OPNsense Forum

English Forums => General Discussion => Topic started by: opojomo on May 12, 2021, 12:22:54 pm

Title: VLAN for central network services
Post by: opojomo on May 12, 2021, 12:22:54 pm
Hello all,

I have had the following idea and would love to hear from you experts what you think of it.

I have an OPNsense and nine VLANs configured. I want all clients in each VLAN to use Unbound DNS configured in OPNsense and also the NTP service provided by OPNsense.

I created a VLAN [2] called NetServices without DHCP. I created a floating rule including every VLAN interface allowing access to VLAN [2]. In every VLAN DHCP configuration I entered the NetServices address to be used as DNS and NTP.

With this setup, Unbound DNS now only listens on the NetServices address, and nslookup of the OPNsense hostname will only return this address. I did not like it when every client on every subnet could see which subnets are configured inside OPNsense (which happens when Unbound DNS listens on every net).

What do you think? What are your practices?

Best regards
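An added check for the design described above (not from the post or from OPNsense): a small Python model of the configuration that flags DHCP scopes which do not point DNS/NTP at the NetServices address, and VLAN subnets that a lookup of the firewall hostname would reveal. VLAN names, subnets and addresses are constructed sample values.

```python
"""Model of the 'central network services VLAN' design for auditing.

Unbound and NTP should be reachable only on the NetServices address,
every other VLAN's DHCP scope should hand out that address, and the
OPNsense hostname should not resolve to addresses in the other VLANs.
All values here are constructed sample data, not a real deployment.
"""
import ipaddress

# Constructed sample: VLAN name -> (subnet, DHCP DNS option, DHCP NTP option).
VLANS = {
    "NetServices": ("10.2.0.0/24", None, None),  # no DHCP here, per the design
    "Users": ("10.10.0.0/24", "10.2.0.1", "10.2.0.1"),
    "IoT": ("10.20.0.0/24", "10.20.0.1", "10.2.0.1"),  # DNS still points at the IoT gateway
}
NETSERVICES_ADDR = "10.2.0.1"


def dhcp_findings(vlans, netservices_addr):
    """Return (vlan, option, value) for scopes not pointing at NetServices."""
    findings = []
    for name, (_subnet, dns, ntp) in vlans.items():
        if dns is None and ntp is None:
            continue  # VLAN without DHCP (the NetServices VLAN itself)
        if dns != netservices_addr:
            findings.append((name, "dns", dns))
        if ntp != netservices_addr:
            findings.append((name, "ntp", ntp))
    return findings


def disclosed_subnets(answers, vlans, netservices_addr):
    """Return VLAN names whose subnet is revealed by a hostname lookup answer.

    If Unbound listened on every interface, resolving the firewall hostname
    would return one address per VLAN and expose the internal layout.
    """
    leaked = set()
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if str(ip) == netservices_addr:
            continue  # the one address clients are meant to see
        for name, (subnet, _dns, _ntp) in vlans.items():
            if ip in ipaddress.ip_network(subnet):
                leaked.add(name)
    return sorted(leaked)


if __name__ == "__main__":
    print(dhcp_findings(VLANS, NETSERVICES_ADDR))
    print(disclosed_subnets(["10.2.0.1", "10.10.0.1"], VLANS, NETSERVICES_ADDR))
```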
Title: Re: VLAN for central network services
Post by: bartjsmit on May 12, 2021, 12:59:04 pm
I start from a security policy that divides my network into classes of users and servers. I then decide which of those can be together and which need to be separate. This is a compromise between ease of use, work required for implementation/maintenance and the ability to respond to threats.

The number of tiers in the network determines the number of IP subnets and the required firewall rules between them. Where these subnets need to share physical network infrastructure, they are assigned VLANs. I then create a sensible numbering scheme and start testing.

It's tempting to start with creating VLANs, but it's worth starting from the general and working down to the specific.

Bart...