144 lines
3.7 KiB
Markdown
## On-site Notes

opnsense ui: root, 4H?bh,wXU85JrXs
opnsense ui: sbxadmin, %bghY!FH65Z
cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU'
Main switch: 70:a7:41:ff:e4:4b
Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15
## General

- [x] Change public DNS entries (`gw.knoppwassmer.de -> <public-ip>`)
- [x] Inspect the UniFi ports
- [x] Set up ACME with DNS challenge (issue tomorrow)
- [x] Configure DHCP on all UniFi devices
- [x] UniFi dashboard: define all VLAN networks
- [x] Add to OPNcentral
- [x] Take photos
- [x] Turn on IPS/IDS
- [x] Backup via FTP to NAS if possible
- [ ] Change iLO IP so that it is in the MGMT net
- [ ] Link UniFi Cloud Key to the cloud
- [ ] Record switch and APs in IT Glue
- [ ] Update physical labelling

## Kerio Features

### Network

- WAN: 10.0.70.2 (FritzBox PPPoE)
- LAN: 192.168.70.1/24
- VPN: 172.16.70.1/24

### DNS and DHCP

- [x] domain name: ad.knoppwassmer.de
- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`

## OPNsense

### Network

| Name       | Interface | VLAN tag | Network         | Note                    |
| ---------- | --------- | -------- | --------------- | ----------------------- |
| WAN        | WAN       | /        | 10.0.70.2/32    | FritzBox PPPoE          |
| MGMT       | LAN       | 1        | 192.168.50.1/24 |                         |
| SERVER     | LAN       | 70       | 192.168.70.1/24 |                         |
| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                         |
| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                         |
| OpenVPN    | VPN       |          | 172.16.70.1/24  |                         |

### Firewall

#### Aliases

- [x] filewave
- [x] mailstore
- [x] nas
- [x] sbxoffice
- [x] ad
- [x] printer (NEW IP: 192.168.20.10, OLD IP: 192.168.70.200)

#### Rules

##### WAN

- [ ] Enable GeoIP filter (Iran, North Korea, Russia)
- [x] Allow VPN entry point to WAN via VPN port

##### MGMT

- [x] Allow 'mgmt addr' to AD server via LDAP
- [x] Allow 'mgmt net' to AD via DNS

##### USER

- [x] Allow 'user net' to AD via DNS
- [x] Allow 'user net' to NAS via SMB
- [x] Allow 'user net' to AD via LDAP(S)
- [x] Allow 'user net' to 'server net' via HTTPS
- [x] Allow 'user net' to mailstore via its web port (reverse proxy in future)
- [x] Allow 'user net' to vwlizenz via (any?)
- [x] Allow 'user net' to filewaveserver via FileWave service ports

##### VPN

- [x] Allow 'vpn net' to AD via DNS
- [x] Allow SMB for VPN client network
- [x] Allow 'vpn net' to 'server net'

##### SERVER

- [x] Allow filewave out

#### DNAT

- [x] Port 8462/tcp from WAN address to Mailstore IP (NAT)
- [x] Port group "Filewave" from WAN address to Filewave IP (NAT)

### Authentication Server

- [x] AD coupling (somehow): DNAT from sbxoffice to local AD via LDAP(S)

### VPN

- depends on: Authentication Server

- [x] Set up OpenVPN
- [x] Self-signed certificate chain: Root CA, server cert and client cert
- [x] Set up OpenVPN server
- [x] Set up client certs

### IPS/IDS

- [x] Set up and configure Suricata (very heavy on resources; needs to be tested)

### Content Filter

- [ ] Recreate, if possible, the application, web and HTTPS filters

### Reverse Proxy (Web Server Protection)

- [ ] projektpro
- [ ] Others?

### NTP

- Server: `srvu-master.ad.knoppwassmer.de`

## Archive

### On-site Notes

1. Plan switch port assignment
2. Switch all devices to DHCP:
   1. [x] switches
   2. [x] APs
   3. [x] Cloud Key
   4. [x] Phones
   5. [x] Printer (printer needs further adjustment: DNS)
3. Dangerous: move VLANs to the designated ports
4. Shut down devices
5. Turn on the new firewall and hope it works