Messages - bartjsmit

#1
Quote from: wagman77 on May 17, 2025, 11:13:43 PM
I was not able to connect to windows AD.
There are a whole bunch of records required for clients to find a DC: https://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
In the Microsoft ecosystem this is easy - just have at least one DC/DNS per site. I can appreciate that you may not want to pay for a second Windows Server on your home network.
Also make sure 10.0.100.0/24 is recorded in AD: https://theitbros.com/active-directory-sites-and-subnets/

Bart...
#2
Which type of VPN? Is the MTU the same everywhere? Same behaviour in IPv6 as well? What do the packet traces show?
#3
Generally you would configure an internal authoritative DNS tree with a primary in one site and a secondary in all other sites. https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/

Alternatively, what about running pi-hole on both sides and replicating the settings with nebula? https://technotim.live/posts/pihole-sync-nebula/ Set the internal DNS records in pi-hole under Settings, Local DNS Records.

Both Windows and Proxmox are reasonably well suited to running containers.

Bart...
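A minimal illustration of the primary/secondary layout described above, as an added example that is not part of the original post: a BIND 9 named.conf fragment for a primary in one site and a secondary in a second site. The zone name, file paths, server addresses (10.0.1.53 and 10.0.100.53) and the TSIG secret are assumed placeholders. `type primary`, `type secondary` and `primaries` are the BIND 9.16+ keywords (older releases use `master`, `slave` and `masters`).

```conf
// ---- Site A: primary (assumed address 10.0.1.53) ----

// TSIG key shared by both servers; replace the secret with the output of
// tsig-keygen. Transfers are limited to holders of this key, not to an IP.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_KEYGEN_OUTPUT";   // placeholder, not a real key
};

// Sign NOTIFY messages sent to the secondary with the same key.
server 10.0.100.53 {
    keys { "xfer-key"; };
};

zone "home.example" {
    type primary;
    file "/var/lib/bind/db.home.example";
    allow-transfer { key "xfer-key"; };       // only the keyed secondary may AXFR/IXFR
    also-notify { 10.0.100.53; };             // push change notifications to site B
};

// ---- Site B: secondary (assumed address 10.0.100.53) ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_KEYGEN_OUTPUT";   // identical secret to site A
};

server 10.0.1.53 {
    keys { "xfer-key"; };                     // sign transfer requests to the primary
};

zone "home.example" {
    type secondary;
    primaries { 10.0.1.53; };
    file "/var/cache/bind/db.home.example";   // locally cached copy survives a link outage
    allow-transfer { none; };                 // nobody pulls the zone from the secondary
};
```

Clients in each site point at their local server, so name resolution keeps working while the VPN between sites is down; the secondary answers from its cached copy until the zone's expiry timer runs out.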
#4
Have a look at the routing table on the hosts you can't ping. Make sure they have a route back to your homelab.
#5
General Discussion / Re: Hardening DHCP
May 12, 2025, 06:29:48 PM
Capture the DHCP traffic on the firewall while bringing the device on the network.
#6
General Discussion / Re: Hardening DHCP
May 12, 2025, 09:04:03 AM
Yes, DHCP uses broadcast. Restricting clients by MAC has limited value since you cannot control the address that the client uses. For instance, an attacker can sniff packets on the network and assume the MAC and IP of a client that is allowed to connect.

Do your hardening on layer 2 by implementing VLAN separation on managed switches and multi-SSID WiFi access points.
#7
Quote from: m4rktw4in on May 07, 2025, 09:16:42 AM
For the 10GbE I'm using copper.
That's ambitious ;-)

Any sources of interference? Have you tried different patch cables? Can you bring the Unifi next to the DEC and use a pre-made CAT6A cable?
#8
Check your physical connections and make sure you're not doing jumbo frames on one side only.

Are you using fibre or copper for 10GbE?
#9
DHCP sits between layer 2 (network) and layer 3 (IP). You can't have more than one DHCP server per (broadcast) network. Additionally when you add an interface to OPNsense (e.g. OPT1), it is seen as a separate network and no default firewall rules are created for it.

You essentially have three options:
- Leave your networking to your switch infrastructure and only have one OPNsense LAN interface
- Separate your network into security zones, each with their own IP subnet and DHCP (what @EricPerl hinted at)
- Create a bridge on OPNsense for your LAN interfaces

Bart...
#10
I suspect that the user of said device may disagree with the block? If you don't have their cooperation, you need to enforce separate access through a VLAN.

If the device is wired, set its network port to have this as its native VLAN. If it is wireless, you need a separate SSID with its own credentials. Quite a few access points support multiple SSIDs and VLANs. You can also run a separate AP.

For this VLAN change the DNS to a curated DNS provider such as OpenDNS https://www.opendns.com/home-internet-security/

Bart...
#11
There are plenty of tools to create QR codes. I would recommend self-hosting https://github.com/CorentinTh/it-tools
#12
Hi Samvel, why not just give the DMZ a /64 from your /56 allocation? Set your web hosts up with static IPs from the /64 subnet and allow inbound traffic (e.g. TCP 443) on OPNsense firewall rules.

The OPNsense DMZ interface will need a static IP on the same subnet so you can set the default gateway on the web hosts.

External DNS is simply AAAA records for your web hosts, a.k.a. applying the KISS principle ;-)

Bart...
#13
Quote from: shadowspire on April 27, 2025, 06:22:20 PM
I have DNScrypt setup to listen on port 853 because that is what Android wants you to use by default.
Where does this run? Did you forward port 853 for it? Plain DNS uses both UDP and TCP, but I'm not sure what DNScrypt does.
#14
Can you put your WAN router in modem mode? NAT strictly speaking breaks HTTP and double NAT doubly so.
#15
Quote from: raybies on April 23, 2025, 07:55:58 AM
Bypassing OPNsense and connecting directly to WAN router loads https://www.dessmonitor.com.
Run a Wireshark while accessing the site via the WAN router then another trace through OPNsense. See what is different.