Many typo fixes and some rewording (#80)
This commit is contained in:
parent
86a9787cf3
commit
020c7c74ec
4
LICENSE
4
LICENSE
|
@ -38,8 +38,8 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
|||
|
||||
https://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
# Logo's
|
||||
Logo's may be subject to additional copyrights, property
|
||||
# Logos
|
||||
Logos may be subject to additional copyrights, property
|
||||
rights, trademarks etc. and may require the consent of a third party or the
|
||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||
|
|
|
@ -22,7 +22,7 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
|||
|
||||
https://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
Logo's may be subject to additional copyrights, property
|
||||
Logos may be subject to additional copyrights, property
|
||||
rights, trademarks etc. and may require the consent of a third party or the
|
||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||
|
|
|
@ -7,7 +7,7 @@ Development Manual
|
|||
The OPNsense® project invites developers to start developing with OPNsense:
|
||||
"For your own purpose or even better to join us in creating the best FreeBSD
|
||||
based open source firewall available!" The development workflow & build process
|
||||
has been redesigned to make it more straightforward and easy for developers to
|
||||
have been redesigned to make it more straightforward and easy for developers to
|
||||
build OPNsense.
|
||||
|
||||
Being able to get the sources and build it yourself is one of the key factors of
|
||||
|
|
|
@ -81,7 +81,7 @@ first layer initializes Phalcon’s routing, which handles requests and
|
|||
delivers them to the controller based on its url. User content is
|
||||
generated using Volt templates, which are picked by the controller.
|
||||
Because Phalcon’s default Models function with (relational) databases
|
||||
and we are using xml data, our model implementation is custom. But
|
||||
and we are using XML data, our model implementation is custom. But
|
||||
wherever possible we use components from Phalcon (for example,
|
||||
validation is handled using Phalcon’s classes). For a detailed
|
||||
description on the routing principles used in OPNsense, visit Frontend
|
||||
|
@ -98,7 +98,7 @@ controllers, with the use of views, can be found at :doc:`/development/frontend/
|
|||
Models
|
||||
------
|
||||
|
||||
All models are defined by a combination of a class and an xml containing
|
||||
All models are defined by a combination of a class and an XML containing
|
||||
a (nested) definition. More information on defining models can be found
|
||||
at the frontend model page :doc:`/development/frontend/models`.
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ Using the system from php is rather simple:
|
|||
Usage in Volt templates
|
||||
-----------------------
|
||||
|
||||
The acl scheme is bound to the default UI controller, and can be used by
|
||||
The ACL scheme is bound to the default UI controller, and can be used by
|
||||
using the acl keyword:
|
||||
|
||||
.. code-block:: jinja
|
||||
|
|
|
@ -37,8 +37,8 @@ An example of how to create a menu, is given below:
|
|||
// test, print menu as structured named array
|
||||
print_r($menu->getItems("/testpage.php"));
|
||||
|
||||
The current version only implements a static menu defined by one xml file
|
||||
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional xml files
|
||||
The current version only implements a static menu defined by one XML file
|
||||
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional XML files
|
||||
is already supported in the component for future use.
|
||||
|
||||
--------
|
||||
|
|
|
@ -120,7 +120,7 @@ Not all modules contain additional code in the php class, sometimes all
|
|||
the standard behaviour is already sufficient for your
|
||||
modules/application.
|
||||
|
||||
Which is the model xml template, our skeleton starts with something like
|
||||
Which is the model XML template, our skeleton starts with something like
|
||||
this:
|
||||
|
||||
.. code-block:: xml
|
||||
|
@ -266,9 +266,9 @@ Adding Fields
|
|||
.. rubric:: Adding fields to your model
|
||||
:name: adding-fields-to-your-model
|
||||
|
||||
When building the skeleton, we have created an empty model (xml), which
|
||||
When building the skeleton, we have created an empty model (XML), which
|
||||
we are going to fill with some attributes now. The items section of the
|
||||
model xml should contain the structure you want to use for your
|
||||
model XML should contain the structure you want to use for your
|
||||
application, you can create trees to hold data in here. All leaves
|
||||
should contain a field type to identify and validate it’s content. The
|
||||
list of attributes for our application can be translated to this:
|
||||
|
@ -310,12 +310,12 @@ Enabled).
|
|||
Presentation XML
|
||||
----------------
|
||||
|
||||
.. rubric:: Create a presentation xml to feed your template
|
||||
.. rubric:: Create a presentation XML to feed your template
|
||||
:name: create-a-presentation-xml-to-feed-your-template
|
||||
|
||||
Because creating forms is one of the key assets of the system, we have
|
||||
build some easy to use wrappers to guide you through the process. First
|
||||
we create an xml file for the presentation, which defines fields to use
|
||||
we create an XML file for the presentation, which defines fields to use
|
||||
and adds some information for your template to render. Create a file in
|
||||
your controller directory using the sub directory forms and name it
|
||||
general.xml. Next copy in the following content:
|
||||
|
@ -392,7 +392,7 @@ Create API calls
|
|||
:name: create-api-calls-to-retrieve-and-store-data
|
||||
|
||||
The framework provides some helpful utilities to get and set data from
|
||||
and to the configuration xml by using your defined model. First step in
|
||||
and to the configuration XML by using your defined model. First step in
|
||||
binding your model to the system is to add a method to the
|
||||
SettingsController to fetch the data from our configuration (or provide
|
||||
the defaults if there is no content).
|
||||
|
@ -530,7 +530,7 @@ Let’s give it a try and save our data, without modifying it first.
|
|||
|
||||
Next correct the errors and save again, on successful save the data
|
||||
should be stored in the config.xml. If you want to change validation
|
||||
messages, just edit the model xml and add your message in the
|
||||
messages, just edit the model XML and add your message in the
|
||||
ValidationMessage tag. For example:
|
||||
|
||||
.. code-block:: xml
|
||||
|
@ -848,15 +848,15 @@ automatically picks up this new information.
