Use consistent, RST menu notation; fix some build warnings (#144)

source/_static/css/opnsense.css

@@ -4495,3 +4495,7 @@ span[id*='MathJax-Span'] {
   font-style: normal;
   font-weight: 700;
   src: local("Roboto Slab Bold"), local("RobotoSlab-Bold"), url(../fonts/RobotoSlab-Bold.ttf) format("truetype"); }
+
+.menuselection {
+  font-weight: bold;
+}

source/development/components/authentication.rst

@@ -29,7 +29,7 @@ Authenticators & Connections
 ------------------------------
 
 
-Services within OPNsense can use different authentication methods, for which connections can be configured in **System-->Access-->Servers**
+Services within OPNsense can use different authentication methods, for which connections can be configured in :menuselection:`System --> Access --> Servers`
 (e.g. the method can be **radius** which is offered through a server at a location).
 All of these methods use the same api defined in :code:`\OPNSense\Auth\IAuthConnector`, which comes with some simple to use handles.
 
@@ -37,7 +37,7 @@ If a class in :code:`\OPNSense\Auth` implements :code:`IAuthConnector` it is con
 for the authenticator factory named :code:`AuthenticationFactory`.
 
 The factory provides a layer of abstraction around the different authentication concepts, for example a server defined in
-**System-->Access-->Servers** can be requested using a simple :code:`(new AuthenticationFactory())->get('name');`
+:menuselection:`System --> Access --> Servers` can be requested using a simple :code:`(new AuthenticationFactory())->get('name');`
 This connects the authenticator to the configured servers and the response object is ready to handle authentication requests.
 
 

source/manual/aliases.rst

@@ -6,7 +6,7 @@ by selecting the alias name in the various supported sections of the firewall.
 These aliases are particularly useful to condense firewall rules and minimize
 changes.
 
-Aliases can be added, modified and removed via **Firewall->Aliases**.
+Aliases can be added, modified and removed via :menuselection:`Firewall --> Aliases`.
 
 -----------
 Alias Types
@@ -41,7 +41,7 @@ Sample
       :width: 100%
 
 **Apply changes** and look at the content of our newly created pf table.
-Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube table.
+Go to :menuselection:`Firewall --> Diagnostics --> pfTables` and select our newly created youtube table.
 
 .. image:: images/pftable_youtube.png
     :width: 100%

source/manual/certificates.rst

@@ -5,7 +5,7 @@ Using certificates
 In OPNsense, certificates are used for ensuring trust between peers. To make using them easier, OPNsense allows creating
 certificates from the front-end. In addition to that, it also allows creating certificates for other purposes,
 avoiding the need to use the ``openssl`` command line tool. Certificates in OPNsense can be managed from
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 Examples of OPNsense components that use certificates:
 * OpenVPN

source/manual/dashboard.rst

@@ -3,7 +3,7 @@ Dashboard
 =========
 
 The Dashboard is the first page you will see after you log into OPNsense.
-Additionally, it can be accessed via **Lobby->Dashboard**. The Dashboard provides an overview of your system status.
+Additionally, it can be accessed via :menuselection:`Lobby --> Dashboard`. The Dashboard provides an overview of your system status.
 
 -------------
 Configuration

source/manual/dhcp.rst

@@ -9,7 +9,7 @@ DHCP is available for both IPv4 and IPv6 clients, referred to as DHCPv4 and DHCP
 Settings overview
 -----------------
 
-DHCPv4 settings can be found at **Services -> DHCPv4**. DHCPv6 settings can be found at **Services -> DHCPv6**.
+DHCPv4 settings can be found at :menuselection:`Services --> DHCPv4`. DHCPv6 settings can be found at :menuselection:`Services --> DHCPv6`.
 
 The DHCPv4 submenu further consists of:
 
@@ -35,9 +35,9 @@ described in `RFC 1918 <https://tools.ietf.org/html/rfc1918#section-3>`_.)
 The LAN IP of the OPNsense device that serves DHCP to the LAN should fall in the same DHCP IP range. Typically, it gets
 the address ending in .1 (so 192.168.1.1) in this example.
 
-To set the LAN IP, go to **Interfaces -> [LAN]**, set “IPv4 Configuration Type” to “Static”, and under
+To set the LAN IP, go to :menuselection:`Interfaces --> [LAN]`, set “IPv4 Configuration Type” to “Static”, and under
 “Static IPv4 configuration”, set “IPv4 address” to ``192.168.1.1`` and the subnet dropdown to “24”. Then click Save.
 
-To set the DHCP settings, go to **Services -> DHCPv4 -> [LAN]**. Under “Gateway”, put ``192.168.1.1``. Under range,
+To set the DHCP settings, go to :menuselection:`Services  -->  DHCPv4  -->  [LAN]`. Under “Gateway”, put ``192.168.1.1``. Under range,
 put ``192.168.1.100`` as the start address and ``192.168.1.200`` as the end address. Then click Save. After saving,
 click the “Apply Settings” button.

source/manual/diagnostics.rst

@@ -6,27 +6,27 @@ In order to get more insight into your network, and to help solve problems, OPNs
 
 The tools can be found in three places:
 
-* **System -> Diagnostics**
+* :menuselection:`System --> Diagnostics`
-* **Interfaces -> Diagnostics**
+* :menuselection:`Interfaces --> Diagnostics`
-* **Firewall -> Diagnostics**
+* :menuselection:`Firewall --> Diagnostics`
 
 The following tools are available:
 
-=================================================== ===========================================================================
+================================================================== ===========================================================================
- **System -> Diagnostics -> Activity**               Show executed commands
+ :menuselection:`System --> Diagnostics --> Activity`               Show executed commands
- **System -> Diagnostics -> Services**               Shows running services, allows starting/stopping/restarting
+ :menuselection:`System --> Diagnostics --> Services`               Shows running services, allows starting/stopping/restarting
- **Interfaces -> Diagnostics -> ARP Table**          Show ARP table, which lists local connected IPv4 peers
+ :menuselection:`Interfaces --> Diagnostics --> ARP Table`          Show ARP table, which lists local connected IPv4 peers
- **Interfaces -> Diagnostics -> DNS Lookup**         Easy lookup of IPs and A records that belong to a hostname
+ :menuselection:`Interfaces --> Diagnostics --> DNS Lookup`         Easy lookup of IPs and A records that belong to a hostname
- **Interfaces -> Diagnostics -> NDP Table**          Show NDP table, which lists local connected IPv6 peers
+ :menuselection:`Interfaces --> Diagnostics --> NDP Table`          Show NDP table, which lists local connected IPv6 peers
- **Interfaces -> Diagnostics -> Packet capture**     Capture packets travelling through an interface
+ :menuselection:`Interfaces --> Diagnostics --> Packet capture`     Capture packets travelling through an interface
- **Interfaces -> Diagnostics -> Ping**               Ping a hostname or IP address
+ :menuselection:`Interfaces --> Diagnostics --> Ping`               Ping a hostname or IP address
- **Interfaces -> Diagnostics -> Port Probe**         Test if a host has a certain TCP port open and accepts connections on it
+ :menuselection:`Interfaces --> Diagnostics --> Port Probe`         Test if a host has a certain TCP port open and accepts connections on it
- **Interfaces -> Diagnostics -> Trace Route**        Trace route to a hostname or IP address
+ :menuselection:`Interfaces --> Diagnostics --> Trace Route`        Trace route to a hostname or IP address
- **Firewall -> Diagnostics -> pfInfo**               General information and statistics for pf
+ :menuselection:`Firewall --> Diagnostics --> pfInfo`               General information and statistics for pf
- **Firewall -> Diagnostics -> pfTop**                Currently active pf states and routes
+ :menuselection:`Firewall --> Diagnostics --> pfTop`                Currently active pf states and routes
- **Firewall -> Diagnostics -> pfTables**             Shows IP addresses belonging to aliases
+ :menuselection:`Firewall --> Diagnostics --> pfTables`             Shows IP addresses belonging to aliases
- **Firewall -> Diagnostics -> Sockets**              Shows listening sockets for IPv4 and IPv6
+ :menuselection:`Firewall --> Diagnostics --> Sockets`              Shows listening sockets for IPv4 and IPv6
- **Firewall -> Diagnostics -> States Dump**          Currently active states
+ :menuselection:`Firewall --> Diagnostics --> States Dump`          Currently active states
- **Firewall -> Diagnostics -> States Reset**         Delete active states and source tracking (cancels connections)
+ :menuselection:`Firewall --> Diagnostics --> States Reset`         Delete active states and source tracking (cancels connections)
- **Firewall -> Diagnostics -> States Summary**       Show states sorted by criteria like source IP, destination IP, …
+ :menuselection:`Firewall --> Diagnostics --> States Summary`       Show states sorted by criteria like source IP, destination IP, …
-=================================================== ===========================================================================
+================================================================== ===========================================================================

source/manual/dynamic_routing.rst

@@ -4,7 +4,7 @@ Dynamic Routing
 
 .. Warning::
     With OPNsense version 19.1 the FRR package was updated to version 5. It's strongly advised to increase
-    the kern.ipc.maxsockbuf value via **Tunables**. Go to **System->Settings->Tunables** and check if there
+    the kern.ipc.maxsockbuf value via **Tunables**. Go to :menuselection:`System --> Settings --> Tunables` and check if there
     is already a tunable for maxsockbuf and set it to 16777216 if it's lower. Otherwise add a new one with 
     name above and the specified value.
 

source/manual/etpro_telemetry.rst

@@ -65,7 +65,7 @@ plugin
 First we need to install the required plugin, which is responsible for collecting the telemetry data and provides access
 to the ET Pro ruleset.
 
-1.  Go to **System->Firmware->Updates**
+1.  Go to :menuselection:`System --> Firmware --> Updates`
 2.  press "Check for updates" in the upper right corner.
 3.  open the tab "Plugins" and search for `os-etpro-telemetry`
 4.  when found, click on the [+] sign on the right to install the plugin
@@ -78,7 +78,7 @@ register token
 
 Next step is to register your token in OPNsense and enable rulesets.
 
-1.  Go to **Services->Intrusion Detection->Administration**
+1.  Go to :menuselection:`Services --> Intrusion Detection --> Administration`
 2.  Click on the "Download" tab, which should show you a list of available rules.
 3.  Enable all categories you would like to monitor in the "ET telemetry" section,
     if in doubt enable all and monitor the alerts later (select on the right and use the enable selected button on top)
@@ -93,7 +93,7 @@ Schedule updates
 
 To download the rulesets automatically on a daily bases, you can add a schedule for this task.
 
-1.  Go to **Services->Intrusion Detection->Administration**
+1.  Go to :menuselection:`Services --> Intrusion Detection --> Administration`
 2.  Click on the "Schedule" tab
 3.  A popup for the update task appears, enable it using the checkbox on top, and click "save changes"
 
@@ -104,10 +104,10 @@ Subscription status
 
 To validate your subscription, we recommend to add the widget to the dashboard.
 
-1.  Go to the dashboard **Lobby->Dashboard**
+1.  Go to the dashboard :menuselection:`Lobby --> Dashboard`
 2.  Click on "Add widget" in the top right corner, click "Telemetry status" in the list
 3.  Close dialog and click "Save settings" on the right top of the dashboard
-4.  Open **Lobby->Dashboard** again to refresh the content
+4.  Open :menuselection:`Lobby --> Dashboard` again to refresh the content
 
 When everything is setup properly and the plugin can reach Proofpoint, it will show something like:
 
@@ -131,7 +131,7 @@ In case your sensor can't communicate to the outside world, the widget shows an
 
 .. Note::
 
-    The system log (**System->Log Files->General**) might contain more information, search for *emergingthreats*
+    The system log (:menuselection:`System --> Log Files --> General`) might contain more information, search for *emergingthreats*
 
 
 --------------------------------------

source/manual/gui.rst

@@ -70,7 +70,7 @@ User & Local domain
 -------------------
 In the right corner just to the left of the quick navigation you will see your
 username and the full domain name the firewall is configured with
-(to change firewall name, go to **System->Setting->General**).
+(to change firewall name, go to :menuselection:`System --> Setting --> General`).
 
 
 Content Area

source/manual/how-tos/IPv6_ZenUK.rst

@@ -55,7 +55,7 @@ Click ‘Save’ and then ‘Apply’.
 All that is required now is to set the LAN interface to use assigned
 IPv6 prefix.
 
-Select Interfaces->LAN and set the IPv6 Configuration Type to ‘Track
+Select :menuselection:`Interfaces --> [LAN]` and set the IPv6 Configuration Type to ‘Track
 Interface’
 
 .. image:: images/ZenUK_image3.png
@@ -88,7 +88,7 @@ servers.
 **Create Gateway**
 ------------------
 Firstly, we do need to set up a gateway, this is for monitoring more
-than anything else. Select Gateways->All then click ‘Add Gateway’.
+than anything else. Select :menuselection:`Gateways --> All` then click ‘Add Gateway’.
 
