%
% Firewall-opnsense.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Issued by Oleksandr Papevis
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Hardware Overview}
\begin{itemize}
\item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/}
\\ \url{https://wiki.opnsense.org/index.html}
\item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm}
\end{itemize}
The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O.
That means that the ports normally found at the rear, as well as the
I/O expansion ports, are located along the front side of the rack. In
many cases this is a desirable configuration, as it can make cabling
very simple.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T Front}
\label{fig:supermicroSSfront}
\end{figure}
The rear of the unit has a redundant 400W power supply. Rated 80 Plus
Platinum, the power supplies are efficient as well. The remainder of
the rear is simply a bezel for the fans.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-rear.png}
\caption{Supermicro SuperServer 1018D-FRN8T Rear}
\label{fig:supermicroSSrear}
\end{figure}
The onboard I/O is plentiful. There are two USB 3.0 ports along with
a VGA port for \gls{kvm} carts. Above the USB ports there is an RJ-45
Ethernet port for out-of-band management that can be connected
directly to a dedicated management network.
%-------------------
Furthermore, there are six 1GbE ports connected to two Intel i210-AT
controllers and an Intel i350-AM4 controller. The two SFP+ ports are
controlled by the Xeon D's Intel X552 NIC. For \glspl{firewall} and
other appliances, this is a very strong configuration.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/iris-fw1100-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T interfaces}
\label{fig:supermicroSSinterfaces}
\end{figure}
Inside the system we see a redundant set of fans near the PSU bezel
and a very small motherboard. One can also see our two stacks of
Seagate Enterprise Capacity V3 1TB 7200rpm drives. We removed the
PCIe riser and the airflow shroud for this picture to show the
internals better.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-noshroud.png}
\caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud}
\label{fig:supermicroSSnoshroud}
\end{figure}
\subsection{Remote Management}
%(11:43:34 PM) forksand@jabb.im: I'm doing the install a bit different.
%After doing the opnsense installer and booting up, i *only* set up the
%firewall WAN interface statically. This allows you to admin from the WAN
%interface. If you configure a LAN, it firewalls out the WAN from remote.
%So to get started, I have to just to the WAN, then write a rule that
%allows WAN remote access.
Supermicro's \gls{ipmi} and \gls{kvm}-over-IP enable deployment
flexibility:
\begin{itemize}
\item Fan speeds, chassis intrusion sensors, thermal sensors, etc.\ can
be monitored remotely.
\item Remote power control. One can do remote power up, power down,
and reset of the server in the event that it becomes unresponsive.
\item Alerts can be set up to notify the admins of issues.
\item CD images and floppy images can be mounted remotely on the
machine over the dedicated management Ethernet controller. This keeps
maintenance traffic off of the primary Intel NICs. At the same time it
removes the need for an optical drive to be connected to the
Supermicro motherboard.
\end{itemize}
Supermicro's BIOS has a useful feature: the BMC IP address shows up on
the POST screen. If you have a \gls{kvm} cart hooked up to the system,
this tells you which machine you are connected to during POST.
Supermicro does include \gls{kvm}-over-IP functionality with the
motherboard, with the following caveats:
\begin{itemize}
\item The default \gls{ipmi} connection is cleartext HTTP.
\item The SSL certificate for the Supermicro \gls{ipmi} is bad (like all of them).
\item The password on the \gls{ipmi} can't be changed.
%\item Root password for server and \gls{ipmi} is sent via email.
%\item There is an attack window between their machine imaging and first login.
%\item Customer should control timing of first power on.
%\item System is also possibly vuln during the ISP's initial power up and commissioning period.
%\item First reboot, the system hung (.png XXX).
%\item Hard reset, lots of DHCP queries at boot.
%\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}!
%\item They block NTP to prevent \gls{ddos}, so you have to use their time server
% \texttt{time.sharktech.net}
\end{itemize}
Because of these caveats, the management port belongs only on the
dedicated management network mentioned above, never on a network that
is reachable from the WAN.
\subsection{Supermicro Setup over IPMI BIOS}
{{\grenewcommand{\currentColor}{secondary-brown}}}
{{\grenewcommand{\currentTextColor}{ao-black}}}
\providecommand{\sharkIPConfigItem}[4]{}
\renewcommand{\sharkIPConfigItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
}
\providecommand{\sharkIPConfigLastItem}[4]{}
\renewcommand{\sharkIPConfigLastItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-1.0em]{0pt}{1em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[2pt]{1-2}
}
\providecommand{\SIPCCwidth}{3.5cm}
\renewcommand{\SIPCCwidth}{5cm}
Before the \gls{ipmi} initialization, choose the PXE
(Preboot eXecution Environment) entry in Boot Agent GE.
In the Aptio Setup Utility set the following Boot Features:
\begin{table}[!htb]
\caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{}
\sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[On\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{}
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\begin{table}[!htb]
\caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Power Configuration }{}{}{}
\sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{}
\sharkIPConfigLastItem{ Restore on AC Power Loss}{ \char`[Power On\char`] }{}{}
\multicolumn{2}{|[2pt]c|[2pt]}{
\rule[-0.7em]{0pt}{2em} \vspace{-1pt}
\cellcolor{\currentColor} Set system Date/Time}\\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{}
\sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{}
\multicolumn{2}{|[2pt]c|[2pt]}{
\rule[-0.7em]{0pt}{2em} \vspace{-1pt}
\cellcolor{\currentColor} Let default option 5 execute}\\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Adapter }{LSI2116-IT}{}{}
\sharkIPConfigItem { PCI Slot }{0B}{}{}
\sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{}
\sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{}
\sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{}
\sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{}
\sharkIPConfigItem { Status }{Disabled}{}{}
\sharkIPConfigItem { Boot Order}{0}{}{}
\sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-init.png}
\caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization}
\label{fig:supermicroSSCIpmiInit}
\end{figure}
\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}}
\begin{picture}(0,0)\put(-10000,0){
\gls{ipmi}
}\end{picture}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot1.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu}
\label{fig:supermicroSSCIpmiBoot1}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot2.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader}
\label{fig:supermicroSSCIpmiBoot2}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-opnsense-boot1.png}
\caption{Supermicro SuperServer OPNsense Boot variant}
\label{fig:supermicroSSCIpmiOpnsenseBoot1}
\end{figure}
\newpage
\subsection{Configure with OPNsense Dashboard}
{{\grenewcommand{\currentColor}{primary-blue}}}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash1.png}
\caption{Supermicro SuperServer OPNsense Dashboard}
\label{fig:supermicroSSCIpmiOpnsenseDash1}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard General Information}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Hostname }{sf-fw1}{}{}
\sharkIPConfigItem { Domain }{forksand.com}{}{}
\sharkIPConfigItem { Language }{English}{}{}
\sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{}
\sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{}
\sharkIPConfigItem { Override DNS }{unchecked}{}{}
\sharkIPConfigItem { Enable Resolver}{checked}{}{}
\sharkIPConfigLastItem{ Others }{leave unchecked}{}{}
\end{tabu}
\end{table}
\begin{itemize}
\item Set server time information
\item Configure WAN interface: DHCP, subnet mask /32, the Block \ldots\ flags checked, others empty
\item Configure WAN interface: change IP 192.168.1.1 to 192.168.110.21, subnet mask /24
\item Set Web GUI password
\item Reload to apply changes
\item Initial configuration is finished; click ``Continue to the dashboard''
\item The Configure Console prompt appears, refer to table
\ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. \pageref{tab:supermicroSSCIpmiOpnsenseDash2}
\item Set root password and reboot
\item Re-enter the Aptio Setup Utility Boot tab
\item Switch Legacy Boot Order \char`#1 to \char`[Hard Disk: SATADOM-...\char`]
\item Start the boot
\item OPNsense: let default option 5 execute
\end{itemize}
{{\grenewcommand{\currentColor}{secondary-brown}}}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash2.png}
\caption{Supermicro SuperServer OPNsense Dashboard Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash2}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw OPNsense Console Installer} \label{tab:supermicroSSCIpmiOpnsenseDash2}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Configure Console }{Accept these Settings}{}{}
\sharkIPConfigItem { Select task }{Guided installation}{}{}
\sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{}
\sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{}
\sharkIPConfigItem { Swap Partition }{yes}{}{}
\sharkIPConfigLastItem{ Enable Resolver}{checked}{}{}
\end{tabu}
\end{table}
{{\grenewcommand{\currentColor}{primary-blue}}}
\subsection{Update OPNsense Firmware using Dashboard}
\begin{itemize}
\item Enter the OPNsense dashboard and make a backup: System -\char`> Configuration -\char`> Backups, save the XML
\item Execute the firmware update, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash3}
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash3-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware}
\label{fig:supermicroSSCIpmiOpnsenseDash3}
\end{figure}
\begin{itemize}
\item Wait until the update has finished, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4}
\item Switch to the Settings tab, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5}
\end{itemize}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash4-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash4}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash5-fw.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings}
\label{fig:supermicroSSCIpmiOpnsenseDash5}
\end{figure}
\begin{itemize}
\item Set Mirror to LeaseWeb (San Francisco, US)
\item Set Flavour to LibreSSL
\item Set Release Type to Production
\item Click Save and return to the Updates tab.
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash6-fw-updates.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates}
\label{fig:supermicroSSCIpmiOpnsenseDash6}
\end{figure}
\begin{itemize}
\item Click Update now.
\item Wait until the update is completed.
\item Restore configs from XML, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash8}
\end{itemize}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash7-fw-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing}
\label{fig:supermicroSSCIpmiOpnsenseDash7}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash8-fw-backupandreboot.png}
\caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup}
\label{fig:supermicroSSCIpmiOpnsenseDash8}
\end{figure}
\begin{itemize}
\item Upload the config and restore
\item Add a user, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9}
using the parameters from table
\ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. \pageref{tab:supermicroSSCIpmiOpnsenseAddUser}
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash9-user.png}
\caption{Supermicro SuperServer OPNsense Dashboard Add User}
\label{fig:supermicroSSCIpmiOpnsenseDash9}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Username }{jebba}{}{}
\sharkIPConfigItem { Disabled }{unchecked}{}{}
\sharkIPConfigItem { Full name }{Jeff Moe}{}{}
\sharkIPConfigItem { E-mail }{moe@forksand.com}{}{}
\sharkIPConfigItem { Comment }{}{}{}
\sharkIPConfigItem { Expiration date }{}{}{}
\sharkIPConfigLastItem{ Group Memberships }{Member of admins}{}{}
\sharkIPConfigItem { Certificate }{unchecked}{}{}
\sharkIPConfigLastItem{ OTP seed }{}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash10-dhcpv4.png}
\caption{Supermicro SuperServer OPNsense Dashboard DHCPv4}
\label{fig:supermicroSSCIpmiOpnsenseDash10}
\end{figure}
\begin{itemize}
\item Disable DHCPv4
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{unchecked}{}{}
\sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
\sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
\sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
\sharkIPConfigItem { Range }{192.168.110.10 - 192.168.110.245}{}{}
\sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation}
\label{fig:supermicroSSCIpmiOpnsenseDash11}
\end{figure}
\begin{itemize}
\item Make sure the os-dyndns plugin is installed
\item Install os-acme-client
\end{itemize}
%\begin{table}[!htb]
% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins}
% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
% \tabucline[2pt]{1-2}
% \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
% \tabucline[2pt]{1-2}
% \sharkIPConfigItem { Enable }{unchecked}{}{}
% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{}
% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
% \end{tabu}
%\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash12-lea.png}
\caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account}
\label{fig:supermicroSSCIpmiOpnsenseDash12}
\end{figure}
\begin{itemize}
\item Add Let's Encrypt account
\item Modify global Let's Encrypt settings
\item Apply Let's Encrypt settings
\item Refer to Certificates menu
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{}
\sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{}
\sharkIPConfigItem { Enable Plugin }{checked}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{}
\sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{}
\end{tabu}
\end{table}
\newpage
%\begin{figure}[!htb]
% \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
% {sf-fw/ssc-opns-dash13-cert.png}
% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate}
% \label{fig:supermicroSSCIpmiOpnsenseDash12}
%\end{figure}
\begin{itemize}
\item Add Validation Method
\item Add Certificate
\item Apply ``Issue/Renew Certificates Now''
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt validation} \label{tab:supermicroSSCIpmiOpnsenseLeaValid}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Validation Method }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1-http}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1 http validation}{}{}
\sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{}
\sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{}
\sharkIPConfigItem { IP Auto-Discovery }{checked}{}{}
\sharkIPConfigItem { Interface }{WAN}{}{}
\sharkIPConfigLastItem{ IP Addresses }{}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Certificate }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{}
\sharkIPConfigItem { Alt Names }{}{}{}
\sharkIPConfigItem { LE Account }{sf-fw1}{}{}
\sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{}
\sharkIPConfigItem { Restart Actions }{}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigLastItem{ Renewal Interval }{60}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Interfaces -\char`> Lan }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Lock }{checked}{}{}
\sharkIPConfigItem { Description }{LAN}{}{}
\sharkIPConfigItem { IPv4 Configuration Type }{Static IPv4}{}{}
\sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{}
\end{tabu}
\end{table}
\begin{itemize}
\item Refer to System -\char`> Gateways -\char`> Single -\char`> WAN\char`_DHCP6
\item Set the Disabled flag to checked
\item Press Apply changes
\item Modify the LAN and WAN interfaces, disable IPv6 on both
\item Modify \Gls{firewall} Rules, disable IPv6
\item Add a new rule to \Gls{firewall} Rules WAN
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard \Gls{firewall} Rules} \label{tab:supermicroSSCIpmiOpnsenseLeaRules}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Interfaces -\char`> WAN }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Lock }{checked}{}{}
\sharkIPConfigItem { Description }{WAN}{}{}
\sharkIPConfigItem { IPv4 Configuration Type }{DHCP}{}{}
\sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { \Gls{firewall} -\char`> Settings -\char`> Advanced }{}{}{}
\sharkIPConfigLastItem{ Allow IPv6 }{unchecked}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { \Gls{firewall} -\char`> Rules -\char`> WAN }{}{}{}
\sharkIPConfigItem { Action }{Pass}{}{}
\sharkIPConfigItem { Disabled }{unchecked}{}{}
\sharkIPConfigItem { Interface }{WAN}{}{}
\sharkIPConfigItem { TCP/IP Version }{IPv4}{}{}
\sharkIPConfigItem { Protocol }{TCP}{}{}
\sharkIPConfigItem { Source/Invert }{unchecked}{}{}
\sharkIPConfigItem { Source }{any}{}{}
\sharkIPConfigItem { Destination/Invert }{unchecked}{}{}
\sharkIPConfigItem { Destination }{This \Gls{firewall}}{}{}
\sharkIPConfigItem { Destination port range }{https to https}{}{}
\sharkIPConfigItem { Log }{unchecked}{}{}
\sharkIPConfigItem { Category }{}{}{}
\sharkIPConfigItem { Description }{Enable https to \Gls{firewall}}{}{}
\sharkIPConfigItem { Source OS }{Any}{}{}
\sharkIPConfigItem { No XMLRPC Sync }{unchecked}{}{}
\sharkIPConfigItem { Schedule }{none}{}{}
\sharkIPConfigLastItem{ Gateway }{default}{}{}
\end{tabu}
\end{table}
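As an added example (not part of this manual and not OPNsense's own code), the following Python script audits an exported config.xml backup, the file produced by the backup step above, against the settings documented in the tables: the WAN pass rule admits only TCP/443 to the firewall itself, DHCPv4 is disabled, and the IPv6 configuration type is none on both interfaces. The element names and the sample backup are my assumptions about the OPNsense config.xml layout, not taken from the manual.

```python
"""Audit an exported OPNsense config.xml backup against the settings this
manual documents: WAN admin access is only TCP/443 to the firewall itself,
DHCPv4 on LAN is disabled, and neither interface has an IPv6 type.
The element layout follows the OPNsense config.xml structure as I know it;
that layout and SAMPLE_CONFIG are assumptions of this example, not the manual's."""
import xml.etree.ElementTree as ET

# Constructed sample backup: one rule matching the manual, one stray
# "allow everything" rule, and DHCPv4 still enabled on LAN.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>ix0</if><ipaddr>dhcp</ipaddr><ipaddrv6></ipaddrv6></wan>
    <lan><if>igb0</if><ipaddr>192.168.110.21</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd><lan><enable>1</enable>
    <range><from>192.168.110.10</from><to>192.168.110.245</to></range>
  </lan></dhcpd>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any>1</any></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>Enable https to firewall</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any>1</any></source><destination><any>1</any></destination>
      <descr>temporary debug rule</descr>
    </rule>
  </filter>
</opnsense>
"""

def text(elem, path, default=""):
    """Stripped text of the first element at path, or default if absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default

def flag_set(elem, path):
    """OPNsense stores booleans as <tag>1</tag>; absent or empty means off."""
    return text(elem, path) not in ("", "0")

def wan_rule_findings(root):
    """One finding per enabled WAN pass rule that is broader than the
    documented rule: IPv4, TCP, destination this firewall, port https."""
    findings = []
    for rule in root.iterfind("./filter/rule"):
        if text(rule, "interface") != "wan" or text(rule, "type") != "pass":
            continue
        if flag_set(rule, "disabled"):
            continue  # disabled rules do not open anything
        descr = text(rule, "descr") or "<no description>"
        dst = rule.find("destination")
        if dst is None or dst.find("any") is not None:
            findings.append(f"{descr}: destination is any")
            continue
        if text(dst, "network") != "(self)":
            findings.append(f"{descr}: destination is not this firewall")
        if text(dst, "port") != "443":
            findings.append(f"{descr}: port is not https only")
        if text(rule, "protocol", "any") != "tcp":  # no <protocol> means any
            findings.append(f"{descr}: protocol is not TCP")
        if text(rule, "ipprotocol") != "inet":
            findings.append(f"{descr}: not restricted to IPv4")
    return findings

def audit(xml_text):
    """Return the list of deviations from the documented configuration."""
    root = ET.fromstring(xml_text)
    findings = wan_rule_findings(root)
    if flag_set(root, "./dhcpd/lan/enable"):
        findings.append("DHCPv4 is still enabled on LAN")
    # An interface with IPv6 type none has no (or an empty) <ipaddrv6>.
    for iface in root.findall("./interfaces/*"):
        if text(iface, "ipaddrv6") != "":
            findings.append(f"{iface.tag}: IPv6 configuration type is not none")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The documented rule admits TCP/443 from any source; where the addresses administrators connect from are known, restricting Source to them is the obvious tightening, and setting Log on that rule makes GUI access attempts visible in the firewall log.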
\newpage
\section{Alternative Hardware Overview}
Some resellers:
\begin{itemize}
\item \url{https://www.deciso.com/}
\item \url{https://www.pfwhardware.com/}
\item \url{https://www.osnet.eu/}
\end{itemize}
\begin{itemize}
\item (8) 1 gig Ethernet ports:
\begin{itemize}
\item (1) connects to the 100M upstream fiber optic Ethernet
\item (1) connects to the 100M upstream wifi Ethernet
\item the rest serve various LANs
\end{itemize}
\item (Hot swap?) Dual power supplies
\item (Hot swap?) RAID (Linux md), with SSD storage
\item 2.5'' drive bays
\item Total $\sim$8\,GHz CPU
\item $\sim$8--16 gigs RAM? Depends on OS.
\item Two servers total, for standby/failover
\end{itemize}