Creating A Virtual Cybersecurity Lab on Proxmox

Installing pfSense Firewall on Virtual Network

Welcome to the first part of my step-by-step guide on building a virtual network segmented under a pfSense firewall. This is part one of the build, and in this guide, we’ll be installing and configuring pfSense and a Kali Linux machine. This guide will be done using bare-metal Proxmox as the hypervisor (this tutorial requires the prior installation of Proxmox).

This is a multipart series explaining how I built my cybersecurity lab. In this series, we will build a multi-part network with Kali, Nessus, Wazuh, Cortex, TheHive, Caldera, SecurityOnion, Metasploit, Vulnhub, DVWA (Damn Vulnerable Web App), a Windows server with Active Directory with a FLARE instance, and a Docker/Portainer server for deploying containers, all under separate VLANs created by our pfSense firewall.

By Collin Foster

Materials Used

• Dell Workstation: 64 GB DDR3 RAM, 16-core 2.6GHz E5-2670 CPU, AMD Radeon R5 340X GPU, 2 TB SSD
• Removable Storage Device: 100 GB USB drive

Step 1: Uploading .iso Files to Proxmox

In this guide, we will need two ISO images. The links are provided below:

• pfSense ISO file: Download pfSense

• Kali Linux: Scroll down to installer images and click the recommended 64-bit installer. Download Kali Linux

• After downloading the required files, navigate to your Proxmox server page and click onto your removable boot drive connected to your workstation. Press ISO Images, then click Upload:
• Press Select File and select the pfSense .iso file you've just downloaded and click Upload.
• Repeat for the Kali Linux .iso as well.

Step 2: Creating pfSense Instance

Before we get started, we must create a new network adapter for the lab. This will allow us to create new VLANs in our environment.

1. Head to the Proxmox server page, and under the Proxmox instance navigate to System then to Network.
2. Click Create then Linux Bridge.
3. A new window will open, name the new network adapter anything that makes sense in your case; I used the default vmbr1.
4. Under the IPv4/CIDR option, enter the IP address range 10.10.1.0/24.
5. Make sure to click the option VLAN aware as the lab will not work without it.
6. Add a comment into the comment section to easily remember what the network adapter is for; I used Lab LAN in this case.
7. Make sure to press Apply Configuration.

On the Proxmox server page, click the Create VM button near the top right.

• Under VM ID choose a number that works best for you; in this case, I used the ID 101.
• Under the name section, choose a name that fits with your case; in this case, I used LAB-FW.
• Click next, under the ISO image toggle, select the pfSense .iso file.
• Press next and leave everything as default, then next again.
• You should be on the Disks page, under storage and disk size choose the adequate options for your system. I left the storage size at 32 GB as the firewall should not require too much storage.
• Click next, under the CPU page you may leave the default settings. (Adding more cores will make things faster but is not required).
• Under the Memory this is where you delegate how much RAM your VM will partition; the default setting of 2 GB (2048 MiB) is fine in this instance. Press next.
• Leave the network adapter bridge as vmbr0 for now.
• Press Finish.

Now the firewall should show under your VMs, before you start click the instance, navigate to hardware, and at the top click add, then Network Device then add the new network bridge you've created. Click add.

Step 3: Installing pfSense

1. Now with the Lab FW selected, click on the start button on the top right side.
2. Click the Console button next to that, and a new window will open. This is your pfSense firewall.
3. Let the machine boot up, and once you get to the setup wizard, select Install.
4. Press Okay on the next screen with the Guided Root.
5. Press okay on the next screen as well, then select the Stripe no redundancy option.
6. On the next screen, make sure to press your spacebar to select the hard drive and allow pfSense to install. Press okay.
7. Next, use arrow keys to select the YES option on the ZFS config menu.
8. You will now allow pfSense to be installed; this may take a few minutes.
9. On the installation complete menu, press the reboot option.
10. A new command line interface will open with a few configuration options.
11. On the first config should VLANs be set up now? type n for no.
12. Enter the WAN interface, this is the 0 vtnet adapter. Type vtnet0 and press enter.
13. The LAN interface option is the vtnet1 interface. Type vtnet1 into the command line and press enter.
14. You will receive a do you want to proceed option; type y to select yes.
15. Let the command line do its work, then once completed, there will be a screen with different options to configure. Press 2 to select the Set Interface IP address option.
16. Type 2 again to select the LAN interface. On the next prompt about configuring DHCP, select no. We want a static IP address. On the prompt where it asks for an IP address, choose 10.10.1.254. This will be the IP address of the firewall in this first VLAN.
17. Next, on the subnet prompt, select 24. Press enter on the next option, then no on the IPv6 option.
18. Next, on the do you want to enable the DHCP server on LAN? select yes. This will allow other VMs to be assigned an IP address from the range we will configure later.
19. For the DHCP range, type 10.10.1.50 and for the end, type 10.10.1.100.
20. Select no on the HTTP config setting.
21. Press enter to continue. We have now set up the base config of our firewall. Next, we will set up a Kali instance so we can access the firewall in a browser to continue configuration.