 Now, we know that Zen give us a /64 on our WAN interface, for example.
 
@@ -114,9 +114,9 @@ Click Save.
 **WAN Interface**
 -----------------
 Once we have our gateway in place we can then set up the WAN interface.
-Select Interfaces->WAN.
+Select :menuselection:`Interfaces --> [WAN]`.
 
-Go to IPv6 Configuration Type and Select Static IPv6.
+Go to IPv6 Configuration Type and select Static IPv6.
 
 .. image:: images/ZenUK_image6.png
 	:width: 100%
@@ -171,8 +171,8 @@ Click Save and Apply.
 -----------------
 
 When using DHCPv6 on the WAN, our DHCPv6 LAN server is set
-automatically, however when using statics, we need to set it up. Goto
+automatically, however when using statics, we need to set it up. Go to
-Services->DHCPv6[LAN]
+:menuselection:`Services --> DHCPv6[LAN]`.
 
 Firstly, enable the server.
 

source/manual/how-tos/bind.rst

@@ -22,8 +22,8 @@ For version 2.0 it is planned to offer full zone-file management.
 Installation
 ------------
 
-First of all, go to **System->Firmware->Plugins** and install **os-bind**.
+First of all, go to :menuselection:`System --> Firmware --> Plugins` and install **os-bind**.
-You will finde the plugin at **Services->BIND**.
+You will finde the plugin at :menuselection:`Services --> BIND`.
 
 ----------------
 General Settings
@@ -70,7 +70,7 @@ DNSBL
     so it is whitelisted before the blacklists come into play.
 
 The Blacklists are downloaded and updated with every **Save** within BIND configuration.
-For production use you can go to **System->Settings->Cron** and add a cronjob. On the 
+For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the
 dropdown list you'll find the corret task under **Command**. Set the refresh interval
 as you wish and save. This will trigger an update of the selected lists and reload 
 BIND.
@@ -89,7 +89,7 @@ Advanced
 --------
 
 Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting, 
-you can set in **Services->Unbound DNS->General->Custom Options**.
+you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`.
     
 .. code-block:: none
 

source/manual/how-tos/cachingproxy.rst

@@ -9,7 +9,7 @@ Setup Caching Proxy
 Enable / Disable
 ----------------
 The proxy is delivered with sane default settings for easy setup.
-To enable the proxy just go to **Services->Web Proxy->Administration** and
+To enable the proxy just go to :menuselection:`Services --> Web Proxy --> Administration` and
 check **Enable proxy** en click on **Apply**. The default will enable the proxy
 with User Authentication based on the local user database and runs on port 3128
 of the lan interface.
@@ -42,7 +42,7 @@ Check the **Enable local cache** and click **Apply**.
 .. Important::
 
   As the cache is not created by default you will need to stop and start the service
-  under **Services->Diagnostics**, this will ensure correct creation of the cache.
+  under :menuselection:`Services --> Diagnostics`, this will ensure correct creation of the cache.
 
 Advanced
 --------
@@ -60,7 +60,7 @@ Now select **Authentication Settings** and select the desired Authenticator(s) i
 the field **Authentication method**. Click on **Clear All** if you do not want to
 use any authentication.
 
-Depending on the Authentication Servers you have setup under **System->Access->Servers**
+Depending on the Authentication Servers you have setup under :menuselection:`System --> Access --> Servers`
 You can select one or more of the following:
 
 * No Authentication (leave field blank)
@@ -118,7 +118,7 @@ This list is a simple flat list that looks like this:
     207.net
     247media.com
 
-Go to **Services->Web Proxy->Administration** and click on the tab **Remote
+Go to :menuselection:`Services --> Web Proxy --> Administration` and click on the tab **Remote
 Access Control Lists**
 
 Now click on the **+** at the bottom right corner of the form to add a new list.
@@ -146,7 +146,7 @@ Now click on **Download ACLSs & Apply** to enable the blacklist/ad blocker.
 Firewall Rule No Proxy Bypass
 -----------------------------
 To make sure no-one can bypass the proxy you need to add a firewall rule.
-Go to **Firewall->Rules** and add the following to the top of the list rule on the
+Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the
 LAN interface (if LAN is where your clients and proxy are on).
 
 ============================ =====================

source/manual/how-tos/carp.rst

@@ -65,7 +65,7 @@ security reasons (state injection) as for performance.
 
 OPNsense includes a mechanism to keep the configuration of the backup
 server in sync with the master. This mechanism is called XMLRPC sync and
-can be found under System -> High Availability.
+can be found under :menuselection:`System --> High Availability --> Settings`.
 
 -----------------------------------------
 Setup interfaces & basic firewall rules
@@ -73,7 +73,7 @@ Setup interfaces & basic firewall rules
 
 .. Warning::
     Make sure the interface assignments on both systems are identical!
-    Via **Interfaces->Overview** you can check if e.g. DMZ is opt1 on 
+    Via :menuselection:`Interfaces --> Overview` you can check if e.g. DMZ is opt1 on
     both machines. When the assigments differ you will have mixed 
     Master and Backup IPs on both machines.
 
@@ -95,7 +95,7 @@ setup the following addresses and subnets:
 +-----------------------+
 
 Next we need to make sure the appropriate protocols can be used on the
-different interfaces, go to firewall -> rules and make sure both LAN and
+different interfaces, go to :menuselection:`Firewall --> Rules` and make sure both LAN and
 WAN accept at least CARP packets (see protocol selection). Because we're
 connecting both firewalls using a direct cable connection, we will add a
 single rule to accept all traffic on all protocols for that specific
@@ -132,7 +132,7 @@ Setup Virtual IPs
 
 On the master node we are going to setup our Virtual IP addresses, which
 will also be used for the backup node after synchronisation. Go to
-Firewall -> Virtual IPs and add a new one with the following
+:menuselection:`Firewall --> Virtual IPs` and add a new one with the following
 characteristics:
 
 +-------------------------+------------------------------------+
@@ -178,7 +178,7 @@ IP address to make a seamless migration possible. The default for
 OPNsense is to use the interfaces IP address, which is in our case the
 wrong one.
 
-Go to Firewall -> NAT and select outbound nat. Choose manual outbound
+Go to :menuselection:`Firewall --> NAT --> Outbound`. Choose manual outbound
 nat on this page and change the rules originating from the
 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).
 
@@ -207,7 +207,7 @@ Setup HA sync (xmlrpc) and pfSync
 ---------------------------------
 
 First we should enable pfSync using our dedicated interface using the
-master firewall. Go to System -> High Availability, enable pfSync and
+master firewall. Go to :menuselection:`System --> High Availability --> Settings`, enable pfSync and
 select the interface used for pfSync. Next setup the peer IP to the
 other hosts address (10.0.0.2).
 
@@ -236,13 +236,13 @@ firewalls before testing.
 Testing setup
 -------------
 
-First go to Status -> Carp in the OPNsense webinterface and check if
+First go to :menuselection:`System --> High availability --> Status` in the OPNsense webinterface and check if
 both machines are properly initialized.
 
 To test our setup, we will connect a client to the local area network
 and open a ssh connection to a host behind both firewalls. Now when
 connected you should be able to look at the state table on both OPNsense
-firewalls (Diagnostics -> States) and they should both display the same
+firewalls (:menuselection:`Firewall --> Diagnostics --> States Dump`) and they should both display the same
 connection. Next try to pull the network plug from the master firewall
 and it should move over to the backup without loosing (or freezing) the
 ssh connection.
@@ -271,7 +271,7 @@ downtime. To keep the downtime at a minimum when running updates just follow
 these steps:
 
 - Update your secondary unit and wait until it is online again
-- On your primary unit go to **Firewall->Virtual IP's->Status** and hit **Enter Persistent CARP Maintenance Mode**
+- On your primary unit go to :menuselection:`Firewall --> Virtual IPs --> Status` and click **Enter Persistent CARP Maintenance Mode**
 - You secondary unit is now *MASTER*, check if all services like DHCP, VPN, NAT are working correctly
 - If you ensured the update was fine, update your primary unit and hit **Leave Persistent CARP Maintenance Mode**
 

source/manual/how-tos/cellular.rst

@@ -99,7 +99,7 @@ Once the SIM card is ready, quit ``cu`` with ``~.``.
 Step 2 - Configure Point to Point device
 ----------------------------------------
 
-Go to **Interfaces->Point-to-Point->Devices** and click on **Add** in the upper
+Go to :menuselection:`Interfaces --> Point-to-Point --> Devices` and click on **Add** in the upper
 right corner of the form.
 
 Fill in the form like this (Example is for Dutch Mobile 4G KPN Subscription):
@@ -129,7 +129,7 @@ Click **Save** to apply the settings.
 ---------------------------------
 Step 3 - Assign the WAN interface
 ---------------------------------
-To assign the interface go to **Interfaces->Assignments** in our case we will make
+To assign the interface go to :menuselection:`Interfaces --> Assignments` in our case we will make
 this our primary internet connection and change the WAN assignment accordingly.
 
 To do so just change the **Network port** for **WAN** to **ppp0 (/dev/cuaU0.0) - 4G Cellular Network**.
@@ -145,7 +145,8 @@ the one of you cellular connection.
 ------------------------
 Step 4 - Troubleshooting
 ------------------------
-In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to: **Interfaces->Point-to-Point->Log File**. If you are
+In case it still does not work, first look at the log of the cellular device's PPP connection, to do so go to:
+:menuselection:`Interfaces --> Point-to-Point --> Log File`. If you are
 lucky you can see what went wrong directly in the log. Unfortunately, the PPP log is
 not very informative so it might not help at all.
 
@@ -164,10 +165,11 @@ providers required factory resets (for whatever reason) to get them to work prop
 
   Some Sierra Wireless modems still seem to need a specific init string to work
   properly. One that seems to work for multiple users and LTE cards is ``&F0E1Q0 +CMEE=2``. In any case you should first try without init string and only give it
-  a try if you could not get any connection without. You can add this in **Interfaces->Point-to-Point->Devices->Your particular device->Advanced Options->Init String**.
+  a try if you could not get any connection without. You can add this in
+  :menuselection:`Interfaces --> Point-to-Point --> Devices --> Your particular device --> Advanced Options --> Init String`.
 
 When the device seems to work properly then checkout if the interface was assigned
-an IP address, go to **Interfaces->Overview** and click on the WAN interface to
+an IP address, go to :menuselection:`Interfaces --> Overview` and click on the WAN interface to
 see the details.
 
 You should see an IP address, Gateway IP and ISP DNS server(s).

source/manual/how-tos/changelog.rst

@@ -8,7 +8,7 @@ if they are growing rapidly so the changelog does not fit into core anymore.
 Core
 ====
 
-Core offers a changelog section in the area **System -> Firmware** as an own menu or the dialog will
+Core offers a changelog section in the area :menuselection:`System --> Firmware` as an own menu or the dialog will
 automatically open in case of an available update.
 
 To open a changelog manually, you can open the Changelog tab, and click the book:

source/manual/how-tos/cloud_backup.rst

@@ -65,11 +65,11 @@ First we need to have a project in the google developer console:
    doesn't really matter for this.
 -  Enable the Drive API
 
-   -  In the left menu APIs -> "Drive API" -> Enable
+   -  In the left menu :menuselection:`APIs --> "Drive API" --> Enable`
 
 -  Open the project and start to create an API key
 
-   -  In the left menu : APIs & auth -> Credentials
+   -  In the left menu: :menuselection:`APIs & auth --> Credentials`
    -  Click on the button "Create new Client ID"
    -  Choose "Service account", followed by "Create Client ID"
 
@@ -98,7 +98,7 @@ Next thing is to create a folder in Google Drive and share it to the
    :name: setup-the-account-in-opnsense
 
 Now we can put it all together, login to your OPNsense firewall and go
-to the backup feature. It is located at **System->Configuration->Backups**.
+to the backup feature. It is located at :menuselection:`System --> Configuration --> Backups`.
 
 .. image:: ./images/600px-Google_Drive_Backup_screenshot.png
   :width: 100%
@@ -145,7 +145,7 @@ Copy and store the generated password.
 
 .. image:: images/nextcloud_config.png
 
-Scroll to the Nextcloud Section in System -> Config -> Backup and enter the
+Scroll to the Nextcloud Section in :menuselection:`System --> Config --> Backup` and enter the
 following values:
 
 ================ ======================================================================

source/manual/how-tos/dnscrypt-proxy.rst

@@ -7,7 +7,7 @@ Installation
 ------------
 
 First of all, you have to install the dnscrypt-proxy plugin (os-dnscrypt-proxy) from the plugins view
-reachable via **System->Firmware->Plugins**.
+reachable via :menuselection:`System --> Firmware --> Plugins`.
 
