20250429 push notes

.obsidian/workspace.json

@@ -37,7 +37,7 @@
             "state": {
               "type": "markdown",
               "state": {
-                "file": "diary/2025-04-17.md",
+                "file": "diary/2025-04-29.md",
                 "mode": "source",
                 "source": true,
                 "backlinks": true,
@@ -52,16 +52,16 @@
                 }
               },
               "icon": "lucide-file",
-              "title": "2025-04-17"
+              "title": "2025-04-29"
             }
           },
           {
-            "id": "23e94d4003b4c31e",
+            "id": "6afce9769f210b2e",
             "type": "leaf",
             "state": {
               "type": "markdown",
               "state": {
-                "file": "projects/phytron/nextcloud_gitlab_after_hack.md",
+                "file": "projects/kwa/firewall_migration/20250317_first-meeting.md",
                 "mode": "source",
                 "source": true,
                 "backlinks": true,
@@ -76,16 +76,16 @@
                 }
               },
               "icon": "lucide-file",
-              "title": "nextcloud_gitlab_after_hack"
+              "title": "20250317_first-meeting"
             }
           },
           {
-            "id": "23676dcc91a6b6e8",
+            "id": "f311d0c07a57b878",
             "type": "leaf",
             "state": {
               "type": "markdown",
               "state": {
-                "file": "projects/kwa/firewall_migration/20250414-preparation.md",
+                "file": "projects/OPNsense/STANDARDS/Monthly-Time.md",
                 "mode": "source",
                 "source": true,
                 "backlinks": true,
@@ -100,16 +100,16 @@
                 }
               },
               "icon": "lucide-file",
-              "title": "20250414-preparation"
+              "title": "Monthly-Time"
             }
           },
           {
-            "id": "175e86d27cc90624",
+            "id": "33e939315b6ac8f0",
             "type": "leaf",
             "state": {
               "type": "markdown",
               "state": {
-                "file": "projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md",
+                "file": "projects/OPNsense/STANDARDS/Feature-Capability.md",
                 "mode": "source",
                 "source": true,
                 "backlinks": true,
@@ -124,11 +124,35 @@
                 }
               },
               "icon": "lucide-file",
-              "title": "overview-qumulo_and_comp-nodes"
+              "title": "Feature-Capability"
+            }
+          },
+          {
+            "id": "855d54493706a383",
+            "type": "leaf",
+            "state": {
+              "type": "markdown",
+              "state": {
+                "file": "projects/OPNsense/STANDARDS/possible-impovements.md",
+                "mode": "source",
+                "source": true,
+                "backlinks": true,
+                "backlinkOpts": {
+                  "collapseAll": false,
+                  "extraContext": false,
+                  "sortOrder": "alphabetical",
+                  "showSearch": false,
+                  "searchQuery": "",
+                  "backlinkCollapsed": false,
+                  "unlinkedCollapsed": true
+                }
+              },
+              "icon": "lucide-file",
