Homelab learning: Configuring pfSense in Proxmox VE for isolation and traffic routing

Evyn Hedgpeth
6 min read · Jul 4, 2023


Hi, all. This is the third part in an ongoing series walking through the steps required to build my isolated homelab with a corporate environment, attack network, security operations center, and remote access VPN.

For greater context, take a look at my previous posts:

  1. Homelab Learning: General Overview
  2. Homelab Learning: Configuring Proxmox VE

Let’s get started on this installment!

After setting up Proxmox and laying out the general virtual network infrastructure, it is still necessary to route incoming/outgoing traffic to each network. Moreover, as I alluded to briefly above, if you plan to host a DHCP server within your homelab, you must isolate this network from your regular home network; otherwise, your home devices may receive DHCP leases from the DHCP server inside the homelab.

After setting up the physical topology of my network (1 Eth –> Modem; 1 USB-to-Eth –> TP-LINK switch), configuring pfSense was rather straightforward. Perhaps most importantly, I recommend focusing on only two interfaces to begin: WAN and LAN. Later, after pfSense configuration is complete and you are able to access the pfSense “webconfigurator” (henceforth referred to as webGUI), it will be much easier to configure the additional interfaces.

Again, I’ve placed an install tutorial for pfSense in the references section below.

Once you’ve completed the install process, you should see the pfSense home screen, which has a list of options from 0 to 16 for various forms of configuration and management. Option 2, set interface(s) IP address, allows you to set up the WAN and LAN interfaces. The IP address for the LAN interface (static, 10.0.1.1 in my lab) will be the address for the webGUI. For simplicity later on, I assigned a DHCP scope to the LAN interface of 10.0.1.10–10.0.1.245.

  • Note: the device you are using to manage Proxmox and the pfSense VM will likely be on a different network/subnet than 10.0.1.0/24, meaning it is not possible to access the webGUI from it. In my case, I spun up a quick Ubuntu Linux VM first, and assigned it an IP in the DHCP scope, enabling me to reach the webGUI at https://10.0.1.1 in the browser. Seen below, 115 (FW-Mgmt) is the Ubuntu Linux VM I used to manage pfSense and reach the webGUI. Be sure to assign it the appropriate vmbr# so that it can receive an IP in the same subnet as pfSense.

After reaching the pfSense GUI from this client located on the “LAN” network, complete the general setup wizard. There’s nothing too complicated in there, except you may want to rename your host from “pfsense” to a more unique name for your domain. We also want to uncheck the setting for DNS Server Override.

Then, from the top menu, go to Interfaces –> Assignments. On this page, you will be able to create additional interfaces for the other network segments you intend to include in your homelab. That said, we first need to add the network devices to pfSense in Proxmox.

pfSense VM –> Hardware –> Add dropdown –> Network Device

Here, select each of the bridges you plan to include (those comments come in handy, eh?), with no need to fill in other information. To simplify the install, I turn off the firewall in the network device settings of Proxmox, as I will be configuring firewall rules in pfSense for these networks.

My final hardware settings for pfSense.

webGUI interface assignments

Here, I created four additional interface assignments for the Corp_Env, Attack_Net, SOC, and Py_Dev network segments, and I renamed the LAN interface to Mgmt.

Note: We’ll discuss OpenVPN later on. You can omit it for now.

Initial firewall rules

By default, pfSense has an implicit deny rule in effect, meaning it will not allow anything to pass through unless you grant it explicit permission to do so. As such, unless we make some brief changes, we won’t be able to access the internet. To simplify troubleshooting at this stage (this is the first interface we’re setting up), I created two extremely simple firewall rules for this interface that allow any IPv4 or IPv6 traffic from the interface over any port out to any interface. While this is not a long-term solution or a secure setup, especially in a production environment and/or public-facing network, it is fine to get us up and running. We’ll be circling back to shore up these rules momentarily.

The basic FW rules needed to gain internet access. At this point, your FW-Mgmt VM should be able to reach the internet and ping either IPs (e.g., 8.8.8.8) or fully-qualified domain names (FQDNs; e.g., news.com).
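Because the allow-any rules above are meant to be temporary, it helps to have a way to find them again once the lab grows. The following is an added example, not part of the original post: it scans the filter section of a pfSense config.xml backup for enabled pass rules with no protocol, port, or destination restriction. The embedded XML is a constructed sample, and the element names (filter/rule, type, disabled, protocol, destination/any, destination/port) are assumptions about the backup layout that you should confirm against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <filter> section of a pfSense config.xml
# backup. "lan"/"opt1"/"opt2" stand in for pfSense's internal interface keys
# (a renamed LAN such as Mgmt is assumed to keep the key "lan").
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>TEMP allow IPv4 any</descr></rule>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>TEMP allow IPv6 any</descr></rule>
  <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol><source><network>opt1</network></source>
    <destination><any/><port>443</port></destination>
    <descr>HTTPS out</descr></rule>
  <rule><type>pass</type><disabled/><interface>opt2</interface>
    <source><any/></source><destination><any/></destination>
    <descr>old test rule</descr></rule>
</filter></pfsense>"""

def find_any_any_rules(config_xml):
    """Return (interface, ipprotocol, descr) for each enabled pass rule that
    allows any protocol on any port to any destination."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        # Skip block/reject rules and rules that are switched off.
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue
        dest = rule.find("destination")
        any_dest = dest is not None and dest.find("any") is not None
        no_port = dest is None or dest.find("port") is None
        any_proto = rule.find("protocol") is None  # assumed: absent = any protocol
        if any_dest and no_port and any_proto:
            findings.append((rule.findtext("interface"),
                             rule.findtext("ipprotocol", default="inet"),
                             rule.findtext("descr", default="")))
    return findings

if __name__ == "__main__":
    for iface, family, descr in find_any_any_rules(SAMPLE_CONFIG):
        print(f"{iface} ({family}): unrestricted pass rule: {descr}")
```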

DHCP server configuration

At this point, I wanted to adjust the DHCP Server settings for my various interfaces. Before the new interfaces would show up in the pfSense webGUI, however, pfSense itself needed a reboot. You can do this through Proxmox or through pfSense’s console view. During the reboot, pfSense required a few minutes to configure the new interfaces I had just added. Once pfSense was fully booted, the IPs it automatically assigned required modification. You can follow the same steps we used above while configuring LAN/MGMT: assign a static IP, enable DHCP, set your DHCP scope.

Note: If you are assigned an IP outside your intended network (10.x.x.x), as SOC was above, confirm you assigned the right network device in Proxmox. The above image is an example of what you don’t want your config to look like.

This is what we’re aiming for. Again, no need to worry about OpenVPN at this point.

Next, I configured the DHCP server settings through the pfSense webGUI. To reach it, go to the DHCP server page under Services –> DHCP Server. You can see all the interfaces you added now, with individual DHCP server settings for each network interface. This allows you to select certain interfaces where you would like to have pfSense serve as the DHCP Server. At this point, the DHCP server has been enabled on all five of our network interfaces, with DHCP scopes assigned for each.
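With five interfaces and five DHCP scopes, it is easy to miss a segment that landed outside 10.x.x.x or that overlaps the home network the lab is supposed to be isolated from. The following is an added example, not part of the original post, that checks an addressing plan for those mistakes. Only the Mgmt row (10.0.1.1, scope 10.0.1.10–10.0.1.245) comes from the article; the other rows, the /24 masks, and the 192.168.1.0/24 home LAN are constructed assumptions, with SOC deliberately misassigned.

```python
import ipaddress

# Constructed plan: (interface address, DHCP scope start, DHCP scope end).
# Only Mgmt matches the article; everything else is an assumed sample value.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network
LAB_RANGE = ipaddress.ip_network("10.0.0.0/8")      # the intended 10.x.x.x space
PLAN = {
    "Mgmt":       ("10.0.1.1/24", "10.0.1.10", "10.0.1.245"),
    "Corp_Env":   ("10.0.2.1/24", "10.0.2.10", "10.0.2.245"),
    "Attack_Net": ("10.0.3.1/24", "10.0.3.10", "10.0.3.245"),
    "SOC":        ("192.168.1.50/24", "192.168.1.60", "192.168.1.90"),  # wrong bridge
}

def check_plan(plan, home_lan=HOME_LAN, lab_range=LAB_RANGE):
    """Return a list of (interface, problem); an empty list means the plan is consistent."""
    problems = []
    seen = []
    for name, (cidr, start, end) in plan.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if not net.subnet_of(lab_range):
            problems.append((name, f"{net} is outside {lab_range}"))
        if net.overlaps(home_lan):
            # Lab DHCP answering on the home subnet is the leak the article warns about.
            problems.append((name, f"{net} overlaps home LAN {home_lan}"))
        if lo not in net or hi not in net or lo > hi:
            problems.append((name, "DHCP scope is not inside the subnet"))
        elif lo <= iface.ip <= hi:
            problems.append((name, "DHCP scope contains the interface address"))
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append((name, f"{net} overlaps {other_name}"))
        seen.append((name, net))
    return problems

if __name__ == "__main__":
    for name, problem in check_plan(PLAN):
        print(f"{name}: {problem}")
```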

Ultimately, I won’t be using pfSense as the DHCP server on the Corp_Env interface. Instead, for the next step in my homelab build, I created the core components of a corporate environment: a Windows Server instance (configured as an Active Directory Domain Controller for DHCP and DNS) and a Windows 10 Enterprise desktop client. After building this corporate environment, I insulated it with a concise yet secure firewall ruleset.

Now that pfSense is configured, it’s time to shift focus to the individual networks we’re planning to use. In the next post, I’ll discuss how to set up and configure firewall rules for a Corporate Environment subnet.

References:

pfSense
