il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1.0.0 Release IaaS

Browse Source
This commit is contained in:
Il Lee
2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
docs/archives/2025-12/05_firewall/05_01_opnsense_vm.md Normal file
View File

@@ -0,0 +1,130 @@
Tags: #os, #firewall, #configuration, #network, #virtualization
## Preparation
### Create VM template
- ~/data/config/scripts/opnsense.sh
```bash
virt-install \
--import \ # Start without CD-ROM or location - This is for Serial installation.
--boot uefi \ # Supports secure booting
--name opnsense \ # VM name
--os-variant freebsd14.2 \ # Choose kind of OS
--vcpus 2 \ # Set number of vcpu (It means core of pcpu)
--memory 4096 \ # Set the memory volume (Default: MiB)
--disk path=/var/lib/libvirt/images/OPNs
ense-25.7-serial-amd64.img,format=raw \ # Installation image file, format raw
--disk pool=vm-images,size=72,format=qcow2,discard=unmap \ # The target disk to install opnsense, it is on SSD; discard=unmap option will emulate SSD.
--network network=ovs-wan-net,model=virtio,mac=0A:49:6E:4D:00:00 \ # Use pre-designated network and specific MAC address
--network network=ovs-lan-net,portgroup=vlan-trunk,model=virtio,mac=0A:49:6E:4D:00:01 \
--graphics none \ # Don't use any graphic
--console pty,target_type=serial # Use console serial
# After enter this command, then the console start automatically
# Remove all annotation before you make the sh file.
```
### OPNsense installation
```sh
# Interface setting
Press any key to start the manual interface assignment: [enter]
LAGGs: N
VLANs: N
Enter the WAN interface name or 'a' for auto-detection: vtnet0
Enter the LAN interface name or 'a' for auto-detection: vtnet1
Enter the Optional interface 1 name or 'a' for auto-detection: [blank]
Do you want to proceed? : Y
# Login as an installer account
login: installer
password: opnsense
# installing
Continue with default keymap
Install (ZFS)
stripe
[*] vtbd1: yes
Complete Install: Halt Now
```
### Modify VM template
- virsh edit
```bash
virsh edit opnsense
```
- Edit template file
```xml
<!-- opnsense -->
...
</vcpu>
<cputune>
<shares>2048</shares>
</cputune>
<!-- cpu priority - 1024: default/2048: high/512: low -->
<!--
<disk>
...
<source file='/var/lib/libvirt/images/opnsense.img'/>
...
</disk>
# Remove booting disk
-->
...
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>
<!-- Define QEMU-Guest-Agent channel -->
```
- Save template file
```bash
virsh dumpxml opnsense > ~/data/config/vms/dumps/opnsense.xml
```
- opnsense.service
```ini
# ~/data/config/services/opnsense.service
# ~/.config/systemd/user/opnsense.service
[Unit]
Description=opnsense Auto Booting
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
# Maintain status as active
RemainAfterExit=yes
# Run the service
ExecStart=/usr/bin/virsh -c qemu:///system start opnsense
# Stop the service
ExecStop=/usr/bin/virsh -c qemu:///system shutdown opnsense
[Install]
WantedBy=default.target
```
```bash
mkdir -p ~/.config/systemd/user
chmod -R 700 ~/.config
ln -s ~/data/config/services/opnsense.service ~/.config/systemd/user/opnsense.service
systemctl --user daemon-reload
systemctl --user enable opnsense.service
systemctl --user start opnsense.service
```

91
docs/archives/2025-12/05_firewall/05_02_opnsense_general.md Normal file
View File