Step 4: Creating Kali Instance

1. Back on the Proxmox server page, press Create VM.
2. Change the VM ID to 102, or whatever makes sense for your instance.
3. Change the name to align with your needs; I used LAB-KALI.
4. Press next and select the Kali Linux .iso file uploaded earlier in the guide.
5. Press next, then next again to reach the Disks page. Choose the storage location best fit for you.
6. Also allocate as much storage that makes sense for your workstation; in this case, I used 100 GB.
7. Press next to the CPU page; Kali can be quite demanding on the CPU, so if your machine allows it, I'd recommend adding a core to the Cores section. This will increase processing speed.
8. Next, on the Memory page, allocate as much RAM as needed; I used 6138 MiB, which is about 6 GB of RAM (can always allocate more later if needed). Kali can be quite intensive on RAM, especially when running the tools used later in this guide.
9. On the Network page, change the Bridge adapter to the vmbr1 we set up earlier. That will place the instance under the pfSense firewall.
10. Press next again, then click Finish.

Step 5: Installing Kali Linux

1. Press start while on the new Kali instance on the Proxmox server page. Click the Console button to the right to open a new window with our Kali instance (can also access the console on settings if you wish).
2. Select Graphical Install.
3. Select the correct time zone, country, and keyboard options.
4. Choose a hostname for your Kali Linux; in this case, I chose the default Kali.
5. For the Domain name, leave blank and click continue.
6. Now choose your name, username, and password on the next screens. This will be used to log in.
7. On the Partition Disks screen, select the Use entire disk option.
8. Press continue again on the next page as the virtual disk should be selected.
9. On the next page, select the finish partitioning and write entire disk option and press continue.
10. Make sure to press the yes option on the apply changes menu.
11. Your machine will now install the needed material; this may take some time depending on your speeds.
12. After you should be at the GRUB boot loader menu, select yes and press continue.
13. Select the disk on the next menu, and press continue.
14. On the next screen, select continue, and the machine will auto reboot.
15. While the machine is rebooting, head back to the Proxmox server page and go to the settings on the Kali Linux instance. Select hardware and under the CD/DVD drive, click edit and press do not use any media. This will allow Kali to boot properly.

Step 6: Configuring VLANs on pfSense

1. Login to your Kali instance and open a terminal on the top of the screen and type the command ifconfig under the eth0 adapter. Your IP address should read 10.10.1.50.
2. Open a Firefox browser and type the IP address of the pfSense firewall, which should be 10.10.1.254. (Make sure the pfSense VM is powered on).
3. The default login will be username: admin; password: pfsense.
4. Leave the setup wizard alone for now.
5. We are going to be configuring firewall rules and DHCP for each of the VLANs so they are connected to the internet and can communicate.
6. Navigate to the top of the screen and click Interfaces, Assignments, then click on VLANs on that page
7. Click on Add on the bottom right, and you'll see a VLAN config menu.
8. Change the parent interface to the vtnet1 interface (LAN) and the VLAN tag to 10.
9. Repeat this step for VLANs 20 and 30 (change the tag for the corresponding number).
10. Now click on the Interface Assignments tab and under the available network ports add the 3 new VLANs just created. (Make sure to press save).
11. You should now have 3 new interfaces named OP1-3.
12. Now navigate back to the top of the page and select Interfaces and go to OPT1.
13. Click Enable Interface, and change the name to VLAN10.
14. Change the IPv4 configuration type to Static IPv4.
15. Scroll down to the static IPv4 configuration section, and change the IPv4 address to 10.10.10.254 and change the subnet range to /24 on the right side.
16. Scroll down to the bottom and click save. Scroll back up and click apply.
17. Repeat these steps for the next two, OPT2 and OPT3, but change the names and IPv4 addresses to the corresponding numbers. (VLAN 20 = 10.10.20.254, VLAN 30 = 10.10.30.254).

Step 7: Configuring Firewall Rules and DHCP

1. On the pfSense page, navigate to Firewall, and Rules. Click onto LAN and you will see existing firewall rules already enabled.
2. Navigate to VLAN 10 and click add. The interface should be VLAN10, address family IPv4, and the protocol should be changed to any.
3. The source under the source section should be changed to VLAN10 net. Destination any and scroll down and press save.
4. Repeat these steps for VLANs 20 and 30 but be sure to change the source to the correct VLAN net. These rules are very open and would not be recommended for secure environments.

1. Now we must configure DHCP for each of these networks.
2. Navigate to Services and click DHCP Server.
3. On the LAN interface, scroll down and add the DNS info required. Add the IP 10.10.1.254 and under it add Google’s DNS server 8.8.8.8. Scroll down and press save.
4. Now go to the VLAN10 tab and make sure to click Enable DHCP server on VLAN10 interface.
5. Scroll to the address pool range and enter the range 10.10.10.50 - 10.10.10.100.
6. Scroll down to the DNS info again and enter the IP 10.10.10.254, and under it Google’s DNS server 8.8.8.8. Make sure to press save at the bottom of the screen.
7. Now repeat steps for VLAN20 and 30 but replace the address pool range with the corresponding number changes (VLAN20 = 10.10.20.50 - 10.10.20.100) (VLAN30 = 10.10.30.50 - 10.10.30.100) and the corresponding DNS info (VLAN20 10.10.20.254 and 8.8.8.8) (VLAN30 10.10.30.254 and 8.8.8.8). Make sure to click save at the bottom of the screen and apply changes after.

Congratulations, you have successfully set up and configured the pfSense firewall and created separate VLANs for our first step in this Cybersecurity Lab setup. The next guide will be setting up an Ubuntu server with Docker and Portainer!