Many typo fixes and some rewording (#80)
parent
86a9787cf3
commit
020c7c74ec
4
LICENSE
4
LICENSE
|
@ -38,8 +38,8 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
||||||
|
|
||||||
https://creativecommons.org/publicdomain/zero/1.0/
|
https://creativecommons.org/publicdomain/zero/1.0/
|
||||||
|
|
||||||
# Logo's
|
# Logos
|
||||||
Logo's may be subject to additional copyrights, property
|
Logos may be subject to additional copyrights, property
|
||||||
rights, trademarks etc. and may require the consent of a third party or the
|
rights, trademarks etc. and may require the consent of a third party or the
|
||||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||||
|
|
|
@ -22,7 +22,7 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
||||||
|
|
||||||
https://creativecommons.org/publicdomain/zero/1.0/
|
https://creativecommons.org/publicdomain/zero/1.0/
|
||||||
|
|
||||||
Logo's may be subject to additional copyrights, property
|
Logos may be subject to additional copyrights, property
|
||||||
rights, trademarks etc. and may require the consent of a third party or the
|
rights, trademarks etc. and may require the consent of a third party or the
|
||||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||||
|
|
|
@ -7,7 +7,7 @@ Development Manual
|
||||||
The OPNsense® project invites developers to start developing with OPNsense:
|
The OPNsense® project invites developers to start developing with OPNsense:
|
||||||
"For your own purpose or even better to join us in creating the best FreeBSD
|
"For your own purpose or even better to join us in creating the best FreeBSD
|
||||||
based open source firewall available!" The development workflow & build process
|
based open source firewall available!" The development workflow & build process
|
||||||
has been redesigned to make it more straightforward and easy for developers to
|
have been redesigned to make it more straightforward and easy for developers to
|
||||||
build OPNsense.
|
build OPNsense.
|
||||||
|
|
||||||
Being able to get the sources and build it yourself is one of the key factors of
|
Being able to get the sources and build it yourself is one of the key factors of
|
||||||
|
|
|
@ -81,7 +81,7 @@ first layer initializes Phalcon’s routing, which handles requests and
|
||||||
delivers them to the controller based on its url. User content is
|
delivers them to the controller based on its url. User content is
|
||||||
generated using Volt templates, which are picked by the controller.
|
generated using Volt templates, which are picked by the controller.
|
||||||
Because Phalcon’s default Models function with (relational) databases
|
Because Phalcon’s default Models function with (relational) databases
|
||||||
and we are using xml data, our model implementation is custom. But
|
and we are using XML data, our model implementation is custom. But
|
||||||
wherever possible we use components from Phalcon (for example,
|
wherever possible we use components from Phalcon (for example,
|
||||||
validation is handled using Phalcon’s classes). For a detailed
|
validation is handled using Phalcon’s classes). For a detailed
|
||||||
description on the routing principles used in OPNsense, visit Frontend
|
description on the routing principles used in OPNsense, visit Frontend
|
||||||
|
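Review bot: the casing pass is inconsistent inside this hunk: "xml data" becomes "XML data", but the unchanged context line "delivers them to the controller based on its url" keeps lowercase "url". Suggest "based on its URL" in the same commit so the initialism style matches the rest of the rewording.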
@ -98,7 +98,7 @@ controllers, with the use of views, can be found at :doc:`/development/frontend/
|
||||||
Models
|
Models
|
||||||
------
|
------
|
||||||
|
|
||||||
All models are defined by a combination of a class and an xml containing
|
All models are defined by a combination of a class and an XML containing
|
||||||
a (nested) definition. More information on defining models can be found
|
a (nested) definition. More information on defining models can be found
|
||||||
at the frontend model page :doc:`/development/frontend/models`.
|
at the frontend model page :doc:`/development/frontend/models`.
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ Using the system from php is rather simple:
|
||||||
Usage in Volt templates
|
Usage in Volt templates
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
The acl scheme is bound to the default UI controller, and can be used by
|
The ACL scheme is bound to the default UI controller, and can be used by
|
||||||
using the acl keyword:
|
using the acl keyword:
|
||||||
|
|
||||||
.. code-block:: jinja
|
.. code-block:: jinja
|
||||||
|
|
|
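Review bot: leaving "using the acl keyword" lowercase is correct, since it names the literal Volt keyword, but it now sits one line after the uppercased "The ACL scheme is bound to the default UI controller", which reads like an oversight. Suggest marking the keyword as literal in the document's own RST style, e.g. "using the ``acl`` keyword:", so the distinction between the concept and the identifier is visible.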
@ -37,8 +37,8 @@ An example of how to create a menu, is given below:
|
||||||
// test, print menu as structured named array
|
// test, print menu as structured named array
|
||||||
print_r($menu->getItems("/testpage.php"));
|
print_r($menu->getItems("/testpage.php"));
|
||||||
|
|
||||||
The current version only implements a static menu defined by one xml file
|
The current version only implements a static menu defined by one XML file
|
||||||
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional xml files
|
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional XML files
|
||||||
is already supported in the component for future use.
|
is already supported in the component for future use.
|
||||||
|
|
||||||
--------
|
--------
|
||||||
|
|
|
@ -120,7 +120,7 @@ Not all modules contain additional code in the php class, sometimes all
|
||||||
the standard behaviour is already sufficient for your
|
the standard behaviour is already sufficient for your
|
||||||
modules/application.
|
modules/application.
|
||||||
|
|
||||||
Which is the model xml template, our skeleton starts with something like
|
Which is the model XML template, our skeleton starts with something like
|
||||||
this:
|
this:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
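Review bot: the rewording pass left the sentence fragment "Which is the model XML template, our skeleton starts with something like this:" in place; only "xml" was uppercased. Suggest "The model XML template in our skeleton starts with something like this:" so the line before the code block is a complete sentence.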
@ -266,9 +266,9 @@ Adding Fields
|
||||||
.. rubric:: Adding fields to your model
|
.. rubric:: Adding fields to your model
|
||||||
:name: adding-fields-to-your-model
|
:name: adding-fields-to-your-model
|
||||||
|
|
||||||
When building the skeleton, we have created an empty model (xml), which
|
When building the skeleton, we have created an empty model (XML), which
|
||||||
we are going to fill with some attributes now. The items section of the
|
we are going to fill with some attributes now. The items section of the
|
||||||
model xml should contain the structure you want to use for your
|
model XML should contain the structure you want to use for your
|
||||||
application, you can create trees to hold data in here. All leaves
|
application, you can create trees to hold data in here. All leaves
|
||||||
should contain a field type to identify and validate it’s content. The
|
should contain a field type to identify and validate it’s content. The
|
||||||
list of attributes for our application can be translated to this:
|
list of attributes for our application can be translated to this:
|
||||||
|
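Review bot: "should contain a field type to identify and validate it’s content" still has the possessive "it’s" where "its" is meant, even though this commit fixes the same error elsewhere (for example "defines its behavior"). Suggest "validate its content" here too; the surrounding "xml" to "XML" change is fine.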
@ -310,12 +310,12 @@ Enabled).
|
||||||
Presentation XML
|
Presentation XML
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
.. rubric:: Create a presentation xml to feed your template
|
.. rubric:: Create a presentation XML to feed your template
|
||||||
:name: create-a-presentation-xml-to-feed-your-template
|
:name: create-a-presentation-xml-to-feed-your-template
|
||||||
|
|
||||||
Because creating forms is one of the key assets of the system, we have
|
Because creating forms is one of the key assets of the system, we have
|
||||||
build some easy to use wrappers to guide you through the process. First
|
build some easy to use wrappers to guide you through the process. First
|
||||||
we create an xml file for the presentation, which defines fields to use
|
we create an XML file for the presentation, which defines fields to use
|
||||||
and adds some information for your template to render. Create a file in
|
and adds some information for your template to render. Create a file in
|
||||||
your controller directory using the sub directory forms and name it
|
your controller directory using the sub directory forms and name it
|
||||||
general.xml. Next copy in the following content:
|
general.xml. Next copy in the following content:
|
||||||
|
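Review bot: "we have build some easy to use wrappers" is unchanged in this hunk; "build" should be "built", and "easy-to-use" wants hyphens when used before a noun. Suggest "we have built some easy-to-use wrappers to guide you through the process." alongside the "xml" to "XML" fix.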
@ -392,7 +392,7 @@ Create API calls
|
||||||
:name: create-api-calls-to-retrieve-and-store-data
|
:name: create-api-calls-to-retrieve-and-store-data
|
||||||
|
|
||||||
The framework provides some helpful utilities to get and set data from
|
The framework provides some helpful utilities to get and set data from
|
||||||
and to the configuration xml by using your defined model. First step in
|
and to the configuration XML by using your defined model. First step in
|
||||||
binding your model to the system is to add a method to the
|
binding your model to the system is to add a method to the
|
||||||
SettingsController to fetch the data from our configuration (or provide
|
SettingsController to fetch the data from our configuration (or provide
|
||||||
the defaults if there is no content).
|
the defaults if there is no content).
|
||||||
|
@ -530,7 +530,7 @@ Let’s give it a try and save our data, without modifying it first.
|
||||||
|
|
||||||
Next correct the errors and save again, on successful save the data
|
Next correct the errors and save again, on successful save the data
|
||||||
should be stored in the config.xml. If you want to change validation
|
should be stored in the config.xml. If you want to change validation
|
||||||
messages, just edit the model xml and add your message in the
|
messages, just edit the model XML and add your message in the
|
||||||
ValidationMessage tag. For example:
|
ValidationMessage tag. For example:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
@ -848,15 +848,15 @@ automatically picks up this new information.
|
||||||
Plugin to access control (ACL)
|
Plugin to access control (ACL)
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
If we want to authorize users to access this module, we can add an acl
|
If we want to authorize users to access this module, we can add an ACL
|
||||||
to this module. Without it, only admin users can access it. Create an
|
to this module. Without it, only admin users can access it. Create an
|
||||||
xml file in the model directory name ACL/ACL.xml and place the following
|
XML file in the model directory name ACL/ACL.xml and place the following
|
||||||
content in it:
|
content in it:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<acl>
|
<acl>
|
||||||
<!-- unique acl key, must be globally unique for all acl's -->
|
<!-- unique acl key, must be globally unique for all ACLs -->
|
||||||
<page-user-helloworld>
|
<page-user-helloworld>
|
||||||
<name>WebCfg - Users: Hello World! </name>
|
<name>WebCfg - Users: Hello World! </name>
|
||||||
<description>Allow access to the Hello World! module</description>
|
<description>Allow access to the Hello World! module</description>
|
||||||
|
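Review bot: "Create an XML file in the model directory name ACL/ACL.xml" is missing a "d": it should read "named ACL/ACL.xml". Since the preceding context line states the security-relevant default ("Without it, only admin users can access it."), it would also help to make explicit that adding this file widens access to whichever users are granted the new key, so the reader understands they are loosening, not tightening, the default.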
@ -867,7 +867,7 @@ content in it:
|
||||||
</page-user-helloworld>
|
</page-user-helloworld>
|
||||||
</acl>
|
</acl>
|
||||||
|
|
||||||
This creates an acl key named “page-user-helloworld” which authorizes
|
This creates an ACL key named “page-user-helloworld” which authorizes
|
||||||
access to both the ui and API urls of this application. You can now
|
access to both the ui and API urls of this application. You can now
|
||||||
grant access to this module from the system user manager.
|
grant access to this module from the system user manager.
|
||||||
|
|
||||||
|
|
|
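Review bot: "acl" is uppercased in "This creates an ACL key named “page-user-helloworld”", but the next context line "access to both the ui and API urls of this application" keeps lowercase "ui" and "urls" next to the already-uppercase "API". Suggest "both the UI and API URLs" for consistency with the rest of this commit.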
@ -4,7 +4,7 @@ Creating Models
|
||||||
|
|
||||||
A model represents the data which the application will use and takes
|
A model represents the data which the application will use and takes
|
||||||
care of the interaction to that data. In OPNsense most of the relevant
|
care of the interaction to that data. In OPNsense most of the relevant
|
||||||
data is physically stored in an xml structure (config.xml). The primary
|
data is physically stored in an XML structure (config.xml). The primary
|
||||||
goal for OPNsense models is to structure the use of configuration data,
|
goal for OPNsense models is to structure the use of configuration data,
|
||||||
by creating a clear abstraction layer.
|
by creating a clear abstraction layer.
|
||||||
|
|
||||||
|
@ -44,7 +44,7 @@ When you design a model, the next thing to do is to figure out what data is
|
||||||
relevant for your application or module and think of the rules it should comply
|
relevant for your application or module and think of the rules it should comply
|
||||||
to (for example, if you need an email address you might want to validate the
|
to (for example, if you need an email address you might want to validate the
|
||||||
input). Designing the actual model is as simple as creating an xml file and
|
input). Designing the actual model is as simple as creating an xml file and
|
||||||
putting in your structure, the name of our xml file should be the same as the
|
putting in your structure, the name of our XML file should be the same as the
|
||||||
base name of our model suffixed by .xml.
|
base name of our model suffixed by .xml.
|
||||||
|
|
||||||
Using the same model, we would create the following file:
|
Using the same model, we would create the following file:
|
||||||
|
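Review bot: within this single hunk "creating an xml file" stays lowercase while the very next line is changed to "the name of our XML file". Suggest "Designing the actual model is as simple as creating an XML file and" so the two adjacent lines agree.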
@ -91,7 +91,7 @@ Now let's explain what's happing here one tag at a time.
|
||||||
The content of a items tag describes the full tree based structure which holds
|
The content of a items tag describes the full tree based structure which holds
|
||||||
our data, in theory this could be as large as you want it to be, but keep in
|
our data, in theory this could be as large as you want it to be, but keep in
|
||||||
mind that the content for your model should be logical and understandable. Every
|
mind that the content for your model should be logical and understandable. Every
|
||||||
node in the tree could have a type, which defines it's behavior, nodes without a
|
node in the tree could have a type, which defines its behavior, nodes without a
|
||||||
type are just containers.
|
type are just containers.
|
||||||
|
|
||||||
From top to bottom we find the following nodes in our tree:
|
From top to bottom we find the following nodes in our tree:
|
||||||
|
|
|
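Review bot: "The content of a items tag" needs "an items tag" (or "the items tag", matching "The items section of the model" used earlier in this commit), and the hunk header context "Now let's explain what's happing here" has "happing" for "happening". The "it's" to "its" fix on "defines its behavior" is correct.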
@ -78,7 +78,7 @@ implementation is one example of this stage.
|
||||||
|
|
||||||
**3)** Moving on
|
**3)** Moving on
|
||||||
(re)build new parts, using our new modules, which provide a layered development
|
(re)build new parts, using our new modules, which provide a layered development
|
||||||
system to automatically support API calls from other systems and xml based model
|
system to automatically support API calls from other systems and XML based model
|
||||||
templates to describe configuration data.
|
templates to describe configuration data.
|
||||||
|
|
||||||
*See also:*
|
*See also:*
|
||||||
|
|
|
@ -41,7 +41,7 @@ Code sample (python)
|
||||||
--------------------
|
--------------------
|
||||||
|
|
||||||
For the python code sample we use the nice "requests" library
|
For the python code sample we use the nice "requests" library
|
||||||
(http://docs.python-requests.org/en/latest/), which makes http calls
|
(http://docs.python-requests.org/en/latest/), which makes HTTP calls
|
||||||
very easy.
|
very easy.
|
||||||
|
|
||||||
Before you can start, make sure your OPNsense has a valid SSL
|
Before you can start, make sure your OPNsense has a valid SSL
|
||||||
|
@ -102,7 +102,7 @@ Using curl
|
||||||
----------
|
----------
|
||||||
|
|
||||||
Simple testing with curl is also possible, the sample below uses the
|
Simple testing with curl is also possible, the sample below uses the
|
||||||
same credentials, but ignores the ssl certificate check (-k) for
|
same credentials, but ignores the SSL certificate check (-k) for
|
||||||
testing.
|
testing.
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
|
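Review bot: the sentence "ignores the SSL certificate check (-k) for testing" deserves a stronger caveat than "for testing": with -k curl performs no certificate validation at all, so the API credentials sent with "the same credentials" would go to anyone who can intercept the connection. Suggest adding one line saying not to carry -k into scripts and pointing at the earlier requirement that "your OPNsense has a valid SSL" certificate (so --cacert or a trusted CA can be used instead).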
@ -102,4 +102,4 @@ OPNsense Core Features
|
||||||
- Stateful inspection firewall
|
- Stateful inspection firewall
|
||||||
- Granular control over state table
|
- Granular control over state table
|
||||||
- 802.1Q VLAN support
|
- 802.1Q VLAN support
|
||||||
- and more..
|
- and more…
|
||||||
|
|
|
@ -108,9 +108,9 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
|
||||||
https://creativecommons.org/publicdomain/zero/1.0/
|
https://creativecommons.org/publicdomain/zero/1.0/
|
||||||
|
|
||||||
-----------------
|
-----------------
|
||||||
Logo's Copyright
|
Logos Copyright
|
||||||
-----------------
|
-----------------
|
||||||
Logo's may be subject to additional copyrights, property
|
Logos may be subject to additional copyrights, property
|
||||||
rights, trademarks etc. and may require the consent of a third party or the
|
rights, trademarks etc. and may require the consent of a third party or the
|
||||||
license of these rights. Deciso B.V. does not represent or make any warranties
|
license of these rights. Deciso B.V. does not represent or make any warranties
|
||||||
that it owns or licenses any of the mentioned, nor does it grant them.
|
that it owns or licenses any of the mentioned, nor does it grant them.
|
||||||
|
|
|
@ -20,7 +20,7 @@ OPNsense offers the following alias types:
|
||||||
+------------+------------------------------------------------------+
|
+------------+------------------------------------------------------+
|
||||||
| Ports | Port numbers or a port range like 20:30 |
|
| Ports | Port numbers or a port range like 20:30 |
|
||||||
+------------+------------------------------------------------------+
|
+------------+------------------------------------------------------+
|
||||||
| URL Tables | A table of ip addresses that can be fetched |
|
| URL Tables | A table of IP addresses that can be fetched |
|
||||||
+------------+------------------------------------------------------+
|
+------------+------------------------------------------------------+
|
||||||
| GeoIP | Select countries or whole regions |
|
| GeoIP | Select countries or whole regions |
|
||||||
+------------+------------------------------------------------------+
|
+------------+------------------------------------------------------+
|
||||||
|
@ -44,7 +44,7 @@ Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube t
|
||||||
.. image:: images/pftable_youtube.png
|
.. image:: images/pftable_youtube.png
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
As you can see there are multiple ip addresses for this domain.
|
As you can see there are multiple IP addresses for this domain.
|
||||||
|
|
||||||
--------
|
--------
|
||||||
Networks
|
Networks
|
||||||
|
@ -64,7 +64,7 @@ section.
|
||||||
----------
|
----------
|
||||||
URL Tables
|
URL Tables
|
||||||
----------
|
----------
|
||||||
URL tables can be used to fetch a list of ip addresses from a remote server.
|
URL tables can be used to fetch a list of IP addresses from a remote server.
|
||||||
There are several IP lists available for free, most notably are the "Don't Route
|
There are several IP lists available for free, most notably are the "Don't Route
|
||||||
Or Peer" lists from Spamhaus.
|
Or Peer" lists from Spamhaus.
|
||||||
|
|
||||||
|
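Review bot: "most notably are the "Don't Route Or Peer" lists from Spamhaus" reads awkwardly; suggest "most notably the "Don't Route Or Peer" lists from Spamhaus" (drop "are"). The "ip" to "IP" change itself is fine.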
@ -152,7 +152,7 @@ Then concatenate both by defining a new list:
|
||||||
|
|
||||||
* servers { critical_servers , other_servers}.
|
* servers { critical_servers , other_servers}.
|
||||||
|
|
||||||
The end result will be a list with all ip addresses in one alias list (servers).
|
The end result will be a list with all IP addresses in one alias list (servers).
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
Configure DROP and EDROP lists
|
Configure DROP and EDROP lists
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
.. image:: images/eye_on_virus_new.jpg
|
.. image:: images/eye_on_virus_new.jpg
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
**OPNsense** offers the industry standard ICAP to protect http and https
|
**OPNsense** offers the industry standard ICAP to protect HTTP and HTTPS
|
||||||
connections against ransomware, trojans, viruses and other malware .
|
connections against ransomware, trojans, viruses and other malware .
|
||||||
|
|
||||||
OPNsense offers a ClamAV plugin, which can be used with the C-ICAP plugin or relies on third
|
OPNsense offers a ClamAV plugin, which can be used with the C-ICAP plugin or relies on third
|
||||||
|
|
|
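Review bot: the context line "connections against ransomware, trojans, viruses and other malware ." still has a space before the full stop; suggest removing it while touching this paragraph. Also, "the industry standard ICAP" would read better as "the industry-standard ICAP protocol".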
@ -70,7 +70,7 @@ Bandwidth Management
|
||||||
The Built-in traffic shaper can be utilized to:
|
The Built-in traffic shaper can be utilized to:
|
||||||
|
|
||||||
* Share bandwidth evenly
|
* Share bandwidth evenly
|
||||||
* Give priority to protocols port numbers and/or ip addresses
|
* Give priority to protocols port numbers and/or IP addresses
|
||||||
|
|
||||||
See also: :doc:`/manual/shaping`
|
See also: :doc:`/manual/shaping`
|
||||||
|
|
||||||
|
|
|
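Review bot: "Give priority to protocols port numbers and/or IP addresses" is missing a comma between list items; suggest "Give priority to protocols, port numbers and/or IP addresses". The context line "The Built-in traffic shaper" also has a stray capital on "Built-in".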
@ -5,7 +5,7 @@ Setup for Sky UK ISP
|
||||||
|
|
||||||
**Introduction**
|
**Introduction**
|
||||||
-----------------
|
-----------------
|
||||||
This doc covers the setup of Opnsense on a Sky UK VDSL connection.
|
This doc covers the setup of OPNsense on a Sky UK VDSL connection.
|
||||||
|
|
||||||
Sky uses a simple IPoE connection, all that is required is a suitable modem
|
Sky uses a simple IPoE connection, all that is required is a suitable modem
|
||||||
in bridge mode. If using a standard OpenReach modem then no setting is required
|
in bridge mode. If using a standard OpenReach modem then no setting is required
|
||||||
|
@ -67,7 +67,7 @@ requirement for Sky .
|
||||||
|
|
||||||
The only other requirement in this section is to select ‘Prevent Release'.
|
The only other requirement in this section is to select ‘Prevent Release'.
|
||||||
This is there as the Sky DHCPv6 servers use a 'sticky' address. If the
|
This is there as the Sky DHCPv6 servers use a 'sticky' address. If the
|
||||||
Opnsense dhcp6 client sends a release signal to the server it's more than
|
OPNsense dhcp6 client sends a release signal to the server it's more than
|
||||||
likely that the allocated prefix will change, thus this setting, along with
|
likely that the allocated prefix will change, thus this setting, along with
|
||||||
the 'DHCP Unique Identifier' setting will attempt to mitigate this risk.
|
the 'DHCP Unique Identifier' setting will attempt to mitigate this risk.
|
||||||
|
|
||||||
|
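Review bot: "select ‘Prevent Release'" mixes a curly opening quote with a straight closing one; suggest matching straight quotes, as used in "'sticky' address" and "'DHCP Unique Identifier'" on the following lines. The "Opnsense" to "OPNsense" fix is correct; "dhcp6 client" could be "DHCPv6 client" for consistency with "the Sky DHCPv6 servers" one line above.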
@ -76,7 +76,7 @@ Once these settings have been entered, click on 'Save' then 'Apply'.
|
||||||
**DHCP Unique Identifier**
|
**DHCP Unique Identifier**
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|
||||||
Although Opnsense stores the IPv6 DUID it is possible this can be lost, this
|
Although OPNsense stores the IPv6 DUID it is possible this can be lost, this
|
||||||
again would probably result in a new prefix being given, therefore an option
|
again would probably result in a new prefix being given, therefore an option
|
||||||
to enter and store a DUID is given in the Interface:Settings menu.
|
to enter and store a DUID is given in the Interface:Settings menu.
|
||||||
|
|
||||||
|
|
|
@ -82,7 +82,7 @@ interfaces in the **FTP proxy interfaces** field and **Apply**.
|
||||||
-------------------
|
-------------------
|
||||||
Access Control List
|
Access Control List
|
||||||
-------------------
|
-------------------
|
||||||
You can setup ACL's by clicking on the arrow next to **Forward Proxy** and select
|
You can setup ACLs by clicking on the arrow next to **Forward Proxy** and select
|
||||||
**Access Control List**. Here you can:
|
**Access Control List**. Here you can:
|
||||||
|
|
||||||
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
|
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
|
||||||
|
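Review bot: "You can setup ACLs" uses the noun "setup" as a verb; suggest "You can set up ACLs" (the same applies to the context line "Setup Allowed Subnets"). The "ACL's" to "ACLs" change is correct.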
@ -156,7 +156,7 @@ LAN interface (if LAN is where your clients and proxy are on).
|
||||||
**Source** LAN net
|
**Source** LAN net
|
||||||
**Destination Port Range** HTTP
|
**Destination Port Range** HTTP
|
||||||
**Category** Block Proxy Bypass
|
**Category** Block Proxy Bypass
|
||||||
**Description** Block http bypass
|
**Description** Block HTTP bypass
|
||||||
============================ =====================
|
============================ =====================
|
||||||
|
|
||||||
**Save**
|
**Save**
|
||||||
|
@ -170,7 +170,7 @@ And one more rule to block HTTPS access:
|
||||||
**Source** LAN net
|
**Source** LAN net
|
||||||
**Destination Port Range** HTTPS
|
**Destination Port Range** HTTPS
|
||||||
**Category** Block Proxy Bypass
|
**Category** Block Proxy Bypass
|
||||||
**Description** Block https bypass
|
**Description** Block HTTPS bypass
|
||||||
============================ =====================
|
============================ =====================
|
||||||
|
|
||||||
**Save** & **Apply changes**
|
**Save** & **Apply changes**
|
||||||
|
|
|
@ -18,12 +18,12 @@ route our traffic to the internet.
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
When using CARP ( `FreeBSD handbook on CARP <https://www.freebsd.org/doc/handbook/carp.html>`__ ), all
|
When using CARP ( `FreeBSD handbook on CARP <https://www.freebsd.org/doc/handbook/carp.html>`__ ), all
|
||||||
fail-safe interfaces should have a dedicated ip address which will be
|
fail-safe interfaces should have a dedicated IP address which will be
|
||||||
combined with one shared virtual ip address to communicate to both
|
combined with one shared virtual IP address to communicate to both
|
||||||
networks. In the picture above the dashed lines are used to mark the
|
networks. In the picture above the dashed lines are used to mark the
|
||||||
virtual addresses.
|
virtual addresses.
|
||||||
|
|
||||||
The configuration file (xml) for both firewalls can be downloaded from
|
The configuration file (XML) for both firewalls can be downloaded from
|
||||||
the wiki.
|
the wiki.
|
||||||
|
|
||||||
-----------
|
-----------
|
||||||
|
@ -37,7 +37,7 @@ we will explain briefly first:
|
||||||
:name: carp
|
:name: carp
|
||||||
|
|
||||||
Common Address Redundancy Protocol uses IP protocol 112, is derived from
|
Common Address Redundancy Protocol uses IP protocol 112, is derived from
|
||||||
OpenBSD and uses multicast packets to signal it's neighbours about it's
|
OpenBSD and uses multicast packets to signal its neighbours about its
|
||||||
status. Always make sure that each interface can receive carp packets.
|
status. Always make sure that each interface can receive carp packets.
|
||||||
Every virtual interface must have a unique Virtual Host ID (vhid), which
|
Every virtual interface must have a unique Virtual Host ID (vhid), which
|
||||||
is shared across the physical machines. To determine which physical
|
is shared across the physical machines. To determine which physical
|
||||||
|
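Review bot: the fix to "signal its neighbours about its status" is right, but the next context line "Always make sure that each interface can receive carp packets." keeps lowercase "carp" while the same paragraph spells out "Common Address Redundancy Protocol". Suggest "CARP packets" here, and likewise "Virtual Host ID (VHID)" for the abbreviation on the following line.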
@ -100,7 +100,7 @@ pfSync protocol.
|
||||||
.. rubric:: Backup
|
.. rubric:: Backup
|
||||||
:name: backup
|
:name: backup
|
||||||
|
|
||||||
The backup server needs it's own dedicated addresses, we will use these:
|
The backup server needs its own dedicated addresses, we will use these:
|
||||||
|
|
||||||
+----------+-------------------+
|
+----------+-------------------+
|
||||||
| LAN | 192.168.1.20/24 |
|
| LAN | 192.168.1.20/24 |
|
||||||
|
@ -180,7 +180,7 @@ consider. All clients should use the virtual address in stead of the
|
||||||
physical address it's normally propagating. Next thing to consider is
|
physical address it's normally propagating. Next thing to consider is
|
||||||
there will be two servers active at the same time, which should know of
|
there will be two servers active at the same time, which should know of
|
||||||
each others pools. If dns requests are also forwarded by OPNsense, make
|
each others pools. If dns requests are also forwarded by OPNsense, make
|
||||||
sure the dhcp server sends the right ip address. These are settings used
|
sure the dhcp server sends the right IP address. These are settings used
|
||||||
in our example (on the master server):
|
in our example (on the master server):
|
||||||
|
|
||||||
+--------------------+----------------+
|
+--------------------+----------------+
|
||||||
|
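Review bot: "ip" becomes "IP" in "sends the right IP address", but "If dns requests are also forwarded" and "sure the dhcp server sends" on the adjacent lines keep lowercase "dns" and "dhcp"; suggest "DNS" and "DHCP". The hunk header context "use the virtual address in stead of" should be "instead of".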
@ -197,7 +197,7 @@ Setup HA sync (xmlrpc) and pfSync
|
||||||
|
|
||||||
First we should enable pfSync using our dedicated interface using the
|
First we should enable pfSync using our dedicated interface using the
|
||||||
master firewall. Go to System -> High Availability, enable pfsync and
|
master firewall. Go to System -> High Availability, enable pfsync and
|
||||||
select the interface used for pfSync. Next setup the peer ip to the
|
select the interface used for pfSync. Next setup the peer IP to the
|
||||||
other hosts address (10.0.0.2).
|
other hosts address (10.0.0.2).
|
||||||
|
|
||||||
Now we need to configure the settings we want to duplicating to the
|
Now we need to configure the settings we want to duplicating to the
|
||||||
|
|
|
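Review bot: three items on the unchanged lines around the "peer IP" fix: "enable pfsync" versus "pfSync" two lines earlier (pick one spelling), "other hosts address" needs the possessive "other host's address", and "the settings we want to duplicating" should be "want to duplicate". Suggest fixing all three in the same pass since this commit is billed as typo fixes and rewording.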
@ -130,7 +130,7 @@ lower right corner.
|
||||||
---------------
|
---------------
|
||||||
Check pf Tables
|
Check pf Tables
|
||||||
---------------
|
---------------
|
||||||
To list the ip addresses that are currently in the DROP and EDROP lists go to
|
To list the IP addresses that are currently in the DROP and EDROP lists go to
|
||||||
**Firewall->Diagnostics->pfTables** and select the list you want to see:
|
**Firewall->Diagnostics->pfTables** and select the list you want to see:
|
||||||
|
|
||||||
.. image:: images/spamhaus_pftable.png
|
.. image:: images/spamhaus_pftable.png
|
||||||
|
|
|
@ -83,8 +83,8 @@ Clicking on a piece of the pie will open a detailed view for further analysis.
|
||||||
IP Addresses Pie Chart
|
IP Addresses Pie Chart
|
||||||
----------------------
|
----------------------
|
||||||
The IP addresses pie chart works the same as the ports pie chart and shows the
|
The IP addresses pie chart works the same as the ports pie chart and shows the
|
||||||
percentage per ip number. One can change the view by clicking or double clicking
|
percentage per IP number. One can change the view by clicking or double clicking
|
||||||
on one of the shown ip numbers.
|
on one of the shown IP numbers.
|
||||||
|
|
||||||
Clicking on a piece of the pie will open a detailed view for further analysis.
|
Clicking on a piece of the pie will open a detailed view for further analysis.
|
||||||
|
|
||||||
|
@ -106,7 +106,7 @@ When opening the details view by clicking on the tab one can make a new query.
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
After selecting a valid date range (form/to) and interface one can further limit
|
After selecting a valid date range (form/to) and interface one can further limit
|
||||||
the output by filtering on port or ip address. Select the refresh icon to update
|
the output by filtering on port or IP address. Select the refresh icon to update
|
||||||
the detailed output. Leave Port and Address empty for a full detailed listing.
|
the detailed output. Leave Port and Address empty for a full detailed listing.
|
||||||
|
|
||||||
.. image:: images/insight_full_details.png
|
.. image:: images/insight_full_details.png
|
||||||
|
|
|
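Review bot: "After selecting a valid date range (form/to)" has "form" for "from" on the context line directly above the "ip" to "IP" change; suggest "(from/to)".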
@ -29,7 +29,7 @@ Choose an instance type
|
||||||
---------------------------------
|
---------------------------------
|
||||||
Step 3 - Configure security group
|
Step 3 - Configure security group
|
||||||
---------------------------------
|
---------------------------------
|
||||||
To configure security group, make sure you allow https access from your own network.
|
To configure security group, make sure you allow HTTPS access from your own network.
|
||||||
|
|
||||||
.. image:: images/aws_configure_security_group.png
|
.. image:: images/aws_configure_security_group.png
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
|
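Review bot: the rewritten sentence drops the article ("To configure the security group") and, more importantly, should state the least-privilege intent outright: "from your own network" means the inbound HTTPS (TCP 443) rule's source must be your own network's IP range, not 0.0.0.0/0. Suggest: "When configuring the security group, allow HTTPS (TCP 443) inbound only from your own network's IP range."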
@ -16,7 +16,7 @@ OPNsense and give you configuration examples for:
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
For the sample we will use a private ip for our WAN connection.
|
For the sample we will use a private IP for our WAN connection.
|
||||||
This requires us to disable the default block rule on wan to allow private traffic.
|
This requires us to disable the default block rule on wan to allow private traffic.
|
||||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||||
*(Dont forget to save and apply)*
|
*(Dont forget to save and apply)*
|
||||||
|
|
|
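Review bot: two errors remain on the unchanged lines of this hunk: "on wan" should be "on WAN" (matching the **Interfaces->[WAN]** reference two lines below) and "Dont" needs its apostrophe ("Don't"). The same note block appears verbatim in the neighbouring how-to, so fix both copies together.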
@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
For the sample we will use a private ip for our WAN connection.
|
For the sample we will use a private IP for our WAN connection.
|
||||||
This requires us to disable the default block rule on wan to allow private traffic.
|
This requires us to disable the default block rule on wan to allow private traffic.
|
||||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||||
*(Dont forget to save and apply)*
|
*(Dont forget to save and apply)*
|
||||||
|
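Review bot: same fixes needed here as in the other copy of this note: "on wan" should be "on WAN" and "Dont" should be "Don't". The hunk-header context line also carries "you local network need to different than that of the remote network", which should read "your local network needs to be different from that of the remote network".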
@ -170,11 +170,11 @@ Full Network Diagram Including IPsec Tunnel
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
------------------------------
|
---------------------------------------
|
||||||
Firewall Rules Site A & Site B
|
Firewall Rules Site A & Site B (part 1)
|
||||||
------------------------------
|
---------------------------------------
|
||||||
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
|
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
|
||||||
sites:
|
sites (under **Firewall->Rules->WAN**):
|
||||||
|
|
||||||
* Protocol ESP
|
* Protocol ESP
|
||||||
* UDP Traffic on Port 500 (ISAKMP)
|
* UDP Traffic on Port 500 (ISAKMP)
|
||||||
|
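Review bot: "should be allowed on WAN for on sites" is still ungrammatical on both sides; "on both sites" is the intent. Adding the **Firewall->Rules->WAN** menu reference is a good change; consider also stating the direction (inbound on WAN) so the bullet list is not read as a generic allow-from-anywhere rule.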
@ -185,13 +185,7 @@ sites:
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
You can further limit the traffic by the source ip of the remote host.
|
You can further limit the traffic by the source IP of the remote host.
|
||||||
|
|
||||||
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
|
|
||||||
interface.
|
|
||||||
|
|
||||||
.. image:: images/ipsec_ipsec_lan_rule.png
|
|
||||||
:width: 100%
|
|
||||||
|
|
||||||
-----------------------
|
-----------------------
|
||||||
Step 1 - Phase 1 Site A
|
Step 1 - Phase 1 Site A
|
||||||
|
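Review bot: the Note "You can further limit the traffic by the source IP of the remote host" reads as optional, but it should be the recommended configuration: the peer's public address is fixed in the Phase 1 tables (172.10.2.1 for Site A, 172.10.1.1 for Site B), so the WAN rules for ESP and UDP 500 should use that address as source instead of any. Suggest: "Limit these rules to the public IP of the remote site." Removing the IPsec-interface rule paragraph here is fine provided it is reinstated in the new "Firewall Rules Site A & Site B (part 2)" section, as this commit does.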
@ -206,7 +200,7 @@ General information
|
||||||
**Key Exchange version** V2
|
**Key Exchange version** V2
|
||||||
**Internet Protocol** IPv4
|
**Internet Protocol** IPv4
|
||||||
**Interface** WAN *choose the interface connected to the internet*
|
**Interface** WAN *choose the interface connected to the internet*
|
||||||
**Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense*
|
**Remote gateway** 172.10.2.1 *the public IP address of your remote OPNsense*
|
||||||
**Description** Site B *freely chosen description*
|
**Description** Site B *freely chosen description*
|
||||||
========================= ============= ================================================
|
========================= ============= ================================================
|
||||||
|
|
||||||
|
@ -320,7 +314,8 @@ And Apply changes:
|
||||||
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
**You are done configuring Site A.**
|
**You are almost done configuring Site A (only some firewall settings remain, which we'll address later).**
|
||||||
|
**We will now proceed setting up Site B**
|
||||||
|
|
||||||
-----------------------------
|
-----------------------------
|
||||||
|
|
||||||
|
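Review bot: "We will now proceed setting up Site B" should be "We will now proceed with setting up Site B". The new parenthetical "which we'll address later" would be more useful if it named the section, e.g. "see Firewall Rules Site A & Site B (part 2)", so readers who jump in here know where the remaining step lives.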
@ -337,7 +332,7 @@ General information
|
||||||
**Key Exchange version** V2
|
**Key Exchange version** V2
|
||||||
**Internet Protocol** IPv4
|
**Internet Protocol** IPv4
|
||||||
**Interface** WAN *choose the interface connected to the internet*
|
**Interface** WAN *choose the interface connected to the internet*
|
||||||
**Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense*
|
**Remote gateway** 172.10.1.1 *the public IP address of your remote OPNsense*
|
||||||
**Description** Site A *freely chosen description*
|
**Description** Site A *freely chosen description*
|
||||||
========================= ============= ================================================
|
========================= ============= ================================================
|
||||||
|
|
||||||
|
@ -455,8 +450,15 @@ And Apply changes:
|
||||||
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
.. image:: images/ipsec_s2s_vpn_p1a_success.png
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
**You are done configuring Site B.**
|
---------------------------------------
|
||||||
|
Firewall Rules Site A & Site B (part 2)
|
||||||
|
---------------------------------------
|
||||||
|
|
||||||
|
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
|
||||||
|
interface (under **Firewall->Rules->IPsec**).
|
||||||
|
|
||||||
|
.. image:: images/ipsec_ipsec_lan_rule.png
|
||||||
|
:width: 100%
|
||||||
|
|
||||||
------------------
|
------------------
|
||||||
IPsec Tunnel Ready
|
IPsec Tunnel Ready
|
||||||
|
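Review bot: the new part 2 section says a rule must be added on the IPsec interface but leaves the rule's content to the screenshot. Spell it out in text (source: the remote site's LAN network, destination: LAN net, protocol as required) so the instruction stands without the image, and recommend restricting source and destination to the two LAN subnets rather than any; otherwise the IPsec interface rule becomes a blanket pass rule for anything arriving over the tunnel.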
@ -511,7 +513,7 @@ Phase 1 works but no phase 2 tunnels are connected
|
||||||
---------------------------------------------------
|
---------------------------------------------------
|
||||||
|
|
||||||
Did you set the correct local and remote networks. A common mistake is to fill in
|
Did you set the correct local and remote networks. A common mistake is to fill in
|
||||||
the ip address of the remote host in stead of its network ending with **x.x.x.0**
|
the IP address of the remote host in stead of its network ending with **x.x.x.0**
|
||||||
|
|
||||||
Common issues are unequal settings. Both ends must use the same encryption standard.
|
Common issues are unequal settings. Both ends must use the same encryption standard.
|
||||||
|
|
||||||
|
|
|
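Review bot: three issues remain on this hunk's lines: "Did you set the correct local and remote networks." needs a question mark, "in stead" should be "instead", and "its network ending with x.x.x.0" should include the prefix length (e.g. x.x.x.0/24), since a network entered without its mask is the very mistake being described. "Both ends must use the same encryption standard" would be clearer as "the same Phase 2 settings (encryption, hash, PFS group)".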
@ -1,7 +1,7 @@
|
||||||
===============
|
===============
|
||||||
Setup Multi WAN
|
Setup Multi WAN
|
||||||
===============
|
===============
|
||||||
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
|
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
|
||||||
are also possible with OPNsense.
|
are also possible with OPNsense.
|
||||||
|
|
||||||
.. blockdiag::
|
.. blockdiag::
|
||||||
|
@ -47,10 +47,10 @@ We defined WAN and WAN2, where WAN will be our primary (default) gateway.
|
||||||
|
|
||||||
Step 1 - Add monitor IPs
|
Step 1 - Add monitor IPs
|
||||||
-------------------------
|
-------------------------
|
||||||
You may skip this step if you already have setup the monitoring ip and both gateways
|
You may skip this step if you already have setup the monitoring IP and both gateways
|
||||||
are shown as online.
|
are shown as online.
|
||||||
|
|
||||||
To add a monitoring ip go to **System->Gateways->All** and click on the first pencil
|
To add a monitoring IP go to **System->Gateways->All** and click on the first pencil
|
||||||
symbol to edit the first gateway.
|
symbol to edit the first gateway.
|
||||||
|
|
||||||
Now make sure the following is configured:
|
Now make sure the following is configured:
|
||||||
|
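Review bot: "if you already have setup the monitoring IP and both gateways are shown as online" should be "if you have already set up the monitoring IPs and both gateways are shown as online" (verb form, and plural since both gateways are monitored).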
@ -208,4 +208,4 @@ Combining Balancing & Failover
|
||||||
------------------------------
|
------------------------------
|
||||||
To combine Load Balancing with Failover you will have 2 or more WAN connections
|
To combine Load Balancing with Failover you will have 2 or more WAN connections
|
||||||
for Balancing purposes and 1 or more for Failover. OPNsense offers 5 tiers
|
for Balancing purposes and 1 or more for Failover. OPNsense offers 5 tiers
|
||||||
(Failover groups) each tier can hold multiple ISP's/WAN gateways.
|
(Failover groups) each tier can hold multiple ISPs/WAN gateways.
|
||||||
|
|
|
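Review bot: "OPNsense offers 5 tiers (Failover groups) each tier can hold multiple ISPs/WAN gateways." is a run-on; split after the parenthesis: "OPNsense offers 5 tiers (failover groups); each tier can hold multiple ISPs/WAN gateways."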
@ -18,5 +18,5 @@ For local analysis using Insight also enable **Capture local**.
|
||||||
Depending on the application you would like to use select **Version** 5 or 9.
|
Depending on the application you would like to use select **Version** 5 or 9.
|
||||||
Remember that version 5 does not support IPv6.
|
Remember that version 5 does not support IPv6.
|
||||||
|
|
||||||
Add your **Destinations** (ip:port then enter) local ip will be added automatic
|
Add your **Destinations** (ip:port then enter) local IP will be added automatic
|
||||||
if Capture local is selected.
|
if Capture local is selected.
|
||||||
|
|
|
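Review bot: "local IP will be added automatic" should be "the local IP will be added automatically", and the sentence needs a break after the parenthesis. Suggest: "Add your **Destinations** (ip:port, then Enter). The local IP will be added automatically if Capture local is selected."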
@ -1,7 +1,7 @@
|
||||||
===========================
|
===========================
|
||||||
Setup Anti Virus Protection
|
Setup Anti Virus Protection
|
||||||
===========================
|
===========================
|
||||||
OPNsense can offer http and https protection by utilizing its highly flexible
|
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
|
||||||
proxy and the industry standard ICAP. An external engine from one of the known
|
proxy and the industry standard ICAP. An external engine from one of the known
|
||||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||||
|
@ -42,11 +42,11 @@ Step 4 - Connect the Engine
|
||||||
---------------------------
|
---------------------------
|
||||||
Now connect the server that the engine is installed on to OPNsense trough either
|
Now connect the server that the engine is installed on to OPNsense trough either
|
||||||
a switch or a direct cable connection. Preferable use a separate network for this
|
a switch or a direct cable connection. Preferable use a separate network for this
|
||||||
traffic to make sure the unencrypted ICAP traffic can's be tapped.
|
traffic to make sure the unencrypted ICAP traffic can't be tapped.
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
ICAP traffic is not encrypted, meaning you have to make sure the traffic is not
|
ICAP traffic is not encrypted, meaning you have to make sure the traffic is not
|
||||||
visible to anyone else. When using transparent https mode it is best to configure
|
visible to anyone else. When using transparent HTTPS mode it is best to configure
|
||||||
a separate interface for ICAP traffic and connect the Server (Engine) directly
|
a separate interface for ICAP traffic and connect the Server (Engine) directly
|
||||||
with a crosslink cable. Alternatively one may use a VLAN for this purpose.
|
with a crosslink cable. Alternatively one may use a VLAN for this purpose.
|
||||||
|
|
||||||
|
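Review bot: "trough" should be "through" and "Preferable use" should be "Preferably use"; both sit on the unchanged context lines of this hunk, so the typo sweep missed them. The "can't be tapped" correction and the Note about unencrypted ICAP traffic are good as they stand.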
@ -70,8 +70,8 @@ Step 6 - Test using EICAR
|
||||||
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
||||||
on this page you will find several files you can test.
|
on this page you will find several files you can test.
|
||||||
|
|
||||||
First test the http protocol version and if that works the https version if you
|
First test the HTTP protocol version. If that works, test the HTTP version if you
|
||||||
have also configured the transparent ssl proxy mode.
|
have also configured the transparent SSL proxy mode.
|
||||||
|
|
||||||
.. Warning::
|
.. Warning::
|
||||||
**IMPORTANT NOTE** :
|
**IMPORTANT NOTE** :
|
||||||
|
|
|
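Review bot: the rewording introduced an error: "If that works, test the HTTP version if you have also configured the transparent SSL proxy mode" must say "test the HTTPS version". The original read "the https version", and the identical sentence in the plugins how-to is correctly rewritten as "HTTPS" in this same commit, so this one was mistyped.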
@ -1,7 +1,7 @@
|
||||||
==================================================
|
==================================================
|
||||||
Setup Anti Virus Protection using OPNsense Plugins
|
Setup Anti Virus Protection using OPNsense Plugins
|
||||||
==================================================
|
==================================================
|
||||||
OPNsense can offer http and https protection by utilizing its highly flexible
|
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
|
||||||
proxy and the industry standard ICAP. An external engine from one of the known
|
proxy and the industry standard ICAP. An external engine from one of the known
|
||||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||||
|
@ -62,8 +62,8 @@ Step 5 - Test using EICAR
|
||||||
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
|
||||||
on this page you will find several files you can test.
|
on this page you will find several files you can test.
|
||||||
|
|
||||||
First test the http protocol version and if that works the https version if you
|
First test the HTTP protocol version. If that works, test the HTTPS version if you
|
||||||
have also configured the transparent ssl proxy mode.
|
have also configured the transparent SSL proxy mode.
|
||||||
|
|
||||||
.. Warning::
|
.. Warning::
|
||||||
**IMPORTANT NOTE** :
|
**IMPORTANT NOTE** :
|
||||||
|
|
|
@ -7,14 +7,14 @@ can be configured to run in transparent mode, this mean the clients browser does
|
||||||
not have to be configured for the web proxy, but all traffic is diverted to the
|
not have to be configured for the web proxy, but all traffic is diverted to the
|
||||||
proxy automatically by utilizing Network Address Translation.
|
proxy automatically by utilizing Network Address Translation.
|
||||||
|
|
||||||
In this How To, we will explain the basic http as well as https (ssl bump) transparent
|
In this How To, we will explain the basic HTTP as well as HTTPS (SSL bump) transparent
|
||||||
proxy modes.
|
proxy modes.
|
||||||
|
|
||||||
.. Warning::
|
.. Warning::
|
||||||
The Transparent SSL/HTTPS proxy mode uses a technique also called man-in-the-middle,
|
The Transparent SSL/HTTPS proxy mode uses a technique also called man-in-the-middle,
|
||||||
only configure and use this if your know what you are doing. When configured wrong
|
only configure and use this if you know what you are doing. When configured incorrectly
|
||||||
you may end up in lessing your security defenses significantly instead of enhancing
|
you may end up in lessening your security defenses significantly instead of enhancing
|
||||||
them. Using a transparent https proxy can be a dangerous practice and may not be
|
them. Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
||||||
allowed by the services you use, for instance e-banking.
|
allowed by the services you use, for instance e-banking.
|
||||||
|
|
||||||
Step 1 - Basic Proxy Setup
|
Step 1 - Basic Proxy Setup
|
||||||
|
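Review bot: the hunk-header context line "this mean the clients browser does not have to be configured" has two errors and should read "this means the client's browser does not have to be configured"; since the rest of the paragraph is being reworded, include it. The Warning text reads well after the "you know" / "incorrectly" / "lessening" fixes.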
@ -33,7 +33,7 @@ And Click **Apply**.
|
||||||
|
|
||||||
Step 3 - NAT/Firewall Rule
|
Step 3 - NAT/Firewall Rule
|
||||||
---------------------------------
|
---------------------------------
|
||||||
A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the
|
A simple way to add the NAT/Firewall Rule is to click the **(i)** icon on the
|
||||||
left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**.
|
left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**.
|
||||||
|
|
||||||
.. image:: images/screenshot_enable_transparent_http.png
|
.. image:: images/screenshot_enable_transparent_http.png
|
||||||
|
|
|
@ -61,8 +61,8 @@ Press **Save Changes**.
|
||||||
--------------------------------
|
--------------------------------
|
||||||
Step 3 - Download the Categories
|
Step 3 - Download the Categories
|
||||||
--------------------------------
|
--------------------------------
|
||||||
Now press Download ACL's, please note that this will take a while (can be several
|
Now press Download ACLs, please note that this will take a while (can be several
|
||||||
minutes) as the full list (>19 MB) will be converted to squid acl's.
|
minutes) as the full list (>19 MB) will be converted to squid ACLs.
|
||||||
|
|
||||||
-------------------------
|
-------------------------
|
||||||
Step 4 - Setup Categories
|
Step 4 - Setup Categories
|
||||||
|
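Review bot: "Now press Download ACLs, please note that this will take a while" is a comma splice, and the button name is not bolded like other UI elements on the page. Suggest: "Now press **Download ACLs**. Note that this will take a while (can be several minutes) as the full list (>19 MB) will be converted to squid ACLs."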
@ -108,7 +108,7 @@ LAN interface (if LAN is where your clients and proxy are on).
|
||||||
**Source** LAN net
|
**Source** LAN net
|
||||||
**Destination Port Range** HTTP
|
**Destination Port Range** HTTP
|
||||||
**Category** Block Proxy Bypass
|
**Category** Block Proxy Bypass
|
||||||
**Description** Block http bypass
|
**Description** Block HTTP bypass
|
||||||
============================ =====================
|
============================ =====================
|
||||||
|
|
||||||
**Save**
|
**Save**
|
||||||
|
@ -122,7 +122,7 @@ And one more rule to block HTTPS access:
|
||||||
**Source** LAN net
|
**Source** LAN net
|
||||||
**Destination Port Range** HTTPS
|
**Destination Port Range** HTTPS
|
||||||
**Category** Block Proxy Bypass
|
**Category** Block Proxy Bypass
|
||||||
**Description** Block https bypass
|
**Description** Block HTTPS bypass
|
||||||
============================ =====================
|
============================ =====================
|
||||||
|
|
||||||
**Save** & **Apply changes**
|
**Save** & **Apply changes**
|
||||||
|
|
|
@ -144,7 +144,7 @@
|
||||||
<value>default</value>
|
<value>default</value>
|
||||||
</item>
|
</item>
|
||||||
<item>
|
<item>
|
||||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
<descr>Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||||
<tunable>kern.randompid</tunable>
|
<tunable>kern.randompid</tunable>
|
||||||
<value>default</value>
|
<value>default</value>
|
||||||
</item>
|
</item>
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
Setup Traffic Shaping
|
Setup Traffic Shaping
|
||||||
=====================
|
=====================
|
||||||
|
|
||||||
For this how-to we will look into these scenario's:
|
For this how-to we will look into these scenarios:
|
||||||
|
|
||||||
#. Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server.
|
#. Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server.
|
||||||
#. Share internet bandwidth amongst users evenly
|
#. Share internet bandwidth amongst users evenly
|
||||||
|
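Review bot: the first list item "Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server" is ungrammatical on both sides; suggest "Reserve dedicated bandwidth for real-time traffic such as a (hosted) Voice over IP (VoIP) server".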
@ -112,10 +112,10 @@ Create a rule for traffic directed towards the VOIP Server (Upload).
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source ip to shape, leave on any*
|
**source** any *The source IP to shape, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** 172.10.2.1 *The ip address of our VOIP server*
|
**destination** 172.10.2.1 *The IP address of our VOIP server*
|
||||||
**dst-port** any *Use any of the destination port if static*
|
**dst-port** any *Use any of the destination port if static*
|
||||||
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
|
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
|
||||||
**description** ShapeVOIPUpload *Enter a descriptive name*
|
**description** ShapeVOIPUpload *Enter a descriptive name*
|
||||||
|
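Review bot: the dst-port description "*Use any of the destination port if static*" is unclear and is repeated in several of these rule tables; "*Use any, or the destination port if it is static*" says what is meant. Also "*Select the protocol, IP in our example*" capitalises a value the user must type literally as "ip"; keep the value lowercase and capitalise only the prose, e.g. "*Select the protocol; ip in our example*".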
@ -127,10 +127,10 @@ Create a rule for traffic coming from the VOIP Server (Download).
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** 172.10.2.1 *The ip address of our VOIP server*
|
**source** 172.10.2.1 *The IP address of our VOIP server*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
|
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
|
||||||
**description** ShapeVOIPDown *Enter a descriptive name*
|
**description** ShapeVOIPDown *Enter a descriptive name*
|
||||||
|
@ -141,7 +141,7 @@ Create a rule for all other internet upload traffic
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 31 *Auto generated number, overwrite only when needed*
|
**sequence** 31 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
|
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** any *the destination address, leave in any*
|
**destination** any *the destination address, leave in any*
|
||||||
|
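Review bot: "*the destination address, leave in any*" should be "*The destination address, leave on any*", matching the wording and capitalisation of the other rows in this table.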
@ -156,8 +156,8 @@ Create a rule for all other internet download traffic
|
||||||
====================== =================== =====================================================
|
====================== =================== =====================================================
|
||||||
**sequence** 41 *Auto generated number, overwrite only when needed*
|
**sequence** 41 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source ip to shape, leave on any*
|
**source** any *The source IP to shape, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
|
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
|
@ -279,8 +279,8 @@ Create a rule for traffic directed towards the internet (Upload).
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** 192.168.1.0/24 *The source ip to shape, select the LAN network*
|
**source** 192.168.1.0/24 *The source IP to shape, select the LAN network*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** any *The destination to shape, leave on any*
|
**destination** any *The destination to shape, leave on any*
|
||||||
**dst-port** any *Use any of the destination port if static*
|
**dst-port** any *Use any of the destination port if static*
|
||||||
|
@ -294,10 +294,10 @@ Create a rule for traffic coming from the internet (Download).
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
|
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
|
||||||
**description** ShapeDownload *Enter a descriptive name*
|
**description** ShapeDownload *Enter a descriptive name*
|
||||||
|
@ -373,10 +373,10 @@ Create a rule for traffic coming from the internet (Download).
|
||||||
====================== ================= =====================================================
|
====================== ================= =====================================================
|
||||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
|
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
|
||||||
**description** ShapeDownload *Enter a descriptive name*
|
**description** ShapeDownload *Enter a descriptive name*
|
||||||
|
@ -384,7 +384,7 @@ Create a rule for traffic coming from the internet (Download).
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
If you want to limit traffic for a single ip then just enter the ip address
|
If you want to limit traffic for a single IP then just enter the IP address
|
||||||
in the destination field instead of the full LAN network range.
|
in the destination field instead of the full LAN network range.
|
||||||
|
|
||||||
Now press |apply| to activate the traffic shaping rules.
|
Now press |apply| to activate the traffic shaping rules.
|
||||||
|
@ -476,46 +476,46 @@ Create a rule for smtp download traffic (email)
|
||||||
====================== =================== =====================================================
|
====================== =================== =====================================================
|
||||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** smtp *The source port to shape, smtp or 25*
|
**src-port** smtp *The source port to shape, smtp or 25*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** Queue-SMTP *Select the SMTP queue*
|
**target** Queue-SMTP *Select the SMTP queue*
|
||||||
**description** ShapeSMTPDownload *Enter a descriptive name*
|
**description** ShapeSMTPDownload *Enter a descriptive name*
|
||||||
====================== =================== =====================================================
|
====================== =================== =====================================================
|
||||||
|
|
||||||
|
|
||||||
Create a rule for http download traffic
|
Create a rule for HTTP download traffic
|
||||||
|
|
||||||
====================== =================== =====================================================
|
====================== =================== =====================================================
|
||||||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** http *The source port to shape, http or 80*
|
**src-port** http *The source port to shape, http or 80*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** Queue-HTTP *Select the HTTP queue*
|
**target** Queue-HTTP *Select the HTTP queue*
|
||||||
**description** ShapeHTTPDownload *Enter a descriptive name*
|
**description** ShapeHTTPDownload *Enter a descriptive name*
|
||||||
====================== =================== =====================================================
|
====================== =================== =====================================================
|
||||||
|
|
||||||
|
|
||||||
Adding an extra rule for https traffic is simple as we can use the same http queue if we like:
|
Adding an extra rule for HTTPS traffic is simple as we can use the same HTTP queue if we like:
|
||||||
|
|
||||||
====================== ==================== =====================================================
|
====================== ==================== =====================================================
|
||||||
**sequence** 31 *Auto generated number, overwrite only when needed*
|
**sequence** 31 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** https *The source port to shape, https or 443*
|
**src-port** https *The source port to shape, https or 443*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**target** Queue-HTTP *Select the HTTP queue*
|
**target** Queue-HTTP *Select the HTTP queue*
|
||||||
**description** ShapeHTTPSDownload *Enter a descriptive name*
|
**description** ShapeHTTPSDownload *Enter a descriptive name*
|
||||||
====================== ==================== =====================================================
|
====================== ==================== =====================================================
|
||||||
|
|
||||||
This way http and https traffic will be treated the same (total max of 1 Mbps).
|
This way HTTP and HTTPS traffic will be treated the same (total max of 1 Mbps).
|
||||||
|
|
||||||
Now press |apply| to activate the traffic shaping rules.
|
Now press |apply| to activate the traffic shaping rules.
|
||||||
|
|
||||||
|
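Review bot: "Adding an extra rule for HTTPS traffic is simple as we can use the same HTTP queue if we like" is still a run-on after the capitalization fix; it wants a comma, "simple, as we can use the same HTTP queue". The src-port descriptions in the same tables keep the lowercase service names "smtp or 25", "http or 80" and "https or 443" right next to the newly capitalized "IP"; that is fine if they are meant as the pf service names, but wording such as "the smtp service (port 25)" would make that explicit and avoid the look of a missed typo.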
@ -620,10 +620,10 @@ Create a rule for the download traffic
|
||||||
**sequence** 11 *Auto generated number, overwrite only when needed*
|
**sequence** 11 *Auto generated number, overwrite only when needed*
|
||||||
**interface** WAN *Select the interface connected to the internet*
|
**interface** WAN *Select the interface connected to the internet*
|
||||||
**interface2** GuestNet *Select the interface that matches your GuestNet*
|
**interface2** GuestNet *Select the interface that matches your GuestNet*
|
||||||
**proto** ip *Select the protocol, ip in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**direction** in *Match incoming packages (download)*
|
**direction** in *Match incoming packages (download)*
|
||||||
**target** PipeDown-2Mbps *Select the Download pipe*
|
**target** PipeDown-2Mbps *Select the Download pipe*
|
||||||
|
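Review bot: "Match incoming packages (download)" in the direction row should read "packets", not "packages"; the same word appears in the upload rule below and was not touched by this typo pass.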
@ -639,7 +639,7 @@ Create a rule for the upload traffic
|
||||||
**proto** ip *Select the protocol, IP in our example*
|
**proto** ip *Select the protocol, IP in our example*
|
||||||
**source** any *The source address, leave on any*
|
**source** any *The source address, leave on any*
|
||||||
**src-port** any *The source port to shape, leave on any*
|
**src-port** any *The source port to shape, leave on any*
|
||||||
**destination** any *The destination ip to shape, leave on any*
|
**destination** any *The destination IP to shape, leave on any*
|
||||||
**dst-port** any *The destination port to shape, leave on any*
|
**dst-port** any *The destination port to shape, leave on any*
|
||||||
**direction** out *Match incoming packages (download)*
|
**direction** out *Match incoming packages (download)*
|
||||||
**target** PipeUp-1Mbps *Select the Download pipe*
|
**target** PipeUp-1Mbps *Select the Download pipe*
|
||||||
|
|
|
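Review bot: the two descriptions in this hunk are copy-paste leftovers from the download rule and are wrong: "**direction** out *Match incoming packages (download)*" should be "*Match outgoing packets (upload)*", and "**target** PipeUp-1Mbps *Select the Download pipe*" should be "*Select the Upload pipe*". A reader following the table literally is told to pick the download pipe for the upload rule.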
@ -29,7 +29,7 @@ and give you configuration examples for:
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
For the sample we will use a private ip for our WAN connection.
|
For the sample we will use a private IP for our WAN connection.
|
||||||
This requires us to disable the default block rule on wan to allow private traffic.
|
This requires us to disable the default block rule on wan to allow private traffic.
|
||||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||||
*(Dont forget to save and apply)*
|
*(Dont forget to save and apply)*
|
||||||
|
|
|
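Review bot: "(Dont forget to save and apply)" still lacks the apostrophe; the identical note in the SSL VPN site-to-site page in this same commit reads "(Don't forget to save and apply)", so the two should match. On the line above it, "the default block rule on wan" uses lowercase "wan" where the rest of the page writes "WAN". It would also help to say that unchecking "Block private networks" is only appropriate for this lab setup with a private WAN address; on an internet-facing WAN that rule drops traffic with spoofed RFC 1918 source addresses and should stay enabled.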
@ -2,7 +2,7 @@
|
||||||
Setup SSL VPN site to site tunnel
|
Setup SSL VPN site to site tunnel
|
||||||
=================================
|
=================================
|
||||||
|
|
||||||
Site to site VPN's connect two locations with static public IP addresses and allow
|
Site to site VPNs connect two locations with static public IP addresses and allow
|
||||||
traffic to be routed between the two networks. This is most commonly used to
|
traffic to be routed between the two networks. This is most commonly used to
|
||||||
connect an organization's branch offices back to its main office, so branch users
|
connect an organization's branch offices back to its main office, so branch users
|
||||||
can access network resources in the main office.
|
can access network resources in the main office.
|
||||||
|
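Review bot: the title "Setup SSL VPN site to site tunnel" uses "Setup" as a verb; it should be "Set up SSL VPN site to site tunnel" (noun "setup", verb "set up"). The "VPN's" to "VPNs" fix in the body is correct.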
@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
|
||||||
|
|
||||||
.. Note::
|
.. Note::
|
||||||
|
|
||||||
For the sample we will use a private ip for our WAN connection.
|
For the sample we will use a private IP for our WAN connection.
|
||||||
This requires us to disable the default block rule on wan to allow private traffic.
|
This requires us to disable the default block rule on wan to allow private traffic.
|
||||||
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
|
||||||
*(Don't forget to save and apply)*
|
*(Don't forget to save and apply)*
|
||||||
|
|
|
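Review bot: the unchanged context shown in the hunk header, "(you local network need to different than that of the remote network)", has three errors in one parenthesis and should read "(your local network needs to be different from that of the remote network)". As in the earlier hunk carrying the same note, "on wan" should be "on WAN", and the "Block private networks" step deserves a sentence saying it is a lab-only setting for a WAN with a private address.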
@ -6,15 +6,15 @@ is easy just go to **System->Access->Servers** and click on **Add server** in th
|
||||||
|
|
||||||
Fill in the form:
|
Fill in the form:
|
||||||
|
|
||||||
============================== =============== ========================================================
|
============================== =============== =========================================================
|
||||||
**Descriptive name** radius_test *Enter a descriptive name*
|
**Descriptive name** radius_test *Enter a descriptive name*
|
||||||
**Type** Radius *Select Radius*
|
**Type** Radius *Select Radius*
|
||||||
**Hostname or IP address** 10.10.10.1 *Enter the IP of your Radius server*
|
**Hostname or IP address** 10.10.10.1 *Enter the IP of your Radius server*
|
||||||
**Shared Secret** secret *Shared secret for your Radius server*
|
**Shared Secret** secret *Shared secret for your Radius server*
|
||||||
**Services offered** Authentication *Select Authentication,for Captive portal + accounting*
|
**Services offered** Authentication *Select Authentication,for Captive portal + accounting*
|
||||||
**Authentication port value** 1812 *Port number, 1812 is default for accounting it's 1813*
|
**Authentication port value** 1812 *Port number, 1812 is default; for accounting it's 1813*
|
||||||
**Authentication Timeout** 5 *Timeout for Radius to respond on requests*
|
**Authentication Timeout** 5 *Timeout for Radius to respond on requests*
|
||||||
============================== =============== ========================================================
|
============================== =============== =========================================================
|
||||||
|
|
||||||
Use the tester under **System->Access->Tester** to test the Radius server.
|
Use the tester under **System->Access->Tester** to test the Radius server.
|
||||||
|
|
||||||
|
|
|
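Review bot: the table still shows "secret" as the Shared Secret with no caution; the RADIUS shared secret is what hides the User-Password attribute and authenticates the server's replies, so the description should tell the reader to use a long random value in a real deployment. Smaller leftovers this typo pass missed: "Select Authentication,for Captive portal + accounting" lacks a space after the comma and is ambiguous (suggest "Select Authentication; for Captive Portal select Authentication + Accounting"), "Radius" should be written "RADIUS" like the other acronyms fixed in this commit, and "Timeout for Radius to respond on requests" should be "to respond to requests".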
@ -344,8 +344,8 @@ By default you have to log in to enter the console.
|
||||||
VLANs and assigning interfaces
|
VLANs and assigning interfaces
|
||||||
If choose to do manual interface assignment or when no config file can be
|
If choose to do manual interface assignment or when no config file can be
|
||||||
found then you are asked to assign Interfaces and VLANs. VLANs are optional.
|
found then you are asked to assign Interfaces and VLANs. VLANs are optional.
|
||||||
If you do not need VLAN's then choose **no**. You can always configure
|
If you do not need VLANs then choose **no**. You can always configure
|
||||||
VLAN's at a later time.
|
VLANs at a later time.
|
||||||
|
|
||||||
LAN, WAN and optional interfaces
|
LAN, WAN and optional interfaces
|
||||||
The first interface is the LAN interface. Type the appropriate
|
The first interface is the LAN interface. Type the appropriate
|
||||||
|
|
|
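Review bot: "If choose to do manual interface assignment" is missing its subject and should read "If you choose to do manual interface assignment"; the "VLAN's" to "VLANs" fixes below it are correct.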
@ -6,7 +6,7 @@ Using IPv6
|
||||||
:width: 100%
|
:width: 100%
|
||||||
|
|
||||||
OPNsense fully supports IPv6 for routing and firewall. However there are lots of
|
OPNsense fully supports IPv6 for routing and firewall. However there are lots of
|
||||||
different options to utilize IPv6. Currently these scenario's are known to work:
|
different options to utilize IPv6. Currently these scenarios are known to work:
|
||||||
|
|
||||||
* Native IPv6 only
|
* Native IPv6 only
|
||||||
* Dual Stack IPv4 + IPv6
|
* Dual Stack IPv4 + IPv6
|
||||||
|
|
|
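Review bot: "However there are lots of different options" needs a comma after "However", and "supports IPv6 for routing and firewall" would read better as "for routing and firewalling".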
@ -1,7 +1,7 @@
|
||||||
=========
|
=========
|
||||||
Multi WAN
|
Multi WAN
|
||||||
=========
|
=========
|
||||||
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
|
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
|
||||||
are also possible with OPNsense.
|
are also possible with OPNsense.
|
||||||
|
|
||||||
.. blockdiag::
|
.. blockdiag::
|
||||||
|
@ -30,7 +30,7 @@ connectivity is fully restored so will the routing switch back to the primary IS
|
||||||
------------------
|
------------------
|
||||||
WAN Load Balancing
|
WAN Load Balancing
|
||||||
------------------
|
------------------
|
||||||
Load balancing can be used to split the load between two (or more) ISP's. This
|
Load balancing can be used to split the load between two (or more) ISPs. This
|
||||||
enhances the total available bandwidth and/or lowers the load on each ISP.
|
enhances the total available bandwidth and/or lowers the load on each ISP.
|
||||||
|
|
||||||
The principle is simple: Each WAN connection (gateway) gets a portion of the traffic.
|
The principle is simple: Each WAN connection (gateway) gets a portion of the traffic.
|
||||||
|
@ -39,10 +39,10 @@ The traffic can be divided equally or weighted.
|
||||||
------------------------------
|
------------------------------
|
||||||
Combining Balancing & Failover
|
Combining Balancing & Failover
|
||||||
------------------------------
|
------------------------------
|
||||||
It is also possible to combine Load Balancing with Failover in such scenario's
|
It is also possible to combine Load Balancing with Failover in such scenarios
|
||||||
you will have 2 or more WAN connections for Balancing purposes and 1 or more for
|
you will have 2 or more WAN connections for Balancing purposes and 1 or more for
|
||||||
Failover. OPNsense offers 5 tiers (Failover groups) each tier can hold multiple
|
Failover. OPNsense offers 5 tiers (Failover groups) each tier can hold multiple
|
||||||
ISP's/WAN gateways.
|
ISPs/WAN gateways.
|
||||||
|
|
||||||
-------------
|
-------------
|
||||||
Configuration
|
Configuration
|
||||||
|
|
|
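Review bot: two run-on sentences remain in this paragraph: "combine Load Balancing with Failover in such scenarios you will have 2 or more" needs a break, "Failover. In such scenarios you will have", and "OPNsense offers 5 tiers (Failover groups) each tier can hold multiple ISPs/WAN gateways" needs a semicolon or period before "each tier".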
@ -11,13 +11,13 @@ is very fast with little overhead compared to softflowd or pfflowd.
|
||||||
|
|
||||||
While many monitoring solutions such as Nagios, Cacti and vnstat only capture traffic
|
While many monitoring solutions such as Nagios, Cacti and vnstat only capture traffic
|
||||||
statistics, Netflow captures complete packet flows including source, destination
|
statistics, Netflow captures complete packet flows including source, destination
|
||||||
ip and port number.
|
IP and port number.
|
||||||
|
|
||||||
OPNsense offers full support for exporting Netflow data to external collectors as
|
OPNsense offers full support for exporting Netflow data to external collectors as
|
||||||
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
|
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
|
||||||
|
|
||||||
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
|
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
|
||||||
into it's Graphical User Interface.
|
into its Graphical User Interface.
|
||||||
|
|
||||||
------------------
|
------------------
|
||||||
Supported Versions
|
Supported Versions
|
||||||
|
|
|
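Review bot: "Netflow captures complete packet flows including source, destination IP and port number" can be read as full packet capture; NetFlow exports flow records (addresses, ports, protocol, byte and packet counters), not packet contents, so "captures flow records with source and destination IP and port number" is more accurate. "OPNsense is the only open source solution with a built-in Netflow analyzer" is an absolute marketing claim that is hard to keep true; consider "one of the few". The product name is also spelled "NetFlow".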
@ -55,12 +55,12 @@ The latest update of OPNsense to version 18.1.5 did a minor jump for the IPSec p
|
||||||
From this moment your VPNs are unstable and only a restart helps.
|
From this moment your VPNs are unstable and only a restart helps.
|
||||||
|
|
||||||
To check if the update of the package is the reason you can easily revert the package
|
To check if the update of the package is the reason you can easily revert the package
|
||||||
to it's previous state while running the latest OPNsense version itself
|
to its previous state while running the latest OPNsense version itself.
|
||||||
|
|
||||||
# opnsense-revert -r 18.1.4 strongswan
|
# opnsense-revert -r 18.1.4 strongswan
|
||||||
|
|
||||||
With this command you will on e.g. 18.1.5 while reverting the package strongswan to it's version it was in 18.1.4.
|
With this command you can, for example, run OPNsense 18.1.5 while using the 18.1.4 version of strongswan.
|
||||||
If you want to go back to the current release version just just
|
If you want to go back to the current release version just do
|
||||||
|
|
||||||
# opnsense-revert strongswan
|
# opnsense-revert strongswan
|
||||||
|
|
||||||
|
|
|
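Review bot: the revert instructions carry no caveat. `opnsense-revert -r 18.1.4 strongswan` pins the IPsec daemon to the package from an older release, so whatever fixes the newer strongswan package shipped are not in effect while the test runs; the text should state that this is a diagnostic step and that `opnsense-revert strongswan`, which the page already shows, should be run again once the cause is found. Also, "IPSec" in the surrounding context should be "IPsec".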
@ -66,7 +66,7 @@ category based web filter support. Main features include:
|
||||||
|
|
||||||
* Fetch from a remote URL
|
* Fetch from a remote URL
|
||||||
* Supports flat file list and category based compressed lists
|
* Supports flat file list and category based compressed lists
|
||||||
* Automatically convert category based blacklists to squid ACL's
|
* Automatically convert category based blacklists to squid ACLs
|
||||||
* Keep up to date with the built-in scheduler
|
* Keep up to date with the built-in scheduler
|
||||||
* Compatible with most popular blacklist
|
* Compatible with most popular blacklist
|
||||||
|
|
||||||
|
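Review bot: "Compatible with most popular blacklist" should be plural, "blacklists", and "category based" in the two items above it is normally hyphenated, "category-based".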
@ -75,13 +75,10 @@ Transparent Mode
|
||||||
----------------
|
----------------
|
||||||
The transparent mode means all request will be diverted to the proxy without any
|
The transparent mode means all request will be diverted to the proxy without any
|
||||||
configuration on your client. Transparent mode works very well with unsecured http
|
configuration on your client. Transparent mode works very well with unsecured http
|
||||||
requests, however with secured (SSL) https connection the proxy will become a
|
requests, however with secured (SSL) HTTPS connection the proxy will become a
|
||||||
man-in-the-middle as the client will "talk" to the proxy and the proxy will encrypt
|
man-in-the-middle as the client will "talk" to the proxy and the proxy will encrypt
|
||||||
the traffic with its master key that the client is required to trust.
|
the traffic with its master key that the client is required to trust.
|
||||||
|
|
||||||
While we do not encourage the use of https in transparent mode, this feature is
|
|
||||||
scheduled for release in version 16.7.
|
|
||||||
|
|
||||||
.. Warning::
|
.. Warning::
|
||||||
Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
||||||
allowed by the services you use, for instance e-banking.
|
allowed by the services you use, for instance e-banking.
|
||||||
|
|
|
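Review bot: "the proxy will encrypt the traffic with its master key that the client is required to trust" is imprecise on the point that matters for security: the proxy terminates the client's TLS session and presents a certificate it issues on the fly for the requested site, signed by a CA certificate held on the proxy, and every client must have that CA certificate in its trust store. Suggest "with a certificate issued by its own CA, which the client is required to trust". Leftover typos: "all request will be diverted" should be "all requests", and "unsecured http requests" keeps lowercase "http" in the same sentence where "HTTPS" was just capitalized. Dropping the "scheduled for release in version 16.7" sentence is right; it is long obsolete.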
@ -24,7 +24,7 @@ OPNsense traffic shaping is a reliable solution to limit bandwidth or prioritize
|
||||||
traffic and can be combined with other functions such as captive portal or high
|
traffic and can be combined with other functions such as captive portal or high
|
||||||
availability (CARP).
|
availability (CARP).
|
||||||
|
|
||||||
Bandwidth limitations can be defined based upon the interface(s), ip source &
|
Bandwidth limitations can be defined based upon the interface(s), IP source &
|
||||||
destination, direction of traffic (in/out) and port numbers (application).
|
destination, direction of traffic (in/out) and port numbers (application).
|
||||||
|
|
||||||
Available bandwidth can be shared evenly over all users, this allows for
|
Available bandwidth can be shared evenly over all users, this allows for
|
||||||
|
|
|
@ -43,4 +43,4 @@ HardenedBSD's core team consists of Oliver Pinter and Shawn Webb.
|
||||||
Cooperation with OPNsense
|
Cooperation with OPNsense
|
||||||
-------------------------
|
-------------------------
|
||||||
In May 2015, HardenedBSD announced their cooperation with OPNsense.
|
In May 2015, HardenedBSD announced their cooperation with OPNsense.
|
||||||
A HardenedBSD-flavored versions of OPNsense is available as of June 2015.
|
A HardenedBSD-flavored version of OPNsense is available as of June 2015.
|
||||||
|
|
|
@ -17,9 +17,9 @@ community-recognized body for reviewing and approving licenses as OSD-conformant
|
||||||
|
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
------------------
|
--------------------
|
||||||
Relations OPNsense
|
Relation to OPNsense
|
||||||
------------------
|
--------------------
|
||||||
OPNsense is licensed under an Open Source Initiative `approved license <http://opensource.org/licenses>`__. OPNsense
|
OPNsense is licensed under an Open Source Initiative `approved license <http://opensource.org/licenses>`__. OPNsense
|
||||||
is and will be available with the simple 2-clause BSD license. We believe an
|
is and will be available with the simple 2-clause BSD license. We believe an
|
||||||
open source project should provide the sources and the tools to build it.
|
open source project should provide the sources and the tools to build it.
|
||||||
|
|
|
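Review bot: the lone `-----------------------` line above the "Relation to OPNsense" title is a reStructuredText transition sitting directly before a section title; docutils reports a transition that ends a section as an error ("Document or section may not end with a transition"), so that line should be removed rather than kept as a separator. The widened overline and underline match the new title length, which is correct.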
@ -288,7 +288,7 @@
|
||||||
// rST seems to want dds to be treated as the browser would, indented.
|
// rST seems to want dds to be treated as the browser would, indented.
|
||||||
dd
|
dd
|
||||||
margin: 0 0 $base-line-height / 2 $base-line-height
|
margin: 0 0 $base-line-height / 2 $base-line-height
|
||||||
// This is what Sphinx spits out for it's autodocs. Depending upon what language the person is referencing
|
// This is what Sphinx spits out for its autodocs. Depending upon what language the person is referencing
|
||||||
// these things usually have a class of "method" or "class" or something similar, but really who knows.
|
// these things usually have a class of "method" or "class" or something similar, but really who knows.
|
||||||
// Sphinx doesn't give me a generic class on these, so unfortunately I have to apply it to the root dl.
|
// Sphinx doesn't give me a generic class on these, so unfortunately I have to apply it to the root dl.
|
||||||
// This makes me terribly unhappy and makes this code very nesty. Unfortunately I've seen hand-written docs
|
// This makes me terribly unhappy and makes this code very nesty. Unfortunately I've seen hand-written docs
|
||||||
|
|