@@ -0,0 +1,91 @@
Tags: #os, #firewall, #configuration, #network
## Web UI
### Access
- Browser: https://192.168.1.1
- Login with root
### Wizard setting
- Hostname: opnsense
- Domain: ilnmors.internal
- Timezone: Asia/Seoul
> - System:Settings:General - Time Zone
- DNS Server: 1.1.1.2
> Temporary DNS server, when Adguard home and BIND is building, the change it.
> - System:Setting:General - DNS server
- \[ \] Override DNS
- \[ \] Enable Resolver
- WAN
- type dhcp
- \[\*\]Block RFC1918 Private Networks
- \[\*\]Block bogon networks
- LAN
- \[ \] Configure DHCP server
- Change root password
### User setting
- System:Access:Users - \[+\]
- Name: opnsense
- Full name: opnsense management account
- E-mail: opnsense@ilnmors.internal
- Group: admins
> When console access is needed, root account is necessary. Only root account can access console program. However, when using WebUI it is better to use separated account for security.
### system update and pkg
#### Updates
- System:Firmware:Updates
#### Plugins
- System:Firmware:Plugins
- \[\*\] Community plugins
- os-crowdsec
- os-acme-client
- os-qemu-guest-agent
>after install and restart plugin check with CLI `virsh qemu-agent-command opnsense '{"execute":"guest-get-osinfo"}'` on hypervisor
- os-telegraf
- os-sftp-backup
## Disable unused basic function
In this homelab project, Kea DHCP and AdGuard home, BIND will be used as DHCP server and DNS server. Therefore, it is necessary to disable Dnsmasq, ISC DHCP and Unbound which are used as basic function of DHCP and DNS in OPNsense.
- Services:Dnsmasq DNS&DHCP:General
- \[ \] Enable
- `Apply`
- Services:ISC DHCPv4
- \[ \] Enable
- `Apply`
- Services:ISC DHCPv6
- \[ \] Enable
- `Apply`
- Services:Unbound DNS:General
- \[ \] Enable
- `Apply`
## Backup
### ZFS Snapshot
Before major updating, it is important to make a ZFS snapshot.
- System:Snapshots - \[+\]
- Name: \[Date\]
- `Save`
### Setting backup
OPNsense is managed with configuration file. You can download the configuration file as XML format.
- System:Configuration:Backups
- Download: `Download configuration`
- Restore: Select file > `Restore configuration`
- sftp: URL / SSH private key

159
docs/archives/2025-12/05_firewall/05_03_opnsense_interface.md Normal file
View File