|
|||
Plugin to access control (ACL)
|
||||
------------------------------
|
||||
|
||||
If we want to authorize users to access this module, we can add an acl
|
||||
If we want to authorize users to access this module, we can add an ACL
|
||||
to this module. Without it, only admin users can access it. Create an
|
||||
xml file in the model directory name ACL/ACL.xml and place the following
|
||||
XML file in the model directory name ACL/ACL.xml and place the following
|
||||
content in it:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<acl>
|
||||
<!-- unique acl key, must be globally unique for all acl's -->
|
||||
<!-- unique acl key, must be globally unique for all ACLs -->
|
||||
<page-user-helloworld>
|
||||
<name>WebCfg - Users: Hello World! </name>
|
||||
<description>Allow access to the Hello World! module</description>
|
||||
|
@ -867,7 +867,7 @@ content in it:
|
|||
</page-user-helloworld>
|
||||
</acl>
|
||||
|
||||
This creates an acl key named “page-user-helloworld” which authorizes
|
||||
This creates an ACL key named “page-user-helloworld” which authorizes
|
||||
access to both the ui and API urls of this application. You can now
|
||||
grant access to this module from the system user manager.
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ Creating Models
|
|||
|
||||
A model represents the data which the application will use and takes
|
||||
care of the interaction to that data. In OPNsense most of the relevant
|
||||
data is physically stored in an xml structure (config.xml). The primary
|
||||
data is physically stored in an XML structure (config.xml). The primary
|
||||
goal for OPNsense models is to structure the use of configuration data,
|
||||
by creating a clear abstraction layer.
|
||||
|
||||
|
@ -44,7 +44,7 @@ When you design a model, the next thing to do is to figure out what data is
|
|||
relevant for your application or module and think of the rules it should comply
|
||||
to (for example, if you need an email address you might want to validate the
|
||||
input). Designing the actual model is as simple as creating an xml file and
|
||||
putting in your structure, the name of our xml file should be the same as the
|
||||
putting in your structure, the name of our XML file should be the same as the
|
||||
base name of our model suffixed by .xml.
|
||||
|
||||
Using the same model, we would create the following file:
|
||||
|
@ -91,7 +91,7 @@ Now let's explain what's happing here one tag at a time.
|
|||
The content of a items tag describes the full tree based structure which holds
|
||||
our data, in theory this could be as large as you want it to be, but keep in
|
||||
mind that the content for your model should be logical and understandable. Every
|
||||
node in the tree could have a type, which defines it's behavior, nodes without a
|
||||
node in the tree could have a type, which defines its behavior, nodes without a
|
||||
type are just containers.
|
||||
|
||||
From top to bottom we find the following nodes in our tree:
|
||||
|
|
|
@ -78,7 +78,7 @@ implementation is one example of this stage.
|
|||
|
||||
**3)** Moving on
|
||||
(re)build new parts, using our new modules, which provide a layered development
|
||||
system to automatically support API calls from other systems and xml based model
|
||||
system to automatically support API calls from other systems and XML based model
|
||||
templates to describe configuration data.
|
||||
|
||||
*See also:*
|
||||
|
|
|
@ -41,7 +41,7 @@ Code sample (python)
|
|||
--------------------
|
||||
|
||||
For the python code sample we use the nice "requests" library
|
||||
(http://docs.python-requests.org/en/latest/), which makes http calls
|
||||
(http://docs.python-requests.org/en/latest/), which makes HTTP calls
|
||||
very easy.
|
||||
|
||||
Before you can start, make sure your OPNsense has a valid SSL
|
||||
|
@ -102,7 +102,7 @@ Using curl
|
|||
----------
|
||||
|
||||
Simple testing with curl is also possible, the sample below uses the
|
||||
same credentials, but ignores the ssl certificate check (-k) for
|
||||
same credentials, but ignores the SSL certificate check (-k) for
|
||||
testing.
|
||||
|
||||
.. code-block:: sh
|
||||
|
|
|
@ -102,4 +102,4 @@ OPNsense Core Features
|
|||
- Stateful inspection firewall
|
||||
- Granular control over state table
|
||||
- 802.1Q VLAN support
|
||||
- and more..
|
||||
- and more…
|
||||
|
|
|
@ -108,9 +108,9 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
|||
https://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
-----------------
|
||||
Logo's Copyright
|
||||
Logos Copyright
|
||||
-----------------
|
||||
Logo's may be subject to additional copyrights, property
|
||||
Logos may be subject to additional copyrights, property
|
||||
rights, trademarks etc. and may require the consent of a third party or the
|
||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||
|
|
|
@ -20,7 +20,7 @@ OPNsense offers the following alias types:
|
|||
+------------+------------------------------------------------------+
|
||||
| Ports | Port numbers or a port range like 20:30 |
|
||||
+------------+------------------------------------------------------+
|
||||
| URL Tables | A table of ip addresses that can be fetched |
|
||||
| URL Tables | A table of IP addresses that can be fetched |
|
||||
+------------+------------------------------------------------------+
|
||||
| GeoIP | Select countries or whole regions |
|
||||
+------------+------------------------------------------------------+
|
||||
|
@ -44,7 +44,7 @@ Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube t
|
|||
.. image:: images/pftable_youtube.png
|
||||
:width: 100%
|
||||
|
||||
As you can see there are multiple ip addresses for this domain.
|
||||
As you can see there are multiple IP addresses for this domain.
|
||||
|
||||
--------
|
||||
Networks
|
||||
|
@ -64,7 +64,7 @@ section.
|
|||
----------
|
||||
URL Tables
|
||||
----------
|
||||
URL tables can be used to fetch a list of ip addresses from a remote server.
|
||||
URL tables can be used to fetch a list of IP addresses from a remote server.
