new notes

areas/OPNsense/Cluster/20250307-cluster-test-on-sg310.md

@@ -0,0 +1,23 @@
+
+## Setup Interfaces
+
+### Master
+
+| Interface | Net            |
+| --------- | -------------- |
+| LAN       | 192.168.1.1/24 |
+| WAN       | 10.11.12.2/24  |
+| pfSync    | 10.0.0.1/31    | 
+
+#### Virtual IP
+
+WAN IP address: 10.11.12.4/24
+LAN IP address: 192.168.1.3/24
+
+### Slave
+
+| Interface | Net            |
+| --------- | -------------- |
+| LAN       | 192.168.1.2/24 |
+| WAN       | 10.11.12.3/24  |
+| pfSync    | 10.0.0.2/31    |

areas/OPNsense/Initial-Notes/OPNsense-about.md

@@ -0,0 +1,11 @@
+**OPNsense** is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
+
+OPNsense started as a fork of pfSense and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of bot m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
+
+OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
+
+
+## Mission Statement
+
+> "Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
+> The project's name is derived from open and sense stands for: 'Open (source) makes sense.'"

areas/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md

@@ -0,0 +1,43 @@
+---
+title: "OPNsense - Maintenance time estimate"
+author: Petar Cubela
+date: July 03, 2024
+geometry: margin=1.5cm
+output: pdf_document
+---
+
+## Intro
+
+Let us roughly calculate the time needed to maintain a OPNsesne firewall.
+Here we assumer that the firewall is already configured. Thus we are looking at standard maintenance of the device.
+
+## OPNcentral
+
+We are using OPNcentral which is able to monitor arbitrary numbers of OPNsense firewalls: 
+
+- it manually/automatically creates backups of all integrated firewalls 
+- backups can be read and compared for any firewall integrated in OPNcentral
+- firmware, services and resources status of each OPNsense firewall can be managed via OPNcentral
+- plugin configuration can be managed and send to each firewall via OPNcentral 
+
+## Time Consumption
+
+- updates have to been done regularly which can be checked and updated for all firewalls simultaneously via OPNcentral (~ 1h per month for all firewalls!)
+- in general the firewall will run flawlessly once setup without much interaction as long as nothing complicated has to be changed. 
+- changes in the configuration for known features should be in general simple (~1h per month for all firewalls!)
+- changes for new plugins should take longer depending on the plugin but happens seldom (few/many days depending on plugin once each half year)
+- OpenVPN integration is better integrated in Sophos. We will probably need to export the client configuration for each user (~ 1h per week for each firewall, depending on the number of users requiring vpn)
+
+- there can be unexpected problems with the firewall in production use which we have to test and can not assess pre-usage (~ 1h per month a firewall)
+
+### Estimation
+
+- ~ 1h/month for updates
+- ~ 1h/month for small config changes
+- ~ up to days for configuring new desired plugins. happens once per year/half year?
+- ~ 1h/month for vpn client export
+- ~ 1h/month for unexpected issues/tickets 
+
+Which summarizes to **~ 4 hours per month** and more when new not-so-known plugins have to be configured.
+
+

areas/OPNsense/Initial-Notes/OPNsense-config.md

@@ -0,0 +1,38 @@
+## Intro
+
+Start from beginning with factory settings.
+
+### TODO
+
+- [x] create sbxadmin user
+- [x] Enable ssh
+- [x] check wan is working
+- [x] familiarize with Center management
+- [x] manage opnsense via wan port (use DynDNS)
+- [ ] try cluster of two opnsense nodes in proxmox
+
+### Comments
+
+- Very loooong boot times
+
+## Enable LAN Bridge
+
+Links to manuals:
+
+- <https://docs.opnsense.org/manual/how-tos/lan_bridge.html>
+- <https://kb.protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/>
+
+## Enable SSH
+
+System -> Settings -> Administration -> Secure Shell
+
+- **Check** Enable Secure Shell
+- Login Group: wheel, admins
+- **DO NOT** permit root user login
+- Permit password login
+- Changed ssh port to 69
+
+
+## Central Management
+
+Follow: <https://docs.opnsense.org/vendor/deciso/opncentral.html>

areas/OPNsense/Initial-Notes/OPNsense-config_summary.md

@@ -0,0 +1,8 @@
+## DONE
+
+- general settings
+- SSH settings
+- Networkflow config (optional??)
+- Setup OpenVPN (authentication via local database)
+- local backup for OPNcentral
+- backup for hosts via OPNcentral

areas/OPNsense/Initial-Notes/OPNsense-future.md

@@ -0,0 +1,16 @@
+- mailgateway
+- reverse proxy (web application firewall)
+- ssl/tsl inspection and decryption
+- VPN authentication via Active Directory
+
+## TODO
+
+- [x] setup simple web server on a virtual linux machine
+- [x] setup smtp in a virtual linux machine
+- [x] set the test sever in opnsense's network
+
+## Notes
+
+VPN: Jan passwd: itKE=-gcbXN.=46 
+
+

areas/OPNsense/Initial-Notes/OPNsense.md

@@ -0,0 +1,3 @@
+[[OPNsense-about]]
+[[OPNsense-config]]
+[[OPNsense-config_summary]]

areas/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md

@@ -0,0 +1,4 @@
+## Introduction
+
+An _Intrusion Detection System_ (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors.
+An _Intrusion Prevention System_ (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat.

