@utkonos
Last active May 17, 2022 15:21
Jupyter Notebook for Generating OPNsense Configuration XML Files from Python INI
{
"cells": [
{
"cell_type": "code",
"execution_count": null,
"id": "4a75ba6f-b738-40e7-a660-d733ae3f7720",
"metadata": {},
"outputs": [],
"source": [
"import base64\n",
"import configparser\n",
"import ipaddress\n",
"import re\n",
"import subprocess\n",
"import time\n",
"import uuid\n",
"import xml.etree.ElementTree\n",
"\n",
"import nacl.public"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "ee28d7e2-0e9d-4a57-b993-be2d3f58159a",
"metadata": {},
"outputs": [],
"source": [
"version = '1.2.2'"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "eb0957a8-9c52-4224-a998-7c182cd5b3a7",
"metadata": {},
"outputs": [],
"source": [
"config = configparser.ConfigParser()\n",
"\n",
"config['Host'] = {'hostname': 'firewall',\n",
" 'domain': 'example.com',\n",
" 'dns': '198.51.100.100'}\n",
"config['WAN'] = {'if': 'vtnet0',\n",
" 'ip': '192.0.2.10',\n",
" 'subnet': '24',\n",
" 'gateway': '192.0.2.1'}\n",
"config['LAN'] = {'if': 'vtnet1',\n",
" 'ip': '172.16.0.1',\n",
" 'subnet': '24',\n",
" 'description': 'Workstations',\n",
" 'dhcp_start': '172.16.0.10',\n",
" 'dhcp_end': '172.16.0.250'}\n",
"config['OPT1'] = {'if': 'vtnet2',\n",
" 'ip': '172.17.0.1',\n",
" 'subnet': '24',\n",
" 'description': 'Servers',\n",
" 'dhcp_start': '172.17.0.10',\n",
" 'dhcp_end': '172.17.0.250'}\n",
"config['OPT2'] = {'if': 'vtnet3',\n",
" 'ip': '172.18.0.1',\n",
" 'subnet': '24',\n",
" 'description': 'DMZ',\n",
" 'dhcp_start': '172.18.0.10',\n",
" 'dhcp_end': '172.18.0.250'}\n",
"config['WGB'] = {'port': '51821',\n",
" 'server_pubkey': 'AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB',\n",
" 'server_privkey': 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',\n",
" 'server_ip': '172.19.0.1/24',\n",
" 'client_ip': '172.19.0.2/32',\n",
" 'client_pubkey': 'AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC'}\n",
"\n",
"with open('opnsense_config_example.ini', 'w') as configfile:\n",
" config.write(configfile)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "09e92d57-5a0c-4379-b2fa-ede07fdd94b5",
"metadata": {},
"outputs": [],
"source": [
"config = configparser.ConfigParser()\n",
"config.read('opnsense_config.ini')"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "ef7de8e2-3db3-4e19-87fe-fe59de563e5e",
"metadata": {},
"outputs": [],
"source": [
"tree = xml.etree.ElementTree.parse('config_template.xml')\n",
"root = tree.getroot()"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "9e0e6a7a-e942-4032-a8be-df50ef752ee4",
"metadata": {},
"outputs": [],
"source": [
"if hostname := config['Host'].get('hostname'):\n",
" root.find('system').find('hostname').text = hostname\n",
"if domain := config['Host'].get('domain'):\n",
" root.find('system').find('domain').text = domain"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "cdaea0e1-aae7-4a4f-ab86-6362028849b3",
"metadata": {},
"outputs": [],
"source": [
"revision = root.find('revision')\n",
"revision.find('time').text = str(round(time.time(), 4))\n",
"description = f'Created by OPNsense Configuration Generator v{version}'\n",
"revision.find('description').text = description"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "fa1cc20e-aabe-430b-9846-183dfabf4f89",
"metadata": {},
"outputs": [],
"source": [
"root.find('system').find('dnsserver').text = config['Host']['dns']\n",
"\n",
"wan_if = root.find('interfaces').find('wan')\n",
"wan_if.find('if').text = config['WAN']['if']\n",
"wan_if.find('ipaddr').text = config['WAN']['ip']\n",
"wan_if.find('subnet').text = config['WAN']['subnet']\n",
"\n",