+              "title": "possible-impovements"
             }
           }
         ],
-        "currentTab": 1
+        "currentTab": 4
       }
     ],
     "direction": "vertical"
@@ -304,44 +328,45 @@
       "templater-obsidian:Templater": false
     }
   },
-  "active": "b865e0663684cf60",
+  "active": "33e939315b6ac8f0",
   "lastOpenFiles": [
-    "projects/phytron/nextcloud_gitlab_after_hack.md",
-    "diary/2025-04-17.md",
+    "projects/OPNsense/STANDARDS/Monthly-Time.md",
+    "projects/OPNsense/STANDARDS/Feature-Capability.md",
+    "projects/OPNsense/STANDARDS/possible-impovements.md",
+    "diary/2025-04-29.md",
+    "projects/kwa/firewall_migration/20250317_first-meeting.md",
+    "projects/OPNsense/Schulungen/Untitled",
+    "projects/OPNsense/unknown/opnsense-proposal-draft.md",
+    "projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md",
+    "projects/OPNsense/STANDARDS",
+    "projects/OPNsense/unknown",
+    "projects/OPNsense/unknown/opnsense-planing.md",
+    "projects/OPNsense/unknown/opnsense-frankeriger-current.md",
+    "projects/OPNsense/unknown/opnsense-checklists.md",
+    "projects/OPNsense/unknown/opnsense-central-management.md",
+    "projects/OPNsense/unknown/opnsense-bussines-edition.md",
+    "projects/OPNsense/Schulungen/20250319-pre-meeting-prep.md",
+    "projects/OPNsense/Schulungen/20250305-initial_ideas.md",
+    "projects/OPNsense/Initial-Notes/OPNsense.md",
+    "projects/OPNsense/Initial-Notes/OPNsense-config.md",
+    "projects/OPNsense/Initial-Notes/OPNsense-config_summary.md",
+    "projects/OPNsense/Initial-Notes/OPNsense-future.md",
+    "projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md",
+    "projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md",
+    "projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md",
+    "projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md",
     "projects/kwa/firewall_migration/20250414-preparation.md",
-    "projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md",
-    "diary/2025-04-16.md",
-    "projects/ipv6/basics.md",
-    "diary/2025-04-15.md",
-    "projects/sbx/sbx-lab-network.md",
-    "diary/2025-04-14.md",
     "projects/kwa/firewall_migration/20250318-OPNsense_Migration.md",
-    "projects/win10_2_win11/20250411-Meeting-JM.md",
-    "diary/2025-04-11.md",
-    "diary/2025-04-13.md",
-    "projects/kwa/mail_migration/timestamp-change.md",
+    "archive/APSA",
+    "todo.md",
+    "projects/OPNsense/Cluster/20250307-cluster-test-on-sg310.md",
+    "files/Pasted image 20250429110706.png",
     "projects/win10_2_win11",
-    "diary/2025-04-10.md",
-    "diary/2025-04-09.md",
-    "diary/2025-04-08.md",
-    "projects/discopharma/20250320-manual-project.md",
-    "diary/2025-04-07.md",
-    "projects/ssr/202504-4architekten/notes.md",
-    "diary/2025-04-06.md",
-    "diary/2025-04-04.md",
-    "diary/2025-04-03.md",
-    "projects/neosphere/qumulus/20250502-storage-cluster.md",
-    "diary/2025-04-02.md",
-    "projects/sbx/manuals/Sophos-SG_PPPoE-data.md",
     "projects/sbx/manuals",
     "projects/ssr/202504-4architekten",
     "projects/sbx/firewall-std",
-    "projects/boschmann+feth",
+    "archive/boschmann+feth",
     "files/discopharma/discopharma-infra.drawio.png",
-    "files/discopharma",
-    "files/New folder",
-    "projects/discopharma/Meetings",
-    "diary/2025-04",
-    "diary/2025-03"
+    "files/discopharma"
   ]
 }