 After a page reload you will get a new menu entry under **Services** for DNSCrypt-Proxy. 
 

source/manual/how-tos/edrop.rst

@@ -20,7 +20,7 @@ The lists for this example are located here:
 -------------------------------------
 Step 1 - Create an Alias for Spamhaus
 -------------------------------------
-Go to **Firewall->Aliases->All** and press the **Add a new alias** button in the
+Go to :menuselection:`Firewall --> Aliases --> All` and press the **Add a new alias** button in the
 top right corner of the form.
 
 Enter the following data:
@@ -60,7 +60,7 @@ Step 2 - Firewall Rules Inbound Traffic
 ---------------------------------------
 We will block incoming connections and outgoing connections for the drop and edrop lists.
 To do so we will start with inbound traffic on the WAN interface.
-Go to **Firewall->Rules** Select the **WAN** tab and press the **+** icon in the
+Go to :menuselection:`Firewall --> Rules` Select the **WAN** tab and press the **+** icon in the
 lower right corner.
 
 
@@ -97,7 +97,7 @@ Step 3 - Firewall Rules Outbound Traffic
 ----------------------------------------
 
 Now do the same for outbound traffic traffic on the LAN interface.
-Go to **Firewall->Rules** Select the **LAN** tab and press the **+** icon in the
+Go to :menuselection:`Firewall --> Rules` Select the **LAN** tab and press the **+** icon in the
 lower right corner.
 
 =================== ============== =============================================
@@ -131,7 +131,7 @@ lower right corner.
 Check pf Tables
 ---------------
 To list the IP addresses that are currently in the DROP and EDROP lists go to
-**Firewall->Diagnostics->pfTables** and select the list you want to see:
+:menuselection:`Firewall --> Diagnostics --> pfTables` and select the list you want to see:
 
 .. image:: images/spamhaus_pftable.png
     :width: 100%

source/manual/how-tos/guestnet.rst

@@ -54,7 +54,7 @@ with that and after finishing add/change the specifics to match the Hotel Guest
 Step 1 - Configure Interface
 ----------------------------
 For the Guest Network we will add a new interface.
-Go to **Interfaces->Assignments** And use the **+** to add a new interface.
+Go to :menuselection:`Interfaces --> Assignments` And use the **+** to add a new interface.
 Press **Save**. The new interface will be called **OPT1**, click on [OPT1] in the
 left menu to change its settings.
 
@@ -80,7 +80,7 @@ Press **Save** and then **Apply changes**.
 ------------------------------
 Step 2 - Configure DHCP Server
 ------------------------------
-Go to **Services->DHCPv4->[GUESTNET]**.
+Go to :menuselection:`Services --> DHCPv4 --> [GUESTNET]`.
 
 Fill in the following to setup the DHCP server for our guest net (leave everything
  else on its default setting):
@@ -98,7 +98,7 @@ Click **Save**.
 ---------------------------
 Step 3 - Add Firewall Rules
 ---------------------------
-Go to **Firewall->Rules** to add a new rule.
+Go to :menuselection:`Firewall --> Rules` to add a new rule.
 
 Now add the following rules (in order of prevalence):
 
@@ -196,7 +196,7 @@ Your rules should look similar to the screenshot below:
 ------------------------------
 Step 4 - Create Captive Portal
 ------------------------------
-Go to **Services->Captive Portal->Administration**
+Go to :menuselection:`Services --> Captive Portal --> Administration`
 
 To add a new Zone press the **+** in the lower right corner of the form.
 
@@ -322,7 +322,7 @@ Internet Access. This bandwidth will be shared evenly between connected clients.
       that would be 1 Mbps down stream (download). It is also possible to limit
       the traffic per user see also :doc:`shaper`
 
-Go to: **Firewall->Traffic Shaper->Settings**.
+Go to: :menuselection:`Firewall --> Traffic Shaper --> Settings`.
 
 Create a pipe for the Download by pressing the **+** in the lower right corner of
 the form and enter the following details:
@@ -408,7 +408,7 @@ This example will be for our "Royal Hotel".
 ---------------------------
 Step 8 - Add Voucher Server
 ---------------------------
-To add a Voucher Server go to: **System->Access->Servers** and click on
+To add a Voucher Server go to: :menuselection:`System --> Access --> Servers` and click on
 **Add server** in the top right corner of the screen.
 
 Fill in:
@@ -423,7 +423,7 @@ Click on **Save**.
 ------------------------
 Step 9 - Create Vouchers
 ------------------------
-Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**).
+Go back to the Captive portal and select Vouchers (:menuselection:`Services --> Captive Portal --> Vouchers`).
 Click on **Create Vouchers** in the lower right corner of the form.
 
 Let's create 1-day vouchers for our guests:
@@ -503,7 +503,7 @@ Now users will see the login form as part of your template:
 --------------
 Check Sessions
 --------------
-To check the active sessions go to **Services->Captive Portal->Sessions**
+To check the active sessions go to :menuselection:`Services --> Captive Portal --> Sessions`
 Our current session looks like this:
 
 .. image:: images/cp_active_sessions.png
@@ -520,7 +520,7 @@ You can drop an active session by clicking on the trashcan.
 Check Voucher Status
 --------------------
 You can check the validity and active status of a voucher by going to the voucher
-page of the captive portal (**Services->Captive Portal->Vouchers**) and select
+page of the captive portal (:menuselection:`Services --> Captive Portal --> Vouchers`) and select
 the correct database (Wi-Fi day pass in our example).
 
 .. image:: images/cp_active_vouchers.png

source/manual/how-tos/haproxy_howtos.rst

@@ -70,7 +70,7 @@ Execute function http-request auth"
 .. image:: images/haproxy_frontend_add_authentication.png
 
 
-* Go to "Settings" -> "Global Parameters", enable the advanced mode (top left), and add your users to configuration
+* Go to :menuselection:`Settings --> Global Parameters`, enable the advanced mode (top left), and add your users to configuration
   via the "Custom options"
 
 .. image:: images/haproxy_settings_global_params_auth.png

source/manual/how-tos/insight.rst

@@ -9,7 +9,7 @@ of Netflow data. To do so take a look at :doc:`netflow_exporter`.
 User Interface
 --------------
 Insight is a fully integrated part of OPNsense. Its User Interface is simple yet
-powerful. It can be accessed via **Reporting->Insight**.
+powerful. It can be accessed via :menuselection:`Reporting --> Insight`.
 
 .. image:: images/insight_gui.png
    :width: 100%

source/manual/how-tos/ips-feodo.rst

@@ -14,7 +14,7 @@ Prerequisites
 -------------
 * Always upgrade to latest release first.
   See :doc:`/manual/install` and/or upgrade to latest release:
-  **System->Firmware: Fetch updates**
+  :menuselection:`System --> Firmware --> Fetch updates`
 
 .. image:: images/firmware.png
     :width: 100%
@@ -42,8 +42,8 @@ Prerequisites
 --------------------------------------
 Setup Intrusion Detection & Prevention
 --------------------------------------
-To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled
+To enable IDS/IPS just go to :menuselection:`Services -> Intrusion Detection` and select
-& IPS mode**. Make sure you have selected the right interface for the intrusion
+**enabled & IPS mode**. Make sure you have selected the right interface for the intrusion
 detection system too run on. For our example we will use the WAN interface, as
 that will most likely be you connection with the public Internet.
 

source/manual/how-tos/ips-sslfingerprint.rst

@@ -10,7 +10,7 @@ Prerequisites
 -------------
 * Always upgrade to latest release first.
   See :doc:`/manual/install` and/or upgrade to latest release:
-  **System->Firmware: Fetch updates**
+  :menuselection:`System --> Firmware --> Fetch updates`.
 
 .. image:: images/firmware.png
     :width: 100%
@@ -29,7 +29,7 @@ Prerequisites
   After applying you need to reboot OPNsense otherwise offloading may not
   completely be disabled and IPS mode will not function.
 
-To start go to **Services->Intrusion Detection**
+To start go to :menuselection:`Services --> Intrusion Detection`
 
 |ids_menu|
 
@@ -91,10 +91,9 @@ And click **Save changes** |save|
 ---------------------------------------
 Enable Intrusion Detection & Prevention
 ---------------------------------------
-To enable IDS/IPS just go to Services->Intrusion Detection and select **enabled
+To enable IDS/IPS just go to :menuselection:`Services --> Intrusion Detection` and select **enabled & IPS mode**.
-& IPS mode**. Make sure you have selected the right interface for the intrusion
+Make sure you have selected the right interface for the intrusion detection system too run on. For our example
-detection system too run on. For our example we will use the WAN interface, as
+we will use the WAN interface, as that will most likely be you connection with the public Internet.
-that will most likely be you connection with the public Internet.
 
 ..  image:: images/idps.png
     :width: 100%

source/manual/how-tos/ipsec-road.rst

@@ -18,7 +18,7 @@ OPNsense and give you configuration examples for:
 
    For the sample we will use a private IP for our WAN connection.
    This requires us to disable the default block rule on wan to allow private traffic.
-   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   To do so, go to the :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
    *(Dont forget to save and apply)*
 
    .. image:: images/block_private_networks.png
@@ -95,7 +95,7 @@ interface.
 Step 1 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication methods.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example will use the following settings:
 
@@ -241,7 +241,7 @@ And Apply changes:
 
    If you already had IPsec enabled and added Road Warrior setup, it's important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongswan.
 
 ------------------------
@@ -249,7 +249,7 @@ Step 4 - Add IPsec Users
 ------------------------
 For this example we will create a new user who may access the mobile IPsec vpn.
 
-Go to **System->Access->Users** and press the **+** sign in the lower right corner
+Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner
 to add a new user.
 
 Enter the following into the form:
@@ -282,7 +282,7 @@ some screenshots. The configurations for Android and iOS will be settings only.
 Configure macOS Client
 ----------------------
 
-Start with opening your network settings (System Preferences -> Network) and
+Start with opening your network settings (:menuselection:`System Preferences --> Network)` and
 Add a new network by pressing the + in the lower left corner.
 
 Now select **VPN** and **Cisco IPSec**, give your connection a name and press **Create**.
@@ -312,7 +312,7 @@ Now test the connection by selecting it from the list and hit **Connect**.
 --------------------
 Configure iOS Client
 --------------------
-To add a VPN connection on an iOS device go to **Setting->General->VPN**.
+To add a VPN connection on an iOS device go to :menuselection:`Settings --> General --> VPN`.
 Select **Add VPN Configuration** chose **IPsec** and use the Following Settings:
 
 ========================== ======================= ========================================
@@ -326,9 +326,8 @@ Select **Add VPN Configuration** chose **IPsec** and use the Following Settings:
 ------------------------
 Configure Android Client
 ------------------------
-To add a VPN connection on an Android device go to **Settings -> Connections ->
+To add a VPN connection on an Android device go to :menuselection:`Settings --> Connections --> more networks`,
-more networks** , select **VPN**. Press the **+** in the top right corner to add
+select **VPN**. Press the **+** in the top right corner to add a new VPN connection.
-a new vpn connection.
 
 Use the Following Settings:
 

source/manual/how-tos/ipsec-rw-android.rst

@@ -23,7 +23,7 @@ the client certificate.
 Step 2 - Add VPN Connection
 ---------------------------
 
-Add a new VPN connection via **Settings->More->VPN**, enter a **Name** and choose the type you need.
+Add a new VPN connection via :menuselection:`Settings --> More --> VPN`, enter a **Name** and choose the type you need.
 Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
 CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
 or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.

source/manual/how-tos/ipsec-rw-srv-eapradius.rst

@@ -14,23 +14,23 @@ Step 1 - Create Certificates
 
 For EAP-RADIUS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. 
 
-Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
 choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
-matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
 the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
 of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
 This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
 
 If you already have a CA roll out a server certificate and import 
-the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 ---------------------
 Step 2 - Setup Radius
 ---------------------
 
 If you already have a local Radius server, add a new client with the IP address of your Firewall,
-set a shared secret, go to OPNsense UI to **System->Access->Servers** and add a new instance:
+set a shared secret, go to OPNsense UI to :menuselection:`System --> Access --> Servers` and add a new instance:
 
 ============================ ================ ====================================
  **Descriptive Name**         Name             *Give it a name*
@@ -46,7 +46,7 @@ When you do not have an own Radius instance just use the OPNsense plugin and fol
 Step 3 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication source.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example will use the following settings:
 
@@ -146,7 +146,7 @@ Phase 2 proposal (SA/Key Exchange)
 
    If you already had IPsec enabled and added Road Warrior setup, it is important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongSwan.
 
 ------------------------

source/manual/how-tos/ipsec-rw-srv-eaptls.rst

@@ -13,22 +13,22 @@ Step 1 - Create Certificates
 
 For EAP-TLS with IKEv2 you need to create a Root CA and a server certificate for your Firewall. 
 
-Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
 choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
-matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
 the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
 of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
 This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
 
 If you already have a CA roll out a server certificate and import 
-the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 -----------------------
 Step 2 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication source.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example we will use the following settings:
 
@@ -133,14 +133,14 @@ Phase 2 proposal (SA/Key Exchange)
 
    If you already had IPsec enabled and added Road Warrior setup, it's important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongSwan.
 
 ------------------------
 Step 4 - Add IPsec Users
 ------------------------
 
-Go to **System->Trust->Certificates** and create a new client certificate.
+Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
 Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
 the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
 certificate as PKCS12 and export it to your end user device.

source/manual/how-tos/ipsec-rw-srv-ikev1xauth.rst

@@ -27,22 +27,22 @@ Step 1 - Create Certificates (only for RSA variants)
 For Mutual RSA + XAuth and Hybrid RSA + XAuth you need to create a Root CA and a server certificate
 for your Firewall. 
 
-Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
 choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
-matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
 the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
 of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
 This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
 
 If you already have a CA roll out a server certificate and import 
-the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 -----------------------
 Step 2 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication source.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example will use the following settings:
 
@@ -144,14 +144,14 @@ Phase 2 proposal (SA/Key Exchange)
 
    If you already had IPsec enabled and added Road Warrior setup, it is important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongSwan.
 
 ------------------------
 Step 4 - Add IPsec Users
 ------------------------
 
-Go to **System->Access->Users** and press the **+** sign in the lower right corner
+Go to :menuselection:`System --> Access --> Users` and press the **+** sign in the lower right corner
 to add a new user.
 
 Enter the following into the form:
@@ -169,7 +169,7 @@ Step 5 - Add client certificate (for Mutual RSA)
 
 This step is only needed for Mutual RSA + XAuth!
 
-Go to **System->Trust->Certificates** and create a new client certificate.
+Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
 Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
 the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
 certificate as PKCS12 and export it to you enduser device.

source/manual/how-tos/ipsec-rw-srv-mschapv2.rst

@@ -15,22 +15,22 @@ Step 1 - Create Certificates
 For EAP-MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
 for your Firewall. 
 
-Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
 choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
-matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
 the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
 of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
 This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
 
 If you already have a CA roll out a server certificate and import 
-the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 -----------------------
 Step 2 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication source.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example will use the following settings:
 
@@ -130,14 +130,14 @@ Phase 2 proposal (SA/Key Exchange)
 
    If you already had IPsec enabled and added Road Warrior setup, it is important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongSwan.
 
 ------------------------
 Step 4 - Add IPsec Users
 ------------------------
 
-Go to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
+Go to :menuselection:`VPN --> IPsec --> Pre-Shared Keys` and press **Add**.
 
 Enter the following into the form:
 

source/manual/how-tos/ipsec-rw-srv-rsamschapv2.rst

@@ -15,22 +15,22 @@ Step 1 - Create Certificates
 For Mutual RSA + MSCHAPv2 with IKEv2 you need to create a Root CA and a server certificate
 for your Firewall. 
 
-Go to **System->Trust->Authorities** and click **Add**. Give it a **Descriptive Name** and as **Method**
+Go to :menuselection:`System --> Trust --> Authorities` and click **Add**. Give it a **Descriptive Name** and as **Method**
 choose **Create internal Certificate Authority**. Increase the **Lifetime** and fill in the fields 
-matching your local values. Now go to **System->Trust->Certificates** and create a new certificate for 
+matching your local values. Now go to :menuselection:`System --> Trust --> Certificates` and create a new certificate for
 the Firewall itself. Important is to change the **Type** to server. The Common Name can be the hostname
 of the Firewall and set as **Alternative Name** the FQDN your Firewall how it is known to the WAN side.
 This is most important as your VPN will drop when the FQDN does not match the ones of the certificate.
 
 If you already have a CA roll out a server certificate and import 
-the CA itself via **System->Trust->Authorities** and the certificate with the key in 
+the CA itself via :menuselection:`System --> Trust --> Authorities` and the certificate with the key in
-**System->Trust->Certificates**.
+:menuselection:`System --> Trust --> Certificates`.
 
 -----------------------
 Step 2 - Mobile Clients
 -----------------------
 First we will need to setup the mobile clients network and authentication source.
-Go to **VPN->IPsec->Mobile Clients**
+Go to :menuselection:`VPN --> IPsec --> Mobile Clients`
 
 For our example will use the following settings:
 
@@ -131,20 +131,20 @@ Phase 2 proposal (SA/Key Exchange)
 
    If you already had IPsec enabled and added Road Warrior setup, it is important to 
    restart the whole service via services widget in the upper right corner of IPSec pages
-   or via **System->Diagnostics->Services->Strongswan** since applying configuration only
+   or via :menuselection:`System --> Diagnostics --> Services --> Strongswan` since applying configuration only
    reloads it, but a restart also loads the required modules of strongSwan.
 
 ------------------------
 Step 4 - Add IPsec Users
 ------------------------
 
-Go to **System->Trust->Certificates** and create a new client certificate.
+Go to :menuselection:`System --> Trust --> Certificates` and create a new client certificate.
 Just click **Add**, choose your CA and probably increase the lifetime. Everything else besides
 the CN can be left default. Give a **Common Name** and **Save**. Download the newly created
 certificate as PKCS12 and export it to you enduser device.
 
 
-Switch to **VPN->IPsec->Pre-Shared Keys** and press **Add**.
+Switch to :menuselection:`VPN -> IPsec -> Pre-Shared Keys` and press **Add**.
 Enter the following into the form:
 
 ====================   ==========

source/manual/how-tos/ipsec-rw-w7.rst

@@ -9,15 +9,15 @@ We assume that you are familiar with adding a new VPN connection.
 
 The tests were done with Windows 7 and 10.
 
-All screenshot were taken from **Network and Sharing Center->Change adapter settings**.
+All screenshot were taken from :menuselection:`Network and Sharing Center --> Change adapter settings`.
 
 ---------------------------
 Step 1 - Install Certificte
 ---------------------------
 
 Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
-Hit the Windows Start button and type *mmc* in search box. Go to **File->Add/Remove Snap-In**.
+Hit the Windows Start button and type *mmc* in search box. Go to :menuselection:`File --> Add/Remove Snap-In`.
-Choose **Certificates->Add->Computer account**.
+Choose :menuselection:`Certificates --> Add --> Computer account`.
 Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
 **All taks** and import. Select the Root CA and install. 
 

source/manual/how-tos/ipsec-rw.rst

@@ -24,7 +24,7 @@ authentication methods e.g.
 
    For the sample we will use a private ip for our WAN connection.
    This requires us to disable the default block rule on WAN to allow private traffic.
-   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”.
    *(Don't forget to save and apply)*
 
    .. image:: images/block_private_networks.png
@@ -113,11 +113,11 @@ very error prone we will not cover it here.
    :header: "VPN Method", "Win7", "Win10", "Linux", "Mac OS X", "IOS", "Android", "OPNsense config"
    :widths: 40, 20, 20, 20, 20, 20, 20, 20
 
-   "IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv1 Hybrid RSA + XAuth","N","N","N","tbd","tbd","N",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
-   "IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv1 Mutual RSA + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
-   "IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-ikev1xauth`"
+   "IKEv1 Mutual PSK + XAuth","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-ikev1xauth`"
-   "IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
+   "IKEv2 EAP-TLS","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`"
-   "IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eaptls`"
+   "IKEv2 RSA local + EAP remote","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eaptls`"
-   "IKEv2 EAP-MSCHAPv2","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-mschapv2`"
+   "IKEv2 EAP-MSCHAPv2","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-mschapv2`"
-   "IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-rsamschapv2`"
+   "IKEv2 Mutual RSA + EAP-MSCHAPv2","N","N","N","tbd","tbd","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-rsamschapv2`"
-   "IKEv2 EAP-RADIUS","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-w7`","Y :doc:`how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`how-tos/ipsec-rw-android`",":doc:`how-tos/ipsec-rw-srv-eapradius`"
+   "IKEv2 EAP-RADIUS","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-w7`","Y :doc:`/manual/how-tos/ipsec-rw-linux`","Y","Y","Y :doc:`/manual/how-tos/ipsec-rw-android`",":doc:`/manual/how-tos/ipsec-rw-srv-eapradius`"

source/manual/how-tos/ipsec-s2s.rst

@@ -18,7 +18,7 @@ connection (you local network need to different than that of the remote network)
 
    For the sample we will use a private IP for our WAN connection.
    This requires us to disable the default block rule on wan to allow private traffic.
-   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck “Block private networks”.
    *(Dont forget to save and apply)*
 
    .. image:: images/block_private_networks.png
@@ -174,7 +174,7 @@ Full Network Diagram Including IPsec Tunnel
 Firewall Rules Site A & Site B (part 1)
 ---------------------------------------
 To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
-sites (under **Firewall->Rules->WAN**):
+sites (under :menuselection:`Firewall --> Rules --> WAN`):
 
 * Protocol ESP
 * UDP Traffic on Port 500 (ISAKMP)
@@ -190,7 +190,7 @@ sites (under **Firewall->Rules->WAN**):
 -----------------------
 Step 1 - Phase 1 Site A
 -----------------------
-(Under **VPN->IPsec->Tunnel Settings** Press **+**)
+(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**)
 We will use the following settings:
 
 General information
@@ -322,7 +322,7 @@ And Apply changes:
 -----------------------
 Step 3 - Phase 1 Site B
 -----------------------
-(Under **VPN->IPsec->Tunnel Settings** Press **+**)
+(Under :menuselection:`VPN --> IPsec --> Tunnel Settings` Press **+**)
 We will use the following settings:
 
 General information
@@ -455,7 +455,7 @@ Firewall Rules Site A & Site B (part 2)
 ---------------------------------------
 
 To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
-interface (under **Firewall->Rules->IPsec**).
+interface (under :menuselection:`Firewall --> Rules --> IPsec`).
 
 .. image:: images/ipsec_ipsec_lan_rule.png
     :width: 100%
@@ -465,7 +465,7 @@ IPsec Tunnel Ready
 ------------------
 
 The tunnel should now be up and routing the both networks.
-Go to **VPN->IPsec->Status Overview** to see current status.
+Go to :menuselection:`VPN --> IPsec --> Status Overview` to see current status.
 Press on the **(i)** to see the details of the phase 2 tunnel(s), like this:
 
 .. image:: images/ipsec_status.png

source/manual/how-tos/ipv6_dsl.rst

@@ -17,7 +17,7 @@ It's compatible and tested for but not limited to:
 Step 1 - General Settings
 -------------------------
 
-Go to **System->Settings->General->** and check that **Prefer IPv4 over IPv6** 
+Go to :menuselection:`System --> Settings --> General` and check that **Prefer IPv4 over IPv6**
 is not ticked. This value is default so just check if it has been touched.
 
 Also enable **Allow DNS server list to be overridden by DHCP/PPP on WAN** at the 
@@ -27,13 +27,13 @@ bottom, so you get the correct DNS servers if you just use IPv4 ones.
 Step 2 - Allow IPv6
 -------------------
 
-Next go to **Firewall->Settings->Advanced** and verfiy that **Allow IPv6** is enabled.
+Next go to :menuselection:`Firewall --> Settings --> Advanced` and verfiy that **Allow IPv6** is enabled.
 
 --------------------------------
 Step 3 - Interface Configuration
 --------------------------------
 
-In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in section
+In :menuselection:`Interfaces --> [WAN]` and set **IPv6 Configuration Type** to DHCPv6 and in section
 **DHCPv6 client configuration** at the bottom tick:
 
 - Request only an IPv6 prefix
@@ -42,7 +42,7 @@ In **Interfaces->WAN** and set **IPv6 Configuration Type** to DHCPv6 and in sect
 
 Set the prefix size to the one your provider delegates, mostly /56 or 64, sometimes /48.
 
-Then change to **Interfaces->LAN** and set **IPv6 Configuration Type** to **Track Interface**.
+Then change to :menuselection:`Interfaces --> [LAN]` and set **IPv6 Configuration Type** to **Track Interface**.
 At the bottom in section **Track IPv6 Interface** choose **IPv6 Interface** as WAN and for
 **IPv6 Prefix ID** a value of 0 is perfectly fine.
 

source/manual/how-tos/ipv6_tunnelbroker.rst

@@ -41,7 +41,7 @@ Step 1 - Add GIF tunnel
 -----------------------
 
 To configure OPNsense start with adding a new gif interface.
-Go to **Interfaces->Other Types->GIF** and click on **Add** in the upper tight corner
+Go to :menuselection:`Interfaces --> Other Types --> GIF` and click on **Add** in the upper tight corner
 of the form.
 