|
||||
There are several IP lists available for free, most notably are the "Don't Route
|
||||
Or Peer" lists from Spamhaus.
|
||||
|
||||
|
@ -152,7 +152,7 @@ Then concatenate both by defining a new list:
|
|||
|
||||
* servers { critical_servers , other_servers}.
|
||||
|
||||
The end result will be a list with all ip addresses in one alias list (servers).
|
||||
The end result will be a list with all IP addresses in one alias list (servers).
|
||||
|
||||
------------------------------
|
||||
Configure DROP and EDROP lists
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
.. image:: images/eye_on_virus_new.jpg
|
||||
:width: 100%
|
||||
|
||||
**OPNsense** offers the industry standard ICAP to protect http and https
|
||||
**OPNsense** offers the industry standard ICAP to protect HTTP and HTTPS
|
||||
connections against ransomware, trojans, viruses and other malware .
|
||||
|
||||
OPNsense offers a ClamAV plugin, which can be used with the C-ICAP plugin or relies on third
|
||||
|
|
|
@ -70,7 +70,7 @@ Bandwidth Management
|
|||
The Built-in traffic shaper can be utilized to:
|
||||
|
||||
* Share bandwidth evenly
|
||||
* Give priority to protocols port numbers and/or ip addresses
|
||||
* Give priority to protocols port numbers and/or IP addresses
|
||||
|
||||
See also: :doc:`/manual/shaping`
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ Setup for Sky UK ISP
|
|||
|
||||
**Introduction**
|
||||
-----------------
|
||||
This doc covers the setup of Opnsense on a Sky UK VDSL connection.
|
||||
This doc covers the setup of OPNsense on a Sky UK VDSL connection.
|
||||
|
||||
Sky uses a simple IPoE connection, all that is required is a suitable modem
|
||||
in bridge mode. If using a standard OpenReach modem then no setting is required
|
||||
|
@ -67,7 +67,7 @@ requirement for Sky .
|
|||
|
||||
The only other requirement in this section is to select ‘Prevent Release'.
|
||||
This is there as the Sky DHCPv6 servers use a 'sticky' address. If the
|
||||
Opnsense dhcp6 client sends a release signal to the server it's more than
|
||||
OPNsense dhcp6 client sends a release signal to the server it's more than
|
||||
likely that the allocated prefix will change, thus this setting, along with
|
||||
the 'DHCP Unique Identifier' setting will attempt to mitigate this risk.
|
||||
|
||||
|
@ -76,7 +76,7 @@ Once these settings have been entered, click on 'Save' then 'Apply'.
|
|||
**DHCP Unique Identifier**
|
||||
--------------------------
|
||||
|
||||
Although Opnsense stores the IPv6 DUID it is possible this can be lost, this
|
||||
Although OPNsense stores the IPv6 DUID it is possible this can be lost, this
|
||||
again would probably result in a new prefix being given, therefore an option
|
||||
to enter and store a DUID is given in the Interface:Settings menu.
|
||||
|
||||
|
|
|
@ -82,7 +82,7 @@ interfaces in the **FTP proxy interfaces** field and **Apply**.
|
|||
-------------------
|
||||
Access Control List
|
||||
-------------------
|
||||
You can setup ACL's by clicking on the arrow next to **Forward Proxy** and select
|
||||
You can setup ACLs by clicking on the arrow next to **Forward Proxy** and select
|
||||
**Access Control List**. Here you can:
|
||||
|
||||
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
|
||||
|
@ -156,7 +156,7 @@ LAN interface (if LAN is where your clients and proxy are on).
|
|||
**Source** LAN net
|
||||
**Destination Port Range** HTTP
|
||||
**Category** Block Proxy Bypass
|
||||
**Description** Block http bypass
|
||||
**Description** Block HTTP bypass
|
||||
============================ =====================
|
||||
|
||||
**Save**
|
||||
|
@ -170,7 +170,7 @@ And one more rule to block HTTPS access:
|
|||
**Source** LAN net
|
||||
**Destination Port Range** HTTPS
|
||||
**Category** Block Proxy Bypass
|
||||
**Description** Block https bypass
|
||||
**Description** Block HTTPS bypass
|
||||
============================ =====================
|
||||
|
||||
**Save** & **Apply changes**
|
||||
|
|
|
@ -18,12 +18,12 @@ route our traffic to the internet.
|
|||
:width: 100%
|
||||
|
||||
When using CARP ( `FreeBSD handbook on CARP <https://www.freebsd.org/doc/handbook/carp.html>`__ ), all
|
||||
fail-safe interfaces should have a dedicated ip address which will be
|
||||
combined with one shared virtual ip address to communicate to both
|
||||
fail-safe interfaces should have a dedicated IP address which will be
|
||||
combined with one shared virtual IP address to communicate to both
|
||||
networks. In the picture above the dashed lines are used to mark the
|
||||
virtual addresses.
|
||||
|
||||
The configuration file (xml) for both firewalls can be downloaded from
|
||||
The configuration file (XML) for both firewalls can be downloaded from
|
||||
the wiki.
|
||||
|
||||
-----------
|
||||
|
@ -37,7 +37,7 @@ we will explain briefly first:
|
|||
:name: carp
|
||||
|
||||
Common Address Redundancy Protocol uses IP protocol 112, is derived from
|
||||
OpenBSD and uses multicast packets to signal it's neighbours about it's
|
||||
OpenBSD and uses multicast packets to signal its neighbours about its
|
||||
status. Always make sure that each interface can receive carp packets.
|
||||
Every virtual interface must have a unique Virtual Host ID (vhid), which
|
||||
is shared across the physical machines. To determine which physical
|
||||
|
@ -100,7 +100,7 @@ pfSync protocol.
