20250429 push notes

2025-04-29 16:29:52 +02:00
parent 214941710d
commit 0cb3f588fa
69 changed files with 944 additions and 61 deletions
--- a/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
+++ b/projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
@@ -30,15 +30,15 @@ output: pdf_document

 ## Funktionen

- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
- VPN (OpenVPN)
- Free SSL certs (via ACME)
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
- OPNsense Antivirus Loesung (Clamav + C-Icap)
- IDS/IPS
- WAF
- OPNcentral
+- [x] Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
+- [x] VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
+- [x] VPN (OpenVPN)
+- [x] Free SSL certs (via ACME)
+- [ ] Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
+- [ ] OPNsense Antivirus Loesung (Clamav + C-Icap)
+- [x] IDS/IPS
+- [ ] WAF
+- [=] OPNcentral

 ## Zertifikate

--- a/projects/kwa/firewall_migration/20250414-preparation.md
+++ b/projects/kwa/firewall_migration/20250414-preparation.md
@@ -1,22 +1,143 @@

+## Vor Ort Notes
+opnsense ui: root,  4H?bh,wXU85JrXs
+opnsense ui: sbxadmin, %bghY!FH65Z
+cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU' 
+Main switch: 70:a7:41:ff:e4:4b
+Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15
+
+## General
+
+- [x] Change public DNS entries (gw.knoppwassmer.de -> \<public-ip\> )
+- [x] ports der unifi untersuchen
+- [x] setup acme with dns challenge (issue tomorrow)
+- [x] configure dhcp on all unifi devices
+- [x] unifi dashboard - define all vlan networks
+- [x] add to opncentral
+- [x] fotos machen
+- [x] ips/ids anschalten
+- [x] backup via ftp to nas if possible
+- [ ] change ilo ip such that its in the mgmt net
+- [ ] unifi cloud key mit cloud koppeln
+- [ ] Switch und APs in IT-Glue hinterlegen
+- [ ] physische Beschriftung anpassen
+
+
 ## Kerio Features 

 ### Network

 - WAN: 10.0.70.2 (FritzBox PPPoE)
 - LAN: 192.168.70.1/24
- VPN: 192.168.170.1/24
+- VPN: 172.16.70.1/24

+### DNS and DHCP
+
+- [x] domain name: ad.knoppwassmer.de
+- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`

 ## OPNsense

 ### Network

-| Name       | Interface | Network           | Note           |
-| ---------- | --------- | ----------------- | -------------- |
-| WAN        | WAN       | 10.0.70.2/32      | FritzBox PPPoE |
-| MGMT       | LAN       | 192.168.50.254/24 |                |
-| SERVER     | LAN       | 192.168.70.254/24 |                |
-| CLIENT     | LAN       | 192.168.20.254/24 |                |
-| WLAN       | LAN       | 192.168.30.254/24 |                |
-| WLAN_GUEST | LAN       | 192.168.40.254/24 |                |
+| Name       | Interface | VLAN tag | Network         | Note                    |
+| ---------- | --------- | -------- | --------------- | ----------------------- |
+| WAN        | WAN       | /        | 10.0.70.2/32    | FritzBox PPPoE          |
+| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
+| SERVER     | LAN       | 70       | 192.168.70.1/24 |                         |
+| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
+| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
+| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
+| OpenVPN    | VPN       |          | 172.16.70.1/24  |                         |
+
+### Firewall
+
+#### Aliase
+
+- [x] filewave
+- [x] mailstore
+- [x] nas
+- [x] sbxoffice
+- [x] ad
+- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.70.200)
+
+#### Rules
+
+##### WAN
+
+- [ ] enable geo filter (iran, north korea, russia)
+- [x] Allow VPN entrypoint to WAN via VPN port
+
+##### MGMT
+
+- [x] allow 'mgmt addr' to AD server via ldap
+- [x] allow 'mgmt net' to AD via dns
+
+##### USER
+
+- [x] allow 'user net' to AD via dns
+- [x] allow 'user net' to nas via smb
+- [x] allow 'user net' to AD via ldap(s)
+- [x] allow 'user net' to 'server net' via https
+- [x] allow 'user net' to mailstore via its web port (Reverse Proxy in future)
+- [x] allow 'user net' to vwlizenz via (any?)
+- [x] allow 'user net' to filewaveserver via filewaveservice ports
+
+##### VPN
+
+- [x] allow 'vpn net' to AD via dns
+- [x] Allow SMB for VPN Client network
+- [x] allow vpn net to server net
+
+##### SERVER
+
+- [x] Allow filewave out 
+
+#### DNAT
+
+- [x] Port 8462/tcp from WAN address to Mailstore IP NAT
+- [x] Port Group "Filewave" from WAN address to Filewave IP NAT
+
+### Authentication Server
+
+- [x] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
+
+### VPN
+- depends on: Authentication Server
+
+- [x] Setup OpenVPN. 
+	- [x] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
+	- [x] setup openvpn server
+	- [x] setup client certs
+
+### IPS/IDS
+
+- [x] setup and configure surricata - very heavy on resources.. need to be tested
+
+### Content Filter
+
+- [ ] Recreate - if possible - application, web and https filter
+
+### Reverse Proxy (Web Server Protection)
+
+- [ ] projektpro
+- [ ] Andere?
+
+### NTP 
+
+- Server: `srvu-master.ad.knoppwassmer.de`
+
+## Archive
+
+### Vor Ort Notes
+
+1. Plane Switch Portbelegung
+2. Stelle alle Geraete auf dhcp um: 
+	1. [x] switches
+	2. [x] APs
+	3. [x] Cloud-Key
+	4. [x] Telefone
+	5. [x] Drucker (drucker muss mehr angepasst werden: dns)
+3. Dangerous: Setze VLANs auf designierte Ports um
+4. Geraete runterfahren
+5. Neue Firewall anschalten und hoffen, dass es klappt