20250907

2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
--- a/projects/cqse/fw-migration/20250718-main.md
+++ b/projects/cqse/fw-migration/20250718-main.md
@@ -5,3 +5,86 @@

 ## General

+- Interfaces need to be defined on each device. They are not synced
+
+
+## Current Firewall
+
+| Name           | Ethernet | VLAN | Network          | Gateway         | DHCP                              | Comment             |
+| -------------- | -------- | ---- | ---------------- | --------------- | --------------------------------- | ------------------- |
+| WAN            | eth1     | none | 62.245.142.26/29 | 62.245.142.25   | none                              | Mnet 500 Mbit Fiber |
+| LAN            | eth0     | 1    | 172.22.0.0/22    | 172.22.3.254    | 172.22.0.10 - 172.22.3.199        |                     |
+| GA             | eht2     | 400  | 172.22.4.0/24    | 172.22.4.254    | 172.22.4.100 - 172.22.4.199       | Gebaeudeautomation  |
+| DMZ            | eth4     | none | 172.22.5.0/24    | 172.22.5.254    |                                   | DMZ?                |
+| Homematic      | eht2     | 600  | 172.22.6.0/24    | 172.22.6.254    | 172.22.6.100 - 172.22.6.199       | Home?               |
+| W-LAN CQSE_VPN | eth2     | 147  | 192.168.147.0/24 | 192.168.147.254 | 192.168.147.100 - 192.168.147.199 | Was                 |
+|                | eht3     |      |                  |                 |                                   | HA Sync if          |
+
+## New Firewall
+
+
+| Name           | Ethernet     | VLAN | Network             | Gateway         | DHCP                              | Comment             |
+| -------------- | ------------ | ---- | ------------------- | --------------- | --------------------------------- | ------------------- |
+| WAN            | igc1         | none | 62.245.142.26-27/29 | 62.245.142.25   | none                              | Mnet 500 Mbit Fiber |
+| LAN            | igc0         | 1    | 172.22.0.0/22       | 172.22.3.254    | 172.22.0.10 - 172.22.3.199        |                     |
+| GA             | parent: igc2 | 400  | 172.22.4.0/24       | 172.22.4.254    | 172.22.4.100 - 172.22.4.199       | Gebaeudeautomation  |
+| DMZ            | igc3         | none | 172.22.5.0/24       | 172.22.5.254    |                                   | DMZ?                |
+| Homematic      | parent: igc2 | 600  | 172.22.6.0/24       | 172.22.6.254    | 172.22.6.100 - 172.22.6.199       | Home?               |
+| W-LAN CQSE_VPN | parent: igc2 | 147  | 192.168.147.0/24    | 192.168.147.254 | 192.168.147.100 - 192.168.147.199 | Was                 |
+|                | ax0          |      | 10.0.0.0/31         | /               | /                                 | HA Sync if          |
+
+
+## WAN 
+
+- External WAN: 62.245.142.26/29
+- WAN gateway: 62.245.142.25
+- WAN broadcast: 62.245.142.31
+- WAN not-used addresses: 62.245.142.27-30 
+
+## OPNsense Cluster
+
+### Master
+
+MGMT: 172.22.3.252/24
+WAN: 62.245.142.28/29
+WANsbx: 10.11.12.2/24
+ pfSync: 10.0.0.1/31
+
+### Slave
+
+MGMT: 172.22.3.253/24
+WAN: 62.245.142.27/29
+WANsbx: 10.11.12.3/24
+ pfSync: 10.0.0.2/31
+
+### Virtual IP
+
+WANsbx IP: 10.11.12.4/24
+WAN IP: 62.245.142.26/29
+LAN IP address: 172.22.3.254/24
+
+## Switches
+
+### cqse-sw-1og-1.cqse.lan
+
+- IP: 172.22.3.200
+- untagged in MGMT VLAN
+- carries 3 VLANs on igc2: GA, Homematic, WLAN-CQSE_VPN
+- Trk1: 49-50 (Sw2Sw Trunk)
+- Port 1: Sophos Node1 eth0 
+- Port 2: Sophos Node2 eth0 
+- Port 3: Sophos Node1 eth2 
+- Port 4: Sophos Node2 eth2 
+
+### cqse-sw-1og-2.cqse.lan
+
+- IP: 172.22.3.201
+- untagged in MGMT VLAN
+- carries 3 VLANs on igc2: GA, Homematic, WLAN-CQSE_VPN
+- Trk1: 49-50 (Sw2Sw Trunk)
+
+### cqse-sw-3.cqse.lan
+
+- IP: 172.22.5.200
+- All ports in DMZ
+
--- a/projects/cqse/fw-migration/20250818-migration.md
+++ b/projects/cqse/fw-migration/20250818-migration.md
@@ -0,0 +1,48 @@
+## general
+
+
+## 20250819 Vor Ort
+
+### Fragen
+
+- esxi? 
+- Cloud key?
+- dmz switch?
+
+### WiFi
+
+SSID: CQSE 
+Pass: iaKqhunm0P
+
+### Location
+
+- Freiham. Centa-Hafenbrädl-Straße 59
+
+## Pre TODO
+
+- [x] Firewall Aliases
+- [x] Firewall Rules
+- [x] Firewall NAT
+- [x] MGMT VPN for sbx 
+- [x] DNS Config
+- [x] DHCP config (static mappings)
+- [x] ACME config
+- [x] (optional) IPS/IDS
+
+## TODO
+
+- [x] Set VIPs for all Interfaces
+- [x] switch belegung pruefen.
+- [x] Firewall beschriften
+-  ~MFA setzen (?)~
+- [x] root ausschalten
+
+## After TODO
+
+- [x] ACME: issue certs.
+- [x] Check IPS/IDS
+- [x] OPNcentral: connect
+- [ ] OPNcentral: Backups konfigurieren
+- [x] dns verwaltung -> liegt bei google -> schreibe Herrn Hummel deshalb
+- [ ] anleitung - opnsense cluster update
+- [ ] opnsense standard in itglue hinterlegen
--- a/projects/cqse/fw-migration/opnsense-licenses.json
+++ b/projects/cqse/fw-migration/opnsense-licenses.json
@@ -0,0 +1 @@
+[{"value":"b2670a5d-78c0-4ac0-8823-f7c01e422196","sku":"DEC2770EU","name":"DEC2770 - OPNsense\u00ae Rack Security Appliance - EU","training_voucher":"CBDEB4D39222CF0A05A082A8C7F57F"},{"value":"3406eae4-cd9b-421f-90ba-cf645d724bcb","sku":"DEC2770EU","name":"DEC2770 - OPNsense\u00ae Rack Security Appliance - EU","training_voucher":"1D579C5F442904A162017DD51F492C"}]
				`@@ -0,0 +1 @@`
				`[{"value":"b2670a5d-78c0-4ac0-8823-f7c01e422196","sku":"DEC2770EU","name":"DEC2770 - OPNsense\u00ae Rack Security Appliance - EU","training_voucher":"CBDEB4D39222CF0A05A082A8C7F57F"},{"value":"3406eae4-cd9b-421f-90ba-cf645d724bcb","sku":"DEC2770EU","name":"DEC2770 - OPNsense\u00ae Rack Security Appliance - EU","training_voucher":"1D579C5F442904A162017DD51F492C"}]`