A Blog About Self-Imposed IT Projects and Tech Exploration

Month: May 2023

Creating a DMZ in pfsense to Separate Internal Servers

The next step to set up my lab involves configuring the pfsense firewall to create a DMZ. Within the DMZ I will create a DNS server using Pi-hole, email server using iRedMail, and a vulnerable web server from Vulnhub. Using a DMZ allows me to set different firewall rules for external facing and internal servers. This also allows me to control the traffic between the DMZ and LAN which provides a greater level of protection for the internal network.

How pfsense Firewall Rules Work

Before creating any rules it helps to understand the traffic flow through pfsense on our small network. There are two ways of setting up a DMZ. One way is to have two separate firewalls, one attached to the WAN, and one to the LAN. Between the two firewalls is the DMZ.

Example DMZ using two firewalls to separate the external and internal networks
Example configuration using two firewalls

Configuring rules is fairly straightforward in this setup since each firewall only has two interfaces to configure. In my network I am using a single firewall to enable this using this network diagram.

Diagram of lab network with firewall, external, DMZ, and internal networks.
Lab network overview diagram

To help understand how to configure rules in this setup, we need to think about how the traffic flows. The WAN interface is by default configured to block all traffic, and each interface is configured with a default deny. I will configure WAN rules later to forward specific ports to servers in the DMZ. To configure the DMZ I need to choose which traffic to allow out and to where. All traffic not specifically permitted will be denied.

Firewall rule configuration on each interface in the lab network
Firewall rule configuration in pfsense

Creating the DMZ in pfsense

Prerequisite: Creating the Linux Admin Workstation

Using the Linux admin workstation I accessed the firewall’s webConfigurator and changed the OPT1 interface’s firewall rules. The first rule shown in a step by step below was adding UDP port 53 to allow DNS traffic.

Empty firewall rules page on DMZ interface in pfsense
Firewall rules page on DMZ interface before rules are added
Add a UDP port 53 rule in the pfsense add rule interface.
Adding the rule for UDP port 53 to enable DNS traffic
Adding a rule description for future reference to understand the rule's purpose
Adding a rule description for future reference

While configuring the DMZ I also added rule necessary for web traffic and the ability to ping between the LAN and DMZ. These rules included:

  • TCP port 80 (HTTP) from DMZ to all
  • TCP port 443 (HTTPS) from DMZ to all
  • ICMP any from LAN to DMZ
  • ICMP echo reply from DMZ to LAN
Full DMZ list of rules for the lab network
Full DMZ firewall rule set for my lab

The last step I took was to rename the OPT1 interface and make sure the right MTU is set for VXLANs.

Renaming the DMZ interface to DMZ and setting the MTU to 1450
Rename the DMZ interface

That’s all there is to it, I created a DMZ using pfsense and it’s ready for server deployment. Next I am going to install a DNS server on the external and DMZ networks.

Creating the Linux Admin Workstation

To connect to the LAN interface of the pfsense firewall and use the webConfigurator I need a virtual machine on the LAN Vnet. I am going to install Ubuntu Desktop in Proxmox to act as the Linux admin workstation for my lab network. The desktop version will give me a web browser to access the firewall, and later I can add the machine to the networks Active Directory domain.

Install Ubuntu Desktop in Proxmox

Prerequisite: Installing a Network Firewall Using Pfsense in Proxmox

I covered the step by step instructions with screenshots for creating a virtual machine in Proxmox in the post linked above. From this post on I will list the settings used for each machine instead of walking through each step.

Linux Admin Workstation:

  • Name: UbuntuDesktop
  • Start on boot: no
  • ISO image: ubuntu-22.04.2-desktop-amd64.iso
  • System: defaults
  • Disk size: 40GB
  • CPU: 1 socket / 2 cores
  • Memory: 2048MB
  • Network: LANnet / MTU 1450

On boot you will see the Install screen for Ubuntu where you select the language and install Ubuntu.

Ubuntu Desktop install screen with language select and try or install Ubuntu options.
Install screen for Ubuntu Desktop

I kept the default options throughout the install with the exception of selecting “minimal installation” instead of “normal installation”.

Updates and other software screen. Select minimal installation instead of normal installation.
Selecting minimal installation on the updates and other software screen

Post Install Actions

After installing Ubuntu, I needed to check my network configuration to ensure the MTU settings were correct and I had network connectivity to the firewall and to the WAN by pinging one of my hosts.