@@ -0,0 +1,159 @@
Tags: #os, #firewall, #configuration, #network
## Interface configuration
### VLAN setting
- Interfaces:Devices:VLAN - \[+\]
| Device | Parent | Tag | Description |
| :--------: | :----: | :-: | :---------: |
| vlan0.1.10 | vtnet1 | 10 | Server |
> The device name is reserved in Web UI; Name of VLAN device must start with `vlan0` or `qinq0`. In this project, name of vlan device would be `vlan0.[interface_num].[tag_num]`
- `Apply`
### VPN setting
- VPN:WireGuard
- \[\*\] Enable WireGuard
- VPN:WireGuard:Instance - \[+\]
| Name | Listen Port | Tunnel Address |
| :-------: | :---------: | :------------: |
| WG_SERVER | 11290 | 10.10.10.1/24 |
| WG_USER | 11291 | 10.10.1.1/24 |
- VPN:WireGuard:PeerGenerate
| Instance | End point | Name | Address | Pre-shared Key | Allowed IP | Keepalive interval | DNS |
| :-------: | :---------------: | :-----: | :-----------: | :------------: | :------------: | :----------------: | :-----------: |
| WG_SERVER | ilnmors.com:11290 | console | 10.10.10.2/32 | Generate | 192.168.0.0/16 | 25 | 192.168.10.11 |
| WG_SERVER | ilnmors.com:11290 | phone | 10.10.10.3/32 | Generate | 192.168.0.0/16 | 25 | 192.168.10.11 |
| WG_SERVER | ilnmors.com:11290 | spare | 10.10.10.4/32 | Generate | 192.168.0.0/16 | 25 | 192.168.10.11 |
> Set `PersistentKeepalive = 25` on peer, to avoid NAT timeout.
> Press `Store and generate next` button after generate each row.
> Before building net server (Private DNS), use 1.1.1.2 instead of 192.168.10.11.
```ini
# console
[Interface]
PrivateKey = 2ACJCZV7Zg4fxCHTxfbmAggX/x06Nt05CC6gJvcrokI=
Address = 10.10.10.2/32
DNS = 192.168.10.11
[Peer]
PublicKey = jqDJKe8pZSK8GXwBnrjBJiflYvJDB7GfgogLsSSdnA4=
PresharedKey = OCx3mohOp2Uipxda7ZJs+78Mjh3Lbf0UfvGZB4SULk4=
Endpoint = ilnmors.com:11290
AllowedIPs = 192.168.0.0/16
PersistentKeepalive = 25
# phone
[Interface]
PrivateKey = oIhpQn7yTEU3wH+eOVJuzcgo4t05MBqv+OmD1KC/Z38=
Address = 10.10.10.3/32
DNS = 192.168.10.11
[Peer]
PublicKey = jqDJKe8pZSK8GXwBnrjBJiflYvJDB7GfgogLsSSdnA4=
PresharedKey = pqA5OtJy7lZHD+PzzqVEYa/iMHOOCNagAzCfTLoaDmw=
Endpoint = ilnmors.com:11290
AllowedIPs = 192.168.0.0/16
PersistentKeepalive = 25
# spare
[Interface]
PrivateKey = EIHZRuI5IDG3h8mC3ez4I1duYuVbe5UwgWnVxbg9uFk=
Address = 10.10.10.4/32
DNS = 192.168.10.11
[Peer]
PublicKey = jqDJKe8pZSK8GXwBnrjBJiflYvJDB7GfgogLsSSdnA4=
PresharedKey = Xuf/G0HJ2S/zO0C4zUjjW2rD1b51yUYNhZaByEgfM6I=
Endpoint = ilnmors.com:11290
AllowedIPs = 192.168.0.0/16
PersistentKeepalive = 25
```
- `Apply`
### Interface assignment
- Interface:Assignments
- vlan0.1.10 - VLAN10 - `Add`
- wg0 - WG_SERVER - `Add`
- wg1 - WG_USER - `Add`
- `Save`
### Assigned interface setting
- Interface:WAN
- \[\*\] Enable
- \[\*\] Block private
- \[\*\] Block bogon
- \[\*\] IPv4 DHCP
- `Save`
- Interface:LAN
- \[\*\] Enable
- IPv4 Static (IPv6 Configuration Type: None)
- 192.168.1.1/24
- `Save`
- Interface:VLAN10
- \[\*\] Enable
- IPv4 Static
- 192.168.10.1/24
- Interface:WG_SERVER
- \[\*\] Enable
- `Save`
- Interface:WG_USER
- \[\*\] Enable
- `Save`
- `Apply change`
### Web UI itself settings
- System:Settings:Administration
- Web GUI
- Listen Interfaces: LAN, VLAN10
- `Save`
- Firewall:Settings:Advanced
- \[\*\] Disable anti-lockout
- `Save`
## Aliases and group configuration
### Aliases setting
- Firewall:Aliases - \[+\]
| Name | Type | Content | Description |
| :------------: | :-----: | :----------------------------------------------------------------------------------------------------: | :-----------------------------: |
| ports_vpn | port(s) | 11290,11291 | ports udp vpn |
| ports_web | port(s) | 80,443 | ports tcp web |
| ports_dhcp4 | port(s) | 67,68 | ports udp dhcp4 |
| ports_dns | port(s) | 53,443 | ports tcp/udp dns including DoH |
| ports_crowdsec | port(s) | 8080 | ports tcp crowdsec |
| hosts_console | host(s) | 192.168.1.11,10.10.10.2,10.10.10.3,10.10.10.4 | hosts console |
| hosts_server | host(s) | 192.168.10.10,192.168.10.11,192.168.10.12,192.168.10.13,192.168.10.14,10.10.10.2,10.10.10.3,10.10.10.4 | hosts servers |
| hosts_net | host(s) | 192.168.10.11 | hosts net |
| hosts_auth | host(s) | 192.168.10.12 | hosts auth |
- `Apply`
### Group setting
- Firewall:Groups - \[+\]
| Name | Members | Description |
| :----: | :---------------: | :----------: |
| SERVER | VLAN10, WG_SERVER | Server group |
| USER | LAN, WG_USER | User group |
- `Apply`

79
docs/archives/2025-12/05_firewall/05_04_opnsense_rules.md Normal file
View File