areas/OPNsense/Schulungen/20250305-initial_ideas.md

@@ -0,0 +1,39 @@
+
+## Intro
+
+Ziel: Gebe Kollegen und Kolleginnen einen Ueberblich ueber die wichtigsten Funktionender OPNsense, sodass sie effizient und selbststaendig damit arbeiten koennen.
+
+## Notes
+
+- Template/Anleitung fuer Firewall Regeln in IT-Glue
+
+## Erste Schulung
+
+### Ort
+
+Hybrid: Teams + Meetingraum
+
+### Zeit
+
+Vorraussichtlich der 14.03.2025 um 10:00. 
+
+### Themen
+
+#### Allgemein/System
+
+- Lobby/Dashboard - Grundlagen, Customizierbar,
+- System/Firmware - Einspielen, Richitges Mirror und Caveat, Updates, Plugins und Packages
+- Gehe allgemein und grob die Einstellungen durch und Ihre Positionen
+- 
+
+#### Firewall 
+
+- Aliass - sehr wichtig und praktisch - sollte durch OPNcentral gepushed werden
+- NAT
+- Rules
+- Unterschiede zu Sophos - kein Masquerading erforderlich (macht opnsense automatisch?)
+
+#### Interfaces
+
+
+### VPN

areas/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md

@@ -0,0 +1,38 @@
+## Location
+
+Schwanthalerstr. 106
+
+Backup key: f2e3e44045f5da80fa7cfd2ccf38c4b03686764715398c20f538d12817670b63
+
+## Questions
+
+- Ist the VLAN tag 7 for the pppoe manually set
+- Gast interface ipv6 prefixx id of 1 not working
+- do we need router advertisement?
+
+## Credentials
+
+### PPPoe
+
+![ppp confitg](/files/apsa/pfsense_ppp-setup.png)
+
+- username: vdsl.vodafone/bi9442189781-static
+- password: cnh2bWJ3Y2w= (hashed via base64)
+
+### DynDNS
+
+- username: apsa-muc.spdns.de
+- password: YnptYi11ZGd1LWJ2d2I= (hashed via base64)
+
+
+## Config in place
+
+- PPPoe
+- DynDNS
+
+
+## Pass
+
+pfsense/opnsense local: admin, pass: xfapimsgwztkojrulqeb
+pfsense/opnsense rz: admin, pass: xfapimsgwztkojrulqeb
+

areas/OPNsense/opnsense-bussines-edition.md

@@ -0,0 +1,21 @@
+## Intro
+
+[Source](https://docs.opnsense.org/be.html#)
+
+> A mission critical version of the well-known OPNsense firewall.
+> The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
+> Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall. 
+> - Mission critical
+> - LINCE compliant (security verification by trained third party independent professionals)
+> - Commercial firmware repository
+> - Free GeoIP database
+> - Official OPNsense Open Virtualisation Image
+> - Central Management, including easy one click remote host access, provisioning and monitoring.
+> - Web Application Firewall
+> - Free E-Book (English & German)
+
+### More Information
+
+- [Central Management](https://docs.opnsense.org/vendor/deciso/opncentral.html)
+- [Web Application Firewall](https://docs.opnsense.org/vendor/deciso/opnwaf.html)
+- [Extended Blocklist](https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html)

areas/OPNsense/opnsense-central-management.md

@@ -0,0 +1,17 @@
+## MyNotes
+
+- It is advised to generate proper certificates for the machines.
+
+## Installation
+
+Install `os-OPNcentral` under System->Firmware->Plugins
+
+## Register new hosts
+
+- Generate an API key and secret from the machine which should be granted access to.
+- API keys are managed in the user manager
+- 
+
+## Provisioning Classes
+
+