Wired network settings in Ubuntu GUI showing MTU of 1450
Confirm MTU is set to 1450 for VXLAN
Ubuntu terminal showing three successful pings to the vmhost. Access is available through the firewall to the WAN.
Successful ping to the vmhost outside of the VXLAN and through the firewall

Login to the pfsense webConfigurator

Now I navigate to the pfsense webConfigurator address and login to finish setting up the pfsense software.

pfsense webConfigurator page showing next steps to finish software configuration
Pfsense webConfigurator initial page on first load to finish software configuration

I set my hostname and domain to pfsense and the globomantics.local domain I will use for Pluralsight courses.

Example pfsense hostname and domain configuration screen.
Configure hostname and domain

For my network I am unchecking the box to block RFC1918 private networks. My simulated WAN is using the network 172.16.1.0/24 which falls in this range. If I left this checked I would not be able to access anything inside the network.

Uncheck the block RFC1918 private networks option in pfsense webConfigurator
Uncheck block RFC1918 private networks

After finishing these steps, I checked for updates and then finished the configuration. On my network the interfaces reset to 1500 MTU and I had to manually change them back on the shell to regain access. This was covered in the previous post. You can also set the MTU in the webConfigurator on each interface.

pfsense Interface configuration showing LAN interface enabled with MTU set to 1450
Setting the MTU in the webConfigurator

Now my first workstation is online and the initial firewall setup is complete. I am ready to set up the DMZ and configure DNS for my Globomantics network. These topics are the next couple of posts.

Installing a Network Firewall Using Pfsense in Proxmox

I need to enable communication between the VXLANs and the Internet, so the first machine I will create is a pfsense firewall in Proxmox. I will connect the WAN interface to the external network and 2 other interfaces to the VXLANs. This will grant Internet access to the VXLANs, but force the traffic to flow through the firewall.

Creating the Virtual Machine

Prerequisite: Configure Software Defined Networking

The creation of a virtual machine in Proxmox is pretty straightforward. Since this is the first machine in the lab and the first one in this guide I will go into more detail in this post. The first step is to create the machine itself and name it. I configured it to start when the host boots so the VXLNAS have immediate Internet access.

View of create virtual machine showing pfsense name. First step in creating a firewall using pfsense in Proxmox.
Create the virtual machine and give it a name

Next I selected the pfsense ISO image and added it to the CD/DVD drive. I left the system settings default and gave the machine a 40 GB disk.

Selecting pfsense ISO as the operating system installer image.
Selecting the operating system installer image from software uploaded to the server
Leaving the system settings with default settings.
Default system settings for the virtual machine
Setting the disk size to 40GB for the pfsense firewall in Proxmox
Configure disk size set to 40GB

After configuring the disk size, I had to set the CPU and memory settings. I chose to use 1 socket with 2 cores for CPU, and gave the firewall 2048MB or 2GB of RAM.

Configure the CPU to 1 socket with 2 cores in Proxmox
Setting the CPU to 1 socket with 2 cores
Setting RAM to 2048MB or 2GB in Proxmox
Memory set to 2048MB or 2GB for the firewall

Next I set the WAN interface to vmbr0 which is the external facing bridge on my host. Then I confirmed the settings to finish the initial configuration. Before booting I have to add the other 2 interfaces.

Setting the WAN interface to vmbr0 in Proxmox
Set the WAN interface to vmbr0
Screen to confirm settings prior to VM launch. "Start after created" is unchecked.
Confirm settings, uncheck start after created

Before booting the machine I added the DMZ and LAN interfaces, selecting the appropriate Vnet for each bridge. I did not make the change here but recommend configuring the MTU to 1450 now in your setup. You can change it in the pfsense web console if you forget like I did.

LANnet and DMZnet interfaces added to pfsense.
Add the LAN and DMZ interfaces prior to boot

Next, I boot up the machine and am greeted with the pfsense installer.

pfsense installer screen after configuring the virtual machine
Pfsense installer screen

Installing pfsense firewall in Proxmox

Installing pfsense on a virtual machine is also a straight forward process so I will skip the first few installer screens and list the options I selected below.

  • Select Install
  • Select the keyboard layout
  • Select preferred partition method: I went with default
  • Remaining disk options: again I stuck with default
  • When you see a “Last Change!” ZFS configuration select yes to install
  • Once the install is complete select “No” for manual configuration and reboot

After the installation is complete and pfsense reboots you should see a screen stating all links are up. Select no to set up VLANs now.

Installer screen showing all interfaces up and asking to configure VLANs.

Configure the Interfaces

I set my pfsense interfaces to the appropriate Vnets:

  • WAN = vtnet0
  • LAN = vtnet1
  • OPT1 = vtnet2
Example interface configuration assigning the WAN, LAN, and OPT1 to the right virtual interfaces.
Pfsense interface configuration

Next I had to configure the right IP addresses on the interfaces. I left WAN as DHCP, but used option 2 on the main screen to set the LAN and DMZ IPs to the right networks.