"lan_if = root.find('interfaces').find('lan')\n",
"lan_if.find('if').text = config['LAN']['if']\n",
"lan_if.find('descr').text = config['LAN']['description']\n",
"lan_if.find('ipaddr').text = config['LAN']['ip']\n",
"lan_if.find('subnet').text = config['LAN']['subnet']\n",
"\n",
"lan_dhcp = root.find('dhcpd').find('lan')\n",
"lan_dhcp.find('gateway').text = config['LAN']['ip']\n",
"lan_dhcp.find('range').find('from').text = config['LAN']['dhcp_start']\n",
"lan_dhcp.find('range').find('to').text = config['LAN']['dhcp_end']\n",
"lan_dhcp.find('dnsserver').text = config['LAN']['ip']\n",
"\n",
"gateway = root.find('gateways').find('gateway_item')\n",
"gateway.find('gateway').text = config['WAN']['gateway']"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "b56ca43e-ca9c-4444-86ae-817832b97f8b",
"metadata": {},
"outputs": [],
"source": [
"gateway_ip = ipaddress.ip_address(config['WAN']['gateway'])\n",
"\n",
"ip = config['WAN']['ip']\n",
"subnet = config['WAN']['subnet']\n",
"netblock = ipaddress.ip_network(f'{ip}/{subnet}', strict=False)\n",
"\n",
"if gateway_ip in netblock:\n",
" gateway.find('fargw').text = '0'\n",
"else:\n",
" gateway.find('fargw').text = '1'"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "dd06ece3-f7ba-49f6-b251-179f5e15e799",
"metadata": {},
"outputs": [],
"source": [
"opt_if_template = \"\"\"\n",
"<opt_if>\n",
" <if></if>\n",
" <descr></descr>\n",
" <enable>1</enable>\n",
" <spoofmac />\n",
" <ipaddr></ipaddr>\n",
" <subnet></subnet>\n",
"</opt_if>\n",
"\"\"\"\n",
"\n",
"opt_dhcp_template = \"\"\"\n",
"<opt_dhcp>\n",
" <enable>1</enable>\n",
" <gateway></gateway>\n",
" <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>\n",
" <numberoptions>\n",
" <item />\n",
" </numberoptions>\n",
" <range>\n",
" <from></from>\n",
" <to></to>\n",
" </range>\n",
" <winsserver />\n",
" <dnsserver></dnsserver>\n",
" <ntpserver />\n",
"</opt_dhcp>\n",
"\"\"\"\n",
"\n",
"wg_grp_template = \"\"\"\n",
"<wireguard>\n",
" <internal_dynamic>1</internal_dynamic>\n",
" <enable>1</enable>\n",
" <if>wireguard</if>\n",
" <descr>WireGuard (Group)</descr>\n",
" <type>group</type>\n",
" <virtual>1</virtual>\n",
"</wireguard>\n",
"\"\"\"\n",
"\n",
"wg_if_template = \"\"\"\n",
"<opt0>\n",
" <if>wg1</if>\n",
" <descr>WGB</descr>\n",
" <enable>1</enable>\n",
" <lock>1</lock>\n",
" <spoofmac/>\n",
"</opt0>\n",
"\"\"\"\n",
"\n",
"fw_wg_template = \"\"\"\n",
"<rule>\n",
" <type>pass</type>\n",
" <interface>wan</interface>\n",
" <ipprotocol>inet</ipprotocol>\n",
" <statetype>keep state</statetype>\n",
" <direction>in</direction>\n",
" <quick>1</quick>\n",
" <protocol>udp</protocol>\n",
" <source>\n",
" <any>1</any>\n",
" </source>\n",
" <destination>\n",
" <network>wanip</network>\n",
" <port></port>\n",
" </destination>\n",
"</rule>\n",
"\"\"\"\n",
"\n",
"fw_admin_template = \"\"\"\n",
"<rule>\n",
" <type>pass</type>\n",
" <interface>opt0</interface>\n",
" <ipprotocol>inet</ipprotocol>\n",
" <statetype>keep state</statetype>\n",
" <direction>in</direction>\n",
" <quick>1</quick>\n",
" <protocol>tcp</protocol>\n",
" <source>\n",
" <network>opt0</network>\n",
" </source>\n",
" <destination>\n",
" <network>opt0ip</network>\n",
" <port>443</port>\n",
" </destination>\n",
"</rule>\n",
"\"\"\"\n",
"\n",
"wg_conf_template = \"\"\"\n",
"<OPNsense>\n",
" <wireguard>\n",
" <general version=\"0.0.1\">\n",
" <enabled>1</enabled>\n",
" </general>\n",
" <server version=\"0.0.3\">\n",
" <servers>\n",
" <server>\n",
" <enabled>1</enabled>\n",
" <name>WGBootstrap</name>\n",
" <instance>1</instance>\n",
" <pubkey></pubkey>\n",
" <privkey></privkey>\n",
" <port></port>\n",
" <mtu/>\n",
" <dns/>\n",
" <tunneladdress></tunneladdress>\n",