|
|||
.. rubric:: Backup
|
||||
:name: backup
|
||||
|
||||
The backup server needs it's own dedicated addresses, we will use these:
|
||||
The backup server needs its own dedicated addresses, we will use these:
|
||||
|
||||
+----------+-------------------+
|
||||
| LAN | 192.168.1.20/24 |
|
||||
|
@ -180,7 +180,7 @@ consider. All clients should use the virtual address in stead of the
|
|||
physical address it's normally propagating. Next thing to consider is
|
||||
there will be two servers active at the same time, which should know of
|
||||
each others pools. If dns requests are also forwarded by OPNsense, make
|
||||
sure the dhcp server sends the right ip address. These are settings used
|
||||
sure the dhcp server sends the right IP address. These are settings used
|
||||
in our example (on the master server):
|
||||
|
||||
+--------------------+----------------+
|
||||
|
@ -197,7 +197,7 @@ Setup HA sync (xmlrpc) and pfSync
|
|||
|
||||
First we should enable pfSync using our dedicated interface using the
|
||||
master firewall. Go to System -> High Availability, enable pfsync and
|
||||
select the interface used for pfSync. Next setup the peer ip to the
|
||||
select the interface used for pfSync. Next setup the peer IP to the
|
||||
other hosts address (10.0.0.2).
|
||||
|
||||
Now we need to configure the settings we want to duplicating to the
|
||||
|
|
|
@ -130,7 +130,7 @@ lower right corner.
|
|||
---------------
|
||||
Check pf Tables
|
||||
---------------
|
||||
To list the ip addresses that are currently in the DROP and EDROP lists go to
|
||||
To list the IP addresses that are currently in the DROP and EDROP lists go to
|
||||
**Firewall->Diagnostics->pfTables** and select the list you want to see:
|
||||
|
||||
.. image:: images/spamhaus_pftable.png
|
||||
|
|
|
@ -83,8 +83,8 @@ Clicking on a piece of the pie will open a detailed view for further analysis.
|
|||
IP Addresses Pie Chart
|
||||
----------------------
|
||||
The IP addresses pie chart works the same as the ports pie chart and shows the
|
||||
percentage per ip number. One can change the view by clicking or double clicking
|
||||
on one of the shown ip numbers.
|
||||
percentage per IP number. One can change the view by clicking or double clicking
|
||||
on one of the shown IP numbers.
|
||||
|
||||
Clicking on a piece of the pie will open a detailed view for further analysis.
|
||||
|
||||
|
@ -106,7 +106,7 @@ When opening the details view by clicking on the tab one can make a new query.
|
|||
:width: 100%
|
||||
|
||||
After selecting a valid date range (form/to) and interface one can further limit
|
||||
the output by filtering on port or ip address. Select the refresh icon to update
|
||||
the output by filtering on port or IP address. Select the refresh icon to update
|
||||
the detailed output. Leave Port and Address empty for a full detailed listing.
|
||||
|
||||
.. image:: images/insight_full_details.png
|
||||
|
|
|
@ -29,7 +29,7 @@ Choose an instance type
|
|||
---------------------------------
|
||||
Step 3 - Configure security group
|
||||
---------------------------------
|
||||
To configure security group, make sure you allow https access from your own network.
|
||||
To configure security group, make sure you allow HTTPS access from your own network.
|
||||
|
||||
.. image:: images/aws_configure_security_group.png
|
||||
:width: 100%
|
||||
|
|
|
@ -16,7 +16,7 @@ OPNsense and give you configuration examples for:
|
|||
|
||||
.. Note::
|
||||
|
||||
For the sample we will use a private ip for our WAN connection.
|
||||
For the sample we will use a private IP for our WAN connection.
|
||||
This requires us to disable the default block rule on wan to allow private traffic.
|
||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||
*(Dont forget to save and apply)*
|
||||
|
|
|
@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
|
|||
|
||||
.. Note::
|
||||
|
||||
For the sample we will use a private ip for our WAN connection.
|
||||
For the sample we will use a private IP for our WAN connection.
|
||||
This requires us to disable the default block rule on wan to allow private traffic.
|
||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||
*(Dont forget to save and apply)*
|
||||
|
@ -170,11 +170,11 @@ Full Network Diagram Including IPsec Tunnel
|
|||
|
||||
}
|
||||
|
||||
------------------------------
|
||||
Firewall Rules Site A & Site B
|
||||
------------------------------
|
||||
---------------------------------------
|
||||
Firewall Rules Site A & Site B (part 1)
|
||||
---------------------------------------
|
||||
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
|
||||
sites:
|
||||
sites (under **Firewall->Rules->WAN**):
|
||||
|
||||
* Protocol ESP
|
||||
* UDP Traffic on Port 500 (ISAKMP)
|
||||
|
@ -185,13 +185,7 @@ sites:
|
|||
|
||||
.. Note::
|
||||
|
||||
You can further limit the traffic by the source ip of the remote host.
|
||||
|
||||
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
|
||||
interface.
|
||||
|
||||
.. image:: images/ipsec_ipsec_lan_rule.png
|
||||
:width: 100%
|
||||
You can further limit the traffic by the source IP of the remote host.
|
||||
|
||||
-----------------------
|
||||
Step 1 - Phase 1 Site A
|
||||
|
@ -206,7 +200,7 @@ General information
|
|||
**Key Exchange version** V2
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense*
|
||||
**Remote gateway** 172.10.2.1 *the public IP address of your remote OPNsense*
|
||||
**Description** Site B *freely chosen description*
|
||||
========================= ============= ================================================
|
||||
|
||||
|
@ -320,7 +314,8 @@ And Apply changes:
|
|||
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
||||
:width: 100%
|
||||
|
||||
**You are done configuring Site A.**
|
||||
**You are almost done configuring Site A (only some firewall settings remain, which we'll address later).**
|
||||
**We will now proceed setting up Site B**
|
||||
|
||||
-----------------------------
|
||||
|
||||
|
@ -337,7 +332,7 @@ General information
|
|||
**Key Exchange version** V2
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense*
|
||||
**Remote gateway** 172.10.1.1 *the public IP address of your remote OPNsense*
|
||||
**Description** Site A *freely chosen description*
|
||||
========================= ============= ================================================
|
||||
|
||||
|
@ -455,8 +450,15 @@ And Apply changes:
|
|||
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
||||
:width: 100%
|
||||
|
||||
**You are done configuring Site B.**
|
||||
---------------------------------------
|
||||
Firewall Rules Site A & Site B (part 2)
|
||||
---------------------------------------
|
||||
|
||||
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
|
||||
interface (under **Firewall->Rules->IPsec**).
