---
tags:
- landing-page
- upnote-import
---
# Home network
TODO
[OPNsense - Router - schulnetzkonzept.de](https://old.schulnetzkonzept.de/opnsense)
# Pages
- [[N: Home-Assistent über HAProxy 📑]]
- [[N: Full Cert Chain in OpnSense verwenden 📑]]
- [[N: Paperless-NGX 📑]]
# Planning the new network
[Network structure and IP segmentation](https://chatgpt.com/c/68d793e6-1f84-8331-867c-ea6842b1a6d3)
Hardware purchase options:
[Firewall micro appliance N150, fanless mini PC with 4 i226 2.5 GbE ports, for pfSense, firewall, router, OpenWRT, without RAM, storage or OS: Amazon.de: Computer & Accessories](https://www.amazon.de/dp/B0F3JLKMB3?ref=emc_p_m_5_i_atc&th=1)
AliExpress: [Intel N150 N100 mini PC firewall router, 4 LAN i226-V 2.5G, Celeron N5105 N6210, NVMe, fanless low-power mini computer, pfSense box - AliExpress](https://de.aliexpress.com/item/1005007002786305.html?spm=a2g0o.productlist.main.3.35d3Z6kOZ6kO5G&algo_pvid=12b128c3-7a02-4c23-9467-a41ff8c4770d&algo_exp_id=12b128c3-7a02-4c23-9467-a41ff8c4770d-2&pdp_ext_f=%7B%22order%22%3A%22152%22%2C%22eval%22%3A%221%22%2C%22fromPage%22%3A%22search%22%7D&pdp_npi=6%40dis%21EUR%21183.32%21120.99%21%21%21210.20%21138.73%21%40210384b917593333635278191edfa7%2112000046663703988%21sea%21DE%210%21ABX%211%210%21n_tag%3A-29910%3Bd%3Aa233012%3Bm03_new_user%3A-29895&curPageLogUid=vZzqLxp7ExnI&utparam-url=scene%3Asearch%7Cquery_from%3A%7Cx_object_id%3A1005007002786305%7C_p_origin_prod%3A#nav-specification)
## Terra firewall
Inventory page: [[I: TERRA FIREWALL "BLACK DWARF" G3 UTM 1 Jahr🗄]]
MAC: 00:07:32:7B:91:93
IP: 192.168.1.1
[https://192.168.1.1:55443/](https://192.168.1.1:55443/)
Various OPNsense tutorials: [How do I configure DoT (DNS over TLS) on the OPNsense firewall? - zenarmor.com](https://www.zenarmor.com/docs/de/netzwerksicherheitstutorials/wie-konfiguriert-man-dot-auf-der-opnsense-firewall)
## LANCOM switch GS-2310
Inventory page: [[I: Switch LANCom GS-2310 🗄️]]
MAC: 00:A0:57:41:67:87
[http://192.168.1.2/](http://192.168.1.2/)
[Downloads - LANCOM Systems GmbH](https://my.lancom-systems.de/downloads/?L=0&unique_id=2c8b76d14646c62f86bd3c495973c816&dllang=DE)
Ports:

| Port | Description | VLANs | Egress rule |
| --- | --- | --- | --- |
| 1 | Uplink to firewall | 1 | Hybrid |
| 2 | TRUNK | 1 | Trunk |
| 3 | PowerLine | 10-User | Hybrid |
| 7 | admin port | 1-default | Hybrid |
| 8 | | 10-User | |
## DIGITUS DN-95331

| Port | Description | VLANs | Egress rule |
| --- | --- | --- | --- |
| 5 | NAS network port 2 | 41-DOCKER\_NAS | Hybrid |
| 6 | UPS | | |
| 7 | NAS network port 1 | 40-SERVER | Hybrid |
| 8 | Uplink trunk from the living-room wall socket | 1-default | |
## Netgear Switch GS308EPP
### FritzBox Wi-Fi controller + WAN router
[http://192.168.178.1/](http://192.168.178.1/)
Emergency IP: 169.254.1.1 - connect a PC via port 2
# VLANs
Tagged: ports that pass the VLAN's traffic through with its tag (uplinks between switches and the firewall)
Untagged: ports for a specific device, used to place that device in a VLAN

| VLAN | Interface | DHCP | Network |
| --- | --- | --- | --- |
| 1 - default | 192.168.1.1 | | 192.168.1.0/24 |
| 10 - USER | 10.10.0.1 | 10.10.0.2 - 10.10.0.199 | |
| 20 - GUEST | 10.20.0.1 | 10.20.0.1 | |
| 30 - IOT | 10.30.0.1 | | |
| 40 - SERVER | 10.40.0.1 | 10.40.0.3 - 10.40.0.199 | 10.40.0.0/16 |
| 41 - DOCKER\_NAS | 10.40.10.1 | 10.40.10.3 - 10.40.10.199 | 10.40.10.0/24 |

Networks:
- 10.10.0.0/16 - USER
- 10.20.0.0/16 - GUEST
- 10.30.0.0/16 - IOT
- 10.40.0.0/16 - SERVER
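As an added example (not part of this note), a small Python check that takes the VLAN plan from the table above and flags a gateway outside its prefix, a DHCP pool outside the prefix or containing the gateway, and prefixes that overlap between VLANs; on this plan it reports the GUEST pool (a single address equal to the gateway) and the DOCKER_NAS /24 lying inside the SERVER /16. The /16 sizes for USER, GUEST and IOT are taken from the networks list and are an assumption, since the table leaves those cells empty.

```python
"""Consistency checks for the VLAN plan above (added example, not part of the
note). Transcribed from the VLAN table; /16 sizes for VLANs 10/20/30 come from
the 'Networks' list, which is an assumption."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Vlan(NamedTuple):
    vid: int
    name: str
    gateway: str                     # OPNsense interface address in this VLAN
    network: str                     # VLAN prefix in CIDR notation
    dhcp: Optional[Tuple[str, str]]  # (first, last) address of the DHCP pool


PLAN = [
    Vlan(1, "default", "192.168.1.1", "192.168.1.0/24", None),
    Vlan(10, "USER", "10.10.0.1", "10.10.0.0/16", ("10.10.0.2", "10.10.0.199")),
    # The table lists a single address for the GUEST pool; taken literally here.
    Vlan(20, "GUEST", "10.20.0.1", "10.20.0.0/16", ("10.20.0.1", "10.20.0.1")),
    Vlan(30, "IOT", "10.30.0.1", "10.30.0.0/16", None),
    Vlan(40, "SERVER", "10.40.0.1", "10.40.0.0/16", ("10.40.0.3", "10.40.0.199")),
    Vlan(41, "DOCKER_NAS", "10.40.10.1", "10.40.10.0/24", ("10.40.10.3", "10.40.10.199")),
]


def check_plan(plan: List[Vlan]) -> List[str]:
    """Return findings as strings; an empty list means the plan is consistent."""
    findings = []
    seen = []  # (vid, network) of VLANs already checked, for overlap detection
    for v in plan:
        net = ipaddress.ip_network(v.network, strict=True)
        gw = ipaddress.ip_address(v.gateway)
        if gw not in net:
            findings.append(f"VLAN {v.vid}: gateway {gw} is not inside {net}")
        if v.dhcp:
            lo, hi = (ipaddress.ip_address(a) for a in v.dhcp)
            if lo > hi or lo not in net or hi not in net:
                findings.append(f"VLAN {v.vid}: DHCP pool {lo}-{hi} lies outside {net}")
            elif lo <= gw <= hi:
                findings.append(f"VLAN {v.vid}: DHCP pool {lo}-{hi} contains the gateway {gw}")
        # Overlapping prefixes on two interfaces give the firewall ambiguous routes
        # and let a host in one VLAN collide with an address in the other.
        for other_vid, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"VLAN {v.vid} {net} overlaps VLAN {other_vid} {other_net}")
        seen.append((v.vid, net))
    return findings
```

Running `check_plan(PLAN)` returns exactly the two findings described in the lead-in; fix the plan until it returns an empty list.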
# Overview
| Device | Port | IP | Pages |
| --- | --- | --- | --- |
| FritzBox old (DSL) | WAN | Telekom IP | |
| FritzBox old (DSL) | LAN DHCP -> OPNsense WAN port | 192.168.178.106 | dhcp |
| FritzBox old (DSL) | | [192.168.178.1](http://192.168.178.1/) | |
| OPNsense | WAN port (port LAN2) | 192.168.178.21 | dhcp |
| OPNsense | LAN port (port LAN1) | [192.168.1.1](https://192.168.1.1:55443/)<br>[AdGuard](http://192.168.1.1:3000/) | static<br>[[N: Multicast DNS Repeater zwischen 📑]]<br>[[N: HAProxy Reverse-Proxy-Servers auf OPNsense 📑]] |
| LANCOM GS-2310 | | [192.168.1.2](http://192.168.1.2/) | [[I: Switch LANCom GS-2310 🗄️]] |
| FritzBox new (Wi-Fi) | 3 | [192.168.1.103](http://192.168.1.103/#/) | |
| Home Assistant | | [192.168.1.192](http://192.168.1.192:8123/)<br>Proxy: 192.168.1.1 | |
| EMMA | | 192.168.1.178 | [[I: Huawai EMMA 🗄️]] |
| HUE Bridge | | 192.168.1.137 | 00:17:88:69:AD:F8 |
| DIGITUS Gigabit, basement | | [192.168.1.111](http://192.168.1.111/) | [[I: DIGITUS DN-95331 Netzwerkswitch 🗄️]] |
| NAS | | [192.168.1.124](http://192.168.1.124/) | [[I: Synology NAS DS 🗄️]]<br><br>[[N: MACVLAN für Docker anlegen 📑]]<br>[[N: Netzwerk-Interface neu starten 📑]]<br>[[Neue Notiz]]<br>[[N: AdGuard auf OPNsense installieren 📑]] |

| Server | IP | Ports | Host | Proxy | Description |
| --- | --- | --- | --- | --- | --- |
| gitea | 10.40.10.130 | 3000 - WebUI | NAS | HA | Git server |
| paperless | 10.40.10.131 | 8000 - WebUI | NAS | HA | Archive system |
| homeassistant | 192.168.1.192 | 8123 - WebUI | Raspberry | HA | Home automation |
| immich<br>immich-prometheus | 10.40.10.132<br>10.40.10.133 | 2283 - WebUI<br>9090 - WebUI | NAS | NPM | Photo management |
| nginx proxy manager | 10.40.10.134 | 81 - WebUI | NAS | - | [Login Nginx Proxy Manager](http://10.40.10.134:81/login) |

Wall socket, living room, left
## Speedport
Device password: 83767207
[http://192.168.2.1/](http://192.168.2.1/)
# Access from the web
- [RRset conflict (CAA + CNAME) with HAProxy and LE wildcard from deSEC / dedyn.io - Page 3](https://forum.opnsense.org/index.php?topic=49125.30)
- [Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating](https://forum.opnsense.org/index.php?topic=23339.0)
![](..\..\files\301b5284-018a-411d-a8c4-32e0f36fe9a2.png)
# Static routes and double NAT
First create an alias for the Fritz network:
![](..\..\files\18213d46-5345-42de-be62-ff1a8ee3a278.png)
To avoid double NAT, create a NAT rule in OPNsense:
![](..\..\files\d33db927-c4ad-4727-af07-72c41bfb9ed0.png)
This should be restricted further later, e.g. to admin or IoT only, but not to guests and users.
Static routes, so that the networks behind OPNsense can also reach devices in the Fritz network:
![](..\..\files\af0fa525-56ad-4845-80e1-be1abadd58f3.png)
[Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating](https://forum.opnsense.org/index.php?topic=23339.0)
[OPNsense settings behind a FritzBox - access from outside](https://forum.opnsense.org/index.php?topic=39053.0)
[Setup OPNsense with HAProxy and Let's Encrypt | Marcus Holtz](https://blog.holtzweb.com/posts/opnsense-with-haproxy-and-lets-encrypt/)
[opnsense Received something which does not look like a PROXY protocol header - Google search](https://www.google.com/search?q=opnsense+Received+something+which+does+not+look+like+a+PROXY+protocol+header&newwindow=1&sca_esv=69afb27cda6b1637&sxsrf=AE3TifNGCTUN_X9hUalFtKqVKJ9xTQtN-A%3A1760112723749&ei=UzDpaKqwLciE9u8PyY3QkQw&ved=0ahUKEwjqpaftgpqQAxVIgv0HHckGNMIQ4dUDCBA&uact=5&oq=opnsense+Received+something+which+does+not+look+like+a+PROXY+protocol+header&gs_lp=Egxnd3Mtd2l6LXNlcnAiTG9wbnNlbnNlIFJlY2VpdmVkIHNvbWV0aGluZyB3aGljaCBkb2VzIG5vdCBsb29rIGxpa2UgYSBQUk9YWSBwcm90b2NvbCBoZWFkZXJIjhhQAFibF3AAeAGQAQCYAaMBoAHuCKoBAzEuOLgBA8gBAPgBAZgCAaACfMICBhAAGAcYHpgDAJIHAzAuMaAHuRCyBwMwLjG4B3zCBwMwLjHIBwE&sclient=gws-wiz-serp)
Set up a DMZ: [Deploy Nginx Proxy Manager in a DMZ with OPNsense](https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/)