@@ -0,0 +1,79 @@
Tags: #os, #firewall, #configuration, #network, #security
## OPNsense rules
### NAT
- Firewall:NAT:Outbound
- Mode: Automatic outbound NAT rule generation (no manual rules can be used)
- Firewall:NAT:Port Forward - \[+\]
| Interface | TCP/IP version | Proto | Destination | Destination port | Redirect target IP | Redirect target port | Description |
| :-------: | :------------: | :---: | :---------: | :--------------: | :----------------: | :------------------: | :-----------------------------------------------: |
| WAN | IPv4 | TCP | WAN address | ports_web | hosts_auth | ports_web | allow wan clients to access web services from WAN |
> Set after building main reverse proxy, all web packets from WAN are going to the reverse proxy.
> Filter rule association's `Add associated filter rule` option will automatically generate the `Pass` rule on WAN interface for Port Forwarding rule.
### Firewall rules
OPNsense has prioirty in order to rule's squence. The upper rule is prior than below one. Moreover, when `Quick` option is enabled, OPNsense doesn't check the rule below. It means OPNsense just applies the rule what it is first matched (First match). Reversely, when `Quick` option is disabled, OPNsense checks all rules to apply the packet (Last match).
#### WAN interface
- Firewall:Rules:WAN - \[+\]
| Action | Quick | Interface | Direction | TCP/IP version | Proto | Source | Destination | Destination port | Description |
| :----: | :---: | :-------: | :-------: | :------------: | :---: | :----: | :---------: | :--------------: | :------------------------------------------------------------------------: |
| Pass | * | WAN | IN | IPv4 | UDP | * | WAN address | ports_vpn | allow vpn clients from WAN |
| Pass | * | WAN | IN | IPv4 | TCP | * | WAN address | ports_web | allow wan clients to access web services from WAN(Automatically generated) |
- `Apply changes`
#### SERVER interface
- Firewall:Rules:SERVER - \[+\]
| Action | Quick | Interface | Direction | TCP/IP version | Proto | Srouce | Destination | Destination port | Description |
| :----: | :---: | :-------: | :-------: | :------------: | :---: | :-----------: | :-----------: | :--------------: | :--------------------------------------------------------------------: |
| Pass | * | SERVER | IN | IPv4 | UDP | * | * | ports_dhcpv4 | allow server clients to access DHCPv4 server from SERVER net |
| Pass | * | SERVER | IN | IPv4 | ICMP | SERVER net | This Firewall | - | allow server clients to access This Firewall with ICMP from SERVER net |
| Block | * | SERVER | IN | IPv4 | * | !hosts_server | * | * | block undesignated server clients to access any from SERVER net |
| Pass | * | SERVER | IN | IPv4 | UDP | SERVER net | This Firewall | NTP | allow server clients to access NTP from SERVER net |
| Pass | * | SERVER | IN | IPv4 | TCP | SERVER net | This Firewall | ports_crowdsec | allow server clients to access CrowdSec LAPI from SERVER net |
| Pass | * | SERVER | IN | IPv4 | TCP | hosts_console | This Firewall | ports_web | allow console to access This Firewall web GUI from SERVER net |
| Pass | * | SERVER | IN | IPv4 | * | hosts_console | USER net | * | allow console to access USER net from SERVER net |
| Block | * | SERVER | IN | IPv4 | TCP | SERVER net | This Firewall | * | block server clients to access This Firewall from SERVER net |
| Block | * | SERVER | IN | IPv4 | * | SERVER net | USER net | * | block server clients to access USER net from SERVER net |
| Pass | - | SERVER | IN | IPv4 | * | SERVER net | * | * | allow server clients to access WAN from SERVER net |
- `Apply changes`
> When you add the new server client, you must edit alias `hosts_server`
#### USER interface
- Firewall:Rules:USER - \[+\]
| Action | Quick | Interface | Direction | TCP/IP version | Proto | Srouce | Destination | Destination port | Description |
| :----: | :---: | :-------: | :-------: | :------------: | :-----: | :-----------: | :-----------: | :--------------: | :----------------------------------------------------------------: |
| Pass | * | USER | IN | IPv4 | UDP | * | * | ports_dhcpv4 | allow user clients to access DHCPv4 server from USER net |
| Pass | * | USER | IN | IPv4 | ICMP | USER net | This Firewall | - | allow user clients to access This Firewall with ICMP from USER net |
| Pass | * | USER | IN | IPv4 | TCP/UDP | USER net | hosts_net | ports_dns | allow user clients to access DNS server from USER net |
| Pass | * | USER | IN | IPv4 | TCP | USER net | hosts_auth | ports_web | allow user clients to access reverse proxy from USER net |
| Pass | * | USER | IN | IPv4 | TCP | hosts_console | This Firewall | ports_web | allow console to access This Firewall web GUI from USER net |
| Pass | * | USER | IN | IPv4 | * | hosts_console | SERVER net | * | allow console to access SERVER net from USER net |
| Block | * | USER | IN | IPv4 | * | USER net | This Firewall | * | block user clients to access This Firewall from USER net |
| Block | * | USER | IN | IPv4 | * | USER net | SERVER net | * | block user clients to access SERVER net from USER net |
| Pass | - | USER | IN | IPv4 | * | USER net | * | * | allow user clients to access WAN from USER net |
- `Apply changes`
#### LAN interface
OPNsense automatically generates all pass rules on LAN interface. The USER group will be used instead of LAN interface, all rules will be disabled after USER interface rules set.
- Firewall:Rules:LAN
- Disable all auto generated rules
- `Apply changes`