|
||||
|
||||
.. image:: images/ipsec_ipsec_lan_rule.png
|
||||
:width: 100%
|
||||
|
||||
------------------
|
||||
IPsec Tunnel Ready
|
||||
|
@ -511,7 +513,7 @@ Phase 1 works but no phase 2 tunnels are connected
|
|||
---------------------------------------------------
|
||||
|
||||
Did you set the correct local and remote networks. A common mistake is to fill in
|
||||
the ip address of the remote host in stead of its network ending with **x.x.x.0**
|
||||
the IP address of the remote host in stead of its network ending with **x.x.x.0**
|
||||
|
||||
Common issues are unequal settings. Both ends must use the same encryption standard.
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
===============
|
||||
Setup Multi WAN
|
||||
===============
|
||||
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
|
||||
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
|
||||
are also possible with OPNsense.
|
||||
|
||||
.. blockdiag::
|
||||
|
@ -47,10 +47,10 @@ We defined WAN and WAN2, where WAN will be our primary (default) gateway.
|
|||
|
||||
Step 1 - Add monitor IPs
|
||||
-------------------------
|
||||
You may skip this step if you already have setup the monitoring ip and both gateways
|
||||
You may skip this step if you already have setup the monitoring IP and both gateways
|
||||
are shown as online.
|
||||
|
||||
To add a monitoring ip go to **System->Gateways->All** and click on the first pencil
|
||||
To add a monitoring IP go to **System->Gateways->All** and click on the first pencil
|
||||
symbol to edit the first gateway.
|
||||
|
||||
Now make sure the following is configured:
|
||||
|
@ -208,4 +208,4 @@ Combining Balancing & Failover
|
|||
------------------------------
|
||||
To combine Load Balancing with Failover you will have 2 or more WAN connections
|
||||
for Balancing purposes and 1 or more for Failover. OPNsense offers 5 tiers
|
||||
(Failover groups) each tier can hold multiple ISP's/WAN gateways.
|
||||
(Failover groups) each tier can hold multiple ISPs/WAN gateways.
|
||||
|
|
|
@ -18,5 +18,5 @@ For local analysis using Insight also enable **Capture local**.
|
|||
Depending on the application you would like to use select **Version** 5 or 9.
|
||||
Remember that version 5 does not support IPv6.
|
||||
|
||||
Add your **Destinations** (ip:port then enter) local ip will be added automatic
|
||||
Add your **Destinations** (ip:port then enter) local IP will be added automatic
|
||||
if Capture local is selected.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
===========================
|
||||
Setup Anti Virus Protection
|
||||
===========================
|
||||
OPNsense can offer http and https protection by utilizing its highly flexible
|
||||
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
|
||||
proxy and the industry standard ICAP. An external engine from one of the known
|
||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||
|
@ -42,11 +42,11 @@ Step 4 - Connect the Engine
|
|||
---------------------------
|
||||
Now connect the server that the engine is installed on to OPNsense trough either
|
||||
a switch or a direct cable connection. Preferable use a separate network for this
|
||||
traffic to make sure the unencrypted ICAP traffic can's be tapped.
|
||||
traffic to make sure the unencrypted ICAP traffic can't be tapped.
|
||||
|
||||
.. Note::
|
||||
ICAP traffic is not encrypted, meaning you have to make sure the traffic is not
|
||||
visible to anyone else. When using transparent https mode it is best to configure
|
||||
visible to anyone else. When using transparent HTTPS mode it is best to configure
|
||||
a separate interface for ICAP traffic and connect the Server (Engine) directly
|
||||
with a crosslink cable. Alternatively one may use a VLAN for this purpose.
|
||||
|
||||
|
@ -70,8 +70,8 @@ Step 6 - Test using EICAR
|
|||
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
||||
on this page you will find several files you can test.
|
||||
|
||||
First test the http protocol version and if that works the https version if you
|
||||
have also configured the transparent ssl proxy mode.
|
||||
First test the HTTP protocol version. If that works, test the HTTP version if you
|
||||
have also configured the transparent SSL proxy mode.
|
||||
|
||||
.. Warning::
|
||||
**IMPORTANT NOTE** :
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
==================================================
|
||||
Setup Anti Virus Protection using OPNsense Plugins
|
||||
==================================================
|
||||
OPNsense can offer http and https protection by utilizing its highly flexible
|
||||
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
|
||||
proxy and the industry standard ICAP. An external engine from one of the known
|
||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||
|
@ -62,8 +62,8 @@ Step 5 - Test using EICAR
|
|||
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
||||
on this page you will find several files you can test.
|
||||
|
||||
First test the http protocol version and if that works the https version if you
|
||||
have also configured the transparent ssl proxy mode.
|
||||
First test the HTTP protocol version. If that works, test the HTTPS version if you
|
||||
have also configured the transparent SSL proxy mode.
|
||||
|
||||
.. Warning::
|
||||
**IMPORTANT NOTE** :
|
||||
|
|
|
@ -7,14 +7,14 @@ can be configured to run in transparent mode, this mean the clients browser does
|
|||
not have to be configured for the web proxy, but all traffic is diverted to the
|
||||
proxy automatically by utilizing Network Address Translation.