 Use the following settings and copy in the IPv4&6 addresses from your TunnelBroker's UI.
@@ -64,14 +64,14 @@ Step 2 - Configure the GIF tunnel as a new interface
 ----------------------------------------------------
 
 The newly created GIF tunnel must now be assigned as a new interface.
-Go to **Interfaces->Assignments**, select the GIF tunnel for **New interface**
+Go to :menuselection:`Interfaces --> Assignments`, select the GIF tunnel for **New interface**
 and click the **+** sign next to it.
 
-Then under **Interfaces->[OPTX]** check **Enable Interface** and change the
+Then under :menuselection:`Interfaces -> [OPTX]` check **Enable Interface** and change the
 description to e.g. TUNNELBROKER before hitting **Save**.
 
 The newly created interface must now be set as the default IPv6 gateway
-under **System->Gateways->Single** by editing the new gateway entry
+under :menuselection:`System --> Gateways --> Single` by editing the new gateway entry
 TUNNELBROKER_TUNNELV6 and checking **Default Gateway** before saving.
 
 -----------------------------
@@ -103,7 +103,7 @@ Step 5 - Configure DHCPv6 SLAAC
 -------------------------------
 
 We'll next configure OPNsense for Stateless Address Auto Configuration (SLAAC).
-We're going to set up the DHCPv6 service. Go to **Services->DHCPv6->Server**.
+We're going to set up the DHCPv6 service. Go to :menuselection:`Services --> DHCPv6 --> Server`.
 
 Simply choose a range for clients to use. Save your settings. Next go to the
 Router Advertisements sub tab on that same page. Set the **Router Advertisements**

source/manual/how-tos/lan_bridge.rst

@@ -20,7 +20,7 @@ It's a good idea to add the extra NIC interfaces ( OPTx ) during installation.
 
 **Step Two**
 -----------------
-Create the bridge itself. Select Interfaces->Other Types->Bridge and ADD a new bridge. Select
+Create the bridge itself. Select :menuselection:`Interfaces --> Other Types --> Bridge` and ADD a new bridge. Select
 from the member interfaces the unused interfaces you wish to add to the bridge, OPT2,OPT3 etc.
     
 .. image:: images/lan_bridge_1.png
@@ -37,7 +37,7 @@ Now Save the new bridge.
 
 **Step Three**
 -----------------
-Select Interfaces->Assignments and for the LAN interface, select the bridge previously created
+Select :menuselection:`Interfaces --> Assignments` and for the LAN interface, select the bridge previously created
 and Save.
 
 .. image:: images/lan_bridge_3.png
@@ -50,7 +50,7 @@ time for the interface to come back up, but keep refreshing the web interface un
 **Step Four**
 -----------------
 The Original LAN interface is now unassigned and will need to be re-assigned. Go to
-Interfaces->Assignments and in the New Interface box you will see the NIC itself ( igb*, em* ),
+:menuselection:`Interfaces --> Assignments` and in the New Interface box you will see the NIC itself ( igb*, em* ),
 select it and hit the '+' button to add an assignment, then click Save.
 
 .. image:: images/lan_bridge_5.png
@@ -58,7 +58,7 @@ select it and hit the '+' button to add an assignment, then click Save.
 
 **Step Five**
 -----------------
-Select Interfaces->Other Types->Bridge and add the interface created in Step Four to the bridge
+Select :menuselection:`Interfaces --> Other Types --> Bridge` and add the interface created in Step Four to the bridge
 and Save, remember to check the new interface and ensure it is enabled as in Step Two.
 
 .. image:: images/lan_bridge_4.png
@@ -67,7 +67,7 @@ and Save, remember to check the new interface and ensure it is enabled as in Ste
 **Step Six**
 -----------------    
 We now need to make two changes to the System Tunables to ensure that filtering is carried
-out on the bridge itself, and not on the member interfaces. Go to System->Settings->Tunables
+out on the bridge itself, and not on the member interfaces. Go to :menuselection:`System --> Settings --> Tunables`
 and select using the pen button net.link.bridge.pfil_member and set the value to 0.
 
 .. image:: images/lan_bridge_6.png
@@ -80,7 +80,7 @@ Select the tunable net.link.bridge.pfil_bridge and set the value to 1
 
 **Final**
 -----------------    
-Once complete, the Interface->Assignments should look similar to this:
+Once complete, the :menuselection:`Interface --> Assignments` page should look similar to this:
 
 .. image:: images/lan_bridge_8.png
 	:width: 100%

source/manual/how-tos/multiwan.rst

@@ -50,7 +50,7 @@ Step 1 - Add monitor IPs
 You may skip this step if you already have setup the monitoring IP and both gateways
 are shown as online.
 
-To add a monitoring IP go to **System->Gateways->Single** and click on the first pencil
+To add a monitoring IP go to :menuselection:`System --> Gateways --> Single` and click on the first pencil
 symbol to edit the first gateway.
 
 Now make sure the following is configured:
@@ -73,7 +73,7 @@ Now make sure the following is configured:
 
 Step 2 - Add Gateway Group
 --------------------------
-Go to **System->Gateways->Group** and press **+ Add Group** in the upper right
+Go to :menuselection:`System --> Gateways --> Group` and press **+ Add Group** in the upper right
 corner.
 
 Use the following settings:
@@ -100,7 +100,7 @@ Use the following settings:
 
 Step 3 - Configure DNS for each gateway
 ---------------------------------------
-Go to **System->Settings->General** and make sure each gateway has its own DNS
+Go to :menuselection:`System --> Settings --> General` and make sure each gateway has its own DNS
 setup: like this:
 
 DNS servers
@@ -112,7 +112,7 @@ DNS servers
 
 Step 4 - Policy based routing
 -----------------------------
-Go to **Firewall->Rules**
+Go to :menuselection:`Firewall --> Rules`
 
 For our example we will update the default LAN pass rule. Click on the pencil
 next to this rule (*Default allow LAN to any rule*).
@@ -155,7 +155,7 @@ Advanced Options
 ----------------
 For each gateway there are several advanced options you can use to change the
 default behavior/thresholds. These option can be changed under
-**System->Gateways->Single**, press the pencil icon next to the Gateway you want
+:menuselection:`System --> Gateways --> Single`, press the pencil icon next to the Gateway you want
 to update.
 
 The current options are:
@@ -190,7 +190,7 @@ lead to unexpected behavior. To solve this you can use the option **Sticky Conne
 this will make sure each subsequent request from the same user to the same website
 is send through the same gateway.
 
-To set this option can be set under **Firewall->Settings->Advanced**.
+To set this option can be set under :menuselection:`Firewall --> Settings --> Advanced`.
 
 Unequal Balancing (Weight)
 --------------------------
@@ -200,7 +200,7 @@ load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps th
 set the weight of the first one to 1 and the second one to 2. This way the second
 gateway will get twice as many traffic to handle than the first.
 
-To do so, go to **System->Gateways->Single** and press the pencil icon next to the
+To do so, go to :menuselection:`System --> Gateways --> Single` and press the pencil icon next to the
 Gateway you want to update. The weight is defined under the advanced section.
 
 ------------------------------

source/manual/how-tos/netflow_exporter.rst

@@ -4,7 +4,7 @@ Configure Netflow Exporter
 
 .. image:: images/netflow_exporter.png
 
-Configuring the Netflow Exporter is a simple task. Go to **Reporting->NetFlow**.
+Configuring the Netflow Exporter is a simple task. Go to :menuselection:`Reporting --> NetFlow`.
 
 Select all **Interfaces** you want to collect/export data from, usually one would
 select all available interfaces here.

source/manual/how-tos/nginx_ip_acl.rst

@@ -29,7 +29,7 @@ Configuration
 Create Users
 ------------
 
-Navigate to the "Accss -> IP ACL" tab.
+Navigate to the :menuselection:`Access --> IP ACL` tab.
 
 .. image:: images/nginx_ip_acl_01_list_view.png
 

source/manual/how-tos/nginx_tls_fingerprints.rst

@@ -88,7 +88,7 @@ shown in the following screenshot:
 Configuration Page
 ==================
 
-Now in the configuration page under HTTP -> TLS Fingerprints there will be an
+Now in the configuration page under :menuselection:`HTTP --> TLS Fingerprints` there will be an
 entry for the created fingerprint, so it can be edited:
 
 .. image:: images/nginx_fingerprint_settings.png

source/manual/how-tos/ntopng.rst

@@ -7,11 +7,11 @@ Installation
 ------------
 
 First of all, you have to install the ntopng plugin (os-ntopng) from the plugins view
-reachable via **System->Firmware->Plugins**.
+reachable via :menuselection:`System --> Firmware --> Plugins`.
 
 After a page reload you will get a new menu entry under **Services** for ntopng. If you
 don't have Redis plugin installed, you'll receive a warning in ntopng main menu. Please
-go back to **System->Firmware->Plugins**, install os-redis, change to **Services->Redis**
+go back to :menuselection:`System --> Firmware --> Plugins`, install os-redis, change to :menuselection:`Services --> Redis`
 and just enable the service. That's enough to run ntopng.
 
 ----------------

source/manual/how-tos/openconnect.rst

@@ -15,9 +15,9 @@ Palo Altos Global Protect will also be supported in future and of course the own
 Step 1 - Installation
 ---------------------
 
-Go to **System->Firmware->Plugins->** and search for **os-openconnect**. 
+Go to :menuselection:`System --> Firmware --> Plugins` and search for **os-openconnect**.
 Install the plugin as usual, refresh and page and the you'll find the client via
-**VPN->OpenConnect**.
+:menuselection:`VPN --> OpenConnect`.
 
 --------------
 Step 2 - Setup

source/manual/how-tos/orange_fr_fttp.rst

@@ -105,8 +105,8 @@ Click ‘Save’ and then ‘Apply’.
 -----------------
 
 
-Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track
+Select :menuselection:`Interfaces --> [LAN]` and set IPv4 to “Static IPv4” and IPv6 Configuration Type to
-Interface’
+“Track Interface”.
 
 .. image:: images/OF_image7.png
 	:width: 100%

source/manual/how-tos/pac.rst

@@ -35,7 +35,7 @@ Configuring PAC
 First Step: Creating Matches
 ----------------------------
 
-Go to 'Services' -> Proxy -> Configuration and open Match
+Go to :menuselection:`Services --> Proxy --> Configuration` and open Match
 
 .. image:: images/pac_menu_match.png
 
@@ -81,7 +81,7 @@ Host Pattern Wildcard for your internal domain
 Second Step: Create Proxy Servers
 ---------------------------------
 
-Now switch to PAC -> Proxies and add new proxy servers.
+Now switch to :menuselection:`PAC --> Proxies` and add new proxy servers.
 
 =========== ================================================================
 Name        Enter a name which will be shown at the rules view for selection
@@ -124,7 +124,7 @@ Third Step: Create Rules
 ------------------------
 
 Now as the matches and the proxies exist, rules can be built.
-For that, switching to PAC -> Rules is required.
+For that, switching to :menuselection:`PAC --> Rules` is required.
 
 Now the following rule needs to be created:
 
@@ -175,7 +175,7 @@ Variant 2: Manual Configuration
 .. Warning::
     When DNS is used, OPNsense must respond via HTTP on port 80.
 
-Open the page Services -> Unbound DNS -> Overrides and add a new host override
+Open the page :menuselection:`Services --> Unbound DNS --> Overrides` and add a new host override
 for the `wpad` host:
 
 .. image:: images/wpad_dns_unbound.png
@@ -211,14 +211,14 @@ created:
     http://wpad.example.com:80/wpad.dat
     
 .. Warning::
-    If you have **HTTP Redirect** enabled via **System->Settings->Administration**,
+    If you have **HTTP Redirect** enabled via :menuselection:`System --> Settings --> Administration`,
     make sure your browser accepts the certificate presented by OPNsense, as it won't
     download wpad.dat if the certificate is untrusted.
 
 Variant 2: Manual Configuration
 -------------------------------
 
-Open the page Services -> DHCP -> Server, select the correct interface and
+Open the page :menuselection:`Services --> DHCP --> Server`, select the correct interface and
 scroll down to the "Additional Options".
 
 Add this line and save:

source/manual/how-tos/proxyicapantivirus.rst

@@ -52,7 +52,7 @@ traffic to make sure the unencrypted ICAP traffic can't be tapped.
 
 Step 5 - Configure ICAP
 -----------------------
-To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings**
+To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings**
 for the **Forward Proxy** tab.
 
 Select enable ICAP and filling the Request and Response URLs.

source/manual/how-tos/proxyicapantivirusinternal.rst

@@ -44,7 +44,7 @@ Step 3 - Install and Configure the ClamAV and the C-ICAP plugins
 
 Step 4 - Configure ICAP
 -----------------------
-To configure ICAP go to **Services->Proxy->Administration** And select **ICAP Settings**
+To configure ICAP go to :menuselection:`Services --> Proxy --> Administration` and select **ICAP Settings**
 for the **Forward Proxy** tab.
 
