Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.
As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.
Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?
What do you check if looking for security issues?
The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.
Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

I tried that a little, but my problem was that there was to much stuff going on in the network for me to understand and review all. I am currently not reachable at all from the big internet, only local server access and I only get working connections if I rset an IP corresponding to the vlan I am in, but unify broadcasting, Nat, VPN, etc. Make a lot of connections and connection attempts internally I dont understand.
Problem with no client authentication is that the network is used by multiple separate households not necessary trusting each other, and some now want to host servers to the public, which would mean lots of untrusted traffic. I am concerned if they dont handle their security right and have access to for example our shared media server, they could scrape ip-mac address pairs to get deeper in the network. Any thoughts on benefits and lows of 802.1 vs. Radius?
Radius is a part of 802.1x standard and for your threat model that does absolutely nothing. If a bad actor can access a device already in your network, then network level authentication doesn’t do anything. For example it prevents from someone randomly plugging their device in your switch and getting access that way, or it only allows verified clients to your WLAN. But once the network connectivity is already established you need a totally different tools.
Mainly that means firewall on your network and/or servers. There’s multiple ways to build that. You could get a separate firewall device to block access from the rest of the network to your devices or you can set up firewall for each of your things separately. All solutions have their own pros and cons and ‘correct’ solution depends on multiple variables.
Okay, maybe I’m misunderstanding something, but my thinking goes like this:
In my mind I could prevent this with authentication, as I could force a device to have a keyfile or something in order to use that IP address. So the bad actor would at least first need to get access to the real device and steal the keyfile in order to spoof it. Which (in my mind) is way harder than iterating through all Mac addresses and testing which addresses get which IPs with which permissions.
The issue i want to solve (with this part) would basically boil down to: securely giving different permissions to devices on the same network/subnet.
The only other way I would see would be to buy more APs so there is a separate WiFi for every set of permissions I want to give out, so spoofing Mac addresses becomes irrelevant.
Just protecting for spoofed IP doesn’t add much in my opinion, at least compared to the effort of setting up and maintaining 802.1x. Easier way would be to set up different local networks per family and allow access to shared services via common firewall. That doesn’t require support from devices nor it doesn’t rely on security on them. Properly setting 802.1x would mean that you’ll need to manage every device on the network somehow and, assuming you don’t actually own or control the devices, that would be at least challenging.
Your thinking isn’t wrong, in that scenario network level authentication would help, but overhead of such setup is, again in my opinion, way more complex than what you can actually get in return. Of course if you want to just do it for the fun of it, go ahead. And also, if the devices are on the same network, they can sniff MAC addresses and IPs of neighboring devices, so protecting anything with just IP/MAC is a lost cause.