Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

  • SomeLemmyUser@discuss.tchncs.deOP
    link
    fedilink
    arrow-up
    1
    ·
    1 day ago

    Okay, yeah i do look at the reporting to Register things that look off, but I am not sure I recognize everything that IS off.

    Generally I keep outbound and inbound completely closed except for the connections I need, which I manually allow for in the rules for each subnet. for the client WiFi I have a alias with all private (ipv4) ranges, and a rule that allows outbound to anything but that (so only connections to “the internet” not to stuff in my network.

    Radius is the thing I at least came across a few times in my settings, from what I understand I would need a dedicated radius server all can reach an authenticate against right? At the moment I only have a bare metal Debian server for the self hosted unifi controller, maybe I could learn proxmox and do radius and unifi in different VMs on that machine.

    What would the tailscale option mean? I have heard about it (but mostly mentioned in combination with arr stacks, which I dont have, so I never looked at it. What does it do? What are the benefits over for example radius?

    Okay, so radius/tailscale for client networks, for iot I rely on subnet separation would be your advice?