diff --git a/.DS_Store b/.DS_Store index 499cc25..0836ba8 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json index 246b806..49c9b97 100644 --- a/.obsidian/workspace.json +++ b/.obsidian/workspace.json @@ -37,7 +37,7 @@ "state": { "type": "markdown", "state": { - "file": "diary/2025-04-17.md", + "file": "diary/2025-04-29.md", "mode": "source", "source": true, "backlinks": true, @@ -52,16 +52,16 @@ } }, "icon": "lucide-file", - "title": "2025-04-17" + "title": "2025-04-29" } }, { - "id": "23e94d4003b4c31e", + "id": "6afce9769f210b2e", "type": "leaf", "state": { "type": "markdown", "state": { - "file": "projects/phytron/nextcloud_gitlab_after_hack.md", + "file": "projects/kwa/firewall_migration/20250317_first-meeting.md", "mode": "source", "source": true, "backlinks": true, @@ -76,16 +76,16 @@ } }, "icon": "lucide-file", - "title": "nextcloud_gitlab_after_hack" + "title": "20250317_first-meeting" } }, { - "id": "23676dcc91a6b6e8", + "id": "f311d0c07a57b878", "type": "leaf", "state": { "type": "markdown", "state": { - "file": "projects/kwa/firewall_migration/20250414-preparation.md", + "file": "projects/OPNsense/STANDARDS/Monthly-Time.md", "mode": "source", "source": true, "backlinks": true, @@ -100,16 +100,16 @@ } }, "icon": "lucide-file", - "title": "20250414-preparation" + "title": "Monthly-Time" } }, { - "id": "175e86d27cc90624", + "id": "33e939315b6ac8f0", "type": "leaf", "state": { "type": "markdown", "state": { - "file": "projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md", + "file": "projects/OPNsense/STANDARDS/Feature-Capability.md", "mode": "source", "source": true, "backlinks": true, 
@@ -124,11 +124,35 @@ } }, "icon": "lucide-file", - "title": "overview-qumulo_and_comp-nodes" + "title": "Feature-Capability" + } + }, + { + "id": "855d54493706a383", + "type": "leaf", + "state": { + "type": "markdown", + "state": { + "file": "projects/OPNsense/STANDARDS/possible-impovements.md", + "mode": "source", + "source": true, + "backlinks": true, + "backlinkOpts": { + "collapseAll": false, + "extraContext": false, + "sortOrder": "alphabetical", + "showSearch": false, + "searchQuery": "", + "backlinkCollapsed": false, + "unlinkedCollapsed": true + } + }, + "icon": "lucide-file", + "title": "possible-impovements" } } ], - "currentTab": 1 + "currentTab": 4 } ], "direction": "vertical" 
@@ -304,44 +328,45 @@ "templater-obsidian:Templater": false } }, - "active": "b865e0663684cf60", + "active": "33e939315b6ac8f0", "lastOpenFiles": [ - "projects/phytron/nextcloud_gitlab_after_hack.md", - "diary/2025-04-17.md", + "projects/OPNsense/STANDARDS/Monthly-Time.md", + "projects/OPNsense/STANDARDS/Feature-Capability.md", + "projects/OPNsense/STANDARDS/possible-impovements.md", + "diary/2025-04-29.md", + "projects/kwa/firewall_migration/20250317_first-meeting.md", + "projects/OPNsense/Schulungen/Untitled", + "projects/OPNsense/unknown/opnsense-proposal-draft.md", + "projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md", + "projects/OPNsense/STANDARDS", + "projects/OPNsense/unknown", + "projects/OPNsense/unknown/opnsense-planing.md", + "projects/OPNsense/unknown/opnsense-frankeriger-current.md", + "projects/OPNsense/unknown/opnsense-checklists.md", + "projects/OPNsense/unknown/opnsense-central-management.md", + "projects/OPNsense/unknown/opnsense-bussines-edition.md", + "projects/OPNsense/Schulungen/20250319-pre-meeting-prep.md", + "projects/OPNsense/Schulungen/20250305-initial_ideas.md", + "projects/OPNsense/Initial-Notes/OPNsense.md", + "projects/OPNsense/Initial-Notes/OPNsense-config.md", + "projects/OPNsense/Initial-Notes/OPNsense-config_summary.md", + "projects/OPNsense/Initial-Notes/OPNsense-future.md", + "projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md", + "projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md", + "projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md", + "projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md", "projects/kwa/firewall_migration/20250414-preparation.md", - "projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md", - "diary/2025-04-16.md", - "projects/ipv6/basics.md", - "diary/2025-04-15.md", - "projects/sbx/sbx-lab-network.md", - "diary/2025-04-14.md", "projects/kwa/firewall_migration/20250318-OPNsense_Migration.md", - 
"projects/win10_2_win11/20250411-Meeting-JM.md", - "diary/2025-04-11.md", - "diary/2025-04-13.md", - "projects/kwa/mail_migration/timestamp-change.md", + "archive/APSA", + "todo.md", + "projects/OPNsense/Cluster/20250307-cluster-test-on-sg310.md", + "files/Pasted image 20250429110706.png", "projects/win10_2_win11", - "diary/2025-04-10.md", - "diary/2025-04-09.md", - "diary/2025-04-08.md", - "projects/discopharma/20250320-manual-project.md", - "diary/2025-04-07.md", - "projects/ssr/202504-4architekten/notes.md", - "diary/2025-04-06.md", - "diary/2025-04-04.md", - "diary/2025-04-03.md", - "projects/neosphere/qumulus/20250502-storage-cluster.md", - "diary/2025-04-02.md", - "projects/sbx/manuals/Sophos-SG_PPPoE-data.md", "projects/sbx/manuals", "projects/ssr/202504-4architekten", "projects/sbx/firewall-std", - "projects/boschmann+feth", + "archive/boschmann+feth", "files/discopharma/discopharma-infra.drawio.png", - "files/discopharma", - "files/New folder", - "projects/discopharma/Meetings", - "diary/2025-04", - "diary/2025-03" + "files/discopharma" ] } \ No newline at end of file
diff --git a/areas/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md b/archive/APSA/apsa-pfsense_vs_opnsense/setup-notes.md
similarity index 100%
rename from areas/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md
rename to archive/APSA/apsa-pfsense_vs_opnsense/setup-notes.md
diff --git a/projects/VZ/Rezept-Installation.md b/archive/VZ/Rezept-Installation.md
similarity index 100%
rename from projects/VZ/Rezept-Installation.md
rename to archive/VZ/Rezept-Installation.md
diff --git a/projects/VZ/Win11-autoinstall-iso.md b/archive/VZ/Win11-autoinstall-iso.md
similarity index 100%
rename from projects/VZ/Win11-autoinstall-iso.md
rename to archive/VZ/Win11-autoinstall-iso.md
diff --git a/projects/VZ/ninja-install-archive.md b/archive/VZ/ninja-install-archive.md
similarity index 100%
rename from projects/VZ/ninja-install-archive.md
rename to archive/VZ/ninja-install-archive.md
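Review bot: `.obsidian/workspace.json` and `.DS_Store` are editor and Finder state rather than vault content, and this hunk shows the cost of tracking them: every leaf `id`, the `active` pane and the whole `lastOpenFiles` list are rewritten per session, so each commit carries a noisy, unreviewable diff (the `.DS_Store` change is binary) and the history records which customer notes were opened and when. Neither file is needed to reproduce the vault; if the plugin settings under `.obsidian/` are meant to be shared, keep those and exclude only the state file. I would add `.DS_Store` and `.obsidian/workspace.json` to `.gitignore` and untrack them with `git rm --cached .DS_Store .obsidian/workspace.json`. If this vault is pushed to any shared or hosted remote, the client-named paths in `lastOpenFiles` are the first thing to audit in the existing history.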
diff --git a/projects/boschmann+feth/20250326-Preparation.md b/archive/boschmann+feth/20250326-Preparation.md
similarity index 100%
rename from projects/boschmann+feth/20250326-Preparation.md
rename to archive/boschmann+feth/20250326-Preparation.md
diff --git a/projects/bvv/bind-manual.md b/archive/bvv/bind-manual.md
similarity index 100%
rename from projects/bvv/bind-manual.md
rename to archive/bvv/bind-manual.md
diff --git a/projects/radiochemie/opnsense-on-sophosHW-END.md b/archive/radiochemie/opnsense-on-sophosHW-END.md
similarity index 100%
rename from projects/radiochemie/opnsense-on-sophosHW-END.md
rename to archive/radiochemie/opnsense-on-sophosHW-END.md
diff --git a/projects/radiochemie/opnsense-on-sophosHW-HA.md b/archive/radiochemie/opnsense-on-sophosHW-HA.md
similarity index 100%
rename from projects/radiochemie/opnsense-on-sophosHW-HA.md
rename to archive/radiochemie/opnsense-on-sophosHW-HA.md
diff --git a/projects/radiochemie/opnsense-on-sophosHW-intro.md b/archive/radiochemie/opnsense-on-sophosHW-intro.md
similarity index 100%
rename from projects/radiochemie/opnsense-on-sophosHW-intro.md
rename to archive/radiochemie/opnsense-on-sophosHW-intro.md
diff --git a/projects/radiochemie/opnsense-on-sophosHW-multi_wan.md b/archive/radiochemie/opnsense-on-sophosHW-multi_wan.md
similarity index 100%
rename from projects/radiochemie/opnsense-on-sophosHW-multi_wan.md
rename to archive/radiochemie/opnsense-on-sophosHW-multi_wan.md
diff --git a/projects/radiochemie/opnsense-on-sophosHW-ressources.md b/archive/radiochemie/opnsense-on-sophosHW-ressources.md
similarity index 100%
rename from projects/radiochemie/opnsense-on-sophosHW-ressources.md
rename to archive/radiochemie/opnsense-on-sophosHW-ressources.md
diff --git a/projects/radiochemie/ovpn-mixed-otp.md b/archive/radiochemie/ovpn-mixed-otp.md
similarity index 100%
rename from projects/radiochemie/ovpn-mixed-otp.md
rename to archive/radiochemie/ovpn-mixed-otp.md
diff --git a/projects/ssr-kwa/Tickets-20240704.md b/archive/ssr-kwa/Tickets-20240704.md
similarity index 100%
rename from projects/ssr-kwa/Tickets-20240704.md
rename to archive/ssr-kwa/Tickets-20240704.md
diff --git a/projects/ssr-kwa/buero-umbau/20240210-Umzug-Planung.md b/archive/ssr-kwa/buero-umbau/20240210-Umzug-Planung.md
similarity index 100%
rename from projects/ssr-kwa/buero-umbau/20240210-Umzug-Planung.md
rename to archive/ssr-kwa/buero-umbau/20240210-Umzug-Planung.md
diff --git a/projects/ssr-kwa/buero-umbau/20240918_Meeting_First-Step-Umbau.md b/archive/ssr-kwa/buero-umbau/20240918_Meeting_First-Step-Umbau.md
similarity index 100%
rename from projects/ssr-kwa/buero-umbau/20240918_Meeting_First-Step-Umbau.md
rename to archive/ssr-kwa/buero-umbau/20240918_Meeting_First-Step-Umbau.md
diff --git a/projects/ssr-kwa/buero-umbau/20240918_meeting-oli.md b/archive/ssr-kwa/buero-umbau/20240918_meeting-oli.md
similarity index 100%
rename from projects/ssr-kwa/buero-umbau/20240918_meeting-oli.md
rename to archive/ssr-kwa/buero-umbau/20240918_meeting-oli.md
diff --git a/projects/ssr-kwa/buero-umbau/20240925-Einsatz-Kabellegung.md b/archive/ssr-kwa/buero-umbau/20240925-Einsatz-Kabellegung.md
similarity index 100%
rename from projects/ssr-kwa/buero-umbau/20240925-Einsatz-Kabellegung.md
rename to archive/ssr-kwa/buero-umbau/20240925-Einsatz-Kabellegung.md
diff --git a/projects/ssr-kwa/buero-umbau/Inital.md b/archive/ssr-kwa/buero-umbau/Inital.md
similarity index 100%
rename from projects/ssr-kwa/buero-umbau/Inital.md
rename to archive/ssr-kwa/buero-umbau/Inital.md
diff --git a/projects/ssr-kwa/einsatz-20240715.md b/archive/ssr-kwa/einsatz-20240715.md
similarity index 100%
rename from projects/ssr-kwa/einsatz-20240715.md
rename to archive/ssr-kwa/einsatz-20240715.md
diff --git a/projects/ssr-kwa/licenses.md b/archive/ssr-kwa/licenses.md
similarity index 100%
rename from projects/ssr-kwa/licenses.md
rename to archive/ssr-kwa/licenses.md
diff --git a/projects/ssr-kwa/mail-migration/202410_Meeting-MailMigration.md b/archive/ssr-kwa/mail-migration/202410_Meeting-MailMigration.md
similarity index 100%
rename from projects/ssr-kwa/mail-migration/202410_Meeting-MailMigration.md
rename to archive/ssr-kwa/mail-migration/202410_Meeting-MailMigration.md
diff --git a/projects/ssr-kwa/mail-migration/20250206-KWA-Meeting.md b/archive/ssr-kwa/mail-migration/20250206-KWA-Meeting.md
similarity index 100%
rename from projects/ssr-kwa/mail-migration/20250206-KWA-Meeting.md
rename to archive/ssr-kwa/mail-migration/20250206-KWA-Meeting.md
diff --git a/projects/ssr-kwa/mail-migration/ssr-mail-migration-meeting-max-20240808.md b/archive/ssr-kwa/mail-migration/ssr-mail-migration-meeting-max-20240808.md
similarity index 100%
rename from projects/ssr-kwa/mail-migration/ssr-mail-migration-meeting-max-20240808.md
rename to archive/ssr-kwa/mail-migration/ssr-mail-migration-meeting-max-20240808.md
diff --git a/projects/ssr-kwa/manual/Checkliste-apple-geraete.md b/archive/ssr-kwa/manual/Checkliste-apple-geraete.md
similarity index 100%
rename from projects/ssr-kwa/manual/Checkliste-apple-geraete.md
rename to archive/ssr-kwa/manual/Checkliste-apple-geraete.md
diff --git a/projects/ssr-kwa/manual/iphone-onboarding.md b/archive/ssr-kwa/manual/iphone-onboarding.md
similarity index 100%
rename from projects/ssr-kwa/manual/iphone-onboarding.md
rename to archive/ssr-kwa/manual/iphone-onboarding.md
diff --git a/projects/ssr-kwa/manual/kerio-vpn-apple-silicon.html b/archive/ssr-kwa/manual/kerio-vpn-apple-silicon.html
similarity index 100%
rename from projects/ssr-kwa/manual/kerio-vpn-apple-silicon.html
rename to archive/ssr-kwa/manual/kerio-vpn-apple-silicon.html
diff --git a/projects/ssr-kwa/manual/kerio-vpn-apple-silicon.md b/archive/ssr-kwa/manual/kerio-vpn-apple-silicon.md
similarity index 100%
rename from projects/ssr-kwa/manual/kerio-vpn-apple-silicon.md
rename to archive/ssr-kwa/manual/kerio-vpn-apple-silicon.md
diff --git a/projects/ssr-kwa/manual/smb-server-centos.md b/archive/ssr-kwa/manual/smb-server-centos.md
similarity index 100%
rename from projects/ssr-kwa/manual/smb-server-centos.md
rename to archive/ssr-kwa/manual/smb-server-centos.md
diff --git a/projects/ssr-kwa/projekt-datenschutz/20240909-meeting-datenschutzbeauftragter.md b/archive/ssr-kwa/projekt-datenschutz/20240909-meeting-datenschutzbeauftragter.md
similarity index 100%
rename from projects/ssr-kwa/projekt-datenschutz/20240909-meeting-datenschutzbeauftragter.md
rename to archive/ssr-kwa/projekt-datenschutz/20240909-meeting-datenschutzbeauftragter.md
diff --git a/projects/ssr-kwa/projekt-datenschutz/backup-scheme.md b/archive/ssr-kwa/projekt-datenschutz/backup-scheme.md
similarity index 100%
rename from projects/ssr-kwa/projekt-datenschutz/backup-scheme.md
rename to archive/ssr-kwa/projekt-datenschutz/backup-scheme.md
diff --git a/projects/ssr-kwa/projekt-datenschutz/projekt-datenschutzkonzept.md b/archive/ssr-kwa/projekt-datenschutz/projekt-datenschutzkonzept.md
similarity index 100%
rename from projects/ssr-kwa/projekt-datenschutz/projekt-datenschutzkonzept.md
rename to archive/ssr-kwa/projekt-datenschutz/projekt-datenschutzkonzept.md
diff --git a/projects/ssr-kwa/todo-20240725.md b/archive/ssr-kwa/todo-20240725.md
similarity index 100%
rename from projects/ssr-kwa/todo-20240725.md
rename to archive/ssr-kwa/todo-20240725.md
diff --git a/diary/2025-04-21.md b/diary/2025-04-21.md
new file mode 100644
index 0000000..e69de29
diff --git a/diary/2025-04-22.md b/diary/2025-04-22.md
new file mode 100644
index 0000000..b9be357
--- /dev/null
+++ b/diary/2025-04-22.md
@@ -0,0 +1,111 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 09:15 - 09:45: Ticketpflege
+- 09:45 - 11:30: SSR Wildcard cert abgelaufen. erstelle wildcard certs via letsencrypt
+- 11:30 - 12:30: Pause
+- 12:30 - 15:00: SSL Zerifikate beantragen, rumschieben, umwandeln, ueberall einfuegen
+- 15:00 - 17:00: OPNsense einrichtung. VLANs, WAN config, Updates, Lizenz, IT-docs, Aliase setzen, user erstellen, dhcp config, dns config
+
+## Thursday
+
+- 08:45 - 09:00: Ueber MicroShit Support mail aergern
+- 09:00 - 09:45: aldi milch einkauf, quatchen
+- 09:45 - 10:00: Sammeln, kaffee
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer fΓΌr die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+- 10:45 - 11:00: Rauchen
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+- 12:00 - 13:30: Pause
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben?
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding
+ - setup wan manually
+ - couple to opncentral
+ - send generic config via opncentral
+ - use manual for missing specific configs
+ - check workings of everything
+
diff --git a/diary/2025-04-23.md b/diary/2025-04-23.md
new file mode 100644
index 0000000..8d03038
--- /dev/null
+++ b/diary/2025-04-23.md
@@ -0,0 +1,132 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 08:30 - 09:00: Ankunft, Serverraum Verkabelung ann Switch pruefen und dokumentieren und planen Portbelegung, Neue Firewall anstecken, nachdenken
+- 09:00 - 09:30: UTM Installation bei Dominik durchgehen - zu aufwendig (MAC hypervisor), ports an switch durchgehen
+- 09:30 - 10:00: Beginn der Migration durchgehen
+- 10:00 - 12:30: OPNsense anstecken, umstecken, allen geraeten dhcp einstellen. Klappt bei allen ausser beim cloud key.. panik, Alle unifi gereate zurucksetzen
+- 12:30 - 13:00: Pause
+- 13:00 - 14:30: unifi einstellungen anpassen, drucker ip anpassen
+- 14:30 - 16:30: VPN Einrichtung bei allen Usern, debuggen..
+- 16:30 - 17:15: VPN und debuggen
+
+## Wednesday
+
+- 09:00 - 09:15 Mails beantworten
+- 09:15 - 09:45: KWA: Firewall: IT-Glue config von opnsense erweitern, Certificate chain erzeugen fuer OpenVPN und sbxadmin user Client Zertifikat erstellen
+- 09:45 - 10:45: IPS/IDS konfigurieren, acme an test.gw.softbox.net einrichten und Zertifikate erstellen, IPS/IDS belastet das System hart, muss getestet werden ob deren HW das packt: hat mehr ram
+- 10:45 - 11:45: Firewall Regeln und Aliase setzen fuer alles Dienste, backup erstellen
+- 11:45 - 12:45: Pause
+- 12:45 - 13:45: Firewall Regeln fuer MGMT, CLIENT und SERVER net setzen
+- 13:45 - 14:45: Setze DNAT regel fuer LDAP ports von sbxoffice ip. AD config setzen und user syncen
+- 14:45 - 17:45: VPN Server config, firewall rules,
+
+## Tuesday
+
+- 09:15 - 09:45: Ticketpflege
+- 09:45 - 11:30: SSR Wildcard cert abgelaufen. erstelle wildcard certs via letsencrypt
+- 11:30 - 12:30: Pause
+- 12:30 - 15:00: SSL Zerifikate beantragen, rumschieben, umwandeln, ueberall einfuegen
+- 15:00 - 17:00: OPNsense einrichtung. VLANs, WAN config, Updates, Lizenz, IT-docs, Aliase setzen, user erstellen, dhcp config, dns config
+
+## Thursday
+
+- 08:45 - 09:00: Ueber MicroShit Support mail aergern
+- 09:00 - 09:45: aldi milch einkauf, quatchen
+- 09:45 - 10:00: Sammeln, kaffee
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer fΓΌr die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+- 10:45 - 11:00: Rauchen
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+- 12:00 - 13:30: Pause
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben?
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 14:00 - 15:00: kwa zertifikate bestellen lassen und einpflegen
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding
+ - setup wan manually
+ - couple to opncentral
+ - send generic config via opncentral
+ - use manual for missing specific configs
+ - check workings of everything
+
diff --git a/diary/2025-04-24.md b/diary/2025-04-24.md
new file mode 100644
index 0000000..e69de29
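Review bot: The entry `- 13:45 - 14:45: Setze DNAT regel fuer LDAP ports von sbxoffice ip. AD config setzen und user syncen` records a WAN port-forward to the domain controller without saying which ports (389 and/or 636), which source alias the rule is bound to, or whether LDAPS/StartTLS is enforced; a plain-LDAP bind across the internet sends the sync account's credentials in cleartext, and a source-IP-only DNAT is defeated by a reassigned or spoofed office address. I would extend the entry, and the IT-Glue record the same block mentions, with the exact ports, the source alias and the TLS requirement, e.g. `DNAT 636/tcp only, src alias sbxoffice_wan, LDAPS enforced, 389 not forwarded`, and note whether the OpenVPN server configured in the same block could carry the LDAP sync instead of a DNAT. The `backup erstellen` in the 10:45 entry is presumably the OPNsense config export; if so it contains the private keys of the CA and client certificate created at 09:15 and should be kept with the encrypted export option rather than as a plain XML attachment.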
diff --git a/diary/2025-04-25.md b/diary/2025-04-25.md
new file mode 100644
index 0000000..2b83af8
--- /dev/null
+++ b/diary/2025-04-25.md
@@ -0,0 +1,131 @@
+$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
+
+![important](files/sbx/important.png)
+
+## Do-It
+
+- handout: Sophos und OPNsense
+- qumulo - zeichne endlich
+- phytron - nextcloud abschliessen
+
+## Timestamps
+
+- 08:15 - 08:30: IT-Glue dokumentation
+- 08:30 - 08:45: Firewall Aliase und Regeln fuer Unifi definieren
+- 08:45 - 09:15: Firewall Regeln anpassen, Drucker macht Probleme, Regeln anpaasen, Drucker falsche DSN einsetllungen
+- 09:15 - 10:30: Alte firewall aufbauen und anschliessen, Passe VPN Config an: dns und regeln, bei Herrn wassmer vpn konfigurieren
+- 10:30 - 13:00: installiere opnsense auf alter hardware, debugging, root passwort geht nicht nach backup restore, mehrmals neu installieren, pass reset: komme nicht in web-ui
+- 13:00 - 14:00: Anfahrt
+- 14:00 - 15:00: Pause
+- 15:00 - 16:00: KWA opnsense HW aufbauen und mit pikvm verkabeln
+
+## Thursday
+
+- 08:30 - 09:00: Ankunft, Serverraum Verkabelung ann Switch pruefen und dokumentieren und planen Portbelegung, Neue Firewall anstecken, nachdenken
+- 09:00 - 09:30: UTM Installation bei Dominik durchgehen - zu aufwendig (MAC hypervisor), ports an switch durchgehen
+- 09:30 - 10:00: Beginn der Migration durchgehen
+- 10:00 - 12:30: OPNsense anstecken, umstecken, allen geraeten dhcp einstellen. Klappt bei allen ausser beim cloud key.. panik, Alle unifi gereate zurucksetzen
+- 12:30 - 13:00: Pause
+- 13:00 - 14:30: unifi einstellungen anpassen, drucker ip anpassen
+- 14:30 - 16:30: VPN Einrichtung bei allen Usern, debuggen..
+- 16:30 - 17:15: VPN und debuggen
+
+## Wednesday
+
+- 09:15 - 09:45: KWA: Firewall: IT-Glue config von opnsense erweitern, Certificate chain erzeugen fuer OpenVPN und sbxadmin user Client Zertifikat erstellen
+- 09:45 - 10:45: IPS/IDS konfigurieren, acme an test.gw.softbox.net einrichten und Zertifikate erstellen, IPS/IDS belastet das System hart, muss getestet werden ob deren HW das packt: hat mehr ram
+- 10:45 - 11:45: Firewall Regeln und Aliase setzen fuer alles Dienste, backup erstellen
+
+- 12:45 - 13:45: Firewall Regeln fuer MGMT, CLIENT und SERVER net setzen
+- 13:45 - 14:45: Setze DNAT regel fuer LDAP ports von sbxoffice ip. AD config setzen und user syncen
+- 14:45 - 17:45: VPN Server config, firewall rules,
+
+## Thursday
+
+
+- 10:00 - 10:30: DAV: Linux Netwerkeinstellungen - Ticket Nummer fΓΌr die Rechnung bitte [BGS-13360](https://hilfe.dav360.de/browse/BGS-13360 "https://hilfe.dav360.de/browse/bgs-13360") nutzen
+- 10:30 - 10:45: TeamViewer auf Mac Instalileren und konfigurieren
+
+- 11:00 - 11:30: Telefonat mit Toril: apple id kann nicht angelegt werden, da Nummer schon vergeben, Notizen App fehlen Funktionen
+- 11:30 - 12:00: FIrewall aufbauen fuer opnsense firewall migration bei kwa
+
+- 13:30 - 15:00: neospehere netzwerkdiagram zeichnen
+- 15:00 - 16:30: OPNsense Einrichtung bei KWA. Lizenz in IT-Glue Eintragen, Passwoerter in IT-Glue eintragen
+
+## Wednesday
+
+- 08:30 - 09:00: ipv6 lernen
+
+- 09:30 - 09:45: FileMaker Update bei Matthias Wittmann
+- 09:45 - 10:15: MicroShit Support schreiben
+- 10:15 - 11:00: Pause, ipv6 lernen
+- 11:00 - 12:30: ipv6 lernen
+
+- 13:30 - 14:00: Toril schreiben. Recherche: kann man 2 apple id's mit selber nummer haben?
+- 14:00 - 14:30: tga firewall - es geht obwohl es das sollte. Nehme an, dass es an der public IP liegt
+- 14:30 - 17:30: NeoSphere Netzwerkstruktur um neuen Qumulo
+
+## Tuesday
+
+- 09:30 - 09:45: neosphere - ilo-ubt03 lizenz key suchen
+
+- 10:00 - 10:30: Zugang phytron nextcloud: design schon gemacht, updaten um zwei versionen
+- 10.30 - 11:00: cloud.sbx.de design gestalten
+
+- 11:15 - 11:45: Projekt Freigabe Postafaecher fuer KWA hinzufuegen
+- 11:45 - 12:00: SSR Teams nicht mehr anwendbar duer macOS 12
+
+- 13:00 - 13:30: Neosphere Netzwerkdiagram erstellen
+- 13:30 - 14:00: Lerne was SLURM und Integration in Kubernetes
+- 14:00 - 14:30: Matthias kontaktieren, Sein Mac Updaten, erstelle Liste aller Geraete welche Update brauchen.
+
+- 15:00 - 16:00: tga cloud erreichen
+
+## Monday
+
+- 15:00 - 15:30: Mailstore authentifizerungs problem
+- 15:30 - 16:00: Mit Marko OPNsense bei cqse besprechen und standard hardware raussuchen fuer den build
+- 16:00 - 16:30: TestCluster aufbauen und anschalten
+- 16:30 - 17:00: OPNsense auf XG installieren fuer KWA und entsprechend Notizen machen
+
+## todo
+
+### General
+
+- [ ] handout fuer jeweils sophos und opnsense als vergleich
+- [ ] aufgaben fuer wartung rausschreiben
+- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline)
+
+- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
+
+- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
+- [ ] kwa/ssr snmp karten fuer usv
+- [ ] update filewave admin und central
+
+### SBX
+
+- [ ] kube cluster on pve.lab.softbox.net
+- [ ] backup on external drive for pve.lab.softbox.net
+
+- [ ] check if possible to monitor vsphere passwd expiration
+- [ ] create obsidian templates (Meetings, People, )
+- [ ] sbx - opsreportcard summary for action plan
+
+- [ ] fuege bharchitekten zu connectsecure hinzu
+- [ ] erstelle connectsecure report fuer grasslfing
+- [ ] cybercns bei heilmaier
+
+- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
+
+#### OPNsense
+
+1. check franke rieger firewall setup
+2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
+3. test management via opncentral
+4. write manual for on-boarding
+ - setup wan manually
+ - couple to opncentral
+ - send generic config via opncentral
+ - use manual for missing specific configs
+ - check workings of everything
+
diff --git a/diary/2025-04-26.md b/diary/2025-04-26.md
new file mode 100644
index 0000000..e69de29
diff --git a/diary/2025-04-27.md b/diary/2025-04-27.md
new file mode 100644
index 0000000..e69de29
diff --git a/diary/2025-04-28.md b/diary/2025-04-28.md
new file mode 100644
index 0000000..844eedd
--- /dev/null
+++ b/diary/2025-04-28.md
@@ -0,0 +1,69 @@ +$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$ + +![important](files/sbx/important.png) + +## Do-It + +- handout: Sophos und OPNsense +- qumulo - zeichne endlich +- phytron - nextcloud abschliessen + +## Timestamps + +- 08:45 - 09:00: Ticketpflege, Kaffee +- 09:00 - 09:15: Mailpflege +- 90:15 - 10:45: Ticketpflege +- 10:45 - 11:00: Bvv CNAME Eintrag setzen +- 11:00 - 12:00: Autotask KI Meeting +- 12:00 - 12:15: Kommunikation mit Oli zu MicroShit Support Kack - Schiess Opfer Firma +- 12:30 - 13:30: Pause +- 13:30 - 13:45: Micro$hit Support schreiben. Was fuer Bastarde +- 13:45 - 14:00: Ticketpflege +- 14:00 - 15:30: OPNsense IPS/IDS Test, pakete installieren, IT-Glue doku anpassen, unifi switch in IT-glue replizieren +- 15:30 - 15:45: NinjaOne Bitlocker Recherche, If Bitlocker enabled werden sie in Ninja angezeigt, Erstelle Skript zur Aktivierung des Bitlockers (https://ninjarmm.zendesk.com/hc/en-us/community/posts/35526222579597-Enable-Bitlocker), (https://ninjarmm.zendesk.com/hc/en-us/articles/360051468491-BitLocker-FileVault-Encryption-Key-Management) +- 15:45 - 16:00: Privates +- 16:00 - 16:30: Telefonat mit Sebastian, Packen fuer KWA (15 min) +- 16:30 - 17:30: Anfahrt +- 17:30 - 18:00: Alte HW einbauen, Lizenz einfuegen und Updaten, Switch in IT-glue anlegen + +## todo + +### General + +- [ ] handout fuer jeweils sophos und opnsense als vergleich +- [ ] aufgaben fuer wartung rausschreiben +- [ ] detailiert feature liste fuer opnsense (fuer internen nutzen und grobe baseline) + +- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung + +- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs +- [ ] kwa/ssr snmp karten fuer usv +- [ ] update filewave admin und central + +### SBX + +- [ ] kube cluster on pve.lab.softbox.net +- [ ] backup on external drive for pve.lab.softbox.net + +- [ ] check 
if possible to monitor vsphere passwd expiration +- [ ] create obsidian templates (Meetings, People, ) +- [ ] sbx - opsreportcard summary for action plan + +- [ ] fuege bharchitekten zu connectsecure hinzu +- [ ] erstelle connectsecure report fuer grasslfing +- [ ] cybercns bei heilmaier + +- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups + +#### OPNsense + +1. check franke rieger firewall setup +2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...) +3. test management via opncentral +4. write manual for on-boarding + - setup wan manually + - couple to opncentral + - send generic config via opncentral + - use manual for missing specific configs + - check workings of everything + diff --git a/diary/2025-04-29.md b/diary/2025-04-29.md new file mode 100644 index 0000000..7dd21a4 --- /dev/null +++ b/diary/2025-04-29.md 
@@ -0,0 +1,66 @@ +$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$ + +![important](files/sbx/important.png) + +### KWA OPNsense nacharbeit + +- [x] backup via ftp to nas if possible --> backup via opncentral +- [ ] change ilo ip such that its in the mgmt net +- [ ] unifi cloud key mit cloud koppeln +- [x] Switch und APs in IT-Glue hinterlegen +- [ ] physische Beschriftung anpassen + +## Timestamps + +- 08:45 - 09:00: [x] KWA OPNsense Firewall Regeln nachbessern +- 09:15 - 10:30: TGA WebServer Protection zu Cloud +- 10:30 - 10:45: Rauchen +- 10:45 - 11:00: OPNcentral Lizenz einspielen und dokumentieren +- 11:00 - 11:30: KWA OPNsense IT-Glue Doku weiterverfassen +- 11:30 - 12:00: OPNsense cqse Angebot pruefen und besprechen +- 12:00 - 13:00: Pause +- 13:00 - 14:00: KWA: Unterstuetzung bei VPN Einrichtung auf iOS, Mail verfassen zu VW Ablage von Projekten auf NAS: pruefe Firewall Rules +- 14:00 - 14:30: SSR: VW home.asp ticket von annika. Pruefe VWLizenz Server +- 14:30 - 15:00: pause +- 15:00 - 15:30: OPNsense feature liste + +## todo + +### General + +- [ ] Liste erstellen aller Projekte, die es gibt und neuem Mitarbeiter vorstellen + +- [ ] handout fuer jeweils sophos und opnsense als vergleich + +- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung + +- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs +- [ ] kwa/ssr snmp karten fuer usv +- [ ] update filewave admin und central + +### SBX + +- [ ] backup on external drive for pve.lab.softbox.net + +- [ ] check if possible to monitor vsphere passwd expiration +- [ ] create obsidian templates (Meetings, People, ) +- [ ] sbx - opsreportcard summary for action plan + +- [ ] fuege bharchitekten zu connectsecure hinzu +- [ ] erstelle connectsecure report fuer grasslfing +- [ ] cybercns bei heilmaier + +- [ ] Fuer Synology Monitoring smtp einrichten wegen 
HyperBackups + +#### OPNsense + +1. check franke rieger firewall setup +2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...) +3. test management via opncentral +4. write manual for on-boarding + - setup wan manually + - couple to opncentral + - send generic config via opncentral + - use manual for missing specific configs + - check workings of everything + diff --git a/files/Pasted image 20250429110706.png b/files/Pasted image 20250429110706.png new file mode 100644 index 0000000..92b870f Binary files /dev/null and b/files/Pasted image 20250429110706.png differ diff --git a/areas/OPNsense/Cluster/20250307-cluster-test-on-sg310.md b/projects/OPNsense/Cluster/20250307-cluster-test-on-sg310.md similarity index 100% rename from areas/OPNsense/Cluster/20250307-cluster-test-on-sg310.md rename to projects/OPNsense/Cluster/20250307-cluster-test-on-sg310.md diff --git a/areas/OPNsense/Initial-Notes/OPNsense-about.md b/projects/OPNsense/Initial-Notes/OPNsense-about.md similarity index 100% rename from areas/OPNsense/Initial-Notes/OPNsense-about.md rename to projects/OPNsense/Initial-Notes/OPNsense-about.md diff --git a/areas/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md b/projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md similarity index 100% rename from areas/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md rename to projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md diff --git a/areas/OPNsense/Initial-Notes/OPNsense-config.md b/projects/OPNsense/Initial-Notes/OPNsense-config.md similarity index 100% rename from areas/OPNsense/Initial-Notes/OPNsense-config.md rename to projects/OPNsense/Initial-Notes/OPNsense-config.md 
diff --git a/areas/OPNsense/Initial-Notes/OPNsense-config_summary.md b/projects/OPNsense/Initial-Notes/OPNsense-config_summary.md
similarity index 100%
rename from areas/OPNsense/Initial-Notes/OPNsense-config_summary.md
rename to projects/OPNsense/Initial-Notes/OPNsense-config_summary.md
diff --git a/areas/OPNsense/Initial-Notes/OPNsense-future.md b/projects/OPNsense/Initial-Notes/OPNsense-future.md
similarity index 100%
rename from areas/OPNsense/Initial-Notes/OPNsense-future.md
rename to projects/OPNsense/Initial-Notes/OPNsense-future.md
diff --git a/areas/OPNsense/Initial-Notes/OPNsense.md b/projects/OPNsense/Initial-Notes/OPNsense.md
similarity index 100%
rename from areas/OPNsense/Initial-Notes/OPNsense.md
rename to projects/OPNsense/Initial-Notes/OPNsense.md
diff --git a/areas/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md b/projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md
similarity index 100%
rename from areas/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md
rename to projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md
diff --git a/projects/OPNsense/STANDARDS/Feature-Capability.md b/projects/OPNsense/STANDARDS/Feature-Capability.md
new file mode 100644
index 0000000..36b2d1f
--- /dev/null
+++ b/projects/OPNsense/STANDARDS/Feature-Capability.md
@@ -0,0 +1,113 @@ +# OPNsense Feature Capability Overview (Industry Use) + +This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments. + +--- + +## βœ… Stable / Industry-Proven Core Features + +These features are well-supported, reliable, and commonly used in production deployments. + +### πŸ”§ Core Networking & Routing +- VLANs (tagged, untagged) +- Static and dynamic routing (OSPF, BGP via FRR plugin) +- Multi-WAN with load balancing / failover +- NAT (1:1, port forward, outbound NAT) +- DHCP/DHCPv6 Server & Relay +- DNS Resolver (Unbound) with DoT, conditional forwarding +- NTP Server + +### πŸ” Firewall & Security +- Stateful firewall with alias system +- Schedule-based rules +- GeoIP blocking +- Packet logging and rule hit counters + +### πŸ‘₯ Authentication +- Local user DB +- LDAP / Active Directory (GPO support) +- Two-Factor Authentication (TOTP) +- Captive Portal with LDAP/RADIUS integration + +### 🌍 VPN Services +- OpenVPN (with client export) +- IPsec (strongSwan) +- WireGuard (kernel module; fast & stable) + +### πŸ” SSL Certificates +- ACME/Let's Encrypt support +- DNS-01, HTTP-01 +- Auto-renewal + deploy to services + +### πŸ’Ύ Backup & Management +- Local and remote encrypted backup +- OPNcentral for multi-firewall config, update, backup +- High Availability (CARP-based) + +--- + +## ⚠️ Moderately Reliable / Needs Case-by-Case Testing + +These features are usable but require testing or tuning to ensure stability. 
+ +### πŸ›‘οΈ Intrusion Detection / Prevention +- Suricata (IDS/IPS) + - Can impact performance on low-RAM systems (β‰₯8GB recommended) + - Inline mode works but may be unstable with certain NICs + - Regular ruleset updates supported + +### 🌐 Web Filtering / Proxy +- Squid Proxy + ICAP/ClamAV + - SSL inspection fragile; requires CA deployment to clients + - Transparent mode unstable on some NICs + - Basic caching stable; filtering can be unreliable + - ICAP antivirus adds CPU load + +### πŸ”„ Dynamic DNS +- DDNS client with broad provider support +- Stable and scriptable + +### ☁️ Remote Backups +- Supported to Google Drive, Git, Nextcloud (via plugin/scripting) +- Manual testing of restore process recommended + +--- + +## ❌ Experimental / Immature Features + +Avoid these for now in production or industrial deployments. + +### πŸ“¬ Mail Gateway / Relay +- Basic Postfix relay plugin +- No spam filtering or advanced mail security +- Not recommended for secure mail handling + +### 🌐 Web Application Firewall (WAF) +- Nginx WAF plugin exists +- No full ModSecurity/OWASP integration +- Better to isolate on a dedicated reverse proxy + +### πŸ“¦ OPNProxy Plugin +- Adds fine-grained Squid-based user/group URL access control +- Inherits Squid’s instability +- Use with caution or for testing only + +--- + +## Summary Table + +| **Feature** | **Production Readiness** | **Notes** | +|-------------------------------|---------------------------|-------------------------------------------------------------| +| Core firewall, routing | βœ… Yes | Fully stable | +| VPN (OpenVPN, WireGuard) | βœ… Yes | Strong support and maturity | +| Suricata | ⚠️ With caution | Test on hardware; monitor CPU/RAM | +| Web Proxy / Filtering | ❌ Avoid or isolate | Only basic use; SSL filtering often unstable | +| Antivirus (clamav) | ⚠️ Optional | High CPU use; best supplemented by endpoint AV | +| DNS & DHCP | βœ… Yes | Mature and reliable | +| Mail Relay | ❌ No | Lacks required filtering and logging 
for industrial use | +| WAF (nginx) | ❌ No | Too limited for meaningful protection | +| DDNS, Backups, Certs | βœ… Yes | Useful and stable | + +--- + +_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._ diff --git a/projects/OPNsense/STANDARDS/Monthly-Time.md b/projects/OPNsense/STANDARDS/Monthly-Time.md new file mode 100644 index 0000000..706a204 --- /dev/null +++ b/projects/OPNsense/STANDARDS/Monthly-Time.md @@ -0,0 +1,22 @@ +## OPNsense Firewall Monthly Maintenance Estimate (Per Firewall) + +### Typical Monthly Tasks + +| **Task** | **Description** | **Estimated Time** | +|----------------------------------------|----------------------------------------------------------------------------------|---------------------| +| **Firmware & Plugin Updates** | Centralized via OPNcentral; all firewalls updated simultaneously. | 1 hour | +| **Routine Configuration Changes** | Adjusting existing settings, rules, or features (not new plugins). | 1 hour | +| **VPN Client Configuration** | Exporting client configs for OpenVPN/IPsec users. | 0.5 hour | +| **Monitoring & Alert Response** | Reviewing OPNcentral alerts and responding to system warnings. | 0.5 hour | +| **Unexpected Issues / Tickets** | Troubleshooting user reports or production issues. | 1 hour | +| | | | +| **Total (typical month)** | | **~4 hours** | + +--- + +### Additional (Occasional) Tasks + +| **Task** | **Frequency** | **Estimated Time** | +|----------------------------------------|--------------------------|----------------------------| +| **New Plugin Integration** | 1–2 times per year | 1–3 days (one-time effort) | +| **Firewall Policy Audit & Cleanup** | Quarterly or Biannually | 1–2 hours per audit | diff --git a/projects/OPNsense/STANDARDS/possible-impovements.md b/projects/OPNsense/STANDARDS/possible-impovements.md new file mode 100644 index 0000000..2396e3c --- /dev/null 
+++ b/projects/OPNsense/STANDARDS/possible-impovements.md 
@@ -0,0 +1,93 @@ +# OPNsense Recommended Plugins & Features (Industrial / Office Use) + +This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level. + +--- + +## πŸ” Monitoring & Logging + +### βœ… Telegraf Plugin +- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring. +- **Integration:** Grafana, InfluxDB, Prometheus. +- **Notes:** Lightweight and reliable. + +### βœ… Netflow / Insight (built-in) +- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage. +- **Use Case:** Bandwidth monitoring and anomaly detection. +- **Notes:** Data can be archived for audit purposes. + +### βœ… Zabbix Agent +- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments. +- **Notes:** Trusted in enterprise and industrial networks. + +--- + +## πŸ” Access Control & Identity + +### ⚠️ FreeRADIUS Plugin +- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal. +- **Notes:** Complex to configure; powerful in the right hands. + +### βœ… TOTP / 2FA for Web GUI +- **Purpose:** Adds two-factor authentication for admin access. +- **Notes:** Uses Google Authenticator or similar apps. + +--- + +## πŸ› οΈ Configuration & Deployment + +### βœ… Shellcmd Plugin +- **Purpose:** Runs custom shell scripts/commands at boot or service start. +- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes. +- **Notes:** Excellent for hotfixes or automation in production. + +### βœ… Smart Plugin (S.M.A.R.T. Monitoring) +- **Purpose:** Monitors local disk health if firewall is installed on SSD/HDD. +- **Notes:** Essential for long-term reliability. + +--- + +## 🧱 Firewall Enhancements + +### ⚠️ GeoIP Aliases +- **Purpose:** Block/allow traffic by country. +- **Notes:** Requires MaxMind license (free with registration). 
+ +### βœ… Policy-Based Routing +- **Purpose:** Custom WAN selection per VLAN/service/source. +- **Notes:** Use for traffic shaping, failover, or VoIP priority. + +--- + +## πŸ“‘ Edge / Optional Features + +### βœ… NTP Daemon +- **Purpose:** Acts as internal time server for LAN devices. +- **Use Case:** Environments without external NTP access. +- **Notes:** Stable and lightweight. + +### βœ… mDNS Repeater +- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint). +- **Use Case:** Offices with Apple devices or smart printers. +- **Notes:** Requires proper VLAN firewall rules. + +--- + +## βœ… Recommended Baseline Set for Industrial Use + +| **Category** | **Feature** | **Plugin** | **Trust Level** | +|--------------------|------------------------|-------------------|-----------------| +| Monitoring | Telegraf, Netflow | `telegraf` | βœ… Stable | +| Logging/NMS | Zabbix Agent | `os-zabbix-agent` | βœ… Stable | +| Automation | Boot Scripting | `shellcmd` | βœ… Stable | +| Identity/VPN | FreeRADIUS (optional) | `freeradius` | ⚠️ Moderate | +| Access Security | TOTP 2FA | Built-in | βœ… Stable | +| Routing Control | Policy Routing | Built-in | βœ… Stable | +| Geo Restrictions | GeoIP Aliases | MaxMind required | ⚠️ Moderate | +| Time Sync | NTP Server | Built-in | βœ… Stable | +| Edge VLAN Utility | mDNS Repeater | `mdns-repeater` | βœ… Stable | + +--- + +_This list is curated for environments that require high uptime, low maintenance, and avoid fragile or poorly maintained features like Squid or Zenarmor._ + diff --git a/areas/OPNsense/Schulungen/20250305-initial_ideas.md b/projects/OPNsense/Schulungen/20250305-initial_ideas.md similarity index 100% rename from areas/OPNsense/Schulungen/20250305-initial_ideas.md rename to projects/OPNsense/Schulungen/20250305-initial_ideas.md 
diff --git a/areas/OPNsense/Schulungen/20250319-pre-meeting-prep.md b/projects/OPNsense/Schulungen/20250319-pre-meeting-prep.md
similarity index 100%
rename from areas/OPNsense/Schulungen/20250319-pre-meeting-prep.md
rename to projects/OPNsense/Schulungen/20250319-pre-meeting-prep.md
diff --git a/areas/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md b/projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md
similarity index 100%
rename from areas/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md
rename to projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md
diff --git a/areas/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md b/projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md
similarity index 100%
rename from areas/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md
rename to projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md
diff --git a/areas/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md b/projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md
similarity index 100%
rename from areas/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md
rename to projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md
diff --git a/areas/OPNsense/plugins/net-snmp.md b/projects/OPNsense/plugins/net-snmp.md
similarity index 100%
rename from areas/OPNsense/plugins/net-snmp.md
rename to projects/OPNsense/plugins/net-snmp.md
diff --git a/areas/OPNsense/opnsense-bussines-edition.md b/projects/OPNsense/unknown/opnsense-bussines-edition.md
similarity index 100%
rename from areas/OPNsense/opnsense-bussines-edition.md
rename to projects/OPNsense/unknown/opnsense-bussines-edition.md
diff --git a/areas/OPNsense/opnsense-central-management.md b/projects/OPNsense/unknown/opnsense-central-management.md
similarity index 100%
rename from areas/OPNsense/opnsense-central-management.md
rename to projects/OPNsense/unknown/opnsense-central-management.md
diff --git a/areas/OPNsense/opnsense-checklists.md b/projects/OPNsense/unknown/opnsense-checklists.md
similarity index 100%
rename from areas/OPNsense/opnsense-checklists.md
rename to projects/OPNsense/unknown/opnsense-checklists.md
diff --git a/areas/OPNsense/opnsense-frankeriger-current.md b/projects/OPNsense/unknown/opnsense-frankeriger-current.md
similarity index 100%
rename from areas/OPNsense/opnsense-frankeriger-current.md
rename to projects/OPNsense/unknown/opnsense-frankeriger-current.md
diff --git a/areas/OPNsense/opnsense-planing.md b/projects/OPNsense/unknown/opnsense-planing.md
similarity index 100%
rename from areas/OPNsense/opnsense-planing.md
rename to projects/OPNsense/unknown/opnsense-planing.md
diff --git a/areas/OPNsense/opnsense-proposal-draft.md b/projects/OPNsense/unknown/opnsense-proposal-draft.md
similarity index 100%
rename from areas/OPNsense/opnsense-proposal-draft.md
rename to projects/OPNsense/unknown/opnsense-proposal-draft.md
diff --git a/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md b/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
index d445e49..086a33d 100644
--- a/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
+++ b/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
@@ -30,15 +30,15 @@ output: pdf_document ## Funktionen -- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..) -- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest) -- VPN (OpenVPN) -- Free SSL certs (via ACME) -- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave) -- OPNsense Antivirus Loesung (Clamav + C-Icap) -- IDS/IPS -- WAF -- OPNcentral +- [x] Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..) +- [x] VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest) +- [x] VPN (OpenVPN) +- [x] Free SSL certs (via ACME) +- [ ] Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave) +- [ ] OPNsense Antivirus Loesung (Clamav + C-Icap) +- [x] IDS/IPS +- [ ] WAF +- [=] OPNcentral ## Zertifikate diff --git a/projects/kwa/firewall_migration/20250414-preparation.md b/projects/kwa/firewall_migration/20250414-preparation.md index 33cf8ee..880c340 100644 --- a/projects/kwa/firewall_migration/20250414-preparation.md +++ b/projects/kwa/firewall_migration/20250414-preparation.md 
@@ -1,22 +1,143 @@ +## Vor Ort Notes +opnsense ui: root, 4H?bh,wXU85JrXs +opnsense ui: sbxadmin, %bghY!FH65Z +cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU' +Main switch: 70:a7:41:ff:e4:4b +Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15 + +## General + +- [x] Change public DNS entries (gw.knoppwassmer.de -> \ ) +- [x] ports der unifi untersuchen +- [x] setup acme with dns challenge (issue tomorrow) +- [x] configure dhcp on all unifi devices +- [x] unifi dashboard - define all vlan networks +- [x] add to opncentral +- [x] fotos machen +- [x] ips/ids anschalten +- [x] backup via ftp to nas if possible +- [ ] change ilo ip such that its in the mgmt net +- [ ] unifi cloud key mit cloud koppeln +- [ ] Switch und APs in IT-Glue hinterlegen +- [ ] physische Beschriftung anpassen + + ## Kerio Features ### Network - WAN: 10.0.70.2 (FritzBox PPPoE) - LAN: 192.168.70.1/24 -- VPN: 192.168.170.1/24 +- VPN: 172.16.70.1/24 +### DNS and DHCP + +- [x] domain name: ad.knoppwassmer.de +- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1` ## OPNsense ### Network -| Name | Interface | Network | Note | -| ---------- | --------- | ----------------- | -------------- | -| WAN | WAN | 10.0.70.2/32 | FritzBox PPPoE | -| MGMT | LAN | 192.168.50.254/24 | | -| SERVER | LAN | 192.168.70.254/24 | | -| CLIENT | LAN | 192.168.20.254/24 | | -| WLAN | LAN | 192.168.30.254/24 | | -| WLAN_GUEST | LAN | 192.168.40.254/24 | | +| Name | Interface | VLAN tag | Network | Note | +| ---------- | --------- | -------- | --------------- | ----------------------- | +| WAN | WAN | / | 10.0.70.2/32 | FritzBox PPPoE | +| MGMT | LAN | 1 | 192.168.50.1/24 | | +| SERVER | LAN | 70 | 192.168.70.1/24 | | +| CLIENT | LAN | 20 | 192.168.20.1/24 | | +| WLAN | LAN | 30 | 192.168.30.1/24 | USE CLIENT net for WLAN | +| WLAN_GUEST | LAN | 40 | 192.168.40.1/24 | | +| OpenVPN | VPN | | 172.16.70.1/24 | | + +### Firewall + +#### Aliase + +- [x] filewave +- [x] mailstore +- [x] nas +- [x] sbxoffice +- [x] ad +- [x] 
printer (NEW IP: 192.168.20.10. OLD IP: 192.168.70.200) + +#### Rules + +##### WAN + +- [ ] enable geo filter (iran, north korea, russia) +- [x] Allow VPN entrypoint to WAN via VPN port + +##### MGMT + +- [x] allow 'mgmt addr' to AD server via ldap +- [x] allow 'mgmt net' to AD via dns + +##### USER + +- [x] allow 'user net' to AD via dns +- [x] allow 'user net' to nas via smb +- [x] allow 'user net' to AD via ldap(s) +- [x] allow 'user net' to 'server net' via https +- [x] allow 'user net' to mailstore via its web port (Reverse Proxy in future) +- [x] allow 'user net' to vwlizenz via (any?) +- [x] allow 'user net' to filewaveserver via filewaveservice ports + +##### VPN + +- [x] allow 'vpn net' to AD via dns +- [x] Allow SMB for VPN Client network +- [x] allow vpn net to server net + +##### SERVER + +- [x] Allow filewave out + +#### DNAT + +- [x] Port 8462/tcp from WAN address to Mailstore IP NAT +- [x] Port Group "Filewave" from WAN address to Filewave IP NAT + +### Authentication Server + +- [x] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s) + +### VPN +- depends on: Authentication Server + +- [x] Setup OpenVPN. + - [x] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert + - [x] setup openvpn server + - [x] setup client certs + +### IPS/IDS + +- [x] setup and configure surricata - very heavy on resources.. need to be tested + +### Content Filter + +- [ ] Recreate - if possible - application, web and https filter + +### Reverse Proxy (Web Server Protection) + +- [ ] projektpro +- [ ] Andere? + +### NTP + +- Server: `srvu-master.ad.knoppwassmer.de` + +## Archive + +### Vor Ort Notes + +1. Plane Switch Portbelegung +2. Stelle alle Geraete auf dhcp um: + 1. [x] switches + 2. [x] APs + 3. [x] Cloud-Key + 4. [x] Telefone + 5. [x] Drucker (drucker muss mehr angepasst werden: dns) +3. Dangerous: Setze VLANs auf designierte Ports um +4. Geraete runterfahren +5. Neue Firewall anschalten und hoffen, dass es klappt
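Review bot: The `## Vor Ort Notes` block at the top of this hunk commits live credentials — the two `opnsense ui:` lines, the `cloud key:` line and the `Subscription key:` line carry plaintext admin passwords and a license key for the KWA firewall and UniFi controller. Deleting them from the file afterwards is not enough, because they remain in git history; the passwords and the subscription key should be rotated and the lines reduced to references such as `opnsense ui: root, <in password manager>` and `cloud key: user: sbxadmin, <in password manager>`. A pre-commit secret scanner on this vault would catch the next occurrence before it is pushed. Separately, `- [x] allow 'user net' to vwlizenz via (any?)` is checked off while its port scope is still a question mark; pin the rule to the license server's actual ports before marking it done.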