Docs/OPNsense: Difference between revisions
No edit summary |
No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
'''For Layer 1 network details, see [[Docs/Cables]].''' |
|||
[[Docs|<small>~/Docs</small>]] |
|||
'''For Layer 2 network details, see [[Docs/Switches]].''' |
|||
OPNsense is our router/firewall. |
OPNsense is our router/firewall. |
||
We have two OPNsense devices, Lasagna and Ravioli. |
We have two OPNsense devices, Lasagna and Ravioli. |
||
'''The VLAN configuration (like VLAN IDs) should probably be moved to [[Docs/Switches]] to keep this article strictly Layer3''' |
|||
== Network == |
== Network == |
||
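Review bot: the bold note added at the end of this hunk ("The VLAN configuration (like VLAN IDs) should probably be moved to Docs/Switches") leaves an open editorial decision in the article body; either move the VLAN ID columns in this revision or track the TODO on the talk page instead. Minor: "Layer3" should read "Layer 3" to match "Layer 1" and "Layer 2" in the lines above.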
| Line 12: | Line 12: | ||
{| class="wikitable" |
{| class="wikitable" |
||
!Subnet |
!Subnet |
||
!VLAN ID |
|||
|- |
|- |
||
|10.10.0.0/24 |
|10.10.0.0/24 |
||
|1? |
|||
|} |
|} |
||
OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO] and internal networking hardware. |
OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO] and internal networking hardware. |
||
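Review bot: the new VLAN ID cell for 10.10.0.0/24 reads "1?", so the Management table now publishes a value the author has flagged as unconfirmed; verify it against the switch configuration in Docs/Switches before merging, or mark the cell TBD. If the OOB management network really is on VLAN 1, state that plainly, since the Management section says this network is to be restricted from everything else and readers should not have to guess which VLAN carries it.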
| Line 30: | Line 28: | ||
{| class="wikitable" |
{| class="wikitable" |
||
!Subnet |
!Subnet |
||
!VLAN ID |
|||
|- |
|- |
||
|10.10.1.0/24 |
|10.10.1.0/24 |
||
|2? |
|||
|} |
|} |
||
Servers and Virtual Machines. |
Servers and Virtual Machines. |
||
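Review bot: the VLAN ID for 10.10.1.0/24 is entered as "2?", another unconfirmed value; confirm it against the switch configuration or mark the cell TBD rather than publishing a guess.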
| Line 42: | Line 38: | ||
{| class="wikitable" |
{| class="wikitable" |
||
!Subnet |
!Subnet |
||
!VLAN ID |
|||
|- |
|- |
||
|141.219.80.64/27 |
|141.219.80.64/27 |
||
|640 |
|||
|} |
|} |
||
Our public IP subnet under Tech's <code>141.219.0.0/16</code> block. |
Our public IP subnet under Tech's <code>141.219.0.0/16</code> block. |
||
| Line 54: | Line 48: | ||
{| class="wikitable" |
{| class="wikitable" |
||
!Subnet |
!Subnet |
||
!VLAN ID |
|||
|- |
|- |
||
|10.10.10.0/24 |
|10.10.10.0/24 |
||
|N/A |
|||
|} |
|} |
||
| Line 63: | Line 55: | ||
{| class="wikitable" |
{| class="wikitable" |
||
!Subnet |
!Subnet |
||
!VLAN ID |
|||
|- |
|- |
||
|10.10.11.0/24 |
|10.10.11.0/24 |
||
|N/A |
|||
|} |
|} |
||
<code>10.10.11.0/25</code> - Wireguard admin range (access to LAN+Management) |
<code>10.10.11.0/25</code> - Wireguard admin range (access to LAN+Management) |
||
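Review bot: the context line "10.10.11.0/25 - Wireguard admin range (access to LAN+Management)" is, on its face, at odds with "Management cannot communicate with LAN/WAN" and "LAN cannot communicate with Management" in the Management and LAN sections; the Wireguard section should say explicitly that the admin range is the one deliberate path into Management, and the placeholder OPNsense rules section should document the firewall rule that permits only 10.10.11.0/25 to reach 10.10.0.0/24.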
Latest revision as of 08:09, 4 November 2025
For Layer 1 network details, see Docs/Cables.
For Layer 2 network details, see Docs/Switches.
OPNsense is our router/firewall.
We have two OPNsense devices, Lasagna and Ravioli.
Network
Management (OOB)
| Subnet | VLAN ID |
|---|---|
| 10.10.0.0/24 | 1? |
This network carries out-of-band (OOB) management services such as Dell iDRAC / HP iLO and the internal networking hardware.
Management cannot communicate with LAN/WAN.
Generally, Management should be restricted from everything else.
OOB services tend to be highly vulnerable: there are dozens of ready-made scripts that compromise an iDRAC and hand out a root shell just by being pointed at its IP address.
Because of this, the iDRAC web login interface should be reachable only by people you are okay with having root on the server.
LAN
| Subnet | VLAN ID |
|---|---|
| 10.10.1.0/24 | 2? |
Servers and Virtual Machines.
LAN cannot communicate with Management.
WAN
| Subnet | VLAN ID |
|---|---|
| 141.219.80.64/27 | 640 |
This is our public IP subnet, carved out of Tech's 141.219.0.0/16 block.
The plan is to use reverse NAT to map the public IPs onto selected internal IPs, since we will not have enough public IPs for every VM.
OpenVPN
| Subnet | VLAN ID |
|---|---|
| 10.10.10.0/24 | N/A |
Wireguard
| Subnet | VLAN ID |
|---|---|
| 10.10.11.0/24 | N/A |
10.10.11.0/25 - Wireguard admin range (access to LAN+Management)
10.10.11.128/25 - Wireguard user range (access to only LAN)
All members can be freely given 'user' Wireguard configs. Only admin configs need to be restricted (because of the iDRAC exploit issues described under Management).
Neither wireguard config should have access to the internet.
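As an added example that is not part of this wiki page, the following Python encodes the segmentation policy described in the Management, LAN and Wireguard sections (who may reach Management, what each Wireguard range may reach, no internet from either tunnel) as a table that sample flows can be checked against. The zone names, function names and sample flows are assumptions, and LAN outbound access is assumed rather than stated on the page.

```python
"""Added example (not from the wiki): the page's segmentation policy as a
checkable table. Subnets are the page's own; zone names, function names and
the sample flows are constructed for illustration."""
import ipaddress

NETS = {
    "management": ipaddress.ip_network("10.10.0.0/24"),     # OOB: iDRAC / iLO
    "lan":        ipaddress.ip_network("10.10.1.0/24"),     # servers and VMs
    "wan":        ipaddress.ip_network("141.219.80.64/27"), # public /27
    "openvpn":    ipaddress.ip_network("10.10.10.0/24"),
    "wg_admin":   ipaddress.ip_network("10.10.11.0/25"),    # LAN + Management
    "wg_user":    ipaddress.ip_network("10.10.11.128/25"),  # LAN only
}

# Destination zones each source zone may initiate connections to. Zones absent
# from this table (e.g. "openvpn", for which the page gives no rule) are denied.
ALLOWED = {
    "management": set(),                  # restricted from everything else
    "lan":        {"wan", "internet"},    # assumed: servers need outbound access
    "wg_admin":   {"lan", "management"},  # admin tunnel; no internet
    "wg_user":    {"lan"},                # user tunnel; no Management, no internet
}

def zone_of(ip: str) -> str:
    """Map an address to the documented zone containing it, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src: str, dst: str) -> bool:
    """True if a connection from src to dst is permitted by the page's policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True  # traffic within one zone never crosses the router here
    return dst_zone in ALLOWED.get(src_zone, set())

def audit(flows):
    """Return the (src, dst) pairs that the policy forbids."""
    return [(s, d) for s, d in flows if not is_allowed(s, d)]

if __name__ == "__main__":
    sample = [("10.10.11.5", "10.10.0.20"),     # wg admin -> iDRAC: allowed
              ("10.10.11.200", "10.10.0.20"),   # wg user -> iDRAC: denied
              ("10.10.1.10", "10.10.0.20"),     # LAN -> Management: denied
              ("10.10.11.200", "203.0.113.5")]  # wg user -> internet: denied
    for flow in audit(sample):
        print("policy violation:", flow)
```

Return traffic is left to the firewall's state table; the check is only about which zone may open a connection to which.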
OPNsense
<Rules for access, updates, generating wireguard configs, etc>