diary/2025-04-22.md

@@ -0,0 +1,111 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 09:15 - 09:45: Ticketpflege
+- 09:45 - 11:30: SSR Wildcard cert abgelaufen. erstelle wildcard certs via letsencrypt
+- 11:30 - 12:30: Pause
+- 12:30 - 15:00: SSL Zerifikate beantragen, rumschieben, umwandeln, ueberall einfuegen
+- 15:00 - 17:00: OPNsense einrichtung. VLANs, WAN config, Updates, Lizenz, IT-docs, Aliase setzen, user erstellen, dhcp config, dns config
+
+## Thursday
+
+- 08:45 - 09:00: Ueber MicroShit Support mail aergern
+- 09:00 - 09:45: aldi milch einkauf, quatchen
+- 09:45 - 10:00: Sammeln, kaffee
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer für die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+- 10:45 - 11:00: Rauchen
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+- 12:00 - 13:30: Pause
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen 
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben? 
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+	
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+ 
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding 
+	- setup wan manually 
+	- couple to opncentral 
+	- send generic config via opncentral 
+	- use manual for missing specific configs
+	- check workings of everything
+

diary/2025-04-23.md

@@ -0,0 +1,132 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 08:30 - 09:00: Ankunft, Serverraum Verkabelung ann Switch pruefen und dokumentieren und planen Portbelegung, Neue Firewall anstecken, nachdenken
+- 09:00 - 09:30: UTM Installation bei Dominik durchgehen - zu aufwendig (MAC hypervisor), ports an switch durchgehen
+- 09:30 - 10:00: Beginn der Migration durchgehen
+- 10:00 - 12:30:  OPNsense anstecken, umstecken, allen geraeten dhcp einstellen. Klappt bei allen ausser beim cloud key.. panik, Alle unifi gereate zurucksetzen
+- 12:30 - 13:00: Pause
+- 13:00 - 14:30: unifi einstellungen anpassen, drucker ip anpassen
+- 14:30 - 16:30: VPN Einrichtung bei allen Usern, debuggen.. 
+- 16:30 - 17:15: VPN und debuggen
+
+## Wednesday
+
+- 09:00 - 09:15 Mails beantworten
+- 09:15 - 09:45: KWA: Firewall: IT-Glue config von opnsense erweitern, Certificate chain erzeugen fuer OpenVPN und sbxadmin user Client Zertifikat erstellen
+- 09:45 - 10:45: IPS/IDS konfigurieren, acme an test.gw.softbox.net einrichten und Zertifikate erstellen, IPS/IDS belastet das System hart, muss getestet werden ob deren HW das packt: hat mehr ram
+- 10:45 - 11:45: Firewall Regeln und Aliase setzen fuer alles Dienste, backup erstellen
+- 11:45 - 12:45: Pause
+- 12:45 - 13:45: Firewall Regeln fuer MGMT, CLIENT und SERVER net setzen
+- 13:45 - 14:45: Setze DNAT regel fuer LDAP ports von sbxoffice ip. AD config setzen und user syncen
+- 14:45 - 17:45: VPN Server config, firewall rules, 
+
+## Tuesday
+
+- 09:15 - 09:45: Ticketpflege
+- 09:45 - 11:30: SSR Wildcard cert abgelaufen. erstelle wildcard certs via letsencrypt
+- 11:30 - 12:30: Pause
+- 12:30 - 15:00: SSL Zerifikate beantragen, rumschieben, umwandeln, ueberall einfuegen
+- 15:00 - 17:00: OPNsense einrichtung. VLANs, WAN config, Updates, Lizenz, IT-docs, Aliase setzen, user erstellen, dhcp config, dns config
+
+## Thursday
+
+- 08:45 - 09:00: Ueber MicroShit Support mail aergern
+- 09:00 - 09:45: aldi milch einkauf, quatchen
+- 09:45 - 10:00: Sammeln, kaffee
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer für die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+- 10:45 - 11:00: Rauchen
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+- 12:00 - 13:30: Pause
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen 
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben? 
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+	
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+ 
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding 
+	- setup wan manually 
+	- couple to opncentral 
+	- send generic config via opncentral 
+	- use manual for missing specific configs
+	- check workings of everything
+

