---
tags:
- landing-page
- upnote-import
---

# Home network

TODO

[OPNsense - Router - schulnetzkonzept.de](https://old.schulnetzkonzept.de/opnsense)

# Pages

- [[N: Home-Assistent über HAProxy 📑]]
- [[N: Full Cert Chain in OpnSense verwenden 📑]]

[[N: Paperless-NGX 📑]]

# Planning the new network

[Network structure and IP segmentation](https://chatgpt.com/c/68d793e6-1f84-8331-867c-ea6842b1a6d3)

Hardware purchase options:

[Firewall micro appliance N150, fanless mini PC with 4 i226 2.5G LAN ports, for pfSense, firewall, router, OpenWRT, without RAM, storage or OS: Amazon.de](https://www.amazon.de/dp/B0F3JLKMB3?ref=emc_p_m_5_i_atc&th=1)

AliExpress: [Intel N150 N100 mini PC firewall router, 4 LAN i226-V 2.5G, Celeron N5105 N6210, NVMe, fanless low-power pfSense box - AliExpress](https://de.aliexpress.com/item/1005007002786305.html?spm=a2g0o.productlist.main.3.35d3Z6kOZ6kO5G&algo_pvid=12b128c3-7a02-4c23-9467-a41ff8c4770d&algo_exp_id=12b128c3-7a02-4c23-9467-a41ff8c4770d-2&pdp_ext_f=%7B%22order%22%3A%22152%22%2C%22eval%22%3A%221%22%2C%22fromPage%22%3A%22search%22%7D&pdp_npi=6%40dis%21EUR%21183.32%21120.99%21%21%21210.20%21138.73%21%40210384b917593333635278191edfa7%2112000046663703988%21sea%21DE%210%21ABX%211%210%21n_tag%3A-29910%3Bd%3Aa233012%3Bm03_new_user%3A-29895&curPageLogUid=vZzqLxp7ExnI&utparam-url=scene%3Asearch%7Cquery_from%3A%7Cx_object_id%3A1005007002786305%7C_p_origin_prod%3A#nav-specification)

## Terra firewall

Inventory page: [[I: TERRA FIREWALL "BLACK DWARF" G3 UTM 1 Jahr🗄️]]

MAC: 00:07:32:7B:91:93

IP: 192.168.1.1

[https://192.168.1.1:55443/](https://192.168.1.1:55443/)

Various OPNsense tutorials: [How to configure DoT (DNS over TLS) on the OPNsense firewall? - zenarmor.com](https://www.zenarmor.com/docs/de/netzwerksicherheitstutorials/wie-konfiguriert-man-dot-auf-der-opnsense-firewall)

## LANCOM switch GS-2310

Inventory page: [[I: Switch LANCom GS-2310 🗄️]]

MAC: 00:A0:57:41:67:87

[http://192.168.1.2/](http://192.168.1.2/)

[Downloads - LANCOM Systems GmbH](https://my.lancom-systems.de/downloads/?L=0&unique_id=2c8b76d14646c62f86bd3c495973c816&dllang=DE)

Ports:

| Port | Description | VLANs | Egress rule |
| --- | --- | --- | --- |
| 1 | Uplink firewall | 1 | Hybrid |
| 2 | TRUNK | 1 | Trunk |
| 3 | PowerLine | 10-User | Hybrid |
| 7 | admin port | 1-default | Hybrid |
| 8 | | 10-User | |

## DIGITUS DN-95331

| Port | Description | VLANs | Egress rule |
| --- | --- | --- | --- |
| 5 | NAS NW port 2 | 41-DOCKER\_NAS | Hybrid |
| 6 | UPS | | |
| 7 | NAS NW port 1 | 40-SERVER | Hybrid |
| 8 | Uplink trunk from the living-room network socket | 1-default | |

## Netgear switch GS308EPP

### Fritzbox WLAN controller + WAN router

[http://192.168.178.1/](http://192.168.178.1/)

Emergency IP: 169.254.1.1 - connect the PC via port 2

# VLANs

Tagged: ports that pass the VLAN's traffic through (frames keep their VLAN tag, as on a trunk)

Untagged: ports for a specific device, used to place that device in a VLAN (the switch tags the device's frames)

| VLAN | Interface | DHCP | Net |
| --- | --- | --- | --- |
| 1 - default | 192.168.1.1 | | 192.168.1.0/24 |
| 10 - USER | 10.10.0.1 | 10.10.0.2 - 10.10.0.199 | |
| 20 - GUEST | 10.20.0.1 | 10.20.0.1 | |
| 30 - IOT | 10.30.0.1 | | |
| 40 - SERVER | 10.40.0.1 | 10.40.0.3 - 10.40.0.199 | 10.40.0.0/16 |
| 41 - DOCKER\_NAS | 10.40.10.1 | 10.40.10.3 - 10.40.10.199 | 10.40.10.0/24 |

Nets:

- 10.10.0.0/16 - USER
- 10.20.0.0/16 - GUEST
- 10.30.0.0/16 - IOT
- 10.40.0.0/16 - SERVER
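As an added sanity check (not part of the original notes), the script below loads the VLAN plan from the table and net list above and reports subnets that overlap, DHCP ranges that fall outside their subnet, and DHCP ranges that include the interface address. The subnets for VLANs 10, 20 and 30 are taken from the net list, and VLAN 30 is assumed to have no DHCP range because none is listed.

```python
import ipaddress
from itertools import combinations

# VLAN address plan transcribed from the table and net list above:
# name -> (interface address, subnet, DHCP range or None).
PLAN = {
    "1-default":     ("192.168.1.1", "192.168.1.0/24", None),
    "10-USER":       ("10.10.0.1", "10.10.0.0/16", ("10.10.0.2", "10.10.0.199")),
    "20-GUEST":      ("10.20.0.1", "10.20.0.0/16", ("10.20.0.1", "10.20.0.1")),
    "30-IOT":        ("10.30.0.1", "10.30.0.0/16", None),
    "40-SERVER":     ("10.40.0.1", "10.40.0.0/16", ("10.40.0.3", "10.40.0.199")),
    "41-DOCKER_NAS": ("10.40.10.1", "10.40.10.0/24", ("10.40.10.3", "10.40.10.199")),
}


def overlapping_nets(plan):
    """Return sorted pairs of VLAN names whose subnets overlap.

    Two firewall interfaces claiming the same addresses make routing between
    the VLANs ambiguous, and per-VLAN firewall rules no longer isolate them."""
    nets = {name: ipaddress.ip_network(net) for name, (_, net, _) in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def dhcp_problems(plan):
    """Flag interface addresses outside their subnet, DHCP ranges that leave
    the subnet, and DHCP ranges that would hand out the gateway address."""
    problems = []
    for name, (gw, net, dhcp) in plan.items():
        network = ipaddress.ip_network(net)
        gateway = ipaddress.ip_address(gw)
        if gateway not in network:
            problems.append((name, "interface address outside subnet"))
        if dhcp is None:
            continue
        lo, hi = (ipaddress.ip_address(x) for x in dhcp)
        if lo > hi or lo not in network or hi not in network:
            problems.append((name, "DHCP range not inside subnet"))
        elif lo <= gateway <= hi:
            problems.append((name, "DHCP range includes interface address"))
    return problems


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_nets(PLAN))
    print("DHCP problems:", dhcp_problems(PLAN))
```

On this plan the script reports that 10.40.10.0/24 (DOCKER_NAS) lies inside 10.40.0.0/16 (SERVER), and that the GUEST DHCP entry is the interface address itself.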

# Overview

| Device | Port | IP | Pages |
| --- | --- | --- | --- |
| FritzBox old, DSL | WAN | Telekom IP | |
| FritzBox old, DSL | LAN DHCP -> OPNsense WAN port | 192.168.178.106 | dhcp |
| FritzBox old, DSL | | [192.168.178.1](http://192.168.178.1/) | |
| OPNsense | WAN port (port LAN2) | 192.168.178.21 | dhcp |
| OPNsense | LAN port (port LAN1) | [192.168.1.1](https://192.168.1.1:55443/)<br>[AdGuard](http://192.168.1.1:3000/) | static<br>[[N: Multicast DNS Repeater zwischen 📑]]<br>[[N: HAProxy Reverse-Proxy-Servers auf OPNsense 📑]] |
| LANCOM GS-2310 | | [192.168.1.2](http://192.168.1.2/) | [[I: Switch LANCom GS-2310 🗄️]] |
| FritzBox new, WLAN | 3 | [192.168.1.103](http://192.168.1.103/#/) | |
| Home Assistant | | [192.168.1.192](http://192.168.1.192:8123/)<br>Proxy: 192.168.1.1 | |
| EMMA | | 192.168.1.178 | [[I: Huawai EMMA 🗄️]] |
| HUE Bridge | | 192.168.1.137 | 00:17:88:69:AD:F8 |
| DIGITUS Gigabit, basement | | [192.168.1.111](http://192.168.1.111/) | [[I: DIGITUS DN-95331 Netzwerkswitch 🗄️]] |
| NAS | | [192.168.1.124](http://192.168.1.124/) | [[I: Synology NAS DS 🗄️]]<br>[[N: MACVLAN für Docker anlegen 📑]]<br>[[N: Netzwerk-Interface neu starten 📑]]<br>[[Neue Notiz]]<br>[[N: AdGuard auf OPNsense installieren 📑]] |

| Server | IP | Ports | Host | Proxy | Description |
| --- | --- | --- | --- | --- | --- |
| gitea | 10.40.10.130 | 3000 - WebUI | NAS | HA | Git server |
| paperless | 10.40.10.131 | 8000 - WebUI | NAS | HA | Archive system |
| homeassistant | 192.168.1.192 | 8123 - WebUI | Raspberry | HA | Home automation |
| immich<br>immich-prometheus | 10.40.10.132<br>10.40.10.133 | 2283 - WebUI<br>9090 - WebUI | NAS | NPM | Photo management |
| nginx proxy manager | 10.40.10.134 | 81 - WebUI | NAS | \- | [Login – Nginx Proxy Manager](http://10.40.10.134:81/login) |

Network socket, living room, left

## Speedport

Device password: 83767207

[http://192.168.2.1/](http://192.168.2.1/)

# Access from the web

- [RRset conflict (CAA + CNAME) with HAProxy and LE wildcard from deSEC / dedyn.io - Page 3](https://forum.opnsense.org/index.php?topic=49125.30)
- [Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating](https://forum.opnsense.org/index.php?topic=23339.0)

# Static routes and double NAT

First create an alias for the Fritz network:

(image not preserved)

To avoid double NAT, create a NAT rule in OPNsense:

(image not preserved)

This should later be restricted further, e.g. to admin or IoT only, but not to guests and users.

Static routes so that the networks behind OPNsense can also reach devices in the Fritz network:

(image not preserved)

[Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating](https://forum.opnsense.org/index.php?topic=23339.0)

[OPNsense settings behind a FritzBox - access from outside](https://forum.opnsense.org/index.php?topic=39053.0)

[Setup OPNsense with HAProxy and Let's Encrypt | Marcus Holtz](https://blog.holtzweb.com/posts/opnsense-with-haproxy-and-lets-encrypt/)

[opnsense Received something which does not look like a PROXY protocol header - Google search](https://www.google.com/search?q=opnsense+Received+something+which+does+not+look+like+a+PROXY+protocol+header&newwindow=1&sca_esv=69afb27cda6b1637&sxsrf=AE3TifNGCTUN_X9hUalFtKqVKJ9xTQtN-A%3A1760112723749&ei=UzDpaKqwLciE9u8PyY3QkQw&ved=0ahUKEwjqpaftgpqQAxVIgv0HHckGNMIQ4dUDCBA&uact=5&oq=opnsense+Received+something+which+does+not+look+like+a+PROXY+protocol+header&gs_lp=Egxnd3Mtd2l6LXNlcnAiTG9wbnNlbnNlIFJlY2VpdmVkIHNvbWV0aGluZyB3aGljaCBkb2VzIG5vdCBsb29rIGxpa2UgYSBQUk9YWSBwcm90b2NvbCBoZWFkZXJIjhhQAFibF3AAeAGQAQCYAaMBoAHuCKoBAzEuOLgBA8gBAPgBAZgCAaACfMICBhAAGAcYHpgDAJIHAzAuMaAHuRCyBwMwLjG4B3zCBwMwLjHIBwE&sclient=gws-wiz-serp)

Setting up a DMZ: [Deploy Nginx Proxy Manager in a DMZ with OPNsense](https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/)