Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

  • HamsterRage@lemmy.ca
    link
    fedilink
    arrow-up
    3
    ·
    2 天前

    Remember that separation by VLANs does very little unless you have firewall rules that limit traffic between them.

    • SomeLemmyUser@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      1
      ·
      1 天前

      Well I have separate subnets for separate vlans. Connections between them get blocked by the firewall by default from my understanding, but to be safe I explicitly deny all outbound AND inbound connections, so I have to make a rule for each of two subnets if I want inter subnet communication, which is the case for the shared media server. If I do that I whitelist which IPs can reach which IPs on the different subnet. There still is the problem that different clients on the same network can "steal"the IP of other clients with more permissions. That’s why I asked about authentication

    • Blue_Morpho@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      2 天前

      I have argued that vlans do very little for home users.

      Vlans with firewall rules mean that every room in your house has a rule that you have to go out the locked front door before going back into another room. But if an external threat can bypass the front lock, having a rule that everyone inside has to use the front lock does nothing. Either the front lock works in which case everything is safe or it doesn’t work in which case the rule to use the front door lock every time you go from inside room to inside room does nothing.

      • HamsterRage@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        1 天前

        Let’s look at the recent case where the FBI/Google took down a sites related to a botnet that was using Android TV boxes that came equipped with malware. These were cheapo, third tier units probably sold via Temu or some equivalent.

        In this case they were being used to relay and obfuscate crime related traffic, but there’s no reason that the same technique couldn’t be used to more directly attack the hosting network.

        I think that if you assume that device that you plug into your network could be used as an edge router into your network for a WireGuard connection with the outside world, then isolating those devices from your homelab is a good idea.

        Something like an Android TV box obviously needs to connect to the Internet, and there are good reasons that you might want to run a VPN on it too. So trying to limit its access to the Internet via ports would be difficult. A VLAN would give me some piece of mind here.

      • SomeLemmyUser@discuss.tchncs.deOP
        link
        fedilink
        arrow-up
        1
        ·
        1 天前

        Yes, that’s the idea, that everything needs to go through opnsense, where I manage who’s allowed to go where. The question now is how to determine if the front door lock is safe, so that nothing can leak through because I misconfigured nat or VPN or something