Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

  • hoodoo5x5@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    15 minutes ago

    Honestly, OPNSense has some fairly decent reporting that can take you a fair ways. https://docs.opnsense.org/manual/reporting_traffic.html

    Watching the traffic in those tools can highlight a lot of concerns. Is outbound wide open from all networks?

    In general, I wouldn’t recommend doing auth at the network layer. You could do radius, AD, or something similar if that’s a concern. You could use Tailscale and create a mesh overlay - I’d do that before VPN. Going down this road can, of course, cause a lot of challenges with phones and other iot devices. I tend to keep the iot vlan barebones for that reason.

  • HamsterRage@lemmy.ca
    link
    fedilink
    arrow-up
    3
    ·
    9 hours ago

    Remember that separation by VLANs does very little unless you have firewall rules that limit traffic between them.

    • Blue_Morpho@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      1 hour ago

      I have argued that vlans do very little for home users.

      Vlans with firewall rules mean that every room in your house has a rule that you have to go out the locked front door before going back into another room. But if an external threat can bypass the front lock, having a rule that everyone inside has to use the front lock does nothing. Either the front lock works in which case everything is safe or it doesn’t work in which case the rule to use the front door lock every time you go from inside room to inside room does nothing.

  • IsoKiero@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 hours ago

    Perhaps the easiest, and still at least decent, approach is to just run nmap (or any other port scanner) against your own subnets/IP addresses. That way you’ll at least find out if the firewall allows something trough which it shouldn’t, Also you can run tcpdump/wireshark on destination host to see if it receives packets it shouldn’t.

    For client authentication, if ARP filtering is not enough, you could set up 802.1x, but that’s likely a massive overkill (and overhead) for home network. I personally don’t authenticate clients separately. Just WPA2 on wifi and firewall rules to allow/deny traffic between subnets. Sure, it’s pretty easy to bypass, but in practise you’d need to be inside the house to access some parts of the network. But my threat model is mostly about a handful of IOT things which I don’t trust with full network access, not about someone unauthorized getting access to my home network.