## On-site Notes

- opnsense ui: root, 4H?bh,wXU85JrXs
- opnsense ui: sbxadmin, %bghY!FH65Z
- cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU'
- Main switch: 70:a7:41:ff:e4:4b
- Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15

## General

- [x] Change public DNS entries (gw.knoppwassmer.de -> \ )
- [x] Inspect the ports on the UniFi devices
- [x] Set up ACME with DNS challenge (issue tomorrow)
- [x] Configure DHCP on all UniFi devices
- [x] UniFi dashboard: define all VLAN networks
- [x] Add to OPNcentral
- [x] Take photos
- [x] Enable IPS/IDS
- [x] Backup via FTP to NAS if possible
- [ ] Change the iLO IP so that it is in the MGMT net
- [ ] Link the UniFi Cloud Key to the cloud
- [ ] Record the switch and APs in IT Glue
- [ ] Update the physical labelling

## Kerio Features

### Network

- WAN: 10.0.70.2 (FritzBox PPPoE)
- LAN: 192.168.70.1/24
- VPN: 172.16.70.1/24

### DNS and DHCP

- [x] domain name: ad.knoppwassmer.de
- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`

## OPNsense

### Network

| Name       | Interface | VLAN tag | Network         | Note                    |
| ---------- | --------- | -------- | --------------- | ----------------------- |
| WAN        | WAN       | /        | 10.0.70.2/32    | FritzBox PPPoE          |
| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
| SERVER     | LAN       | 70       | 192.168.70.1/24 |                         |
| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
| OpenVPN    | VPN       |          | 172.16.70.1/24  |                         |

### Firewall

#### Aliases

- [x] filewave
- [x] mailstore
- [x] nas
- [x] sbxoffice
- [x] ad
- [x] printer (NEW IP: 192.168.20.10, OLD IP: 192.168.70.200)

#### Rules

##### WAN

- [ ] Enable geo filter (Iran, North Korea, Russia)
- [x] Allow VPN entry point to WAN via VPN port

##### MGMT

- [x] Allow 'mgmt addr' to AD server via LDAP
- [x] Allow 'mgmt net' to AD via DNS

##### USER

- [x] Allow 'user net' to AD via DNS
- [x] Allow 'user net' to NAS via SMB
- [x] Allow 'user net' to AD via LDAP(S)
- [x] Allow 'user net' to 'server net' via HTTPS
- [x] Allow 'user net' to mailstore via its web port (reverse proxy in future)
- [x] Allow 'user net' to vwlizenz via (any?)
- [x] Allow 'user net' to filewave server via the FileWave service ports

##### VPN

- [x] Allow 'vpn net' to AD via DNS
- [x] Allow SMB for the VPN client network
- [x] Allow 'vpn net' to 'server net'

##### SERVER

- [x] Allow filewave out

#### DNAT

- [x] Port 8462/tcp from WAN address to Mailstore IP (NAT)
- [x] Port group "Filewave" from WAN address to FileWave IP (NAT)

### Authentication Server

- [x] AD coupling somehow: DNAT from sbxoffice to local AD via LDAP(S)

### VPN

- Depends on: Authentication Server
- [x] Set up OpenVPN
- [x] Self-signed certificate chain: root CA, server cert and client cert
- [x] Set up OpenVPN server
- [x] Set up client certs

### IPS/IDS

- [x] Set up and configure Suricata; very heavy on resources, needs testing

### Content Filter

- [ ] Recreate, if possible, the application, web and HTTPS filter

### Reverse Proxy (Web Server Protection)

- [ ] projektpro
- [ ] Others?

### NTP

- Server: `srvu-master.ad.knoppwassmer.de`

## Archive

### On-site Notes

1. Plan the switch port assignment
2. Switch all devices to DHCP:
   1. [x] Switches
   2. [x] APs
   3. [x] Cloud Key
   4. [x] Phones
   5. [x] Printer (the printer needs further adjustment: DNS)
3. Dangerous: move the VLANs to the designated ports
4. Shut down the devices
5. Power on the new firewall and hope it works
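The OPNsense network table and the inter-VLAN allow rules above form a least-privilege policy: every rule names a source segment, a destination alias or segment, and one service. The following added Python script (not part of these notes or of OPNsense) lints such a policy before it is committed: it checks that the VLAN subnets do not overlap, that every rule refers to a defined segment or alias, that no inter-segment rule uses an "any" service, and that an alias host has not been moved into the source segment itself (as happened with the printer, which moved from the server net to 192.168.20.10). The subnets and the printer address come from the notes; the other alias addresses are constructed placeholders, the rule 'user net' is assumed to mean the CLIENT VLAN, and a rule whose notes give no service is recorded as "any".

```python
"""Lint the inter-VLAN allow policy transcribed from the migration notes."""
import ipaddress
from itertools import combinations

# Subnets from the OPNsense network table; gateway addresses such as
# 192.168.50.1/24 are normalised to their network with strict=False.
# 'user net' is assumed to be the CLIENT VLAN (tag 20).
NETWORKS = {
    "mgmt net": "192.168.50.1/24",
    "server net": "192.168.70.1/24",
    "user net": "192.168.20.1/24",
    "wlan net": "192.168.30.1/24",
    "guest net": "192.168.40.1/24",
    "vpn net": "172.16.70.1/24",
}

# Host aliases. 'mgmt addr' is the firewall's own MGMT address and the
# printer address is recorded in the notes; the remaining addresses are
# constructed placeholders so the example runs offline.
ALIASES = {
    "mgmt addr": "192.168.50.1",
    "printer": "192.168.20.10",
    "ad": "192.168.70.10",          # placeholder
    "nas": "192.168.70.11",         # placeholder
    "mailstore": "192.168.70.12",   # placeholder
    "filewave": "192.168.70.13",    # placeholder
}

# Rules transcribed from the MGMT/USER/VPN sections: (source, destination, service).
# Services the notes leave unspecified are written as "any" so the linter sees them.
RULES = [
    ("mgmt addr", "ad", "ldap"),
    ("mgmt net", "ad", "dns"),
    ("user net", "ad", "dns"),
    ("user net", "nas", "smb"),
    ("user net", "ad", "ldaps"),
    ("user net", "server net", "https"),
    ("user net", "mailstore", "mailstore-web"),
    ("user net", "vwlizenz", "any?"),
    ("user net", "filewave", "filewave-ports"),
    ("vpn net", "ad", "dns"),
    ("vpn net", "nas", "smb"),
    ("vpn net", "server net", "any"),
]


def find_subnet_overlaps(networks):
    """Return name pairs whose subnets overlap (a misconfigured VLAN table)."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in networks.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def alias_segment(alias_ip, networks):
    """Return the name of the segment containing the alias host, or None."""
    addr = ipaddress.ip_address(alias_ip)
    for name, cidr in networks.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def lint_rules(rules, networks, aliases):
    """Return a list of human-readable findings for a rule list."""
    findings = []
    for src, dst, service in rules:
        if src not in networks and src not in aliases:
            findings.append(f"{src} -> {dst}: unknown source '{src}'")
        if dst not in networks and dst not in aliases:
            findings.append(f"{src} -> {dst}: unknown destination '{dst}'")
        # "any?" in the notes is treated the same as "any".
        if service.strip().rstrip("?").lower() == "any":
            findings.append(f"{src} -> {dst}: service '{service}' is over-broad")
        # A host alias that now lives inside the source segment no longer crosses
        # the firewall; the rule is dead weight and should be removed.
        if dst in aliases and alias_segment(aliases[dst], networks) == src:
            findings.append(f"{src} -> {dst}: destination is inside the source segment, rule is redundant")
    return findings


if __name__ == "__main__":
    for pair in find_subnet_overlaps(NETWORKS):
        print("overlap:", pair)
    for finding in lint_rules(RULES, NETWORKS, ALIASES):
        print("finding:", finding)
```

Run as-is the script reports the two rules the notes themselves leave open (the "(any?)" service for vwlizenz, whose alias is also undefined, and the unscoped vpn net to server net rule); the subnet table from the notes has no overlaps.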