this post was submitted on 12 Jul 2026
22 points (95.8% liked)

networking

3595 readers
1 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 3 years ago
MODERATORS
 

Hey y'all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven't seen how to do it correctly

you are viewing a single comment's thread
view the rest of the comments
[–] Jean_le_Flambeur@discuss.tchncs.de 1 points 6 days ago (1 children)

Thanks for you thoughts! It will take a while to go through the tools, but having a list really helps.

For the auth, you are suggesting that clients on the same subnet should always have the same permissions?

Usecase would be: We have a WiFi for family A, mother shall get access to the media server on a different subnet, tech savy son should not get acces to it. We have client isolation, but that would not stop the son from "stealing" the IP address his mom uses by spoofing their Mac address. I dont see how client isolation would help here, but I would need some kind of auth approach.

Sure putting them on different subnets would be an elegant solution, but I can only host 4 wifis from my ap and have more than 4 "permission groups"

[–] moonpiedumplings@programming.dev 1 points 5 days ago* (last edited 5 days ago)

We have client isolation, but that would not stop the son from “stealing” the IP address his mom uses by spoofing their Mac address. I dont see how client isolation would help here, but I would need some kind of auth approach.

You can have more than one SSID/Wifi Network, each with their own auth, VLAN, and ofc, access to the network.

Although, the approach I would prefer is to just auth the media server itself.

Sure putting them on different subnets would be an elegant solution, but I can only host 4 wifis from my ap and have more than 4 “permission groups”

Ah. Yeah. Then you have to auth the media server itself.

Although, another approach you can do is have people VPN in (even if already local) and the VPN puts them on different subnets.

Or another approach is to use WPA enterprise, where clients have to use a username and a password to connect to the wifi. With each client having a unique identity, you can then control access or assign them to subnets. But your hardware/software has to support that, and you would also need an LDAP/Radius setup probably, it's the most complicated bundle.

So I guess the above 3 options are listed in order of simple to complex.