Fix scaling of small images, fix typos, clarify IPsec s2s (#78)
This commit is contained in:
parent
fc18a434df
commit
86a9787cf3
|
@ -340,7 +340,7 @@ epub_copyright = copyright
|
|||
# A unique identification for the text.
|
||||
#epub_uid = ''
|
||||
|
||||
# A tuple containing the cover image and cover page html template filenames.
|
||||
# A tuple containing the cover image and cover page HTML template filenames.
|
||||
#epub_cover = ()
|
||||
|
||||
# A sequence of (type, uri, title) tuples for the guide element of content.opf.
|
||||
|
|
|
@ -66,7 +66,7 @@ Architecture
|
|||
|
||||
Always make sure there's a clear separation of concerns, back-end calls
|
||||
(like shell scripts) should be implemented using the configd system, all
|
||||
communication to the client should be handled from an api endpoint. (the
|
||||
communication to the client should be handled from an API endpoint. (the
|
||||
example provides more insights on how this works).
|
||||
|
||||
Back-end programs should not access the config.xml directly, if data is
|
||||
|
@ -215,7 +215,7 @@ retrieval/changing of configuration data.
|
|||
They should live in a subdirectory of the controller called Api and
|
||||
extend the corresponding class.
|
||||
|
||||
For our modules we create two api controllers, one for controlling
|
||||
For our modules we create two API controllers, one for controlling
|
||||
settings and one for performing service actions. (Named
|
||||
SettingsController.php and ServiceController.php) Both should look like
|
||||
this (replace Settings with Service for the other one):
|
||||
|
@ -377,7 +377,7 @@ something like this:
|
|||
{{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
|
||||
|
||||
This tells the template system to add a form using the contents of
|
||||
generalForm and name it frm\_GeneralSettings in the html page. Based on
|
||||
generalForm and name it frm\_GeneralSettings in the HTML page. Based on
|
||||
a standard template part which is already part of the standard system,
|
||||
named base\_form.volt.
|
||||
|
||||
|
@ -665,7 +665,7 @@ What have we accomplished now, we can input data, validate it and save
|
|||
it to the corresponding format of the actual service or application,
|
||||
which uses this data. So if you have a third party application, which
|
||||
you want to integrate into the user interface. You should be able to
|
||||
generate what it needs now. (there’s more to learn, but these are the
|
||||
generate what it needs now. (There’s more to learn, but these are the
|
||||
basics).
|
||||
|
||||
But how do should we control that third part program now? That’s the
|
||||
|
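Review bot: the context line right after the changed sentence still reads "But how do should we control that third part program now?". Since this hunk is already correcting the paragraph above it, fix that line too: "But how should we control that third-party program now?".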
@ -760,7 +760,7 @@ elements:
|
|||
});
|
||||
});
|
||||
|
||||
(in html section)
|
||||
(in HTML section)
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
|
@ -868,7 +868,7 @@ content in it:
|
|||
</acl>
|
||||
|
||||
This creates an acl key named “page-user-helloworld” which authorizes
|
||||
access to both the ui and api urls of this application. You can now
|
||||
access to both the ui and API urls of this application. You can now
|
||||
grant access to this module from the system user manager.
|
||||
|
||||
|
|
||||
|
|
|
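Review bot: the changed line now mixes cases in one phrase, "the ui and API urls". If acronyms are being capitalised, make it "the UI and API URLs", and "acl key" in the line above becomes "ACL key" for the same reason.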
@ -86,7 +86,7 @@ A simple index controller to echo a request back looks like this:
|
|||
}
|
||||
}
|
||||
|
||||
When placed inside the api directory of Vendor/Sample can be called by sending a
|
||||
When placed inside the API directory of Vendor/Sample can be called by sending a
|
||||
post request to /api/sample/test/echo, using jquery:
|
||||
|
||||
.. code-block:: javascript
|
||||
|
|
|
@ -62,14 +62,14 @@ This routing is setup via the index page of our new code base and uses
|
|||
API routing
|
||||
-----------
|
||||
|
||||
Routing for api functions is quite similar to routing UI components,
|
||||
Routing for API functions is quite similar to routing UI components,
|
||||
just create a Api directory under the app path and place a controller
|
||||
class to handle the request. The only major difference is that it's
|
||||
handled by a separate php file (called api.php) in stead of the
|
||||
index.php file used to configure the ui part, details of the routing can
|
||||
be found in /usr/local/opnsense/mvc/app/config/services\_api.php .
|
||||
|
||||
If our sample app needs an api to echo something back via a controller called
|
||||
If our sample app needs an API to echo something back via a controller called
|
||||
tools it could be put into a file called:
|
||||
|
||||
::
|
||||
|
|
|
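Review bot: the first paragraph of this hunk still has "just create a Api directory", "in stead of" and "the ui part" in its unchanged lines. These sit directly beside the two api to API fixes and should be corrected in the same pass: "an Api directory", "instead of", "the UI part".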
@ -49,7 +49,7 @@ time and we needed to transition that into something more structured.
|
|||
One of the first things (on the programming part of the system) we did was build
|
||||
components around an existing framework (`Phalcon <https://phalconphp.com/>`_)
|
||||
to create new modules, which could use validated configuration data (from the
|
||||
config.xml), supply a RESTful API and generate html output using standard
|
||||
config.xml), supply a RESTful API and generate HTML output using standard
|
||||
templates (Volt).
|
||||
|
||||
We created the configd system, which can generate system configuration and
|
||||
|
@ -78,7 +78,7 @@ implementation is one example of this stage.
|
|||
|
||||
**3)** Moving on
|
||||
(re)build new parts, using our new modules, which provide a layered development
|
||||
system to automatically support api calls from other systems and xml based model
|
||||
system to automatically support API calls from other systems and xml based model
|
||||
templates to describe configuration data.
|
||||
|
||||
*See also:*
|
||||
|
@ -87,7 +87,7 @@ templates to describe configuration data.
|
|||
* :doc:`Howto use the API </development/how-tos/api>`
|
||||
|
||||
Our guidelines somewhat depend of the stage the code is in, when writing new code,
|
||||
all actions should use the api system for actually changing configuration and
|
||||
all actions should use the API system for actually changing configuration and
|
||||
performing configuration tasks. They should, of course, use the normal PSR coding
|
||||
standards for PHP code and follow the Python PEPs.
|
||||
|
||||
|
|
|
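Review bot: the sentence being edited opens with "Our guidelines somewhat depend of the stage the code is in", which should be "depend on". The comma after "is in" also joins two sentences and would read better as a full stop.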
@ -23,7 +23,7 @@ Creating keys
|
|||
|
||||
API keys are managed in the user manager (system\_usermanager.php), go
|
||||
to the user manager page and select a user. Somewhere down the page you
|
||||
will find the api section for this user.
|
||||
will find the API section for this user.
|
||||
|
||||
|Usermanager add api key.png|
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ There are some myths surrounding our project offered mostly by pfSense enthusias
|
|||
if you have read their comments on us then we'd recommend to just ignore them and
|
||||
install OPNsense, if you have not already done so.
|
||||
|
||||
.. sidebar:: Lets fork and lift the project!
|
||||
.. sidebar:: Let's fork and lift the project!
|
||||
|
||||
.. image:: images/fork-lift_new.jpg
|
||||
|
||||
|
|
|
@ -79,11 +79,11 @@ OPNsense Core Features
|
|||
|
||||
- Intrusion Detection and Inline Prevention
|
||||
|
||||
- Build-in support for Emerging Treats rules
|
||||
- Built-in support for Emerging Treats rules
|
||||
- Simple setup by use of rule categories
|
||||
- Scheduler for period automatic updates
|
||||
|
||||
- Build-in reporting and monitoring tools
|
||||
- Built-in reporting and monitoring tools
|
||||
|
||||
- System Health, the modern take on RRD Graphs
|
||||
- Packet Capture
|
||||
|
|
|
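Review bot: the corrected bullet still says "Emerging Treats rules"; the rule set name is "Emerging Threats". The line after next, "Scheduler for period automatic updates", probably wants "periodic" as well.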
@ -33,7 +33,7 @@ When using a fully qualified domain name, the name will we resolved periodically
|
|||
(default is each 300 seconds).
|
||||
|
||||
Sample
|
||||
Lets say we want to create an alias table for **www.youtube.com**
|
||||
Let's say we want to create an alias table for **www.youtube.com**
|
||||
|
||||
.. image:: images/aliases_host.png
|
||||
:width: 100%
|
||||
|
@ -120,10 +120,10 @@ Downloads
|
|||
Using Aliases in pf Firewall Rules
|
||||
----------------------------------
|
||||
Aliases can be used in the firewall rules to make administration of large lists
|
||||
easy. For instance we could have a list of remote ip's that should have access to
|
||||
easy. For instance we could have a list of remote IPs that should have access to
|
||||
certain services, when anything changes we only need to update the list.
|
||||
|
||||
Lets create a simple alias list and assume we have 3 remote ip's that may access
|
||||
Let's create a simple alias list and assume we have 3 remote IPs that may access
|
||||
the ipsec server for a site to site tunnel connection:
|
||||
|
||||
* 192.168.100.1
|
||||
|
|
|
@ -7,13 +7,12 @@ but is also widely used in corporate networks for an additional layer of securit
|
|||
on wireless or Internet access.
|
||||
|
||||
.. image:: images/hotspot_login.png
|
||||
:width: 100%
|
||||
|
||||
--------------------
|
||||
Typical Applications
|
||||
--------------------
|
||||
* Guest Network
|
||||
* Hotel & Camping Wifi Access
|
||||
* Hotel & Camping Wi-Fi Access
|
||||
* Bring Your Own Device (BOYD)
|
||||
|
||||
-------------------
|
||||
|
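Review bot: in the Typical Applications list, the bullet after the changed Wi-Fi line reads "Bring Your Own Device (BOYD)". The acronym for that phrase is BYOD and can be fixed alongside the Wi-Fi spelling.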
@ -27,7 +26,6 @@ task. At the same time it offers additional functionalities, such as:
|
|||
* Custom Splash page
|
||||
|
||||
.. image:: images/captiveportal_template_folder.png
|
||||
:width: 100%
|
||||
|
||||
---------------
|
||||
Zone Management
|
||||
|
@ -69,7 +67,7 @@ the user can resume its active session.
|
|||
--------------------
|
||||
Bandwidth Management
|
||||
--------------------
|
||||
The Build-in traffic shaper can be utilized to:
|
||||
The Built-in traffic shaper can be utilized to:
|
||||
|
||||
* Share bandwidth evenly
|
||||
* Give priority to protocols port numbers and/or ip addresses
|
||||
|
|
|
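Review bot: "The Built-in traffic shaper" keeps a capital B in the middle of the sentence; "The built-in traffic shaper" is the consistent form. The second bullet, "Give priority to protocols port numbers and/or ip addresses", is missing a comma after "protocols" and has lowercase "ip".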
@ -85,13 +85,13 @@ The content area is used to display:
|
|||
----------
|
||||
Form View
|
||||
----------
|
||||
Lets take a look at how an advanced form may look like:
|
||||
Let's take a look at how an advanced form may look like:
|
||||
|
||||
.. image:: images/proxy_form.png
|
||||
|
||||
Full Help
|
||||
---------
|
||||
Many forms are equipped with build-in help. In the upper right corner of the form
|
||||
Many forms are equipped with built-in help. In the upper right corner of the form
|
||||
you can select to view all help messages at once. The toggle will color green when
|
||||
enabled and show the help messages beneath the input items.
|
||||
|
||||
|
|
|
@ -53,13 +53,13 @@ for the ones that require disk writes, e.g. a caching proxy (cache) or intrusion
|
|||
and prevention (alert database).
|
||||
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
| Processor | 500MHz single core cpu |
|
||||
| Processor | 500 MHz single core cpu |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
| RAM | 512 MB |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
| Install method | Serial console or video (vga) |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
| Install target | SD or CF card with a minimum of 4GB, use nano images for installation. |
|
||||
| Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
|
||||
Table: *Minimum hardware requirements*
|
||||
|
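Review bot: the Processor and Install target rows gain one character inside a grid table cell, so the trailing padding in those rows has to shrink by one to keep the closing | aligned with the +---+ borders. Please confirm with a docs build that the table still parses. In the same rows "cpu" and "(vga)" remain lowercase while the units were normalised.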
@ -78,7 +78,7 @@ or high loads.
|
|||
+------------------+--------------------------------------------------------------------------+
|
||||
| Install method | Serial console or video (vga) |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
| Install target | 40 GB SSD, a minimum of 1GB memory is needed for the installer to run. |
|
||||
| Install target | 40 GB SSD, a minimum of 1 GB memory is needed for the installer to run. |
|
||||
+------------------+--------------------------------------------------------------------------+
|
||||
|
||||
Table: *Reasonable hardware requirements*
|
||||
|
@ -126,9 +126,9 @@ have massive impact on it. The candidates are:
|
|||
displayed below.
|
||||
|
||||
`State transition tables <https://en.wikipedia.org/wiki/State_transition_table>`__
|
||||
it is a known fact, that each state table entry requires about 1KB
|
||||
(kilo bytes) of RAM. The average state table, filled with 1000
|
||||
entries will occupy about ~10MB (mega bytes) of
|
||||
it is a known fact, that each state table entry requires about 1 kB
|
||||
(kilobytes) of RAM. The average state table, filled with 1000
|
||||
entries will occupy about ~10 MB (megabytes) of
|
||||
`RAM <https://en.wikipedia.org/wiki/Random-access_memory>`__.
|
||||
OPNsense usage settings with hundred of thousands of connections
|
||||
will require memory accordingly.
|
||||
|
|
|
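Review bot: the rewritten state table sentence keeps figures that do not agree with each other: at about 1 kB per entry, 1000 entries come to roughly 1 MB, not "~10 MB". Since these lines are being touched, correct whichever number is wrong, drop the doubled "about ~", and fix "hundred of thousands" in the following line.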
@ -26,7 +26,7 @@ select from the list).
|
|||
Change Proxy Listening Port
|
||||
---------------------------
|
||||
By default the proxy will listen at port 3128, you can change this by clicking
|
||||
on the tab **Forward Proxy** and fill in the port in the **Proxy port** feild.
|
||||
on the tab **Forward Proxy** and fill in the port in the **Proxy port** field.
|
||||
Don't forget to **Apply** your changes.
|
||||
|
||||
------------
|
||||
|
@ -36,7 +36,6 @@ To enable caching click on the arrow next to the **General Proxy Settings** to
|
|||
see the dropdown menu and click on **Local Cache Settings**.
|
||||
|
||||
.. image:: images/proxy_cache.png
|
||||
:width: 100%
|
||||
|
||||
Check the **Enable local cache** and click **Apply**.
|
||||
|
||||
|
@ -49,7 +48,7 @@ Advanced
|
|||
--------
|
||||
Under the advanced settings (see mode switch on left top of the form) you can
|
||||
change the cache size, directory structure and max object size to keep in cache.
|
||||
Again defaults are fine for normal browsing and creates a 100MB cache with max 4MB
|
||||
Again defaults are fine for normal browsing and creates a 100 MB cache with max 4 MB
|
||||
object size.
|
||||
|
||||
|
||||
|
@ -87,7 +86,7 @@ You can setup ACL's by clicking on the arrow next to **Forward Proxy** and sele
|
|||
**Access Control List**. Here you can:
|
||||
|
||||
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
|
||||
* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IP's)
|
||||
* Add Unrestricted IP addresses (Unrestricted means just that, no authentication and no blacklisting for those IPs)
|
||||
* Add Banned hosts IP address (A ban will stop this client from being able to use the proxy)
|
||||
* Whitelist (Click on the (i) to see examples, whitelist prevail above blacklists)
|
||||
* Blacklist (If not allowed by a whitelist, this will block traffic based upon a regular expression)
|
||||
|
|
|
@ -28,7 +28,7 @@ Use websites like `FrequencyCheck <https://www.frequencycheck.com/>`_ to find th
|
|||
frequency band(s) used and get a cellular modem that supports these frequencies.
|
||||
|
||||
You should also buy an appropriate pigtail antenna cable and LTE antenna. Note
|
||||
that LTE antennas often have different connectors than WIFI antennas, chose your
|
||||
that LTE antennas often have different connectors than Wi-Fi antennas, chose your
|
||||
equipment accordingly. Getting the right antenna has a big impact on the quality
|
||||
of your signal. For LTE, MIMO (multiple input, multiple output) antennas should
|
||||
be considered, see for example `this guide <https://www.specialistantennas.co.uk/news/lte-antenna-choices-considerations>`_.
|
||||
|
|
|
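Review bot: the changed line still ends with "chose your equipment accordingly"; the imperative needs "choose". The comma before it also splices two sentences.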
@ -67,7 +67,7 @@ First we need to have a project in the google developer console:
|
|||
|
||||
- In the left menu APIs -> "Drive API" -> Enable
|
||||
|
||||
- Open the project and start to create an api key
|
||||
- Open the project and start to create an API key
|
||||
|
||||
- In the left menu : APIs & auth -> Credentials
|
||||
- Click on the button "Create new Client ID"
|
||||
|
|
|
@ -35,7 +35,7 @@ box to make a quick selection.
|
|||
----------------
|
||||
Before Selection
|
||||
----------------
|
||||
Take a look at this simple rule set before selecting our "My IP's" category.
|
||||
Take a look at this simple rule set before selecting our "My IPs" category.
|
||||
|
||||
.. image:: images/Rules_Full.png
|
||||
:width: 100%
|
||||
|
|
|
@ -26,7 +26,7 @@ Hotels and RV Parks
|
|||
-------------------
|
||||
Hotels and RV parks usually utilize a captive portal to allow guests (paid) access
|
||||
to internet for a limited duration. Guests need to login using a voucher they can
|
||||
either buy or obtain for free at the reception. OPNsense has build-in support for
|
||||
either buy or obtain for free at the reception. OPNsense has built-in support for
|
||||
vouchers and can easily create them on the fly. With this example we will show
|
||||
you how to setup the Guest Network for this purpose and setup a reception account
|
||||
for creating new vouchers.
|
||||
|
@ -88,7 +88,7 @@ Fill in the following to setup the DHCP server for our guest net (leave everythi
|
|||
|
||||
================ ==================================== =======================================
|
||||
**Enable** Checked *Enable the DCHP server on GUESTNET*
|
||||
**Range** 192.168.200.100 to 192.168.200.200 *Serve ip's from this range*
|
||||
**Range** 192.168.200.100 to 192.168.200.200 *Serve IPs from this range*
|
||||
**DNS servers** 192.168.200.1 *Supply a DNS with the lease*
|
||||
**Gateway** 192.168.200.1 *Supply a gateway with the lease*
|
||||
================ ==================================== =======================================
|
||||
|
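Review bot: the Enable row, directly above the changed Range row, spells the service "DCHP server". It should be "DHCP server".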
@ -228,11 +228,10 @@ Step 5 - Create Template
|
|||
The template feature is one of the most powerful features of OPNsense's Captive
|
||||
Portal solution and it's very easy to work with.
|
||||
|
||||
Lets create a custom landing page, to do so click on the tab **Templates** and
|
||||
Let's create a custom landing page, to do so click on the tab **Templates** and
|
||||
click on the download icon in the lower right corner ( |download| ).
|
||||
|
||||
.. image:: images/template_download.png
|
||||
:width: 100%
|
||||
|
||||
Now download the default template, we will use this to create our own.
|
||||
Unpack the template zip file, you should have something similar to this:
|
||||
|
@ -242,21 +241,21 @@ Unpack the template zip file, you should have something similar to this:
|
|||
|
||||
Most files of the template can be modified, but some are default and may not be
|
||||
changes. Upon upload any changes to the files listed in **exclude.list** will be
|
||||
ignored. Currently these include the bootstrap java scripting and some fonts.
|
||||
ignored. Currently these include the bootstrap JavaScript and some fonts.
|
||||
|
||||
With the captive portal enabled the default screen looks like:
|
||||
|
||||
.. image:: images/default_login_no_authenticator.png
|
||||
:width: 100%
|
||||
|
||||
Lets change this default with a new logo and a welcome message, to this:
|
||||
Let's change this default with a new logo and a welcome message, to this:
|
||||
|
||||
.. image:: images/mycompany_login.png
|
||||
|
||||
To do so use your favourite editor and open the **index.html** file to make the
|
||||
changes.
|
||||
|
||||
Lets make the following changes to the template:
|
||||
Let's make the following changes to the template:
|
||||
|
||||
#. Change the logo to **company-logo.png**
|
||||
#. Remove the navigation bar on the top
|
||||
|
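Review bot: the first paragraph of this hunk says some files "are default and may not be changes", which should be "may not be changed". It is the sentence immediately before the corrected JavaScript line, so it belongs in the same fix.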
@ -308,20 +307,19 @@ Hit Upload ( |upload| )
|
|||
:width: 100%
|
||||
|
||||
.. |upload| image:: images/btn_upload.png
|
||||
:width: 100%
|
||||
|
||||
To enable the captive portal on the GUESTNET interface just click on **Apply**.
|
||||
|
||||
-------------------------------
|
||||
Step 6 - Limit Guests Bandwidth
|
||||
-------------------------------
|
||||
For our example we will reserve 10Mbps down and 1Mbps Up for the Guest Network's
|
||||
For our example we will reserve 10 Mbps down and 1 Mbps Up for the Guest Network's
|
||||
Internet Access. This bandwidth will be shared evenly between connected clients.
|
||||
|
||||
.. Note::
|
||||
With sharing evenly we mean that if 10 users at the same time try to use
|
||||
as much bandwidth as possible then everyone gets 1/10th. So in our example
|
||||
that would be 1Mbps down stream (download). It is also possible to limit
|
||||
that would be 1 Mbps down stream (download). It is also possible to limit
|
||||
the traffic per user see also :doc:`shaper`
|
||||
|
||||
Go to: **Firewall->Traffic Shaper->Settings**.
|
||||
|
@ -351,7 +349,7 @@ And add another pipe for the upload traffic.
|
|||
Click on **Save changes**.
|
||||
|
||||
|
||||
Create the traffic shaper rules.Click on the tab **Rules** and press the **+**
|
||||
Create the traffic shaper rules. Click on the tab **Rules** and press the **+**
|
||||
to do so.
|
||||
|
||||
First toggle the advanced mode (upper left corner of the form) and then fill in
|
||||
|
@ -363,7 +361,7 @@ the following details (leave everything not specified on defaults):
|
|||
**interface 2** GUESTNET
|
||||
**direction** in
|
||||
**target** pipe_10Mbps_down
|
||||
**description** Limit Guests download to 10Mbps
|
||||
**description** Limit Guests download to 10 Mbps
|
||||
================= ==================================
|
||||
|
||||
Click **Save changes**.
|
||||
|
@ -374,7 +372,7 @@ Click **Save changes**.
|
|||
**interface 2** GUESTNET
|
||||
**direction** out
|
||||
**target** pipe_1Mbps_up
|
||||
**description** Limit Guests upload to 1Mbps
|
||||
**description** Limit Guests upload to 1 Mbps
|
||||
================= ==================================
|
||||
|
||||
Click **Save changes**.
|
||||
|
@ -428,31 +426,31 @@ Step 9 - Create Vouchers
|
|||
Go back to the Captive portal and select Vouchers (**Services->Captive Portal->Vouchers**).
|
||||
Click on **Create Vouchers** in the lower right corner of the form.
|
||||
|
||||
Lets create 1 Day vouchers for our guests:
|
||||
Let's create 1 Day vouchers for our guests:
|
||||
|
||||
.. image:: images/create_vouchers.png
|
||||
:width: 100%
|
||||
|
||||
|
||||
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wifi day pass f.i.).
|
||||
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wi-Fi day pass, for example).
|
||||
For the example we create 10 vouchers. Click on **Generate**.
|
||||
|
||||
A file will be generated called **wifi day pass.csv**.
|
||||
A file will be generated called **Wi-Fi day pass.csv**.
|
||||
The content of this file looks like this:
|
||||
|
||||
.. code-block:: guess
|
||||
|
||||
username,password,vouchergroup,validity
|
||||
"IgJw@Pqf","MLi+Sb7Ak#","Wifi day pass","86400"
|
||||
"++?f[@i[","!m*)e(@;F,","Wifi day pass","86400"
|
||||
"bbtK9mBk","f/jCDL3:)b","Wifi day pass","86400"
|
||||
"iD%L[jLJ","I#FoZ#g!AY","Wifi day pass","86400"
|
||||
"+4bA\E[I","CNavt@0ck+","Wifi day pass","86400"
|
||||
"+,fg/\Sv","#22iIL-iQA","Wifi day pass","86400"
|
||||
":;Pc\N#s","Y\HuG9vAN$","Wifi day pass","86400"
|
||||
"00nLb=0Q","0*C_\_Nb_x","Wifi day pass","86400"
|
||||
"PA$J0YHF","kp!q%9;m)g","Wifi day pass","86400"
|
||||
"a,mCxbya","LcnCb#g/di","Wifi day pass","86400"
|
||||
"IgJw@Pqf","MLi+Sb7Ak#","Wi-Fi day pass","86400"
|
||||
"++?f[@i[","!m*)e(@;F,","Wi-Fi day pass","86400"
|
||||
"bbtK9mBk","f/jCDL3:)b","Wi-Fi day pass","86400"
|
||||
"iD%L[jLJ","I#FoZ#g!AY","Wi-Fi day pass","86400"
|
||||
"+4bA\E[I","CNavt@0ck+","Wi-Fi day pass","86400"
|
||||
"+,fg/\Sv","#22iIL-iQA","Wi-Fi day pass","86400"
|
||||
":;Pc\N#s","Y\HuG9vAN$","Wi-Fi day pass","86400"
|
||||
"00nLb=0Q","0*C_\_Nb_x","Wi-Fi day pass","86400"
|
||||
"PA$J0YHF","kp!q%9;m)g","Wi-Fi day pass","86400"
|
||||
"a,mCxbya","LcnCb#g/di","Wi-Fi day pass","86400"
|
||||
|
||||
The content are:
|
||||
|
||||
|
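Review bot: the Wifi to Wi-Fi rename in this hunk also rewrites quoted program output, namely the generated file name and the vouchergroup column of the sample CSV. The previous text gave the file as "wifi day pass.csv" in lower case for a group entered as "Wifi day pass", which suggests the name is derived by the software rather than copied verbatim. Please confirm "Wi-Fi day pass.csv" against an actual export, or leave the captured sample as it was.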
@ -465,11 +463,11 @@ The content are:
|
|||
|
||||
.. Warning::
|
||||
|
||||
For security reasons the plain text password for the vouchers are NOT stored
|
||||
For security reasons the plain text passwords for the vouchers are NOT stored
|
||||
on the firewall.
|
||||
|
||||
This file can be used for creating nice guest vouchers (on paper) by just merging
|
||||
the cvs data with word, open office or any other dtp/text editor.
|
||||
the CSV data with Microsoft Word, LibreOffice or any other DTP/text editor.
|
||||
|
||||
Create something like this:
|
||||
|
||||
|
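Review bot: the paragraph after the warning tells readers to merge the CSV into a word processor, but nothing states that this export is then the only place the plain text voucher passwords exist. A sentence advising readers to store and dispose of the file as credential material would fit here. Separately, "open office" became "LibreOffice", which changes the named product rather than fixing a typo and deserves a mention in the commit message.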
@ -501,7 +499,6 @@ When done click **Save changes** and the **Apply** to apply the new settings.
|
|||
Now users will see the login form as part of your template:
|
||||
|
||||
.. image:: images/cp_voucher_login.png
|
||||
:width: 100%
|
||||
|
||||
--------------
|
||||
Check Sessions
|
||||
|
@ -523,8 +520,8 @@ You can drop an active session by clicking on the trashcan.
|
|||
Check Voucher Status
|
||||
--------------------
|
||||
You can check the validity and active status of a voucher by going to the voucher
|
||||
page of the captive portal (**Services->Captive Protal->Vouchers**) and select
|
||||
the correct database (Wifi day pass in our example).
|
||||
page of the captive portal (**Services->Captive Portal->Vouchers**) and select
|
||||
the correct database (Wi-Fi day pass in our example).
|
||||
|
||||
.. image:: images/cp_active_vouchers.png
|
||||
:width: 100%
|
||||
|
@ -538,16 +535,16 @@ the correct database (Wifi day pass in our example).
|
|||
------------------------
|
||||
Advanced - Session popup
|
||||
------------------------
|
||||
Lets create a Session Popup so user can see some details about there session and
|
||||
Logout. For this feature we will use OPNsense's build-in api calls.
|
||||
Let's create a Session Popup so users can see some details about their session and
|
||||
Logout. For this feature we will use OPNsense's built-in API calls.
|
||||
|
||||
In particular we will use the following api call (for zone id 0):
|
||||
In particular we will use the following API call (for zone id 0):
|
||||
|
||||
.. code-block:: guess
|
||||
|
||||
/api/captiveportal/access/status/0/
|
||||
|
||||
The response on this api call looks like this (for an active session):
|
||||
The response on this API call looks like this (for an active session):
|
||||
|
||||
.. code-block:: json
|
||||
|
||||
|
@ -566,7 +563,7 @@ The response on this api call looks like this (for an active session):
|
|||
"packets_in":3181,
|
||||
"clientState":"AUTHORIZED"}
|
||||
|
||||
It would go a bit to far to explain standard html and java scripting used for
|
||||
It would go a bit to far to explain standard HTML and JavaScript used for
|
||||
our simple popup, but a full demo template can be downloaded:
|
||||
|
||||
:download:`Download the example Template (with popup) <resources/template_popup.zip>`
|
||||
|
|
|
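Review bot: the corrected sentence still begins "It would go a bit to far"; that should be "too far".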
@ -20,7 +20,7 @@ Prerequisites
|
|||
:width: 100%
|
||||
|
||||
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
|
||||
logging (>10GB advisable).
|
||||
logging (>10 GB advisable).
|
||||
|
||||
* Disable all Hardware Offloading
|
||||
Under **Interface-Settings**
|
||||
|
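Review bot: the prerequisite bullet now mixes unit styles within one sentence, "2 Gigabyte" and ">10 GB". Writing "2 GB" would match the unit formatting this commit applies elsewhere. The same bullet appears in two further how-tos changed by this commit.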
@ -57,7 +57,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of
|
|||
the form.
|
||||
|
||||
.. image:: images/applybtn.png
|
||||
:width: 100%
|
||||
|
||||
---------------
|
||||
Fetch Rule sets
|
||||
|
@ -71,7 +70,6 @@ To do so: select Enabled after each one.
|
|||
To download the rule sets press **Download & Update Rules**.
|
||||
|
||||
.. image:: images/downloadbtn.png
|
||||
:width: 100%
|
||||
|
||||
-----------------------
|
||||
Change default behavior
|
||||
|
@ -93,7 +91,6 @@ Apply fraud drop actions
|
|||
Now press **Download & Update Rules** again to change the behavior to drop.
|
||||
|
||||
.. image:: images/downloadbtn.png
|
||||
:width: 100%
|
||||
|
||||
---------------
|
||||
Keep up to date
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
IPS GeoIP Blocking
|
||||
==================
|
||||
|
||||
This tutorial explains how to setup the IPS system to block ip's based on their
|
||||
This tutorial explains how to setup the IPS system to block IPs based on their
|
||||
geographic location. This option is made possible by the integration of the
|
||||
Maxmind GeoLite2 Country database. More information can be found here: http://dev.maxmind.com/geoip/geoip2/geolite2/
|
||||
|
||||
|
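Review bot: the changed opening line uses "setup" as a verb ("how to setup the IPS system"); the verb form is "set up". In the context lines below, "Maxmind" is normally written "MaxMind", and the reference link is plain http, which could be switched to https if the site serves it.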
@ -17,7 +17,7 @@ Prerequisites
|
|||
:width: 100%
|
||||
|
||||
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
|
||||
logging (>10GB advisable).
|
||||
logging (>10 GB advisable).
|
||||
|
||||
* Disable all Hardware Offloading
|
||||
Under **Interface-Settings**
|
||||
|
@ -87,13 +87,11 @@ Apply configuration
|
|||
If this is the first GeoIP rule you add then you need to **Download & Update Rules**
|
||||
|
||||
.. image:: images/downloadbtn.png
|
||||
:width: 100%
|
||||
|
||||
Then apply the configuration by pressing the **Apply** button at the bottom of
|
||||
the form.
|
||||
|
||||
.. image:: images/applybtn.png
|
||||
:width: 100%
|
||||
|
||||
|
||||
------------
|
||||
|
|
|
@ -16,7 +16,7 @@ Prerequisites
|
|||
:width: 100%
|
||||
|
||||
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
|
||||
logging (>10GB advisable).
|
||||
logging (>10 GB advisable).
|
||||
|
||||
* Disable all Hardware Offloading
|
||||
Under **Interface-Settings**
|
||||
|
@ -106,7 +106,6 @@ First apply the configuration by pressing the **Apply** button at the bottom of
|
|||
the form.
|
||||
|
||||
.. image:: images/applybtn.png
|
||||
:width: 100%
|
||||
|
||||
----------------------------
|
||||
Clear Browser Cache and test
|
||||
|
|
|
@ -3,7 +3,7 @@ IPSec BINAT
|
|||
===============
|
||||
|
||||
Assume company A has local LAN 10.0.1.0/24 and company B has local LAN 10.0.2.0/24.
|
||||
Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wifi.
|
||||
Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wi-Fi.
|
||||
|
||||
We have to define new networks for the Phase 2 with unused ones and create NAT entries to reach the final systems.
|
||||
|
||||
|
|
|
@ -203,7 +203,7 @@ General information
|
|||
-------------------
|
||||
========================= ============= ================================================
|
||||
**Connection method** default *default is 'Start on traffic'*
|
||||
**Key Exchange version** V2 *both V1 and V2 are supported*
|
||||
**Key Exchange version** V2
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense*
|
||||
|
@ -215,7 +215,6 @@ Phase 1 proposal (Authentication)
|
|||
---------------------------------
|
||||
=========================== ====================== ======================================
|
||||
**Authentication method** Mutual PSK *Using a Pre-shared Key*
|
||||
**Negotiation mode** Main *Use Main. Aggressive is insecure*
|
||||
**My identifier** My IP address *Simple identification for fixed ip*
|
||||
**Peer identifier** Peer IP address *Simple identification for fixed ip*
|
||||
**Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!**
|
||||
|
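Review bot: the Pre-Shared Key row keeps a literal key, At4aDMOAOub2NwT6gMHA, next to "CREATE YOUR OWN!". Values printed in a how-to tend to be pasted into live tunnels, so an obvious placeholder in that cell would be safer than a realistic-looking key. The identifier rows also still say "fixed ip" in lowercase.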
@ -224,12 +223,12 @@ Phase 1 proposal (Authentication)
|
|||
|
||||
Phase 1 proposal (Algorithms)
|
||||
-----------------------------
|
||||
========================== ============= ===========================================
|
||||
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
|
||||
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
|
||||
**DH key group** 2048 bit *2048 bit should be sufficient*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== ============= ===========================================
|
||||
========================== =============== ===========================================
|
||||
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
|
||||
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
|
||||
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== =============== ===========================================
|
||||
|
||||
|
||||
Advanced Options
|
||||
|
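Review bot: The re-added row still reads "**Hash algoritm**", so a commit that fixes typos rewrites this line without correcting "algorithm". The first row of the same table has "we will Use AES/256 bits" with a stray capital. Both can be fixed in the new lines, since the whole table is replaced here.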
@ -245,7 +244,6 @@ Advanced Options
|
|||
Save your setting by pressing:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
Now you should see the following screen:
|
||||
|
||||
|
@ -259,7 +257,6 @@ Step 2 - Phase 2 Site A
|
|||
Press the button that says '+ Show 0 Phase-2 entries'
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_show_p2.png
|
||||
:width: 100%
|
||||
|
||||
You will see an empty list:
|
||||
|
||||
|
@ -291,30 +288,27 @@ Remote Network
|
|||
|
||||
Phase 2 proposal (SA/Key Exchange)
|
||||
----------------------------------
|
||||
=========================== ============ =======================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
|
||||
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
|
||||
**PFS Key group** 2048 bit *Not required but enhanced security*
|
||||
=========================== =============== =======================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
|
||||
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
|
||||
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
|
||||
**Lifetime** 3600 sec
|
||||
=========================== ============ =======================================
|
||||
=========================== =============== =======================================
|
||||
|
||||
Save your setting by pressing:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
-----------------------------
|
||||
|
||||
Enable IPsec for Site A, Select:
|
||||
|
||||
.. image:: images/ipsec_s2s_vpn_p1a_enable.png
|
||||
:width: 100%
|
||||
|
||||
Save:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
And Apply changes:
|
||||
|
||||
|
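Review bot: "**Hash algortihms**" is carried over unchanged into the rewritten Phase 2 table; it should read "Hash algorithms". The Lifetime row is also the only one without a remark, so a short description there would match the other rows.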
@ -340,7 +334,7 @@ General information
|
|||
-------------------
|
||||
========================= ============= ================================================
|
||||
**Connection method** default *default is 'Start on traffic'*
|
||||
**Key Exchange version** V2 *both V1 and V2 are supported*
|
||||
**Key Exchange version** V2
|
||||
**Internet Protocol** IPv4
|
||||
**Interface** WAN *choose the interface connected to the internet*
|
||||
**Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense*
|
||||
|
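Review bot: The Remote gateway example 172.10.1.1 (and 172.10.2.1 in the Site A table) lies outside the private 172.16.0.0/12 block, so the guide uses addresses from publicly routable space as its samples. Consider switching both gateways to a documentation range from RFC 5737, such as 192.0.2.0/24 or 198.51.100.0/24, while these tables are being edited.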
@ -352,7 +346,6 @@ Phase 1 proposal (Authentication)
|
|||
---------------------------------
|
||||
=========================== ====================== ======================================
|
||||
**Authentication method** Mutual PSK *Using a Pre-shared Key*
|
||||
**Negotiation mode** Main *Use Main. Aggressive is insecure*
|
||||
**My identifier** My IP address *Simple identification for fixed ip*
|
||||
**Peer identifier** Peer IP address *Simple identification for fixed ip*
|
||||
**Pre-Shared Key** At4aDMOAOub2NwT6gMHA *Random key*. **CREATE YOUR OWN!**
|
||||
|
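Review bot: The Negotiation mode row ("Use Main. Aggressive is insecure") describes an IKEv1 setting, while the General information table selects Key Exchange version V2, where Main and Aggressive mode do not exist. A remark that this row only matters when V1 is chosen would avoid confusion, particularly now that the "both V1 and V2 are supported" remark is removed by this commit.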
@ -361,12 +354,12 @@ Phase 1 proposal (Authentication)
|
|||
|
||||
Phase 1 proposal (Algorithms)
|
||||
-----------------------------
|
||||
========================== ============= ===========================================
|
||||
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
|
||||
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
|
||||
**DH key group** 2048 bit *2048 bit should be sufficient*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== ============= ===========================================
|
||||
========================== =============== ===========================================
|
||||
**Encryption algorithm** AES *For our sample we will Use AES/256 bits*
|
||||
**Hash algoritm** SHA512 *Use a strong hash like SHA512*
|
||||
**DH key group** 14 (2048 bit) *2048 bit should be sufficient*
|
||||
**Lifetime** 28800 sec *lifetime before renegotiation*
|
||||
========================== =============== ===========================================
|
||||
|
||||
|
||||
Advanced Options
|
||||
|
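Review bot: In the rewritten Encryption algorithm row the value column says only "AES" while the remark says "AES/256 bits", and the Phase 2 table writes the value as "AES / 256". State the key length in the value column here as well, so the two ends are not set up with different key sizes. "Hash algoritm" is still misspelled in this copy of the table too.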
@ -382,7 +375,6 @@ Advanced Options
|
|||
Save your setting by pressing:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
Now you should see the following screen:
|
||||
|
||||
|
@ -429,19 +421,18 @@ Remote Network
|
|||
|
||||
Phase 2 proposal (SA/Key Exchange)
|
||||
----------------------------------
|
||||
=========================== ============ =======================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
|
||||
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
|
||||
**PFS Key group** 2048 bit *Not required but enhanced security*
|
||||
=========================== =============== =======================================
|
||||
**Protocol** ESP *Choose ESP for encryption*
|
||||
**Encryption algorithms** AES / 256 *For the sample we use AES 256*
|
||||
**Hash algortihms** SHA512 *Choose a strong hash like SHA512*
|
||||
**PFS Key group** 14 (2048 bit) *Not required but enhanced security*
|
||||
**Lifetime** 3600 sec
|
||||
=========================== ============ =======================================
|
||||
=========================== =============== =======================================
|
||||
|
||||
|
||||
Save your setting by pressing:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
-----------------------------
|
||||
|
||||
|
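Review bot: The PFS Key group remark "Not required but enhanced security" in the re-added row is ungrammatical; "Not required, but enhances security" keeps the meaning. "Hash algortihms" is misspelled in this copy of the table as well.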
@ -453,7 +444,6 @@ Enable IPsec for Site B, Select:
|
|||
Save:
|
||||
|
||||
.. image:: images/btn_save.png
|
||||
:width: 100%
|
||||
|
||||
And Apply changes:
|
||||
|
||||
|
@ -530,4 +520,4 @@ Common issues are unequal settings. Both ends must use the same encryption stand
|
|||
|
||||
If you are testing locally with your pc connected to one of the two test boxes
|
||||
as in the sample configuration, then make sure you have no other network
|
||||
connections (f.i. wifi).
|
||||
connections (Wi-Fi, for example).
|
||||
|
|
|
@ -24,7 +24,7 @@ Configure Failover
|
|||
------------------
|
||||
To setup Failover the following step will be taken:
|
||||
|
||||
#. Add monitor IP's to the gateways
|
||||
#. Add monitor IPs to the gateways
|
||||
#. Add a gateway group
|
||||
#. Configure DNS for each gateway
|
||||
#. Use policy based routing to utilize our gateway group
|
||||
|
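Review bot: The context line "To setup Failover the following step will be taken:" is left as is directly above the corrected list item; "set up" (verb) and "steps" belong in the same typo pass.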
@ -40,12 +40,12 @@ To setup Failover the following step will be taken:
|
|||
Example configuration
|
||||
---------------------
|
||||
Our example utilized two previous configured WAN gateways that both are confirmed
|
||||
to function separately. As DNS's and monitor ip's we will utilize google's DNS
|
||||
to function separately. As DNS's and monitor IPs we will utilize google's DNS
|
||||
services 8.8.8.8 and 8.8.4.4, of course you can use your own 'known good' setting.
|
||||
|
||||
We defined WAN and WAN2, where WAN will be our primary (default) gateway.
|
||||
|
||||
Step 1 - Add monitor IP's
|
||||
Step 1 - Add monitor IPs
|
||||
-------------------------
|
||||
You may skip this step if you already have setup the monitoring ip and both gateways
|
||||
are shown as online.
|
||||
|
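Review bot: The new line keeps "As DNS's and monitor IPs" and "google's DNS", so the apostrophe plural is fixed for IPs but not for DNS, and Google stays lower-case. "DNS servers" would read better than either plural. The context line "setup the monitoring ip" has the same lower-case "ip".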
@ -185,7 +185,7 @@ gateways.
|
|||
|
||||
Sticky Connection
|
||||
-----------------
|
||||
Some web sites don't like changing request ip's for the same session, this may
|
||||
Some web sites don't like changing request IPs for the same session, this may
|
||||
lead to unexpected behavior. To solve this you can use the option **Sticky Connections**,
|
||||
this will make sure each subsequent request from the same user to the same website
|
||||
is send through the same gateway.
|
||||
|
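Review bot: "is send through the same gateway" in the last context line should be "is sent"; worth fixing together with the "IPs" change a few lines above it.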
@ -196,7 +196,7 @@ Unequal Balancing (Weight)
|
|||
--------------------------
|
||||
If you have a non symmetric setup with one IPS having a much higher
|
||||
bandwidth that the other then you can set a weight on each gateway to change the
|
||||
load balance. For instance if you have one line of 10Mbps and one of 20Mbps then
|
||||
load balance. For instance if you have one line of 10 Mbps and one of 20 Mbps then
|
||||
set the weight of the first one to 1 and the second one to 2. This way the second
|
||||
gateway will get twice as many traffic to handle than the first.
|
||||
|
||||
|
|
|
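Review bot: "one IPS having a much higher bandwidth that the other" is untouched context here, and in a firewall manual "IPS" reads as intrusion prevention system where "ISP" is meant; "that" should be "than". "twice as many traffic" in the last line should be "twice as much traffic".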
@ -1,123 +1,123 @@
|
|||
Orange France FTTP IPv4 & IPv6
|
||||
==============================
|
||||
|
||||
**Original Author:** Kev Willers
|
||||
|
||||
**Introduction**
|
||||
-----------------
|
||||
This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package).
|
||||
|
||||
The guide deals with just the internet connection. Setting up of TV or Phone is not covered here.
|
||||
|
||||
|
||||
**Getting ready to make the connection**
|
||||
----------------------------------------
|
||||
|
||||
Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below
|
||||
|
||||
.. image:: images/OF_image0.png
|
||||
:width: 100%
|
||||
|
||||
and the WAN interface assignment should hence look something like this
|
||||
|
||||
.. image:: images/OF_image1.png
|
||||
:width: 100%
|
||||
|
||||
**Configuring the WAN Interface**
|
||||
---------------------------------
|
||||
|
||||
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
|
||||
requests respectively
|
||||
|
||||
select options DHCP and DHCPv6 in general configuration
|
||||
|
||||
.. image:: images/OF_image2.png
|
||||
:width: 100%
|
||||
|
||||
**On the DHCP request it is a requirement to pass the following:**
|
||||
|
||||
* dhcp-class-identifier "sagem"
|
||||
* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3"
|
||||
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
|
||||
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
|
||||
|
||||
.. Note::
|
||||
The eleven leading hex 00 pairs to be prefixed to the converted userID
|
||||
|
||||
These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request
|
||||
|
||||
.. image:: images/OF_image3.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
It is necessary to specify the following 'Request Options'
|
||||
|
||||
* subnet-mask
|
||||
* broadcast-address
|
||||
* dhcp-lease-time
|
||||
* dhcp-renewal-time
|
||||
* dhcp-rebinding-time
|
||||
* domain-search, routers
|
||||
* domain-name-servers
|
||||
* option-90
|
||||
|
||||
These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request
|
||||
|
||||
Now for the regional specific part.
|
||||
|
||||
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
|
||||
this can be done via the 'Option Modifiers'.
|
||||
|
||||
.. Note::
|
||||
The vlan-parent is the physical WAN interface - igb0, em0 etc.
|
||||
|
||||
.. image:: images/OF_image4.png
|
||||
:width: 100%
|
||||
|
||||
On the DHCP6 request we need to use raw options
|
||||
|
||||
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
|
||||
|
||||
.. image:: images/OF_image5.png
|
||||
:width: 100%
|
||||
|
||||
then add the following options in the 'Send Options' field
|
||||
|
||||
* ia-pd 0
|
||||
* raw-option 6 00:0b:00:11:00:17:00:18
|
||||
* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
|
||||
* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d
|
||||
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
|
||||
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
|
||||
|
||||
.. Note::
|
||||
The eleven leading hex 00 pairs to be prefixed to the converted userID
|
||||
|
||||
Finally set the Identity Association and Prefix interface as shown
|
||||
|
||||
.. image:: images/OF_image6.png
|
||||
:width: 100%
|
||||
|
||||
Click ‘Save’ and then ‘Apply’.
|
||||
|
||||
|
||||
**LAN Interface**
|
||||
-----------------
|
||||
|
||||
|
||||
Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track
|
||||
Interface’
|
||||
|
||||
.. image:: images/OF_image7.png
|
||||
:width: 100%
|
||||
|
||||
|
||||
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
|
||||
|
||||
|
||||
.. image:: images/OF_image8.png
|
||||
:width: 100%
|
||||
|
||||
Click ‘Save’ and then ‘Apply’.
|
||||
|
||||
It is advisable at this point to reboot the system.
|
||||
Orange France FTTP IPv4 & IPv6
|
||||
==============================
|
||||
|
||||
**Original Author:** Kev Willers
|
||||
|
||||
**Introduction**
|
||||
-----------------
|
||||
This guide is for Orange France FTTP using DHCP to connect (this method currently excludes the users of the PRO package).
|
||||
|
||||
The guide deals with just the internet connection. Setting up of TV or Phone is not covered here.
|
||||
|
||||
|
||||
**Getting ready to make the connection**
|
||||
----------------------------------------
|
||||
|
||||
Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below
|
||||
|
||||
.. image:: images/OF_image0.png
|
||||
:width: 100%
|
||||
|
||||
and the WAN interface assignment should hence look something like this
|
||||
|
||||
.. image:: images/OF_image1.png
|
||||
:width: 100%
|
||||
|
||||
**Configuring the WAN Interface**
|
||||
---------------------------------
|
||||
|
||||
In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6
|
||||
requests respectively
|
||||
|
||||
select options DHCP and DHCPv6 in general configuration
|
||||
|
||||
.. image:: images/OF_image2.png
|
||||
:width: 100%
|
||||
|
||||
**On the DHCP request it is a requirement to pass the following:**
|
||||
|
||||
* dhcp-class-identifier "sagem"
|
||||
* user-class "+FSVDSL_livebox.Internet.softathome.Livebox3"
|
||||
* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
|
||||
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
|
||||
|
||||
.. Note::
|
||||
The eleven leading hex 00 pairs to be prefixed to the converted userID
|
||||
|
||||
These parameters should be passed as comma separated options in the 'Send Options' area of their WAN DHCP request
|
||||
|
||||
.. image:: images/OF_image3.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
It is necessary to specify the following 'Request Options'
|
||||
|
||||
* subnet-mask
|
||||
* broadcast-address
|
||||
* dhcp-lease-time
|
||||
* dhcp-renewal-time
|
||||
* dhcp-rebinding-time
|
||||
* domain-search, routers
|
||||
* domain-name-servers
|
||||
* option-90
|
||||
|
||||
These parameters should be passed as comma separated options in the 'Request Options' area of their WAN DHCP request
|
||||
|
||||
Now for the regional specific part.
|
||||
|
||||
Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then
|
||||
this can be done via the 'Option Modifiers'.
|
||||
|
||||
.. Note::
|
||||
The vlan-parent is the physical WAN interface - igb0, em0 etc.
|
||||
|
||||
.. image:: images/OF_image4.png
|
||||
:width: 100%
|
||||
|
||||
On the DHCP6 request we need to use raw options
|
||||
|
||||
Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority'
|
||||
|
||||
.. image:: images/OF_image5.png
|
||||
:width: 100%
|
||||
|
||||
then add the following options in the 'Send Options' field
|
||||
|
||||
* ia-pd 0
|
||||
* raw-option 6 00:0b:00:11:00:17:00:18
|
||||
* raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
|
||||
* raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d
|
||||
* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX
|
||||
(hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx)
|
||||
|
||||
.. Note::
|
||||
The eleven leading hex 00 pairs to be prefixed to the converted userID
|
||||
|
||||
Finally set the Identity Association and Prefix interface as shown
|
||||
|
||||
.. image:: images/OF_image6.png
|
||||
:width: 100%
|
||||
|
||||
Click ‘Save’ and then ‘Apply’.
|
||||
|
||||
|
||||
**LAN Interface**
|
||||
-----------------
|
||||
|
||||
|
||||
Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type to ‘Track
|
||||
Interface’
|
||||
|
||||
.. image:: images/OF_image7.png
|
||||
:width: 100%
|
||||
|
||||
|
||||
Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address.
|
||||
|
||||
|
||||
.. image:: images/OF_image8.png
|
||||
:width: 100%
|
||||
|
||||
Click ‘Save’ and then ‘Apply’.
|
||||
|
||||
It is advisable at this point to reboot the system.
|
||||
|
|
|
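Review bot: All 123 lines of this file are removed and re-added, yet the only visible wording change is "there WAN DHCP request" becoming "their WAN DHCP request" in two places, which suggests a line-ending or whitespace conversion mixed into a typo commit. Splitting that normalisation into its own commit would keep the content change reviewable. "their" is still not quite right ("the WAN DHCP request"), and "the the userid" and "Firstly select 'Advanced' and your region needs a VLAN-PCP set it via" remain as they were.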
@ -4,7 +4,7 @@ Setup Anti Virus Protection
|
|||
OPNsense can offer http and https protection by utilizing its highly flexible
|
||||
proxy and the industry standard ICAP. An external engine from one of the known
|
||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||
trojans and viruses. This protection can be further enhanced by the build-in Intrusion
|
||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||
Prevention System and Category Based Web filtering.
|
||||
|
||||
This How To will utilize Symantec's Protection Engine, but any other vendor that
|
||||
|
|
|
@ -4,7 +4,7 @@ Setup Anti Virus Protection using OPNsense Plugins
|
|||
OPNsense can offer http and https protection by utilizing its highly flexible
|
||||
proxy and the industry standard ICAP. An external engine from one of the known
|
||||
vendors is used to offer maximum protection against malware, such as ransomware,
|
||||
trojans and viruses. This protection can be further enhanced by the build-in Intrusion
|
||||
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
|
||||
Prevention System and Category Based Web filtering.
|
||||
|
||||
This How To will use the Plugins C-ICAP and ClamAV.
|
||||
|
|
|
@ -151,9 +151,8 @@ certificate for each page manually, but for some pages that may not work well un
|
|||
not bumped.
|
||||
|
||||
.. image:: images/export_CA_cert.png
|
||||
:width: 100%
|
||||
|
||||
Import and change trust settings on your favorite OS. Per example on OSX it looks
|
||||
Import and change trust settings on your favorite OS. For example, on macOS it looks
|
||||
like this:
|
||||
|
||||
.. image:: images/Trust_Settings_OSX.png
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
====================
|
||||
Setup Web Filtering
|
||||
====================
|
||||
Category based web filtering in OPNsense is done by utilizing the build-in proxy
|
||||
Category based web filtering in OPNsense is done by utilizing the built-in proxy
|
||||
and one of the freely available or commercial blacklists.
|
||||
|
||||
For this this How-to we will utilize the `UT1 "web categorization list" <https://dsi.ut-capitole.fr/blacklists/index_en.php>`__ from the
|
||||
|
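Review bot: The context line "For this this How-to" has a doubled "this" directly below the corrected "built-in" line and should be fixed in the same pass.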
@ -62,7 +62,7 @@ Press **Save Changes**.
|
|||
Step 3 - Download the Categories
|
||||
--------------------------------
|
||||
Now press Download ACL's, please note that this will take a while (can be several
|
||||
minutes) as the full list (>19MB) will be converted to squid acl's.
|
||||
minutes) as the full list (>19 MB) will be converted to squid acl's.
|
||||
|
||||
-------------------------
|
||||
Step 4 - Setup Categories
|
||||
|
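Review bot: "Download ACL's" and "squid acl's" keep the apostrophe plural that this commit removes from "IP's". The button is written "Download ACLs" in the Step 4 text further down, so use "ACLs" here too.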
@ -82,7 +82,7 @@ clear the list and select the following from the drop down list:
|
|||
|
||||
Now **Save changes** and press **Download ACLs** again to download and reconstruct
|
||||
the list with only the selected categories. This will take roughly the same amount
|
||||
of time as the first fetch as the adult alone section is ~15MB.
|
||||
of time as the first fetch as the adult alone section is ~15 MB.
|
||||
|
||||
---------------------
|
||||
Step 5 - Enable Proxy
|
||||
|
|
|
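Review bot: The re-added line still reads "the adult alone section"; "the adult section alone" is the intended word order.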
@ -79,17 +79,17 @@ When you are done save the form, the CA is now generated.
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/CA.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
.. Tip::
|
||||
|
||||
Use valid email addresses for your certificates always.
|
||||
Bogus addresses can pose a security risk not only for certificates btw. ;-)
|
||||
Always use valid email addresses for your certificates.
|
||||
Bogus addresses can pose a security risk – and not only for certificates.
|
||||
|
||||
The Intermediate
|
||||
----------------
|
||||
|
||||
Time to create the second CA which is an **intermediate CA**. This certificate will be signed
|
||||
Time to create the second CA, which is an **intermediate CA**. This certificate will be signed
|
||||
by the root CA we just created. In return it will sign the sever certificate for OPNsense.
|
||||
|
||||
Go to **Trust/Authorities**
|
||||
|
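Review bot: "it will sign the sever certificate for OPNsense" in the context below the reworded sentence should read "server certificate". The rewritten Tip also introduces an en dash ("security risk – and not only"); a comma or a second sentence avoids a non-ASCII character in the source. Please also confirm in a rendered build that going from 15% to 100% width for CA.png gives the intended size, since the same change is applied to five more images in this file.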
@ -103,7 +103,7 @@ Have a look at the form, create an intermediate CA and save it.
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/CA-inter.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
The Certificate
|
||||
---------------
|
||||
|
@ -122,7 +122,7 @@ Have a look at the next form and notice the common name, create a server certifi
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/webgui-cert.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
.. Tip::
|
||||
|
||||
|
@ -189,7 +189,7 @@ Go to **Trust/Authorities** create a new CA for Nextcloud and save it.
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/CA-cloud.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
OPNsense needs to be made aware of the Nextcloud chain we are creating.
|
||||
|
||||
|
@ -231,7 +231,7 @@ Go to **Trust/Authorities** and create an intermediate CA.
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/CA-cloud-inter.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
Download the intermediate CA and install it to your browser:
|
||||
|
||||
|
@ -253,7 +253,7 @@ Go to **Trust/Certificates** create a server certificate.
|
|||
====================== =================================== ========================================
|
||||
|
||||
.. image:: images/cloud-cert.png
|
||||
:width: 15%
|
||||
:width: 100%
|
||||
|
||||
We need to install this certificate and key to our Nextcloud server, two ways are shown here.
|
||||
|
||||
|
|
|
@ -17,9 +17,9 @@ In this scenario we will create a pipe dedicated for traffic going to and coming
|
|||
from our realtime application. For the sample we presume a SIP trunk or hosted
|
||||
Voice Over IP (VOIP) server.
|
||||
|
||||
For this example we presume a requirement of 4 uncompressed voice channels of 64Kbps,
|
||||
resulting in a total bandwidth of 256Kbps. The internet connection in this example
|
||||
has 10Mbps Download and 1Mbps Upload.
|
||||
For this example we presume a requirement of 4 uncompressed voice channels of 64 kbps,
|
||||
resulting in a total bandwidth of 256 kbps. The internet connection in this example
|
||||
has 10 Mbps Download and 1 Mbps Upload.
|
||||
|
||||
|
||||
|
||||
|
@ -69,17 +69,17 @@ Create Pipe For Upload (To our VOIP Server)
|
|||
**bandwidth** 256 *Numeric value of the desired bandwidth*
|
||||
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
|
||||
**mask** (Empty) *Used for auto queueing, empty for our sample*
|
||||
**description** PipeUp-256Kbps *Free field, enter something descriptive*
|
||||
**description** PipeUp-256kbps *Free field, enter something descriptive*
|
||||
====================== ================ ================================================
|
||||
|
||||
Create Pipe For Upload (Other Traffic = 1024Kbps - 256Kbps = 768Kbps)
|
||||
Create Pipe For Upload (Other Traffic = 1024 kbps - 256 kbps = 768 kbps)
|
||||
|
||||
====================== ================ ================================================
|
||||
**enabled** Checked *Check to enable the pipe*
|
||||
**bandwidth** 768 *Numeric value of the desired bandwidth*
|
||||
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
|
||||
**mask** (Empty) *Used for auto queueing, empty for our sample*
|
||||
**description** PipeUp-768Kbps *Free field, enter something descriptive*
|
||||
**description** PipeUp-768kbps *Free field, enter something descriptive*
|
||||
====================== ================ ================================================
|
||||
|
||||
Create Pipe For Download (From our VOIP Server)
|
||||
|
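Review bot: The heading "Other Traffic = 1024 kbps - 256 kbps = 768 kbps" treats the 1 Mbps upload as 1024 kbps, which sits oddly with the lower-case "kbps" introduced here (k = 1000) and the "Kbit/s" metric in the table. Either state the line rate as 1000 kbps, or say explicitly that the example rounds to 1024.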
@ -89,17 +89,17 @@ Create Pipe For Download (From our VOIP Server)
|
|||
**bandwidth** 256 *Numeric value of the desired bandwidth*
|
||||
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
|
||||
**mask** (Empty) *Used for auto queueing, empty for our sample*
|
||||
**description** PipeDown-256Kbps *Free field, enter something descriptive*
|
||||
**description** PipeDown-256kbps *Free field, enter something descriptive*
|
||||
====================== ================== ================================================
|
||||
|
||||
Create Pipe For Download (Other Traffic = 10240Kbps - 256Kbps = 9984Kbps )
|
||||
Create Pipe For Download (Other Traffic = 10240 kbps - 256 kbps = 9984 kbps )
|
||||
|
||||
====================== =================== ================================================
|
||||
**enabled** Checked *Check to enable the pipe*
|
||||
**bandwidth** 9984 *Numeric value of the desired bandwidth*
|
||||
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
|
||||
**mask** (Empty) *Used for auto queueing, empty for our sample*
|
||||
**description** PipeDown-9984Kbps *Free field, enter something descriptive*
|
||||
**description** PipeDown-9984kbps *Free field, enter something descriptive*
|
||||
====================== =================== ================================================
|
||||
|
||||
Step 2 - Create Rules
|
||||
|
@ -117,7 +117,7 @@ Create a rule for traffic directed towards the VOIP Server (Upload).
|
|||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 172.10.2.1 *The ip address of our VOIP server*
|
||||
**dst-port** any *Use any of the destination port if static*
|
||||
**target** PipeUP-256Kbps *Select the Upload 256Kbps Pipe*
|
||||
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
|
||||
**description** ShapeVOIPUpload *Enter a descriptive name*
|
||||
====================== ================= =====================================================
|
||||
|
||||
|
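Review bot: The new target value "PipeUP-256kbps" does not match the pipe description "PipeUp-256kbps" given in the pipe table earlier in this file (capital "UP" versus "Up"). Since this is the name the reader picks in the target list, make the two identical.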
@ -132,7 +132,7 @@ Create a rule for traffic coming from the VOIP Server (Download).
|
|||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** PipeDown256Kbps *Select the Download 256Kbps Pipe*
|
||||
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
|
||||
**description** ShapeVOIPDown *Enter a descriptive name*
|
||||
====================== ================= =====================================================
|
||||
|
||||
|
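Review bot: The new target value "PipeDown256kbps" is missing the hyphen used in the pipe description "PipeDown-256kbps", so the rule refers to a name that does not match the pipe created earlier. Use "PipeDown-256kbps" here.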
@ -142,11 +142,11 @@ Create a rule for all other internet upload traffic
|
|||
**sequence** 31 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** 192.168.1.0/24 *The source ip's to shape, our LAN network*
|
||||
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *the destination address, leave in any*
|
||||
**dst-port** any *Use any of the destination port if static*
|
||||
**target** PipeUp-768Kbps *Select the Upload 256Kbps Pipe*
|
||||
**target** PipeUp-768kbps *Select the Upload 768 kbps Pipe*
|
||||
**description** ShapeUpload *Enter a descriptive name*
|
||||
====================== ================= =====================================================
|
||||
|
||||
|
@ -159,9 +159,9 @@ Create a rule for all other internet download traffic
|
|||
**proto** ip *Select the protocol, ip in our example*
|
||||
**source** any *The source ip to shape, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination ip's to shape, our LAN network*
|
||||
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** PipeDown-9984Kbps *Select the Download 256Kbps Pipe*
|
||||
**target** PipeDown-9984kbps *Select the Download 256Kbps Pipe*
|
||||
**description** ShapeDown *Enter a descriptive name*
|
||||
====================== =================== =====================================================
|
||||
|
||||
|
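Review bot: The re-added target row reads "PipeDown-9984kbps *Select the Download 256Kbps Pipe*", so the remark still names the wrong pipe and keeps the old unit spelling. It should say "Select the Download 9984 kbps Pipe", matching the correction made for the 768 kbps upload rule in the previous hunk.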
@ -185,8 +185,8 @@ Now press |apply| to activate the traffic shaping rules.
|
|||
Share bandwidth evenly
|
||||
----------------------
|
||||
|
||||
For this example we presume an internet connection of 10Mbps Download and 1Mbps
|
||||
Upload that we want to share evenly over all users.
|
||||
For this example we presume an internet connection of 10 Mbps Download and 1 Mbps
|
||||
Upload that we want to share evenly between all users.
|
||||
|
||||
.. nwdiag::
|
||||
:scale: 100%
|
||||
|
@ -299,7 +299,7 @@ Create a rule for traffic coming from the internet (Download).
|
|||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** QueueDown-10Mbps *Select the Download 10Mbps Queue*
|
||||
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
|
||||
**description** ShapeDownload *Enter a descriptive name*
|
||||
====================== ================= =====================================================
|
||||
|
||||
|
@ -315,7 +315,7 @@ Limit bandwidth per user
|
|||
------------------------
|
||||
|
||||
For this example we will divide the internet Download traffic between the connected
|
||||
users in such manner that each user will receive up to a maximum of 1Mbps.
|
||||
users in such manner that each user will receive up to a maximum of 1 Mbps.
|
||||
|
||||
.. nwdiag::
|
||||
:scale: 100%
|
||||
|
@ -378,7 +378,7 @@ Create a rule for traffic coming from the internet (Download).
|
|||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
|
||||
**dst-port** any *The destination port to shape, leave on any*
|
||||
**target** PipeDown-1Mbps *Select the Download 256Kbps Pipe*
|
||||
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
|
||||
**description** ShapeDownload *Enter a descriptive name*
|
||||
====================== ================= =====================================================
|
||||
|
||||
|
@ -401,11 +401,11 @@ By utilizing queues we can influence the bandwidth within a pipe and give certai
|
|||
applications more bandwidth than others based on a weighted algorithm.
|
||||
|
||||
The idea is simple:
|
||||
Let presume we have a pipe of 10Mbps and 2 applications for instance smtp (email)
|
||||
Let presume we have a pipe of 10 Mbps and 2 applications for instance smtp (email)
|
||||
and http(s). The http(s) traffic will get a weight of 1 and the smtp traffic a
|
||||
weight of 9, then when all capacity of our pipe is in use the email traffic will
|
||||
get 9x more bandwidth than our http(s) traffic, resulting in 1Mbps for http(s)
|
||||
and 9Mbps for smtp.
|
||||
get 9x more bandwidth than our http(s) traffic, resulting in 1 Mbps for http(s)
|
||||
and 9 Mbps for smtp.
|
||||
|
||||
For our example we only look at download traffic, but the exact same can be done
|
||||
for the upload traffic.
|
||||
|
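Review bot: The replaced line still begins "Let presume we have a pipe of 10 Mbps", so the typo survives the edit; it should read "Let's presume" (or "Let's assume"). The same line also has "2 applications for instance smtp (email)", which needs a comma before "for instance".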
@ -413,10 +413,10 @@ for the upload traffic.
|
|||
+----------------+--------+-------------------+
|
||||
| Application | Weight | Minimum Bandwidth |
|
||||
+================+========+===================+
|
||||
| SMTP (port 25) | 9 | 9Mbps |
|
||||
| SMTP (port 25) | 9 | 9 Mbps |
|
||||
+----------------+--------+-------------------+
|
||||
| HTTP (80) | | |
|
||||
+----------------+ 1 | 1Mbps |
|
||||
+----------------+ 1 | 1 Mbps |
|
||||
| HTTPS (443) | | |
|
||||
+----------------+--------+-------------------+
|
||||
|
||||
|
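Review bot: The "9 Mbps" and "1 Mbps" cells sit in a grid table, where each added space has to be offset by removing one padding space or the cell border no longer lines up with the `+---+` rules and the table fails to parse. The rendered diff does not show the padding, so please confirm the docs build still renders this table.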
@ -428,7 +428,7 @@ On the **Pipes** tab click the **+** button in the lower right corner.
|
|||
An empty **Edit Pipe** screen will popup.
|
||||
|
||||
|
||||
Create Pipe For Download (10Mbps)
|
||||
Create Pipe For Download (10 Mbps)
|
||||
|
||||
====================== ================= ===============================================
|
||||
**enabled** Checked *Check to enable the pipe*
|
||||
|
@ -515,7 +515,7 @@ Adding an extra rule for https traffic is simple as we can use the same http que
|
|||
**description** ShapeHTTPSDownload *Enter a descriptive name*
|
||||
====================== ==================== =====================================================
|
||||
|
||||
This way http and https traffic will be treated the same (total max of 1Mbps).
|
||||
This way http and https traffic will be treated the same (total max of 1 Mbps).
|
||||
|
||||
Now press |apply| to activate the traffic shaping rules.
|
||||
|
||||
|
@ -532,11 +532,11 @@ One of the options with OPNsense's traffic shaper is its ability to add shaping
|
|||
rules based upon two interfaces. This option allows you to shape traffic
|
||||
differently based on the direction the traffic is moving between interfaces.
|
||||
|
||||
For this example we will use this functionality to share a symmetric 10Mbps internet
|
||||
For this example we will use this functionality to share a symmetric 10 Mbps internet
|
||||
connection between a primary LAN network and a Guest Network.
|
||||
|
||||
The LAN network will not be limited, traffic from users on our Guest Network will
|
||||
be limited to a total of 2Mbps Download and 1Mbps Upload.
|
||||
be limited to a total of 2 Mbps Download and 1 Mbps Upload.
|
||||
|
||||
.. nwdiag::
|
||||
:scale: 100%
|
||||
|
@ -636,7 +636,7 @@ Create a rule for the upload traffic
|
|||
**sequence** 21 *Auto generated number, overwrite only when needed*
|
||||
**interface** WAN *Select the interface that matches your GuestNet*
|
||||
**interface2** GuestNet *Select the interface connected to the internet*
|
||||
**proto** ip *Select the protocol, ip in our example*
|
||||
**proto** ip *Select the protocol, IP in our example*
|
||||
**source** any *The source address, leave on any*
|
||||
**src-port** any *The source port to shape, leave on any*
|
||||
**destination** any *The destination ip to shape, leave on any*
|
||||
|
|
|
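Review bot: In the unchanged rows just above the edited **proto** line, **interface** WAN is described as "the interface that matches your GuestNet" and **interface2** GuestNet as "the interface connected to the internet", which reads as swapped relative to the values. Please confirm which is intended and correct either the values or the descriptions. The **destination** row also keeps lowercase "ip" right below the line where this commit capitalises it.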
@ -265,7 +265,7 @@ For our configuration we only use one server accessible on UDP port 1194.
|
|||
|
||||
Next we also need to allow traffic from the VPN client network (192.168.2.0/24).
|
||||
For our example we will allow client to access anything on our local network(s),
|
||||
however you may decide just to allow traffic to one or more IP's.
|
||||
however you may decide just to allow traffic to one or more IPs.
|
||||
|
||||
.. image:: images/sslvpn_openvpn_rule.png
|
||||
:width: 100%
|
||||
|
|
|
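Review bot: The sentence around the changed line says "we will allow client to access anything on our local network(s)", which needs "clients", and it presents full access as the example with restriction as an afterthought. Since readers tend to copy the example rule as shown, consider wording it so that limiting VPN clients to the IPs they need is the recommended form and the allow-all rule is the simplification used here.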
@ -107,7 +107,7 @@ and fill-in the ip/netmask.
|
|||
5. Disable Block private networks & bogon
|
||||
-----------------------------------------
|
||||
|
||||
For the WAN interface we nee to disable blocking of private networks & bogus ip's.
|
||||
For the WAN interface we nee to disable blocking of private networks & bogus IPs.
|
||||
|
||||
Goto **Interfaces** -> **WAN** and unselect **Block private networks**
|
||||
and **Block bogon networks**.
|
||||
|
|
|
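Review bot: The changed line still has "we nee to disable", so the typo remains after this edit; it should be "we need to". "Goto" on the following line should be "Go to". The paragraph also tells the reader to turn off two WAN protections without saying that this applies to this particular setup only, and one sentence stating that would keep it from being carried over to other deployments.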
@ -88,7 +88,6 @@ to import the users into the local user manager. Go to **System->Access->Users**
|
|||
you will see a cloud import icon at the lower right corner of the form.
|
||||
|
||||
.. image:: images/user_cloudimport.png
|
||||
:width: 100%
|
||||
|
||||
Click on the cloud import icon to start importing users.
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@ Depending on you hardware and use case different installation media are provided
|
|||
| | | running in serial console (115200) mode with |
|
||||
| | | secondary VGA support (no kernel messages though) |
|
||||
+--------+-----------------------------------------------------+
|
||||
| nano | | a preinstalled serial image for 4GB USB sticks, |
|
||||
| nano | | a preinstalled serial image for 4 GB USB sticks, |
|
||||
| | | SD or CF cards for use with embedded devices |
|
||||
+--------+-----------------------------------------------------+
|
||||
|
||||
|
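Review bot: The "4 GB" edit is inside a grid-table cell, so the added space must be balanced by removing one padding space before the closing border or the row will not align with the `+---+` rules. The hunk header context also shows "Depending on you hardware", which should be "your hardware" and would fit this typo pass.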
@ -104,7 +104,6 @@ Depending on you hardware and use case different installation media are provided
|
|||
Media Filename Composition
|
||||
------------------------------
|
||||
.. blockdiag::
|
||||
:scale: 100%
|
||||
|
||||
diagram {
|
||||
default_shape = roundedbox;
|
||||
|
@ -182,7 +181,7 @@ your target platform has a serial interface choose the "serial image.
|
|||
64-bit and 32-bit install images are provided. The following examples
|
||||
apply to both.
|
||||
|
||||
Write the image to a USB flash drive (>= 1GB) or an IDE hard disk,
|
||||
Write the image to a USB flash drive (>=1 GB) or an IDE hard disk,
|
||||
either with dd under FreeBSD or under Windows with physdiskwrite
|
||||
|
||||
Before writing an (iso) image you need to unpack it first (use bunzip2).
|
||||
|
|
|
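Review bot: The new text "(>=1 GB)" moves the space rather than adding one; it should read ">= 1 GB", keeping the space after the operator and adding the one before the unit. The hunk header context also shows an unbalanced quote in `choose the "serial image.` that could be closed in the same pass.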
@ -16,7 +16,7 @@ ip and port number.
|
|||
OPNsense offers full support for exporting Netflow data to external collectors as
|
||||
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
|
||||
|
||||
OPNsense is the only open source solution with a build-in Netflow analyzer integrated
|
||||
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
|
||||
into it's Graphical User Interface.
|
||||
|
||||
------------------
|
||||
|
|
|
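Review bot: The line directly after the "built-in" fix still reads "into it's Graphical User Interface", where the possessive "its" is meant. Since the sentence is already being edited, fix it here as well.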
@ -25,7 +25,7 @@ Features include:
|
|||
--------------
|
||||
Authenticators
|
||||
--------------
|
||||
User authentication can be done using OPNsense standard and build-in authenticators.
|
||||
User authentication can be done using OPNsense standard and built-in authenticators.
|
||||
Currently these include:
|
||||
|
||||
* LDAP (incl. Microsoft Active Directory)
|
||||
|
@ -61,13 +61,13 @@ shaping features.Additionally it includes its own options:
|
|||
-------------------------
|
||||
Category Based Web Filter
|
||||
-------------------------
|
||||
No need for additional plugins, such as squidGuard - as OPNsense has build-in
|
||||
No need for additional plugins, such as squidGuard - as OPNsense has built-in
|
||||
category based web filter support. Main features include:
|
||||
|
||||
* Fetch from a remote URL
|
||||
* Supports flat file list and category based compressed lists
|
||||
* Automatically convert category based blacklists to squid ACL's
|
||||
* Keep up to date with the build-in scheduler
|
||||
* Keep up to date with the built-in scheduler
|
||||
* Compatible with most popular blacklist
|
||||
|
||||
----------------
|
||||
|
|
|
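Review bot: The bullet list keeps "squid ACL's" although this commit changes "IP's" to "IPs" in other files, so the plural should be "ACLs" for consistency. "Compatible with most popular blacklist" also needs the plural "blacklists", and the hunk header context shows "shaping features.Additionally" with a missing space after the period.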
@ -13,7 +13,7 @@ General tips
|
|||
For optimum performance and compatibility, these guides are given:
|
||||
|
||||
* Minimum required RAM is 1 GB
|
||||
* Minimum recommended virtual disk size of 8GB
|
||||
* Minimum recommended virtual disk size of 8 GB
|
||||
* Disable all off-loading settings in **Interfaces->Settings**
|
||||
|
||||
.. image:: images/disableoffloading.png
|
||||
|
@ -109,7 +109,7 @@ article first.
|
|||
File copy failed during installation
|
||||
------------------------------------
|
||||
This issue is most likely caused by low memory setting. Make sure your virtual
|
||||
OPNsense installation has a minimum of 1GB of RAM.
|
||||
OPNsense installation has a minimum of 1 GB of RAM.
|
||||
|
||||
------------------
|
||||
|
||||
|
|
|
@ -29,7 +29,6 @@ well known IPsec as well as older (now considered insecure) legacy options such
|
|||
L2TP and PPTP.
|
||||
|
||||
.. image:: images/vpn.png
|
||||
:width: 100%
|
||||
|
||||
.. Note::
|
||||
|
||||
|
|