Main screen after interface assignment showing WAN and LAN IPs. This requires a change.
Main screen after initial interface configuration

After changing the LAN interface you will receive an IP address for the webConfigurator, in my case the is http://10.0.1.1. Before I switched to the web interface, I had to set the MTU to 1450 on my interfaces using the shell (option 8 from this screen) using the command below.

root: ifconfig vtnet1 inet 10.0.1.1 netmask 255.255.255.0 mtu 1450
root: ifconfig vtnet2 inet 10.10.1.1 netmask 255.255.255.0 mtu 1450
Set the interfaces for internal networks to mtu of 1450 using command ifconfig vtnet1 inet 10.0.1.1 netmask 255.255.255.0 mtu 1450

With that my firewall install is complete and I can switch to the webConfigurator to configure the DMZ network. First, I need a machine to connect to the webConfigurator, which is the subject of the next post.

Configure Software Defined Networking in Proxmox

In the last post I installed Proxmox and set up a cluster with three VM hosts. Before I start setting up virtual machines, I need a way to segment the network so I can make it match the diagram below. To meet this requirement, I need to enable communication between the hosts, but keep the networks segmented using the firewall. The best way I found to accomplish this was to configure software defined networking in Proxmox to create VXLANs for the DMZ and LAN.

Diagram of lab network with firewall, external, DMZ, and internal networks.
Overview of Lab Network Topology

Preparing the Hosts

Prerequisite: Install Proxmox and Configure a Cluster

The first step in any installation is to make sure your hosts are updated. By default, Proxmox hosts will reach out to the enterprise repository, so I need to configure the pve-no-subscription repository. To enable that, I added it to /etc/apt/sources.list like the image below.

View of /etc/apt/sources.list file with pve-no-subscription repository added.
Add the pve-no-subscription repository

After adding the repository, I run an apt update and upgrade to install the latest patches and make sure the new repository works.

# apt update && apt upgrade -y

Now I can install the needed dependencies on each host. Important note here, the next few steps are run on EVERY node in the cluster.

# apt install libpve-network-perl ifupdown2

Configure Software Defined Networking in Proxmox

After updating the hosts and installing the dependencies the last step to enable software defined networking is to add a line to the interface configuration. I added the line below to the /etc/network/interfaces file on every host.

source /etc/network/interfaces.d/*
Image of the /etc/network/interfaces file with added line from one of the hosts.
Example /etc/network/interfaces file with additional line

Once added, you should automatically see the software defined network menu in your datacenter view.

Software defined network menu in Proxmox datacenter view

Adding VXLANs to the Lab Network

Configuring a software defined network in Proxmox consists of three steps for each network. I need to configure a Zone, a Vnet, and if I want to assign an IP range, a Subnet for each VXLAN.

Adding a VXLAN zone

To add a VXLAN zone, you select that zone type in the Proxmox SDN interface. According to Proxmox SDN documentation, when adding a VXLAN, you need to set the MTU to a slightly lower value than the standard 1500. A VXLANs is a simulated layer 2 network on top of the existing network. So the extra 50 bytes allows for the VXLAN header added to each packet. You also need to configure an ID and peer IP address list.

Example VXLAN zone configuration for Lab Network
Example VXLAN zone configuration
Overview of VXLAN zones in Lab Network
DMZ and LAN VXLAN zones added to Lab Network

Adding Vnets and Subnets

Once you configure a VXLAN zone, the next step is to add the associated Vnets and Subnets to each zone. In my lab, each zone will have a single Vnet and Subnet. Here is an example configuration of the LANnet and LAN subnet.

Example Vnet configuration in Proxmox
LANnet Vnet configuration
Vnets overview for the Proxmox lab network
Vnet configuration overview for Lab Network
Example subnet configuration for the LAN network
Example subnet configuration

Apply to Configure Software Defined Networking in Proxmox Lab

The last step is to go back to the SDN overview and apply the configuration. I hit apply and then Proxmox configures the DMZ and LAN VXLANs on each host in the cluster.

Lab Network SDN overview after applying the software defined networking configuration.
Data center overview after software defined network configuration

That’s all there is to it, my lab network is ready for virtual machines. Next up, I create a virtual firewall running pfsense and configure the WAN, LAN, and DMZ interfaces.

Trying Something New – Install Proxmox and Configure a Cluster

I have never used Proxmox before for virtual machines. I was prepared to use VMWare ESXi for this project, but was looking for an option that would allow me to use features only available using vSphere which comes with a cost. After doing some research I ran across Proxmox. I was ready to try something new, and Proxmox offered all of the features I was looking for. So, I figured I would test it out on this build. The steps below walk through how to install Proxmox and configure a cluster.