diary/2025-04-25.md

@@ -0,0 +1,131 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 08:15 - 08:30: IT-Glue dokumentation
+- 08:30 - 08:45: Firewall Aliase und Regeln fuer Unifi definieren
+- 08:45 - 09:15: Firewall Regeln anpassen, Drucker macht Probleme, Regeln anpaasen, Drucker falsche DSN einsetllungen
+- 09:15 - 10:30: Alte firewall aufbauen und anschliessen, Passe VPN Config an: dns und regeln, bei Herrn wassmer vpn konfigurieren
+- 10:30 - 13:00: installiere opnsense auf alter hardware, debugging, root passwort geht nicht nach backup restore, mehrmals neu installieren, pass reset: komme nicht in web-ui
+- 13:00 - 14:00: Anfahrt
+- 14:00 - 15:00: Pause
+- 15:00 - 16:00: KWA opnsense HW aufbauen und mit pikvm verkabeln
+
+## Thursday
+
+- 08:30 - 09:00: Ankunft, Serverraum Verkabelung ann Switch pruefen und dokumentieren und planen Portbelegung, Neue Firewall anstecken, nachdenken
+- 09:00 - 09:30: UTM Installation bei Dominik durchgehen - zu aufwendig (MAC hypervisor), ports an switch durchgehen
+- 09:30 - 10:00: Beginn der Migration durchgehen
+- 10:00 - 12:30:  OPNsense anstecken, umstecken, allen geraeten dhcp einstellen. Klappt bei allen ausser beim cloud key.. panik, Alle unifi gereate zurucksetzen
+- 12:30 - 13:00: Pause
+- 13:00 - 14:30: unifi einstellungen anpassen, drucker ip anpassen
+- 14:30 - 16:30: VPN Einrichtung bei allen Usern, debuggen.. 
+- 16:30 - 17:15: VPN und debuggen
+
+## Wednesday
+
+- 09:15 - 09:45: KWA: Firewall: IT-Glue config von opnsense erweitern, Certificate chain erzeugen fuer OpenVPN und sbxadmin user Client Zertifikat erstellen
+- 09:45 - 10:45: IPS/IDS konfigurieren, acme an test.gw.softbox.net einrichten und Zertifikate erstellen, IPS/IDS belastet das System hart, muss getestet werden ob deren HW das packt: hat mehr ram
+- 10:45 - 11:45: Firewall Regeln und Aliase setzen fuer alles Dienste, backup erstellen
+
+- 12:45 - 13:45: Firewall Regeln fuer MGMT, CLIENT und SERVER net setzen
+- 13:45 - 14:45: Setze DNAT regel fuer LDAP ports von sbxoffice ip. AD config setzen und user syncen
+- 14:45 - 17:45: VPN Server config, firewall rules, 
+
+## Thursday
+
+
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer für die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen 
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben? 
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+	
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+ 
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding 
+	- setup wan manually 
+	- couple to opncentral 
+	- send generic config via opncentral 
+	- use manual for missing specific configs
+	- check workings of everything
+

diary/2025-04-28.md

@@ -0,0 +1,69 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 08:45 - 09:00: Ticketpflege, Kaffee
+- 09:00 - 09:15: Mailpflege
+- 90:15 - 10:45: Ticketpflege
+- 10:45 - 11:00: Bvv CNAME Eintrag setzen
+- 11:00 - 12:00: Autotask KI Meeting
+- 12:00 - 12:15: Kommunikation mit Oli zu MicroShit Support Kack - Schiess Opfer Firma
+- 12:30 - 13:30: Pause
+- 13:30 - 13:45: Micro$hit Support schreiben. Was fuer Bastarde
+- 13:45 - 14:00: Ticketpflege
+- 14:00 - 15:30: OPNsense IPS/IDS Test, pakete installieren, IT-Glue doku anpassen, unifi switch in IT-glue replizieren
+- 15:30 - 15:45: NinjaOne Bitlocker Recherche, If Bitlocker enabled werden sie in Ninja angezeigt, Erstelle Skript zur Aktivierung des Bitlockers (https://ninjarmm.zendesk.com/hc/en-us/community/posts/35526222579597-Enable-Bitlocker), (https://ninjarmm.zendesk.com/hc/en-us/articles/360051468491-BitLocker-FileVault-Encryption-Key-Management)
+- 15:45 - 16:00: Privates
+- 16:00 - 16:30: Telefonat mit Sebastian, Packen fuer KWA (15 min)
+- 16:30 - 17:30: Anfahrt
+- 17:30 - 18:00: Alte HW einbauen, Lizenz einfuegen und Updaten, Switch in IT-glue anlegen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+ 
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding 
+	- setup wan manually 
+	- couple to opncentral 
+	- send generic config via opncentral 
+	- use manual for missing specific configs
+	- check workings of everything
+

