Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.
As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.
Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?
What do you check if looking for security issues?
The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.
Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly
Honestly, OPNSense has some fairly decent reporting that can take you a fair ways. https://docs.opnsense.org/manual/reporting_traffic.html
Watching the traffic in those tools can highlight a lot of concerns. Is outbound wide open from all networks?
In general, I wouldn’t recommend doing auth at the network layer. You could do radius, AD, or something similar if that’s a concern. You could use Tailscale and create a mesh overlay - I’d do that before VPN. Going down this road can, of course, cause a lot of challenges with phones and other iot devices. I tend to keep the iot vlan barebones for that reason.
Okay, yeah i do look at the reporting to Register things that look off, but I am not sure I recognize everything that IS off.
Generally I keep outbound and inbound completely closed except for the connections I need, which I manually allow for in the rules for each subnet. for the client WiFi I have a alias with all private (ipv4) ranges, and a rule that allows outbound to anything but that (so only connections to “the internet” not to stuff in my network.
Radius is the thing I at least came across a few times in my settings, from what I understand I would need a dedicated radius server all can reach an authenticate against right? At the moment I only have a bare metal Debian server for the self hosted unifi controller, maybe I could learn proxmox and do radius and unifi in different VMs on that machine.
What would the tailscale option mean? I have heard about it (but mostly mentioned in combination with arr stacks, which I dont have, so I never looked at it. What does it do? What are the benefits over for example radius?
Okay, so radius/tailscale for client networks, for iot I rely on subnet separation would be your advice?
Perhaps the easiest, and still at least decent, approach is to just run nmap (or any other port scanner) against your own subnets/IP addresses. That way you’ll at least find out if the firewall allows something trough which it shouldn’t, Also you can run tcpdump/wireshark on destination host to see if it receives packets it shouldn’t.
For client authentication, if ARP filtering is not enough, you could set up 802.1x, but that’s likely a massive overkill (and overhead) for home network. I personally don’t authenticate clients separately. Just WPA2 on wifi and firewall rules to allow/deny traffic between subnets. Sure, it’s pretty easy to bypass, but in practise you’d need to be inside the house to access some parts of the network. But my threat model is mostly about a handful of IOT things which I don’t trust with full network access, not about someone unauthorized getting access to my home network.
I tried that a little, but my problem was that there was to much stuff going on in the network for me to understand and review all. I am currently not reachable at all from the big internet, only local server access and I only get working connections if I rset an IP corresponding to the vlan I am in, but unify broadcasting, Nat, VPN, etc. Make a lot of connections and connection attempts internally I dont understand.
Problem with no client authentication is that the network is used by multiple separate households not necessary trusting each other, and some now want to host servers to the public, which would mean lots of untrusted traffic. I am concerned if they dont handle their security right and have access to for example our shared media server, they could scrape ip-mac address pairs to get deeper in the network. Any thoughts on benefits and lows of 802.1 vs. Radius?
Radius is a part of 802.1x standard and for your threat model that does absolutely nothing. If a bad actor can access a device already in your network, then network level authentication doesn’t do anything. For example it prevents from someone randomly plugging their device in your switch and getting access that way, or it only allows verified clients to your WLAN. But once the network connectivity is already established you need a totally different tools.
Mainly that means firewall on your network and/or servers. There’s multiple ways to build that. You could get a separate firewall device to block access from the rest of the network to your devices or you can set up firewall for each of your things separately. All solutions have their own pros and cons and ‘correct’ solution depends on multiple variables.
Okay, maybe I’m misunderstanding something, but my thinking goes like this:
- A personal computer I dont control, which is infected logs onto the wifi network of family A. This device has no permissions (based on its ip), so it can’t access the shared media server.
- This device could spoof a Mac address of a device with permissions on the same network through brute force, so it gets their IP along with its permission (access to media server)
- It could at least do bad actions with the permissions inherited from the spoofed device, maybe even spread further if the media server isn’t set up securely.
In my mind I could prevent this with authentication, as I could force a device to have a keyfile or something in order to use that IP address. So the bad actor would at least first need to get access to the real device and steal the keyfile in order to spoof it. Which (in my mind) is way harder than iterating through all Mac addresses and testing which addresses get which IPs with which permissions.
The issue i want to solve (with this part) would basically boil down to: securely giving different permissions to devices on the same network/subnet.
The only other way I would see would be to buy more APs so there is a separate WiFi for every set of permissions I want to give out, so spoofing Mac addresses becomes irrelevant.
Just protecting for spoofed IP doesn’t add much in my opinion, at least compared to the effort of setting up and maintaining 802.1x. Easier way would be to set up different local networks per family and allow access to shared services via common firewall. That doesn’t require support from devices nor it doesn’t rely on security on them. Properly setting 802.1x would mean that you’ll need to manage every device on the network somehow and, assuming you don’t actually own or control the devices, that would be at least challenging.
Your thinking isn’t wrong, in that scenario network level authentication would help, but overhead of such setup is, again in my opinion, way more complex than what you can actually get in return. Of course if you want to just do it for the fun of it, go ahead. And also, if the devices are on the same network, they can sniff MAC addresses and IPs of neighboring devices, so protecting anything with just IP/MAC is a lost cause.
Remember that separation by VLANs does very little unless you have firewall rules that limit traffic between them.
Well I have separate subnets for separate vlans. Connections between them get blocked by the firewall by default from my understanding, but to be safe I explicitly deny all outbound AND inbound connections, so I have to make a rule for each of two subnets if I want inter subnet communication, which is the case for the shared media server. If I do that I whitelist which IPs can reach which IPs on the different subnet. There still is the problem that different clients on the same network can "steal"the IP of other clients with more permissions. That’s why I asked about authentication
I have argued that vlans do very little for home users.
Vlans with firewall rules mean that every room in your house has a rule that you have to go out the locked front door before going back into another room. But if an external threat can bypass the front lock, having a rule that everyone inside has to use the front lock does nothing. Either the front lock works in which case everything is safe or it doesn’t work in which case the rule to use the front door lock every time you go from inside room to inside room does nothing.
Let’s look at the recent case where the FBI/Google took down a sites related to a botnet that was using Android TV boxes that came equipped with malware. These were cheapo, third tier units probably sold via Temu or some equivalent.
In this case they were being used to relay and obfuscate crime related traffic, but there’s no reason that the same technique couldn’t be used to more directly attack the hosting network.
I think that if you assume that device that you plug into your network could be used as an edge router into your network for a WireGuard connection with the outside world, then isolating those devices from your homelab is a good idea.
Something like an Android TV box obviously needs to connect to the Internet, and there are good reasons that you might want to run a VPN on it too. So trying to limit its access to the Internet via ports would be difficult. A VLAN would give me some piece of mind here.
Yes, that’s the idea, that everything needs to go through opnsense, where I manage who’s allowed to go where. The question now is how to determine if the front door lock is safe, so that nothing can leak through because I misconfigured nat or VPN or something


