Well, it has been a few weeks since I decided to completely revamp most of our home network and FreeBSD server. The progress to date has been good, though there were some detours along the way.
| Task | Status |
|---|---|
| Ubiquiti ER4 (replace ER5 POE) | Done |
| SFP fiber from ER4 to 24-port switch | Done |
| Firewall rewrite (done for IPv4, semi-done IPv6) | Done |
| Implement IPv6 | In Progress |
| Native FreeBSD jails (remove ezJail) | Done |
| Fix Samba (visible via Network) | Done |
| rspamd (replaced amavisd/spamassassin) | In Progress |
| Internet VLAN (segregate incoming internet traffic) | Done (*) |
The conversion from ezJail to native FreeBSD jails went extremely smoothly once I figured out the steps for our implementation. I basically followed the instructions for creating native jails and then transferred the non-symlinked directories to the new jail via rsync (piped tar had a few problems with the /var sub-directories). Since a few programs had issues afterwards, I decided to log in to every jail and simply rebuild every port in place with portmaster.
The implementation of IPv6 brought a few setup challenges (ER4, switch, UniFi WiFi, etc. for SLAAC), but everything is working on all four networks (LAN, IoT, Guest, and Internet). This morning I was finally able to set up dnsmasq to properly resolve the static IPv6 addresses internally (external resolution was already working). I still have a few tweaks I want to make, as I would like DNS resolution to work for some of our other computers without having to "hardcode" everything in dnsmasq.
The firewall rules are done for IPv4 traffic: everything is kept separated, LAN hosts may initiate connections to the IoT/Guest networks as needed, but the reverse direction is blocked. The IoT/Guest (and Internet) networks are restricted to themselves and the internet. I still need to complete and test the IPv6 rules to ensure the separation is properly configured there as well.
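As an added illustration (not the configuration from this post), here is how the IPv4 policy described above can be expressed on an EdgeRouter such as the ER4; it assumes the IoT VLAN is VLAN 20 on eth1 and that every internal subnet falls inside 192.168.0.0/16, both of which are assumptions rather than details from the post:

```text
configure
set firewall group network-group PRIVATE_NETS description 'ASSUMED: all internal subnets'
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
set firewall name IOT_IN description 'IoT VLAN: internet only, LAN may initiate inbound'
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 description 'Return traffic for sessions the LAN initiated'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 description 'Drop and log new IoT sessions toward any internal subnet'
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name IOT_IN rule 20 log enable
set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
commit
save
```

An `in` ruleset only filters traffic transiting the router, so it does not stop IoT hosts from reaching the router's own DHCP/DNS services; that needs a separate `local` ruleset. The IPv6 equivalent is configured under `firewall ipv6-name` and must still accept ICMPv6, which SLAAC and neighbour discovery depend on.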
I took a slight detour and replaced amavisd/spamassassin with rspamd. This turned out to be significantly more work than expected. Part of the problem was copying settings from the internet without completely understanding what was being copied (yeah, guilty). Since our setup is Maildir (real accounts) and not mbox, one copied setting for Dovecot's imap service set service_count=256, which resulted in security errors being thrown when Postfix delivered email and when clients logged in to retrieve email.
WireGuard is coming, but first I want to resolve rspamd not passing email through clamav and the IPv6 SLAAC local DNS resolution issue.
I probably should have documented everything here, but so many mistakes were made that it would probably be semi-useless.