diary/2025-04-29.md

@@ -0,0 +1,66 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+### KWA OPNsense nacharbeit
+
+- [x] backup via ftp to nas if possible --> backup via opncentral
+- [ ] change ilo ip such that its in the mgmt net
+- [ ] unifi cloud key mit cloud koppeln
+- [x] Switch und APs in IT-Glue hinterlegen
+- [ ] physische Beschriftung anpassen
+
+## Timestamps
+
+- 08:45 - 09:00: [x] KWA OPNsense Firewall Regeln nachbessern
+- 09:15 - 10:30: TGA WebServer Protection zu Cloud
+- 10:30 - 10:45: Rauchen
+- 10:45 - 11:00: OPNcentral Lizenz einspielen und dokumentieren
+- 11:00 - 11:30: KWA OPNsense IT-Glue Doku weiterverfassen
+- 11:30 - 12:00: OPNsense cqse Angebot pruefen und besprechen
+- 12:00 - 13:00: Pause
+- 13:00 - 14:00: KWA: Unterstuetzung bei VPN Einrichtung auf iOS, Mail verfassen zu VW Ablage von Projekten auf NAS: pruefe Firewall Rules
+- 14:00 - 14:30: SSR: VW home.asp ticket von annika. Pruefe VWLizenz Server
+- 14:30 - 15:00: pause
+- 15:00 - 15:30: OPNsense feature liste
+
+## todo
+
+### General
+
+- [ ] Liste erstellen aller Projekte, die es gibt und neuem Mitarbeiter vorstellen
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+ 
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding 
+	- setup wan manually 
+	- couple to opncentral 
+	- send generic config via opncentral 
+	- use manual for missing specific configs
+	- check workings of everything
+

projects/OPNsense/STANDARDS/Feature-Capability.md

@@ -0,0 +1,113 @@
+# OPNsense Feature Capability Overview (Industry Use)
+
+This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.
+
+---
+
+## ✅ Stable / Industry-Proven Core Features
+
+These features are well-supported, reliable, and commonly used in production deployments.
+
+### 🔧 Core Networking & Routing
+- VLANs (tagged, untagged)
+- Static and dynamic routing (OSPF, BGP via FRR plugin)
+- Multi-WAN with load balancing / failover
+- NAT (1:1, port forward, outbound NAT)
+- DHCP/DHCPv6 Server & Relay
+- DNS Resolver (Unbound) with DoT, conditional forwarding
+- NTP Server
+
+### 🔐 Firewall & Security
+- Stateful firewall with alias system
+- Schedule-based rules
+- GeoIP blocking
+- Packet logging and rule hit counters
+
+### 👥 Authentication
+- Local user DB
+- LDAP / Active Directory (GPO support)
+- Two-Factor Authentication (TOTP)
+- Captive Portal with LDAP/RADIUS integration
+
+### 🌍 VPN Services
+- OpenVPN (with client export)
+- IPsec (strongSwan)
+- WireGuard (kernel module; fast & stable)
+
+### 🔐 SSL Certificates
+- ACME/Let's Encrypt support
+- DNS-01, HTTP-01
+- Auto-renewal + deploy to services
+
+### 💾 Backup & Management
+- Local and remote encrypted backup
+- OPNcentral for multi-firewall config, update, backup
+- High Availability (CARP-based)
+
+---
+
+## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
+
+These features are usable but require testing or tuning to ensure stability.
+
+### 🛡️ Intrusion Detection / Prevention
+- Suricata (IDS/IPS)
+  - Can impact performance on low-RAM systems (≥8GB recommended)
+  - Inline mode works but may be unstable with certain NICs
+  - Regular ruleset updates supported
+
+### 🌐 Web Filtering / Proxy
+- Squid Proxy + ICAP/ClamAV
+  - SSL inspection fragile; requires CA deployment to clients
+  - Transparent mode unstable on some NICs
+  - Basic caching stable; filtering can be unreliable
+  - ICAP antivirus adds CPU load
+
+### 🔄 Dynamic DNS
+- DDNS client with broad provider support
+- Stable and scriptable
+
+### ☁️ Remote Backups
+- Supported to Google Drive, Git, Nextcloud (via plugin/scripting)
+- Manual testing of restore process recommended
+
+---
+
+## ❌ Experimental / Immature Features
+
+Avoid these for now in production or industrial deployments.
+
+### 📬 Mail Gateway / Relay
+- Basic Postfix relay plugin
+- No spam filtering or advanced mail security
+- Not recommended for secure mail handling
+
+### 🌐 Web Application Firewall (WAF)
+- Nginx WAF plugin exists
+- No full ModSecurity/OWASP integration
+- Better to isolate on a dedicated reverse proxy
+
+### 📦 OPNProxy Plugin
+- Adds fine-grained Squid-based user/group URL access control
+- Inherits Squid’s instability
+- Use with caution or for testing only
+
+---
+
+## Summary Table
+
+| **Feature**                    | **Production Readiness** | **Notes**                                                   |
+|-------------------------------|---------------------------|-------------------------------------------------------------|
+| Core firewall, routing        | ✅ Yes                    | Fully stable                                                |
+| VPN (OpenVPN, WireGuard)      | ✅ Yes                    | Strong support and maturity                                 |
+| Suricata                      | ⚠️ With caution           | Test on hardware; monitor CPU/RAM                           |
+| Web Proxy / Filtering         | ❌ Avoid or isolate        | Only basic use; SSL filtering often unstable                |
+| Antivirus (clamav)            | ⚠️ Optional               | High CPU use; best supplemented by endpoint AV              |
+| DNS & DHCP                    | ✅ Yes                    | Mature and reliable                                         |
+| Mail Relay                    | ❌ No                      | Lacks required filtering and logging for industrial use     |
+| WAF (nginx)                   | ❌ No                      | Too limited for meaningful protection                       |
+| DDNS, Backups, Certs          | ✅ Yes                    | Useful and stable                                           |
+
+---
+
+_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._