 Select enable ICAP and filling the Request and Response URLs.

source/manual/how-tos/proxytransparent.rst

@@ -24,7 +24,7 @@ For basic configuration please refer to :doc:`cachingproxy`.
 
 Step 2 - Transparent HTTP
 --------------------------------
-Go to **Services->Proxy->Administration**
+Go to :menuselection:`Services --> Proxy --> Administration`
 
 Then select **General Forward Settings** under the **Forward Proxy Tab**.
 
@@ -61,7 +61,7 @@ The defaults should be alright, just press **Save** and **Apply Changes**.
 Step 4 - CA for Transparent SSL
 --------------------------------------
 Before we can setup transparent SSL/HTTPS proxy we need to create a Certificate
-Authority. Go to **System->Trust->Authorities** or use the search box to get there
+Authority. Go to :menuselection:`System --> Trust --> Authorities` or use the search box to get there
 fast.
 
 .. image:: images/search_ca.png
@@ -90,7 +90,7 @@ For our example we use the following data:
 
 Step 5 - Transparent SSL
 -------------------------------------
-Go to **Services->Proxy->Administration**
+Go to :menuselection:`Services --> Proxy --> Administration`
 Then select **General Forward Settings** under the **Forward Proxy Tab**.
 
 Select **Enable SSL mode** and set **CA to use** to the CA you have just created.
@@ -145,7 +145,7 @@ Step 8 - Configure OS/Browser
 -----------------------------
 Since the CA is not trusted by your browser, you will get a message about this
 for each page you visit. To solve this you can import the Key into your OS and
-set as trusted. To export the Key go to **System->Trust->Authorities** and click
+set as trusted. To export the Key go to :menuselection:`System --> Trust --> Authorities` and click
 on the icon to export the CA certificate. Of course one may choose to accept the
 certificate for each page manually, but for some pages that may not work well unless
 not bumped.

source/manual/how-tos/proxywebfilter.rst

@@ -28,7 +28,7 @@ For this tutorial we will assume:
 -------------------------------
 Step 1 - Disable Authentication
 -------------------------------
-To start go to **Services->Web Proxy->Administration**.
+To start go to :menuselection:`Services --> Web Proxy --> Administration`.
 
 Click on the arrow next to the **Forward Proxy** tab to show the drop down menu.
 Now select **Authentication Settings** and click on **Clear All** to disable user
@@ -87,7 +87,7 @@ of time as the first fetch as the adult alone section is ~15 MB.
 ---------------------
 Step 5 - Enable Proxy
 ---------------------
-To enable the proxy just go to **Services->Proxy Server->Administration** and
+To enable the proxy just go to :menuselection:`Services --> Proxy Server --> Administration` and
 check **Enable proxy** en click on **Apply**. The proxy will bind to LAN and port 3128.
 
 It may take a while for the proxy to start and the play icon on the top right corner
@@ -98,7 +98,7 @@ of the screen will turn red. Refresh the page to see if the proxy is done loadin
 Step 6 - Disable Proxy Bypass
 -----------------------------
 To make sure no-one can bypass the proxy you need to add a firewall rule.
-Go to **Firewall->Rules** and add the following to the top of the list rule on the
+Go to :menuselection:`Firewall --> Rules` and add the following to the top of the list rule on the
 LAN interface (if LAN is where your clients and proxy are on).
 
 ============================ =====================

source/manual/how-tos/serial_access.rst

@@ -27,7 +27,7 @@ Connecting to the serial console
 --------------------------------
 
 If you already installed OPNsense via a non-serial installer, serial access needs to be turned on. To do this, open
-the web interface, navigate to **System->Settings->Administration**, scroll down to 'Console' and set the primary or
+the web interface, navigate to :menuselection:`System --> Settings --> Administration`, scroll down to 'Console' and set the primary or
 secondary console to 'Serial console'. Note: this is **only** necessary if you already installed OPNsense, and did not
 use the serial installer to do so. In all other cases (accessing BIOS, running the serial installer, connecting to an
 installation that was done via serial), serial access is already available.

source/manual/how-tos/shaper.rst

@@ -55,7 +55,7 @@ has 10 Mbps Download and 1 Mbps Upload.
       }
     }
 
-To start go to **Firewall->Shaper->Settings**.
+To start go to :menuselection:`Firewall --> Shaper --> Settings`.
 
 Step 1 - Create Upload and Download Pipes
 -----------------------------------------
@@ -215,7 +215,7 @@ Upload that we want to share evenly between all users.
 
     }
 
-To start go to **Firewall->Traffic Shaper->Settings**.
+To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
 
 Step 1 - Create Upload and Download Pipes
 -----------------------------------------
@@ -344,7 +344,7 @@ users in such manner that each user will receive up to a maximum of 1 Mbps.
 
     }
 
-To start go to **Firewall->Traffic Shaper->Settings**.
+To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
 
 Step 1 - Create Upload and Download Pipes
 -----------------------------------------
@@ -420,7 +420,7 @@ for the upload traffic.
 | HTTPS (443)    |        |                   |
 +----------------+--------+-------------------+
 
-To start go to **Firewall->Traffic Shaper->Settings**.
+To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
 
 Step 1 - Create Download Pipe
 ------------------------------

source/manual/how-tos/sslvpn_client.rst

@@ -31,7 +31,7 @@ and give you configuration examples for:
 
    For the sample we will use a private IP for our WAN connection.
    This requires us to disable the default block rule on wan to allow private traffic.
-   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
    *(Dont forget to save and apply)*
 
    .. image:: images/block_private_networks.png
@@ -98,7 +98,7 @@ For completeness of this how-to we will also prepare a user.
 
 Configure TOTP server
 ---------------------
-To configure a Time based One Time Password server go to **System->Access->Servers**
+To configure a Time based One Time Password server go to :menuselection:`System --> Access --> Servers`
 and click **Add** in the top right corner of the form.
 
 .. TIP::
@@ -125,7 +125,7 @@ Add Certificate Authority
 -------------------------
 The VPN server needs a certificate authority to sign client or server certificates.
 
-To setup a new certificate authority go to **System->Trust->Authorities** and click
+To setup a new certificate authority go to :menuselection:`System --> Trust --> Authorities` and click
 **Add** in the top right corner of the form.
 
 For our example we will use the following setting:
@@ -149,7 +149,7 @@ Click **Save** to add the new Certificate Authority.
 Create a Certificate
 ---------------------
 After creating the Authority we will also need a certificate.
-To create a new certificate, go to **System->Trust->Certificates** and click
+To create a new certificate, go to :menuselection:`System --> Trust --> Certificates` and click
 **Add** in the upper right corner of the form.
 
 Fill in the form with (leave the rest default):
@@ -174,7 +174,7 @@ Click **Save** to create the certificate.
 
 Adding a User
 -------------
-To add a new user go to **System->Access->Users** and click **Add** in the top
+To add a new user go to :menuselection:`System --> Access --> Users` and click **Add** in the top
 right corner.
 
 Creating a user will be done in two steps, the first one is adding a basic user
@@ -220,7 +220,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding one that
 uses our two factor authentication. This setup offers a good protection and it is
 easy to setup on the clients as each client can use the same configuration.
 
-Go to **VPN->OpenVPN->Servers** and click **Add** in the top right corner
+Go to :menuselection:`VPN --> OpenVPN --> Servers` and click **Add** in the top right corner
 of the form.
 
 For our example will use the following settings:
@@ -313,7 +313,7 @@ macOS & Windows
 For macOS & Windows users we recommend using Viscosity from Sparklabs (https://www.sparklabs.com/viscosity/).
 Viscosity is very easy to setup and use and works well on both platforms.
 
-Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
+Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
 the list. Leave everything default and Download the **Viscosity Bundle** from the
 list of export options under **Client Install Packages**.
 
@@ -351,7 +351,7 @@ Android
 For Android users we recommend using OpenVPN for Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn)
 from Arne Schwabe.
 
-Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
+Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
 the list. Leave everything default and Download the inline **Android** configuration from the
 list of export options under **Client Install Packages**.
 
@@ -366,7 +366,7 @@ iOS
 For iOS users we recommend using OpenVPN Connect (https://itunes.apple.com/us/app/openvpn-connect/id590379981)
 from OpenVPN Technologies.
 
-Go to **VPN->OpenVPN->Client Export** and select the newly created VPN server from
+Go to :menuselection:`VPN --> OpenVPN --> Client Export` and select the newly created VPN server from
 the list. Leave everything default and Download the inline **OpenVPN Connect** configuration from the
 list of export options under **Client Install Packages**.
 
@@ -388,7 +388,7 @@ factors are:
 * Username/Password
 * Token (TOTP)
 
-Go to **VPN->OpenVPN->Servers** and click the pencil icon next to the server
+Go to :menuselection:`VPN --> OpenVPN --> Servers` and click the pencil icon next to the server
 we just created to change the 2FA to multi factor authentication.
 
 Now change **Server Mode** to *Remote Access (SSL/TLS + User Auth)* and leave

source/manual/how-tos/sslvpn_s2s.rst

@@ -19,7 +19,7 @@ network).
 
    For the sample we will use a private IP for our WAN connection.
    This requires us to disable the default block rule on WAN to allow private traffic.
-   To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
+   To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
    *(Don't forget to save and apply)*
 
    .. image:: images/block_private_networks.png
@@ -181,7 +181,7 @@ Adding a new SSL VPN server is relatively simple. We'll start by adding a server
 that uses a shared key. This setup offers a good protection and it is
 easy to setup.
 
-Go to **VPN->OpenVPN->Servers** and click on click **Add** in the top right corner
+Go to :menuselection:`VPN --> OpenVPN --> Servers` and click on click **Add** in the top right corner
 of the form.
 
 For our example will use the following settings (leave everything else on its default):
@@ -279,7 +279,7 @@ however you may decide just to allow traffic to one or more IPs.
 Step 4 - Site B Client
 ----------------------
 Now we will have to setup the client.
-Login to the second firewall, go to **VPN->OpenVPN->Clients** and click on
+Login to the second firewall, go to :menuselection:`VPN --> OpenVPN --> Clients` and click on
 **add client** in the upper right corner of the form.
 
 Now enter the following into the form (and leave everything else default):
@@ -306,7 +306,7 @@ Now enter the following into the form (and leave everything else default):
 
 Now click on **Save**  to apply your settings.
 
-The Connection Status can be viewed under **VPN->OpenVPN->Connection Status**
+The Connection Status can be viewed under :menuselection:`VPN --> OpenVPN --> Connection Status`
 
 .. image:: images/sslvpn_connection_status.png
    :width: 100%
@@ -314,7 +314,7 @@ The Connection Status can be viewed under **VPN->OpenVPN->Connection Status**
 ------------------------------
 Step 5 - Client Firewall Rules
 ------------------------------
-To allow traffic from the remote network just add a rule under **Firewall->Rules**
+To allow traffic from the remote network just add a rule under :menuselection:`Firewall --> Rules`
 OpenVPN tab.
 
 .. image:: images/sslvpn_firewall_rule_client.png

source/manual/how-tos/transparent_bridge.rst

@@ -60,7 +60,7 @@ Configuration in 10 easy steps
 ---------------------------------------
 
 To disable outbound NAT, go to
-**Firewall** -> **NAT** -> **Outbound**: Disable Outbound NAT rule generation
+:menuselection:`Firewall --> NAT --> Outbound` and select “Disable Outbound NAT rule generation”.
 
 |Filtering Bridge Step 1.png|
 
@@ -68,13 +68,13 @@ To disable outbound NAT, go to
 --------------------------
 
 Enable filtering bridge by changing **net.link.bridge.pfil\_bridge**
-from default to 1 in **System** -> **Settings** -> **System Tuneables**
+from default to 1 in :menuselection:`System --> Settings --> System Tuneables`.
 
 |Filtering Bridge Step 2.png|
 
 And disable filtering on member interfaces by changing
 **net.link.bridge.pfil\_member** from default to 0 in
-**System** -> **Settings** -> **System Tuneables**
+:menuselection:`System --> Settings --> System Tuneables`.
 
 |Filtering Bridge Step2a.png|
 
@@ -82,7 +82,7 @@ And disable filtering on member interfaces by changing
 --------------------
 
 Create a bridge of LAN and WAN, go to
-**Interfaces** -> **Other Types** -> **Bridge** :Add Select LAN and WAN.
+:menuselection:`Interfaces --> Other Types --> Bridge`. Add Select LAN and WAN.
 
 |Filtering Bridge Step 3a.png|
 
@@ -95,13 +95,13 @@ To be able to configure and manage the filtering bridge (OPNsense)
 afterwards, we will need to assign a new interface to the bridge and
 setup an IP address.
 
