On-site notes
- Plan the switch port assignment
- Switch all devices to DHCP:
  - switches
  - APs
  - Cloud Key
  - phones
  - printer (the printer needs additional changes: DNS)
- Dangerous: move the VLANs to their designated ports
- Shut down the devices
- Power on the new firewall and hope it works
General
- Inform Hermann about the procedure
- Obtain the internet access credentials
- Check the WAN/modem connection - the FritzBox does PPPoE as a router; according to the FritzBox a modem is present - remove the FritzBox
- Change public DNS entries (gw.studio-stadt-region.de -> <public-ip>)
- Inspect the ports of the UniFi switch
- Configure DHCP on all UniFi devices
- ACME - challenge type - other token with CF
- UniFi dashboard - define all VLAN networks
- Add to OPNcentral
- Take photos
- Pair the UniFi Cloud Key with the cloud
- Record the switch and APs in IT Glue
- Update the physical labels
Deprecated
- Enable IPS/IDS
- Change the iLO IP so that it's in the MGMT net
- Backup via FTP to the NAS if possible
Kerio Features
Network
- WAN: 10.0.80.2 (FritzBox PPPoE)
- LAN: 192.168.80.1/24
- VPN: 172.16.80.1/24
DNS and DHCP
- domain name: ad.studio-stadt-region.de
- query forwarding:
  - *.zvelo.com -> 1.1.1.1, 1.2.2.1
OPNsense
Network
| Name | Interface | VLAN tag | Network | Note |
|---|---|---|---|---|
| WAN | WAN | / | 10.0.80.2/32 | FritzBox PPPoE |
| MGMT | LAN | 1 | 192.168.50.1/24 | |
| SERVER | LAN | 80 | 192.168.80.1/24 | |
| CLIENT | LAN | 20 | 192.168.20.1/24 | |
| WLAN | LAN | 30 | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN | 40 | 192.168.40.1/24 | |
| OpenVPN | VPN | / | 172.16.80.1/24 | |
Firewall
Aliases
- filewave
- mailstore
- nas
- sbxoffice
- ad
- printer (NEW IP: 192.168.20.10. OLD IP: 192.168.80.200)
- phone (NEW IP: 192.168.20.28/29. OLD IP: 192.168.80.28/29)
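A small sanity check for the segment plan in the OPNsense network table and the alias moves above (added example, not part of the original notes): it flags overlapping subnets and duplicate VLAN tags, and shows which segment each moved alias leaves and enters, so the rule set can be re-checked against the new addresses. The alias names `phone1`/`phone2` are assumed for the two phone addresses.

```python
import ipaddress

# Segment plan copied from the OPNsense network table on this page.
SEGMENTS = {
    "MGMT": ("192.168.50.1/24", 1),
    "SERVER": ("192.168.80.1/24", 80),
    "CLIENT": ("192.168.20.1/24", 20),
    "WLAN": ("192.168.30.1/24", 30),
    "WLAN_GUEST": ("192.168.40.1/24", 40),
    "OpenVPN": ("172.16.80.1/24", None),  # no VLAN tag
}

# Alias hosts whose addresses change during the migration (old, new).
# phone1/phone2 are assumed names for the two phone addresses.
ALIAS_MOVES = {
    "printer": ("192.168.80.200", "192.168.20.10"),
    "phone1": ("192.168.80.28", "192.168.20.28"),
    "phone2": ("192.168.80.29", "192.168.20.29"),
}

def segment_networks():
    """Return {name: IPv4Network}, dropping the gateway host bits of each entry."""
    return {name: ipaddress.ip_network(cidr, strict=False)
            for name, (cidr, _) in SEGMENTS.items()}

def check_overlaps(nets):
    """Return pairs of segment names whose subnets overlap (should be empty)."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def check_duplicate_vlans():
    """Return (first segment, second segment, tag) for any reused VLAN tag."""
    seen, dupes = {}, []
    for name, (_, tag) in SEGMENTS.items():
        if tag is not None and tag in seen:
            dupes.append((seen[tag], name, tag))
        elif tag is not None:
            seen[tag] = name
    return dupes

def locate(ip, nets):
    """Name of the segment containing ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in nets.items() if addr in net), None)

def alias_moves(nets):
    """Map each alias to (old segment, new segment)."""
    return {alias: (locate(old, nets), locate(new, nets))
            for alias, (old, new) in ALIAS_MOVES.items()}

if __name__ == "__main__":
    nets = segment_networks()
    print("overlaps:", check_overlaps(nets))
    print("duplicate VLAN tags:", check_duplicate_vlans())
    for alias, (old, new) in alias_moves(nets).items():
        print(f"{alias}: {old} -> {new}")
```

Every alias should report SERVER -> CLIENT; a None on either side means the address is not covered by any planned segment.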
Rules
WAN
- enable geo filter (iran, north korea, russia)
- Allow VPN entrypoint to WAN via VPN port
MGMT
- allow 'mgmt addr' to AD server via ldap
- allow 'mgmt net' to AD via dns
USER
- allow 'user net' to AD via dns
- allow 'user net' to nas via smb
- allow 'user net' to AD via ldap(s)
- allow 'user net' to 'server net' via https
- allow 'user net' to mailstore via its web port (Reverse Proxy in future)
- allow 'user net' to vwlizenz via (any?)
- allow 'user net' to filewaveserver via filewaveservice ports
VPN
- allow 'vpn net' to AD via dns
- Allow SMB for VPN Client network
- allow vpn net to server net
SERVER
- Allow filewave out
DNAT
- Port 8462/tcp from WAN address to Mailstore IP NAT
- Port Group "Filewave" from WAN address to Filewave IP NAT
Authentication Server
- AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
VPN
- depends on: Authentication Server
- one user and one admin VPN server
- Set up OpenVPN:
  - Self-signed certificate chain: root CA, server cert and client cert
  - set up the OpenVPN server
  - set up the client certs
IPS/IDS
- Set up and configure Suricata - very heavy on resources, needs to be tested
Content Filter
- Recreate - if possible - the application, web and HTTPS filters
Reverse Proxy (Web Server Protection)
- projektpro
- Others?
NTP
- Server: srvu-master.ad.studio-stadt-region.de