projects/OPNsense/STANDARDS/Monthly-Time.md

@@ -0,0 +1,22 @@
+## OPNsense Firewall Monthly Maintenance Estimate (Per Firewall)
+
+### Typical Monthly Tasks
+
+| **Task**                               | **Description**                                                                 | **Estimated Time** |
+|----------------------------------------|----------------------------------------------------------------------------------|---------------------|
+| **Firmware & Plugin Updates**          | Centralized via OPNcentral; all firewalls updated simultaneously.               | 1 hour              |
+| **Routine Configuration Changes**      | Adjusting existing settings, rules, or features (not new plugins).              | 1 hour              |
+| **VPN Client Configuration**           | Exporting client configs for OpenVPN/IPsec users.                               | 0.5 hour            |
+| **Monitoring & Alert Response**        | Reviewing OPNcentral alerts and responding to system warnings.                  | 0.5 hour            |
+| **Unexpected Issues / Tickets**        | Troubleshooting user reports or production issues.                              | 1 hour              |
+|                                        |                                                                                  |                     |
+| **Total (typical month)**              |                                                                                  | **~4 hours**        |
+
+---
+
+### Additional (Occasional) Tasks
+
+| **Task**                               | **Frequency**            | **Estimated Time**        |
+|----------------------------------------|--------------------------|----------------------------|
+| **New Plugin Integration**             | 1–2 times per year       | 1–3 days (one-time effort) |
+| **Firewall Policy Audit & Cleanup**    | Quarterly or Biannually  | 1–2 hours per audit        |