69
docs/archives/2025-12/05_firewall/05_05_opnsense_suricata.md Normal file
View File

@@ -0,0 +1,69 @@
sTags: #os, #firewall, #configuration, #network, #security
## Suricata
Suricata is IPS(Intrusion Prevent System)/IDS(Intrusion Detection System) to supersede snort in 2010 from OISF for NSM(Network Security Monitoring). This program supports multi-thread and check the packet and even the programs (such as exe or shell script) in it based on rules. When the suricata find the packet matched with rule it has, it decides `pass; with alert`, `block` the packet.
### General setting in OPNsense
#### Enable Suricata
- Services:Intrusion Detection:Administration - Settings
- \[\*\] Enabled
- \[\*\] IPS mode
- \[\*\] Promiscuous mode (Scan all traffic even L2 traffics)
- Interfaces: Select ALL
- Pattern matcher: Hyperscan (Intel's opensource regex matching library)
#### Rule set download and update
- Services:Intrusion Detection:Administration - Download
- Select the rule set below
- ET open/botcc: List of bot net C&C server
- ET open/compromised: List of known zombie PC
- ET open/drop: List of certain malicious traffic
- ET open/dshield: List of current activated malicious IP
- ET open/emerging-attack_response: List of response after attack success
- ET open/emerging-coinminer: List of coinminer malicious code
- ET open/emerging-current_event: List of latest attack pattern
- ET open/emerging-dns: List of malicious DNS query
- ET open/emerging-exploit: List of attack towards software vulnerability
- ET open/emerging-exploit_kit: List of automatic hacking tool
- ET open/emerging-ja3: List of malicious programs'(tools, or browsers) finger print
- ET open/emerging-malware: List of malware C&C server
- ET open/emerging-mobile_malware: List of mobile malware C&C server
- ET open/emerging-phishing: List of communication regard phishing
- ET open/emerging-policy: List of non-standard or malicious TLS version or http traffics
- ET open/emerging-scan: List of port scan or network scan traffic
- ET open/emerging-shellcode: List of malicious attack shell script
- ET open/emerging-sql: List of sql injection traffic
- ET open/emerging-user_agent: List of malicious bot user-agent
- ET open/emerging-web_client: List of attack towards web browser
- ET open/emerging-web_server: List of attack towards web server
- ET open/emerging-web_specific_apps: List of attack towards specific web application(like word press)
- ET open/emerging-CS_c2: List of Cobalt Strike hacking tool
- `Enable selected`
- `Download & Update Rules`
> When you want to delete rule set, then select target rule and click `Disable selected` and `Download & Update Rules`
- Services:Intrusion Detection:Schedule
- \[\*\] Enable update
#### Policy of rule set
Suricata rule set in OPNsense has basically `Alert` policy. Therefore, it is necessary to set rules as `Drop` manually. Except `ET open/emerging-ja3` and `ET open/emerging-policy`, it is good for security to drop all rule set. The reason why `ja3` and `policy` remain as `Alert` is they are not extremely dangerous, and they could drop normal packets frequently.
- Services:Intrusion Detection:Policy - Policies - \[+\]
- Ruleset: All ruleset except `ja3` and `policy`
- Action: Alert, Drop
- New action: Drop
- `Save`
- `Apply`
### Check the log
- Services:Intrusion Detection:Administration - Alerts
If suricata made the wrong action like block the normal packets or pass malicious packet, you can tune the ruleset. At the Alerts section, next to log there's Info column. When you click the pencil icon on info column, then you can change that rule's action in specific environment; source IP. It is a suppress.

