You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.
Quote from: FLguy on June 17, 2024, 07:31:29 am
You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

There could be one LAN which has all the trustworthy devices (e.g. PC and Homeserver/NAS) and another IoT LAN for devices which you cannot control, but must have cloud access. If these also need access to the NAS or Homeserver, you can create rules.
Suppose you don't mind your home server and NAS being on different IP networks. In that case, there isn't anything extraordinary here other than installing the Firewall and connecting your home server and NAS to the firewall. You must create three networks, including the existing IP (opnsense WAN) that's live off FRITZ!Box router, one for your home server, and one for your NAS.

If you want your home server and NAS to be in the same network but connected to different interfaces on opnsense then you may want to look at configuring a bridge. In this case, it is just two networks, the existing network and the new network behind opnsense for the home server/NAS.
https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense
How would I go about initially setting it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port so my PC cannot reach its web interface.
I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.
Someday I'll reorganize my whole LAN to include VLANs and a DMZ. But for now, this setup suits all my needs and works just as designed.
Quote from: FLguy on June 17, 2024, 07:31:29 am
You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.
And there you have it: Your (trustworthy) PC is on the wrong side of the setup. It must be trustworthy if you want to configure your firewall from it. That is what I meant: You are about to design a non-standard setup and now the problems turn up one by one...
[...] With that aside, this issue you are raising is for sure something you will have to deal with moving forward with your diagram. No big deal, add a rule to the WAN interface allowing HTTPS to "this firewall". You will then use the WAN IP to manage the firewall from your PC or any system on the WAN side will be able to manage opnsense firewall. By default, the LAN is set to 192.168.1.1, but you have to be on the LAN side of the firewall to set the initial configuration. My suggestion is to connect a laptop or temporarily your PC to the LAN side of the firewall to set the initial configuration. One of those items will be the rule mentioned above. Once the firewall is configured, cable it up to your diagram.

If you want both your NAS and Homeserver in the same subnet and connect them to different ports on the opnsense firewall, you will have to go with a bridge configuration. I sent a link for this already. Here is a video, https://youtu.be/q1Rv4gB8fkI?si=VgPnQgBHdGYG0q_Z&t=160, the guy is a bit chatty. Before setting up the end-state bridge, I would either configure the WAN rule above, allowing you to manage opnsense from the WAN, or use two different ports than ETH1. So Eth0 (WAN), Eth1 (LAN), and Eth2 and 3 could be the new bridge. So if the bridge doesn't work after the initial configuration, you don't lose admin access to opnsense.
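
Added example, not part of any post in this thread: a check over an exported OPNsense configuration that lists enabled WAN pass rules letting any source reach the firewall's web GUI, which is what the WAN management rule discussed above does unless its source is narrowed to the admin PC. The element names follow the layout of a `config.xml` export as an assumption, and the sample rules, descriptions and the address 192.168.178.20 are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of an OPNsense config.xml export
# (filter/rule with interface, source and destination children).
SAMPLE_CONFIG = """<opnsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>(self)</network><port>443</port></destination>
    <descr>Manage firewall from WAN side</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><address>192.168.178.20</address></source>
    <destination><network>(self)</network><port>443</port></destination>
    <descr>Manage firewall from admin PC only</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any>1</any></destination>
    <descr>Default allow LAN to any</descr></rule>
</filter></opnsense>"""

GUI_PORTS = {"80", "443"}  # web GUI ports considered by this check


def open_wan_mgmt_rules(config_xml, wan_if="wan"):
    """Return descriptions of enabled WAN pass rules where any source can reach the GUI."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded
        if rule.findtext("type", "pass") != "pass":
            continue  # block/reject rules do not expose anything
        if wan_if not in rule.findtext("interface", "").split(","):
            continue
        src, dst = rule.find("source"), rule.find("destination")
        if src is None or dst is None:
            continue
        # "This Firewall" is assumed to be stored as the network alias "(self)";
        # a destination of "any" also covers the firewall's own addresses.
        to_firewall = dst.findtext("network") == "(self)" or dst.find("any") is not None
        port = dst.findtext("port")
        reaches_gui = port is None or port in GUI_PORTS  # no port means all ports
        from_any = src.find("any") is not None
        if to_firewall and reaches_gui and from_any:
            findings.append(rule.findtext("descr", "(no description)"))
    return findings


if __name__ == "__main__":
    for descr in open_wan_mgmt_rules(SAMPLE_CONFIG):
        print("WAN rule exposes the GUI to any source:", descr)
```
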