projects/OPNsense/STANDARDS/possible-impovements.md

@@ -0,0 +1,93 @@
+# OPNsense Recommended Plugins & Features (Industrial / Office Use)
+
+This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level.
+
+---
+
+## 🔍 Monitoring & Logging
+
+### ✅ Telegraf Plugin
+- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring.
+- **Integration:** Grafana, InfluxDB, Prometheus.
+- **Notes:** Lightweight and reliable.
+
+### ✅ Netflow / Insight (built-in)
+- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage.
+- **Use Case:** Bandwidth monitoring and anomaly detection.
+- **Notes:** Data can be archived for audit purposes.
+
+### ✅ Zabbix Agent
+- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments.
+- **Notes:** Trusted in enterprise and industrial networks.
+
+---
+
+## 🔐 Access Control & Identity
+
+### ⚠️ FreeRADIUS Plugin
+- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal.
+- **Notes:** Complex to configure; powerful in the right hands.
+
+### ✅ TOTP / 2FA for Web GUI
+- **Purpose:** Adds two-factor authentication for admin access.
+- **Notes:** Uses Google Authenticator or similar apps.
+
+---
+
+## 🛠️ Configuration & Deployment
+
+### ✅ Shellcmd Plugin
+- **Purpose:** Runs custom shell scripts/commands at boot or service start.
+- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes.
+- **Notes:** Excellent for hotfixes or automation in production.
+
+### ✅ Smart Plugin (S.M.A.R.T. Monitoring)
+- **Purpose:** Monitors local disk health if firewall is installed on SSD/HDD.
+- **Notes:** Essential for long-term reliability.
+
+---
+
+## 🧱 Firewall Enhancements
+
+### ⚠️ GeoIP Aliases
+- **Purpose:** Block/allow traffic by country.
+- **Notes:** Requires MaxMind license (free with registration).
+
+### ✅ Policy-Based Routing
+- **Purpose:** Custom WAN selection per VLAN/service/source.
+- **Notes:** Use for traffic shaping, failover, or VoIP priority.
+
+---
+
+## 📡 Edge / Optional Features
+
+### ✅ NTP Daemon
+- **Purpose:** Acts as internal time server for LAN devices.
+- **Use Case:** Environments without external NTP access.
+- **Notes:** Stable and lightweight.
+
+### ✅ mDNS Repeater
+- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint).
+- **Use Case:** Offices with Apple devices or smart printers.
+- **Notes:** Requires proper VLAN firewall rules.
+
+---
+
+## ✅ Recommended Baseline Set for Industrial Use
+
+| **Category**       | **Feature**            | **Plugin**        | **Trust Level** |
+|--------------------|------------------------|-------------------|-----------------|
+| Monitoring         | Telegraf, Netflow      | `telegraf`        | ✅ Stable       |
+| Logging/NMS        | Zabbix Agent           | `os-zabbix-agent` | ✅ Stable       |
+| Automation         | Boot Scripting         | `shellcmd`        | ✅ Stable       |
+| Identity/VPN       | FreeRADIUS (optional)  | `freeradius`      | ⚠️ Moderate     |
+| Access Security    | TOTP 2FA               | Built-in          | ✅ Stable       |
+| Routing Control    | Policy Routing         | Built-in          | ✅ Stable       |
+| Geo Restrictions   | GeoIP Aliases          | MaxMind required  | ⚠️ Moderate     |
+| Time Sync          | NTP Server             | Built-in          | ✅ Stable       |
+| Edge VLAN Utility  | mDNS Repeater          | `mdns-repeater`   | ✅ Stable       |
+
+---
+
+_This list is curated for environments that require high uptime, low maintenance, and avoid fragile or poorly maintained features like Squid or Zenarmor._
+

projects/kwa/firewall_migration/20250318-OPNsense_Migration.md

@@ -30,15 +30,15 @@ output: pdf_document
 
 ## Funktionen
 
-- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
-- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
-- VPN (OpenVPN)
-- Free SSL certs (via ACME)
-- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
-- OPNsense Antivirus Loesung (Clamav + C-Icap)
-- IDS/IPS
-- WAF
-- OPNcentral
+- [x] Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
+- [x] VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
+- [x] VPN (OpenVPN)
+- [x] Free SSL certs (via ACME)
+- [ ] Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
+- [ ] OPNsense Antivirus Loesung (Clamav + C-Icap)
+- [x] IDS/IPS
+- [ ] WAF
+- [=] OPNcentral
 
 ## Zertifikate
 

projects/kwa/firewall_migration/20250414-preparation.md

@@ -1,22 +1,143 @@
 
+## Vor Ort Notes
+opnsense ui: root,  4H?bh,wXU85JrXs
+opnsense ui: sbxadmin, %bghY!FH65Z
+cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU' 
+Main switch: 70:a7:41:ff:e4:4b
+Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15
+
+## General
+
+- [x] Change public DNS entries (gw.knoppwassmer.de -> \<public-ip\> )
+- [x] ports der unifi untersuchen
+- [x] setup acme with dns challenge (issue tomorrow)
+- [x] configure dhcp on all unifi devices
+- [x] unifi dashboard - define all vlan networks
+- [x] add to opncentral
+- [x] fotos machen
+- [x] ips/ids anschalten
+- [x] backup via ftp to nas if possible
+- [ ] change ilo ip such that its in the mgmt net
+- [ ] unifi cloud key mit cloud koppeln
+- [ ] Switch und APs in IT-Glue hinterlegen
+- [ ] physische Beschriftung anpassen
+
+
 ## Kerio Features 
 
