this post was submitted on 12 Jul 2026
22 points (95.8% liked)

networking

3595 readers
1 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 3 years ago
MODERATORS
 

Hey y'all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven't seen how to do it correctly

top 9 comments
sorted by: hot top controversial new old
[–] helix@feddit.org 8 points 6 days ago (1 children)

Can you please draw a network diagram, e.g. in draw.io (diagrams.net desktop application) and we can tell you what to check where?

You can use nmap to verify if the rules you set actually work.

Try spoofing your IP yourself and see what happens.

You can use RADIUS for client authentication and MACSec to encrypt layer2 data. In my opinion that's overkill for a home network though.

Try to come up with scenarios in which you are hacked and how they'd do it. Then try to actually do it. Implement counter measures and see if it still works or you successfully mitigated that attack vector.

[–] Jean_le_Flambeur@discuss.tchncs.de 2 points 5 days ago (1 children)

I'll try to do a diagram tomorrow. Its a mixed network of multiple families of whom some want to host a server to the internet. That would mean lots of untrusted traffic, so I get more concerned with auth. If I know the Mac address and IP I want to spoof, I can get the permissions of the device I spoofed, as long as I am in the same subnet, which is the case for wifi (ap can only host 4 different ones, I have more than 4 groups of user permissions so I can't separate them all). That's where some auth would come in in my mind.

The problem is, I just learned about how to use the software, I am far from deep enough in it (and IT-knowledge in general) to actually pen test myself, I would have no idea how someone would worm through my network, if he gets rce on the server of one of the other families, so I can't really say if something like this is possible or not.

[–] helix@feddit.org 1 points 5 days ago

I am far from deep enough in it (and IT-knowledge in general) to actually pen test myself

Yes, but once you try to hack yourself you'll research how it works and this will give you knowledge about how to secure a network.

You basically need to purple team yourself. You're both attacker (red team) and defender (blue team).

Try to make a list of attack surfaces and think about (and research) possible attacks. Then you try to execute said attacks.

There's basically no other way to test if something is safe and stable than to try to break it.

[–] ramble81@lemmy.zip 4 points 6 days ago* (last edited 6 days ago)
  • What it is?
  • Where it connects?
  • What can it access?

Those are ultimately what your questions should distill down to. Starting with a network diagram it one of the best ways. Looking at Layers 1-3 will help answer the first two. From there, keep expanding into 4-7 for your firewall rules and NACLs.

[–] moonpiedumplings@programming.dev 3 points 6 days ago (1 children)

Okay I really want to write a longer post to this, but I don't have much time so I'll just jot down my thoughts real fast:

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."

But I did jot down some tools I found interesting: https://moonpiedumplings.github.io/blog/watched-software/#vulnerability-scanning-greenbone

Unfortunately I haven't compared them or found out which is the best yet.

how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

On wifi, client isolation, on ethernet, port isolation and private vlans.

[–] Jean_le_Flambeur@discuss.tchncs.de 1 points 5 days ago (1 children)

Thanks for you thoughts! It will take a while to go through the tools, but having a list really helps.

For the auth, you are suggesting that clients on the same subnet should always have the same permissions?

Usecase would be: We have a WiFi for family A, mother shall get access to the media server on a different subnet, tech savy son should not get acces to it. We have client isolation, but that would not stop the son from "stealing" the IP address his mom uses by spoofing their Mac address. I dont see how client isolation would help here, but I would need some kind of auth approach.

Sure putting them on different subnets would be an elegant solution, but I can only host 4 wifis from my ap and have more than 4 "permission groups"

[–] moonpiedumplings@programming.dev 1 points 5 days ago* (last edited 5 days ago)

We have client isolation, but that would not stop the son from “stealing” the IP address his mom uses by spoofing their Mac address. I dont see how client isolation would help here, but I would need some kind of auth approach.

You can have more than one SSID/Wifi Network, each with their own auth, VLAN, and ofc, access to the network.

Although, the approach I would prefer is to just auth the media server itself.

Sure putting them on different subnets would be an elegant solution, but I can only host 4 wifis from my ap and have more than 4 “permission groups”

Ah. Yeah. Then you have to auth the media server itself.

Although, another approach you can do is have people VPN in (even if already local) and the VPN puts them on different subnets.

Or another approach is to use WPA enterprise, where clients have to use a username and a password to connect to the wifi. With each client having a unique identity, you can then control access or assign them to subnets. But your hardware/software has to support that, and you would also need an LDAP/Radius setup probably, it's the most complicated bundle.

So I guess the above 3 options are listed in order of simple to complex.

[–] frongt@lemmy.zip 1 points 6 days ago (1 children)

Verify your assumptions. If your config should prohibit connections between subnets, try connecting.

For the advanced user, set up a separate device and try hacking in.

[–] Jean_le_Flambeur@discuss.tchncs.de 1 points 5 days ago* (last edited 5 days ago)

Well I did that for the parts I did understand (trying to connect to server on different subnet, trying to get an IP in the space of a different subnet to get access, trying to get internet access on networks that should have none)

I just wonder how to test for things I dont understand. I have no plan on how one would go about exploiting a flaw in my NAT or VPN setup, so I can't test it