|
||||
|
||||
In this How To, we will explain the basic http as well as https (ssl bump) transparent
|
||||
In this How To, we will explain the basic HTTP as well as HTTPS (SSL bump) transparent
|
||||
proxy modes.
|
||||
|
||||
.. Warning::
|
||||
The Transparent SSL/HTTPS proxy mode uses a technique also called man-in-the-middle,
|
||||
only configure and use this if your know what you are doing. When configured wrong
|
||||
you may end up in lessing your security defenses significantly instead of enhancing
|
||||
them. Using a transparent https proxy can be a dangerous practice and may not be
|
||||
only configure and use this if you know what you are doing. When configured incorrectly
|
||||
you may end up in lessening your security defenses significantly instead of enhancing
|
||||
them. Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
||||
allowed by the services you use, for instance e-banking.
|
||||
|
||||
Step 1 - Basic Proxy Setup
|
||||
|
@ -33,7 +33,7 @@ And Click **Apply**.
|
|||
|
||||
Step 3 - NAT/Firewall Rule
|
||||
---------------------------------
|
||||
A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the
|
||||
A simple way to add the NAT/Firewall Rule is to click the **(i)** icon on the
|
||||
left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**.
|
||||
|
||||
.. image:: images/screenshot_enable_transparent_http.png
|
||||
|
|
|
@ -61,8 +61,8 @@ Press **Save Changes**.
|
|||
--------------------------------
|
||||
Step 3 - Download the Categories
|
||||
--------------------------------
|
||||
Now press Download ACL's, please note that this will take a while (can be several
|
||||
minutes) as the full list (>19 MB) will be converted to squid acl's.
|
||||
Now press Download ACLs, please note that this will take a while (can be several
|
||||
minutes) as the full list (>19 MB) will be converted to squid ACLs.
|
||||
|
||||
-------------------------
|
||||
Step 4 - Setup Categories
|
||||
|
@ -108,7 +108,7 @@ LAN interface (if LAN is where your clients and proxy are on).
|
|||
**Source** LAN net
|
||||
**Destination Port Range** HTTP
|
||||
**Category** Block Proxy Bypass
|
||||
**Description** Block http bypass
|
||||
**Description** Block HTTP bypass
|
||||
============================ =====================
|
||||
|
||||
**Save**
|
||||
|
@ -122,7 +122,7 @@ And one more rule to block HTTPS access:
|
|||
**Source** LAN net
|
||||
**Destination Port Range** HTTPS
|
||||
**Category** Block Proxy Bypass
|
||||
**Description** Block https bypass
|
||||
**Description** Block HTTPS bypass
|
||||
============================ =====================
|
||||
|
||||
**Save** & **Apply changes**
|
||||
|
|
|
@ -144,7 +144,7 @@
|
|||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<descr>Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<tunable>kern.randompid</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
Setup Traffic Shaping
|
||||
=====================
|
||||
|
||||
For this how-to we will look into these scenario's:
|
||||
For this how-to we will look into these scenarios:
|
||||
|
||||
#. Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server.
|
||||
#. Share internet bandwidth amongst users evenly
|
||||
|
@ -112,10 +112,10 @@ Create a rule for traffic directed towards the VOIP Server (Upload).
|
|||
====================== ================= =====================================================
|
||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** any *The source ip to shape, leave on any*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source IP to shape, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 172.10.2.1 *The ip address of our VOIP server*
|
||||
**destination** 172.10.2.1 *The IP address of our VOIP server*
|
||||
**dst-port** any *Use any of the destination port if static*
|
||||
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
|
||||
**description** ShapeVOIPUpload *Enter a descriptive name*
|
||||
|
@ -127,10 +127,10 @@ Create a rule for traffic coming from the VOIP Server (Download).
|
|||
====================== ================= =====================================================
|
||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** 172.10.2.1 *The ip address of our VOIP server*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** 172.10.2.1 *The IP address of our VOIP server*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
|
||||
**description** ShapeVOIPDown *Enter a descriptive name*
|
||||
|
@ -141,7 +141,7 @@ Create a rule for all other internet upload traffic
|
|||
====================== ================= =====================================================
|
||||
**sequence** 31 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *the destination address, leave in any*
|
||||
|
@ -156,8 +156,8 @@ Create a rule for all other internet download traffic
|
|||
====================== =================== =====================================================
|
||||
**sequence** 41 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** any *The source ip to shape, leave on any*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source IP to shape, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
|
@ -279,8 +279,8 @@ Create a rule for traffic directed towards the internet (Upload).
|
|||
====================== ================= =====================================================
|
||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** 192.168.1.0/24 *The source ip to shape, select the LAN network*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** 192.168.1.0/24 *The source IP to shape, select the LAN network*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination to shape, leave on any*
|
||||
**dst-port** any *Use any of the destination port if static*
|
||||
|
@ -294,10 +294,10 @@ Create a rule for traffic coming from the internet (Download).
|
|||
====================== ================= =====================================================
|
||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
||||
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
|
||||
**description** ShapeDownload *Enter a descriptive name*
|
||||
|
@ -373,10 +373,10 @@ Create a rule for traffic coming from the internet (Download).
|
|||
====================== ================= =====================================================
|
||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
||||
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
|
||||
**description** ShapeDownload *Enter a descriptive name*
|
||||
|
@ -384,7 +384,7 @@ Create a rule for traffic coming from the internet (Download).
|
|||
|
||||
.. Note::
|
||||
|
||||
If you want to limit traffic for a single ip then just enter the ip address
|
||||
If you want to limit traffic for a single IP then just enter the IP address
|
||||
in the destination field instead of the full LAN network range.
|
||||
|
||||
Now press |apply| to activate the traffic shaping rules.