 ### Network
 
 - WAN: 10.0.70.2 (FritzBox PPPoE)
 - LAN: 192.168.70.1/24
-- VPN: 192.168.170.1/24
+- VPN: 172.16.70.1/24
 
+### DNS and DHCP
+
+- [x] domain name: ad.knoppwassmer.de
+- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`
 
 ## OPNsense
 
 ### Network
 
-| Name       | Interface | Network           | Note           |
-| ---------- | --------- | ----------------- | -------------- |
-| WAN        | WAN       | 10.0.70.2/32      | FritzBox PPPoE |
-| MGMT       | LAN       | 192.168.50.254/24 |                |
-| SERVER     | LAN       | 192.168.70.254/24 |                |
-| CLIENT     | LAN       | 192.168.20.254/24 |                |
-| WLAN       | LAN       | 192.168.30.254/24 |                |
-| WLAN_GUEST | LAN       | 192.168.40.254/24 |                |
+| Name       | Interface | VLAN tag | Network         | Note                    |
+| ---------- | --------- | -------- | --------------- | ----------------------- |
+| WAN        | WAN       | /        | 10.0.70.2/32    | FritzBox PPPoE          |
+| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
+| SERVER     | LAN       | 70       | 192.168.70.1/24 |                         |
+| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
+| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
+| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
+| OpenVPN    | VPN       |          | 172.16.70.1/24  |                         |
+
+### Firewall
+
+#### Aliase
+
+- [x] filewave
+- [x] mailstore
+- [x] nas
+- [x] sbxoffice
+- [x] ad
+- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.70.200)
+
+#### Rules
+
+##### WAN
+
+- [ ] enable geo filter (iran, north korea, russia)
+- [x] Allow VPN entrypoint to WAN via VPN port
+
+##### MGMT
+
+- [x] allow 'mgmt addr' to AD server via ldap
+- [x] allow 'mgmt net' to AD via dns
+
+##### USER
+
+- [x] allow 'user net' to AD via dns
+- [x] allow 'user net' to nas via smb
+- [x] allow 'user net' to AD via ldap(s)
+- [x] allow 'user net' to 'server net' via https
+- [x] allow 'user net' to mailstore via its web port (Reverse Proxy in future)
+- [x] allow 'user net' to vwlizenz via (any?)
+- [x] allow 'user net' to filewaveserver via filewaveservice ports
+
+##### VPN
+
+- [x] allow 'vpn net' to AD via dns
+- [x] Allow SMB for VPN Client network
+- [x] allow vpn net to server net
+
+##### SERVER
+
+- [x] Allow filewave out 
+
+#### DNAT
+
+- [x] Port 8462/tcp from WAN address to Mailstore IP NAT
+- [x] Port Group "Filewave" from WAN address to Filewave IP NAT
+
+### Authentication Server
+
+- [x] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
+
+### VPN
+- depends on: Authentication Server
+
+- [x] Setup OpenVPN. 
+	- [x] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
+	- [x] setup openvpn server
+	- [x] setup client certs
+
+### IPS/IDS
+
+- [x] setup and configure surricata - very heavy on resources.. need to be tested
+
+### Content Filter
+
+- [ ] Recreate - if possible - application, web and https filter
+
+### Reverse Proxy (Web Server Protection)
+
+- [ ] projektpro
+- [ ] Andere?
+
+### NTP 
+
+- Server: `srvu-master.ad.knoppwassmer.de`
+
+## Archive
+
+### Vor Ort Notes
+
+1. Plane Switch Portbelegung
+2. Stelle alle Geraete auf dhcp um: 
+	1. [x] switches
+	2. [x] APs
+	3. [x] Cloud-Key
+	4. [x] Telefone
+	5. [x] Drucker (drucker muss mehr angepasst werden: dns)
+3. Dangerous: Setze VLANs auf designierte Ports um
+4. Geraete runterfahren
+5. Neue Firewall anschalten und hoffen, dass es klappt