" <disableroutes>0</disableroutes>\n",
" <gateway/>\n",
" <peers></peers>\n",
" </server>\n",
" </servers>\n",
" </server>\n",
" <client version=\"0.0.6\">\n",
" <clients>\n",
" <client>\n",
" <enabled>1</enabled>\n",
" <name>WGBootstrap</name>\n",
" <pubkey></pubkey>\n",
" <psk/>\n",
" <tunneladdress></tunneladdress>\n",
" <serveraddress/>\n",
" <serverport/>\n",
" <keepalive/>\n",
" </client>\n",
" </clients>\n",
" </client>\n",
" </wireguard>\n",
"</OPNsense>\n",
"\"\"\""
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "c4da71fa-555e-445a-be7d-0007575cbc3d",
"metadata": {},
"outputs": [],
"source": [
"if config.has_section('WGB'):\n",
" if s_pvk := config['WGB'].get('server_privkey'):\n",
" server_privkey = s_pvk\n",
" server_pubkey = config['WGB']['server_pubkey']\n",
" else:\n",
" s_pvk = nacl.public.PrivateKey.generate()\n",
" server_privkey = base64.b64encode(bytes(s_pvk)).decode()\n",
" server_pubkey = base64.b64encode(bytes(s_pvk.public_key)).decode()\n",
"\n",
" if c_pbk := config['WGB'].get('client_pubkey'):\n",
" client_pubkey = c_pbk\n",
" else:\n",
" wg_client_config = configparser.RawConfigParser()\n",
" wg_client_config.optionxform = lambda option: option\n",
"\n",
" c_pvk = nacl.public.PrivateKey.generate()\n",
" client_privkey = base64.b64encode(bytes(c_pvk)).decode()\n",
" client_pubkey = base64.b64encode(bytes(c_pvk.public_key)).decode()\n",
"\n",
" wg_client_config['Interface'] = {'PrivateKey': client_privkey,\n",
" 'Address': config['WGB']['client_ip']}\n",
"\n",
" if hostname and domain:\n",
" host = f'{hostname}.{domain}'\n",
" else:\n",
" host = config['WAN']['ip']\n",
" endpoint = '{}:{}'.format(host, config['WGB']['port'])\n",
"\n",
" wg_client_config['Peer'] = {'PublicKey': server_pubkey,\n",
" 'AllowedIPs': config['WGB']['server_ip'],\n",
" 'Endpoint': endpoint}\n",
"\n",
" with open('WGBootstrap.conf', 'w') as configfile:\n",
" wg_client_config.write(configfile)\n",
"\n",
" plugins = xml.etree.ElementTree.Element('plugins')\n",
" plugins.text = 'os-wireguard'\n",
" root.find('system').find('firmware').append(plugins)\n",
"\n",
" wg_grp = xml.etree.ElementTree.fromstring(wg_grp_template)\n",
" root.find('interfaces').append(wg_grp)\n",
" wg_if = xml.etree.ElementTree.fromstring(wg_if_template)\n",
" root.find('interfaces').append(wg_if)\n",
"\n",
" fw_wg = xml.etree.ElementTree.fromstring(fw_wg_template)\n",
" fw_wg.find('destination').find('port').text = config['WGB']['port']\n",
" root.find('filter').insert(0, fw_wg)\n",
" fw_admin = xml.etree.ElementTree.fromstring(fw_admin_template)\n",
" root.find('filter').append(fw_admin)\n",
"\n",
" wg_conf = xml.etree.ElementTree.fromstring(wg_conf_template)\n",
" wgc = wg_conf.find('wireguard')\n",
"\n",
" wg_server = wgc.find('server').find('servers').find('server')\n",
" wg_server.set('uuid', str(uuid.uuid4()))\n",
" wg_server.find('pubkey').text = server_pubkey\n",
" wg_server.find('privkey').text = server_privkey\n",
" wg_server.find('port').text = config['WGB']['port']\n",
" wg_server.find('tunneladdress').text = config['WGB']['server_ip']\n",
" client_id = str(uuid.uuid4())\n",
" wg_server.find('peers').text = client_id\n",
"\n",
" wg_client = wgc.find('client').find('clients').find('client')\n",
" wg_client.set('uuid', client_id)\n",
" wg_client.find('pubkey').text = client_pubkey\n",
" wg_client.find('tunneladdress').text = config['WGB']['client_ip']\n",
"\n",
" root.append(wg_conf)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "8300929c-a4c9-4bc0-8365-d7eb8786c2d4",
"metadata": {},
"outputs": [],
"source": [
"for section in config.sections():\n",
" if match := re.match('OPT(?P<number>\\d)', section):\n",
