Configuring the pfSense Firewall for Our VMware Lab

In this module, we will log into the pfSense web portal and configure firewall rules for our VMware Workstation lab using our Kali VM.
ℹ️
This page is part of a larger series on building a cybersecurity lab using VMware Workstation Pro. Click here to be taken back to the project home page.

Previous Step

Importing Kali Using the Official VMware Image
In this module, we will look at the process of importing the pre-packaged Kali VM for VMware directly from the official source.



Log into the Web Portal

In this step, we'll be using the Kali Linux VM to configure the pfSense firewall for the lab. Kali is currently configured with the IP address 10.0.0.11. We can log into the firewall by going to the subnet's default gateway address, which in this case is 10.0.0.1.

Open up web browser on your Kali Linux VM and navigate to https://10.0.0.1.

Click Advanced to continue past the browser's warning about pfSense's self-signed certificate.

The default credentials are:

  • Username: admin
  • Password: pfsense

Click Next on the first two pages of the setup wizard, then work through the remaining pages:

  • Set the local domain to cyber.range
  • Leave the NTP server at the default
  • Allow private IPv4 addresses on the WAN interface, since this pfSense VM sits behind NAT
  • Leave the LAN configuration as it is; we already configured it earlier
  • Set a new admin password, click Next, and reload the configuration



Configure the Interfaces

Isolated Interface

Choose OPT1

Set the Description to Isolated. Scroll down and click Save and Apply Changes.



AD_LAB Interface

Choose OPT2

Set the Description to AD_LAB. Scroll down and click Save and Apply Changes.



Optimize the DNS Resolver

Go to Services > DNS Resolver

Check these boxes, then click Save and Apply Changes.

⚠️
Note: Jan 1, 2024
Netgate is pushing people to the Kea DHCP daemon, as they're deprecating the ISC DHCP daemon. If you opt to move to the Kea DHCP daemon, these options will not be available.

You will need to switch back to ISC DHCP, make your desired selections, then switch back to Kea DHCP.

https://redmine.pfsense.org/issues/14972#:~:text=Seems%20like%20it%20is%20already,Reactivate%20KEA
Check these boxes and click "Save"

Still under DNS Resolver, go to Advanced Settings. Check both of these boxes, then click Save and Apply Changes.



Give Kali a Static DHCP Lease

Go to Status > DHCP Leases

Click on the button to add a static mapping
Set the IP address to 10.0.0.2



Configure the Firewall Rules

Create an Alias for RFC1918

This alias will be used in some future firewall rules to reference all private IPv4 address spaces.

Go to Firewall > Aliases

Click Add

Click Save



Create an Alias for Kali

Click Add

Click Save and Apply Changes



LAN

Click on Firewall > Rules

Click on LAN.

Add a rule

  • Action: Block
  • Interface: LAN
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: WAN subnets
  • Description: Block access to any on same network as host OS
  • Click Save



LAN Desired End-State

ℹ️
If you're missing the Block bogon networks rule, it's not entirely necessary on LAN interfaces. But if you wish to enable it, go to Interfaces > LAN, then scroll to the bottom and check the box for Block bogon networks. Then, save and apply your changes and it should automatically be applied to the rules table.



ISOLATED

Click on ISOLATED

Add a rule

  • Action: Pass
  • Interface: Isolated
  • Address Family: IPv4
  • Protocol: UDP
  • Source: ISOLATED subnets
  • Destination: ISOLATED address
  • Destination Port Range:
    • From: DNS (53)
    • To: DNS (53)
  • Description: Allow DNS lookups to the default gateway
  • Click Save

Add a rule

  • Action: Pass
  • Interface: Isolated
  • Address Family: IPv4
  • Protocol: Any
  • Source: ISOLATED subnets
  • Destination: Address or alias = Kali
  • Description: Allow packets to Kali VM
  • Click Save

Final Isolated rule

  • Action: Block
  • Interface: Isolated
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: Any
  • Description: Block access to everything
  • Click Save



ISOLATED Desired End-State



AD_LAB

Click on AD_LAB

Add a rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = RFC1918 (check Invert match)
  7. Description: Allow packets to any non-private address
  8. Click Save
⚠️
Note: On its own, this rule only passes traffic to non-private addresses; together with the Block everything else rule at the bottom of the list, it effectively blocks traffic to any private IP address. As you'll see just below, we'll add another rule above this one to allow traffic to Kali, which is aliased to 10.0.0.2.

Moving forward, if there are additional private IPv4 addresses you want your AD_LAB hosts to be able to talk to, you'll need to place the firewall rules above this one, as rules are evaluated from top to bottom.

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = Kali
  7. Description: Allow packets to Kali VM
  8. Click Save

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: AD_LAB address
  7. Description: Allow packets to default gateway
  8. Click Save

Final AD lab rule

  1. Action: Block
  2. Interface: AD_LAB
  3. Address Family: IPv4 + IPv6
  4. Protocol: Any
  5. Source: Any
  6. Destination: Any
  7. Description: Block everything else
  8. Click Save



AD_LAB Desired End-State

💡
Remember, the rules are processed from top to bottom. The Kali rule is above the RFC1918 rule, as having the rule below it would prevent the traffic from reaching Kali.

If you put Kali on the same subnet as the rest of the AD hosts, the firewall rules don't really matter, since the packets are switched locally on the same network.



FLOATING Rules

ℹ️
Floating rules are a firewall area where you can craft a rule or set of rules that will apply to one or many interfaces. I typically keep my rules organized under each interface, but in special circumstances, it just makes more sense to use a floating rule, so we don't have to create the same rule on multiple interfaces.

Add the Port Alias

Go to Firewall > Aliases
Click on Ports
Click Add
Fill out accordingly and click Save



Add the Whitelist Alias

Making an IP alias
Click Add
Fill out accordingly and click save



Add the Separators

Go to Firewall > Rules
Choose Floating
Click this button to add a separator
Click 'Save'
Click this button to add another separator
Click 'Save'
You should now have two separators; the rules we add next go between them
Click the 'Save' button at the bottom



Block Logins to the Firewall

Add a rule
  • Action: Block
  • Quick:
  • Interface: Any
  • Direction: in (packets entering the pfSense interface)
  • Address Family: IPv4+IPv6
  • Protocol: TCP
💡
We set Interface to Any in this rule because we use some inverse logic when selecting the source: effectively, any address that is NOT in the WHITELIST_FIREWALL_MGMT alias we created before will be blocked by the rule.
  • Source: WHITELIST_FIREWALL_MGMT, with Invert match checked
  • Destination: the FIREWALL_MGMT port alias we created before
  • Click Save and Apply Changes



FLOATING Rules Desired End State

ℹ️
The reason we've created these rules is that we have (or will have) some subnets that are allowed to access the internet but not private IP addresses. For those subnets to reach the internet, they need to be able to reach the gateway address. We don't, however, want them to be able to reach the login ports of the firewall.
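To see how the AD_LAB rule order (the Kali, RFC1918 and gateway rules above the final block) and this floating login-block rule combine, here is an added Python simulation of pfSense's first-match evaluation; it is not code from the page or from pfSense, and the AD_LAB subnet, gateway address, whitelist contents and management ports are assumed values, since the page only shows them in screenshots.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Aliases as the guide defines them: RFC1918 is all private IPv4 space, Kali is 10.0.0.2.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
KALI = nets("10.0.0.2/32")
ANY = nets("0.0.0.0/0")
# Assumed values the page does not state: AD_LAB is 10.0.3.0/24 with pfSense at 10.0.3.1,
# WHITELIST_FIREWALL_MGMT is the 10.0.0.0/24 LAN, FIREWALL_MGMT is TCP 443 and 22, and
# the floating rule's destination is the firewall's own interface addresses.
AD_LAB_NET = nets("10.0.3.0/24")
AD_LAB_GW = nets("10.0.3.1/32")
FIREWALL_SELF = nets("10.0.0.1/32", "10.0.3.1/32")
WHITELIST_FIREWALL_MGMT = nets("10.0.0.0/24")
FIREWALL_MGMT = {443, 22}

def match(addr, alias, invert=False):
    """True when addr is in the alias, or, with Invert match ticked, when it is not."""
    return any(addr in n for n in alias) != invert

# Rule fields: action, source alias, invert source, destination alias, invert destination,
# destination ports (None = Protocol: Any).
FLOATING_QUICK = [
    ("block", WHITELIST_FIREWALL_MGMT, True, FIREWALL_SELF, False, FIREWALL_MGMT),
]
AD_LAB_RULES = [
    ("pass", AD_LAB_NET, False, KALI, False, None),
    ("pass", AD_LAB_NET, False, RFC1918, True, None),
    ("pass", AD_LAB_NET, False, AD_LAB_GW, False, None),
    ("block", ANY, False, ANY, False, None),
]

def evaluate(src, dst, dport=None, floating=FLOATING_QUICK, iface=AD_LAB_RULES):
    """First match wins: floating rules marked Quick are checked before the interface tab,
    then that tab is walked top to bottom; no match at all is pfSense's default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sa, si, da, di, ports in floating + iface:
        if match(s, sa, si) and match(d, da, di) and (ports is None or dport in ports):
            return action
    return "block"

if __name__ == "__main__":
    for flow in [("10.0.3.10", "10.0.0.2", None), ("10.0.3.10", "10.0.0.5", None),
                 ("10.0.3.10", "8.8.8.8", 443), ("10.0.3.10", "10.0.3.1", 53),
                 ("10.0.3.10", "10.0.3.1", 443)]:
        print(flow, "->", evaluate(*flow))
```

An AD_LAB host can reach Kali, the internet and DNS on its gateway, but not other private hosts or the firewall's login ports; moving the block rule to the top of the tab blocks everything, which is why placement matters.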



Make Some System Tweaks to pfSense

Go to System > Advanced

Go to Networking

Scroll down and check this box

Click Save and Apply Changes. Click Reboot and "Normal Reboot".

⚠️
Wait for pfSense to come back up before proceeding



Grab Kali's New DHCP Reservation

Log into your Kali VM and open a terminal. Run the command as pictured below.

Your IP address should now be 10.0.0.2 as configured.



Next Step

Adding Vulnhub VMs to Our VMware Cyber Range
In this module, we will look at two different ways, based on file type, to import VMs from Vulnhub into our VMware cyber range.