133
docs/archives/2025-12/05_firewall/05_06_opnsense_acme.md Normal file
View File

@@ -0,0 +1,133 @@
Tags: #os, #firewall, #configuration, #network, #security
## ACME client in OPNsense
ACME client needs private CA(Step-CA) and BIND to issue private certificates for TLS.
### Plugin package
- os-acme-client
### DNS records
- Add new domain in BIND, Following [here](../06_network/06_03_net_bind.md).
- net server
- file: ~/data/containers/bind/lib/db.ilnmors.internal
```text
...
opnsense IN A 192.168.10.1
...
```
### Trust setting (CA)
- Add root CA's crt
- System:Settings:Trust:Authorities - \[+\]
- Method: Import an existing Certificate Authority
- Description: step-ca.ilnmors.internal
- Certificate Data: Content of root_ca.crt of Step-CA
- `Save`
### ACME Client setting
#### ACME account and server setting
- Services:ACME Client:Settings
- \[\*\] Enable Plugin
- \[\*\] Auto Renewal
- `Apply`
- Services:ACME Client:Accounts - \[+\]
- Name: acme.ilnmors.internal
> It is only referred to OPNsense itself. It is not the provisioner name. It doesn't support special characters such as `@` or `!`.
- Description: acme
- Custom CA URL: https://step-ca.ilnmors.internal:9000/acme/acme@ilnmors.internal/directory
> `[CA_URL]:[port]/acme/[provisioner_name]/directory`
- `Save`
- `Register account` and check Status column `OK (registered)`
#### ACME challenge
There is private authoritative DNS server in this homelab, therefore DNS-01 challenge will be used.
- Services:ACME Client:Challenge Types - \[+\]
- Name: ilnmors.internal-dns-01-challenge
- Description: step-ca.ilnmors.internal dns-01 challenge
- Challenge Type: DNS-01
- DNS service: nsupdate (RFC 2136)
- DNS Sleep Time: 10
> If this option weren't set, ACME client send query towards public DNS. It is necessary to set this option to use private authoritative DNS server. After set value(second) ACME client send the query towards private authoritative DNS.
- Server (FQDN): bind.ilnmors.internal 2253
> DNS server domain and port. It uses \[space\] as separator.
- Secret Key:
```text
key "acme-key" {
algorithm hmac-sha256;
secret "secret value";
};
```
> About key, following [here](../06_network/06_03_net_bind.md)
- Zone: ilnmors.internal
#### Certificates
- Services:ACME Client:Certificates - \[+\]
- Common name: opnsense.ilnmors.internal
- Description: opnsense
- Alt Names: crowdsec.ilnmors.internal
- ACME account: acme.ilnmors.internal
- Challenge Type: ilnmors.internal-dns-01-challenge
- \[\*\] Auto Renewal
- `Save`
- Click `Issue or renew certificate` and check Last ACME status `OK`
#### Automations
##### Web UI restart automation configuration
- Services:ACME Client:Automations - \[\+\]
- Name: opnsense-auto-restart-web-ui
- Description: restart opnsense web ui
- Run Command: Restart OPNsense web UI
> Web UI account `opnsense` doesn't use `sh`, it makes hard ACME client run the command via sh. Just use crontab to reload the crowdsec service everyday in `/usr/local/etc/cron.d/crowdsec`.
##### Example of remote automations
OPNsense's ACME client can upload certificates to other server or run specific command when the certificates is issued or renewed. Here is the example to upload the certificate towards other server via sftp.
- Services:ACME Client:Automations - \[+\]
- Name: test_acme
- Description: certificate upload test
- Run Command: Upload certificate via SFTP
- SFTP Host: net.ilnmors.internal
- Host Key: \[blank\]
> When it is not set, it automatically registers host key in `known_hosts`.
- Username: net
- Identity Type: ed25519
- Remote Path: /home/net/certificate_test
- `Show Identity` and copy the key value
```text
ssh-ed25519 [key_value] root@opnsense.ilnmors.internal
```
- Add this key on target server's ~/.ssh/authorized_keys
- `Test Connection`
- `Save`
- Services:ACME Client:Certificates - \[Edit Certificates\]
- Automations: test_acme
### OPNsense Web UI certificate setting
- System:Settings:Administration
- SSL certificate: opnsense.ilnmors.internal (ACME Client)
### Crowdsec TLS setting
Following [here](../03_common/03_04_crowdsec.md)