" opt_if = xml.etree.ElementTree.fromstring(opt_if_template)\n",
" opt_if.tag = 'opt{}'.format(match.group('number'))\n",
" opt_if.find('if').text = config[section]['if']\n",
" opt_if.find('descr').text = config[section]['description']\n",
" opt_if.find('ipaddr').text = config[section]['ip']\n",
" opt_if.find('subnet').text = config[section]['subnet']\n",
" root.find('interfaces').append(opt_if)\n",
"\n",
" if start := config[section].get('dhcp_start'):\n",
" opt_dhcp = xml.etree.ElementTree.fromstring(opt_dhcp_template)\n",
" opt_dhcp.tag = 'opt{}'.format(match.group('number'))\n",
" opt_dhcp.find('gateway').text = config[section]['ip']\n",
" opt_dhcp.find('range').find('from').text = start\n",
" opt_dhcp.find('range').find('to').text = config[section]['dhcp_end']\n",
" opt_dhcp.find('dnsserver').text = config[section]['ip']\n",
" root.find('dhcpd').append(opt_dhcp)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "fb41dde5-f1fd-4549-af29-bc4df686a86a",
"metadata": {},
"outputs": [],
"source": [
"xml.etree.ElementTree.indent(root, space=' ')"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "57ada25d-8ac4-4a25-99fa-811adf52ac6f",
"metadata": {},
"outputs": [],
"source": [
"tree.write('config.xml', xml_declaration=True)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "5fdd93f0-5641-4f50-b56a-40fcb8a8ed82",
"metadata": {},
"outputs": [],
"source": [
"xml.etree.ElementTree.dump(root)"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.10.4"
}
},
"nbformat": 4,
"nbformat_minor": 5
}
<?xml version="1.0"?>
<opnsense>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable>
<value>default</value>
</item>
<item>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable>
<value>default</value>
</item>
<item>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known.
</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable>
<value>default</value>
</item>
</sysctl>
<system>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<disablevlanhwfilter>1</disablevlanhwfilter>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
<firmware version="1.0.0">
<mirror/>
<flavour/>
</firmware>
<dnsserver></dnsserver>
<language>en_US</language>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if></if>
<ipaddr></ipaddr>
<ipaddrv6/>
<subnet></subnet>
<gateway>WAN_GW</gateway>
<blockpriv>on</blockpriv>
<blockbogons>on</blockbogons>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
<subnetv6/>
<gatewayv6/>
</wan>
<lan>
<if></if>
<descr></descr>
<enable>1</enable>
<spoofmac/>
<ipaddr></ipaddr>
<subnet></subnet>
</lan>
<lo0>
<internal_dynamic>1</internal_dynamic>
<descr>Loopback</descr>
<enable>1</enable>
<if>lo0</if>
<ipaddr>127.0.0.1</ipaddr>
<ipaddrv6>::1</ipaddrv6>
<subnet>8</subnet>
<subnetv6>128</subnetv6>
<type>none</type>
<virtual>1</virtual>
</lo0>
</interfaces>
<dhcpd>
<lan>
<enable>1</enable>
<gateway></gateway>
<ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
<numberoptions>
<item/>
</numberoptions>
<range>
<from></from>
<to></to>
</range>
<winsserver/>
<dnsserver></dnsserver>
<ntpserver/>
</lan>
</dhcpd>
<unbound>
<enable>on</enable>
<dnssec>on</dnssec>
<dnssecstripped>on</dnssecstripped>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
<revision>
<username>(system)</username>
<time></time>
<description></description>
</revision>
<gateways>
<gateway_item>
<descr>Interface WAN Gateway</descr>
<defaultgw>1</defaultgw>
<ipprotocol>inet</ipprotocol>
<interface>wan</interface>
<gateway></gateway>
<monitor_disable>1</monitor_disable>
<name>WAN_GW</name>
<interval>1</interval>
<weight>1</weight>
<fargw></fargw>
</gateway_item>
</gateways>
</opnsense>