|
||||
|
@ -476,46 +476,46 @@ Create a rule for smtp download traffic (email)
|
|||
====================== =================== =====================================================
|
||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** smtp *The source port to shape, smtp or 25*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** Queue-SMTP *Select the SMTP queue*
|
||||
**description** ShapeSMTPDownload *Enter a descriptive name*
|
||||
====================== =================== =====================================================
|
||||
|
||||
|
||||
Create a rule for http download traffic
|
||||
Create a rule for HTTP download traffic
|
||||
|
||||
====================== =================== =====================================================
|
||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** http *The source port to shape, http or 80*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** Queue-HTTP *Select the HTTP queue*
|
||||
**description** ShapeHTTPDownload *Enter a descriptive name*
|
||||
====================== =================== =====================================================
|
||||
|
||||
|
||||
Adding an extra rule for https traffic is simple as we can use the same http queue if we like:
|
||||
Adding an extra rule for HTTPS traffic is simple as we can use the same HTTP queue if we like:
|
||||
|
||||
====================== ==================== =====================================================
|
||||
**sequence** 31 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** https *The source port to shape, https or 443*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** Queue-HTTP *Select the HTTP queue*
|
||||
**description** ShapeHTTPSDownload *Enter a descriptive name*
|
||||
====================== ==================== =====================================================
|
||||
|
||||
This way http and https traffic will be treated the same (total max of 1 Mbps).
|
||||
This way HTTP and HTTPS traffic will be treated the same (total max of 1 Mbps).
|
||||
|
||||
Now press |apply| to activate the traffic shaping rules.
|
||||
|
||||
|
@ -620,10 +620,10 @@ Create a rule for the download traffic
|
|||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**interface2** GuestNet *Select the interface that matches your GuestNet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**direction** in *Match incoming packages (download)*
|
||||
**target** PipeDown-2Mbps *Select the Download pipe*
|
||||
|
@ -639,7 +639,7 @@ Create a rule for the upload traffic
|
|||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**destination** any *The destination IP to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**direction** out *Match incoming packages (download)*
|
||||
**target** PipeUp-1Mbps *Select the Download pipe*
|
||||
|
|
|
@ -29,7 +29,7 @@ and give you configuration examples for:
|
|||
|
||||
.. Note::
|
||||
|
||||
For the sample we will use a private ip for our WAN connection.
|
||||
For the sample we will use a private IP for our WAN connection.
|
||||
This requires us to disable the default block rule on wan to allow private traffic.
|
||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||
*(Dont forget to save and apply)*
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
Setup SSL VPN site to site tunnel
|
||||
=================================
|
||||
|
||||
Site to site VPN's connect two locations with static public IP addresses and allow
|
||||
Site to site VPNs connect two locations with static public IP addresses and allow
|
||||
traffic to be routed between the two networks. This is most commonly used to
|
||||
connect an organization's branch offices back to its main office, so branch users
|
||||
can access network resources in the main office.
|
||||
|
@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
|
|||
|
||||
.. Note::
|
||||
|
||||
For the sample we will use a private ip for our WAN connection.
|
||||
For the sample we will use a private IP for our WAN connection.
|
||||
This requires us to disable the default block rule on wan to allow private traffic.
|
||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||
*(Don't forget to save and apply)*
|
||||
|
|
|
@ -6,15 +6,15 @@ is easy just go to **System->Access->Servers** and click on **Add server** in th
|
|||
|
||||
Fill in the form:
|
||||
|
||||
============================== =============== ========================================================
|
||||
============================== =============== =========================================================
|
||||
**Descriptive name** radius_test *Enter a descriptive name*
|
||||
**Type** Radius *Select Radius*
|
||||
**Hostname or IP address** 10.10.10.1 *Enter the IP of your Radius server*
|
||||
**Shared Secret** secret *Shared secret for your Radius server*
|
||||
**Services offered** Authentication *Select Authentication,for Captive portal + accounting*
|
||||
**Authentication port value** 1812 *Port number, 1812 is default for accounting it's 1813*
|
||||
**Authentication port value** 1812 *Port number, 1812 is default; for accounting it's 1813*
|
||||
**Authentication Timeout** 5 *Timeout for Radius to respond on requests*
|
||||
============================== =============== ========================================================
|
||||
============================== =============== =========================================================
|
||||
|
||||
Use the tester under **System->Access->Tester** to test the Radius server.
|
||||
|
||||
|
|
|
@ -344,8 +344,8 @@ By default you have to log in to enter the console.
|
|||
VLANs and assigning interfaces
|
||||
If choose to do manual interface assignment or when no config file can be
|
||||
found then you are asked to assign Interfaces and VLANs. VLANs are optional.
|
||||
If you do not need VLAN's then choose **no**. You can always configure
|
||||
VLAN's at a later time.
|
||||
If you do not need VLANs then choose **no**. You can always configure
|
||||
VLANs at a later time.
|
||||
|
||||
LAN, WAN and optional interfaces
|
||||
The first interface is the LAN interface. Type the appropriate
|
||||
|
|
|
@ -6,7 +6,7 @@ Using IPv6
|
|||
:width: 100%
|
||||
|
||||
OPNsense fully supports IPv6 for routing and firewall. However there are lots of
|
||||
different options to utilize IPv6. Currently these scenario's are known to work:
|
||||
different options to utilize IPv6. Currently these scenarios are known to work:
|
||||
|
||||
* Native IPv6 only
|
||||
* Dual Stack IPv4 + IPv6
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
=========
|
||||
Multi WAN
|
||||
=========
|
||||
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
|
||||
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
|
||||
are also possible with OPNsense.
|
||||
|
||||
.. blockdiag::
|
||||
|
@ -30,7 +30,7 @@ connectivity is fully restored so will the routing switch back to the primary IS
|
|||
------------------
|
||||
WAN Load Balancing
|
||||
------------------
|
||||
Load balancing can be used to split the load between two (or more) ISP's. This
|
||||
Load balancing can be used to split the load between two (or more) ISPs. This
|
||||
enhances the total available bandwidth and/or lowers the load on each ISP.
