## Intro

The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall either will not be supported anymore in the future or is simply broken; I don't know and don't care. The Sophos thingy should be replaced by an OPNsense solution. To do this we try to reproduce the Sophos configuration as closely as possible, although it will be very hard.

### Plugins

- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client

## Sophos features to reproduce

### Network

- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default DHCP at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static IP of: 192.168.99.253/24 (a Speedport router sits in front of the firewall)
- [ ] IPv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured: Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: Unbound DNS -> Query Forwarding. (This config is required for AD integration.)
- [x] DNS servers are: the firewall itself, plus an arbitrary monopolistic tech giant of your choice
- [ ] SSL certificate via ACME (HTTP challenge); only needs to be enabled in the UI and the certificate issued

### Authentication

- [x] Require MFA for: user portal, web admin console
- [ ] set up AD as "server" in OPNsense
- [ ] import users from AD!!! (I hope it works...)

#### Not required

- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal

### Miscellaneous

- [x] Sophos antivirus alternative (ClamAV + c-icap + Squid web proxy)
- [x] SSL VPN - needs to be tested properly
- [x] SSL/TLS inspection with Squid (transparent web proxy)

## Firewall rules to reproduce

- [x] allow VPN access to LAN network (any service) (web proxy) (IPS: general policy) (WAF)
- [x] allow LAN access to WAN network (dhcp, dns, ftp, http, https, icmp, icmpv6, imap(s), Jimdo-Mail??, ntp, ping, pop3(s), smtp, smtp(s), Teamviewer) (scan http and decrypted https, scan ftp for malware, use web proxy) (IPS: general policy) (WAF)
- [ ] service aliases for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow WAN access to the firewall over HTTPS and SSH only from the office IP (213.160.17.158) (in Sophos jargon: "local service ACL exception rule")

## IPS

- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)

## Web Proxy

- [x] block categories: risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] HTTPS encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings in the Forward Proxy list)

## Optional

The following features are too complicated and are therefore only optional.

### Web application firewall

- [ ] too complicated

### Wireless

- [ ] does it need to be configured on OPNsense???

### Mail protection

- [y] scan ~~outgoing~~ incoming mails for malware (why??)

### Web Server

- not used
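As an added example (not part of these notes and not OPNsense code), the three rules under "Firewall rules to reproduce" as a small first-match policy model in Python, so the intended behaviour can be checked against concrete packets before the rules are clicked together in the OPNsense UI. The SSL VPN tunnel network 10.8.0.0/24 and the port numbers behind the service names are assumptions; Jimdo-Mail and TeamViewer are left out because their ports are not given above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule set above, not an OPNsense export. IPv4 only.
LAN = ipaddress.ip_network("192.168.9.0/24")
LAN_GW = ipaddress.ip_address("192.168.9.254")      # firewall LAN IP (DNS/DHCP server)
FW_WAN_IP = ipaddress.ip_address("192.168.99.253")  # firewall WAN IP behind the Speedport
OFFICE_IP = ipaddress.ip_address("213.160.17.158")  # only source allowed to manage from WAN
VPN = ipaddress.ip_network("10.8.0.0/24")           # assumption: SSL VPN tunnel network

# Service aliases for the LAN -> WAN rule, standard ports (Jimdo-Mail/TeamViewer unknown).
LAN_TO_WAN_TCP = {21, 25, 80, 110, 143, 443, 465, 587, 993, 995}  # ftp smtp http pop3 imap https smtps submission imaps pop3s
LAN_TO_WAN_UDP = {53, 67, 68, 123}                                 # dns dhcp ntp

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # ignored for icmp

def allow(pkt: Packet) -> bool:
    """First-match evaluation of the three rules; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Rule 1: VPN clients may reach any service on the LAN.
    if src in VPN and dst in LAN:
        return True
    # Rule 2: LAN hosts may reach the Internet (or the firewall itself) with the listed services.
    if src in LAN and (dst not in LAN or dst == LAN_GW):
        if pkt.proto == "icmp":
            return True
        ports = {"tcp": LAN_TO_WAN_TCP, "udp": LAN_TO_WAN_UDP}.get(pkt.proto, set())
        return pkt.dport in ports
    # Rule 3: local-service ACL exception: WAN-side management (ssh/https) only from the office IP.
    if dst == FW_WAN_IP and pkt.proto == "tcp" and pkt.dport in (22, 443):
        return src == OFFICE_IP
    return False

def check_policy() -> list:
    """Returns the constructed cases where the model disagrees with the intended policy (empty = ok)."""
    cases = [
        (Packet("10.8.0.5", "192.168.9.10", "tcp", 445), True),          # VPN -> LAN file share
        (Packet("192.168.9.10", "203.0.113.8", "tcp", 443), True),       # LAN -> WAN https
        (Packet("192.168.9.10", "203.0.113.8", "tcp", 23), False),       # telnet is not in the alias
        (Packet("192.168.9.10", "192.168.9.254", "udp", 53), True),      # LAN -> firewall DNS
        (Packet("213.160.17.158", "192.168.99.253", "tcp", 443), True),  # office -> web admin console
        (Packet("198.51.100.7", "192.168.99.253", "tcp", 22), False),    # anyone else -> ssh
    ]
    return [p for p, expected in cases if allow(p) != expected]
```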