Building a Cybersecurity Purple Team Home Lab — Part Two

If you haven’t read Part One of this home lab build, click here.

Varun Belani
Cyber Logos
7 min read · Apr 23, 2024


Picture generated from deepai.org

This article was significantly updated on 6/23/2024.

Changes:

  • Edits to the pfSense networking configuration
  • Updated most screenshots for accuracy of lab setup
  • Updated OpenVPN configuration instructions

pfSense — Routing and Switching

Now that we have networking set up on the Proxmox hypervisor, we move on to the pfSense virtual machine for the routing and switching configuration.

Download the pfSense Community Edition ISO: https://www.pfsense.org/download/

Upload the ISO to the local hypervisor image database.

The pfSense configuration that works for my home lab may have different requirements for your home lab due to your hardware constraints. I used almost 10GB of RAM because pfSense gets overloaded easily due to six subnets constantly communicating with it.

When configuring the pfSense networking, make sure the VLAN numbers and subnets match what we configured on the Proxmox PVE hypervisor.

Recap on the networking configuration done on the Proxmox PVE network tab

The pfSense hardware networking configuration requires the WAN bridge (vmbr0) that we configured in part one for Internet connectivity. We need to add the SPAN/Mirrored bridge (vmbr1) as well. vmbr1 VLANs from 10 to 40 also need to be included.

pfSense networking configuration on Proxmox GUI

Here is the network map from Part 1 as a refresher:

Network Map of the Home Lab created on draw.io

Start the pfSense VM and take a look at the console. The picture below is my final interface and address configuration. I’ll run you through some of the steps I took.

Let’s take a look at the network map so I can better explain the router configuration.

The red box in the image above is our focus right now. Each VLAN, being its own network, requires an interface address on the pfSense side. VLAN 1.10 has the subnet 10.0.1.0/24, so its interface address on the pfSense router is 10.0.1.1/24. This is repeated on all the pfSense VLAN interfaces that follow.

pfSense interface configuration

The blue box in the configuration above has Internet access and is dynamically assigned by my home router using DHCP. When running through setup, say “yes” to assign vtnet0 to DHCP. The interface addresses in the red box are static IP addresses assigned to the vmbr1 VLAN interfaces (vtnet1–5).

WAN interface setup and IP assignment:

You should end up with a DHCP assigned address to your WAN interface.

LAN interface assignments:

You will be asked “Should VLANs be set up first?”; say no, since we have already set up the VLANs on the Proxmox hypervisor through vmbr1.

Your interface assignments should look like the picture below. In my final interface configuration there is also ovpns1, which is the VPN used to access the lab.

LAN interface IP addressing

Repeat the above process for vtnet interfaces 1–5.

Next, login to the Web Configurator at your DHCP assigned address on vtnet0. The default credentials are username: admin and password: pfsense.

If you have trouble connecting to the pfSense Web Configurator, disable the pfSense firewall. No firewall rules are set up by default, so these interfaces have a deny-all in place to prevent unauthorized logins.

One of my subnets (AD_Victim) has dual-stack addressing, which means that the interface uses both IPv4 and IPv6. This is my Active Directory network, which I want to perform attacks on. Some cyber attacks require IPv6, which is why I have it enabled, to get a realistic practice scenario. Here is my configuration for that subnet:

Note above that the IPv4 configuration type is static, not DHCP. Why is that? I’ve run into issues setting IPv4 to DHCP within the Interfaces tab; I’ve noticed that if I make the interface static, I am then able to configure DHCP for that subnet on that interface.

Firewall Rules

Firewall rules are annoying to set up, and can cause a lot of issues with routing and switching. Honestly, I’m not good at setting up firewall rules on pfSense, so take my firewall rule recommendations with a grain of salt. Regardless, I will share my firewall rules so they may be of some help, and hopefully you won’t have to suffer as much figuring it out by yourself. You may not even need firewall rules on every interface, since you may have a completely different lab build. Note: I may be prone to errors in my firewall rules. Please let me know in the comments if you notice a flaw in my pfSense rule logic and I will fix and update this article ASAP.

WAN Firewall Rules

WAN interface (vtnet0) firewall rules

LAN Firewall Rules

LAN interface (vtnet1) firewall rules

LAMP Webserver Firewall Rules

Blue Team Firewall Rules

Malware Analysis Firewall Rules

Active Directory Firewall Rules

OpenVPN Firewall Rules

Essentially, the WAN rule set requires a deny-all on incoming traffic (v4 and v6), since many malicious web crawlers and bots are scanning the Internet for public-facing vulnerabilities. I left UDP 1194 open for OpenVPN access. There is also a rule allowing admin access from the 192.168.0.0/24 subnet, which is my private subnet, to the administrative ports (22, 80, 443, etc.).

The umbrella LAN interface allows DNS queries and ICMP probes (for troubleshooting) within its network. Additionally, these rules allow remote admin access, allow all LAN traffic outbound everywhere, and allow all OpenVPN traffic onto the LAN. Finally, any other traffic from the LAN not matching these rules is dropped.

The individual LAN rules (webserver, blue team, malware analysis, etc.) are mostly the same: an allow rule from that subnet to everywhere else on all ports, and a second rule allowing OpenVPN connections into that LAN.

For the Active Directory firewall rules, all IPv4 and IPv6 traffic needs to be allowed outbound. The OpenVPN subnet rule accounts for both IPv4 and IPv6 traffic.
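To sanity-check a rule set like the one described above before trusting it, it helps to write the policy down as ordered rules and run sample packets through it. The following is an added example (not code from the article or from pfSense) that models the WAN, LAN and OpenVPN rule sets as first-match lists, the way pfSense evaluates interface rules (rules match traffic arriving on that interface, the first match wins, and anything unmatched hits the implicit default deny). The 192.168.0.0/24 admin subnet, UDP 1194 and 10.0.1.0/24 come from the article; the OpenVPN tunnel subnet 10.8.0.0/24, the 10.0.0.0/16 summary of the lab VLANs, and the sample packet addresses are assumptions made for illustration.

```python
"""Model the home-lab pfSense rule sets as ordered first-match lists.

Added example, not the article's or pfSense's own code. pfSense applies an
interface's rules to traffic ENTERING the firewall on that interface, first
match wins, and unmatched traffic is dropped by the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrives on
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str = ANY
    src: str = ANY           # CIDR or ANY
    dst: str = ANY
    dports: Tuple[int, ...] = ()   # empty tuple means any destination port
    note: str = ""


def _in_net(addr: str, net: str) -> bool:
    # Works for IPv4 and IPv6 alike, which matters for the dual-stack AD subnet.
    return net == ANY or ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule on the ingress interface."""
    for rule in rules.get(pkt.iface, []):
        if rule_matches(rule, pkt):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Values from the article: admin subnet, OpenVPN port, first lab VLAN subnet.
ADMIN_NET = "192.168.0.0/24"
LAN_NET = "10.0.1.0/24"
ADMIN_PORTS = (22, 80, 443)
# Assumptions for illustration: tunnel subnet and a summary of all lab VLANs.
OPENVPN_NET = "10.8.0.0/24"
LAB_NETS = "10.0.0.0/16"

RULES: Dict[str, List[Rule]] = {
    "WAN": [
        Rule("pass", "udp", ANY, ANY, (1194,), "OpenVPN"),
        Rule("pass", "tcp", ADMIN_NET, ANY, ADMIN_PORTS, "admin from private subnet"),
        Rule("block", note="deny all inbound (v4 and v6)"),
    ],
    "LAN": [
        Rule("pass", "udp", LAN_NET, ANY, (53,), "DNS"),
        Rule("pass", "icmp", LAN_NET, ANY, note="ICMP for troubleshooting"),
        Rule("pass", "tcp", ADMIN_NET, ANY, ADMIN_PORTS, "remote admin"),
        Rule("pass", ANY, LAN_NET, ANY, note="LAN outbound anywhere"),
        Rule("block", note="drop everything else"),
    ],
    # OpenVPN-to-LAN traffic arrives on the OpenVPN interface, so that is
    # where the allow rule takes effect.
    "OPENVPN": [
        Rule("pass", ANY, OPENVPN_NET, LAB_NETS, note="OpenVPN into lab subnets"),
    ],
}


def trace(rules: Dict[str, List[Rule]], pkts: List[Packet]) -> List[str]:
    """Human-readable verdict per sample packet."""
    out = []
    for p in pkts:
        action, note = evaluate(rules, p)
        port = "" if p.dport is None else f":{p.dport}"
        out.append(f"{p.iface:8} {p.proto:4} {p.src} -> {p.dst}{port}  {action.upper()} ({note})")
    return out


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("WAN", "udp", "203.0.113.5", "198.51.100.7", 1194),
        Packet("WAN", "tcp", "203.0.113.5", "198.51.100.7", 443),
        Packet("LAN", "udp", "10.0.1.50", "10.0.1.1", 53),
        Packet("LAN", "tcp", "10.0.9.9", "10.0.1.1", 80),
        Packet("OPENVPN", "tcp", "10.8.0.2", "10.0.1.10", 3389),
    ]
    print("\n".join(trace(RULES, samples)))
```

Running the script prints a verdict line per sample; the useful cases to look at are the ones that hit the explicit deny on WAN and the "drop everything else" rule on LAN for a source address that does not belong to that subnet.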

VPN Access to Lab

Setup the OpenVPN Server

When you click “Add”, follow the specifications in the picture above, if you want to.

Client Export

I prefer the “Inline configurations” option because I can just import the .ovpn file into my OpenVPN client, which makes it more portable.

Once you connect with the OpenVPN configuration, you should be able to ping all your subnet gateways (router interfaces).

This is a good sign!
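The gateway ping check is worth scripting so it can be repeated every time the VPN or the firewall rules change. The following is an added example (not code from the article) that derives each pfSense interface address from its VLAN subnet, pings it over the tunnel and lists the VLANs that did not answer. Only the VLAN 10 / 10.0.1.0/24 pairing is from the article; the 10.0.2.0/24 through 10.0.4.0/24 subnets for VLANs 20 to 40 are an assumption that the same pattern continues, and the pinger assumes a Linux `ping` binary.

```python
"""Check that every lab VLAN gateway answers ping after connecting to OpenVPN.

Added example, not the article's code. VLAN 10 -> 10.0.1.0/24 is from the
article; the remaining subnets are an assumed continuation of that pattern.
"""
import subprocess
from ipaddress import ip_network
from typing import Callable, Dict, List, Tuple

# Constructed VLAN-to-subnet plan (assumption: 10.0.<n>.0/24 for VLAN <n>0).
VLAN_SUBNETS: Dict[int, str] = {
    10: "10.0.1.0/24",
    20: "10.0.2.0/24",
    30: "10.0.3.0/24",
    40: "10.0.4.0/24",
}


def gateways_for(vlan_subnets: Dict[int, str]) -> List[Tuple[int, str]]:
    """The pfSense interface address is the first usable host of each subnet
    (10.0.1.0/24 -> 10.0.1.1), matching the convention in the article."""
    return [(vlan, str(ip_network(cidr)[1])) for vlan, cidr in sorted(vlan_subnets.items())]


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo using the Linux ping binary (-c count, -W timeout seconds)."""
    try:
        proc = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 2,
        )
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def check_gateways(vlan_subnets: Dict[int, str],
                   pinger: Callable[[str], bool] = ping_once) -> Dict[int, Tuple[str, bool]]:
    """Map VLAN id -> (gateway address, reachable?). The pinger is injectable
    so the logic can be exercised without a live tunnel."""
    return {vlan: (gw, pinger(gw)) for vlan, gw in gateways_for(vlan_subnets)}


def unreachable(results: Dict[int, Tuple[str, bool]]) -> List[int]:
    """VLAN ids whose gateway gave no reply, sorted for stable output."""
    return sorted(vlan for vlan, (_, ok) in results.items() if not ok)


if __name__ == "__main__":
    res = check_gateways(VLAN_SUBNETS)
    for vlan, (gw, ok) in res.items():
        print(f"VLAN {vlan:>3}  {gw:<15} {'reachable' if ok else 'NO REPLY'}")
    missing = unreachable(res)
    if missing:
        print(f"no reply from VLAN(s) {missing}: check the OpenVPN pushed routes "
              "and the OpenVPN/LAN firewall rules for those subnets")
    else:
        print("all gateways reachable")
```

A gateway that does not answer usually points at one of two things the article covers: the OpenVPN server is not pushing a route for that subnet, or the interface rules drop the OpenVPN traffic before it reaches the pfSense address.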

Note: this OpenVPN subnet will be used as a launching pad for our attack paths and administration of the LAB.

Next time we will set up the Security Onion IDS to sniff on vmbr1 and get started with security monitoring. Access Part three here.

If you found this article helpful and want to support me in my content creation then buy me a coffee!
