CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
notes/projects/ssr/firewall_migration/20250526-Notizen.md
Petar Cubela 252a91dbcc ]
2025-07-15 15:36:24 +02:00

152 lines
4.0 KiB
Markdown
Raw Permalink Blame History

## Vor Ort Notes
1. Plane Switch Portbelegung
2. Stelle alle Geraete auf dhcp um:
1. [x] switches
2. [x] APs
3. [x] Cloud-Key
4. [x] Telefone
5. [x] Drucker (drucker muss mehr angepasst werden: dns)
3. Dangerous: Setze VLANs auf designierte Ports um
4. Geraete runterfahren
5. Neue Firewall anschalten und hoffen, dass es klappt
## Notes
opnsense ui: root, 4H?bh,wXU85JrXs
opnsense ui: sbxadmin, %bghY!FH65Z
cloud key: user: sbxadmin, 'l0b-J3HbQ7Om0jbfeuah'
Main switch: 60:22:32:ee:22:38
Subscription key: a119bcee-9ca0-438c-b2c9-69db51d186b8
## General
- [ ] hermann ablauf mitteilen
- [ ] Internetzugangsdaten beschaffen
- [x] pruefe WAN/Modem Anschluss - fritz macht pppoe als router; modem laut fritz vorhanden - entferne fritzbox
- [x] Change public DNS entries (gw.studio-stadt-region.de -> \<public-ip\> )
- [x] ports der unifi untersuchen
- [x] configure dhcp on all unifi devices
- [x] acme - challenge type - andere token con cf
- [x] unifi dashboard - define all vlan networks
- [x] add to opncentral
- [x] fotos machen
- [x] unifi cloud key mit cloud koppeln
- [ ] Switch und APs in IT-Glue hinterlegen
- [ ] physische Beschriftung anpassen
### deprecated
- [ ] ips/ids anschalten
- [ ] change ilo ip such that its in the mgmt net
- [ ] backup via ftp to nas if possible
## Kerio Features
### Network
- WAN: 10.0.80.2 (FritzBox PPPoE)
- LAN: 192.168.80.1/24
- VPN: 172.16.80.1/24
### DNS and DHCP
- [x] domain name: ad.studio-stadt-region.de
- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`
## OPNsense
### Network
| Name | Interface | VLAN tag | Network | Note |
| ---------- | --------- | -------- | --------------- | ----------------------- |
| WAN | WAN | / | 10.0.80.2/32 | FritzBox PPPoE |
| MGMT | LAN | 1 | 192.168.50.1/24 | |
| SERVER | LAN | 80 | 192.168.80.1/24 | |
| CLIENT | LAN | 20 | 192.168.20.1/24 | |
| WLAN | LAN | 30 | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN | 40 | 192.168.40.1/24 | |
| OpenVPN | VPN | | 172.16.80.1/24 | |
### Firewall
#### Aliase
- [x] filewave
- [x] mailstore
- [x] nas
- [x] sbxoffice
- [x] ad
- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.80.200)
- [x] phone (NEW IP: 192.168.20.28/29. OLD IP: 192.168.80.28/29)
#### Rules
##### WAN
- [ ] enable geo filter (iran, north korea, russia)
- [ ] Allow VPN entrypoint to WAN via VPN port
##### MGMT
- [ ] allow 'mgmt addr' to AD server via ldap
- [ ] allow 'mgmt net' to AD via dns
##### USER
- [ ] allow 'user net' to AD via dns
- [ ] allow 'user net' to nas via smb
- [ ] allow 'user net' to AD via ldap(s)
- [ ] allow 'user net' to 'server net' via https
- [ ] allow 'user net' to mailstore via its web port (Reverse Proxy in future)
- [ ] allow 'user net' to vwlizenz via (any?)
- [ ] allow 'user net' to filewaveserver via filewaveservice ports
##### VPN
- [ ] allow 'vpn net' to AD via dns
- [ ] Allow SMB for VPN Client network
- [ ] allow vpn net to server net
##### SERVER
- [ ] Allow filewave out
#### DNAT
- [ ] Port 8462/tcp from WAN address to Mailstore IP NAT
- [ ] Port Group "Filewave" from WAN address to Filewave IP NAT
### Authentication Server
- [ ] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
### VPN
- depends on: Authentication Server
- one user and one admin vpn server
- [ ] Setup OpenVPN.
- [ ] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
- [ ] setup openvpn server
- [ ] setup client certs
### IPS/IDS
- [ ] setup and configure surricata - very heavy on resources.. need to be tested
### Content Filter
- [ ] Recreate - if possible - application, web and https filter
### Reverse Proxy (Web Server Protection)
- [ ] projektpro
- [ ] Andere?
### NTP
- Server: `srvu-master.ad.studio-stadt-region.de`
## Archive
Reference in New Issue View Git Blame Copy Permalink