40
docs/archives/2025-12/05_firewall/05_07_opnsense_kea.md Normal file
View File

@@ -0,0 +1,40 @@
Tags: #os, #firewall, #configuration, #network
## Kea DHCP in OPNsense
Kea DHCP is the next generation DHCP server of ISC(Internet Systems Consortium) to supersede ISC DHCP. Kea has more flexibility in configuration, and higher performance, and modern API than ISC DHCP. OPNsense also select Kea as the future DHCP server than ISC DHCP. Basically, Kea supports container(Docker or podman) but it doesn't use docker.io repository but cloudsmith.io repository. Moreover, Kea DHCP is separated into 3 module kea ddns, kea dhcp 4, kea dhcp 6 as containers. This fact makes network environment (especially when the rootless podman network and DHCP relay are considered.) complex. Therefore, even though Kea in OPNsense doesn't support DDNS module, in this home lab Kea DHCP will be located in OPNsense.
### Kea DHCP setting
- Services:Kea DHCP:Kea DHCPv4 - Settings
- \[\*\] Enabled
- Interfaces: LAN, VLAN10
- \[ \] Firewall rules (Manually created)
- Services:Kea DHCP:Kea DHCPv4 - Subnets - \[+\]
- \[ \] Match client-id (To match based on MAC)
- \[ \] Auto collect option data (To designate optional data manually)
| Subnet | Description | Pool | Routers(gateway) | DNS | Domain name |
| :-------------: | :---------: | :---------------------------: | :--------------: | :-----------: | :--------------: |
| 192.168.1.0/24 | LAN | 192.168.1.100-192.168.1.254 | 192.168.1.1 | 192.168.10.11 | ilnmors.internal |
| 192.168.10.0/24 | VLAN10 | 192.168.10.254-192.168.10.254 | 192.168.10.1 | 192.168.10.11 | ilnmors.internal |
> Before building net server (Private DNS), use 1.1.1.2 instead of 192.168.10.11.
> The reason why VLAN10's pool has only 192.168.1.254 is VLAN10 allows only reservation IP.
- Services:Kea DHCP:KeaDHCPv4 - Reservation
- Delete all rows.
- Import csv file: kea_dhcp_v4_reservation.csv
```csv
ip_address,hw_address,hostname,description,option_data,
192.168.1.11,D8:E2:DF:FF:1B:D5,surface,console eth,
192.168.1.30,38:CA:84:94:5E:06,printer,printer,
192.168.10.12,0A:49:6E:4D:02:00,auth,auth,
192.168.10.13,0A:49:6E:4D:03:00,dev,dev,
192.168.10.14,0A:49:6E:4D:04:00,app,app,
```
- `Apply`
> vmm(Hypervisor), opnsense(firewall), net(Net server which has DNS in it) should use static IP instead of DHCP reservation. Because these servers are fundamental servers for building network and DHCP. It is very stable for DNS, hypervisor, firewall themselves to use static IP.