|
||||
|
||||
The principle is simple: Each WAN connection (gateway) gets a portion of the traffic.
|
||||
|
@ -39,10 +39,10 @@ The traffic can be divided equally or weighted.
|
|||
------------------------------
|
||||
Combining Balancing & Failover
|
||||
------------------------------
|
||||
It is also possible to combine Load Balancing with Failover in such scenario's
|
||||
It is also possible to combine Load Balancing with Failover in such scenarios
|
||||
you will have 2 or more WAN connections for Balancing purposes and 1 or more for
|
||||
Failover. OPNsense offers 5 tiers (Failover groups) each tier can hold multiple
|
||||
ISP's/WAN gateways.
|
||||
ISPs/WAN gateways.
|
||||
|
||||
-------------
|
||||
Configuration
|
||||
|
|
|
@ -11,13 +11,13 @@ is very fast with little overhead compared to softflowd or pfflowd.
|
|||
|
||||
While many monitoring solutions such as Nagios, Cacti and vnstat only capture traffic
|
||||
statistics, Netflow captures complete packet flows including source, destination
|
||||
ip and port number.
|
||||
IP and port number.
|
||||
|
||||
OPNsense offers full support for exporting Netflow data to external collectors as
|
||||
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
|
||||
|
||||
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
|
||||
into it's Graphical User Interface.
|
||||
into its Graphical User Interface.
|
||||
|
||||
------------------
|
||||
Supported Versions
|
||||
|
|
|
@ -55,12 +55,12 @@ The latest update of OPNsense to version 18.1.5 did a minor jump for the IPSec p
|
|||
From this moment your VPNs are unstable and only a restart helps.
|
||||
|
||||
To check if the update of the package is the reason you can easily revert the package
|
||||
to it's previous state while running the latest OPNsense version itself
|
||||
to its previous state while running the latest OPNsense version itself.
|
||||
|
||||
# opnsense-revert -r 18.1.4 strongswan
|
||||
|
||||
With this command you will on e.g. 18.1.5 while reverting the package strongswan to it's version it was in 18.1.4.
|
||||
If you want to go back to the current release version just just
|
||||
With this command you can, for example, run OPNsense 18.1.5 while using the 18.1.4 version of strongswan.
|
||||
If you want to go back to the current release version just do
|
||||
|
||||
# opnsense-revert strongswan
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ category based web filter support. Main features include:
|
|||
|
||||
* Fetch from a remote URL
|
||||
* Supports flat file list and category based compressed lists
|
||||
* Automatically convert category based blacklists to squid ACL's
|
||||
* Automatically convert category based blacklists to squid ACLs
|
||||
* Keep up to date with the built-in scheduler
|
||||
* Compatible with most popular blacklist
|
||||
|
||||
|
@ -75,13 +75,10 @@ Transparent Mode
|
|||
----------------
|
||||
The transparent mode means all request will be diverted to the proxy without any
|
||||
configuration on your client. Transparent mode works very well with unsecured http
|
||||
requests, however with secured (SSL) https connection the proxy will become a
|
||||
requests, however with secured (SSL) HTTPS connection the proxy will become a
|
||||
man-in-the-middle as the client will "talk" to the proxy and the proxy will encrypt
|
||||
the traffic with its master key that the client is required to trust.
|
||||
|
||||
While we do not encourage the use of https in transparent mode, this feature is
|
||||
scheduled for release in version 16.7.
|
||||
|
||||
.. Warning::
|
||||
Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
||||
allowed by the services you use, for instance e-banking.
|
||||
|
|
|
@ -24,7 +24,7 @@ OPNsense traffic shaping is a reliable solution to limit bandwidth or prioritize
|
|||
traffic and can be combined with other functions such as captive portal or high
|
||||
availability (CARP).
|
||||
|
||||
Bandwidth limitations can be defined based upon the interface(s), ip source &
|
||||
Bandwidth limitations can be defined based upon the interface(s), IP source &
|
||||
destination, direction of traffic (in/out) and port numbers (application).
|
||||
|
||||
Available bandwidth can be shared evenly over all users, this allows for
|
||||
|
|
|
@ -43,4 +43,4 @@ HardenedBSD's core team consists of Oliver Pinter and Shawn Webb.
|
|||
Cooperation with OPNsense
|
||||
-------------------------
|
||||
In May 2015, HardenedBSD announced their cooperation with OPNsense.
|
||||
A HardenedBSD-flavored versions of OPNsense is available as of June 2015.
|
||||
A HardenedBSD-flavored version of OPNsense is available as of June 2015.
|
||||
|
|
|
@ -17,9 +17,9 @@ community-recognized body for reviewing and approving licenses as OSD-conformant
|
|||
|
||||
-----------------------
|
||||
|
||||
------------------
|
||||
Relations OPNsense
|
||||
------------------
|
||||
--------------------
|
||||
Relation to OPNsense
|
||||
--------------------
|
||||
OPNsense is licensed under an Open Source Initiative `approved license <http://opensource.org/licenses>`__. OPNsense
|
||||
is and will be available with the simple 2-clause BSD license. We believe an
|
||||
open source project should provide the sources and the tools to build it.
|
||||
|
|
|
@ -288,7 +288,7 @@
|
|||
// rST seems to want dds to be treated as the browser would, indented.
|
||||
dd
|
||||
margin: 0 0 $base-line-height / 2 $base-line-height
|
||||
// This is what Sphinx spits out for it's autodocs. Depending upon what language the person is referencing
|
||||
// This is what Sphinx spits out for its autodocs. Depending upon what language the person is referencing
|
||||
// these things usually have a class of "method" or "class" or something similar, but really who knows.
|
||||
// Sphinx doesn't give me a generic class on these, so unfortunately I have to apply it to the root dl.
|
||||
// This makes me terribly unhappy and makes this code very nesty. Unfortunately I've seen hand-written docs
|
||||
|
|
Loading…
Reference in New Issue