notes/areas/OPNsense/opnsense-frankeriger-current.md
2025-03-18 14:23:17 +01:00


Intro

The customer Franke Rieger Architekten currently uses a Sophos XG 106 firewall. The firewall is either no longer supported or simply broken; I don't know and don't care. The Sophos box is to be replaced by an OPNsense setup. To do that we try to reproduce the Sophos configuration as closely as possible, although that will be hard.

Plugins

  • os-OPNcentral
  • os-squid
  • os-clamav
  • os-c-icap
  • os-acme-client

Sophos features to reproduce

Network

  • LAN interface: static address 192.168.9.254/24

  • default DHCP pool on br-lan: 192.168.9.123 - 192.168.9.127

  • WAN interface: static address 192.168.99.253/24 (the Speedport router sits in front of the firewall)

  • IPv4 gateway: name Speedport, IP 192.168.99.254, interface WAN, health check on (gateway monitoring in OPNsense)

  • DNS request route: host/domain name ffr.local, target server frr-srv-dc02.frr.local. OPNsense analogue: Unbound DNS -> Query Forwarding. (Required for AD integration: domain members must resolve the AD zone, including the DC's SRV records, through the firewall.) The domain is written ffr.local here but the DC's FQDN is under frr.local; confirm the real AD DNS name before configuring.

  • DNS servers: the firewall itself, plus an arbitrary big-tech public resolver

  • TLS certificate via ACME (HTTP-01 challenge); only needs to be enabled in the UI and the certificate issued. HTTP-01 needs port 80 on the WAN address to be reachable from the internet, so the Speedport has to forward it.
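As an added illustration (not from this note, and not OPNsense's generated unbound.conf), here are the plain Unbound directives that the Query Forwarding entry for the AD domain amounts to, together with the settings that usually bite when an internal zone is forwarded to a DC. Assumptions: the DC address 192.168.9.10 is a placeholder (the note names only frr-srv-dc02.frr.local), the domain is written frr.local to match that host name, and the reverse zone is an addition for the PTR lookups AD members make.

```conf
# Added example, hand-written; OPNsense builds its own unbound.conf from
# the UI, so treat this as a reading aid for what the UI fields mean.
server:
    # AD zones are unsigned. If DNSSEC validation is on, Unbound must be
    # told not to expect a chain of trust for the forwarded zone.
    domain-insecure: "frr.local"

    # Rebind protection: answers carrying RFC 1918 addresses are dropped
    # for public names. The DC returns 192.168.9.x for everything in
    # frr.local, so the zone has to be declared private (OPNsense has a
    # field for this on the Unbound DNS Advanced page).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "frr.local"

    # Unbound answers the RFC 1918 reverse zones locally by default;
    # release 168.192.in-addr.arpa so the forward-zone below is used.
    local-zone: "168.192.in-addr.arpa." nodefault

# Forward the AD domain itself (A, AAAA, SRV for _ldap._tcp etc.)
# to the domain controller. 192.168.9.10 is an assumed DC address.
forward-zone:
    name: "frr.local"
    forward-addr: 192.168.9.10

# Reverse lookups for the LAN go to the DC as well.
forward-zone:
    name: "9.168.192.in-addr.arpa"
    forward-addr: 192.168.9.10
```

Without the private-domain line the forwarding appears to work in the UI but clients get empty answers for internal hosts; without the nodefault line reverse lookups for the LAN never leave the firewall.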

Authentication

  • require MFA for: user portal, web admin console
  • set up AD as an authentication server in OPNsense (System -> Access -> Servers, LDAP type; the MFA requirement maps to the "LDAP + Timebased One Time Password" type)
  • import users from AD!!! (I hope it works...)

Not required

  • [y] Kerberos for authenticating non-AD users (web authentication??)
  • [y] captive portal

Miscellaneous

  • Sophos antivirus alternative: ClamAV + c-icap + Squid web proxy
  • SSL VPN: needs to be tested properly
  • SSL/TLS inspection with Squid (transparent web proxy); requires the proxy's CA certificate to be deployed on every client

Firewall rules to reproduce

  • allow VPN access to LAN network (any service) (web proxy) (IPS: general policy) (WAF)

  • allow LAN access to WAN network (DHCP, DNS, FTP, HTTP, HTTPS, ICMP, ICMPv6, IMAP(S), Jimdo-Mail??, NTP, ping, POP3(S), SMTP, SMTP(S), TeamViewer) (scan HTTP and decrypted HTTPS, scan FTP for malware, use web proxy) (IPS: general policy) (WAF)

    • service aliases for IMAP(S), Jimdo-Mail, POP3(S), smtps_465, TeamViewer

  • allow management access on the WAN interface over HTTPS and SSH only from the office IP (213.160.17.158) (in Sophos jargon: "local service ACL exception rule")

IPS

  • default general policies
  • built-in Suricata

Web Proxy

  • filter categories: risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
  • HTTPS decryption
  • managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Web Proxy -> Administration -> Forward Proxy -> General Forward Settings)
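As an added illustration for the SSL/TLS inspection item above and the exclusion list here (not from this note, not OPNsense's generated squid.conf and not the Sophos config), the Squid directives that a transparent HTTPS-bumping proxy with a no-bump list and ClamAV scanning via c-icap comes down to. Assumptions: the file paths, the ports 3128/3129, the example no-bump hosts, and the c-icap service name avscan are placeholders; OPNsense generates its own configuration from the UI, so this is for understanding the settings, not for pasting.

```conf
# Added example, hand-written. Intercepted HTTPS needs a NAT redirect
# rule sending LAN port 443 to 3129 on the firewall; plain HTTP uses 3128.
http_port 3128
https_port 3129 intercept ssl-bump \
    tls-cert=/usr/local/etc/squid/ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# Helper that mints the per-site certificates signed by the proxy CA.
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 16MB

# "SSL no bump sites": peek at the TLS ClientHello to learn the server
# name, splice (pass through untouched) anything on the exclusion list,
# bump the rest. Banking, update servers and pinned apps belong here
# or they fail hard. Host names are placeholders.
acl nobump ssl::server_name .bank.example .update.microsoft.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# Malware scanning: hand request and response bodies to c-icap, which
# runs them through ClamAV. bypass=off means a dead scanner blocks
# traffic instead of silently letting it through.
icap_enable on
icap_send_client_ip on
icap_service av_req reqmod_precache icap://127.0.0.1:1344/avscan bypass=off
icap_service av_resp respmod_precache icap://127.0.0.1:1344/avscan bypass=off
adaptation_access av_req allow all
adaptation_access av_resp allow all
```

Only bumped connections reach the ICAP scanner; spliced ones are passed through unscanned, so every entry on the exclusion list is also a scanning gap.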

Optional

The following features are too complicated and therefore only optional.

Web application firewall

  • too complicated

Wireless

  • does it need to be configured on OPNsense???

Mail protection

  • [y] scan outgoing and incoming mail for malware (why??)

Web Server

  • not used