Setting Up and Configuring pfSense Firewall for Network Segmentation & Security
Welcome to the second installment of my series on creating a home lab for cybersecurity and networking projects! If you’re passionate about cybersecurity and eager to gain hands-on experience, a home lab is an invaluable resource. It allows you to experiment, learn, and develop your skills in a controlled environment. This series of posts will walk you through various projects and setups, starting with the essential foundation: setting up and configuring a pfSense firewall for network segmentation and security.
Introduction to My Home Lab
Creating a home lab for cybersecurity and networking projects involves several crucial steps, each with its own methodology and rationale. The goal of this first post is to guide you through the process of setting up a pfSense firewall, which will serve as the cornerstone of our network infrastructure. The pfSense firewall will enable network segmentation and provide enhanced security, creating a robust environment for all our future projects.
Network Diagram and Intentions
The lab is designed with several primary segments:
LAN 0 (Management and Administration):
- Purpose: General management and administration tasks.
- Devices: Kali Linux for both management and penetration testing.
CYBER_RANGE (Vulnerability Testing):
- Purpose: Vulnerability testing and exploitation practice.
- Devices: Metasploitable, Chronos 1, DVWA.
SECURITY (Logging and Monitoring):
- Purpose: Security monitoring and analysis.
- Devices: Tsurugi Linux, Splunk, Security Onion.
AD_LAB (Active Directory):
- Purpose: Active Directory domain environment for testing and learning.
- Devices: Windows Server 2019 (Domain Controller), Windows 10 Enterprise configured with Sysmon and Atomic Red Team for endpoint security and attack simulations.
ISOLATED (Malware Analysis):
- Purpose: Malware analysis and reverse engineering.
- Devices: Flare VM, REMnux.
Downloading and Preparing pfSense
To begin with, I needed a reliable firewall solution that could handle network segmentation effectively. I chose pfSense due to its robust feature set and open-source nature. Here’s how I got started:
- Download the pfSense ISO File:
- Visit the pfSense Download Page, select the appropriate version and architecture for your system, and download the ISO installer image.
Creating the pfSense Virtual Machine
Next, I created a virtual machine (VM) in VirtualBox. Here’s the process:
- Create VM:
- Open VirtualBox, click on Tools -> New, and configure the VM:
- Name: pfSense
- Type: BSD
- Version: FreeBSD (64-bit)
- Memory: 2048MB (2GB)
- Hard Disk: 20GB dynamically allocated VDI
- Attach the downloaded pfSense ISO image to the VM to ensure it boots from the ISO file.
Configuring Network Adapters
Proper network segmentation required setting up multiple network adapters for the pfSense VM:
- Adapter 1 (WAN): Attached to a NAT Network for external connectivity.
- Adapter 2 (LAN 0): Attached to an Internal Network for general management and administration.
- Adapter 3 (CYBER_RANGE): Attached to an Internal Network for vulnerability testing.
- Adapter 4 (AD_LAB): Attached to an Internal Network for the Active Directory network.
- Adapter 5 (ISOLATED): Attached to an Internal Network for isolated malware analysis.
- Adapter 6 (SECURITY): Attached to an Internal Network for security monitoring.
This configuration allowed me to create distinct network segments, each serving a specific purpose within the lab.
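The same VM and six-adapter layout built from the command line rather than the VirtualBox GUI, as an added example that is not part of the original post. It produces the VBoxManage command sequence in dry-run form and only executes it when execute=True is passed. The ISO and VDI paths are placeholders, and the NAT network name NatNetwork and the internal network names are assumptions (VirtualBox accepts any names; pfSense will see the adapters as vtnet0 through vtnet5 in this order).

```python
"""Generate (and optionally run) the VBoxManage commands for the pfSense lab VM."""
import subprocess
from typing import List

VM = "pfSense"
ISO = "/path/to/pfSense-CE-installer.iso"  # placeholder: the downloaded installer image
DISK = "/path/to/pfSense.vdi"              # placeholder: where the 20 GB VDI should live
NAT_NETWORK = "NatNetwork"                 # assumed name of the VirtualBox NAT network

# Adapter order from the post; adapter 1 is WAN, the rest are internal networks.
ADAPTERS = ["WAN", "LAN0", "CYBER_RANGE", "AD_LAB", "ISOLATED", "SECURITY"]


def vboxmanage_commands(vm: str = VM, iso: str = ISO, disk: str = DISK,
                        adapters: List[str] = ADAPTERS) -> List[List[str]]:
    """Return the argv lists, in order, that reproduce the post's VM settings."""
    cmds = [
        # Type BSD / Version FreeBSD (64-bit)
        ["VBoxManage", "createvm", "--name", vm, "--ostype", "FreeBSD_64", "--register"],
        # 2048 MB RAM, boot from the installer DVD first, then the disk
        ["VBoxManage", "modifyvm", vm, "--memory", "2048", "--boot1", "dvd", "--boot2", "disk"],
        # 20 GB dynamically allocated VDI (size is given in MB)
        ["VBoxManage", "createmedium", "disk", "--filename", disk, "--size", "20480",
         "--format", "VDI", "--variant", "Standard"],
        ["VBoxManage", "storagectl", vm, "--name", "SATA", "--add", "sata"],
        ["VBoxManage", "storageattach", vm, "--storagectl", "SATA", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", disk],
        # Attach the ISO so the VM boots the installer
        ["VBoxManage", "storagectl", vm, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", vm, "--storagectl", "IDE", "--port", "0",
         "--device", "0", "--type", "dvddrive", "--medium", iso],
    ]
    # Adapter 1 on the NAT network (WAN); adapters 2..6 on internal networks named
    # after the segment. The CLI is not limited to the four adapters the GUI shows.
    nic = ["VBoxManage", "modifyvm", vm, "--nic1", "natnetwork", "--nat-network1", NAT_NETWORK]
    for index, name in enumerate(adapters[1:], start=2):
        nic += [f"--nic{index}", "intnet", f"--intnet{index}", name]
    cmds.append(nic)
    return cmds


def run(cmds: List[List[str]], execute: bool = False) -> int:
    """Print every command; run them only when execute is True. Returns the count."""
    for cmd in cmds:
        print(" ".join(cmd))
        if execute:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    run(vboxmanage_commands())  # dry run: shows what would be executed
```

Review the printed commands first, then call run(vboxmanage_commands(), execute=True) once the placeholder paths point at real files; a failed VBoxManage call raises because of check=True rather than silently continuing.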
Installing and Initial Setup of pfSense
I then proceeded with the installation and initial setup of pfSense:
1. Install pfSense:
- Start the VM, follow the on-screen prompts to install pfSense, and configure the network interfaces:
- WAN: vtnet0
- LAN 0: vtnet1
- CYBER_RANGE: vtnet2
- AD_LAB: vtnet3
- ISOLATED: vtnet4
- SECURITY: vtnet5
2. Access the Web Interface:
- Open a browser on the host machine and navigate to http://10.0.0.1 (LAN 0 IP address) to access the pfSense web interface.
- Follow the setup wizard to configure basic settings such as the hostname, domain, primary DNS, and time zone.
Interface and Firewall Configuration
Configuring the WAN and LAN interfaces was essential for defining clear network boundaries and ensuring proper traffic flow:
- WAN Interface: Received an IP address from the VirtualBox DHCP.
- LAN Interfaces: Assigned static IP addresses:
- LAN 0 (vtnet1): 10.0.0.1/24
- CYBER_RANGE (vtnet2): 10.6.6.1/24
- AD_LAB (vtnet3): 10.80.80.1/24
- ISOLATED (vtnet4): 10.99.99.1/24
- SECURITY (vtnet5): 10.10.10.1/24
Configuring Firewall Rules and NAT
Setting up firewall rules and NAT settings was crucial for controlling traffic between network segments and ensuring security. Here’s a breakdown of the firewall rules I configured:
1. Allow traffic from LAN 0 to CYBER_RANGE:
- Purpose: Ensure management and attacker VMs in LAN 0 can communicate with monitoring tools in CYBER_RANGE.
- Source: LAN 0 net
- Destination: CYBER_RANGE net
2. Allow traffic from CYBER_RANGE to LAN 0:
- Purpose: Allow monitoring tools in CYBER_RANGE to receive data from devices in LAN 0.
- Source: CYBER_RANGE net
- Destination: LAN 0 net
3. Allow traffic from LAN 0 to AD_LAB:
- Purpose: Permit administrative access to the Active Directory network from LAN 0.
- Source: LAN 0 net
- Destination: AD_LAB net
4. Allow traffic from AD_LAB to LAN 0:
- Purpose: Allow domain controller communications and Windows hosts in AD_LAB to interact with management devices in LAN 0.
- Source: AD_LAB net
- Destination: LAN 0 net
5. Allow traffic from LAN 0 to SECURITY:
- Purpose: Permit administrative access to the security network from LAN 0.
- Source: LAN 0 net
- Destination: SECURITY net
6. Allow traffic from SECURITY to LAN 0:
- Purpose: Allow security devices in the SECURITY network to communicate with management devices in LAN 0.
- Source: SECURITY net
- Destination: LAN 0 net
7. Block traffic between CYBER_RANGE and AD_LAB:
- Purpose: Maintain network segmentation and prevent potential attacks.
- Source: CYBER_RANGE net
- Destination: AD_LAB net
- Action: Block
8. Block traffic between CYBER_RANGE and SECURITY:
- Purpose: Maintain network segmentation and prevent potential attacks.
- Source: CYBER_RANGE net
- Destination: SECURITY net
- Action: Block
9. Allow traffic from ISOLATED to SECURITY:
- Purpose: Enable malware analysis tools in the ISOLATED network to send logs to SECURITY tools for further inspection.
- Source: ISOLATED net
- Destination: SECURITY net
10. Allow SSH traffic from ISOLATED to SECURITY (Tsurugi Linux):
- Purpose: Allow SSH access from ISOLATED network to SECURITY network for managing DFIR VM.
- Source: ISOLATED net
- Destination: 10.10.10.2 (Tsurugi Linux)
- Port: SSH (22)
11. Allow traffic from CYBER_RANGE to internet:
- Purpose: Allow devices in the CYBER_RANGE to access the internet.
- Source: CYBER_RANGE net
- Destination: WAN net
12. Allow traffic from CYBER_RANGE to Splunk (SECURITY):
- Purpose: Enable logging from CYBER_RANGE to Splunk in SECURITY network.
- Source: CYBER_RANGE net
- Destination: 10.10.10.13 (Splunk)
13. Block traffic from ISOLATED to WAN:
- Purpose: Prevent ISOLATED network from accessing the internet.
- Source: ISOLATED net
- Destination: WAN net
- Action: Block
14. Allow traffic from AD_LAB to Splunk (SECURITY):
- Purpose: Enable logging from AD_LAB to Splunk in SECURITY network.
- Source: AD_LAB net
- Destination: 10.10.10.13 (Splunk)
15. Block traffic from SECURITY to LAN:
- Purpose: Prevent SECURITY network from accessing LAN resources.
- Source: SECURITY net
- Destination: LAN net
- Action: Block
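pfSense evaluates rules on the interface a packet arrives on, top to bottom, and the first match wins; anything unmatched is dropped by the implicit default deny. The script below, an added example that is not part of the original post, places the fifteen rules above on their source interfaces in the listed order, decides sample flows the way pfSense would, and flags rules that can never match because an earlier rule on the same interface already covers them. Assumptions: the WAN subnet is 10.0.2.0/24 (the VirtualBox NAT network default; the post does not state it), "LAN net" in rule 15 is read as LAN 0, and the installer's default "allow LAN to any" rule is not modelled. One caveat the simulator makes visible: in pfSense, "WAN net" matches only the WAN interface's own subnet, not the internet, so an internet-bound allow rule normally uses destination "any" placed below the block rules.

```python
"""First-match simulator for the post's per-interface pfSense rule set."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface subnets from the post; the WAN subnet is an assumption.
NETS = {
    "LAN 0": ipaddress.ip_network("10.0.0.0/24"),
    "CYBER_RANGE": ipaddress.ip_network("10.6.6.0/24"),
    "AD_LAB": ipaddress.ip_network("10.80.80.0/24"),
    "ISOLATED": ipaddress.ip_network("10.99.99.0/24"),
    "SECURITY": ipaddress.ip_network("10.10.10.0/24"),
    "WAN": ipaddress.ip_network("10.0.2.0/24"),  # assumed VirtualBox NAT network
}


@dataclass(frozen=True)
class Rule:
    num: int                    # numbering from the post
    iface: str                  # interface the packet enters; rules are evaluated there
    action: str                 # "pass" or "block"
    src: str                    # "<NAME> net"
    dst: str                    # "<NAME> net", a single host address, or "any"
    port: Optional[int] = None  # destination port, None means any


# The post's rules, in the order listed, each on its ingress (source) interface.
RULES = [
    Rule(1, "LAN 0", "pass", "LAN 0 net", "CYBER_RANGE net"),
    Rule(2, "CYBER_RANGE", "pass", "CYBER_RANGE net", "LAN 0 net"),
    Rule(3, "LAN 0", "pass", "LAN 0 net", "AD_LAB net"),
    Rule(4, "AD_LAB", "pass", "AD_LAB net", "LAN 0 net"),
    Rule(5, "LAN 0", "pass", "LAN 0 net", "SECURITY net"),
    Rule(6, "SECURITY", "pass", "SECURITY net", "LAN 0 net"),
    Rule(7, "CYBER_RANGE", "block", "CYBER_RANGE net", "AD_LAB net"),
    Rule(8, "CYBER_RANGE", "block", "CYBER_RANGE net", "SECURITY net"),
    Rule(9, "ISOLATED", "pass", "ISOLATED net", "SECURITY net"),
    Rule(10, "ISOLATED", "pass", "ISOLATED net", "10.10.10.2", 22),
    Rule(11, "CYBER_RANGE", "pass", "CYBER_RANGE net", "WAN net"),
    Rule(12, "CYBER_RANGE", "pass", "CYBER_RANGE net", "10.10.10.13"),
    Rule(13, "ISOLATED", "block", "ISOLATED net", "WAN net"),
    Rule(14, "AD_LAB", "pass", "AD_LAB net", "10.10.10.13"),
    Rule(15, "SECURITY", "block", "SECURITY net", "LAN 0 net"),  # "LAN net" read as LAN 0
]


def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec.endswith(" net"):
        return addr in NETS[spec[:-4]]
    return addr == ipaddress.ip_address(spec)


def decide(rules: List[Rule], iface: str, src: str, dst: str,
           port: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number) for a flow entering `iface`;
    no match means the implicit default deny: ("block", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and _matches(r.src, s) and _matches(r.dst, d) \
                and r.port in (None, port):
            return r.action, r.num
    return "block", None


def _covers(spec_a: str, spec_b: str) -> bool:
    """True if every address matching spec_b also matches spec_a."""
    if spec_a == "any":
        return True
    if spec_b == "any":
        return False
    net_a = NETS[spec_a[:-4]] if spec_a.endswith(" net") else None
    if spec_b.endswith(" net"):
        return net_a is not None and NETS[spec_b[:-4]].subnet_of(net_a)
    host_b = ipaddress.ip_address(spec_b)
    return host_b in net_a if net_a is not None else host_b == ipaddress.ip_address(spec_a)


def shadowed(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule on the same
    interface covers every flow they describe (worst when the actions differ)."""
    out = []
    for i, b in enumerate(rules):
        for a in rules[:i]:
            if a.iface == b.iface and _covers(a.src, b.src) and _covers(a.dst, b.dst) \
                    and a.port in (None, b.port):
                out.append(b.num)
                break
    return out


def move_before(rules: List[Rule], num: int, before_num: int) -> List[Rule]:
    """Copy of `rules` with rule `num` placed directly ahead of rule `before_num`."""
    moved = next(r for r in rules if r.num == num)
    rest = [r for r in rules if r.num != num]
    idx = next(i for i, r in enumerate(rest) if r.num == before_num)
    return rest[:idx] + [moved] + rest[idx:]


# Corrected order: the Splunk allow (12) must sit above the SECURITY block (8).
FIXED = move_before(RULES, 12, 8)
```

Running shadowed(RULES) on the post's order reports rules 10, 12 and 15: rule 10 is harmless (rule 9 already passes all of ISOLATED to SECURITY), but rule 12 sits below rule 8, so CYBER_RANGE hosts never reach Splunk at 10.10.10.13, and rule 15 sits below rule 6, so it never blocks anything. decide(RULES, "CYBER_RANGE", "10.6.6.20", "8.8.8.8", 443) also returns the default deny rather than rule 11, which is the "WAN net" caveat from the lead-in.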
DHCP Services
Enabling DHCP services on LAN 0 and CYBER_RANGE provided IP addresses to devices on these networks, facilitating connectivity and management. The DHCP ranges were set as follows:
Configure LAN Interface:
- IPv4 Address: 10.0.0.1
- Subnet Mask: 24
- Enable DHCP Server: Yes
- DHCP Range: 10.0.0.10–10.0.0.243
Configure CYBER_RANGE Interface (OPT1):
- IPv4 Address: 10.6.6.1
- Subnet Mask: 24
- Enable DHCP Server: Yes
- DHCP Range: 10.6.6.11–10.6.6.243
Now, devices on LAN 0 and CYBER_RANGE automatically receive IP addresses within the specified ranges, ensuring network connectivity and efficient management.
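A small check for the two DHCP pools above, as an added example that is not part of the original post: it confirms each pool lies inside the interface's subnet, excludes the interface address and the network and broadcast addresses, and does not overlap any statically assigned hosts on that segment. The static-host case uses a constructed SECURITY pool for illustration; the post enables DHCP only on LAN 0 and CYBER_RANGE.

```python
"""Validate DHCP pool boundaries against the interface they are served from."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Interface address and DHCP range as configured in the post.
POOLS = {
    "LAN 0": ("10.0.0.1/24", ("10.0.0.10", "10.0.0.243")),
    "CYBER_RANGE": ("10.6.6.1/24", ("10.6.6.11", "10.6.6.243")),
}


def check_pool(address: str, pool: Tuple[str, str],
               static: Iterable[str] = ()) -> Tuple[List[str], int]:
    """Return (problems, number of addresses in the pool).
    `static` lists hand-assigned hosts on the segment that DHCP must not reuse."""
    iface = ipaddress.ip_interface(address)
    net = iface.network
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    problems: List[str] = []
    if lo > hi:
        return [f"pool start {lo} is after pool end {hi}"], 0
    for bound in (lo, hi):
        if bound not in net:
            problems.append(f"{bound} is outside {net}")
    if lo <= iface.ip <= hi:
        problems.append(f"pool includes the interface address {iface.ip}")
    for reserved in (net.network_address, net.broadcast_address):
        if lo <= reserved <= hi:
            problems.append(f"pool includes the reserved address {reserved}")
    for host in static:
        host_addr = ipaddress.ip_address(host)
        if lo <= host_addr <= hi:
            problems.append(f"static host {host_addr} lies inside the pool")
    return problems, int(hi) - int(lo) + 1


def check_all(pools: Dict[str, Tuple[str, Tuple[str, str]]] = POOLS) -> Dict[str, Tuple[List[str], int]]:
    """Check every configured pool; an empty problem list means the pool is sound."""
    return {name: check_pool(addr, rng) for name, (addr, rng) in pools.items()}


if __name__ == "__main__":
    for name, (problems, size) in check_all().items():
        print(name, size, "addresses", "OK" if not problems else problems)
```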
By carefully planning and configuring the pfSense firewall, I achieved a robust and segmented network environment. This setup enhances security and provides a structured framework for further experimentation and learning in cybersecurity. Stay tuned for the next post in this series, where I’ll delve into additional configurations and projects within this home lab setup. Additionally, I’ll include an extra post on how to add additional VirtualBox interfaces for the home lab, since VirtualBox only accepts four adapters when we need six. Happy networking!