From 5cb6b3a32504b96b77e3cbab003a4c9da0e83fee Mon Sep 17 00:00:00 2001 
From: Michael Steenbeek <42928941+MichaelDeciso@users.noreply.github.com> Date: Wed, 6 Mar 2019 18:27:21 +0100 Subject: [PATCH] Use consistent, RST menu notation; fix some build warnings (#144) --- source/_static/css/opnsense.css | 4 ++ .../development/components/authentication.rst | 4 +- source/manual/aliases.rst | 4 +- source/manual/certificates.rst | 2 +- source/manual/dashboard.rst | 2 +- source/manual/dhcp.rst | 6 +- source/manual/diagnostics.rst | 42 ++++++------- source/manual/dynamic_routing.rst | 2 +- source/manual/etpro_telemetry.rst | 12 ++-- source/manual/gui.rst | 2 +- source/manual/how-tos/IPv6_ZenUK.rst | 12 ++-- source/manual/how-tos/bind.rst | 8 +-- source/manual/how-tos/cachingproxy.rst | 10 +-- source/manual/how-tos/carp.rst | 18 +++--- source/manual/how-tos/cellular.rst | 12 ++-- source/manual/how-tos/changelog.rst | 2 +- source/manual/how-tos/cloud_backup.rst | 8 +-- source/manual/how-tos/dnscrypt-proxy.rst | 2 +- source/manual/how-tos/edrop.rst | 8 +-- source/manual/how-tos/guestnet.rst | 18 +++--- source/manual/how-tos/haproxy_howtos.rst | 2 +- source/manual/how-tos/insight.rst | 2 +- source/manual/how-tos/ips-feodo.rst | 6 +- source/manual/how-tos/ips-sslfingerprint.rst | 11 ++-- source/manual/how-tos/ipsec-road.rst | 17 +++-- source/manual/how-tos/ipsec-rw-android.rst | 2 +- .../manual/how-tos/ipsec-rw-srv-eapradius.rst | 14 ++--- source/manual/how-tos/ipsec-rw-srv-eaptls.rst | 14 ++--- .../how-tos/ipsec-rw-srv-ikev1xauth.rst | 16 ++--- .../manual/how-tos/ipsec-rw-srv-mschapv2.rst | 14 ++--- .../how-tos/ipsec-rw-srv-rsamschapv2.rst | 16 ++--- source/manual/how-tos/ipsec-rw-w7.rst | 6 +- source/manual/how-tos/ipsec-rw.rst | 18 +++--- source/manual/how-tos/ipsec-s2s.rst | 12 ++-- source/manual/how-tos/ipv6_dsl.rst | 8 +-- source/manual/how-tos/ipv6_tunnelbroker.rst | 10 +-- source/manual/how-tos/lan_bridge.rst | 12 ++-- source/manual/how-tos/multiwan.rst | 14 ++--- source/manual/how-tos/netflow_exporter.rst | 2 +- 
source/manual/how-tos/nginx_ip_acl.rst | 2 +- .../manual/how-tos/nginx_tls_fingerprints.rst | 2 +- source/manual/how-tos/ntopng.rst | 4 +- source/manual/how-tos/openconnect.rst | 4 +- source/manual/how-tos/orange_fr_fttp.rst | 4 +- source/manual/how-tos/pac.rst | 12 ++-- source/manual/how-tos/proxyicapantivirus.rst | 2 +- .../how-tos/proxyicapantivirusinternal.rst | 2 +- source/manual/how-tos/proxytransparent.rst | 8 +-- source/manual/how-tos/proxywebfilter.rst | 6 +- source/manual/how-tos/serial_access.rst | 2 +- source/manual/how-tos/shaper.rst | 8 +-- source/manual/how-tos/sslvpn_client.rst | 20 +++--- source/manual/how-tos/sslvpn_s2s.rst | 10 +-- source/manual/how-tos/transparent_bridge.rst | 22 +++---- source/manual/how-tos/two_factor.rst | 6 +- source/manual/how-tos/user-ldap.rst | 10 +-- source/manual/how-tos/user-local.rst | 8 +-- source/manual/how-tos/user-radius.rst | 4 +- .../manual/how-tos/wireguard-client-azire.rst | 2 +- .../how-tos/wireguard-client-mullvad.rst | 2 +- source/manual/how-tos/wireguard-client.rst | 14 ++--- source/manual/how-tos/wireguard-s2s.rst | 8 +-- source/manual/install.rst | 10 +-- source/manual/logging.rst | 62 +++++++++---------- source/manual/monit.rst | 6 +- source/manual/netflow.rst | 2 +- source/manual/nptv6.rst | 2 +- source/manual/systemhealth.rst | 2 +- source/manual/updates.rst | 4 +- source/manual/users.rst | 6 +- source/manual/virtuals.rst | 6 +- 71 files changed, 320 insertions(+), 316 deletions(-) diff --git a/source/_static/css/opnsense.css b/source/_static/css/opnsense.css index 1ee92f11..68df6649 100644 --- a/source/_static/css/opnsense.css +++ b/source/_static/css/opnsense.css @@ -4495,3 +4495,7 @@ span[id*='MathJax-Span'] { font-style: normal; font-weight: 700; src: local("Roboto Slab Bold"), local("RobotoSlab-Bold"), url(../fonts/RobotoSlab-Bold.ttf) format("truetype"); } + +.menuselection { + font-weight: bold; +} 
diff --git a/source/development/components/authentication.rst b/source/development/components/authentication.rst index e53250af..235b6e28 100644 --- a/source/development/components/authentication.rst +++ b/source/development/components/authentication.rst @@ -29,7 +29,7 @@ Authenticators & Connections ------------------------------ -Services within OPNsense can use different authentication methods, for which connections can be configured in **System-->Access-->Servers** +Services within OPNsense can use different authentication methods, for which connections can be configured in :menuselection:`System --> Access --> Servers` (e.g. the method can be **radius** which is offered through a server at a location). All of these methods use the same api defined in :code:`\OPNSense\Auth\IAuthConnector`, which comes with some simple to use handles. @@ -37,7 +37,7 @@ If a class in :code:`\OPNSense\Auth` implements :code:`IAuthConnector` it is con for the authenticator factory named :code:`AuthenticationFactory`. The factory provides a layer of abstraction around the different authentication concepts, for example a server defined in -**System-->Access-->Servers** can be requested using a simple :code:`(new AuthenticationFactory())->get('name');` +:menuselection:`System --> Access --> Servers` can be requested using a simple :code:`(new AuthenticationFactory())->get('name');` This connects the authenticator to the configured servers and the response object is ready to handle authentication requests. diff --git a/source/manual/aliases.rst b/source/manual/aliases.rst index ed691e95..07dba3bd 100644 --- a/source/manual/aliases.rst +++ b/source/manual/aliases.rst 
@@ -6,7 +6,7 @@ by selecting the alias name in the various supported sections of the firewall. These aliases are particularly useful to condense firewall rules and minimize changes. -Aliases can be added, modified and removed via **Firewall->Aliases**. +Aliases can be added, modified and removed via :menuselection:`Firewall --> Aliases`. ----------- Alias Types @@ -41,7 +41,7 @@ Sample :width: 100% **Apply changes** and look at the content of our newly created pf table. -Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube table. +Go to :menuselection:`Firewall --> Diagnostics --> pfTables` and select our newly created youtube table. .. image:: images/pftable_youtube.png :width: 100% diff --git a/source/manual/certificates.rst b/source/manual/certificates.rst index 23cb608d..81782f8d 100644 --- a/source/manual/certificates.rst +++ b/source/manual/certificates.rst @@ -5,7 +5,7 @@ Using certificates In OPNsense, certificates are used for ensuring trust between peers. To make using them easier, OPNsense allows creating certificates from the front-end. In addition to that, it also allows creating certificates for other purposes, avoiding the need to use the ``openssl`` command line tool. Certificates in OPNsense can be managed from -**System->Trust->Certificates**. +:menuselection:`System --> Trust --> Certificates`. Examples of OPNsense components that use certificates: * OpenVPN diff --git a/source/manual/dashboard.rst b/source/manual/dashboard.rst index 58d6757c..e83a8222 100644 --- a/source/manual/dashboard.rst +++ b/source/manual/dashboard.rst @@ -3,7 +3,7 @@ Dashboard ========= The Dashboard is the first page you will see after you log into OPNsense. -Additionally, it can be accessed via **Lobby->Dashboard**. The Dashboard provides an overview of your system status. +Additionally, it can be accessed via :menuselection:`Lobby --> Dashboard`. The Dashboard provides an overview of your system status. ------------- Configuration 
diff --git a/source/manual/dhcp.rst b/source/manual/dhcp.rst index 547b1cd5..56f9db9c 100644 --- a/source/manual/dhcp.rst +++ b/source/manual/dhcp.rst @@ -9,7 +9,7 @@ DHCP is available for both IPv4 and IPv6 clients, referred to as DHCPv4 and DHCP Settings overview ----------------- -DHCPv4 settings can be found at **Services -> DHCPv4**. DHCPv6 settings can be found at **Services -> DHCPv6**. +DHCPv4 settings can be found at :menuselection:`Services --> DHCPv4`. DHCPv6 settings can be found at :menuselection:`Services --> DHCPv6`. The DHCPv4 submenu further consists of: @@ -35,9 +35,9 @@ described in `RFC 1918 `_.) The LAN IP of the OPNsense device that serves DHCP to the LAN should fall in the same DHCP IP range. Typically, it gets the address ending in .1 (so 192.168.1.1) in this example. -To set the LAN IP, go to **Interfaces -> [LAN]**, set “IPv4 Configuration Type” to “Static”, and under +To set the LAN IP, go to :menuselection:`Interfaces --> [LAN]`, set “IPv4 Configuration Type” to “Static”, and under “Static IPv4 configuration”, set “IPv4 address” to ``192.168.1.1`` and the subnet dropdown to “24”. Then click Save. -To set the DHCP settings, go to **Services -> DHCPv4 -> [LAN]**. Under “Gateway”, put ``192.168.1.1``. Under range, +To set the DHCP settings, go to :menuselection:`Services --> DHCPv4 --> [LAN]`. Under “Gateway”, put ``192.168.1.1``. Under range, put ``192.168.1.100`` as the start address and ``192.168.1.200`` as the end address. Then click Save. After saving, click the “Apply Settings” button. \ No newline at end of file diff --git a/source/manual/diagnostics.rst b/source/manual/diagnostics.rst index 11224c05..51f94e44 100644 --- a/source/manual/diagnostics.rst +++ b/source/manual/diagnostics.rst 
@@ -6,27 +6,27 @@ In order to get more insight into your network, and to help solve problems, OPNs The tools can be found in three places: -* **System -> Diagnostics** -* **Interfaces -> Diagnostics** -* **Firewall -> Diagnostics** +* :menuselection:`System --> Diagnostics` +* :menuselection:`Interfaces --> Diagnostics` +* :menuselection:`Firewall --> Diagnostics` The following tools are available: -=================================================== =========================================================================== - **System -> Diagnostics -> Activity** Show executed commands - **System -> Diagnostics -> Services** Shows running services, allows starting/stopping/restarting - **Interfaces -> Diagnostics -> ARP Table** Show ARP table, which lists local connected IPv4 peers - **Interfaces -> Diagnostics -> DNS Lookup** Easy lookup of IPs and A records that belong to a hostname - **Interfaces -> Diagnostics -> NDP Table** Show NDP table, which lists local connected IPv6 peers - **Interfaces -> Diagnostics -> Packet capture** Capture packets travelling through an interface - **Interfaces -> Diagnostics -> Ping** Ping a hostname or IP address - **Interfaces -> Diagnostics -> Port Probe** Test if a host has a certain TCP port open and accepts connections on it - **Interfaces -> Diagnostics -> Trace Route** Trace route to a hostname or IP address - **Firewall -> Diagnostics -> pfInfo** General information and statistics for pf - **Firewall -> Diagnostics -> pfTop** Currently active pf states and routes - **Firewall -> Diagnostics -> pfTables** Shows IP addresses belonging to aliases - **Firewall -> Diagnostics -> Sockets** Shows listening sockets for IPv4 and IPv6 - **Firewall -> Diagnostics -> States Dump** Currently active states - **Firewall -> Diagnostics -> States Reset** Delete active states and source tracking (cancels connections) - **Firewall -> Diagnostics -> States Summary** Show states sorted by criteria like source IP, destination IP, … 
-=================================================== =========================================================================== +================================================================== =========================================================================== + :menuselection:`System --> Diagnostics --> Activity` Show executed commands + :menuselection:`System --> Diagnostics --> Services` Shows running services, allows starting/stopping/restarting + :menuselection:`Interfaces --> Diagnostics --> ARP Table` Show ARP table, which lists local connected IPv4 peers + :menuselection:`Interfaces --> Diagnostics --> DNS Lookup` Easy lookup of IPs and A records that belong to a hostname + :menuselection:`Interfaces --> Diagnostics --> NDP Table` Show NDP table, which lists local connected IPv6 peers + :menuselection:`Interfaces --> Diagnostics --> Packet capture` Capture packets travelling through an interface + :menuselection:`Interfaces --> Diagnostics --> Ping` Ping a hostname or IP address + :menuselection:`Interfaces --> Diagnostics --> Port Probe` Test if a host has a certain TCP port open and accepts connections on it + :menuselection:`Interfaces --> Diagnostics --> Trace Route` Trace route to a hostname or IP address + :menuselection:`Firewall --> Diagnostics --> pfInfo` General information and statistics for pf + :menuselection:`Firewall --> Diagnostics --> pfTop` Currently active pf states and routes + :menuselection:`Firewall --> Diagnostics --> pfTables` Shows IP addresses belonging to aliases + :menuselection:`Firewall --> Diagnostics --> Sockets` Shows listening sockets for IPv4 and IPv6 + :menuselection:`Firewall --> Diagnostics --> States Dump` Currently active states + :menuselection:`Firewall --> Diagnostics --> States Reset` Delete active states and source tracking (cancels connections) + :menuselection:`Firewall --> Diagnostics --> States Summary` Show states sorted by criteria like source IP, destination IP, … 
+================================================================== =========================================================================== diff --git a/source/manual/dynamic_routing.rst b/source/manual/dynamic_routing.rst index 69c3b23d..19844890 100644 --- a/source/manual/dynamic_routing.rst +++ b/source/manual/dynamic_routing.rst @@ -4,7 +4,7 @@ Dynamic Routing .. Warning:: With OPNsense version 19.1 the FRR package was updated to version 5. It's strongly advised to increase - the kern.ipc.maxsockbuf value via **Tunables**. Go to **System->Settings->Tunables** and check if there + the kern.ipc.maxsockbuf value via **Tunables**. Go to :menuselection:`System --> Settings --> Tunables` and check if there is already a tunable for maxsockbuf and set it to 16777216 if it's lower. Otherwise add a new one with name above and the specified value. diff --git a/source/manual/etpro_telemetry.rst b/source/manual/etpro_telemetry.rst index 26aca69b..b6b51d16 100644 --- a/source/manual/etpro_telemetry.rst +++ b/source/manual/etpro_telemetry.rst @@ -65,7 +65,7 @@ plugin First we need to install the required plugin, which is responsible for collecting the telemetry data and provides access to the ET Pro ruleset. -1. Go to **System->Firmware->Updates** +1. Go to :menuselection:`System --> Firmware --> Updates` 2. press "Check for updates" in the upper right corner. 3. open the tab "Plugins" and search for `os-etpro-telemetry` 4. when found, click on the [+] sign on the right to install the plugin 
@@ -78,7 +78,7 @@ register token Next step is to register your token in OPNsense and enable rulesets. -1. Go to **Services->Intrusion Detection->Administration** +1. Go to :menuselection:`Services --> Intrusion Detection --> Administration` 2. Click on the "Download" tab, which should show you a list of available rules. 3. Enable all categories you would like to monitor in the "ET telemetry" section, if in doubt enable all and monitor the alerts later (select on the right and use the enable selected button on top) @@ -93,7 +93,7 @@ Schedule updates To download the rulesets automatically on a daily bases, you can add a schedule for this task. -1. Go to **Services->Intrusion Detection->Administration** +1. Go to :menuselection:`Services --> Intrusion Detection --> Administration` 2. Click on the "Schedule" tab 3. A popup for the update task appears, enable it using the checkbox on top, and click "save changes" @@ -104,10 +104,10 @@ Subscription status To validate your subscription, we recommend to add the widget to the dashboard. -1. Go to the dashboard **Lobby->Dashboard** +1. Go to the dashboard :menuselection:`Lobby --> Dashboard` 2. Click on "Add widget" in the top right corner, click "Telemetry status" in the list 3. Close dialog and click "Save settings" on the right top of the dashboard -4. Open **Lobby->Dashboard** again to refresh the content +4. Open :menuselection:`Lobby --> Dashboard` again to refresh the content When everything is setup properly and the plugin can reach Proofpoint, it will show something like: @@ -131,7 +131,7 @@ In case your sensor can't communicate to the outside world, the widget shows an .. Note:: - The system log (**System->Log Files->General**) might contain more information, search for *emergingthreats* + The system log (:menuselection:`System --> Log Files --> General`) might contain more information, search for *emergingthreats* -------------------------------------- 
diff --git a/source/manual/gui.rst b/source/manual/gui.rst index b8727c3f..a31990b1 100644 --- a/source/manual/gui.rst +++ b/source/manual/gui.rst @@ -70,7 +70,7 @@ User & Local domain ------------------- In the right corner just to the left of the quick navigation you will see your username and the full domain name the firewall is configured with -(to change firewall name, go to **System->Setting->General**). +(to change firewall name, go to :menuselection:`System --> Setting --> General`). Content Area diff --git a/source/manual/how-tos/IPv6_ZenUK.rst b/source/manual/how-tos/IPv6_ZenUK.rst index 86caebbd..2419e443 100644 --- a/source/manual/how-tos/IPv6_ZenUK.rst +++ b/source/manual/how-tos/IPv6_ZenUK.rst @@ -55,7 +55,7 @@ Click ‘Save’ and then ‘Apply’. All that is required now is to set the LAN interface to use assigned IPv6 prefix. -Select Interfaces->LAN and set the IPv6 Configuration Type to ‘Track +Select :menuselection:`Interfaces --> [LAN]` and set the IPv6 Configuration Type to ‘Track Interface’ .. image:: images/ZenUK_image3.png @@ -88,7 +88,7 @@ servers. **Create Gateway** ------------------ Firstly, we do need to set up a gateway, this is for monitoring more -than anything else. Select Gateways->All then click ‘Add Gateway’. +than anything else. Select :menuselection:`Gateways --> All` then click ‘Add Gateway’. Now, we know that Zen give us a /64 on our WAN interface, for example. @@ -114,9 +114,9 @@ Click Save. **WAN Interface** ----------------- Once we have our gateway in place we can then set up the WAN interface. -Select Interfaces->WAN. +Select :menuselection:`Interfaces --> [WAN]`. -Go to IPv6 Configuration Type and Select Static IPv6. +Go to IPv6 Configuration Type and select Static IPv6. .. image:: images/ZenUK_image6.png :width: 100% 
@@ -171,8 +171,8 @@ Click Save and Apply. ----------------- When using DHCPv6 on the WAN, our DHCPv6 LAN server is set -automatically, however when using statics, we need to set it up. Goto -Services->DHCPv6[LAN] +automatically, however when using statics, we need to set it up. Go to +:menuselection:`Services --> DHCPv6[LAN]`. Firstly, enable the server. diff --git a/source/manual/how-tos/bind.rst b/source/manual/how-tos/bind.rst index 1775b950..67555a02 100644 --- a/source/manual/how-tos/bind.rst +++ b/source/manual/how-tos/bind.rst @@ -22,8 +22,8 @@ For version 2.0 it is planned to offer full zone-file management. Installation ------------ -First of all, go to **System->Firmware->Plugins** and install **os-bind**. -You will finde the plugin at **Services->BIND**. +First of all, go to :menuselection:`System --> Firmware --> Plugins` and install **os-bind**. +You will finde the plugin at :menuselection:`Services --> BIND`. ---------------- General Settings @@ -70,7 +70,7 @@ DNSBL so it is whitelisted before the blacklists come into play. The Blacklists are downloaded and updated with every **Save** within BIND configuration. -For production use you can go to **System->Settings->Cron** and add a cronjob. On the +For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the dropdown list you'll find the corret task under **Command**. Set the refresh interval as you wish and save. This will trigger an update of the selected lists and reload BIND. @@ -89,7 +89,7 @@ Advanced -------- Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting, -you can set in **Services->Unbound DNS->General->Custom Options**. +you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`. .. code-block:: none diff --git a/source/manual/how-tos/cachingproxy.rst b/source/manual/how-tos/cachingproxy.rst index a7812edd..e6e3bdd3 100644 --- a/source/manual/how-tos/cachingproxy.rst 
+++ b/source/manual/how-tos/cachingproxy.rst @@ -9,7 +9,7 @@ Setup Caching Proxy Enable / Disable ---------------- The proxy is delivered with sane default settings for easy setup. -To enable the proxy just go to **Services->Web Proxy->Administration** and +To enable the proxy just go to :menuselection:`Services --> Web Proxy --> Administration` and check **Enable proxy** en click on **Apply**. The default will enable the proxy with User Authentication based on the local user database and runs on port 3128 of the lan interface. @@ -42,7 +42,7 @@ Check the **Enable local cache** and click **Apply**. .. Important:: As the cache is not created by default you will need to stop and start the service - under **Services->Diagnostics**, this will ensure correct creation of the cache. + under :menuselection:`Services --> Diagnostics`, this will ensure correct creation of the cache. Advanced -------- @@ -60,7 +60,7 @@ Now select **Authentication Settings** and select the desired Authenticator(s) i the field **Authentication method**. Click on **Clear All** if you do not want to use any authentication. -Depending on the Authentication Servers you have setup under **System->Access->Servers** +Depending on the Authentication Servers you have setup under :menuselection:`System --> Access --> Servers` You can select one or more of the following: * No Authentication (leave field blank) @@ -118,7 +118,7 @@ This list is a simple flat list that looks like this: 207.net 247media.com -Go to **Services->Web Proxy->Administration** and click on the tab **Remote +Go to :menuselection:`Services --> Web Proxy --> Administration` and click on the tab **Remote Access Control Lists** Now click on the **+** at the bottom right corner of the form to add a new list. 
@@ -146,7 +146,7 @@ Now click on **Download ACLSs & Apply** to enable the blacklist/ad blocker. Firewall Rule No Proxy Bypass ----------------------------- To make sure no-one can bypass the proxy you need to add a firewall rule. -Go to **Firewall->Rules** and add the following to the top of the list rule on the +Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the LAN interface (if LAN is where your clients and proxy are on). ============================ ===================== diff --git a/source/manual/how-tos/carp.rst b/source/manual/how-tos/carp.rst index 76d3a9d1..b1c33621 100644 --- a/source/manual/how-tos/carp.rst +++ b/source/manual/how-tos/carp.rst @@ -65,7 +65,7 @@ security reasons (state injection) as for performance. OPNsense includes a mechanism to keep the configuration of the backup server in sync with the master. This mechanism is called XMLRPC sync and -can be found under System -> High Availability. +can be found under :menuselection:`System --> High Availability --> Settings`. ----------------------------------------- Setup interfaces & basic firewall rules @@ -73,7 +73,7 @@ Setup interfaces & basic firewall rules .. Warning:: Make sure the interface assignments on both systems are identical! - Via **Interfaces->Overview** you can check if e.g. DMZ is opt1 on + Via :menuselection:`Interfaces --> Overview` you can check if e.g. DMZ is opt1 on both machines. When the assigments differ you will have mixed Master and Backup IPs on both machines. 
@@ -95,7 +95,7 @@ setup the following addresses and subnets: +-----------------------+ Next we need to make sure the appropriate protocols can be used on the -different interfaces, go to firewall -> rules and make sure both LAN and +different interfaces, go to :menuselection:`Firewall --> Rules` and make sure both LAN and WAN accept at least CARP packets (see protocol selection). Because we're connecting both firewalls using a direct cable connection, we will add a single rule to accept all traffic on all protocols for that specific @@ -132,7 +132,7 @@ Setup Virtual IPs On the master node we are going to setup our Virtual IP addresses, which will also be used for the backup node after synchronisation. Go to -Firewall -> Virtual IPs and add a new one with the following +:menuselection:`Firewall --> Virtual IPs` and add a new one with the following characteristics: +-------------------------+------------------------------------+ @@ -178,7 +178,7 @@ IP address to make a seamless migration possible. The default for OPNsense is to use the interfaces IP address, which is in our case the wrong one. -Go to Firewall -> NAT and select outbound nat. Choose manual outbound +Go to :menuselection:`Firewall --> NAT --> Outbound`. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100). @@ -207,7 +207,7 @@ Setup HA sync (xmlrpc) and pfSync --------------------------------- First we should enable pfSync using our dedicated interface using the -master firewall. Go to System -> High Availability, enable pfSync and +master firewall. Go to :menuselection:`System --> High Availability --> Settings`, enable pfSync and select the interface used for pfSync. Next setup the peer IP to the other hosts address (10.0.0.2). 
@@ -236,13 +236,13 @@ firewalls before testing. Testing setup ------------- -First go to Status -> Carp in the OPNsense webinterface and check if +First go to :menuselection:`System --> High availability --> Status` in the OPNsense webinterface and check if both machines are properly initialized. To test our setup, we will connect a client to the local area network and open a ssh connection to a host behind both firewalls. Now when connected you should be able to look at the state table on both OPNsense -firewalls (Diagnostics -> States) and they should both display the same +firewalls (:menuselection:`Firewall --> Diagnostics --> States Dump`) and they should both display the same connection. Next try to pull the network plug from the master firewall and it should move over to the backup without loosing (or freezing) the ssh connection. @@ -271,7 +271,7 @@ downtime. To keep the downtime at a minimum when running updates just follow these steps: - Update your secondary unit and wait until it is online again -- On your primary unit go to **Firewall->Virtual IP's->Status** and hit **Enter Persistent CARP Maintenance Mode** +- On your primary unit go to :menuselection:`Firewall --> Virtual IPs --> Status` and click **Enter Persistent CARP Maintenance Mode** - You secondary unit is now *MASTER*, check if all services like DHCP, VPN, NAT are working correctly - If you ensured the update was fine, update your primary unit and hit **Leave Persistent CARP Maintenance Mode** diff --git a/source/manual/how-tos/cellular.rst b/source/manual/how-tos/cellular.rst index d5435e52..629bec7c 100644 --- a/source/manual/how-tos/cellular.rst +++ b/source/manual/how-tos/cellular.rst 
@@ -99,7 +99,7 @@ Once the SIM card is ready, quit ``cu`` with ``~.``. Step 2 - Configure Point to Point device ---------------------------------------- -Go to **Interfaces->Point-to-Point->Devices** and click on **Add** in the upper +Go to :menuselection:`Interfaces --> Point-to-Point --> Devices` and click on **Add** in the upper right corner of the form. Fill in the form like this (Example is for Dutch Mobile 4G KPN Subscription): @@ -129,7 +129,7 @@ Click **Save** to apply the settings. --------------------------------- Step 3 - Assign the WAN interface --------------------------------- -To assign the interface go to **Interfaces->Assignments** in our case we will make +To assign the interface go to :menuselection:`Interfaces --> Assignments` in our case we will make this our primary internet connection and change the WAN assignment accordingly. To do so just change the **Network port** for **WAN** to **ppp0 (/dev/cuaU0.0) - 4G Cellular Network**. @@ -145,7 +145,8 @@ the one of you cellular connection. ------------------------ Step 4 - Troubleshooting ------------------------ -In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to: **Interfaces->Point-to-Point->Log File**. If you are +In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to: +:menuselection:`Interfaces --> Point-to-Point --> Log File`. If you are lucky you can see what went wrong directly in the log. Unfortunately, the PPP log is not very informative so it might not help at all. 
@@ -164,10 +165,11 @@ providers required factory resets (for whatever reason) to get them to work prop Some Sierra Wireless modems still seem to need a specific init string to work properly. One that seems to work for multiple users and LTE cards is ``&F0E1Q0 +CMEE=2``. In any case you should first try without init string and only give it - a try if you could not get any connection without. You can add this in **Interfaces->Point-to-Point->Devices->Your particular device->Advanced Options->Init String**. + a try if you could not get any connection without. You can add this in + :menuselection:`Interfaces --> Point-to-Point --> Devices --> Your particular device --> Advanced Options --> Init String`. When the device seems to work properly then checkout if the interface was assigned -an IP address, go to **Interfaces->Overview** and click on the WAN interface to +an IP address, go to :menuselection:`Interfaces --> Overview` and click on the WAN interface to see the details. You should see an IP address, Gateway IP and ISP DNS server(s). diff --git a/source/manual/how-tos/changelog.rst b/source/manual/how-tos/changelog.rst index e008eb93..33a629d1 100644 --- a/source/manual/how-tos/changelog.rst +++ b/source/manual/how-tos/changelog.rst @@ -8,7 +8,7 @@ if they are growing rapidly so the changelog does not fit into core anymore. Core ==== -Core offers a changelog section in the area **System -> Firmware** as an own menu or the dialog will +Core offers a changelog section in the area :menuselection:`System --> Firmware` as an own menu or the dialog will automatically open in case of an available update. To open a changelog manually, you can open the Changelog tab, and click the book: diff --git a/source/manual/how-tos/cloud_backup.rst b/source/manual/how-tos/cloud_backup.rst index bac00657..08f08c38 100644 --- a/source/manual/how-tos/cloud_backup.rst +++ b/source/manual/how-tos/cloud_backup.rst 
@@ -65,11 +65,11 @@ First we need to have a project in the google developer console: doesn't really matter for this. - Enable the Drive API - - In the left menu APIs -> "Drive API" -> Enable + - In the left menu :menuselection:`APIs --> "Drive API" --> Enable` - Open the project and start to create an API key - - In the left menu : APIs & auth -> Credentials + - In the left menu: :menuselection:`APIs & auth --> Credentials` - Click on the button "Create new Client ID" - Choose "Service account", followed by "Create Client ID" @@ -98,7 +98,7 @@ Next thing is to create a folder in Google Drive and share it to the :name: setup-the-account-in-opnsense Now we can put it all together, login to your OPNsense firewall and go -to the backup feature. It is located at **System->Configuration->Backups**. +to the backup feature. It is located at :menuselection:`System --> Configuration --> Backups`. .. image:: ./images/600px-Google_Drive_Backup_screenshot.png :width: 100% @@ -145,7 +145,7 @@ Copy and store the generated password. .. image:: images/nextcloud_config.png -Scroll to the Nextcloud Section in System -> Config -> Backup and enter the +Scroll to the Nextcloud Section in :menuselection:`System --> Config --> Backup` and enter the following values: ================ ====================================================================== diff --git a/source/manual/how-tos/dnscrypt-proxy.rst b/source/manual/how-tos/dnscrypt-proxy.rst index c5e4dd29..19c4361f 100644 --- a/source/manual/how-tos/dnscrypt-proxy.rst +++ b/source/manual/how-tos/dnscrypt-proxy.rst @@ -7,7 +7,7 @@ Installation ------------ First of all, you have to install the dnscrypt-proxy plugin (os-dnscrypt-proxy) from the plugins view -reachable via **System->Firmware->Plugins**. +reachable via :menuselection:`System --> Firmware --> Plugins`. After a page reload you will get a new menu entry under **Services** for DNSCrypt-Proxy. 
diff --git a/source/manual/how-tos/edrop.rst b/source/manual/how-tos/edrop.rst index 96ae4768..19a131ce 100644 --- a/source/manual/how-tos/edrop.rst +++ b/source/manual/how-tos/edrop.rst @@ -20,7 +20,7 @@ The lists for this example are located here: ------------------------------------- Step 1 - Create an Alias for Spamhaus ------------------------------------- -Go to **Firewall->Aliases->All** and press the **Add a new alias** button in the +Go to :menuselection:`Firewall --> Aliases --> All` and press the **Add a new alias** button in the top right corner of the form. Enter the following data: @@ -60,7 +60,7 @@ Step 2 - Firewall Rules Inbound Traffic --------------------------------------- We will block incoming connections and outgoing connections for the drop and edrop lists. To do so we will start with inbound traffic on the WAN interface. -Go to **Firewall->Rules** Select the **WAN** tab and press the **+** icon in the +Go to :menuselection:`Firewall --> Rules` Select the **WAN** tab and press the **+** icon in the lower right corner. @@ -97,7 +97,7 @@ Step 3 - Firewall Rules Outbound Traffic ---------------------------------------- Now do the same for outbound traffic traffic on the LAN interface. -Go to **Firewall->Rules** Select the **LAN** tab and press the **+** icon in the +Go to :menuselection:`Firewall --> Rules` Select the **LAN** tab and press the **+** icon in the lower right corner. =================== ============== ============================================= @@ -131,7 +131,7 @@ lower right corner. Check pf Tables --------------- To list the IP addresses that are currently in the DROP and EDROP lists go to -**Firewall->Diagnostics->pfTables** and select the list you want to see: +:menuselection:`Firewall --> Diagnostics --> pfTables` and select the list you want to see: .. image:: images/spamhaus_pftable.png :width: 100% diff --git a/source/manual/how-tos/guestnet.rst b/source/manual/how-tos/guestnet.rst index 54da75d5..3b4d577f 100644 
--- a/source/manual/how-tos/guestnet.rst +++ b/source/manual/how-tos/guestnet.rst @@ -54,7 +54,7 @@ with that and after finishing add/change the specifics to match the Hotel Guest Step 1 - Configure Interface ---------------------------- For the Guest Network we will add a new interface. -Go to **Interfaces->Assignments** And use the **+** to add a new interface. +Go to :menuselection:`Interfaces --> Assignments` And use the **+** to add a new interface. Press **Save**. The new interface will be called **OPT1**, click on [OPT1] in the left menu to change its settings. @@ -80,7 +80,7 @@ Press **Save** and then **Apply changes**. ------------------------------ Step 2 - Configure DHCP Server ------------------------------ -Go to **Services->DHCPv4->[GUESTNET]**. +Go to :menuselection:`Services --> DHCPv4 --> [GUESTNET]`. Fill in the following to setup the DHCP server for our guest net (leave everything else on its default setting): @@ -98,7 +98,7 @@ Click **Save**. --------------------------- Step 3 - Add Firewall Rules --------------------------- -Go to **Firewall->Rules** to add a new rule. +Go to :menuselection:`Firewall --> Rules` to add a new rule. Now add the following rules (in order of prevalence): @@ -196,7 +196,7 @@ Your rules should look similar to the screenshot below: ------------------------------ Step 4 - Create Captive Portal ------------------------------ -Go to **Services->Captive Portal->Administration** +Go to :menuselection:`Services --> Captive Portal --> Administration` To add a new Zone press the **+** in the lower right corner of the form. 
@@ -322,7 +322,7 @@ Internet Access. This bandwidth will be shared evenly between connected clients. that would be 1 Mbps down stream (download). It is also possible to limit the traffic per user see also :doc:`shaper` -Go to: **Firewall->Traffic Shaper->Settings**. +Go to: :menuselection:`Firewall --> Traffic Shaper --> Settings`. Create a pipe for the Download by pressing the **+** in the lower right corner of the form and enter the following details: @@ -408,7 +408,7 @@ This example will be for our "Royal Hotel". --------------------------- Step 8 - Add Voucher Server --------------------------- -To add a Voucher Server go to: **System->Access->Servers** and click on +To add a Voucher Server go to: :menuselection:`System --> Access --> Servers` and click on **Add server** in the top right corner of the screen. Fill in: @@ -423,7 +423,7 @@ Click on **Save**. ------------------------ Step 9 - Create Vouchers ------------------------ -Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**). +Go back to the Captive portal and select Vouchers (:menuselection:`Services --> Captive Portal --> Vouchers`). Click on **Create Vouchers** in the lower right corner of the form. Let's create 1-day vouchers for our guests: @@ -503,7 +503,7 @@ Now users will see the login form as part of your template: -------------- Check Sessions -------------- -To check the active sessions go to **Services->Captive Portal->Sessions** +To check the active sessions go to :menuselection:`Services --> Captive Portal --> Sessions` Our current session looks like this: .. image:: images/cp_active_sessions.png 
@@ -520,7 +520,7 @@ You can drop an active session by clicking on the trashcan. Check Voucher Status -------------------- You can check the validity and active status of a voucher by going to the voucher -page of the captive portal (**Services->Captive Portal->Vouchers**) and select +page of the captive portal (:menuselection:`Services --> Captive Portal --> Vouchers`) and select the correct database (Wi-Fi day pass in our example). .. image:: images/cp_active_vouchers.png diff --git a/source/manual/how-tos/haproxy_howtos.rst b/source/manual/how-tos/haproxy_howtos.rst index da6df377..2bcc06fb 100644 --- a/source/manual/how-tos/haproxy_howtos.rst +++ b/source/manual/how-tos/haproxy_howtos.rst @@ -70,7 +70,7 @@ Execute function http-request auth" .. image:: images/haproxy_frontend_add_authentication.png -* Go to "Settings" -> "Global Parameters", enable the advanced mode (top left), and add your users to configuration +* Go to :menuselection:`Settings --> Global Parameters`, enable the advanced mode (top left), and add your users to configuration via the "Custom options" .. image:: images/haproxy_settings_global_params_auth.png diff --git a/source/manual/how-tos/insight.rst b/source/manual/how-tos/insight.rst index 6c3c15f1..6251f839 100644 --- a/source/manual/how-tos/insight.rst +++ b/source/manual/how-tos/insight.rst @@ -9,7 +9,7 @@ of Netflow data. To do so take a look at :doc:`netflow_exporter`. User Interface -------------- Insight is a fully integrated part of OPNsense. Its User Interface is simple yet -powerful. It can be accessed via **Reporting->Insight**. +powerful. It can be accessed via :menuselection:`Reporting --> Insight`. .. image:: images/insight_gui.png :width: 100% diff --git a/source/manual/how-tos/ips-feodo.rst b/source/manual/how-tos/ips-feodo.rst index 1c71f821..03f5984e 100644 --- a/source/manual/how-tos/ips-feodo.rst +++ b/source/manual/how-tos/ips-feodo.rst 
@@ -14,7 +14,7 @@ Prerequisites ------------- * Always upgrade to latest release first. See :doc:`/manual/install` and/or upgrade to latest release: - **System->Firmware: Fetch updates** + :menuselection:`System --> Firmware --> Fetch updates` .. image:: images/firmware.png :width: 100% @@ -42,8 +42,8 @@ Prerequisites -------------------------------------- Setup Intrusion Detection & Prevention -------------------------------------- -To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled -& IPS mode**. Make sure you have selected the right interface for the intrusion +To enable IDS/IPS just go to :menuselection:`Services -> Intrusion Detection` and select +**enabled & IPS mode**. Make sure you have selected the right interface for the intrusion detection system too run on. For our example we will use the WAN interface, as that will most likely be you connection with the public Internet. diff --git a/source/manual/how-tos/ips-sslfingerprint.rst b/source/manual/how-tos/ips-sslfingerprint.rst index 751edd2a..47e86ab7 100644 --- a/source/manual/how-tos/ips-sslfingerprint.rst +++ b/source/manual/how-tos/ips-sslfingerprint.rst @@ -10,7 +10,7 @@ Prerequisites ------------- * Always upgrade to latest release first. See :doc:`/manual/install` and/or upgrade to latest release: - **System->Firmware: Fetch updates** + :menuselection:`System --> Firmware --> Fetch updates`. .. image:: images/firmware.png :width: 100% @@ -29,7 +29,7 @@ Prerequisites After applying you need to reboot OPNsense otherwise offloading may not completely be disabled and IPS mode will not function. -To start go to **Services->Intrusion Detection** +To start go to :menuselection:`Services --> Intrusion Detection` |ids_menu| 
@@ -91,10 +91,9 @@ And click **Save changes** |save| --------------------------------------- Enable Intrusion Detection & Prevention --------------------------------------- -To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled -& IPS mode**. Make sure you have selected the right interface for the intrusion -detection system too run on. For our example we will use the WAN interface, as -that will most likely be you connection with the public Internet. +To enable IDS/IPS just go to :menuselection:`Services --> Intrusion Detection` and select **enabled & IPS mode**. +Make sure you have selected the right interface for the intrusion detection system too run on. For our example +we will use the WAN interface, as that will most likely be you connection with the public Internet. .. image:: images/idps.png :width: 100% diff --git a/source/manual/how-tos/ipsec-road.rst b/source/manual/how-tos/ipsec-road.rst index 6de133a9..30e45f4a 100644 --- a/source/manual/how-tos/ipsec-road.rst +++ b/source/manual/how-tos/ipsec-road.rst @@ -18,7 +18,7 @@ OPNsense and give you configuration examples for: For the sample we will use a private IP for our WAN connection. This requires us to disable the default block rule on wan to allow private traffic. - To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks". + To do so, go to the :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks". *(Dont forget to save and apply)* .. image:: images/block_private_networks.png @@ -95,7 +95,7 @@ interface. Step 1 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication methods. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example will use the following settings: 
@@ -241,7 +241,7 @@ And Apply changes: If you already had IPsec enabled and added Road Warrior setup, it's important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongswan. ------------------------ @@ -249,7 +249,7 @@ Step 4 - Add IPsec Users ------------------------ For this example we will create a new user who may access the mobile IPsec vpn. -Go to **System->Access->Users** and press the **+** sign in the lower right corner +Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner to add a new user. Enter the following into the form: @@ -282,7 +282,7 @@ some screenshots. The configurations for Android and iOS will be settings only. Configure macOS Client ---------------------- -Start with opening your network settings (System Preferences -> Network) and +Start with opening your network settings (:menuselection:`System Preferences --> Network)` and Add a new network by pressing the + in the lower left corner. Now select **VPN** and **Cisco IPSec**, give your connection a name and press **Create**. @@ -312,7 +312,7 @@ Now test the connection by selecting it from the list and hit **Connect**. -------------------- Configure iOS Client -------------------- -To add a VPN connection on an iOS device go to **Setting->General->VPN**. +To add a VPN connection on an iOS device go to :menuselection:`Settings --> General --> VPN`. Select **Add VPN Configuration** chose **IPsec** and use the Following Settings: ========================== ======================= ======================================== 
@@ -326,9 +326,8 @@ Select **Add VPN Configuration** chose **IPsec** and use the Following Settings: ------------------------ Configure Android Client ------------------------ -To add a VPN connection on an Android device go to **Settings -> Connections -> -more networks** , select **VPN**. Press the **+** in the top right corner to add -a new vpn connection. +To add a VPN connection on an Android device go to :menuselection:`Settings --> Connections --> more networks`, +select **VPN**. Press the **+** in the top right corner to add a new VPN connection. Use the Following Settings: diff --git a/source/manual/how-tos/ipsec-rw-android.rst b/source/manual/how-tos/ipsec-rw-android.rst index a8e24474..ec24680b 100644 --- a/source/manual/how-tos/ipsec-rw-android.rst +++ b/source/manual/how-tos/ipsec-rw-android.rst @@ -23,7 +23,7 @@ the client certificate. Step 2 - Add VPN Connection --------------------------- -Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need. +Add a new VPN connection via :menuselection:`Settings --> More --> VPN`, enter a **Name** and choose the type you need. Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers** or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN. diff --git a/source/manual/how-tos/ipsec-rw-srv-eapradius.rst b/source/manual/how-tos/ipsec-rw-srv-eapradius.rst index beaa577c..a041607b 100644 --- a/source/manual/how-tos/ipsec-rw-srv-eapradius.rst +++ b/source/manual/how-tos/ipsec-rw-srv-eapradius.rst 
@@ -14,23 +14,23 @@ Step 1 - Create Certificates For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. -Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method** +Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method** choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields -matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for +matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side. This is most important as your VPN will drop when the FQDN does not match the ones of the certificate. If you already have a CA roll out a server certificate and import -the CA itself via **System->Trust->Authorities** and the certificate with the key in -**System->Trust->Certificates**. +the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in +:menuselection:`System --> Trust --> Certificates`. --------------------- Step 2 - Setup Radius --------------------- If you already have a local Radius server, add a new client with the IP address of your Firewall, -set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance: +set a shared secret, go to OPNsense UI to :menuselection:`System --> Access --> Servers` and add a new instance: ============================ ================ ==================================== **Descriptive Name** Name *Give it a name* 
@@ -46,7 +46,7 @@ When you do not have an own Radius instance just use the OPNsense plugin and fol Step 3 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication source. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example will use the following settings: @@ -146,7 +146,7 @@ Phase 2 proposal (SA/Key Exchange) If you already had IPsec enabled and added Road Warrior setup, it is important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongSwan. ------------------------ diff --git a/source/manual/how-tos/ipsec-rw-srv-eaptls.rst b/source/manual/how-tos/ipsec-rw-srv-eaptls.rst index 74264fe8..15dc9f5b 100644 --- a/source/manual/how-tos/ipsec-rw-srv-eaptls.rst +++ b/source/manual/how-tos/ipsec-rw-srv-eaptls.rst 
@@ -13,22 +13,22 @@ Step 1 - Create Certificates For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. -Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method** +Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method** choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields -matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for +matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side. This is most important as your VPN will drop when the FQDN does not match the ones of the certificate. If you already have a CA roll out a server certificate and import -the CA itself via **System->Trust->Authorities** and the certificate with the key in -**System->Trust->Certificates**. +the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in +:menuselection:`System --> Trust --> Certificates`. ----------------------- Step 2 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication source. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example we will use the following settings: 
@@ -133,14 +133,14 @@ Phase 2 proposal (SA/Key Exchange) If you already had IPsec enabled and added Road Warrior setup, it's important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongSwan. ------------------------ Step 4 - Add IPsec Users ------------------------ -Go to **System->Trust->Certificates** and create a new client certificate. +Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate. Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides the CN can be left default. Give a **Common Name** and **Save**. Download the newly created certificate as PKCS12 and export it to your end user device. diff --git a/source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst b/source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst index 6e86e660..7e613c24 100644 --- a/source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst +++ b/source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst 
@@ -27,22 +27,22 @@ Step 1 - Create Certificates (only for RSA variants) For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate for your Firewall. -Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method** +Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method** choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields -matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for +matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side. This is most important as your VPN will drop when the FQDN does not match the ones of the certificate. If you already have a CA roll out a server certificate and import -the CA itself via **System->Trust->Authorities** and the certificate with the key in -**System->Trust->Certificates**. +the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in +:menuselection:`System --> Trust --> Certificates`. ----------------------- Step 2 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication source. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example will use the following settings: 
@@ -144,14 +144,14 @@ Phase 2 proposal (SA/Key Exchange) If you already had IPsec enabled and added Road Warrior setup, it is important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongSwan. ------------------------ Step 4 - Add IPsec Users ------------------------ -Go to **System->Access->Users** and press the **+** sign in the lower right corner +Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner to add a new user. Enter the following into the form: @@ -169,7 +169,7 @@ Step 5 - Add client certificate (for Mutual RSA) This step is only needed for Mutual RSA + XAuth! -Go to **System->Trust->Certificates** and create a new client certificate. +Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate. Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides the CN can be left default. Give a **Common Name** and **Save**. Download the newly created certificate as PKCS12 and export it to you enduser device. diff --git a/source/manual/how-tos/ipsec-rw-srv-mschapv2.rst b/source/manual/how-tos/ipsec-rw-srv-mschapv2.rst index 9e08f337..a64af27b 100644 --- a/source/manual/how-tos/ipsec-rw-srv-mschapv2.rst +++ b/source/manual/how-tos/ipsec-rw-srv-mschapv2.rst 
@@ -15,22 +15,22 @@ Step 1 - Create Certificates For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate for your Firewall. -Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method** +Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method** choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields -matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for +matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side. This is most important as your VPN will drop when the FQDN does not match the ones of the certificate. If you already have a CA roll out a server certificate and import -the CA itself via **System->Trust->Authorities** and the certificate with the key in -**System->Trust->Certificates**. +the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in +:menuselection:`System --> Trust --> Certificates`. ----------------------- Step 2 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication source. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example will use the following settings: 
@@ -130,14 +130,14 @@ Phase 2 proposal (SA/Key Exchange) If you already had IPsec enabled and added Road Warrior setup, it is important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongSwan. ------------------------ Step 4 - Add IPsec Users ------------------------ -Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**. +Go to :menuselection:`VPN --> IPsec --> Pre-Shared Keys` and press **Add**. Enter the following into the form: diff --git a/source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst b/source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst index 9f416747..5e0e1da8 100644 --- a/source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst +++ b/source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst 
@@ -15,22 +15,22 @@ Step 1 - Create Certificates For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate for your Firewall. -Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method** +Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method** choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields -matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for +matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side. This is most important as your VPN will drop when the FQDN does not match the ones of the certificate. If you already have a CA roll out a server certificate and import -the CA itself via **System->Trust->Authorities** and the certificate with the key in -**System->Trust->Certificates**. +the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in +:menuselection:`System --> Trust --> Certificates`. ----------------------- Step 2 - Mobile Clients ----------------------- First we will need to setup the mobile clients network and authentication source. -Go to **VPN->IPsec->Mobile Clients** +Go to :menuselection:`VPN --> IPsec --> Mobile Clients` For our example will use the following settings: 
@@ -131,20 +131,20 @@ Phase 2 proposal (SA/Key Exchange) If you already had IPsec enabled and added Road Warrior setup, it is important to restart the whole service via services widget in the upper right corner of IPSec pages - or via **System->Diagnostics->Services->Strongswan** since applying configuration only + or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only reloads it, but a restart also loads the required modules of strongSwan. ------------------------ Step 4 - Add IPsec Users ------------------------ -Go to **System->Trust->Certificates** and create a new client certificate. +Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate. Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides the CN can be left default. Give a **Common Name** and **Save**. Download the newly created certificate as PKCS12 and export it to you enduser device. -Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**. +Switch to :menuselection:`VPN -> IPsec -> Pre-Shared Keys` and press **Add**. Enter the following into the form: ==================== ========== diff --git a/source/manual/how-tos/ipsec-rw-w7.rst b/source/manual/how-tos/ipsec-rw-w7.rst index 0a7d4994..e408a8ba 100644 --- a/source/manual/how-tos/ipsec-rw-w7.rst +++ b/source/manual/how-tos/ipsec-rw-w7.rst 
@@ -9,15 +9,15 @@ We assume that you are familiar with adding a new VPN connection. The tests were done with Windows 7 and 10. -All screenshot were taken from **Network and Sharing Center->Change adapter settings**. +All screenshot were taken from :menuselection:`Network and Sharing Center --> Change adapter settings`. --------------------------- Step 1 - Install Certificte --------------------------- Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority. -Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**. -Choose **Certificates->Add->Computer account**. +Hit the Windows Start button and type *mmc* in search box. Go to :menuselection:`File --> Add/Remove Snap-In`. +Choose :menuselection:`Certificates --> Add --> Computer account`. Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click, **All taks** and import. Select the Root CA and install. diff --git a/source/manual/how-tos/ipsec-rw.rst b/source/manual/how-tos/ipsec-rw.rst index eb0920db..2f3e6b7d 100644 --- a/source/manual/how-tos/ipsec-rw.rst +++ b/source/manual/how-tos/ipsec-rw.rst @@ -24,7 +24,7 @@ authentication methods e.g. For the sample we will use a private ip for our WAN connection. This requires us to disable the default block rule on WAN to allow private traffic. - To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks". + To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”. *(Don't forget to save and apply)* .. image:: images/block_private_networks.png 
@@ -113,11 +113,11 @@ very error prone we will not cover it here. :header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config" :widths: 40, 20, 20, 20, 20, 20, 20, 20 - "IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`" - "IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`" - "IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`" - "IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`" - "IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`" - "IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`" - "IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`" - "IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`" + "IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`" + "IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`" + "IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`" + "IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`" + "IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y 
:doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`" + "IKEv2 EAP-MSCHAPv2","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-mschapv2`" + "IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-rsamschapv2`" + "IKEv2 EAP-RADIUS","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eapradius`" diff --git a/source/manual/how-tos/ipsec-s2s.rst b/source/manual/how-tos/ipsec-s2s.rst index 71c5b1b8..cb91970b 100644 --- a/source/manual/how-tos/ipsec-s2s.rst +++ b/source/manual/how-tos/ipsec-s2s.rst @@ -18,7 +18,7 @@ connection (you local network need to different than that of the remote network) For the sample we will use a private IP for our WAN connection. This requires us to disable the default block rule on wan to allow private traffic. - To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks". + To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”. *(Dont forget to save and apply)* .. image:: images/block_private_networks.png @@ -174,7 +174,7 @@ Full Network Diagram Including IPsec Tunnel Firewall Rules Site A & Site B (part 1) --------------------------------------- To allow IPsec Tunnel Connections, the following should be allowed on WAN for on -sites (under **Firewall->Rules->WAN**): +sites (under :menuselection:`Firewall --> Rules --> WAN`): * Protocol ESP * UDP Traffic on Port 500 (ISAKMP) 
@@ -190,7 +190,7 @@ sites (under **Firewall->Rules->WAN**): ----------------------- Step 1 - Phase 1 Site A ----------------------- -(Under **VPN->IPsec->Tunnel Settings** Press **+**) +(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**) We will use the following settings: General information @@ -322,7 +322,7 @@ And Apply changes: ----------------------- Step 3 - Phase 1 Site B ----------------------- -(Under **VPN->IPsec->Tunnel Settings** Press **+**) +(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**) We will use the following settings: General information @@ -455,7 +455,7 @@ Firewall Rules Site A & Site B (part 2) --------------------------------------- To allow traffic passing to your LAN subnet you need to add a rule to the IPsec -interface (under **Firewall->Rules->IPsec**). +interface (under :menuselection:`Firewall --> Rules --> IPsec`). .. image:: images/ipsec_ipsec_lan_rule.png :width: 100% @@ -465,7 +465,7 @@ IPsec Tunnel Ready ------------------ The tunnel should now be up and routing the both networks. -Go to **VPN->IPsec->Status Overview** to see current status. +Go to :menuselection:`VPN --> IPsec --> Status Overview` to see current status. Press on the **(i)** to see the details of the phase 2 tunnel(s), like this: .. image:: images/ipsec_status.png diff --git a/source/manual/how-tos/ipv6_dsl.rst b/source/manual/how-tos/ipv6_dsl.rst index d9f38041..1322ad73 100644 --- a/source/manual/how-tos/ipv6_dsl.rst +++ b/source/manual/how-tos/ipv6_dsl.rst @@ -17,7 +17,7 @@ It's compatible and tested for but not limited to: Step 1 - General Settings ------------------------- -Go to **System->Settings->General->** and check that **Prefer IPv4 over IPv6** +Go to :menuselection:`System --> Settings --> General` and check that **Prefer IPv4 over IPv6** is not ticked. This value is default so just check if it has been touched. Also enable **Allow DNS server list to be overridden by DHCP/PPP on WAN** at the 
@@ -27,13 +27,13 @@ bottom, so you get the correct DNS servers if you just use IPv4 ones. Step 2 - Allow IPv6 ------------------- -Next go to **Firewall->Settings->Advanced** and verfiy that **Allow IPv6** is enabled. +Next go to :menuselection:`Firewall --> Settings --> Advanced` and verfiy that **Allow IPv6** is enabled. -------------------------------- Step 3 - Interface Configuration -------------------------------- -In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in section +In :menuselection:`Interfaces --> [WAN]` and set **IPv6 Configuration Type** to DHCPv6 and in section **DHCPv6 client configuration** at the bottom tick: - Request only an IPv6 prefix @@ -42,7 +42,7 @@ In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in sect Set the prefix size to the one your provider delegates, mostly /56 or 64, sometimes /48. -Then change to **Interfaces->LAN** and set **IPv6 Configuration Type** to **Track Interface**. +Then change to :menuselection:`Interfaces --> [LAN]` and set **IPv6 Configuration Type** to **Track Interface**. At the bottom in section **Track IPv6 Interface** choose **IPv6 Interface** as WAN and for **IPv6 Prefix ID** a value of 0 is perfectly fine. diff --git a/source/manual/how-tos/ipv6_tunnelbroker.rst b/source/manual/how-tos/ipv6_tunnelbroker.rst index 9409ca7b..4aa73b9b 100644 --- a/source/manual/how-tos/ipv6_tunnelbroker.rst +++ b/source/manual/how-tos/ipv6_tunnelbroker.rst @@ -41,7 +41,7 @@ Step 1 - Add GIF tunnel ----------------------- To configure OPNsense start with adding a new gif interface. -Go to **Interfaces->Other Types->GIF** and click on **Add** in the upper tight corner +Go to :menuselection:`Interfaces --> Other Types --> GIF` and click on **Add** in the upper tight corner of the form. Use the following settings and copy in the IPv4&6 addresses from your TunnelBroker's UI. 
@@ -64,14 +64,14 @@ Step 2 - Configure the GIF tunnel as a new interface ---------------------------------------------------- The newly created GIF tunnel must now be assigned as a new interface. -Go to **Interfaces->Assignments**, select the GIF tunnel for **New interface** +Go to :menuselection:`Interfaces --> Assignments`, select the GIF tunnel for **New interface** and click the **+** sign next to it. -Then under **Interfaces->[OPTX]** check **Enable Interface** and change the +Then under :menuselection:`Interfaces -> [OPTX]` check **Enable Interface** and change the description to e.g. TUNNELBROKER before hitting **Save**. The newly created interface must now be set as the default IPv6 gateway -under **System->Gateways->Single** by editing the new gateway entry +under :menuselection:`System --> Gateways --> Single` by editing the new gateway entry TUNNELBROKER_TUNNELV6 and checking **Default Gateway** before saving. ----------------------------- @@ -103,7 +103,7 @@ Step 5 - Configure DHCPv6 SLAAC ------------------------------- We'll next configure OPNsense for Stateless Address Auto Configuration (SLAAC). -We're going to set up the DHCPv6 service. Go to **Services->DHCPv6->Server**. +We're going to set up the DHCPv6 service. Go to :menuselection:`Services --> DHCPv6 --> Server`. Simply choose a range for clients to use. Save your settings. Next go to the Router Advertisements sub tab on that same page. Set the **Router Advertisements** diff --git a/source/manual/how-tos/lan_bridge.rst b/source/manual/how-tos/lan_bridge.rst index 50cf1e83..b1eee954 100644 --- a/source/manual/how-tos/lan_bridge.rst +++ b/source/manual/how-tos/lan_bridge.rst 
@@ -20,7 +20,7 @@ It's a good idea to add the extra NIC interfaces ( OPTx ) during installation. **Step Two** ----------------- -Create the bridge itself. Select Interfaces->Other Types->Bridge and ADD a new bridge. Select +Create the bridge itself. Select :menuselection:`Interfaces --> Other Types --> Bridge` and ADD a new bridge. Select from the member interfaces the unused interfaces you wish to add to the bridge, OPT2,OPT3 etc. .. image:: images/lan_bridge_1.png @@ -37,7 +37,7 @@ Now Save the new bridge. **Step Three** ----------------- -Select Interfaces->Assignments and for the LAN interface, select the bridge previously created +Select :menuselection:`Interfaces --> Assignments` and for the LAN interface, select the bridge previously created and Save. .. image:: images/lan_bridge_3.png @@ -50,7 +50,7 @@ time for the interface to come back up, but keep refreshing the web interface un **Step Four** ----------------- The Original LAN interface is now unassigned and will need to be re-assigned. Go to -Interfaces->Assignments and in the New Interface box you will see the NIC itself ( igb*, em* ), +:menuselection:`Interfaces --> Assignments` and in the New Interface box you will see the NIC itself ( igb*, em* ), select it and hit the '+' button to add an assignment, then click Save. .. image:: images/lan_bridge_5.png @@ -58,7 +58,7 @@ select it and hit the '+' button to add an assignment, then click Save. **Step Five** ----------------- -Select Interfaces->Other Types->Bridge and add the interface created in Step Four to the bridge +Select :menuselection:`Interfaces --> Other Types --> Bridge` and add the interface created in Step Four to the bridge and Save, remember to check the new interface and ensure it is enabled as in Step Two. .. image:: images/lan_bridge_4.png 
@@ -67,7 +67,7 @@ and Save, remember to check the new interface and ensure it is enabled as in Ste **Step Six** ----------------- We now need to make two changes to the System Tunables to ensure that filtering is carried -out on the bridge itself, and not on the member interfaces. Go to System->Settings->Tunables +out on the bridge itself, and not on the member interfaces. Go to :menuselection:`System --> Settings --> Tunables` and select using the pen button net.link.bridge.pfil_member and set the value to 0. .. image:: images/lan_bridge_6.png @@ -80,7 +80,7 @@ Select the tunable net.link.bridge.pfil_bridge and set the value to 1 **Final** ----------------- -Once complete, the Interface->Assignments should look similar to this: +Once complete, the :menuselection:`Interface --> Assignments` page should look similar to this: .. image:: images/lan_bridge_8.png :width: 100% diff --git a/source/manual/how-tos/multiwan.rst b/source/manual/how-tos/multiwan.rst index 9b459966..b01d4747 100644 --- a/source/manual/how-tos/multiwan.rst +++ b/source/manual/how-tos/multiwan.rst @@ -50,7 +50,7 @@ Step 1 - Add monitor IPs You may skip this step if you already have setup the monitoring IP and both gateways are shown as online. -To add a monitoring IP go to **System->Gateways->Single** and click on the first pencil +To add a monitoring IP go to :menuselection:`System --> Gateways --> Single` and click on the first pencil symbol to edit the first gateway. Now make sure the following is configured: @@ -73,7 +73,7 @@ Now make sure the following is configured: Step 2 - Add Gateway Group -------------------------- -Go to **System->Gateways->Group** and press **+ Add Group** in the upper right +Go to :menuselection:`System --> Gateways --> Group` and press **+ Add Group** in the upper right corner. Use the following settings: 
@@ -100,7 +100,7 @@ Use the following settings: Step 3 - Configure DNS for each gateway --------------------------------------- -Go to **System->Settings->General** and make sure each gateway has its own DNS +Go to :menuselection:`System --> Settings --> General` and make sure each gateway has its own DNS setup: like this: DNS servers @@ -112,7 +112,7 @@ DNS servers Step 4 - Policy based routing ----------------------------- -Go to **Firewall->Rules** +Go to :menuselection:`Firewall --> Rules` For our example we will update the default LAN pass rule. Click on the pencil next to this rule (*Default allow LAN to any rule*). @@ -155,7 +155,7 @@ Advanced Options ---------------- For each gateway there are several advanced options you can use to change the default behavior/thresholds. These option can be changed under -**System->Gateways->Single**, press the pencil icon next to the Gateway you want +:menuselection:`System --> Gateways --> Single`, press the pencil icon next to the Gateway you want to update. The current options are: @@ -190,7 +190,7 @@ lead to unexpected behavior. To solve this you can use the option **Sticky Conne this will make sure each subsequent request from the same user to the same website is send through the same gateway. -To set this option can be set under **Firewall->Settings->Advanced**. +To set this option can be set under :menuselection:`Firewall --> Settings --> Advanced`. Unequal Balancing (Weight) -------------------------- 
@@ -200,7 +200,7 @@ load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps th set the weight of the first one to 1 and the second one to 2. This way the second gateway will get twice as many traffic to handle than the first. -To do so, go to **System->Gateways->Single** and press the pencil icon next to the +To do so, go to :menuselection:`System --> Gateways --> Single` and press the pencil icon next to the Gateway you want to update. The weight is defined under the advanced section. ------------------------------ diff --git a/source/manual/how-tos/netflow_exporter.rst b/source/manual/how-tos/netflow_exporter.rst index 1bdd5910..291bf2d4 100644 --- a/source/manual/how-tos/netflow_exporter.rst +++ b/source/manual/how-tos/netflow_exporter.rst @@ -4,7 +4,7 @@ Configure Netflow Exporter .. image:: images/netflow_exporter.png -Configuring the Netflow Exporter is a simple task. Go to **Reporting->NetFlow**. +Configuring the Netflow Exporter is a simple task. Go to :menuselection:`Reporting --> NetFlow`. Select all **Interfaces** you want to collect/export data from, usually one would select all available interfaces here. diff --git a/source/manual/how-tos/nginx_ip_acl.rst b/source/manual/how-tos/nginx_ip_acl.rst index 617bd49a..7f74b47f 100644 --- a/source/manual/how-tos/nginx_ip_acl.rst +++ b/source/manual/how-tos/nginx_ip_acl.rst @@ -29,7 +29,7 @@ Configuration Create Users ------------ -Navigate to the "Accss -> IP ACL" tab. +Navigate to the :menuselection:`Access --> IP ACL` tab. .. image:: images/nginx_ip_acl_01_list_view.png diff --git a/source/manual/how-tos/nginx_tls_fingerprints.rst b/source/manual/how-tos/nginx_tls_fingerprints.rst index 30a223d7..323a3afa 100644 --- a/source/manual/how-tos/nginx_tls_fingerprints.rst +++ b/source/manual/how-tos/nginx_tls_fingerprints.rst 
@@ -88,7 +88,7 @@ shown in the following screenshot: Configuration Page ================== -Now in the configuration page under HTTP -> TLS Fingerprints there will be an +Now in the configuration page under :menuselection:`HTTP --> TLS Fingerprints` there will be an entry for the created fingerprint, so it can be edited: .. image:: images/nginx_fingerprint_settings.png diff --git a/source/manual/how-tos/ntopng.rst b/source/manual/how-tos/ntopng.rst index dc0f34f0..738ebe04 100644 --- a/source/manual/how-tos/ntopng.rst +++ b/source/manual/how-tos/ntopng.rst @@ -7,11 +7,11 @@ Installation ------------ First of all, you have to install the ntopng plugin (os-ntopng) from the plugins view -reachable via **System->Firmware->Plugins**. +reachable via :menuselection:`System --> Firmware --> Plugins`. After a page reload you will get a new menu entry under **Services** for ntopng. If you don't have Redis plugin installed, you'll receive a warning in ntopng main menu. Please -go back to **System->Firmware->Plugins**, install os-redis, change to **Services->Redis** +go back to :menuselection:`System --> Firmware --> Plugins`, install os-redis, change to :menuselection:`Services --> Redis` and just enable the service. That's enough to run ntopng. ---------------- diff --git a/source/manual/how-tos/openconnect.rst b/source/manual/how-tos/openconnect.rst index abfc0a15..10061579 100644 --- a/source/manual/how-tos/openconnect.rst +++ b/source/manual/how-tos/openconnect.rst @@ -15,9 +15,9 @@ Palo Altos Global Protect will also be supported in future and of course the own Step 1 - Installation --------------------- -Go to **System->Firmware->Plugins->** and search for **os-openconnect**. +Go to :menuselection:`System --> Firmware --> Plugins` and search for **os-openconnect**. Install the plugin as usual, refresh and page and the you'll find the client via -**VPN->OpenConnect**. +:menuselection:`VPN --> OpenConnect`. -------------- Step 2 - Setup 
diff --git a/source/manual/how-tos/orange_fr_fttp.rst b/source/manual/how-tos/orange_fr_fttp.rst index fca71e4c..8e397927 100644 --- a/source/manual/how-tos/orange_fr_fttp.rst +++ b/source/manual/how-tos/orange_fr_fttp.rst @@ -105,8 +105,8 @@ Click ‘Save’ and then ‘Apply’. ----------------- -Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track -Interface’ +Select :menuselection:`Interfaces --> [LAN]` and set IPv4 to “Static IPv4” and IPv6 Configuration Type to +“Track Interface”. .. image:: images/OF_image7.png :width: 100% diff --git a/source/manual/how-tos/pac.rst b/source/manual/how-tos/pac.rst index eb79cb6e..aaab9c37 100644 --- a/source/manual/how-tos/pac.rst +++ b/source/manual/how-tos/pac.rst @@ -35,7 +35,7 @@ Configuring PAC First Step: Creating Matches ---------------------------- -Go to 'Services' -> Proxy -> Configuration and open Match +Go to :menuselection:`Services --> Proxy --> Configuration` and open Match .. image:: images/pac_menu_match.png @@ -81,7 +81,7 @@ Host Pattern Wildcard for your internal domain Second Step: Create Proxy Servers --------------------------------- -Now switch to PAC -> Proxies and add new proxy servers. +Now switch to :menuselection:`PAC --> Proxies` and add new proxy servers. =========== ================================================================ Name Enter a name which will be shown at the rules view for selection @@ -124,7 +124,7 @@ Third Step: Create Rules ------------------------ Now as the matches and the proxies exist, rules can be built. -For that, switching to PAC -> Rules is required. +For that, switching to :menuselection:`PAC --> Rules` is required. Now the following rule needs to be created: 
@@ -175,7 +175,7 @@ Variant 2: Manual Configuration .. Warning:: When DNS is used, OPNsense must respond via HTTP on port 80. -Open the page Services -> Unbound DNS -> Overrides and add a new host override +Open the page :menuselection:`Services --> Unbound DNS --> Overrides` and add a new host override for the `wpad` host: .. image:: images/wpad_dns_unbound.png @@ -211,14 +211,14 @@ created: http://wpad.example.com:80/wpad.dat .. Warning:: - If you have **HTTP Redirect** enabled via **System->Settings->Administration**, + If you have **HTTP Redirect** enabled via :menuselection:`System --> Settings --> Administration`, make sure your browser accepts the certificate presented by OPNsense, as it won't download wpad.dat if the certificate is untrusted. Variant 2: Manual Configuration ------------------------------- -Open the page Services -> DHCP -> Server, select the correct interface and +Open the page :menuselection:`Services --> DHCP --> Server`, select the correct interface and scroll down to the "Additional Options". Add this line and save: diff --git a/source/manual/how-tos/proxyicapantivirus.rst b/source/manual/how-tos/proxyicapantivirus.rst index bcbca4f1..3c0c2eeb 100644 --- a/source/manual/how-tos/proxyicapantivirus.rst +++ b/source/manual/how-tos/proxyicapantivirus.rst @@ -52,7 +52,7 @@ traffic to make sure the unencrypted ICAP traffic can't be tapped. Step 5 - Configure ICAP ----------------------- -To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings** +To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings** for the **Forward Proxy** tab. Select enable ICAP and filling the Request and Response URLs. diff --git a/source/manual/how-tos/proxyicapantivirusinternal.rst b/source/manual/how-tos/proxyicapantivirusinternal.rst index 69daa23c..bcc439de 100644 --- a/source/manual/how-tos/proxyicapantivirusinternal.rst +++ b/source/manual/how-tos/proxyicapantivirusinternal.rst 
@@ -44,7 +44,7 @@ Step 3 - Install and Configure the ClamAV and the C-ICAP plugins Step 4 - Configure ICAP ----------------------- -To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings** +To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings** for the **Forward Proxy** tab. Select enable ICAP and filling the Request and Response URLs. diff --git a/source/manual/how-tos/proxytransparent.rst b/source/manual/how-tos/proxytransparent.rst index 27718b6e..6db31032 100644 --- a/source/manual/how-tos/proxytransparent.rst +++ b/source/manual/how-tos/proxytransparent.rst @@ -24,7 +24,7 @@ For basic configuration please refer to :doc:`cachingproxy`. Step 2 - Transparent HTTP -------------------------------- -Go to **Services->Proxy->Administration** +Go to :menuselection:`Services --> Proxy --> Administration` Then select **General Forward Settings** under the **Forward Proxy Tab**. @@ -61,7 +61,7 @@ The defaults should be alright, just press **Save** and **Apply Changes**. Step 4 - CA for Transparent SSL -------------------------------------- Before we can setup transparent SSL/HTTPS proxy we need to create a Certificate -Authority. Go to **System->Trust->Authorities** or use the search box to get there +Authority. Go to :menuselection:`System --> Trust --> Authorities` or use the search box to get there fast. .. image:: images/search_ca.png @@ -90,7 +90,7 @@ For our example we use the following data: Step 5 - Transparent SSL ------------------------------------- -Go to **Services->Proxy->Administration** +Go to :menuselection:`Services --> Proxy --> Administration` Then select **General Forward Settings** under the **Forward Proxy Tab**. Select **Enable SSL mode** and set **CA to use** to the CA you have just created. 
@@ -145,7 +145,7 @@ Step 8 - Configure OS/Browser ----------------------------- Since the CA is not trusted by your browser, you will get a message about this for each page you visit. To solve this you can import the Key into your OS and -set as trusted. To export the Key go to **System->Trust->Authorities** and click +set as trusted. To export the Key go to :menuselection:`System --> Trust --> Authorities` and click on the icon to export the CA certificate. Of course one may choose to accept the certificate for each page manually, but for some pages that may not work well unless not bumped. diff --git a/source/manual/how-tos/proxywebfilter.rst b/source/manual/how-tos/proxywebfilter.rst index 6e123d6d..e3da4b57 100644 --- a/source/manual/how-tos/proxywebfilter.rst +++ b/source/manual/how-tos/proxywebfilter.rst @@ -28,7 +28,7 @@ For this tutorial we will assume: ------------------------------- Step 1 - Disable Authentication ------------------------------- -To start go to **Services->Web Proxy->Administration**. +To start go to :menuselection:`Services --> Web Proxy --> Administration`. Click on the arrow next to the **Forward Proxy** tab to show the drop down menu. Now select **Authentication Settings** and click on **Clear All** to disable user @@ -87,7 +87,7 @@ of time as the first fetch as the adult alone section is ~15 MB. --------------------- Step 5 - Enable Proxy --------------------- -To enable the proxy just go to **Services->Proxy Server->Administration** and +To enable the proxy just go to :menuselection:`Services --> Proxy Server --> Administration` and check **Enable proxy** en click on **Apply**. The proxy will bind to LAN and port 3128. It may take a while for the proxy to start and the play icon on the top right corner 
@@ -98,7 +98,7 @@ of the screen will turn red. Refresh the page to see if the proxy is done loadin Step 6 - Disable Proxy Bypass ----------------------------- To make sure no-one can bypass the proxy you need to add a firewall rule. -Go to **Firewall->Rules** and add the following to the top of the list rule on the +Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the LAN interface (if LAN is where your clients and proxy are on). ============================ ===================== diff --git a/source/manual/how-tos/serial_access.rst b/source/manual/how-tos/serial_access.rst index d05dd4ab..ecd47d82 100644 --- a/source/manual/how-tos/serial_access.rst +++ b/source/manual/how-tos/serial_access.rst @@ -27,7 +27,7 @@ Connecting to the serial console -------------------------------- If you already installed OPNsense via a non-serial installer, serial access needs to be turned on. To do this, open -the web interface, navigate to **System->Settings->Administration**, scroll down to 'Console' and set the primary or +the web interface, navigate to :menuselection:`System --> Settings --> Administration`, scroll down to 'Console' and set the primary or secondary console to 'Serial console'. Note: this is **only** necessary if you already installed OPNsense, and did not use the serial installer to do so. In all other cases (accessing BIOS, running the serial installer, connecting to an installation that was done via serial), serial access is already available. diff --git a/source/manual/how-tos/shaper.rst b/source/manual/how-tos/shaper.rst index 25736f0c..ad0daf77 100644 --- a/source/manual/how-tos/shaper.rst +++ b/source/manual/how-tos/shaper.rst @@ -55,7 +55,7 @@ has 10 Mbps Download and 1 Mbps Upload. } } -To start go to **Firewall->Shaper->Settings**. +To start go to :menuselection:`Firewall --> Shaper --> Settings`. Step 1 - Create Upload and Download Pipes ----------------------------------------- 
@@ -215,7 +215,7 @@ Upload that we want to share evenly between all users. } -To start go to **Firewall->Traffic Shaper->Settings**. +To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`. Step 1 - Create Upload and Download Pipes ----------------------------------------- @@ -344,7 +344,7 @@ users in such manner that each user will receive up to a maximum of 1 Mbps. } -To start go to **Firewall->Traffic Shaper->Settings**. +To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`. Step 1 - Create Upload and Download Pipes ----------------------------------------- @@ -420,7 +420,7 @@ for the upload traffic. | HTTPS (443) | | | +----------------+--------+-------------------+ -To start go to **Firewall->Traffic Shaper->Settings**. +To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`. Step 1 - Create Download Pipe ------------------------------ diff --git a/source/manual/how-tos/sslvpn_client.rst b/source/manual/how-tos/sslvpn_client.rst index 776ba658..975a4e37 100644 --- a/source/manual/how-tos/sslvpn_client.rst +++ b/source/manual/how-tos/sslvpn_client.rst @@ -31,7 +31,7 @@ and give you configuration examples for: For the sample we will use a private IP for our WAN connection. This requires us to disable the default block rule on wan to allow private traffic. - To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks". + To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks". *(Dont forget to save and apply)* .. image:: images/block_private_networks.png @@ -98,7 +98,7 @@ For completeness of this how-to we will also prepare a user. Configure TOTP server --------------------- -To configure a Time based One Time Password server go to **System->Access->Servers** +To configure a Time based One Time Password server go to :menuselection:`System --> Access --> Servers` and click **Add** in the top right corner of the form. .. TIP:: 
@@ -125,7 +125,7 @@ Add Certificate Authority ------------------------- The VPN server needs a certificate authority to sign client or server certificates. -To setup a new certificate authority go to **System->Trust->Authorities** and click +To setup a new certificate authority go to :menuselection:`System --> Trust --> Authorities` and click **Add** in the top right corner of the form. For our example we will use the following setting: @@ -149,7 +149,7 @@ Click **Save** to add the new Certificate Authority. Create a Certificate --------------------- After creating the Authority we will also need a certificate. -To create a new certificate, go to **System->Trust->Certificates** and click +To create a new certificate, go to :menuselection:`System --> Trust --> Certificates` and click **Add** in the upper right corner of the form. Fill in the form with (leave the rest default): @@ -174,7 +174,7 @@ Click **Save** to create the certificate. Adding a User ------------- -To add a new user go to **System->Access->Users** and click **Add** in the top +To add a new user go to :menuselection:`System --> Access --> Users` and click **Add** in the top right corner. Creating a user will be done in two steps, the first one is adding a basic user @@ -220,7 +220,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding one that uses our two factor authentication. This setup offers a good protection and it is easy to setup on the clients as each client can use the same configuration. -Go to **VPN->OpenVPN->Servers** and click **Add** in the top right corner +Go to :menuselection:`VPN --> OpenVPN --> Servers` and click **Add** in the top right corner of the form. For our example will use the following settings: 
@@ -313,7 +313,7 @@ macOS & Windows For macOS & Windows users we recommend using Viscosity from Sparklabs (https://www.sparklabs.com/viscosity/). Viscosity is very easy to setup and use and works well on both platforms. -Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from +Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from the list. Leave everything default and Download the **Viscosity Bundle** from the list of export options under **Client Install Packages**. @@ -351,7 +351,7 @@ Android For Android users we recommend using OpenVPN for Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Arne Schwabe. -Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from +Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from the list. Leave everything default and Download the inline **Android** configuration from the list of export options under **Client Install Packages**. @@ -366,7 +366,7 @@ iOS For iOS users we recommend using OpenVPN Connect (https://itunes.apple.com/us/app/openvpn-connect/id590379981) from OpenVPN Technologies. -Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from +Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from the list. Leave everything default and Download the inline **OpenVPN Connect** configuration from the list of export options under **Client Install Packages**. @@ -388,7 +388,7 @@ factors are: * Username/Password * Token (TOTP) -Go to **VPN->OpenVPN->Servers** and click the pencil icon next to the server +Go to :menuselection:`VPN --> OpenVPN --> Servers` and click the pencil icon next to the server we just created to change the 2FA to multi factor authentication. Now change **Server Mode** to *Remote Access (SSL/TLS + User Auth)* and leave 
diff --git a/source/manual/how-tos/sslvpn_s2s.rst b/source/manual/how-tos/sslvpn_s2s.rst index b12c62ba..9a40d956 100644 --- a/source/manual/how-tos/sslvpn_s2s.rst +++ b/source/manual/how-tos/sslvpn_s2s.rst @@ -19,7 +19,7 @@ network). For the sample we will use a private IP for our WAN connection. This requires us to disable the default block rule on WAN to allow private traffic. - To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks". + To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks". *(Don't forget to save and apply)* .. image:: images/block_private_networks.png @@ -181,7 +181,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding a server that uses a shared key. This setup offers a good protection and it is easy to setup. -Go to **VPN->OpenVPN->Servers** and click on click **Add** in the top right corner +Go to :menuselection:`VPN --> OpenVPN --> Servers` and click on click **Add** in the top right corner of the form. For our example will use the following settings (leave everything else on its default): @@ -279,7 +279,7 @@ however you may decide just to allow traffic to one or more IPs. Step 4 - Site B Client ---------------------- Now we will have to setup the client. -Login to the second firewall, go to **VPN->OpenVPN->Clients** and click on +Login to the second firewall, go to :menuselection:`VPN --> OpenVPN --> Clients` and click on **add client** in the upper right corner of the form. Now enter the following into the form (and leave everything else default): @@ -306,7 +306,7 @@ Now enter the following into the form (and leave everything else default): Now click on **Save** to apply your settings. -The Connection Status can be viewed under **VPN->OpenVPN->Connection Status** +The Connection Status can be viewed under :menuselection:`VPN --> OpenVPN --> Connection Status` .. image:: images/sslvpn_connection_status.png :width: 100% 
@@ -314,7 +314,7 @@ The Connection Status can be viewed under **VPN->OpenVPN->Connection Status** ------------------------------ Step 5 - Client Firewall Rules ------------------------------ -To allow traffic from the remote network just add a rule under **Firewall->Rules** +To allow traffic from the remote network just add a rule under :menuselection:`Firewall --> Rules` OpenVPN tab. .. image:: images/sslvpn_firewall_rule_client.png diff --git a/source/manual/how-tos/transparent_bridge.rst b/source/manual/how-tos/transparent_bridge.rst index b278d871..da8577d3 100644 --- a/source/manual/how-tos/transparent_bridge.rst +++ b/source/manual/how-tos/transparent_bridge.rst @@ -60,7 +60,7 @@ Configuration in 10 easy steps --------------------------------------- To disable outbound NAT, go to -**Firewall** -> **NAT** -> **Outbound**: Disable Outbound NAT rule generation +:menuselection:`Firewall --> NAT --> Outbound` and select “Disable Outbound NAT rule generation”. |Filtering Bridge Step 1.png| @@ -68,13 +68,13 @@ To disable outbound NAT, go to -------------------------- Enable filtering bridge by changing **net.link.bridge.pfil\_bridge** -from default to 1 in **System** -> **Settings** -> **System Tuneables** +from default to 1 in :menuselection:`System --> Settings --> System Tuneables`. |Filtering Bridge Step 2.png| And disable filtering on member interfaces by changing **net.link.bridge.pfil\_member** from default to 0 in -**System** -> **Settings** -> **System Tuneables** +:menuselection:`System --> Settings --> System Tuneables`. |Filtering Bridge Step2a.png| @@ -82,7 +82,7 @@ And disable filtering on member interfaces by changing -------------------- Create a bridge of LAN and WAN, go to -**Interfaces** -> **Other Types** -> **Bridge** :Add Select LAN and WAN. +:menuselection:`Interfaces --> Other Types --> Bridge`. Add Select LAN and WAN. |Filtering Bridge Step 3a.png| 
@@ -95,13 +95,13 @@ To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and setup an IP address. -Go to **Interfaces** -> **Assign** -> **Available network ports** , select +Go to :menuselection:`Interfaces --> Assign --> Available network port`, select the bridge from the list and hit **+**. |Filtering Bridge Step 4.png| Now Add an IP address to the interface that you would like to use to -manage the bridge. Go to **Interfaces** -> **OPT1** enable the interface +manage the bridge. Go to :menuselection:`Interfaces --> [OPT1]`, enable the interface and fill-in the ip/netmask. 5. Disable Block private networks & bogon @@ -109,7 +109,7 @@ and fill-in the ip/netmask. For the WAN interface we nee to disable blocking of private networks & bogus IPs. -Goto **Interfaces** -> **WAN** and unselect **Block private networks** +Go to :menuselection:`Interfaces --> [WAN]` and unselect **Block private networks** and **Block bogon networks**. |Filtering Bridge Step 5.png| @@ -117,7 +117,7 @@ and **Block bogon networks**. 6. Disable the DHCP server on LAN --------------------------------- -To disable the DCP server on LAN goto **Services** -> **DHCP Server** -> **LAN** and +To disable the DHCP server on LAN go to :menuselection:`Services --> DHCPv4 --> [LAN]` and unselect enable. |Filtering Bridge Step 6.png| @@ -133,7 +133,7 @@ This step is to ensure we have a full transparent bridge without any filtering taking place. You can setup the correct rules when you have confirmed the bridge to work properly. -Goto **Firewall** -> **Rules** and add a rule per interface to allow all traffic +Go to :menuselection:`Firewall --> Rules` and add a rule per interface to allow all traffic of any type. |Filtering Bridge Step 7.png| 
@@ -146,14 +146,14 @@ ignored. So you can skip this step. As we now have setup allow rules for each interface we can safely remove the Anti Lockout rule on LAN -Goto **Firewall** -> **Settings** -> **Admin Access** :Anti-lockout and select +Go to :menuselection:`Firewall --> Settings --> Admin Access`: Anti-lockout and select this option to disable 9. Set LAN and WAN interface type to 'none' ------------------------------------------- Now remove the IP subnets in use for LAN and WAN by changing the -interface type to none. Goto **Interfaces** -> **LAN** & **Interfaces** -> **WAN** +interface type to none. Go to :menuselection:`Interfaces --> [LAN]` and :menuselection:`Interfaces --> [WAN]` to do so. |Filtering Bridge Step 9.png| diff --git a/source/manual/how-tos/two_factor.rst b/source/manual/how-tos/two_factor.rst index 846b8fd1..26ef9bed 100644 --- a/source/manual/how-tos/two_factor.rst +++ b/source/manual/how-tos/two_factor.rst @@ -17,7 +17,7 @@ with this 2FA solution. -------------------------------------- Step 1 - Add New Authentication Server -------------------------------------- -To add a TOTP server go to **System->Access-Servers** and press **Add server** in +To add a TOTP server go to :menuselection:`System --> Access --> Servers` and press **Add server** in the top right corner. Then fill in the form as follows: ====================== =================================== ======================================== @@ -37,7 +37,7 @@ Install using the normal procedure for your device. --------------------------- Step 3 - Add or modify user --------------------------- -For this example we will create a new user, go to **System->Access-Users** and click +For this example we will create a new user, go to :menuselection:`System --> Access --> Users` and click on the plus sign in the lower right corner. Enter a **Username** and **Password** and fill in the other fields just as you would 
@@ -106,7 +106,7 @@ Google Authenticator Android, iOS https://www.google.com/landing/2ste Step 5 - Test the token ----------------------- For testing the user authentication, OPNsense offers a simple tester. -Go to **System->Access->Tester** +Go to :menuselection:`System --> Access --> Tester` Select the Authentication server you have configured, and enter the user name. Then enter the ***token** + **password**, remember the order diff --git a/source/manual/how-tos/user-ldap.rst b/source/manual/how-tos/user-ldap.rst index ee3dcb69..8db1723c 100644 --- a/source/manual/how-tos/user-ldap.rst +++ b/source/manual/how-tos/user-ldap.rst @@ -20,7 +20,7 @@ You OPNsense firewall need to be fully configured and able to access the LDAP se Step 1 - Add New LDAP server ---------------------------- -To add a new LDAP server as authentication source, go to **System->Access->Servers** +To add a new LDAP server as authentication source, go to :menuselection:`System --> Access --> Servers` and click on **Add server** the top right corner, just above the form. Enter the following information: @@ -66,7 +66,7 @@ Enter the following information: Step 2 - Test -------------- -To test if the server is configured correctly, go to **System->Access->Tester** +To test if the server is configured correctly, go to :menuselection:`System --> Access --> Tester` and select your LDAP server and enter a valid username + password. Click on **Test** and if everything is setup correctly it will show: @@ -84,7 +84,7 @@ If not (or your entered invalid credentials) it shows: Step 3 - Import Users --------------------- If you would like to give LDAP/Active Directory users access to the GUI, you need -to import the users into the local user manager. Go to **System->Access->Users** +to import the users into the local user manager. Go to :menuselection:`System --> Access --> Users` you will see a cloud import icon at the lower right corner of the form. .. image:: images/user_cloudimport.png 
@@ -97,7 +97,7 @@ A new form will be show with the individual users, select the ones you like to i Step 4 - Update ldap user privileges ------------------------------------ -Now if you go to **System->Access->Users** you will see all users including the +Now if you go to :menuselection:`System --> Access --> Users` you will see all users including the newly imported ldap users. You can create a specific group for these users to easily manage the privileges or use one of your earlier created groups. @@ -116,7 +116,7 @@ Step 5 - Update system access settings Now we have configures, verified and imported the users from our LDAP server, we need to change the default settings to allow LDAP users to login. -Go to **System->Access->Settings** and change the Authentication Server from +Go to :menuselection:`System --> Access --> Settings` and change the Authentication Server from **Local Database** to your newly created **LDAP** server. Leave the fallback on **Local Database** and click on **Save and Test**. diff --git a/source/manual/how-tos/user-local.rst b/source/manual/how-tos/user-local.rst index ad1cfc01..33cbb95f 100644 --- a/source/manual/how-tos/user-local.rst +++ b/source/manual/how-tos/user-local.rst @@ -10,7 +10,7 @@ the privileges for granting access to certain parts of the GUI (Web Configurator Adding Users ------------ -To add a new user go to **System->Access->Users** and click on the **+** sign at +To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at the bottom right corner of the form. ========================== =========== ========================================================= 
@@ -29,7 +29,7 @@ the bottom right corner of the form. Creating Groups --------------- -Go to **System->Access->Groups** and click on the **+** sign in the lower right +Go to :menuselection:`System --> Access --> Groups` and click on the **+** sign in the lower right corner of the form. Enter a **Group name** and a **Description** and add users to the group. @@ -37,7 +37,7 @@ Enter a **Group name** and a **Description** and add users to the group. Add privileges to a group ------------------------- After creating a group the privileges can be added by editing the group. -Go to **System->Access-Groups** and click on the edit symbol (pencil) right next +Go to :menuselection:`System --> Access --> Groups` and click on the edit symbol (pencil) right next to the group you like to change. To assign privileges, just click on the pencil icon on the right of **Assigned Privileges**. @@ -58,7 +58,7 @@ User accounts can be used for logging in to the web frontend, as well as for log serial or SSH). The latter will only work if the user's shell is not set to ``/sbin/nologin`` and if group the user is part of is allowed SSH access. -In order to access OPNsense via SSH, SSH access will need to be configured via **System->Settings->Administration**. +In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`. Under the "Secure Shell" heading, the following options are available: ============================ ========================================================================== diff --git a/source/manual/how-tos/user-radius.rst b/source/manual/how-tos/user-radius.rst index 4bacc6e3..5be0d610 100644 --- a/source/manual/how-tos/user-radius.rst +++ b/source/manual/how-tos/user-radius.rst 
@@ -2,7 +2,7 @@ Configuring Radius ================== Configuring a Radius server for user authentication in services like vpn or captive portal -is easy just go to **System->Access->Servers** and click on **Add server** in the top right corner. +is easy just go to :menuselection:`System --> Access --> Servers` and click on **Add server** in the top right corner. Fill in the form: @@ -16,6 +16,6 @@ Fill in the form: **Authentication Timeout** 5 *Timeout for Radius to respond on requests* ============================== =============== ========================================================= -Use the tester under **System->Access->Tester** to test the Radius server. +Use the tester under :menuselection:`System --> Access --> Tester` to test the Radius server. If you want to use the FreeRADIUS plugin set up the server as 127.0.0.1 and don't forget to add a **Client** in the FreeRADIUS configuration. diff --git a/source/manual/how-tos/wireguard-client-azire.rst b/source/manual/how-tos/wireguard-client-azire.rst index f811e173..31da75e5 100644 --- a/source/manual/how-tos/wireguard-client-azire.rst +++ b/source/manual/how-tos/wireguard-client-azire.rst @@ -51,7 +51,7 @@ Step 3 - Assignments and Routing -------------------------------- To let you internal clients go through the tunnel you have to add a NAT entry. Go to -**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual +:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your LAN network and set **Translation / target** to **interface address**. diff --git a/source/manual/how-tos/wireguard-client-mullvad.rst b/source/manual/how-tos/wireguard-client-mullvad.rst index cd35a795..a1e70589 100644 --- a/source/manual/how-tos/wireguard-client-mullvad.rst +++ b/source/manual/how-tos/wireguard-client-mullvad.rst 
@@ -52,7 +52,7 @@ Step 2 - Assignments and Routing -------------------------------- To let you internal clients go through the tunnel you have to add a NAT entry. Go to -**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual +:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your LAN network and set **Translation / target** to **interface address**. diff --git a/source/manual/how-tos/wireguard-client.rst b/source/manual/how-tos/wireguard-client.rst index 77dd3293..6560ea3f 100644 --- a/source/manual/how-tos/wireguard-client.rst +++ b/source/manual/how-tos/wireguard-client.rst @@ -18,10 +18,10 @@ WireGuard as a central server or just as a client. Step 1 - Installation --------------------- -Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings** -the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search +Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings` +the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client -via **VPN->WireGuard**. +via :menuselection:`VPN --> WireGuard`. -------------------------------- Step 2a - Setup WireGuard Server 
@@ -49,7 +49,7 @@ If you want to add more users just add them in **Endpoints** and link them via * Step 2b - Setup Firewall ------------------------ -On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your +On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can set granular rules on connection inside your tunnel. @@ -61,10 +61,10 @@ Step 2c - Assignments and Routing With this setup your clients can reach your internal networks when they add it vial **Tunnel Address**. But what if you want to push all traffic via VPN in order to filter some streams out of it? -Then we have to assign the interface via **Interface->Assignments**, choose our instance (e.g. instance +Then we have to assign the interface via :menuselection:`Interface --> Assignments`, choose our instance (e.g. instance 0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address. -After this we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set +After this we can go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel Network you use and **Translation / target** set to WAN address. @@ -73,7 +73,7 @@ Internet via your VPN. When assigning interfaces we can also add gateways to them. This would offer you the chance to balance traffic via different VPN providers or do more complex routing scenarios. -To do this, go to **System->Gateways->Single** and add a new gateway. Choose your WireGuard interface +To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose your WireGuard interface and set the Gateway to **dynamic**. ------------------------------- 
diff --git a/source/manual/how-tos/wireguard-s2s.rst b/source/manual/how-tos/wireguard-s2s.rst index 69d78b55..e7265243 100644 --- a/source/manual/how-tos/wireguard-s2s.rst +++ b/source/manual/how-tos/wireguard-s2s.rst @@ -20,10 +20,10 @@ and widely deployable. It is currently under heavy development. Step 1 - Installation --------------------- -Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings** -the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search +Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings` +the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client -via **VPN->WireGuard**. +via :menuselection:`VPN --> WireGuard`. ------------------------ Step 2 - Setup WireGuard @@ -50,7 +50,7 @@ Now we can **Enable** the VPN in tab **General** and go on with the setup. Step 3 - Setup Firewall ----------------------- -On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your +On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can set granular rules on connection inside your tunnel. diff --git a/source/manual/install.rst b/source/manual/install.rst index 144f0615..948ba5ca 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst 
@@ -158,8 +158,8 @@ Depending on you hardware and use case different installation media are provided and re-writes. For embedded (nano) versions memory disks for /var and /tmp are applied by default to prolong CF (flash) card lifetimes. - To enable for non embedded versions: Enable **System⇒Settings⇒Miscellaneous⇒RAM** Disk - Settings; afterwards reboot. Consider to enable an external syslog server as well. + To enable for non embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`, + change the setting, then reboot. Consider to enable an external syslog server as well. ------------------------------ Media Filename Composition @@ -225,7 +225,7 @@ OpenSSL and LibreSSL OPNsense images are provided based upon `OpenSSL `__. The `LibreSSL `__ flavor can be selected from within -the GUI ( System⇒Firmware⇒Settings ). In order to apply your choice an update +the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update must be performed after save, which can include a reboot of the system. .. image:: ./images/firmware_flavour.png @@ -422,7 +422,7 @@ Minimum installation actions In case of a minimum install setup (i.e. on CF cards), OPNsense can be run with all standard features, expect for the ones that require disk writes, e.g. a caching proxy like Squid. Do not create a swap - slice, but a RAM Disk instead. In the GUI enable **System⇒Settings⇒Miscellaneous⇒RAM Disk Settings** + slice, but a RAM Disk instead. In the GUI enable :menuselection:`System --> Settings --> Miscellaneous --> RAM Disk Settings`* and set the size to 100-128 MB or more, depending on your available RAM. Afterwards reboot. 
@@ -468,7 +468,7 @@ The other method to upgrade the system is via console option **12) Upgrade from .. rubric:: GUI :name: gui -An update can be done through the GUI via **System⇒Firmware⇒Updates**. +An update can be done through the GUI via :menuselection:`System --> Firmware --> Updates`. .. image:: ./images/firmware-update.png :width: 100% diff --git a/source/manual/logging.rst b/source/manual/logging.rst index ff7340d1..5f911d5e 100644 --- a/source/manual/logging.rst +++ b/source/manual/logging.rst 
@@ -10,14 +10,14 @@ with the settings of the component they belong to. The log files can be found he System ------ -============================= ================================ ============================================================= - **System Log** **System->Log Files->General** *Most of all system related events go here* - **Backend / config daemon** **System->Log Files->Backend** *Here you can find logs for config generation of API usage* - **Web GUI** **System->Log Files->Web GUI** *Lighttpd, the webserver of OPNsense itself, logs here* - **Firmware** **System->Firmware->Log File** *Updates from the packaging system go here* - **Gateways** **System->Gateways->Log File** *Lists Dpinger gateway tracking related log messages* - **Routing** **System->Routes->Log File** *Routing changes or interface events* -============================= ================================ ============================================================= +============================= =================================================== ============================================================= + **System Log** :menuselection:`System --> Log Files --> General` *Most of all system related events go here* + **Backend / config daemon** :menuselection:`System --> Log Files --> Backend` *Here you can find logs for config generation of API usage* + **Web GUI** :menuselection:`System --> Log Files --> Web GUI` *Lighttpd, the webserver of OPNsense itself, logs here* + **Firmware** :menuselection:`System --> Firmware --> Log File` *Updates from the packaging system go here* + **Gateways** :menuselection:`System --> Gateways --> Log File` *Lists Dpinger gateway tracking related log messages* + **Routing** :menuselection:`System --> Routes --> Log File` *Routing changes or interface events* +============================= =================================================== ============================================================= .. Note:: Log files on file system: 
@@ -32,10 +32,10 @@ System Interfaces ---------- -==================== ========================================== =================================================================== - **Wireless** **Interfaces->Wireless->Log File** *When using wireless features of OPNsense you find the logs here* - **Point-to-Point** **Interfaces->Point-to-Point->Log File** *PPP dialup logs like PPPoE are found here* -==================== ========================================== =================================================================== +==================== ============================================================== =================================================================== + **Wireless** :menuselection:`Interfaces --> Wireless --> Log File` *When using wireless features of OPNsense you find the logs here* + **Point-to-Point** :menuselection:`Interfaces --> Point-to-Point --> Log File` *PPP dialup logs like PPPoE are found here* +==================== ============================================================== =================================================================== .. Note:: Log files on file system: 
@@ -46,10 +46,10 @@ Interfaces Firewall -------- -================ ===================================== ============================================================================= - **Live View** **Firewall->Log Files->Live View** *View firewall logs in realtime, smart filtering can be applied* - **Plain View** **Firewall->Log Files->Plain View** *Just the plain contents how **pf** logs into **filter.log** * -================ ===================================== ============================================================================= +================ ======================================================== ============================================================================= + **Live View** :menuselection:`Firewall --> Log Files --> Live View` *View firewall logs in realtime, smart filtering can be applied* + **Plain View** :menuselection:`Firewall --> Log Files --> Plain View` *Just the plain contents how **pf** logs into **filter.log** * +================ ======================================================== ============================================================================= .. Note:: Log files on file system: @@ -59,10 +59,10 @@ Firewall VPN --- -================= ============================ ===================================== - **IPsec Log** **VPN->IPsec->Log File** *Everything around IPsec goes here* - **OpenVPN Log** **VPN->OpenVPN->Log File** *OpenVPN logs everything here* -================= ============================ ===================================== +================= =============================================== ===================================== + **IPsec Log** :menuselection:`VPN --> IPsec --> Log File` *Everything around IPsec goes here* + **OpenVPN Log** :menuselection:`VPN --> OpenVPN --> Log File` *OpenVPN logs everything here* +================= =============================================== ===================================== .. Note:: Log files on file system: 
@@ -73,16 +73,16 @@ VPN Services -------- -========================= ============================================= ============================================= - **Captive Portal** **Services->Captive Portal->Log File** *Events from Captive Portal go here* - **DHCPv4** **Services->DHCPv4->Log File** *DHCP events get logged here* - **Dnsmasq DNS** **Services->Dnsmasq DNS->Log File** *The DNSmasq Forwarder logs* - **HAProxy** **Services->HAProxy->Log File** *The logs of the Reverse Proxy* - **Intrusion Detection** **Services->Intrusion Detection->Log File** *Suricata Logs are here* - **Network Time** **Services->Network Time->Log File** *NTP daemon logs* - **Unbound DNS** **Services->Unbound DNS->Log File** *Unbound resolver logs can be found here* - **Web Proxy** **Services->Web Proxy->Log File** *Squid access.log, store.log and cache.log* -========================= ============================================= ============================================= +========================= ================================================================ ============================================= + **Captive Portal** :menuselection:`Services --> Captive Portal --> Log File` *Events from Captive Portal go here* + **DHCPv4** :menuselection:`Services --> DHCPv4 --> Log File` *DHCP events get logged here* + **Dnsmasq DNS** :menuselection:`Services --> Dnsmasq DNS --> Log File` *The DNSmasq Forwarder logs* + **HAProxy** :menuselection:`Services --> HAProxy --> Log File` *The logs of the Reverse Proxy* + **Intrusion Detection** :menuselection:`Services --> Intrusion Detection --> Log File` *Suricata Logs are here* + **Network Time** :menuselection:`Services --> Network Time --> Log File` *NTP daemon logs* + **Unbound DNS** :menuselection:`Services --> Unbound DNS --> Log File` *Unbound resolver logs can be found here* + **Web Proxy** :menuselection:`Services --> Web Proxy --> Log File` *Squid access.log, store.log and cache.log* +========================= 
================================================================ ============================================= .. Note:: Log files on file system: @@ -102,7 +102,7 @@ Circular Logs ------------- Most of the core features log to circular log files so they will not grow bigger -than a predefined size. You can tune this value via **System->Settings->Logging**. +than a predefined size. You can tune this value via :menuselection:`System --> Settings --> Logging`. There, you can also disable the writing of logs to disk or reset them all. You can view the contents via CLI with: diff --git a/source/manual/monit.rst b/source/manual/monit.rst index 3c983921..370036c8 100644 --- a/source/manual/monit.rst +++ b/source/manual/monit.rst @@ -10,7 +10,7 @@ configuration options explained in more detail afterwards, along with some cavea Global setup ------------ -Navigate to **Services->Monit->Settings**. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes. +Navigate to :menuselection:`Services --> Monit --> Settings`. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes. Then, navigate to the “Alert settings” and add one for your e-mail address. If your mail server requires the “From” field to be properly set, enter ``From: sender@example.com`` in the “Mail format” field. Save the alert and apply the changes. @@ -85,7 +85,7 @@ Save and apply. Settings overview ----------------- -Navigate to **Services->Monit->Settings**. You will see four tabs, which we will describe in more detail below +Navigate to :menuselection:`Services --> Monit --> Settings`. You will see four tabs, which we will describe in more detail below ^^^^^^^^^^^^^^^^ General Settings 
@@ -242,5 +242,5 @@ These include: Status ------ -The Monit status panel can be accessed via **Services->Monit->Status**. For every active service, it will show the status, +The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status, along with extra information if the service provides it. diff --git a/source/manual/netflow.rst b/source/manual/netflow.rst index 38ea9457..442f364c 100644 --- a/source/manual/netflow.rst +++ b/source/manual/netflow.rst @@ -17,7 +17,7 @@ OPNsense offers full support for exporting Netflow data to external collectors a well as a comprehensive Analyzer for on-the-box analysis and live monitoring. OPNsense is the only open source solution with a built-in Netflow analyzer integrated -into its Graphical User Interface. It can be accessed via **Reporting->Netflow**. +into its Graphical User Interface. It can be accessed via :menuselection:`Reporting --> Netflow`. ------------------ Supported Versions diff --git a/source/manual/nptv6.rst b/source/manual/nptv6.rst index affcd1e3..cc94efdd 100644 --- a/source/manual/nptv6.rst +++ b/source/manual/nptv6.rst @@ -6,7 +6,7 @@ Network Prefix Translation, shortened to NPTv6, is used to translate IPv6 addres is to translate global ("WAN") IPs to local ones. In this regard, it is similar to NAT, although NPTv6 can only be used to map addresses one-to-one, unlike NAT which typically translates one external IP to several internal ones. -NPTv6 routes are listed at **Firewall->NAT->NPTv6**. New rules can be added by clicking **Add** in the upper right +NPTv6 routes are listed at :menuselection:`Firewall --> NAT --> NPTv6`. New rules can be added by clicking **Add** in the upper right corner. A quick overview of the fields: ============================= ======================================================================================================================================================================= 
diff --git a/source/manual/systemhealth.rst b/source/manual/systemhealth.rst index b0982559..4eae0808 100644 --- a/source/manual/systemhealth.rst +++ b/source/manual/systemhealth.rst @@ -5,7 +5,7 @@ System Health & Round Robin Data .. image:: images/systemhealth_sample.png :width: 100% -System Health is a dynamic view on RRD data gathered by the system. It can be accessed via **Reporting->Health**. It allows you +System Health is a dynamic view on RRD data gathered by the system. It can be accessed via :menuselection:`Reporting --> Health`. It allows you to dive into different statistics that show the overall health and performance of the system over time. diff --git a/source/manual/updates.rst b/source/manual/updates.rst index 08d9d234..35a3ade0 100644 --- a/source/manual/updates.rst +++ b/source/manual/updates.rst 
@@ -10,14 +10,14 @@ the fortnightly updates adding a third number (e.g. 19.1.3 for the third update Installing updates ------------------ -Updates can be installed from the web interface, by going to **System->Firmware->Updates**. On this page, you can click +Updates can be installed from the web interface, by going to :menuselection:`System --> Firmware --> Updates`. On this page, you can click **Check for updates** to search for updates. If they are available, a button will appear to install them. --------------- Update settings --------------- -By navigating to **System->Firmware->Settings**, you can influence the firmware update settings: +By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings: * **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here. * **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL. diff --git a/source/manual/users.rst b/source/manual/users.rst index 41b69ae9..11b8d293 100644 --- a/source/manual/users.rst +++ b/source/manual/users.rst 
@@ -47,17 +47,17 @@ rights, called privileges. Authentication services ---------------------------------- -Authentication services can be configured using the settings in **System->Access->Servers**. +Authentication services can be configured using the settings in :menuselection:`System --> Access --> Servers`. This includes both local accounts and remote authentication. By default, OPNsense GUI login will use local accounts. This can be changed, however, -by going to **System->Settings->Administration**, scrolling down to the "Authentication" group, +by going to :menuselection:`System --> Settings --> Administration`, scrolling down to the "Authentication" group, and changing the 'Server' option. Local account configuration --------------------------- -Settings for handling login via local accounts can be set by going to **System->Access->Servers**, +Settings for handling login via local accounts can be set by going to :menuselection:`System --> Access --> Servers`, then clicking the 'Edit' icon (a pencil) for 'Local Database'. Here, you can improve security of local user accounts by setting password length and complexity constraints. diff --git a/source/manual/virtuals.rst b/source/manual/virtuals.rst index 06a22e4f..fe982954 100644 --- a/source/manual/virtuals.rst +++ b/source/manual/virtuals.rst @@ -14,7 +14,7 @@ For optimum performance and compatibility, these guides are given: * Minimum required RAM is 1 GB * Minimum recommended virtual disk size of 8 GB -* Disable all off-loading settings in **Interfaces->Settings** +* Disable all off-loading settings in :menuselection:`Interfaces --> Settings` .. image:: images/disableoffloading.png 
@@ -25,7 +25,7 @@ VMware ESXi VMware offers full instructions for installing FreeBSD, these can be found `here `__. -To install the VMware tools just goto **System->Firmware->Plugins** and install +To install the VMware tools just goto :menuselection:`System --> Firmware --> Plugins` and install **os-vmware** by clicking on the **+** sign next to it. .. image:: images/os-vmware.png @@ -39,7 +39,7 @@ To install the VMware tools just goto **System->Firmware->Plugins** and install Xen --- -To install the Xen tools just goto **System->Firmware->Plugins** and install +To install the Xen tools just goto :menuselection:`System --> Firmware --> Plugins` and install **os-xen** by clicking on the **+** sign next to it. .. image:: images/os-xen.png
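Review bot: In source/manual/updates.rst, the unchanged bullet `* **Fimware Mirror:**` under "Update settings" misspells "Firmware". The hunk already rewrites the sentence directly above it, so correct the label here so that it matches the neighbouring **Firmware Flavour:** bullet. In the same bullet, "If you have troubles updating" would read better as "If you have trouble updating".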
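Review bot: In the source/manual/users.rst hunk, GUI labels are still quoted two different ways after the change: "Authentication" in double quotes, and 'Server', 'Edit' and 'Local Database' in single quotes. Other files in this patch use bold for buttons (**Add**, **Check for updates**). Since the commit aims at consistent notation, consider marking these labels with the :guilabel: role, or at least settling on one style, in the same pass as the :menuselection: conversion.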
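Review bot: Both rewritten lines in source/manual/virtuals.rst (the VMware ESXi and Xen hunks) keep the wording "just goto :menuselection:`System --> Firmware --> Plugins`". "goto" should be "go to", and since these exact lines are being replaced anyway, this is the cheapest place to fix it.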