-Go to **Interfaces** -> **Assign** -> **Available network ports** , select
+Go to :menuselection:`Interfaces --> Assign --> Available network port`, select
 the bridge from the list and hit **+**.
 
 |Filtering Bridge Step 4.png|
 
 Now Add an IP address to the interface that you would like to use to
-manage the bridge. Go to **Interfaces** -> **OPT1** enable the interface
+manage the bridge. Go to :menuselection:`Interfaces --> [OPT1]`, enable the interface
 and fill-in the ip/netmask.
 
 5. Disable Block private networks & bogon
@@ -109,7 +109,7 @@ and fill-in the ip/netmask.
 
 For the WAN interface we nee to disable blocking of private networks & bogus IPs.
 
-Goto **Interfaces** -> **WAN** and unselect **Block private networks**
+Go to :menuselection:`Interfaces --> [WAN]` and unselect **Block private networks**
 and **Block bogon networks**.
 
 |Filtering Bridge Step 5.png|
@@ -117,7 +117,7 @@ and **Block bogon networks**.
 6. Disable the DHCP server on LAN
 ---------------------------------
 
-To disable the DCP server on LAN goto **Services** -> **DHCP Server** -> **LAN** and
+To disable the DHCP server on LAN go to :menuselection:`Services --> DHCPv4 --> [LAN]` and
 unselect enable.
 
 |Filtering Bridge Step 6.png|
@@ -133,7 +133,7 @@ This step is to ensure we have a full transparent bridge without any filtering
 taking place. You can setup the correct rules when you have confirmed the bridge
 to work properly.
 
-Goto **Firewall** -> **Rules** and add a rule per interface to allow all traffic
+Go to :menuselection:`Firewall --> Rules` and add a rule per interface to allow all traffic
 of any type.
 
 |Filtering Bridge Step 7.png|
@@ -146,14 +146,14 @@ ignored. So you can skip this step.
 As we now have setup allow rules for each interface we can safely remove
 the Anti Lockout rule on LAN
 
-Goto **Firewall** -> **Settings** -> **Admin Access** :Anti-lockout and select
+Go to :menuselection:`Firewall --> Settings --> Admin Access`: Anti-lockout and select
 this option to disable
 
 9. Set LAN and WAN interface type to 'none'
 -------------------------------------------
 
 Now remove the IP subnets in use for LAN and WAN by changing the
-interface type to none. Goto **Interfaces** -> **LAN** & **Interfaces** -> **WAN**
+interface type to none. Go to :menuselection:`Interfaces --> [LAN]` and :menuselection:`Interfaces --> [WAN]`
 to do so.
 
 |Filtering Bridge Step 9.png|

source/manual/how-tos/two_factor.rst

@@ -17,7 +17,7 @@ with this 2FA solution.
 --------------------------------------
 Step 1 - Add New Authentication Server
 --------------------------------------
-To add a TOTP server go to **System->Access-Servers** and press **Add server** in
+To add a TOTP server go to :menuselection:`System --> Access --> Servers` and press **Add server** in
 the top right corner. Then fill in the form as follows:
 
 ====================== =================================== ========================================
@@ -37,7 +37,7 @@ Install using the normal procedure for your device.
 ---------------------------
 Step 3 - Add or modify user
 ---------------------------
-For this example we will create a new user, go to **System->Access-Users** and click
+For this example we will create a new user, go to :menuselection:`System --> Access --> Users` and click
 on the plus sign in the lower right corner.
 
 Enter a **Username** and **Password** and fill in the other fields just as you would
@@ -106,7 +106,7 @@ Google Authenticator Android, iOS            https://www.google.com/landing/2ste
 Step 5 - Test the token
 -----------------------
 For testing the user authentication, OPNsense offers a simple tester.
-Go to **System->Access->Tester**
+Go to :menuselection:`System --> Access --> Tester`
 
 Select the Authentication server you have configured, and enter the user name.
 Then enter the ***token** + **password**, remember the order

source/manual/how-tos/user-ldap.rst

@@ -20,7 +20,7 @@ You OPNsense firewall need to be fully configured and able to access the LDAP se
 
 Step 1 - Add New LDAP server
 ----------------------------
-To add a new LDAP server as authentication source, go to **System->Access->Servers**
+To add a new LDAP server as authentication source, go to :menuselection:`System --> Access --> Servers`
 and click on **Add server** the top right corner, just above the form.
 
 Enter the following information:
@@ -66,7 +66,7 @@ Enter the following information:
 
 Step 2 - Test
 --------------
-To test if the server is configured correctly, go to **System->Access->Tester**
+To test if the server is configured correctly, go to :menuselection:`System --> Access --> Tester`
 and select your LDAP server and enter a valid username + password. Click on
 **Test** and if everything is setup correctly it will show:
 
@@ -84,7 +84,7 @@ If not (or your entered invalid credentials) it shows:
 Step 3 - Import Users
 ---------------------
 If you would like to give LDAP/Active Directory users access to the GUI, you need
-to import the users into the local user manager. Go to **System->Access->Users**
+to import the users into the local user manager. Go to :menuselection:`System --> Access --> Users`
 you will see a cloud import icon at the lower right corner of the form.
 
 .. image:: images/user_cloudimport.png
@@ -97,7 +97,7 @@ A new form will be show with the individual users, select the ones you like to i
 
 Step 4 - Update ldap user privileges
 ------------------------------------
-Now if you go to **System->Access->Users** you will see all users including the
+Now if you go to :menuselection:`System --> Access --> Users` you will see all users including the
 newly imported ldap users. You can create a specific group for these users to
 easily manage the privileges or use one of your earlier created groups.
 
@@ -116,7 +116,7 @@ Step 5 - Update system access settings
 Now we have configures, verified and imported the users from our LDAP server, we
 need to change the default settings to allow LDAP users to login.
 
-Go to **System->Access->Settings** and change the Authentication Server from
+Go to :menuselection:`System --> Access --> Settings` and change the Authentication Server from
 **Local Database** to your newly created **LDAP** server. Leave the fallback on
 **Local Database** and click on **Save and Test**.
 

source/manual/how-tos/user-local.rst

@@ -10,7 +10,7 @@ the privileges for granting access to certain parts of the GUI (Web Configurator
 
 Adding Users
 ------------
-To add a new user go to **System->Access->Users** and click on the **+** sign at
+To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at
 the bottom right corner of the form.
 
 ========================== =========== =========================================================
@@ -29,7 +29,7 @@ the bottom right corner of the form.
 
 Creating Groups
 ---------------
-Go to **System->Access->Groups** and click on the **+** sign in the lower right
+Go to :menuselection:`System --> Access --> Groups` and click on the **+** sign in the lower right
 corner of the form.
 
 Enter a **Group name** and a **Description** and add users to the group.
@@ -37,7 +37,7 @@ Enter a **Group name** and a **Description** and add users to the group.
 Add privileges to a group
 -------------------------
 After creating a group the privileges can be added by editing the group.
-Go to **System->Access-Groups** and click on the edit symbol (pencil) right next
+Go to :menuselection:`System --> Access --> Groups` and click on the edit symbol (pencil) right next
 to the group you like to change.
 
 To assign privileges, just click on the pencil icon on the right of **Assigned Privileges**.
@@ -58,7 +58,7 @@ User accounts can be used for logging in to the web frontend, as well as for log
 serial or SSH). The latter will only work if the user's shell is not set to ``/sbin/nologin`` and if group the user is
 part of is allowed SSH access.
 
-In order to access OPNsense via SSH, SSH access will need to be configured via **System->Settings->Administration**.
+In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`.
 Under the "Secure Shell" heading, the following options are available:
 
 ============================ ==========================================================================

source/manual/how-tos/user-radius.rst

@@ -2,7 +2,7 @@
 Configuring Radius
 ==================
 Configuring a Radius server for user authentication in services like vpn or captive portal
-is easy just go to **System->Access->Servers** and click on **Add server** in the top right corner.
+is easy just go to :menuselection:`System --> Access --> Servers` and click on **Add server** in the top right corner.
 
 Fill in the form:
 
@@ -16,6 +16,6 @@ Fill in the form:
 **Authentication Timeout**      5              *Timeout for Radius to respond on requests*
 ============================== =============== =========================================================
 
-Use the tester under **System->Access->Tester** to test the Radius server.
+Use the tester under :menuselection:`System --> Access --> Tester` to test the Radius server.
 
 If you want to use the FreeRADIUS plugin set up the server as 127.0.0.1 and don't forget to add a **Client** in the FreeRADIUS configuration.

source/manual/how-tos/wireguard-client-azire.rst

@@ -51,7 +51,7 @@ Step 3 - Assignments and Routing
 --------------------------------
 
 To let you internal clients go through the tunnel you have to add a NAT entry. Go to 
-**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual 
+:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual
 or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
 LAN network and set **Translation / target** to **interface address**.
 

source/manual/how-tos/wireguard-client-mullvad.rst

@@ -52,7 +52,7 @@ Step 2 - Assignments and Routing
 --------------------------------
 
 To let you internal clients go through the tunnel you have to add a NAT entry. Go to 
-**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual 
+:menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set to manual
 or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
 LAN network and set **Translation / target** to **interface address**.
 

source/manual/how-tos/wireguard-client.rst

@@ -18,10 +18,10 @@ WireGuard as a central server or just as a client.
 Step 1 - Installation
 ---------------------
 
-Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings** 
+Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings`
-the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search 
+the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search
 for **os-wireguard-devel**.  Install the plugin as usual, refresh and page and the you'll find the client 
-via **VPN->WireGuard**.
+via :menuselection:`VPN --> WireGuard`.
 
 --------------------------------
 Step 2a - Setup WireGuard Server
@@ -49,7 +49,7 @@ If you want to add more users just add them in **Endpoints** and link them via *
 Step 2b - Setup Firewall
 ------------------------
 
-On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your
+On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
 instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can 
 set granular rules on connection inside your tunnel.
 
@@ -61,10 +61,10 @@ Step 2c - Assignments and Routing
 
 With this setup your clients can reach your internal networks when they add it vial **Tunnel Address**.
 But what if you want to push all traffic via VPN in order to filter some streams out of it?
-Then we have to assign the interface via **Interface->Assignments**, choose our instance (e.g. instance
+Then we have to assign the interface via :menuselection:`Interface --> Assignments`, choose our instance (e.g. instance
 0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address.
 
-After this we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set
+After this we can go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set
 to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel
 Network you use and **Translation / target** set to WAN address.
 
@@ -73,7 +73,7 @@ Internet via your VPN.
 
 When assigning interfaces we can also add gateways to them. This would  offer you the chance to 
 balance traffic via different VPN providers or do more complex routing scenarios. 
-To do this, go to **System->Gateways->Single** and add a new gateway. Choose your WireGuard interface
+To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose your WireGuard interface
 and set the Gateway to **dynamic**.
 
 -------------------------------

source/manual/how-tos/wireguard-s2s.rst

@@ -20,10 +20,10 @@ and widely deployable. It is currently under heavy development.
 Step 1 - Installation
 ---------------------
 
-Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings** 
+Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings`
-the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search 
+the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search
 for **os-wireguard-devel**.  Install the plugin as usual, refresh and page and the you'll find the client 
-via **VPN->WireGuard**.
+via :menuselection:`VPN --> WireGuard`.
 
 ------------------------
 Step 2 - Setup WireGuard
@@ -50,7 +50,7 @@ Now we can **Enable** the VPN in tab **General** and go on with the setup.
 Step 3 - Setup Firewall
 -----------------------
 
-On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your
+On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
 instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can 
 set granular rules on connection inside your tunnel.
 

source/manual/install.rst

@@ -158,8 +158,8 @@ Depending on you hardware and use case different installation media are provided
   and re-writes. For embedded (nano) versions memory disks for /var and /tmp are
   applied by default to prolong CF (flash) card lifetimes.
 
-  To enable for non embedded versions: Enable **System⇒Settings⇒Miscellaneous⇒RAM** Disk
+  To enable for non embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
-  Settings; afterwards reboot. Consider to enable an external syslog server as well.
+  change the setting, then reboot. Consider to enable an external syslog server as well.
 
 ------------------------------
 Media Filename Composition
@@ -225,7 +225,7 @@ OpenSSL and LibreSSL
 
 OPNsense images are provided based upon `OpenSSL <https://www.openssl.org>`__.
 The `LibreSSL <http://www.libressl.org>`__ flavor can be selected from within
-the GUI ( System⇒Firmware⇒Settings ). In order to apply your choice an update
+the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update
 must be performed after save, which can include a reboot of the system.
 