Prerequisite: Creating a New Home Hacking Lab with Proxmox

Installing Proxmox and Configuring a Cluster

I installed Proxmox by downloading the ISO and imaging a USB drive. From there it was a simple process of booting the servers to the USB and installing Proxmox. As mentioned in the design, I placed these devices on a separate segment of my home network and assigned the IP range 172.16.1.0/24. Each host was assigned a hostname and IP:

  • vmhost1 – 172.16.1.10
  • vmhost2 – 172.16.1.11
  • vmhost3 – 172.16.1.12

After I installed Proxmox, I logged into each host using the web interface: https://[host IP address]:8006. From here I could configure a cluster so I could access all of the machines from a single interface and take advantage of features like VM migration and software defined networking. Creating a cluster in Proxmox is pretty straightforward. You create the cluster and then get the join information and use it to join the other hosts. Here is a picture of my cluster after all the machines were joined.

Screenshot of Proxmox cluster with three hosts, node ID, and IP address. Cluster name is LabNetwork.
Lab Network Proxmox cluster

After the creating the cluster, logging in to any host will give you a Datacenter view with all of your cluster hosts.

Proxmox datacenter view with three virtual hosts and datacenter summary showing a good cluster status.
Lab Network Proxmox datacenter view

Uploading the ISO images

After configuring the cluster, I need to upload the ISO images for each of the servers and workstations. This is a time consuming process, but part of the preparation. I uploaded all of the images I needed to the local storage on each of the hosts.

View of ISO images section of the local storage on vmhost1.
ISO images view on vmhost1

Here are the links to get all of the images I used:

That’s it, it doesn’t take much to install Proxmox and configure a cluster. Now that I have the software images uploaded, I am ready to configure software defined networking to allow me to segment the network.

Creating a New Home Hacking Lab with Proxmox

Sadly, my plans with my budget private cloud did not work out. Long story short, I moved internationally twice since I initially made plans to build that cloud. The first move was to Japan, and the second to Italy. Through each of those moves I lost two servers. On the upside, I have plans for the remaining three servers: a better home hacking and lab using Proxmox.

Designing a new hacking lab with Proxmox for learning and new courses.

After taking a year off I am back to making Pluralsight courses. I recently published Security Onion Basic Concepts and Functionality. I am currently working on a new course: Command and Control with Sliver. While creating the new course, I decided that I needed a better lab to simulate an actual network and make use of the Globomantics domain. Globomantics is a fake company Pluralsight uses for demos. I decided to take some old servers I had from a previous project, drew up a design for a potential network, and got to work. The design I came up with is below.

Hacking lab design in Proxmox. External network, firewall, DMZ, and internal network.
Proxmox hacking lab design

The design includes a firewall with separate internal and DMZ networks. The DMZ contains a vulnerable web server from VulnHub, a DNS server using Pi-Hole, and an email server running iRedMail. The DMZ is used because I want to keep the vulnerable hosts separate from the internal network. The internal network is a Microsoft Active Directory domain with a few workstations and a file server. I included one Ubuntu workstation as well that is joined to the domain. For security I have a firewall running pfsense and a Security Onion server acting as an IDS and SIEM.

On the external side I have a Kali Linux VM that is my main workstation for hacking, along with a phishing LXC running Gophish. I also have another Pi-Hole DNS server running that the internal network forwards requests to. This allows me to configure DNS records for fake websites without having to register actual domains.

Available Equipment for Home Lab

The three servers I have left are:

  • VMhost1: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost2: Dell Poweredge R610
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 600 GB HDD
  • VMhost3: Dell Poweredge R510
    • 2x 6 core Intel Xeon processors
    • 16 GB RAM
    • 1.8 TB HDD

The biggest issue I will face is the available RAM with the amount of machines I plan to run. So, I will make use of Linux Containers (LXC) where possible to reduce the resources required for particular services. I should be able to use an LXC for DNS, email, and the phishing server because these services use fewer resources.

Additional Considerations for Network and Proxmox

  1. I am building this on a separate segment of my home network. It will remain behind a firewall, and none of the vulnerable machines will be exposed to the Internet.
  2. I am using Proxmox as the virtualization software because it is free and allows me to use features like software defined networking, clusters for management, and VM migration between hosts.
  3. I have limits on host performance due to using very old equipment. I will likely need to build a new host in the future to improve performance and reduce power consumption in the long term.

Ready to Build the Home Hacking Lab with Proxmox

For this build I am going to create posts about each step that serve as a guide for anyone looking to build something similar. The first post in that series will show the VMhost cluster and cover software defined networking installation.