Docs/OPNsense: Difference between revisions

Jump to navigation Jump to search

Docs/OPNsense (view source)

Revision as of 01:51, 15 May 2025

474 bytes removed ,  15 May
no edit summary
No edit summary
No edit summary
We have two OPNsense devices, Lasagna and Ravioli.
 
'''The VLAN configuration (like VLAN IDs) should probably be moved to [[Docs/Switches]] to keep this article strictly Layer3'''
=== Firewall Rules ===
View the WebUI for the specific firewall rules, but some of the more basic/essential ones are:
 
== Management (OOB) ==
# Management cannot communicate with LAN/WAN (the internet), and LAN cannot communicate with Management.
{| class="wikitable"
## Generally, Management should be restricted from everything else. (maybe even other iDrac servers?)
!Subnet
## OOB services tend to be ''super'' vulnerable, there are dozens of [https://github.com/mgargiullo/cve-2018-1207 premade scripts] that instapwn iDRACs and give you a root shell by just pointing them at the IP address.
!VLAN ID
## Because of this, the iDRAC web login interface should only be accessible to anyone you're okay having root on the server.
|-
# Wireguard
* |10.10.100.0/24 - OpenVPN
## The admin/user split is so all members can be given a wireguard config to the internal network without having to worry about them being able to trivially get root on all servers running premade-exploits like [https://github.com/mgargiullo/cve-2018-1207 these] on the iDracs.
|1?
## If someone shows up to a couple meetings they're probably fine to get an admin config; this is more for peace-of-mind to not need to worry about the configs given to people who went to one meeting once at the beginning of the semester and have never been seen again.
|}
## Neither config should have access to WAN, just to prevent someone getting LUG in hot water if they attempt to torrent or something similarly dumb through the VPN.
* 10.10.0.0/24 - Management (OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO]) and internal networking hardware.
 
# Management cannot communicate with LAN/WAN (the internet), and LAN cannot communicate with Management.
=== Routing ===
 
## Generally, Management should be restricted from everything else. (maybe even other iDrac servers?)
==== Main networks ====
We have two main networks:
* 10.10.0.0/24 - Management (OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO])
* 10.10.1.0/24 - LAN (servers/VMs)
We may also be getting a <code>/27</code> of Tech's <code>141.219.0.0/16</code> block through IT (~28-30 usable public IP addresses).
 
## OOB services tend to be ''super'' vulnerable, there are dozens of [https://github.com/mgargiullo/cve-2018-1207 premade scripts] that instapwn iDRACs and give you a root shell by just pointing them at the IP address.
The plan is to use reverse-NAT to map the public IPs to select internal IPs, since we won't have enough IPs for every VM (so we can't do it like IT and exclusively use publicly routable addresses).
 
## Because of this, the iDRAC web login interface should only be accessible to anyone you're okay having root on the server.
==== VPN Networks ====
In addition, there are two main VPN networks:
 
== LAN ==
* 10.10.10.0/24 - OpenVPN
{| class="wikitable"
* 10.10.11.0/24 - Wireguard
!Subnet
** 10.10.11.0/25 - Wireguard admin range (access to Management+LAN, no WAN)
!VLAN ID
** 10.10.11.128/25 - Wireguard user range (access to only LAN, no WAN)
|-
|10.10.1.0/24
|2?
|}
Servers and Virtual Machines.
 
LAN cannot communicate with Management.
 
== WAN ==
{| class="wikitable"
!Subnet
!VLAN ID
|-
|141.219.80.64/27
|640
|}
Our public IP subnet under Tech's <code>141.219.0.0/16</code> block.
 
The plan is to use reverse-NAT to map the public IPs to select internal IPs, since we won't have enough IPs for every VM (so we can't do it like IT and exclusively use publicly routable addresses).
 
==== VPN Networks ====
 
=== RoutingOpenVPN ===
{| class="wikitable"
!Subnet
!VLAN ID
|-
|10.10.10.0/24
|N/A
|}
 
#=== Wireguard ===
{| class="wikitable"
!Subnet
!VLAN ID
|-
* |10.10.11.0/24 - Wireguard
|N/A
|}
** <code>10.10.11.0/25</code> - Wireguard admin range (access to LAN+Management+LAN, no WAN)
 
** <code>10.10.11.128/25</code> - Wireguard user range (access to only LAN, no WAN)
 
All members can be freely given 'user' wireguard configs. Only admin configs need to be restricted (due to the aforementioned iDrac exploit issues).
 
Neither wireguard config should have access to the internet.
Retrieved from "https://lug.mtu.edu/wiki/Special:MobileDiff/7886"

Navigation menu