Collabora-online: The requested URL /loleaflet/dist/admin/admin.html was not found on this server

Ah, ok. Understood. Even better :slight_smile:

Off topic: Looked at the last 500 lines of /var/log/messages. omg :slight_smile:
I definitely have to change ssh and disable password auth, and thus switch to cert-based on the nethserver too, as I already did a long time ago for the host system. Way better than enabling fail2ban to eliminate all those useless log entries. :slight_smile:

Cert-based is much faster and secure, too!

Yep, was just too lazy to do that on nethserver yet, but those entries, two or three attempts per second, make me think I had better do it sooner rather than later :smiley: Will have to check other vms like opnsense, fogserver and pihole too, but I think ssh ports are not open there…

Did you check if internally, the DNS is correct for SSL? SSL needs a hostname, IP does not work correctly, especially with proxies / reverse in between…

You mean for cloud.mydomain.com? I have set dns entries in nethserver for internal translation to internal nethserver ip, so I can successfully open the page cloud.ourdomain.com from vms in green network and it translates to the green ip of nethserver. That works fine.

SSH can be opened on opnsense, and so can cert based ssh!
Also a good idea is to enable serial access.

System -> Settings -> Administration

Proxmox can virtualize a connection, say from your windows/linux vm. Screen works wonders in Linux with serial connections. If you NEED troubleshooting on opnsense. With local AND Proxmox backups, I never needed that, but it’s still good to have…

Sure, but for now, I did not yet open it I think, unless it was open on the image I had received. But I recall not having seen an open port when going through settings, and I leave it like this for now. I prefer only having one single open port to prox host, and ssh to it and opening port with -L xy:internalip_opnsense:80

I’ll check that too (serial access), but not tonight :slight_smile:

Another good idea is to replicate the NethServer DNS entries in OPNsense (unbound). If upgrading/updating or maintenance, all internal stuff still gets resolved correctly…

And set that on those boxes with fixed ip, DHCP can be set in NethServer as second DNS.

Yeah, I have seen your entries in unbound, and now, understand why you have put it that way indeed!

In good German: “Ficki & Müli” !!!

:slight_smile:

(English translation: By hook or by crook…)

Yep, that makes a lot of sense! Makes good sense for the red network. (opnsense is not aware of the green one in my setup, so for green only dns is nethserver)

Another idea would be providing a third (or fourth) NIC for OPNsense, with connection to the green network. No Routing or Firewalling, but access to OPNsense (Interface and Internal DNS…). On the green network, OPNsense is “just” a DNS server…

Note: This doesn’t interfere with anything existing!

Absolutely, had the same thought. True! I see there is still plenty of room for optimization :smiley:

I really am looking forward to after my holidays, when we get the hardware, so I’ll be able to start setting up two more local proxmox nodes and implementing replication, HA and all these wonderful things while going live with our clients, rolling out image with fog server and everything :smiley:

Two really good things (at least!) came out of the BSD fork called OpenBSD:

OpenSSH (Yes, the one everyone uses was developed by the same guy!)
CARP - a high availability protocol for redundant firewalls.

OPNsense uses both!

From 1997 to about 2010, I ran my external and internal DNS servers on OpenBSD.
In more than ten years, two small holes in the default install… That’s amazing, compared to linux, windows, mac or anything else!
:slight_smile:

Nice, and thanks to you I became aware of them! What a wonderful playground you gave me :slight_smile:

Indeed it is!

Small hint: OpenBSD runs very well in Proxmox, Zabbix agents and SNMP are also possible…
One of the most secure UN*X based distros anywhere.

Playground, or a base to run other stuff, extremely secure, small but mighty!

Theo de Raadt, the developer, is a known paranoid freak. All open source (no BLOBs in there!) is personally reviewed by him, and a lot of changes - which also goes back upstream.
Even though he was very outspoken against the US, the DOD contracted him. He is among the best, I wouldn’t want to miss OpenSSH (or plain ssh, as we call it)!
He was among the four founders of NetBSD, but forked after disagreements…

Yep, Zabbix maybe even snmp - noted on my pending list for sure. Playground is nice, as at the same time setting up our new environment for our small company is extremely motivating.

I believe ya; definitely worth reading more about bsd! For sure!

OPNsense has both monitoring agents “on board”. Zabbix, SNMP and even Nagios, which I don’t use anymore.
OPNsense also supports NUT (UPS), which not every firewall supports.

I had a look into zabbix 5 or 6 years ago, and even then it looked very promising. When we set up local systems, we’ll also look at NUT for our UPS - was aware of nethserver module; nice to know that it also is available in opnsense.

I use at all sites a small raspberry as NUT Server. That is connected with USB cable to the UPS battery.
The NUT Server is accessed by all VMs, Proxmox, NethServer, NAS and OPNsense, to correctly shut down if needed. VMs in Proxmox are doubly connected, by the NUT locally, but also via ACPI / Proxmox…

This takes about 10 - 15 minutes to set up. Of course I set up the raspberry also with Zabbix and SNMP monitoring - and get nice graphs out of it.

Better than an APC SNMP box, costing nearly a thou!

This is cheap, so cheap that a spare can be kept configured in the cupboard. And again, completely independent from any other device in there!

Sure, I could set up a NUT server on one of my Proxmox servers. But if I have High Availability, and need to replace one of those Proxmox (Hardware issues or whatever), I might forget to set up a new NUT Server in the replacement Proxmox - or forget the USB… I also wouldn’t want to have to reboot the Proxmox, just because the USB connection needs reinitializing…

Another thing: Don’t waste money on the more expensive RPi4. A RPi3B+ is sufficient, with 98x/100x 16 GB SD card. The Raspberry at pi-shop costs about 70-80 with Power supply and casing, and the SD about 20 at Interdiscount.