notes/projects/kwa/firewall_migration/20250414-preparation.md
2025-04-29 16:29:52 +02:00


On-Site Notes

  • OPNsense UI: root, <password redacted>
  • OPNsense UI: sbxadmin, <password redacted>
  • Cloud Key: user sbxadmin, <password redacted>
  • Main switch: 70:a7:41:ff:e4:4b
  • Subscription key: <redacted>

General

  • Change public DNS entries (gw.knoppwassmer.de -> <public-ip>)
  • Inspect the UniFi ports
  • Set up ACME with DNS challenge (issue tomorrow)
  • Configure DHCP on all UniFi devices
  • UniFi dashboard: define all VLAN networks
  • Add to OPNcentral
  • Take photos
  • Enable IPS/IDS
  • Backup via FTP to NAS if possible
  • Change iLO IP so that it is in the MGMT net
  • Link the UniFi Cloud Key to the cloud
  • Record switch and APs in IT Glue
  • Update physical labels

Kerio Features

Network

  • WAN: 10.0.70.2 (FritzBox PPPoE)
  • LAN: 192.168.70.1/24
  • VPN: 172.16.70.1/24

DNS and DHCP

  • domain name: ad.knoppwassmer.de
  • query forwarding: *.zvelo.com -> 1.1.1.1,1.2.2.1

OPNsense

Network

| Name       | Interface | VLAN tag | Network         | Note                        |
|------------|-----------|----------|-----------------|-----------------------------|
| WAN        | WAN       | /        | 10.0.70.2/32    | FritzBox PPPoE              |
| MGMT       | LAN       | 1        | 192.168.50.1/24 |                             |
| SERVER     | LAN       | 70       | 192.168.70.1/24 |                             |
| CLIENT     | LAN       | 20       | 192.168.20.1/24 |                             |
| WLAN       | LAN       | 30       | 192.168.30.1/24 | USE CLIENT net for WLAN     |
| WLAN_GUEST | LAN       | 40       | 192.168.40.1/24 |                             |
| OpenVPN    | VPN       |          | 172.16.70.1/24  |                             |

Firewall

Aliases

  • filewave
  • mailstore
  • nas
  • sbxoffice
  • ad
  • printer (NEW IP: 192.168.20.10. OLD IP: 192.168.70.200)

Rules

WAN
  • enable geo filter (Iran, North Korea, Russia)
  • Allow VPN entrypoint to WAN via VPN port
MGMT
  • allow 'mgmt addr' to AD server via ldap
  • allow 'mgmt net' to AD via dns
USER
  • allow 'user net' to AD via dns
  • allow 'user net' to nas via smb
  • allow 'user net' to AD via ldap(s)
  • allow 'user net' to 'server net' via https
  • allow 'user net' to mailstore via its web port (Reverse Proxy in future)
  • allow 'user net' to vwlizenz via (any?)
  • allow 'user net' to filewaveserver via filewaveservice ports
VPN
  • allow 'vpn net' to AD via dns
  • Allow SMB for VPN Client network
  • allow vpn net to server net
SERVER
  • Allow filewave out

DNAT

  • Port 8462/tcp from WAN address to Mailstore IP NAT
  • Port Group "Filewave" from WAN address to Filewave IP NAT

Authentication Server

  • AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)

VPN

  • depends on: Authentication Server

  • Setup OpenVPN.

    • Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
    • setup openvpn server
    • setup client certs

IPS/IDS

  • set up and configure Suricata; very heavy on resources, needs to be tested

Content Filter

  • Recreate - if possible - application, web and https filter

Reverse Proxy (Web Server Protection)

  • projektpro
  • Others?

NTP

  • Server: srvu-master.ad.knoppwassmer.de

Archive

On-Site Notes

  1. Plan the switch port assignment
  2. Switch all devices over to DHCP:
    1. switches
    2. APs
    3. Cloud Key
    4. phones
    5. printer (the printer needs more adjustment: DNS)
  3. Dangerous: move the VLANs to the designated ports
  4. Shut down the devices
  5. Power on the new firewall and hope it works