need to set up a gateway, this is for monitoring more
than anything else. Select Gateways->All then click Add Gateway.
than anything else. Select :menuselection:`Gateways --> All` then click Add Gateway.
Now, we know that Zen give us a /64 on our WAN interface, for example.
@ -114,9 +114,9 @@ Click Save.
**WAN Interface**
-----------------
Once we have our gateway in place we can then set up the WAN interface.
Select Interfaces->WAN.
Select :menuselection:`Interfaces --> [WAN]`.
Go to IPv6 Configuration Type and Select Static IPv6.
Go to IPv6 Configuration Type and select Static IPv6.
.. image:: images/ZenUK_image6.png
:width: 100%
@ -171,8 +171,8 @@ Click Save and Apply.
-----------------
When using DHCPv6 on the WAN, our DHCPv6 LAN server is set
automatically, however when using statics, we need to set it up. Goto
Services->DHCPv6[LAN]
automatically, however when using statics, we need to set it up. Go to
:menuselection:`Services --> DHCPv6[LAN]`.
Firstly, enable the server.
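Review bot: The new path "Services --> DHCPv6[LAN]" has no separator before the interface name, whereas the DHCP page in this same commit writes "Services --> DHCPv4 --> [LAN]". For consistent notation this should be "Services --> DHCPv6 --> [LAN]".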

@ -22,8 +22,8 @@ For version 2.0 it is planned to offer full zone-file management.
Installation
------------
First of all, go to **System->Firmware->Plugins** and install **os-bind**.
You will finde the plugin at **Services->BIND**.
First of all, go to :menuselection:`System --> Firmware --> Plugins` and install **os-bind**.
You will finde the plugin at :menuselection:`Services --> BIND`.
----------------
General Settings
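Review bot: The second rewritten line still reads "You will finde the plugin". The line is modified by this hunk already, so fix the typo ("find") in the same change.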
@ -70,7 +70,7 @@ DNSBL
so it is whitelisted before the blacklists come into play.
The Blacklists are downloaded and updated with every **Save** within BIND configuration.
For production use you can go to **System->Settings->Cron** and add a cronjob. On the
For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the
dropdown list you'll find the corret task under **Command**. Set the refresh interval
as you wish and save. This will trigger an update of the selected lists and reload
BIND.
@ -89,7 +89,7 @@ Advanced
--------
Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting,
you can set in **Services->Unbound DNS->General->Custom Options**.
you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`.
.. code-block:: none

@ -9,7 +9,7 @@ Setup Caching Proxy
Enable / Disable
----------------
The proxy is delivered with sane default settings for easy setup.
To enable the proxy just go to **Services->Web Proxy->Administration** and
To enable the proxy just go to :menuselection:`Services --> Web Proxy --> Administration` and
check **Enable proxy** en click on **Apply**. The default will enable the proxy
with User Authentication based on the local user database and runs on port 3128
of the lan interface.
@ -42,7 +42,7 @@ Check the **Enable local cache** and click **Apply**.
.. Important::
As the cache is not created by default you will need to stop and start the service
under **Services->Diagnostics**, this will ensure correct creation of the cache.
under :menuselection:`Services --> Diagnostics`, this will ensure correct creation of the cache.
Advanced
--------
@ -60,7 +60,7 @@ Now select **Authentication Settings** and select the desired Authenticator(s) i
the field **Authentication method**. Click on **Clear All** if you do not want to
use any authentication.
Depending on the Authentication Servers you have setup under **System->Access->Servers**
Depending on the Authentication Servers you have setup under :menuselection:`System --> Access --> Servers`
You can select one or more of the following:
* No Authentication (leave field blank)
@ -118,7 +118,7 @@ This list is a simple flat list that looks like this:
207.net
247media.com
Go to **Services->Web Proxy->Administration** and click on the tab **Remote
Go to :menuselection:`Services --> Web Proxy --> Administration` and click on the tab **Remote
Access Control Lists**
Now click on the **+** at the bottom right corner of the form to add a new list.
@ -146,7 +146,7 @@ Now click on **Download ACLSs & Apply** to enable the blacklist/ad blocker.
Firewall Rule No Proxy Bypass
-----------------------------
To make sure no-one can bypass the proxy you need to add a firewall rule.
Go to **Firewall->Rules** and add the following to the top of the list rule on the
Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the
LAN interface (if LAN is where your clients and proxy are on).
============================ =====================

@ -65,7 +65,7 @@ security reasons (state injection) as for performance.
OPNsense includes a mechanism to keep the configuration of the backup
server in sync with the master. This mechanism is called XMLRPC sync and
can be found under System -> High Availability.
can be found under :menuselection:`System --> High Availability --> Settings`.
-----------------------------------------
Setup interfaces & basic firewall rules
@ -73,7 +73,7 @@ Setup interfaces & basic firewall rules
.. Warning::
Make sure the interface assignments on both systems are identical!
Via **Interfaces->Overview** you can check if e.g. DMZ is opt1 on
Via :menuselection:`Interfaces --> Overview` you can check if e.g. DMZ is opt1 on
both machines. When the assigments differ you will have mixed
Master and Backup IPs on both machines.
@ -95,7 +95,7 @@ setup the following addresses and subnets:
+-----------------------+
Next we need to make sure the appropriate protocols can be used on the
different interfaces, go to firewall -> rules and make sure both LAN and
different interfaces, go to :menuselection:`Firewall --> Rules` and make sure both LAN and
WAN accept at least CARP packets (see protocol selection). Because we're
connecting both firewalls using a direct cable connection, we will add a
single rule to accept all traffic on all protocols for that specific
@ -132,7 +132,7 @@ Setup Virtual IPs
On the master node we are going to setup our Virtual IP addresses, which
will also be used for the backup node after synchronisation. Go to
Firewall -> Virtual IPs and add a new one with the following
:menuselection:`Firewall --> Virtual IPs` and add a new one with the following
characteristics:
+-------------------------+------------------------------------+
@ -178,7 +178,7 @@ IP address to make a seamless migration possible. The default for
OPNsense is to use the interfaces IP address, which is in our case the
wrong one.
Go to Firewall -> NAT and select outbound nat. Choose manual outbound
Go to :menuselection:`Firewall --> NAT --> Outbound`. Choose manual outbound
nat on this page and change the rules originating from the
192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).
@ -207,7 +207,7 @@ Setup HA sync (xmlrpc) and pfSync
---------------------------------
First we should enable pfSync using our dedicated interface using the
master firewall. Go to System -> High Availability, enable pfSync and
master firewall. Go to :menuselection:`System --> High Availability --> Settings`, enable pfSync and
select the interface used for pfSync. Next setup the peer IP to the
other hosts address (10.0.0.2).
@ -236,13 +236,13 @@ firewalls before testing.
Testing setup
-------------
First go to Status -> Carp in the OPNsense webinterface and check if
First go to :menuselection:`System --> High availability --> Status` in the OPNsense webinterface and check if
both machines are properly initialized.
To test our setup, we will connect a client to the local area network
and open a ssh connection to a host behind both firewalls. Now when
connected you should be able to look at the state table on both OPNsense
firewalls (Diagnostics -> States) and they should both display the same
firewalls (:menuselection:`Firewall --> Diagnostics --> States Dump`) and they should both display the same
connection. Next try to pull the network plug from the master firewall
and it should move over to the backup without loosing (or freezing) the
ssh connection.
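Review bot: The first converted path in this hunk is written "System --> High availability --> Status" with a lowercase "availability", while the other hunks for this file use "System --> High Availability --> Settings". Pick one capitalisation. Note also that both paths here are changed in content, not only in notation ("Status -> Carp" and "Diagnostics -> States" are replaced by different menu locations), which the commit message does not mention; a line in the message would help anyone bisecting documentation changes.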
@ -271,7 +271,7 @@ downtime. To keep the downtime at a minimum when running updates just follow
these steps:
- Update your secondary unit and wait until it is online again
- On your primary unit go to **Firewall->Virtual IP's->Status** and hit **Enter Persistent CARP Maintenance Mode**
- On your primary unit go to :menuselection:`Firewall --> Virtual IPs --> Status` and click **Enter Persistent CARP Maintenance Mode**
- You secondary unit is now *MASTER*, check if all services like DHCP, VPN, NAT are working correctly
- If you ensured the update was fine, update your primary unit and hit **Leave Persistent CARP Maintenance Mode**
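Review bot: The rewritten bullet now says "click **Enter Persistent CARP Maintenance Mode**" but the last bullet of the same list still says "hit **Leave Persistent CARP Maintenance Mode**". Use the same verb for both buttons, and fix "You secondary unit" in the following bullet while the list is being edited.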

@ -99,7 +99,7 @@ Once the SIM card is ready, quit ``cu`` with ``~.``.
Step 2 - Configure Point to Point device
----------------------------------------
Go to **Interfaces->Point-to-Point->Devices** and click on **Add** in the upper
Go to :menuselection:`Interfaces --> Point-to-Point --> Devices` and click on **Add** in the upper
right corner of the form.
Fill in the form like this (Example is for Dutch Mobile 4G KPN Subscription):
@ -129,7 +129,7 @@ Click **Save** to apply the settings.
---------------------------------
Step 3 - Assign the WAN interface
---------------------------------
To assign the interface go to **Interfaces->Assignments** in our case we will make
To assign the interface go to :menuselection:`Interfaces --> Assignments` in our case we will make
this our primary internet connection and change the WAN assignment accordingly.
To do so just change the **Network port** for **WAN** to **ppp0 (/dev/cuaU0.0) - 4G Cellular Network**.
@ -145,7 +145,8 @@ the one of you cellular connection.
------------------------
Step 4 - Troubleshooting
------------------------
In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to: **Interfaces->Point-to-Point->Log File**. If you are
In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to:
:menuselection:`Interfaces --> Point-to-Point --> Log File`. If you are
lucky you can see what went wrong directly in the log. Unfortunately, the PPP log is
not very informative so it might not help at all.
@ -164,10 +165,11 @@ providers required factory resets (for whatever reason) to get them to work prop
Some Sierra Wireless modems still seem to need a specific init string to work
properly. One that seems to work for multiple users and LTE cards is ``&F0E1Q0 +CMEE=2``. In any case you should first try without init string and only give it
a try if you could not get any connection without. You can add this in **Interfaces->Point-to-Point->Devices->Your particular device->Advanced Options->Init String**.
a try if you could not get any connection without. You can add this in
:menuselection:`Interfaces --> Point-to-Point --> Devices --> Your particular device --> Advanced Options --> Init String`.
When the device seems to work properly then checkout if the interface was assigned
an IP address, go to **Interfaces->Overview** and click on the WAN interface to
an IP address, go to :menuselection:`Interfaces --> Overview` and click on the WAN interface to
see the details.
You should see an IP address, Gateway IP and ISP DNS server(s).

@ -8,7 +8,7 @@ if they are growing rapidly so the changelog does not fit into core anymore.
Core
====
Core offers a changelog section in the area **System -> Firmware** as an own menu or the dialog will
Core offers a changelog section in the area :menuselection:`System --> Firmware` as an own menu or the dialog will
automatically open in case of an available update.
To open a changelog manually, you can open the Changelog tab, and click the book:

@ -65,11 +65,11 @@ First we need to have a project in the google developer console:
doesn't really matter for this.
- Enable the Drive API
- In the left menu APIs -> "Drive API" -> Enable
- In the left menu :menuselection:`APIs --> "Drive API" --> Enable`
- Open the project and start to create an API key
- In the left menu : APIs & auth -> Credentials
- In the left menu: :menuselection:`APIs & auth --> Credentials`
- Click on the button "Create new Client ID"
- Choose "Service account", followed by "Create Client ID"
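Review bot: In the first converted line, the path "APIs --> "Drive API" --> Enable" keeps the double quotes around Drive API inside the menuselection role and treats "Enable" as a menu level. The role already marks the text as a UI label, so the quotes are redundant, and Enable reads as a button rather than a submenu. Suggest "APIs --> Drive API" in the role, followed by the Enable action in the prose.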
@ -98,7 +98,7 @@ Next thing is to create a folder in Google Drive and share it to the
:name: setup-the-account-in-opnsense
Now we can put it all together, login to your OPNsense firewall and go
to the backup feature. It is located at **System->Configuration->Backups**.
to the backup feature. It is located at :menuselection:`System --> Configuration --> Backups`.
.. image:: ./images/600px-Google_Drive_Backup_screenshot.png
:width: 100%
@ -145,7 +145,7 @@ Copy and store the generated password.
.. image:: images/nextcloud_config.png
Scroll to the Nextcloud Section in System -> Config -> Backup and enter the
Scroll to the Nextcloud Section in :menuselection:`System --> Config --> Backup` and enter the
following values:
================ ======================================================================
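Review bot: The converted path in this hunk is "System --> Config --> Backup", but an earlier hunk in the same file gives the backup page as "System --> Configuration --> Backups". Both appear to refer to the same page, so the abbreviated form should be replaced with the full menu labels.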

@ -7,7 +7,7 @@ Installation
------------
First of all, you have to install the dnscrypt-proxy plugin (os-dnscrypt-proxy) from the plugins view
reachable via **System->Firmware->Plugins**.
reachable via :menuselection:`System --> Firmware --> Plugins`.
After a page reload you will get a new menu entry under **Services** for DNSCrypt-Proxy.

@ -20,7 +20,7 @@ The lists for this example are located here:
-------------------------------------
Step 1 - Create an Alias for Spamhaus
-------------------------------------
Go to **Firewall->Aliases->All** and press the **Add a new alias** button in the
Go to :menuselection:`Firewall --> Aliases --> All` and press the **Add a new alias** button in the
top right corner of the form.
Enter the following data:
@ -60,7 +60,7 @@ Step 2 - Firewall Rules Inbound Traffic
---------------------------------------
We will block incoming connections and outgoing connections for the drop and edrop lists.
To do so we will start with inbound traffic on the WAN interface.
Go to **Firewall->Rules** Select the **WAN** tab and press the **+** icon in the
Go to :menuselection:`Firewall --> Rules` Select the **WAN** tab and press the **+** icon in the
lower right corner.
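Review bot: After the conversion the line reads "Go to Firewall --> Rules Select the **WAN** tab" with no punctuation between the menu path and the next sentence. The bold markup used to hide this; with the role in place it runs together. Add a period or comma after the path.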
@ -97,7 +97,7 @@ Step 3 - Firewall Rules Outbound Traffic
----------------------------------------
Now do the same for outbound traffic traffic on the LAN interface.
Go to **Firewall->Rules** Select the **LAN** tab and press the **+** icon in the
Go to :menuselection:`Firewall --> Rules` Select the **LAN** tab and press the **+** icon in the
lower right corner.
=================== ============== =============================================
@ -131,7 +131,7 @@ lower right corner.
Check pf Tables
---------------
To list the IP addresses that are currently in the DROP and EDROP lists go to
**Firewall->Diagnostics->pfTables** and select the list you want to see:
:menuselection:`Firewall --> Diagnostics --> pfTables` and select the list you want to see:
.. image:: images/spamhaus_pftable.png
:width: 100%

@ -54,7 +54,7 @@ with that and after finishing add/change the specifics to match the Hotel Guest
Step 1 - Configure Interface
----------------------------
For the Guest Network we will add a new interface.
Go to **Interfaces->Assignments** And use the **+** to add a new interface.
Go to :menuselection:`Interfaces --> Assignments` And use the **+** to add a new interface.
Press **Save**. The new interface will be called **OPT1**, click on [OPT1] in the
left menu to change its settings.
@ -80,7 +80,7 @@ Press **Save** and then **Apply changes**.
------------------------------
Step 2 - Configure DHCP Server
------------------------------
Go to **Services->DHCPv4->[GUESTNET]**.
Go to :menuselection:`Services --> DHCPv4 --> [GUESTNET]`.
Fill in the following to setup the DHCP server for our guest net (leave everything
else on its default setting):
@ -98,7 +98,7 @@ Click **Save**.
---------------------------
Step 3 - Add Firewall Rules
---------------------------
Go to **Firewall->Rules** to add a new rule.
Go to :menuselection:`Firewall --> Rules` to add a new rule.
Now add the following rules (in order of prevalence):
@ -196,7 +196,7 @@ Your rules should look similar to the screenshot below:
------------------------------
Step 4 - Create Captive Portal
------------------------------
Go to **Services->Captive Portal->Administration**
Go to :menuselection:`Services --> Captive Portal --> Administration`
To add a new Zone press the **+** in the lower right corner of the form.
@ -322,7 +322,7 @@ Internet Access. This bandwidth will be shared evenly between connected clients.
that would be 1 Mbps down stream (download). It is also possible to limit
the traffic per user see also :doc:`shaper`
Go to: **Firewall->Traffic Shaper->Settings**.
Go to: :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Create a pipe for the Download by pressing the **+** in the lower right corner of
the form and enter the following details:
@ -408,7 +408,7 @@ This example will be for our "Royal Hotel".
---------------------------
Step 8 - Add Voucher Server
---------------------------
To add a Voucher Server go to: **System->Access->Servers** and click on
To add a Voucher Server go to: :menuselection:`System --> Access --> Servers` and click on
**Add server** in the top right corner of the screen.
Fill in:
@ -423,7 +423,7 @@ Click on **Save**.
------------------------
Step 9 - Create Vouchers
------------------------
Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**).
Go back to the Captive portal and select Vouchers (:menuselection:`Services --> Captive Portal --> Vouchers`).
Click on **Create Vouchers** in the lower right corner of the form.
Let's create 1-day vouchers for our guests:
@ -503,7 +503,7 @@ Now users will see the login form as part of your template:
--------------
Check Sessions
--------------
To check the active sessions go to **Services->Captive Portal->Sessions**
To check the active sessions go to :menuselection:`Services --> Captive Portal --> Sessions`
Our current session looks like this:
.. image:: images/cp_active_sessions.png
@ -520,7 +520,7 @@ You can drop an active session by clicking on the trashcan.
Check Voucher Status
--------------------
You can check the validity and active status of a voucher by going to the voucher
page of the captive portal (**Services->Captive Portal->Vouchers**) and select
page of the captive portal (:menuselection:`Services --> Captive Portal --> Vouchers`) and select
the correct database (Wi-Fi day pass in our example).
.. image:: images/cp_active_vouchers.png

@ -70,7 +70,7 @@ Execute function http-request auth"
.. image:: images/haproxy_frontend_add_authentication.png
* Go to "Settings" -> "Global Parameters", enable the advanced mode (top left), and add your users to configuration
* Go to :menuselection:`Settings --> Global Parameters`, enable the advanced mode (top left), and add your users to configuration
via the "Custom options"
.. image:: images/haproxy_settings_global_params_auth.png

@ -9,7 +9,7 @@ of Netflow data. To do so take a look at :doc:`netflow_exporter`.
User Interface
--------------
Insight is a fully integrated part of OPNsense. Its User Interface is simple yet
powerful. It can be accessed via **Reporting->Insight**.
powerful. It can be accessed via :menuselection:`Reporting --> Insight`.
.. image:: images/insight_gui.png
:width: 100%

@ -14,7 +14,7 @@ Prerequisites
-------------
* Always upgrade to latest release first.
See :doc:`/manual/install` and/or upgrade to latest release:
**System->Firmware: Fetch updates**
:menuselection:`System --> Firmware --> Fetch updates`
.. image:: images/firmware.png
:width: 100%
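Review bot: On the changed line, "Fetch updates" is folded into the menu path as if it were a third menu level, but the line being replaced set it apart with a colon ("System->Firmware: Fetch updates"), which reads as an action on the Firmware page. Consider keeping the distinction, for example :menuselection:`System --> Firmware` followed by **Fetch updates**, so readers do not look for a submenu.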
@ -42,8 +42,8 @@ Prerequisites
--------------------------------------
Setup Intrusion Detection & Prevention
--------------------------------------
To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled
& IPS mode**. Make sure you have selected the right interface for the intrusion
To enable IDS/IPS just go to :menuselection:`Services -> Intrusion Detection` and select
**enabled & IPS mode**. Make sure you have selected the right interface for the intrusion
detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
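Review bot: The new role text uses a single arrow, :menuselection:`Services -> Intrusion Detection`, while every other conversion in this commit uses "-->". Sphinx only substitutes the menu separator for "-->", so this one will render a literal "->" and defeat the consistency the commit is after. Change it to `Services --> Intrusion Detection`.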

@ -10,7 +10,7 @@ Prerequisites
-------------
* Always upgrade to latest release first.
See :doc:`/manual/install` and/or upgrade to latest release:
**System->Firmware: Fetch updates**
:menuselection:`System --> Firmware --> Fetch updates`.
.. image:: images/firmware.png
:width: 100%
@ -29,7 +29,7 @@ Prerequisites
After applying you need to reboot OPNsense otherwise offloading may not
completely be disabled and IPS mode will not function.
To start go to **Services->Intrusion Detection**
To start go to :menuselection:`Services --> Intrusion Detection`
|ids_menu|
@ -91,10 +91,9 @@ And click **Save changes** |save|
---------------------------------------
Enable Intrusion Detection & Prevention
---------------------------------------
To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled
& IPS mode**. Make sure you have selected the right interface for the intrusion
detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
To enable IDS/IPS just go to :menuselection:`Services --> Intrusion Detection` and select **enabled & IPS mode**.
Make sure you have selected the right interface for the intrusion detection system too run on. For our example
we will use the WAN interface, as that will most likely be you connection with the public Internet.
.. image:: images/idps.png
:width: 100%
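Review bot: The paragraph is rewritten and reflowed here, but the two typos from the old text are carried over into the new lines: "too run on" should be "to run on" and "you connection" should be "your connection". Since these lines are being touched anyway, fix both in the same change.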

@ -18,7 +18,7 @@ OPNsense and give you configuration examples for:
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
To do so, go to the :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
*(Dont forget to save and apply)*
.. image:: images/block_private_networks.png
@ -95,7 +95,7 @@ interface.
Step 1 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication methods.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example will use the following settings:
@ -241,7 +241,7 @@ And Apply changes:
If you already had IPsec enabled and added Road Warrior setup, it's important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongswan.
------------------------
@ -249,7 +249,7 @@ Step 4 - Add IPsec Users
------------------------
For this example we will create a new user who may access the mobile IPsec vpn.
Go to **System->Access->Users** and press the **+** sign in the lower right corner
Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner
to add a new user.
Enter the following into the form:
@ -282,7 +282,7 @@ some screenshots. The configurations for Android and iOS will be settings only.
Configure macOS Client
----------------------
Start with opening your network settings (System Preferences -> Network) and
Start with opening your network settings (:menuselection:`System Preferences --> Network)` and
Add a new network by pressing the + in the lower left corner.
Now select **VPN** and **Cisco IPSec**, give your connection a name and press **Create**.
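Review bot: In the changed line the closing parenthesis sits inside the role, :menuselection:`System Preferences --> Network)`, so it becomes part of the rendered menu label and the opening parenthesis is left unbalanced in the surrounding text. Move it outside the backtick: (:menuselection:`System Preferences --> Network`).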
@ -312,7 +312,7 @@ Now test the connection by selecting it from the list and hit **Connect**.
--------------------
Configure iOS Client
--------------------
To add a VPN connection on an iOS device go to **Setting->General->VPN**.
To add a VPN connection on an iOS device go to :menuselection:`Settings --> General --> VPN`.
Select **Add VPN Configuration** chose **IPsec** and use the Following Settings:
========================== ======================= ========================================
@ -326,9 +326,8 @@ Select **Add VPN Configuration** chose **IPsec** and use the Following Settings:
------------------------
Configure Android Client
------------------------
To add a VPN connection on an Android device go to **Settings -> Connections ->
more networks** , select **VPN**. Press the **+** in the top right corner to add
a new vpn connection.
To add a VPN connection on an Android device go to :menuselection:`Settings --> Connections --> more networks`,
select **VPN**. Press the **+** in the top right corner to add a new VPN connection.
Use the Following Settings:

@ -23,7 +23,7 @@ the client certificate.
Step 2 - Add VPN Connection
---------------------------
Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need.
Add a new VPN connection via :menuselection:`Settings --> More --> VPN`, enter a **Name** and choose the type you need.
Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.

@ -14,23 +14,23 @@ Step 1 - Create Certificates
For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
:menuselection:`System --> Trust --> Certificates`.
---------------------
Step 2 - Setup Radius
---------------------
If you already have a local Radius server, add a new client with the IP address of your Firewall,
set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance:
set a shared secret, go to OPNsense UI to :menuselection:`System --> Access --> Servers` and add a new instance:
============================ ================ ====================================
**Descriptive Name** Name *Give it a name*
@ -46,7 +46,7 @@ When you do not have an own Radius instance just use the OPNsense plugin and fol
Step 3 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example will use the following settings:
@ -146,7 +146,7 @@ Phase 2 proposal (SA/Key Exchange)
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------

@ -13,22 +13,22 @@ Step 1 - Create Certificates
For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
:menuselection:`System --> Trust --> Certificates`.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example we will use the following settings:
@ -133,14 +133,14 @@ Phase 2 proposal (SA/Key Exchange)
If you already had IPsec enabled and added Road Warrior setup, it's important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Trust->Certificates** and create a new client certificate.
Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to your end user device.

@ -27,22 +27,22 @@ Step 1 - Create Certificates (only for RSA variants)
For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
:menuselection:`System --> Trust --> Certificates`.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example will use the following settings:
@ -144,14 +144,14 @@ Phase 2 proposal (SA/Key Exchange)
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Access->Users** and press the **+** sign in the lower right corner
Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner
to add a new user.
Enter the following into the form:
@ -169,7 +169,7 @@ Step 5 - Add client certificate (for Mutual RSA)
This step is only needed for Mutual RSA + XAuth!
Go to **System->Trust->Certificates** and create a new client certificate.
Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to you enduser device.

@ -15,22 +15,22 @@ Step 1 - Create Certificates
For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
:menuselection:`System --> Trust --> Certificates`.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example will use the following settings:
@ -130,14 +130,14 @@ Phase 2 proposal (SA/Key Exchange)
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
Go to :menuselection:`VPN --> IPsec --> Pre-Shared Keys` and press **Add**.
Enter the following into the form:

@ -15,22 +15,22 @@ Step 1 - Create Certificates
For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
for your Firewall.
Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields
matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for
matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
If you already have a CA roll out a server certificate and import
the CA itself via **System->Trust->Authorities** and the certificate with the key in
**System->Trust->Certificates**.
the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
:menuselection:`System --> Trust --> Certificates`.
-----------------------
Step 2 - Mobile Clients
-----------------------
First we will need to setup the mobile clients network and authentication source.
Go to **VPN->IPsec->Mobile Clients**
Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
For our example will use the following settings:
@ -131,20 +131,20 @@ Phase 2 proposal (SA/Key Exchange)
If you already had IPsec enabled and added Road Warrior setup, it is important to
restart the whole service via services widget in the upper right corner of IPSec pages
or via **System->Diagnostics->Services->Strongswan** since applying configuration only
or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
reloads it, but a restart also loads the required modules of strongSwan.
------------------------
Step 4 - Add IPsec Users
------------------------
Go to **System->Trust->Certificates** and create a new client certificate.
Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
certificate as PKCS12 and export it to you enduser device.
Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
Switch to :menuselection:`VPN -> IPsec -> Pre-Shared Keys` and press **Add**.
Enter the following into the form:
==================== ==========
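Review bot: The last changed line of this hunk uses single arrows, :menuselection:`VPN -> IPsec -> Pre-Shared Keys`, unlike the "-->" used two changes above it and in the rest of the commit. Sphinx will not convert "->" into the menu separator, so this path renders differently from its neighbours. Use `VPN --> IPsec --> Pre-Shared Keys`.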

@ -9,15 +9,15 @@ We assume that you are familiar with adding a new VPN connection.
The tests were done with Windows 7 and 10.
All screenshot were taken from **Network and Sharing Center->Change adapter settings**.
All screenshot were taken from :menuselection:`Network and Sharing Center --> Change adapter settings`.
---------------------------
Step 1 - Install Certificte
---------------------------
Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**.
Choose **Certificates->Add->Computer account**.
Hit the Windows Start button and type *mmc* in search box. Go to :menuselection:`File --> Add/Remove Snap-In`.
Choose :menuselection:`Certificates --> Add --> Computer account`.
Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
**All taks** and import. Select the Root CA and install.
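Review bot: The first changed line still reads "All screenshot were taken"; it should be "All screenshots". The unchanged context in the same hunk also has "Install Certificte" in the step heading and "All taks" for the context-menu entry, which are worth correcting while this file is open ("Certificate", "All tasks").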

@ -24,7 +24,7 @@ authentication methods e.g.
For the sample we will use a private ip for our WAN connection.
This requires us to disable the default block rule on WAN to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”.
*(Don't forget to save and apply)*
.. image:: images/block_private_networks.png
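Review bot: The changed line replaces the straight quotes around "Block private networks" with typographic quotes (“ ”), which is unrelated to the menu notation change and differs from the straight quotes used elsewhere in these documents. Keep the ASCII quotes, or mark the option name with ** ** like the other UI labels.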
@ -113,11 +113,11 @@ very error prone we will not cover it here.
:header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"
:widths: 40, 20, 20, 20, 20, 20, 20, 20
"IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`"
"IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`"
"IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`"
"IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
"IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`"
"IKEv2 EAP-MSCHAPv2","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-mschapv2`"
"IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-rsamschapv2`"
"IKEv2 EAP-RADIUS","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eapradius`"

@ -18,7 +18,7 @@ connection (you local network need to different than that of the remote network)
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”.
*(Dont forget to save and apply)*
.. image:: images/block_private_networks.png
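Review bot: The changed line introduces typographic quotes (“Block private networks”) where the old line had straight quotes, and the context line right below it still says "Dont forget". Keep the ASCII quotes and correct the neighbour to "Don't forget" so the sentence matches its other copies in this commit.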
@ -174,7 +174,7 @@ Full Network Diagram Including IPsec Tunnel
Firewall Rules Site A & Site B (part 1)
---------------------------------------
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
sites (under **Firewall->Rules->WAN**):
sites (under :menuselection:`Firewall --> Rules --> WAN`):
* Protocol ESP
* UDP Traffic on Port 500 (ISAKMP)
@ -190,7 +190,7 @@ sites (under **Firewall->Rules->WAN**):
-----------------------
Step 1 - Phase 1 Site A
-----------------------
(Under **VPN->IPsec->Tunnel Settings** Press **+**)
(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**)
We will use the following settings:
General information
@ -322,7 +322,7 @@ And Apply changes:
-----------------------
Step 3 - Phase 1 Site B
-----------------------
(Under **VPN->IPsec->Tunnel Settings** Press **+**)
(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**)
We will use the following settings:
General information
@ -455,7 +455,7 @@ Firewall Rules Site A & Site B (part 2)
---------------------------------------
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface (under **Firewall->Rules->IPsec**).
interface (under :menuselection:`Firewall --> Rules --> IPsec`).
.. image:: images/ipsec_ipsec_lan_rule.png
:width: 100%
@ -465,7 +465,7 @@ IPsec Tunnel Ready
------------------
The tunnel should now be up and routing the both networks.
Go to **VPN->IPsec->Status Overview** to see current status.
Go to :menuselection:`VPN --> IPsec --> Status Overview` to see current status.
Press on the **(i)** to see the details of the phase 2 tunnel(s), like this:
.. image:: images/ipsec_status.png

@ -17,7 +17,7 @@ It's compatible and tested for but not limited to:
Step 1 - General Settings
-------------------------
Go to **System->Settings->General->** and check that **Prefer IPv4 over IPv6**
Go to :menuselection:`System --> Settings --> General` and check that **Prefer IPv4 over IPv6**
is not ticked. This value is default so just check if it has been touched.
Also enable **Allow DNS server list to be overridden by DHCP/PPP on WAN** at the
@ -27,13 +27,13 @@ bottom, so you get the correct DNS servers if you just use IPv4 ones.
Step 2 - Allow IPv6
-------------------
Next go to **Firewall->Settings->Advanced** and verfiy that **Allow IPv6** is enabled.
Next go to :menuselection:`Firewall --> Settings --> Advanced` and verfiy that **Allow IPv6** is enabled.
--------------------------------
Step 3 - Interface Configuration
--------------------------------
In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in section
In :menuselection:`Interfaces --> [WAN]` and set **IPv6 Configuration Type** to DHCPv6 and in section
**DHCPv6 client configuration** at the bottom tick:
- Request only an IPv6 prefix
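Review bot: The Step 2 line is edited but keeps the typo "verfiy" (should be "verify"). In Step 3, the changed sentence "In :menuselection:`Interfaces --> [WAN]` and set ..." has no main clause; "Go to :menuselection:`Interfaces --> [WAN]` and set ..." would match the phrasing of the other steps.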
@ -42,7 +42,7 @@ In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in sect
Set the prefix size to the one your provider delegates, mostly /56 or 64, sometimes /48.
Then change to **Interfaces->LAN** and set **IPv6 Configuration Type** to **Track Interface**.
Then change to :menuselection:`Interfaces --> [LAN]` and set **IPv6 Configuration Type** to **Track Interface**.
At the bottom in section **Track IPv6 Interface** choose **IPv6 Interface** as WAN and for
**IPv6 Prefix ID** a value of 0 is perfectly fine.

@ -41,7 +41,7 @@ Step 1 - Add GIF tunnel
-----------------------
To configure OPNsense start with adding a new gif interface.
Go to **Interfaces->Other Types->GIF** and click on **Add** in the upper tight corner
Go to :menuselection:`Interfaces --> Other Types --> GIF` and click on **Add** in the upper tight corner
of the form.
Use the following settings and copy in the IPv4&6 addresses from your TunnelBroker's UI.
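Review bot: The changed line still says "in the upper tight corner"; this should be "upper right corner". Worth fixing in the same edit since the line is already being rewritten.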
@ -64,14 +64,14 @@ Step 2 - Configure the GIF tunnel as a new interface
----------------------------------------------------
The newly created GIF tunnel must now be assigned as a new interface.
Go to **Interfaces->Assignments**, select the GIF tunnel for **New interface**
Go to :menuselection:`Interfaces --> Assignments`, select the GIF tunnel for **New interface**
and click the **+** sign next to it.
Then under **Interfaces->[OPTX]** check **Enable Interface** and change the
Then under :menuselection:`Interfaces -> [OPTX]` check **Enable Interface** and change the
description to e.g. TUNNELBROKER before hitting **Save**.
The newly created interface must now be set as the default IPv6 gateway
under **System->Gateways->Single** by editing the new gateway entry
under :menuselection:`System --> Gateways --> Single` by editing the new gateway entry
TUNNELBROKER_TUNNELV6 and checking **Default Gateway** before saving.
-----------------------------
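Review bot: The second changed line uses a single arrow, :menuselection:`Interfaces -> [OPTX]`, while the lines before and after it in the same hunk use "-->". Only "-->" is converted into the menu separator, so this path will render with a literal "->". Change it to `Interfaces --> [OPTX]`.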
@ -103,7 +103,7 @@ Step 5 - Configure DHCPv6 SLAAC
-------------------------------
We'll next configure OPNsense for Stateless Address Auto Configuration (SLAAC).
We're going to set up the DHCPv6 service. Go to **Services->DHCPv6->Server**.
We're going to set up the DHCPv6 service. Go to :menuselection:`Services --> DHCPv6 --> Server`.
Simply choose a range for clients to use. Save your settings. Next go to the
Router Advertisements sub tab on that same page. Set the **Router Advertisements**

@ -20,7 +20,7 @@ It's a good idea to add the extra NIC interfaces ( OPTx ) during installation.
**Step Two**
-----------------
Create the bridge itself. Select Interfaces->Other Types->Bridge and ADD a new bridge. Select
Create the bridge itself. Select :menuselection:`Interfaces --> Other Types --> Bridge` and ADD a new bridge. Select
from the member interfaces the unused interfaces you wish to add to the bridge, OPT2,OPT3 etc.
.. image:: images/lan_bridge_1.png
@ -37,7 +37,7 @@ Now Save the new bridge.
**Step Three**
-----------------
Select Interfaces->Assignments and for the LAN interface, select the bridge previously created
Select :menuselection:`Interfaces --> Assignments` and for the LAN interface, select the bridge previously created
and Save.
.. image:: images/lan_bridge_3.png
@ -50,7 +50,7 @@ time for the interface to come back up, but keep refreshing the web interface un
**Step Four**
-----------------
The Original LAN interface is now unassigned and will need to be re-assigned. Go to
Interfaces->Assignments and in the New Interface box you will see the NIC itself ( igb*, em* ),
:menuselection:`Interfaces --> Assignments` and in the New Interface box you will see the NIC itself ( igb*, em* ),
select it and hit the '+' button to add an assignment, then click Save.
.. image:: images/lan_bridge_5.png
@ -58,7 +58,7 @@ select it and hit the '+' button to add an assignment, then click Save.
**Step Five**
-----------------
Select Interfaces->Other Types->Bridge and add the interface created in Step Four to the bridge
Select :menuselection:`Interfaces --> Other Types --> Bridge` and add the interface created in Step Four to the bridge
and Save, remember to check the new interface and ensure it is enabled as in Step Two.
.. image:: images/lan_bridge_4.png
@ -67,7 +67,7 @@ and Save, remember to check the new interface and ensure it is enabled as in Ste
**Step Six**
-----------------
We now need to make two changes to the System Tunables to ensure that filtering is carried
out on the bridge itself, and not on the member interfaces. Go to System->Settings->Tunables
out on the bridge itself, and not on the member interfaces. Go to :menuselection:`System --> Settings --> Tunables`
and select using the pen button net.link.bridge.pfil_member and set the value to 0.
.. image:: images/lan_bridge_6.png
@ -80,7 +80,7 @@ Select the tunable net.link.bridge.pfil_bridge and set the value to 1
**Final**
-----------------
Once complete, the Interface->Assignments should look similar to this:
Once complete, the :menuselection:`Interface --> Assignments` page should look similar to this:
.. image:: images/lan_bridge_8.png
:width: 100%
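Review bot: The new line under "Final" writes the menu as "Interface --> Assignments" (singular), while the earlier hunks of this same how-to use "Interfaces --> Assignments". Since the commit is about consistent menu notation, use the plural form here as well so the path matches the other steps.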

@ -50,7 +50,7 @@ Step 1 - Add monitor IPs
You may skip this step if you already have setup the monitoring IP and both gateways
are shown as online.
To add a monitoring IP go to **System->Gateways->Single** and click on the first pencil
To add a monitoring IP go to :menuselection:`System --> Gateways --> Single` and click on the first pencil
symbol to edit the first gateway.
Now make sure the following is configured:
@ -73,7 +73,7 @@ Now make sure the following is configured:
Step 2 - Add Gateway Group
--------------------------
Go to **System->Gateways->Group** and press **+ Add Group** in the upper right
Go to :menuselection:`System --> Gateways --> Group` and press **+ Add Group** in the upper right
corner.
Use the following settings:
@ -100,7 +100,7 @@ Use the following settings:
Step 3 - Configure DNS for each gateway
---------------------------------------
Go to **System->Settings->General** and make sure each gateway has its own DNS
Go to :menuselection:`System --> Settings --> General` and make sure each gateway has its own DNS
setup: like this:
DNS servers
@ -112,7 +112,7 @@ DNS servers
Step 4 - Policy based routing
-----------------------------
Go to **Firewall->Rules**
Go to :menuselection:`Firewall --> Rules`
For our example we will update the default LAN pass rule. Click on the pencil
next to this rule (*Default allow LAN to any rule*).
@ -155,7 +155,7 @@ Advanced Options
----------------
For each gateway there are several advanced options you can use to change the
default behavior/thresholds. These option can be changed under
**System->Gateways->Single**, press the pencil icon next to the Gateway you want
:menuselection:`System --> Gateways --> Single`, press the pencil icon next to the Gateway you want
to update.
The current options are:
@ -190,7 +190,7 @@ lead to unexpected behavior. To solve this you can use the option **Sticky Conne
this will make sure each subsequent request from the same user to the same website
is send through the same gateway.
To set this option can be set under **Firewall->Settings->Advanced**.
To set this option can be set under :menuselection:`Firewall --> Settings --> Advanced`.
Unequal Balancing (Weight)
--------------------------
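Review bot: The changed sentence "To set this option can be set under ..." is still ungrammatical after the notation change. While touching the line, reword it, for example "This option can be set under" followed by the menuselection role.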
@ -200,7 +200,7 @@ load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps th
set the weight of the first one to 1 and the second one to 2. This way the second
gateway will get twice as many traffic to handle than the first.
To do so, go to **System->Gateways->Single** and press the pencil icon next to the
To do so, go to :menuselection:`System --> Gateways --> Single` and press the pencil icon next to the
Gateway you want to update. The weight is defined under the advanced section.
------------------------------

@ -4,7 +4,7 @@ Configure Netflow Exporter
.. image:: images/netflow_exporter.png
Configuring the Netflow Exporter is a simple task. Go to **Reporting->NetFlow**.
Configuring the Netflow Exporter is a simple task. Go to :menuselection:`Reporting --> NetFlow`.
Select all **Interfaces** you want to collect/export data from, usually one would
select all available interfaces here.

@ -29,7 +29,7 @@ Configuration
Create Users
------------
Navigate to the "Accss -> IP ACL" tab.
Navigate to the :menuselection:`Access --> IP ACL` tab.
.. image:: images/nginx_ip_acl_01_list_view.png

@ -88,7 +88,7 @@ shown in the following screenshot:
Configuration Page
==================
Now in the configuration page under HTTP -> TLS Fingerprints there will be an
Now in the configuration page under :menuselection:`HTTP --> TLS Fingerprints` there will be an
entry for the created fingerprint, so it can be edited:
.. image:: images/nginx_fingerprint_settings.png

@ -7,11 +7,11 @@ Installation
------------
First of all, you have to install the ntopng plugin (os-ntopng) from the plugins view
reachable via **System->Firmware->Plugins**.
reachable via :menuselection:`System --> Firmware --> Plugins`.
After a page reload you will get a new menu entry under **Services** for ntopng. If you
don't have Redis plugin installed, you'll receive a warning in ntopng main menu. Please
go back to **System->Firmware->Plugins**, install os-redis, change to **Services->Redis**
go back to :menuselection:`System --> Firmware --> Plugins`, install os-redis, change to :menuselection:`Services --> Redis`
and just enable the service. That's enough to run ntopng.
----------------

@ -15,9 +15,9 @@ Palo Altos Global Protect will also be supported in future and of course the own
Step 1 - Installation
---------------------
Go to **System->Firmware->Plugins->** and search for **os-openconnect**.
Go to :menuselection:`System --> Firmware --> Plugins` and search for **os-openconnect**.
Install the plugin as usual, refresh and page and the you'll find the client via
**VPN->OpenConnect**.
:menuselection:`VPN --> OpenConnect`.
--------------
Step 2 - Setup
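Review bot: The context line between the two changed lines still reads "refresh and page and the you'll find the client via", which is garbled. Since the following line is rewritten anyway, fix the sentence in the same change, for example "refresh the page and you'll find the client via". Dropping the trailing "->" after Plugins is a good catch.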

@ -105,8 +105,8 @@ Click Save and then Apply.
-----------------
Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to Track
Interface
Select :menuselection:`Interfaces --> [LAN]` and set IPv4 to “Static IPv4” and IPv6 Configuration Type to
“Track Interface”.
.. image:: images/OF_image7.png
:width: 100%
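Review bot: The replacement lines introduce typographic quotes (“Static IPv4”, “Track Interface”) where the removed lines used straight quotes, and other hunks in this commit keep straight quotes (for example "Block private networks"). Keep straight ASCII quotes in the RST source, or mark the option values with the bold markup used elsewhere, so the docs stay consistent and searchable.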

@ -35,7 +35,7 @@ Configuring PAC
First Step: Creating Matches
----------------------------
Go to 'Services' -> Proxy -> Configuration and open Match
Go to :menuselection:`Services --> Proxy --> Configuration` and open Match
.. image:: images/pac_menu_match.png
@ -81,7 +81,7 @@ Host Pattern Wildcard for your internal domain
Second Step: Create Proxy Servers
---------------------------------
Now switch to PAC -> Proxies and add new proxy servers.
Now switch to :menuselection:`PAC --> Proxies` and add new proxy servers.
=========== ================================================================
Name Enter a name which will be shown at the rules view for selection
@ -124,7 +124,7 @@ Third Step: Create Rules
------------------------
Now as the matches and the proxies exist, rules can be built.
For that, switching to PAC -> Rules is required.
For that, switching to :menuselection:`PAC --> Rules` is required.
Now the following rule needs to be created:
@ -175,7 +175,7 @@ Variant 2: Manual Configuration
.. Warning::
When DNS is used, OPNsense must respond via HTTP on port 80.
Open the page Services -> Unbound DNS -> Overrides and add a new host override
Open the page :menuselection:`Services --> Unbound DNS --> Overrides` and add a new host override
for the `wpad` host:
.. image:: images/wpad_dns_unbound.png
@ -211,14 +211,14 @@ created:
http://wpad.example.com:80/wpad.dat
.. Warning::
If you have **HTTP Redirect** enabled via **System->Settings->Administration**,
If you have **HTTP Redirect** enabled via :menuselection:`System --> Settings --> Administration`,
make sure your browser accepts the certificate presented by OPNsense, as it won't
download wpad.dat if the certificate is untrusted.
Variant 2: Manual Configuration
-------------------------------
Open the page Services -> DHCP -> Server, select the correct interface and
Open the page :menuselection:`Services --> DHCP --> Server`, select the correct interface and
scroll down to the "Additional Options".
Add this line and save:

@ -52,7 +52,7 @@ traffic to make sure the unencrypted ICAP traffic can't be tapped.
Step 5 - Configure ICAP
-----------------------
To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings**
To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings**
for the **Forward Proxy** tab.
Select enable ICAP and filling the Request and Response URLs.

@ -44,7 +44,7 @@ Step 3 - Install and Configure the ClamAV and the C-ICAP plugins
Step 4 - Configure ICAP
-----------------------
To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings**
To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings**
for the **Forward Proxy** tab.
Select enable ICAP and filling the Request and Response URLs.

@ -24,7 +24,7 @@ For basic configuration please refer to :doc:`cachingproxy`.
Step 2 - Transparent HTTP
--------------------------------
Go to **Services->Proxy->Administration**
Go to :menuselection:`Services --> Proxy --> Administration`
Then select **General Forward Settings** under the **Forward Proxy Tab**.
@ -61,7 +61,7 @@ The defaults should be alright, just press **Save** and **Apply Changes**.
Step 4 - CA for Transparent SSL
--------------------------------------
Before we can setup transparent SSL/HTTPS proxy we need to create a Certificate
Authority. Go to **System->Trust->Authorities** or use the search box to get there
Authority. Go to :menuselection:`System --> Trust --> Authorities` or use the search box to get there
fast.
.. image:: images/search_ca.png
@ -90,7 +90,7 @@ For our example we use the following data:
Step 5 - Transparent SSL
-------------------------------------
Go to **Services->Proxy->Administration**
Go to :menuselection:`Services --> Proxy --> Administration`
Then select **General Forward Settings** under the **Forward Proxy Tab**.
Select **Enable SSL mode** and set **CA to use** to the CA you have just created.
@ -145,7 +145,7 @@ Step 8 - Configure OS/Browser
-----------------------------
Since the CA is not trusted by your browser, you will get a message about this
for each page you visit. To solve this you can import the Key into your OS and
set as trusted. To export the Key go to **System->Trust->Authorities** and click
set as trusted. To export the Key go to :menuselection:`System --> Trust --> Authorities` and click
on the icon to export the CA certificate. Of course one may choose to accept the
certificate for each page manually, but for some pages that may not work well unless
not bumped.

@ -28,7 +28,7 @@ For this tutorial we will assume:
-------------------------------
Step 1 - Disable Authentication
-------------------------------
To start go to **Services->Web Proxy->Administration**.
To start go to :menuselection:`Services --> Web Proxy --> Administration`.
Click on the arrow next to the **Forward Proxy** tab to show the drop down menu.
Now select **Authentication Settings** and click on **Clear All** to disable user
@ -87,7 +87,7 @@ of time as the first fetch as the adult alone section is ~15 MB.
---------------------
Step 5 - Enable Proxy
---------------------
To enable the proxy just go to **Services->Proxy Server->Administration** and
To enable the proxy just go to :menuselection:`Services --> Proxy Server --> Administration` and
check **Enable proxy** en click on **Apply**. The proxy will bind to LAN and port 3128.
It may take a while for the proxy to start and the play icon on the top right corner
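Review bot: The menu path in Step 5 is "Services --> Proxy Server --> Administration", but Step 1 of the same file uses "Services --> Web Proxy --> Administration" and the other proxy how-tos in this commit use "Services --> Proxy --> Administration". The notation is now uniform but the menu name is not; pick the label the GUI actually shows and use it in all three places. The next line also still has "en click on", which should be "and click on".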
@ -98,7 +98,7 @@ of the screen will turn red. Refresh the page to see if the proxy is done loadin
Step 6 - Disable Proxy Bypass
-----------------------------
To make sure no-one can bypass the proxy you need to add a firewall rule.
Go to **Firewall->Rules** and add the following to the top of the list rule on the
Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the
LAN interface (if LAN is where your clients and proxy are on).
============================ =====================
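Review bot: The changed line keeps the wording "add the following to the top of the list rule on the LAN interface", which is hard to parse in a step whose purpose is preventing proxy bypass. Suggest "add the following rule to the top of the list on the LAN interface" so the placement of the rule is unambiguous.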

@ -27,7 +27,7 @@ Connecting to the serial console
--------------------------------
If you already installed OPNsense via a non-serial installer, serial access needs to be turned on. To do this, open
the web interface, navigate to **System->Settings->Administration**, scroll down to 'Console' and set the primary or
the web interface, navigate to :menuselection:`System --> Settings --> Administration`, scroll down to 'Console' and set the primary or
secondary console to 'Serial console'. Note: this is **only** necessary if you already installed OPNsense, and did not
use the serial installer to do so. In all other cases (accessing BIOS, running the serial installer, connecting to an
installation that was done via serial), serial access is already available.

@ -55,7 +55,7 @@ has 10 Mbps Download and 1 Mbps Upload.
}
}
To start go to **Firewall->Shaper->Settings**.
To start go to :menuselection:`Firewall --> Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
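Review bot: This first shaper hunk uses "Firewall --> Shaper --> Settings", while the three later hunks in the same file use "Firewall --> Traffic Shaper --> Settings". The old text had the same mismatch, but a consistency pass is the right place to align them to one menu name.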
@ -215,7 +215,7 @@ Upload that we want to share evenly between all users.
}
To start go to **Firewall->Traffic Shaper->Settings**.
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
@ -344,7 +344,7 @@ users in such manner that each user will receive up to a maximum of 1 Mbps.
}
To start go to **Firewall->Traffic Shaper->Settings**.
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
@ -420,7 +420,7 @@ for the upload traffic.
| HTTPS (443) | | |
+----------------+--------+-------------------+
To start go to **Firewall->Traffic Shaper->Settings**.
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Download Pipe
------------------------------

@ -31,7 +31,7 @@ and give you configuration examples for:
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
*(Dont forget to save and apply)*
.. image:: images/block_private_networks.png
@ -98,7 +98,7 @@ For completeness of this how-to we will also prepare a user.
Configure TOTP server
---------------------
To configure a Time based One Time Password server go to **System->Access->Servers**
To configure a Time based One Time Password server go to :menuselection:`System --> Access --> Servers`
and click **Add** in the top right corner of the form.
.. TIP::
@ -125,7 +125,7 @@ Add Certificate Authority
-------------------------
The VPN server needs a certificate authority to sign client or server certificates.
To setup a new certificate authority go to **System->Trust->Authorities** and click
To setup a new certificate authority go to :menuselection:`System --> Trust --> Authorities` and click
**Add** in the top right corner of the form.
For our example we will use the following setting:
@ -149,7 +149,7 @@ Click **Save** to add the new Certificate Authority.
Create a Certificate
---------------------
After creating the Authority we will also need a certificate.
To create a new certificate, go to **System->Trust->Certificates** and click
To create a new certificate, go to :menuselection:`System --> Trust --> Certificates` and click
**Add** in the upper right corner of the form.
Fill in the form with (leave the rest default):
@ -174,7 +174,7 @@ Click **Save** to create the certificate.
Adding a User
-------------
To add a new user go to **System->Access->Users** and click **Add** in the top
To add a new user go to :menuselection:`System --> Access --> Users` and click **Add** in the top
right corner.
Creating a user will be done in two steps, the first one is adding a basic user
@ -220,7 +220,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding one that
uses our two factor authentication. This setup offers a good protection and it is
easy to setup on the clients as each client can use the same configuration.
Go to **VPN->OpenVPN->Servers** and click **Add** in the top right corner
Go to :menuselection:`VPN --> OpenVPN --> Servers` and click **Add** in the top right corner
of the form.
For our example will use the following settings:
@ -313,7 +313,7 @@ macOS & Windows
For macOS & Windows users we recommend using Viscosity from Sparklabs (https://www.sparklabs.com/viscosity/).
Viscosity is very easy to setup and use and works well on both platforms.
Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
the list. Leave everything default and Download the **Viscosity Bundle** from the
list of export options under **Client Install Packages**.
@ -351,7 +351,7 @@ Android
For Android users we recommend using OpenVPN for Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn)
from Arne Schwabe.
Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
the list. Leave everything default and Download the inline **Android** configuration from the
list of export options under **Client Install Packages**.
@ -366,7 +366,7 @@ iOS
For iOS users we recommend using OpenVPN Connect (https://itunes.apple.com/us/app/openvpn-connect/id590379981)
from OpenVPN Technologies.
Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
the list. Leave everything default and Download the inline **OpenVPN Connect** configuration from the
list of export options under **Client Install Packages**.
@ -388,7 +388,7 @@ factors are:
* Username/Password
* Token (TOTP)
Go to **VPN->OpenVPN->Servers** and click the pencil icon next to the server
Go to :menuselection:`VPN --> OpenVPN --> Servers` and click the pencil icon next to the server
we just created to change the 2FA to multi factor authentication.
Now change **Server Mode** to *Remote Access (SSL/TLS + User Auth)* and leave

@ -19,7 +19,7 @@ network).
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on WAN to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
*(Don't forget to save and apply)*
.. image:: images/block_private_networks.png
@ -181,7 +181,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding a server
that uses a shared key. This setup offers a good protection and it is
easy to setup.
Go to **VPN->OpenVPN->Servers** and click on click **Add** in the top right corner
Go to :menuselection:`VPN --> OpenVPN --> Servers` and click on click **Add** in the top right corner
of the form.
For our example will use the following settings (leave everything else on its default):
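Review bot: The rewritten line still says "click on click **Add**", a duplicated verb carried over from the old text. Reduce it to "click **Add**", matching the wording used in the other OpenVPN how-to hunks. The context line "For our example will use" is also missing "we".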
@ -279,7 +279,7 @@ however you may decide just to allow traffic to one or more IPs.
Step 4 - Site B Client
----------------------
Now we will have to setup the client.
Login to the second firewall, go to **VPN->OpenVPN->Clients** and click on
Login to the second firewall, go to :menuselection:`VPN --> OpenVPN --> Clients` and click on
**add client** in the upper right corner of the form.
Now enter the following into the form (and leave everything else default):
@ -306,7 +306,7 @@ Now enter the following into the form (and leave everything else default):
Now click on **Save** to apply your settings.
The Connection Status can be viewed under **VPN->OpenVPN->Connection Status**
The Connection Status can be viewed under :menuselection:`VPN --> OpenVPN --> Connection Status`
.. image:: images/sslvpn_connection_status.png
:width: 100%
@ -314,7 +314,7 @@ The Connection Status can be viewed under **VPN->OpenVPN->Connection Status**
------------------------------
Step 5 - Client Firewall Rules
------------------------------
To allow traffic from the remote network just add a rule under **Firewall->Rules**
To allow traffic from the remote network just add a rule under :menuselection:`Firewall --> Rules`
OpenVPN tab.
.. image:: images/sslvpn_firewall_rule_client.png

@ -60,7 +60,7 @@ Configuration in 10 easy steps
---------------------------------------
To disable outbound NAT, go to
**Firewall** -> **NAT** -> **Outbound**: Disable Outbound NAT rule generation
:menuselection:`Firewall --> NAT --> Outbound` and select “Disable Outbound NAT rule generation”.
|Filtering Bridge Step 1.png|
@ -68,13 +68,13 @@ To disable outbound NAT, go to
--------------------------
Enable filtering bridge by changing **net.link.bridge.pfil\_bridge**
from default to 1 in **System** -> **Settings** -> **System Tuneables**
from default to 1 in :menuselection:`System --> Settings --> System Tuneables`.
|Filtering Bridge Step 2.png|
And disable filtering on member interfaces by changing
**net.link.bridge.pfil\_member** from default to 0 in
**System** -> **Settings** -> **System Tuneables**
:menuselection:`System --> Settings --> System Tuneables`.
|Filtering Bridge Step2a.png|
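Review bot: Both changed lines name the page "System --> Settings --> System Tuneables", but the LAN bridge how-to in this same commit points to "System --> Settings --> Tunables" for the same net.link.bridge.pfil_bridge and net.link.bridge.pfil_member values. Use one spelling and one menu label in both documents, otherwise readers searching for the tunables page will find two different paths.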
@ -82,7 +82,7 @@ And disable filtering on member interfaces by changing
--------------------
Create a bridge of LAN and WAN, go to
**Interfaces** -> **Other Types** -> **Bridge** :Add Select LAN and WAN.
:menuselection:`Interfaces --> Other Types --> Bridge`. Add Select LAN and WAN.
|Filtering Bridge Step 3a.png|
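Review bot: After the change the step ends with ". Add Select LAN and WAN.", which no longer reads as an instruction. The old text ":Add Select LAN and WAN" suggests two actions; spell them out, something like "Click Add and select LAN and WAN as members."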
@ -95,13 +95,13 @@ To be able to configure and manage the filtering bridge (OPNsense)
afterwards, we will need to assign a new interface to the bridge and
setup an IP address.
Go to **Interfaces** -> **Assign** -> **Available network ports** , select
Go to :menuselection:`Interfaces --> Assign --> Available network port`, select
the bridge from the list and hit **+**.
|Filtering Bridge Step 4.png|
Now Add an IP address to the interface that you would like to use to
manage the bridge. Go to **Interfaces** -> **OPT1** enable the interface
manage the bridge. Go to :menuselection:`Interfaces --> [OPT1]`, enable the interface
and fill-in the ip/netmask.
5. Disable Block private networks & bogon
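Review bot: The first changed line turns "Available network ports" into "Available network port", dropping the plural, which looks unintended for a notation-only change. Restore the original label, and consider whether it belongs inside the menuselection role at all, since the sentence continues with selecting the bridge from a list on that page.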
@ -109,7 +109,7 @@ and fill-in the ip/netmask.
For the WAN interface we nee to disable blocking of private networks & bogus IPs.
Goto **Interfaces** -> **WAN** and unselect **Block private networks**
Go to :menuselection:`Interfaces --> [WAN]` and unselect **Block private networks**
and **Block bogon networks**.
|Filtering Bridge Step 5.png|
@ -117,7 +117,7 @@ and **Block bogon networks**.
6. Disable the DHCP server on LAN
---------------------------------
To disable the DCP server on LAN goto **Services** -> **DHCP Server** -> **LAN** and
To disable the DHCP server on LAN go to :menuselection:`Services --> DHCPv4 --> [LAN]` and
unselect enable.
|Filtering Bridge Step 6.png|
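Review bot: This line changes the menu name itself, from "DHCP Server" to "DHCPv4", not only the notation, and the PAC how-to in the same commit uses "Services --> DHCP --> Server" for what appears to be the same area. Please confirm which label is current and use it in both places; if the rename is intentional, mention it in the commit message. The typo fix from "DCP" to "DHCP" is good.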
@ -133,7 +133,7 @@ This step is to ensure we have a full transparent bridge without any filtering
taking place. You can setup the correct rules when you have confirmed the bridge
to work properly.
Goto **Firewall** -> **Rules** and add a rule per interface to allow all traffic
Go to :menuselection:`Firewall --> Rules` and add a rule per interface to allow all traffic
of any type.
|Filtering Bridge Step 7.png|
@ -146,14 +146,14 @@ ignored. So you can skip this step.
As we now have setup allow rules for each interface we can safely remove
the Anti Lockout rule on LAN
Goto **Firewall** -> **Settings** -> **Admin Access** :Anti-lockout and select
Go to :menuselection:`Firewall --> Settings --> Admin Access`: Anti-lockout and select
this option to disable
9. Set LAN and WAN interface type to 'none'
-------------------------------------------
Now remove the IP subnets in use for LAN and WAN by changing the
interface type to none. Goto **Interfaces** -> **LAN** & **Interfaces** -> **WAN**
interface type to none. Go to :menuselection:`Interfaces --> [LAN]` and :menuselection:`Interfaces --> [WAN]`
to do so.
|Filtering Bridge Step 9.png|

@ -17,7 +17,7 @@ with this 2FA solution.
--------------------------------------
Step 1 - Add New Authentication Server
--------------------------------------
To add a TOTP server go to **System->Access-Servers** and press **Add server** in
To add a TOTP server go to :menuselection:`System --> Access --> Servers` and press **Add server** in
the top right corner. Then fill in the form as follows:
====================== =================================== ========================================
@ -37,7 +37,7 @@ Install using the normal procedure for your device.
---------------------------
Step 3 - Add or modify user
---------------------------
For this example we will create a new user, go to **System->Access-Users** and click
For this example we will create a new user, go to :menuselection:`System --> Access --> Users` and click
on the plus sign in the lower right corner.
Enter a **Username** and **Password** and fill in the other fields just as you would
@ -106,7 +106,7 @@ Google Authenticator Android, iOS https://www.google.com/landing/2ste
Step 5 - Test the token
-----------------------
For testing the user authentication, OPNsense offers a simple tester.
Go to **System->Access->Tester**
Go to :menuselection:`System --> Access --> Tester`
Select the Authentication server you have configured, and enter the user name.
Then enter the ***token** + **password**, remember the order
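Review bot: The context line right after the change, "Then enter the ***token** + **password**", has unbalanced emphasis markers (three asterisks opening, two closing). Given that this commit also aims to fix build warnings, correct it to "**token** + **password**" here. The new "Go to" line also lacks a closing period.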

@ -20,7 +20,7 @@ You OPNsense firewall need to be fully configured and able to access the LDAP se
Step 1 - Add New LDAP server
----------------------------
To add a new LDAP server as authentication source, go to **System->Access->Servers**
To add a new LDAP server as authentication source, go to :menuselection:`System --> Access --> Servers`
and click on **Add server** the top right corner, just above the form.
Enter the following information:
@ -66,7 +66,7 @@ Enter the following information:
Step 2 - Test
--------------
To test if the server is configured correctly, go to **System->Access->Tester**
To test if the server is configured correctly, go to :menuselection:`System --> Access --> Tester`
and select your LDAP server and enter a valid username + password. Click on
**Test** and if everything is setup correctly it will show:
@ -84,7 +84,7 @@ If not (or your entered invalid credentials) it shows:
Step 3 - Import Users
---------------------
If you would like to give LDAP/Active Directory users access to the GUI, you need
to import the users into the local user manager. Go to **System->Access->Users**
to import the users into the local user manager. Go to :menuselection:`System --> Access --> Users`
you will see a cloud import icon at the lower right corner of the form.
.. image:: images/user_cloudimport.png
@ -97,7 +97,7 @@ A new form will be show with the individual users, select the ones you like to i
Step 4 - Update ldap user privileges
------------------------------------
Now if you go to **System->Access->Users** you will see all users including the
Now if you go to :menuselection:`System --> Access --> Users` you will see all users including the
newly imported ldap users. You can create a specific group for these users to
easily manage the privileges or use one of your earlier created groups.
@ -116,7 +116,7 @@ Step 5 - Update system access settings
Now we have configures, verified and imported the users from our LDAP server, we
need to change the default settings to allow LDAP users to login.
Go to **System->Access->Settings** and change the Authentication Server from
Go to :menuselection:`System --> Access --> Settings` and change the Authentication Server from
**Local Database** to your newly created **LDAP** server. Leave the fallback on
**Local Database** and click on **Save and Test**.

@ -10,7 +10,7 @@ the privileges for granting access to certain parts of the GUI (Web Configurator
Adding Users
------------
To add a new user go to **System->Access->Users** and click on the **+** sign at
To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at
the bottom right corner of the form.
========================== =========== =========================================================
@ -29,7 +29,7 @@ the bottom right corner of the form.
Creating Groups
---------------
Go to **System->Access->Groups** and click on the **+** sign in the lower right
Go to :menuselection:`System --> Access --> Groups` and click on the **+** sign in the lower right
corner of the form.
Enter a **Group name** and a **Description** and add users to the group.
@ -37,7 +37,7 @@ Enter a **Group name** and a **Description** and add users to the group.
Add privileges to a group
-------------------------
After creating a group the privileges can be added by editing the group.
Go to **System->Access-Groups** and click on the edit symbol (pencil) right next
Go to :menuselection:`System --> Access --> Groups` and click on the edit symbol (pencil) right next
to the group you like to change.
To assign privileges, just click on the pencil icon on the right of **Assigned Privileges**.
@ -58,7 +58,7 @@ User accounts can be used for logging in to the web frontend, as well as for log
serial or SSH). The latter will only work if the user's shell is not set to ``/sbin/nologin`` and if group the user is
part of is allowed SSH access.
In order to access OPNsense via SSH, SSH access will need to be configured via **System->Settings->Administration**.
In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`.
Under the "Secure Shell" heading, the following options are available:
============================ ==========================================================================

@ -2,7 +2,7 @@
Configuring Radius
==================
Configuring a Radius server for user authentication in services like vpn or captive portal
is easy just go to **System->Access->Servers** and click on **Add server** in the top right corner.
is easy just go to :menuselection:`System --> Access --> Servers` and click on **Add server** in the top right corner.
Fill in the form:
@ -16,6 +16,6 @@ Fill in the form:
**Authentication Timeout** 5 *Timeout for Radius to respond on requests*
============================== =============== =========================================================
Use the tester under **System->Access->Tester** to test the Radius server.
Use the tester under :menuselection:`System --> Access --> Tester` to test the Radius server.
If you want to use the FreeRADIUS plugin set up the server as 127.0.0.1 and don't forget to add a **Client** in the FreeRADIUS configuration.

@ -51,7 +51,7 @@ Step 3 - Assignments and Routing
--------------------------------
To let you internal clients go through the tunnel you have to add a NAT entry. Go to
**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual
:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual
or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
LAN network and set **Translation / target** to **interface address**.

@ -52,7 +52,7 @@ Step 2 - Assignments and Routing
--------------------------------
To let you internal clients go through the tunnel you have to add a NAT entry. Go to
**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual
:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual
or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
LAN network and set **Translation / target** to **interface address**.

@ -18,10 +18,10 @@ WireGuard as a central server or just as a client.
Step 1 - Installation
---------------------
Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings**
the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search
Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings`
the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search
for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client
via **VPN->WireGuard**.
via :menuselection:`VPN --> WireGuard`.
--------------------------------
Step 2a - Setup WireGuard Server
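Review bot: The context sentence directly above the changed ``via :menuselection:`VPN --> WireGuard`.`` line still reads "refresh and page and the you'll find the client". Since this paragraph is being rewritten anyway, correct it to "refresh the page and you'll find the client" in the same commit.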
@ -49,7 +49,7 @@ If you want to add more users just add them in **Endpoints** and link them via *
Step 2b - Setup Firewall
------------------------
On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your
On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can
set granular rules on connection inside your tunnel.
@ -61,10 +61,10 @@ Step 2c - Assignments and Routing
With this setup your clients can reach your internal networks when they add it vial **Tunnel Address**.
But what if you want to push all traffic via VPN in order to filter some streams out of it?
Then we have to assign the interface via **Interface->Assignments**, choose our instance (e.g. instance
Then we have to assign the interface via :menuselection:`Interface --> Assignments`, choose our instance (e.g. instance
0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address.
After this we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set
After this we can go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set
to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel
Network you use and **Translation / target** set to WAN address.
@ -73,7 +73,7 @@ Internet via your VPN.
When assigning interfaces we can also add gateways to them. This would offer you the chance to
balance traffic via different VPN providers or do more complex routing scenarios.
To do this, go to **System->Gateways->Single** and add a new gateway. Choose your WireGuard interface
To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose your WireGuard interface
and set the Gateway to **dynamic**.
-------------------------------

@ -20,10 +20,10 @@ and widely deployable. It is currently under heavy development.
Step 1 - Installation
---------------------
Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings**
the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search
Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings`
the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search
for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client
via **VPN->WireGuard**.
via :menuselection:`VPN --> WireGuard`.
------------------------
Step 2 - Setup WireGuard
@ -50,7 +50,7 @@ Now we can **Enable** the VPN in tab **General** and go on with the setup.
Step 3 - Setup Firewall
-----------------------
On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your
On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can
set granular rules on connection inside your tunnel.

@ -158,8 +158,8 @@ Depending on you hardware and use case different installation media are provided
and re-writes. For embedded (nano) versions memory disks for /var and /tmp are
applied by default to prolong CF (flash) card lifetimes.
To enable for non embedded versions: Enable **System⇒Settings⇒Miscellaneous⇒RAM** Disk
Settings; afterwards reboot. Consider to enable an external syslog server as well.
To enable for non embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
change the setting, then reboot. Consider to enable an external syslog server as well.
------------------------------
Media Filename Composition
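Review bot: The replacement line changes the menu target from "RAM Disk Settings" to "Disk / Memory Settings", but the hunk under "Minimum installation actions" still points at ``System --> Settings --> Miscellaneous --> RAM Disk Settings``. Use whichever label the GUI actually shows in both places. The new wording "change the setting, then reboot" also drops the information that it is the RAM disk option that has to be enabled; name the option explicitly.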
@ -225,7 +225,7 @@ OpenSSL and LibreSSL
OPNsense images are provided based upon `OpenSSL <https://www.openssl.org>`__.
The `LibreSSL <http://www.libressl.org>`__ flavor can be selected from within
the GUI ( System⇒Firmware⇒Settings ). In order to apply your choice an update
the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update
must be performed after save, which can include a reboot of the system.
.. image:: ./images/firmware_flavour.png
@ -422,7 +422,7 @@ Minimum installation actions
In case of a minimum install setup (i.e. on CF cards), OPNsense can
be run with all standard features, expect for the ones that require
disk writes, e.g. a caching proxy like Squid. Do not create a swap
slice, but a RAM Disk instead. In the GUI enable **System⇒Settings⇒Miscellaneous⇒RAM Disk Settings**
slice, but a RAM Disk instead. In the GUI enable :menuselection:`System --> Settings --> Miscellaneous --> RAM Disk Settings`*
and set the size to 100-128 MB or more, depending on your available RAM.
Afterwards reboot.
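Review bot: The new ``:menuselection:`` line in this hunk ends with a stray ``*`` after the closing backtick, left over from the old ``**...**`` markup. It leaves a dangling asterisk in the sentence, so drop it. The label here ("RAM Disk Settings") also differs from the "Disk / Memory Settings" label introduced in the earlier RAM disk hunk.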
@ -468,7 +468,7 @@ The other method to upgrade the system is via console option **12) Upgrade from
.. rubric:: GUI
:name: gui
An update can be done through the GUI via **System⇒Firmware⇒Updates**.
An update can be done through the GUI via :menuselection:`System --> Firmware --> Updates`.
.. image:: ./images/firmware-update.png
:width: 100%

@ -10,14 +10,14 @@ with the settings of the component they belong to. The log files can be found he
System
------
============================= ================================ =============================================================
**System Log** **System->Log Files->General** *Most of all system related events go here*
**Backend / config daemon** **System->Log Files->Backend** *Here you can find logs for config generation of API usage*
**Web GUI** **System->Log Files->Web GUI** *Lighttpd, the webserver of OPNsense itself, logs here*
**Firmware** **System->Firmware->Log File** *Updates from the packaging system go here*
**Gateways** **System->Gateways->Log File** *Lists Dpinger gateway tracking related log messages*
**Routing** **System->Routes->Log File** *Routing changes or interface events*
============================= ================================ =============================================================
============================= =================================================== =============================================================
**System Log** :menuselection:`System --> Log Files --> General` *Most of all system related events go here*
**Backend / config daemon** :menuselection:`System --> Log Files --> Backend` *Here you can find logs for config generation of API usage*
**Web GUI** :menuselection:`System --> Log Files --> Web GUI` *Lighttpd, the webserver of OPNsense itself, logs here*
**Firmware** :menuselection:`System --> Firmware --> Log File` *Updates from the packaging system go here*
**Gateways** :menuselection:`System --> Gateways --> Log File` *Lists Dpinger gateway tracking related log messages*
**Routing** :menuselection:`System --> Routes --> Log File` *Routing changes or interface events*
============================= =================================================== =============================================================
.. Note::
Log files on file system:
@ -32,10 +32,10 @@ System
Interfaces
----------
==================== ========================================== ===================================================================
**Wireless** **Interfaces->Wireless->Log File** *When using wireless features of OPNsense you find the logs here*
**Point-to-Point** **Interfaces->Point-to-Point->Log File** *PPP dialup logs like PPPoE are found here*
==================== ========================================== ===================================================================
==================== ============================================================== ===================================================================
**Wireless** :menuselection:`Interfaces --> Wireless --> Log File` *When using wireless features of OPNsense you find the logs here*
**Point-to-Point** :menuselection:`Interfaces --> Point-to-Point --> Log File` *PPP dialup logs like PPPoE are found here*
==================== ============================================================== ===================================================================
.. Note::
Log files on file system:
@ -46,10 +46,10 @@ Interfaces
Firewall
--------
================ ===================================== =============================================================================
**Live View** **Firewall->Log Files->Live View** *View firewall logs in realtime, smart filtering can be applied*
**Plain View** **Firewall->Log Files->Plain View** *Just the plain contents how **pf** logs into **filter.log** *
================ ===================================== =============================================================================
================ ======================================================== =============================================================================
**Live View** :menuselection:`Firewall --> Log Files --> Live View` *View firewall logs in realtime, smart filtering can be applied*
**Plain View** :menuselection:`Firewall --> Log Files --> Plain View` *Just the plain contents how **pf** logs into **filter.log** *
================ ======================================================== =============================================================================
.. Note::
Log files on file system:
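Review bot: The **Plain View** row keeps its description as ``*Just the plain contents how **pf** logs into **filter.log** *`` in the rewritten table. reStructuredText does not support nested inline markup, and the final ``*`` is preceded by a space, so it cannot close the emphasis. As this row is being re-emitted anyway, simplify it to a single emphasis span without the inner ``**`` and without the space before the closing ``*``.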
@ -59,10 +59,10 @@ Firewall
VPN
---
================= ============================ =====================================
**IPsec Log** **VPN->IPsec->Log File** *Everything around IPsec goes here*
**OpenVPN Log** **VPN->OpenVPN->Log File** *OpenVPN logs everything here*
================= ============================ =====================================
================= =============================================== =====================================
**IPsec Log** :menuselection:`VPN --> IPsec --> Log File` *Everything around IPsec goes here*
**OpenVPN Log** :menuselection:`VPN --> OpenVPN --> Log File` *OpenVPN logs everything here*
================= =============================================== =====================================
.. Note::
Log files on file system:
@ -73,16 +73,16 @@ VPN
Services
--------
========================= ============================================= =============================================
**Captive Portal** **Services->Captive Portal->Log File** *Events from Captive Portal go here*
**DHCPv4** **Services->DHCPv4->Log File** *DHCP events get logged here*
**Dnsmasq DNS** **Services->Dnsmasq DNS->Log File** *The DNSmasq Forwarder logs*
**HAProxy** **Services->HAProxy->Log File** *The logs of the Reverse Proxy*
**Intrusion Detection** **Services->Intrusion Detection->Log File** *Suricata Logs are here*
**Network Time** **Services->Network Time->Log File** *NTP daemon logs*
**Unbound DNS** **Services->Unbound DNS->Log File** *Unbound resolver logs can be found here*
**Web Proxy** **Services->Web Proxy->Log File** *Squid access.log, store.log and cache.log*
========================= ============================================= =============================================
========================= ================================================================ =============================================
**Captive Portal** :menuselection:`Services --> Captive Portal --> Log File` *Events from Captive Portal go here*
**DHCPv4** :menuselection:`Services --> DHCPv4 --> Log File` *DHCP events get logged here*
**Dnsmasq DNS** :menuselection:`Services --> Dnsmasq DNS --> Log File` *The DNSmasq Forwarder logs*
**HAProxy** :menuselection:`Services --> HAProxy --> Log File` *The logs of the Reverse Proxy*
**Intrusion Detection** :menuselection:`Services --> Intrusion Detection --> Log File` *Suricata Logs are here*
**Network Time** :menuselection:`Services --> Network Time --> Log File` *NTP daemon logs*
**Unbound DNS** :menuselection:`Services --> Unbound DNS --> Log File` *Unbound resolver logs can be found here*
**Web Proxy** :menuselection:`Services --> Web Proxy --> Log File` *Squid access.log, store.log and cache.log*
========================= ================================================================ =============================================
.. Note::
Log files on file system:
@ -102,7 +102,7 @@ Circular Logs
-------------
Most of the core features log to circular log files so they will not grow bigger
than a predefined size. You can tune this value via **System->Settings->Logging**.
than a predefined size. You can tune this value via :menuselection:`System --> Settings --> Logging`.
There, you can also disable the writing of logs to disk or reset them all.
You can view the contents via CLI with:

@ -10,7 +10,7 @@ configuration options explained in more detail afterwards, along with some cavea
Global setup
------------
Navigate to **Services->Monit->Settings**. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes.
Navigate to :menuselection:`Services --> Monit --> Settings`. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes.
Then, navigate to the “Alert settings” and add one for your e-mail address. If your mail server requires the “From” field
to be properly set, enter ``From: sender@example.com`` in the “Mail format” field. Save the alert and apply the changes.
@ -85,7 +85,7 @@ Save and apply.
Settings overview
-----------------
Navigate to **Services->Monit->Settings**. You will see four tabs, which we will describe in more detail below
Navigate to :menuselection:`Services --> Monit --> Settings`. You will see four tabs, which we will describe in more detail below
^^^^^^^^^^^^^^^^
General Settings
@ -242,5 +242,5 @@ These include:
Status
------
The Monit status panel can be accessed via **Services->Monit->Status**. For every active service, it will show the status,
The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status,
along with extra information if the service provides it.

@ -17,7 +17,7 @@ OPNsense offers full support for exporting Netflow data to external collectors a
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
into its Graphical User Interface. It can be accessed via **Reporting->Netflow**.
into its Graphical User Interface. It can be accessed via :menuselection:`Reporting --> Netflow`.
------------------
Supported Versions

@ -6,7 +6,7 @@ Network Prefix Translation, shortened to NPTv6, is used to translate IPv6 addres
is to translate global ("WAN") IPs to local ones. In this regard, it is similar to NAT, although NPTv6 can only be
used to map addresses one-to-one, unlike NAT which typically translates one external IP to several internal ones.
NPTv6 routes are listed at **Firewall->NAT->NPTv6**. New rules can be added by clicking **Add** in the upper right
NPTv6 routes are listed at :menuselection:`Firewall --> NAT --> NPTv6`. New rules can be added by clicking **Add** in the upper right
corner. A quick overview of the fields:
============================= =======================================================================================================================================================================

@ -5,7 +5,7 @@ System Health & Round Robin Data
.. image:: images/systemhealth_sample.png
:width: 100%
System Health is a dynamic view on RRD data gathered by the system. It can be accessed via **Reporting->Health**. It allows you
System Health is a dynamic view on RRD data gathered by the system. It can be accessed via :menuselection:`Reporting --> Health`. It allows you
to dive into different statistics that show the overall health and performance of
the system over time.

@ -10,14 +10,14 @@ the fortnightly updates adding a third number (e.g. 19.1.3 for the third update
Installing updates
------------------
Updates can be installed from the web interface, by going to **System->Firmware->Updates**. On this page, you can click
Updates can be installed from the web interface, by going to :menuselection:`System --> Firmware --> Updates`. On this page, you can click
**Check for updates** to search for updates. If they are available, a button will appear to install them.
---------------
Update settings
---------------
By navigating to **System->Firmware->Settings**, you can influence the firmware update settings:
By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL.
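Review bot: The first bullet under the changed ``System --> Firmware --> Settings`` line is labelled "**Fimware Mirror:**". That is a typo for "Firmware Mirror" and can be fixed in this pass along with the menu notation.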

@ -47,17 +47,17 @@ rights, called privileges.
Authentication services
----------------------------------
Authentication services can be configured using the settings in **System->Access->Servers**.
Authentication services can be configured using the settings in :menuselection:`System --> Access --> Servers`.
This includes both local accounts and remote authentication.
By default, OPNsense GUI login will use local accounts. This can be changed, however,
by going to **System->Settings->Administration**, scrolling down to the "Authentication" group,
by going to :menuselection:`System --> Settings --> Administration`, scrolling down to the "Authentication" group,
and changing the 'Server' option.
Local account configuration
---------------------------
Settings for handling login via local accounts can be set by going to **System->Access->Servers**,
Settings for handling login via local accounts can be set by going to :menuselection:`System --> Access --> Servers`,
then clicking the 'Edit' icon (a pencil) for 'Local Database'. Here, you can improve security of
local user accounts by setting password length and complexity constraints.

@ -14,7 +14,7 @@ For optimum performance and compatibility, these guides are given:
* Minimum required RAM is 1 GB
* Minimum recommended virtual disk size of 8 GB
* Disable all off-loading settings in **Interfaces->Settings**
* Disable all off-loading settings in :menuselection:`Interfaces --> Settings`
.. image:: images/disableoffloading.png
@ -25,7 +25,7 @@ VMware ESXi
VMware offers full instructions for installing FreeBSD, these can be found
`here <http://partnerweb.vmware.com/GOSIG/FreeBSD_11x.html>`__.
To install the VMware tools just goto **System->Firmware->Plugins** and install
To install the VMware tools just goto :menuselection:`System --> Firmware --> Plugins` and install
**os-vmware** by clicking on the **+** sign next to it.
.. image:: images/os-vmware.png
@ -39,7 +39,7 @@ To install the VMware tools just goto **System->Firmware->Plugins** and install
Xen
---
To install the Xen tools just goto **System->Firmware->Plugins** and install
To install the Xen tools just goto :menuselection:`System --> Firmware --> Plugins` and install
**os-xen** by clicking on the **+** sign next to it.
.. image:: images/os-xen.png