areas/OPNsense/opnsense-checklists.md

@@ -0,0 +1,62 @@
+
+## Sbx Office IP 
+
+- 213.160.17.142/28
+- 213.160.17.141
+
+## Generic Checklist
+
+- [x] Set WAN - generic DHCP
+- [x] Set LAN - generic 192.168.1.1
+- [x] timezone: Europe/Berlin
+- [x] Set Hostname (OPNsense) , domain name (localhost)
+- [x] ntp server
+- [x] static dns setup
+- [x] std sbxadmin user
+- [x] enable assess log (system -> settings -> administration)
+- [x] LAN Bridge - generic all ports in bridge except igc1 (second port) is WAN port
+- [x] enable ssh: enable, DO NOT permit root login, permit password login, port: 22
+- [ ] firewall rules (LAN, WLAN, WLAN Guest {drop packets to LAN} ), std port activation
+- [ ] local backups
+- [ ] add office public ip as trusted (wan only reachable via office ip)
+
+### Optional
+
+- [x] web filtering
+- [x] http scanning
+- [ ] application control
+- [x] ssl/tls inspection
+- [ ] ssl certificates
+
+### Mandatory Plugins
+
+- [x] OPNcentral (for central management)
+
+## Special Checklist
+
+- [ ] add license TO: system -> firmware -> settings
+- [ ] WAN - static config or pppoe or whatever
+- [ ] LAN - ip network
+- [ ] domain name (gw.domain.tld)
+- [ ] ldap server config
+- [ ] system update on first boot! (WITH BUSSINES LICENSE)
+- [ ] setup dhcp server if used
+- [ ] connect to opncentral
+- [ ] create backups to opncentral
+- [ ] setup ldap server
+- [ ] setup openvpn server with authentication via ldap
+
+## OPNsense Importer
+
+> "All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations."
+
+- Create generic standard config to import at each customer install.
+
+## OPNcentral Provisioning
+
+We can use OPNcentral to provision the configuration of the customer's device, which is probably more useful than using the importer. Has to be tested. 
+
+## Notes
+
+- ATTENTION: On first initial install bussines license has to be configured before updating!!
+- DNS Servers: Cloudflare

areas/OPNsense/opnsense-frankeriger-current.md

@@ -0,0 +1,86 @@
+
+## Intro
+
+The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
+The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
+
+### Plugins
+
+- os-OPNcentral
+- os-squid
+- os-clamav
+- os-c-icap
+- os-acme-client
+
+## Sophos features to reproduce
+
+### Network
+
+- [x] LAN port has a static network of: 192.168.9.254/24
+- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
+- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
+- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
+
+- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
+- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
+
+- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
+ 
+### Authentication 
+
+- [x] Require MFA for: user portal, web admin console
+- [ ] setup ad as "server" in opnsense
+- [ ] import users form ad!!! (I hope it works...)
+
+#### Not required
+
+- [y] Kerberos for authenticating non-AD users (web authentication??)
+- [y] captive portal
+
+### Miscellaneous
+
+- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
+- [x] SSL VPN - Needs to be tested properly
+- [x] using SSL/TLS inspection with squid (transparent web proxy)
+
+## Firewall rules to reproduce
+
+- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
+- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
+	- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
+
+- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
+
+
+## IPS 
+
+- [x] default general policies
+- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
+
+## Web Proxy
+
+- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
+- [x] https encryption
+- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
+
+### Optional
+
+The following features are too complicated and thus only optional.
+
+## Web application firewall
+
+- [ ] too complicated
+
+## Wireless
+
+- [ ] does it need to be configured on opnsense???
+
+## Mail protection
+
+- [y] scan ~~outgoing~~ incoming mails for malware (why??)
+
+## Web Server 
+
+- not used
+
+

areas/OPNsense/opnsense-planing.md

@@ -0,0 +1,5 @@
+
+1. Learn Central Management
+2. Include firewall to OPNcentral
+3. Setup acme for ssl/ setup OPNWAF with acme included 
+4. Provision OPNsense Firewall via central management

areas/OPNsense/opnsense-proposal-draft.md

@@ -0,0 +1,40 @@
+## Introduction
+Goal: Propose a UTM firewall based on the opnsense operating system to the customer.
+Make "Bundles" including different kind of features with different price tags:
+
+### Features
+
+#### Main
+- Base setup (routing, generic config, firewall rules, vlans, authentication via ad, etc...)
+- VPN (standard OpenVPN)
+- Free SSL certs (via ACME and Lets Encrypt) with auto-renewal 
+- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL inspection, managed TLS exclusion, https de-/encryption) (!NOTE!: opnsense ca needs to be trusted from every client, which can be distributed by a GPO rule)
+	- Extend Feature of OPNsense Antivirus (with clamav + c-icap)
+- IDS/IPS Protection via Suricata 
+
+#### Not implemented yet
+- Mail Protection via Mail Relay on OPNsense 
+- WAF 
+
+#### Optional
+- DynDNS
+- Backup of config to google cloud, git or nextcloud (standard is backup locally and to opncentral)
+- `OPNProxy`-Plugin extends Web Proxy to fine grained control of user/group access to certain domains/urls
+
+### Bundles
+
+#### Level 1
+
+- Base
+- VPN
+- SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)
+
+#### Level 2
+
+- Web Proxy + Antivirus
+- IDS/IPS Protection
+
+#### Level 3
+
+- Mail Protection
+- WAF 