 .. image:: ./images/firmware_flavour.png
@@ -422,7 +422,7 @@ Minimum installation actions
     In case of a minimum install setup (i.e. on CF cards), OPNsense can
     be run with all standard features, expect for the ones that require
     disk writes, e.g. a caching proxy like Squid. Do not create a swap
-    slice, but a RAM Disk instead. In the GUI enable **System⇒Settings⇒Miscellaneous⇒RAM Disk Settings**
+    slice, but a RAM Disk instead. In the GUI enable :menuselection:`System --> Settings --> Miscellaneous --> RAM Disk Settings`*
     and set the size to 100-128 MB or more, depending on your available RAM.
     Afterwards reboot.
 
@@ -468,7 +468,7 @@ The other method to upgrade the system is via console option **12) Upgrade from
 .. rubric:: GUI
    :name: gui
 
-An update can be done through the GUI via **System⇒Firmware⇒Updates**.
+An update can be done through the GUI via :menuselection:`System --> Firmware --> Updates`.
 
 .. image:: ./images/firmware-update.png
    :width: 100%

source/manual/logging.rst

@@ -10,14 +10,14 @@ with the settings of the component they belong to. The log files can be found he
 System 
 ------
 
-============================= ================================ =============================================================
+============================= =================================================== =============================================================
- **System Log**                **System->Log Files->General**   *Most of all system related events go here*
+ **System Log**                :menuselection:`System --> Log Files --> General`   *Most of all system related events go here*
- **Backend / config daemon**   **System->Log Files->Backend**   *Here you can find logs for config generation of API usage*
+ **Backend / config daemon**   :menuselection:`System --> Log Files --> Backend`   *Here you can find logs for config generation of API usage*
- **Web GUI**                   **System->Log Files->Web GUI**   *Lighttpd, the webserver of OPNsense itself, logs here*
+ **Web GUI**                   :menuselection:`System --> Log Files --> Web GUI`   *Lighttpd, the webserver of OPNsense itself, logs here*
- **Firmware**                  **System->Firmware->Log File**   *Updates from the packaging system go here*
+ **Firmware**                  :menuselection:`System --> Firmware --> Log File`   *Updates from the packaging system go here*
- **Gateways**                  **System->Gateways->Log File**   *Lists Dpinger gateway tracking related log messages*
+ **Gateways**                  :menuselection:`System --> Gateways --> Log File`   *Lists Dpinger gateway tracking related log messages*
- **Routing**                   **System->Routes->Log File**     *Routing changes or interface events*
+ **Routing**                   :menuselection:`System --> Routes --> Log File`     *Routing changes or interface events*
-============================= ================================ ============================================================= 
+============================= =================================================== =============================================================
 
 .. Note::
    Log files on file system:
@@ -32,10 +32,10 @@ System
 Interfaces 
 ----------
 
-==================== ========================================== ===================================================================
+==================== ============================================================== ===================================================================
- **Wireless**         **Interfaces->Wireless->Log File**         *When using wireless features of OPNsense you find the logs here*
+ **Wireless**         :menuselection:`Interfaces --> Wireless --> Log File`         *When using wireless features of OPNsense you find the logs here*
- **Point-to-Point**   **Interfaces->Point-to-Point->Log File**   *PPP dialup logs like PPPoE are found here*
+ **Point-to-Point**   :menuselection:`Interfaces --> Point-to-Point --> Log File`   *PPP dialup logs like PPPoE are found here*
-==================== ========================================== ===================================================================
+==================== ============================================================== ===================================================================
 
 .. Note::
    Log files on file system:
@@ -46,10 +46,10 @@ Interfaces
 Firewall 
 --------
 
-================ ===================================== =============================================================================
+================ ======================================================== =============================================================================
- **Live View**    **Firewall->Log Files->Live View**    *View firewall logs in realtime, smart filtering can be applied*
+ **Live View**    :menuselection:`Firewall --> Log Files --> Live View`    *View firewall logs in realtime, smart filtering can be applied*
- **Plain View**   **Firewall->Log Files->Plain View**   *Just the plain contents how **pf** logs into **filter.log** *
+ **Plain View**   :menuselection:`Firewall --> Log Files --> Plain View`   *Just the plain contents how **pf** logs into **filter.log** *
-================ ===================================== =============================================================================
+================ ======================================================== =============================================================================
 
 .. Note::
    Log files on file system:
@@ -59,10 +59,10 @@ Firewall
 VPN
 ---
 
-================= ============================ =====================================
+================= =============================================== =====================================
- **IPsec Log**     **VPN->IPsec->Log File**     *Everything around IPsec goes here*
+ **IPsec Log**     :menuselection:`VPN --> IPsec --> Log File`     *Everything around IPsec goes here*
- **OpenVPN Log**   **VPN->OpenVPN->Log File**   *OpenVPN logs everything here*
+ **OpenVPN Log**   :menuselection:`VPN --> OpenVPN --> Log File`   *OpenVPN logs everything here*
-================= ============================ =====================================
+================= =============================================== =====================================
 
 .. Note::
    Log files on file system:
@@ -73,16 +73,16 @@ VPN
 Services
 --------
 
-========================= ============================================= =============================================
+========================= ================================================================ =============================================
- **Captive Portal**        **Services->Captive Portal->Log File**        *Events from Captive Portal go here*
+ **Captive Portal**        :menuselection:`Services --> Captive Portal --> Log File`        *Events from Captive Portal go here*
- **DHCPv4**                **Services->DHCPv4->Log File**                *DHCP events get logged here*
+ **DHCPv4**                :menuselection:`Services --> DHCPv4 --> Log File`                *DHCP events get logged here*
- **Dnsmasq DNS**           **Services->Dnsmasq DNS->Log File**           *The DNSmasq Forwarder logs*
+ **Dnsmasq DNS**           :menuselection:`Services --> Dnsmasq DNS --> Log File`           *The DNSmasq Forwarder logs*
- **HAProxy**               **Services->HAProxy->Log File**               *The logs of the Reverse Proxy*
+ **HAProxy**               :menuselection:`Services --> HAProxy --> Log File`               *The logs of the Reverse Proxy*
- **Intrusion Detection**   **Services->Intrusion Detection->Log File**   *Suricata Logs are here*
+ **Intrusion Detection**   :menuselection:`Services --> Intrusion Detection --> Log File`   *Suricata Logs are here*
- **Network Time**          **Services->Network Time->Log File**          *NTP daemon logs*
+ **Network Time**          :menuselection:`Services --> Network Time --> Log File`          *NTP daemon logs*
- **Unbound DNS**           **Services->Unbound DNS->Log File**           *Unbound resolver logs can be found here*
+ **Unbound DNS**           :menuselection:`Services --> Unbound DNS --> Log File`           *Unbound resolver logs can be found here*
- **Web Proxy**             **Services->Web Proxy->Log File**             *Squid access.log, store.log and cache.log*
+ **Web Proxy**             :menuselection:`Services --> Web Proxy --> Log File`             *Squid access.log, store.log and cache.log*
-========================= ============================================= =============================================
+========================= ================================================================ =============================================
 
 .. Note::
    Log files on file system:
@@ -102,7 +102,7 @@ Circular Logs
 -------------
 
 Most of the core features log to circular log files so they will not grow bigger
-than a predefined size. You can tune this value via **System->Settings->Logging**.
+than a predefined size. You can tune this value via :menuselection:`System --> Settings --> Logging`.
 There, you can also disable the writing of logs to disk or reset them all.
 
 You can view the contents via CLI with:

source/manual/monit.rst

@@ -10,7 +10,7 @@ configuration options explained in more detail afterwards, along with some cavea
 Global setup
 ------------
 
-Navigate to **Services->Monit->Settings**. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes.
+Navigate to :menuselection:`Services --> Monit --> Settings`. On the “General Settings” tab, turn on Monit and fill in the details of your SMTP server. Save the changes.
 Then, navigate to the “Alert settings” and add one for your e-mail address. If your mail server requires the “From” field
 to be properly set, enter ``From: sender@example.com`` in the “Mail format” field. Save the alert and apply the changes.
 
@@ -85,7 +85,7 @@ Save and apply.
 Settings overview
 -----------------
 
-Navigate to **Services->Monit->Settings**. You will see four tabs, which we will describe in more detail below
+Navigate to :menuselection:`Services --> Monit --> Settings`. You will see four tabs, which we will describe in more detail below
 
 ^^^^^^^^^^^^^^^^
 General Settings
@@ -242,5 +242,5 @@ These include:
 Status
 ------
 
-The Monit status panel can be accessed via **Services->Monit->Status**. For every active service, it will show the status,
+The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status,
 along with extra information if the service provides it.

source/manual/netflow.rst

@@ -17,7 +17,7 @@ OPNsense offers full support for exporting Netflow data to external collectors a
 well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
 
 OPNsense is the only open source solution with a built-in Netflow analyzer integrated
-into its Graphical User Interface. It can be accessed via **Reporting->Netflow**.
+into its Graphical User Interface. It can be accessed via :menuselection:`Reporting --> Netflow`.
 
 ------------------
 Supported Versions

source/manual/nptv6.rst

@@ -6,7 +6,7 @@ Network Prefix Translation, shortened to NPTv6, is used to translate IPv6 addres
 is to translate global ("WAN") IPs to local ones. In this regard, it is similar to NAT, although NPTv6 can only be
 used to map addresses one-to-one, unlike NAT which typically translates one external IP to several internal ones.
 
-NPTv6 routes are listed at **Firewall->NAT->NPTv6**. New rules can be added by clicking **Add** in the upper right
+NPTv6 routes are listed at :menuselection:`Firewall --> NAT --> NPTv6`. New rules can be added by clicking **Add** in the upper right
 corner. A quick overview of the fields:
 
 ============================= =======================================================================================================================================================================

source/manual/systemhealth.rst

@@ -5,7 +5,7 @@ System Health & Round Robin Data
 .. image:: images/systemhealth_sample.png
     :width: 100%
 
-System Health is a dynamic view on RRD data gathered by the system. It can be accessed via **Reporting->Health**. It allows you
+System Health is a dynamic view on RRD data gathered by the system. It can be accessed via :menuselection:`Reporting --> Health`. It allows you
 to dive into different statistics that show the overall health and performance of
 the system over time.
 

source/manual/updates.rst

@@ -10,14 +10,14 @@ the fortnightly updates adding a third number (e.g. 19.1.3 for the third update
 Installing updates
 ------------------
 
-Updates can be installed from the web interface, by going to **System->Firmware->Updates**. On this page, you can click
+Updates can be installed from the web interface, by going to :menuselection:`System --> Firmware --> Updates`. On this page, you can click
 **Check for updates** to search for updates. If they are available, a button will appear to install them.
 
 ---------------
 Update settings
 ---------------
 
-By navigating to **System->Firmware->Settings**, you can influence the firmware update settings:
+By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
 
 * **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
 * **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL.

source/manual/users.rst

@@ -47,17 +47,17 @@ rights, called privileges.
 Authentication services
 ----------------------------------
 
-Authentication services can be configured using the settings in **System->Access->Servers**.
+Authentication services can be configured using the settings in :menuselection:`System --> Access --> Servers`.
 This includes both local accounts and remote authentication.
 
 By default, OPNsense GUI login will use local accounts. This can be changed, however,
-by going to **System->Settings->Administration**, scrolling down to the "Authentication" group,
+by going to :menuselection:`System --> Settings --> Administration`, scrolling down to the "Authentication" group,
 and changing the 'Server' option.
 
 Local account configuration
 ---------------------------
 
-Settings for handling login via local accounts can be set by going to **System->Access->Servers**,
+Settings for handling login via local accounts can be set by going to :menuselection:`System --> Access --> Servers`,
 then clicking the 'Edit' icon (a pencil) for 'Local Database'. Here, you can improve security of
 local user accounts by setting password length and complexity constraints.
 

source/manual/virtuals.rst

@@ -14,7 +14,7 @@ For optimum performance and compatibility, these guides are given:
 
 * Minimum required RAM is 1 GB
 * Minimum recommended virtual disk size of 8 GB
-* Disable all off-loading settings in **Interfaces->Settings**
+* Disable all off-loading settings in :menuselection:`Interfaces --> Settings`
 
 .. image:: images/disableoffloading.png
 
@@ -25,7 +25,7 @@ VMware ESXi
 VMware offers full instructions for installing FreeBSD, these can be found
 `here <http://partnerweb.vmware.com/GOSIG/FreeBSD_11x.html>`__.
 
-To install the VMware tools just goto **System->Firmware->Plugins** and install
+To install the VMware tools just goto :menuselection:`System --> Firmware --> Plugins` and install
 **os-vmware** by clicking on the **+** sign next to it.
 
 .. image:: images/os-vmware.png
@@ -39,7 +39,7 @@ To install the VMware tools just goto **System->Firmware->Plugins** and install
 
 Xen
 ---
-To install the Xen tools just goto **System->Firmware->Plugins** and install
+To install the Xen tools just goto :menuselection:`System --> Firmware --> Plugins` and install
 **os-xen** by clicking on the **+** sign next to it.
 
 .. image:: images/os-xen.png