]

projects/ssr/firewall_migration/20250526-Notizen.md

@@ -0,0 +1,151 @@
+## Vor Ort Notes
+
+1. Plane Switch Portbelegung
+2. Stelle alle Geraete auf dhcp um: 
+	1. [x] switches
+	2. [x] APs
+	3. [x] Cloud-Key
+	4. [x] Telefone
+	5. [x] Drucker (drucker muss mehr angepasst werden: dns)
+3. Dangerous: Setze VLANs auf designierte Ports um
+4. Geraete runterfahren
+5. Neue Firewall anschalten und hoffen, dass es klappt
+
+## Notes
+opnsense ui: root,  4H?bh,wXU85JrXs
+opnsense ui: sbxadmin, %bghY!FH65Z
+cloud key: user: sbxadmin, 'l0b-J3HbQ7Om0jbfeuah' 
+Main switch: 60:22:32:ee:22:38
+Subscription key: a119bcee-9ca0-438c-b2c9-69db51d186b8
+
+## General
+- [ ] hermann ablauf mitteilen
+- [ ] Internetzugangsdaten beschaffen
+- [x] pruefe WAN/Modem Anschluss - fritz macht pppoe als router; modem laut fritz vorhanden - entferne fritzbox
+
+- [x] Change public DNS entries (gw.studio-stadt-region.de -> \<public-ip\> )
+- [x] ports der unifi untersuchen
+- [x] configure dhcp on all unifi devices
+- [x] acme - challenge type - andere token con cf
+- [x] unifi dashboard - define all vlan networks
+- [x] add to opncentral
+- [x] fotos machen
+- [x] unifi cloud key mit cloud koppeln
+- [ ] Switch und APs in IT-Glue hinterlegen
+- [ ] physische Beschriftung anpassen
+
+
+### deprecated
+- [ ] ips/ids anschalten
+- [ ] change ilo ip such that its in the mgmt net
+- [ ] backup via ftp to nas if possible
+
+
+## Kerio Features 
+
+### Network
+
+- WAN: 10.0.80.2 (FritzBox PPPoE)
+- LAN: 192.168.80.1/24
+- VPN: 172.16.80.1/24
+
+### DNS and DHCP
+
+- [x] domain name: ad.studio-stadt-region.de
+- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`
+
+## OPNsense
+
+### Network
+
+| Name       | Interface | VLAN tag | Network         | Note                    |
+| ---------- | --------- | -------- | --------------- | ----------------------- |
+| WAN        | WAN       | /        | 10.0.80.2/32    | FritzBox PPPoE          |
+| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
+| SERVER     | LAN       | 80       | 192.168.80.1/24 |                         |
+| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
+| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
+| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
+| OpenVPN    | VPN       |          | 172.16.80.1/24  |                         |
+
+### Firewall
+
+#### Aliase
+
+- [x] filewave
+- [x] mailstore
+- [x] nas
+- [x] sbxoffice
+- [x] ad
+- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.80.200)
+- [x] phone (NEW IP: 192.168.20.28/29. OLD IP: 192.168.80.28/29)
+
+#### Rules
+
+##### WAN
+
+- [ ] enable geo filter (iran, north korea, russia)
+- [ ] Allow VPN entrypoint to WAN via VPN port
+
+##### MGMT
+
+- [ ] allow 'mgmt addr' to AD server via ldap
+- [ ] allow 'mgmt net' to AD via dns
+
+##### USER
+
+- [ ] allow 'user net' to AD via dns
+- [ ] allow 'user net' to nas via smb
+- [ ] allow 'user net' to AD via ldap(s)
+- [ ] allow 'user net' to 'server net' via https
+- [ ] allow 'user net' to mailstore via its web port (Reverse Proxy in future)
+- [ ] allow 'user net' to vwlizenz via (any?)
+- [ ] allow 'user net' to filewaveserver via filewaveservice ports
+
+##### VPN
+
+- [ ] allow 'vpn net' to AD via dns
+- [ ] Allow SMB for VPN Client network
+- [ ] allow vpn net to server net
+
+##### SERVER
+
+- [ ] Allow filewave out 
+
+#### DNAT
+
+- [ ] Port 8462/tcp from WAN address to Mailstore IP NAT
+- [ ] Port Group "Filewave" from WAN address to Filewave IP NAT
+
+### Authentication Server
+
+- [ ] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
+
+### VPN
+- depends on: Authentication Server
+- one user and one admin vpn server
+
+- [ ] Setup OpenVPN. 
+	- [ ] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
+	- [ ] setup openvpn server
+	- [ ] setup client certs
+
+### IPS/IDS
+
+- [ ] setup and configure surricata - very heavy on resources.. need to be tested
+
+### Content Filter
+
+- [ ] Recreate - if possible - application, web and https filter
+
+### Reverse Proxy (Web Server Protection)
+
+- [ ] projektpro
+- [ ] Andere?
+
+### NTP 
+
+- Server: `srvu-master.ad.studio-stadt-region.de`
+
+## Archive
+