## On-site Notes

1. Plan the switch port assignment
2. Switch all devices to DHCP:
   1. [x] switches
   2. [x] APs
   3. [x] Cloud Key
   4. [x] phones
   5. [x] printer (the printer needs more adjustment: DNS)
3. Dangerous: move the VLANs to the designated ports
4. Shut down the devices
5. Power on the new firewall and hope it works

## Notes

- OPNsense UI: root, `<redacted>`
- OPNsense UI: sbxadmin, `<redacted>`
- Cloud Key: user sbxadmin, `<redacted>`
- Main switch: 60:22:32:ee:22:38
- Subscription key: `<redacted>`

## General

- [ ] inform Hermann of the procedure
- [ ] obtain the internet access credentials
- [x] check the WAN/modem connection
  - the FritzBox does PPPoE as a router; according to the FritzBox a modem is present
  - remove the FritzBox
- [x] change public DNS entries (gw.studio-stadt-region.de -> \ )
- [x] inspect the ports of the UniFi
- [x] configure DHCP on all UniFi devices
- [x] ACME
  - challenge type
  - different token with CF
- [x] UniFi dashboard
  - define all VLAN networks
- [x] add to OPNcentral
- [x] take photos
- [x] pair the UniFi Cloud Key with the cloud
- [ ] record the switch and APs in IT Glue
- [ ] update the physical labels

### deprecated

- [ ] enable IPS/IDS
- [ ] change the iLO IP so that it is in the MGMT net
- [ ] backup via FTP to the NAS if possible

## Kerio Features

### Network

- WAN: 10.0.80.2 (FritzBox PPPoE)
- LAN: 192.168.80.1/24
- VPN: 172.16.80.1/24

### DNS and DHCP

- [x] domain name: ad.studio-stadt-region.de
- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`

## OPNsense

### Network

| Name       | Interface | VLAN tag | Network         | Note                    |
| ---------- | --------- | -------- | --------------- | ----------------------- |
| WAN        | WAN       | /        | 10.0.80.2/32    | FritzBox PPPoE          |
| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
| SERVER     | LAN       | 80       | 192.168.80.1/24 |                         |
| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
| OpenVPN    | VPN       |          | 172.16.80.1/24  |                         |

### Firewall

#### Aliases

- [x] filewave
- [x] mailstore
- [x] nas
- [x] sbxoffice
- [x] ad
- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.80.200)
- [x] phone (NEW IP: 192.168.20.28/29. OLD IP: 192.168.80.28/29)

#### Rules

##### WAN

- [ ] enable geo filter (Iran, North Korea, Russia)
- [ ] allow VPN entry point to WAN via VPN port

##### MGMT

- [ ] allow 'mgmt addr' to AD server via LDAP
- [ ] allow 'mgmt net' to AD via DNS

##### USER

- [ ] allow 'user net' to AD via DNS
- [ ] allow 'user net' to nas via SMB
- [ ] allow 'user net' to AD via LDAP(S)
- [ ] allow 'user net' to 'server net' via HTTPS
- [ ] allow 'user net' to mailstore via its web port (reverse proxy in future)
- [ ] allow 'user net' to vwlizenz via (any?)
- [ ] allow 'user net' to filewaveserver via FileWave service ports

##### VPN

- [ ] allow 'vpn net' to AD via DNS
- [ ] allow SMB for the VPN client network
- [ ] allow 'vpn net' to 'server net'

##### SERVER

- [ ] allow filewave out

#### DNAT

- [ ] port 8462/tcp from WAN address to the Mailstore IP (NAT)
- [ ] port group "Filewave" from WAN address to the FileWave IP (NAT)

### Authentication Server

- [ ] AD coupling somehow
  - DNAT from sbxoffice to the local AD via LDAP(S)

### VPN

- depends on: Authentication Server
- one user and one admin VPN server
- [ ] set up OpenVPN
  - [ ] self-signed certificate chain: root CA, server cert and client cert
  - [ ] set up the OpenVPN server
  - [ ] set up the client certs

### IPS/IDS

- [ ] set up and configure Suricata
  - very heavy on resources; needs to be tested

### Content Filter

- [ ] recreate, if possible, the application, web and HTTPS filter

### Reverse Proxy (Web Server Protection)

- [ ] projektpro
- [ ] others?

### NTP

- Server: `srvu-master.ad.studio-stadt-region.de`

## Archive
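A sanity check of the segmentation plan from the OPNsense network table and the printer/phone alias moves listed under Aliases, written as an added example (not part of the original notes): it verifies VLAN tags are unique, the planned subnets do not overlap, each moved alias really goes from SERVER to CLIENT, and it flags the MGMT segment sitting on VLAN 1. The segment and alias dictionaries are constructed from the table above; the WAN /32 is left out on purpose.

```python
import ipaddress

# Planned OPNsense segments from the network table: name -> (VLAN tag, gateway/CIDR).
# Constructed from the notes; OpenVPN carries no tag.
SEGMENTS = {
    "MGMT":       (1,    "192.168.50.1/24"),
    "SERVER":     (80,   "192.168.80.1/24"),
    "CLIENT":     (20,   "192.168.20.1/24"),
    "WLAN":       (30,   "192.168.30.1/24"),
    "WLAN_GUEST": (40,   "192.168.40.1/24"),
    "OpenVPN":    (None, "172.16.80.1/24"),
}

# Aliases that change address during the cutover: alias -> (old IP, new IP).
MOVED_ALIASES = {
    "printer": ("192.168.80.200", "192.168.20.10"),
    "phone":   ("192.168.80.28",  "192.168.20.28"),
}


def segment_of(ip, segments=SEGMENTS):
    """Return the name of the segment whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (_, cidr) in segments.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_plan(segments=SEGMENTS, moved=MOVED_ALIASES):
    """Return a list of problems found in the plan (empty list means OK)."""
    problems = []
    tags = [tag for tag, _ in segments.values() if tag is not None]
    dup = {t for t in tags if tags.count(t) > 1}
    if dup:
        problems.append(f"duplicate VLAN tags: {sorted(dup)}")
    for name, (tag, _) in segments.items():
        # VLAN 1 is the default/native VLAN on most switches, so an untagged port
        # lands in it; a management net there deserves a second look.
        if tag == 1:
            problems.append(f"{name} uses VLAN 1 (native VLAN)")
    nets = {n: ipaddress.ip_interface(c).network for n, (_, c) in segments.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    for alias, (old, new) in moved.items():
        src, dst = segment_of(old, segments), segment_of(new, segments)
        if (src, dst) != ("SERVER", "CLIENT"):
            problems.append(f"{alias}: expected SERVER -> CLIENT, got {src} -> {dst}")
    return problems
```

Run against the plan as written it reports only the VLAN 1 finding; rerun it after editing the dictionaries when the port assignment changes.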