areas/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md

@@ -0,0 +1,38 @@
+## Source
+
+- <https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/>
+- <https://docs.opnsense.org/manual/ips.html>
+
+## Introduction
+
+> "The Intrusion Prevention System (IPS) system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to detect and mitigate security threats at wire speed."
+
+## Initial Settings
+
+1. Got to "Services > Intrusion Detection > Administration" which defaults to the "Settings" tab
+2. Click the "Enable" checkbox to activate intrusion detection
+3. Activate IPS by checking "IPS mode"
+4. Optional: If using VLANs, check the "Promiscuous mode" checkbox
+5. Set the pattern matcher as "Hyperscan"
+6. As Interface choose "LAN" to monitory the local network traffic
+7. When finished click "Apply" to save the settings.
+
+Even though intrusion detection is enabled nothing will happen until we have
+downloaded some rule sets and configure at least one policy.
+
+Below you see a picture of the network configuration:
+![img1](opnsense/idsips/settings.png)
+
+## Downloading and Enabling Rulesets
+
+**(NOTE FOR ME: It has yet too be decided which rules we will use eventually. This
+also depends on the specific customer' needs.)**
+
+1. Change to the "Download" tab.
+2. Select all pre-defined lists (depends on customer' needs) and click on "Enable
+   selected" and directly after "Download & Update Rules"
+3.
+
+![img2](opnsense/idsips/downloads.png)
+
+## Creating a Policy

areas/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md

@@ -0,0 +1,3 @@
+## Source
+- <https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/>
+

areas/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md

@@ -0,0 +1,15 @@
+## UTM Configuration
+
+- [x] ids/ips (suricata)
+- [ ] web proxy
+- [ ] antivirus
+- [ ] openvpn
+- [ ] acme
+- [ ] mail protection
+- [ ] waf
+
+## Non-common
+
+- [ ] VLAN 
+- [ ] LAGG 
+

areas/OPNsense/plugins/net-snmp.md

@@ -0,0 +1,57 @@
+
+## SNMP Konfiguration mit bsnmpd
+
+Die hier beschriebene Anleitung konfiguriert SNMP in der Version 2c.
+**Installiere nicht das SNMP Plugin! (i.e.: os-net-smp)**
+Es wird nicht mit **bsnmp** funktionieren.
+
+
+## Schritte auf der OPNsense
+
+1. Oeffne eine OPNsense Konsole (zum Beispiel: ssh ueber vpn) und melde dich als `root`-user an. (Befehl: `su`)
+2. Aktiviere den `bsnmpd`-Dienst durch Erstellung der Datei `/etc/rc.conf.d/bsnmpd` mit dem folgenden Inhalt:
+`bsnmpd_enable="YES"`
+3. Auskommentiere die folgenden Zeilen in `/etc/snmpd.config`, um benoetigte SNMP Module zu aktivieren:
+```
+read := "your_snmp_community"
+begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
+begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
+```
+Trage fuer die Variable `read` den genutzten Community Namen ein.
+4. Starte den `bsnmpd`-Dienst mit dem folgenden Befehl:
+`/etc/rc.d/bsnmpd start`
+5. Setze eine Firewall Regel auf, welche es erlaubt von einem Quell Geraet die OPNsense ueber den SNMP Port (161) zu erreichen.
+6. Teste die Verbindung durch eine SNMP Abfrage an der OPNsense.
+
+## Dont use
+
+
+```
+*** This port installs snmpd, header files and libraries but does not
+     start snmpd by default.
+     If you want to auto-start snmpd and snmptrapd, add the following to
+     /etc/rc.conf:
+
+	snmpd_enable="YES"
+	snmpd_flags="-a"
+	snmpd_conffile="/usr/local/share/snmp/snmpd.conf /etc/snmpd.conf"
+	snmptrapd_enable="YES"
+	snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
+
+**** You may also specify the following make variables:
+
+	NET_SNMP_SYS_CONTACT="zi@FreeBSD.org"
+	NET_SNMP_SYS_LOCATION="USA"
+	DEFAULT_SNMP_VERSION=3
+	NET_SNMP_MIB_MODULES="host smux mibII/mta_sendmail ucd-snmp/diskio"
+	NET_SNMP_LOGFILE=/var/log/snmpd.log
+	NET_SNMP_PERSISTENTDIR=/var/net-snmp
+
+     to define default values (or to override the defaults).  To avoid being
+     prompted during the configuration process, you should (minimally) define
+     the first two variables. (NET_SNMP_SYS_*)
+
+     You may also define the following to avoid all interactive configuration:
+
+	BATCH="yes"
+```