Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.
As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.
Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?
What do you check if looking for security issues?
The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.
Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

Just protecting for spoofed IP doesn’t add much in my opinion, at least compared to the effort of setting up and maintaining 802.1x. Easier way would be to set up different local networks per family and allow access to shared services via common firewall. That doesn’t require support from devices nor it doesn’t rely on security on them. Properly setting 802.1x would mean that you’ll need to manage every device on the network somehow and, assuming you don’t actually own or control the devices, that would be at least challenging.
Your thinking isn’t wrong, in that scenario network level authentication would help, but overhead of such setup is, again in my opinion, way more complex than what you can actually get in return. Of course if you want to just do it for the fun of it, go ahead. And also, if the devices are on the same network, they can sniff MAC addresses and IPs of neighboring devices, so protecting anything with just IP/MAC is a lost cause.