Create a pfSense Firewall for Our Proxmox Lab

In this module, we will look at setting up a pfSense firewall VM in Proxmox to segment our home lab network.
ℹ️
This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click here to be taken back to the project home page.

Previous Step

Getting to Know Proxmox
In this module, we will take a look at some basic tasks and the core areas of the Proxmox web front end.





System Setup

pfSense is a modern, easy-to-use, and modular router and firewall. It will act as the gateway and firewall to an internal network that will primarily house our vulnerable infrastructure and security related infrastructure.

Netgate now requires users to create an account and provide personal information before downloading the pfSense CE ISO images, which I am not thrilled to see.

I understand that this is a mitigation strategy to combat piracy of their pfSense Plus software by third-party firewall appliance vendors (among other reasons). That said, I will show you a way to download the file whilst protecting your privacy.

Download pfSense CE ISO

The Netgate Way

Download pfSense Community Edition
pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more
  1. Click Download.
  2. Choose AMD64 ISO and click ADD TO CART.
  3. Click on Create an Account.

Temp Mail - Disposable Temporary Email
Keep spam out of your mail and stay safe - just use a disposable temporary email address! Protect your personal email address from spam with Temp-mail

Go here to get a temporary email address for the email requirement.

quackr: Free Temporary Phone Numbers for Verification | Receive SMS Online for OTP
Protect your privacy & identity with quackr. Use our free temporary phone numbers for SMS verification and receive SMS now. Phone Numbers from USA, UK, India & more.

Go here to get a temporary number for the phone requirement.

  4. Fill out the forms with junk data and your disposable email address.
  5. Click Complete order.
  6. Proceed to download the ISO file.



The Google Way

Search Google for: site:*.netgate.com download -site:forum.netgate.com -site:docs.netgate.com -inurl:blog -site:www.netgate.com -site:shop.netgate.com -site:forums.netgate.com -site:info.netgate.com
Index of /mirror/downloads/

Download the latest version here -- e.g. pfSense-CE-2.7.2-RELEASE-amd64.iso.gz



Extracting the ISO Image

7-Zip

Download an archive handler such as 7-Zip or similar and extract the downloaded .gz archive.

The extracted .iso file is the one you will upload to Proxmox in the next step.



Upload the ISO to Proxmox

Upload the ISO file to Proxmox and create a VM with this hardware configuration:

ℹ️
This VM has two network interfaces: net0 and net1.

Create the VM first then add the second adapter afterward. If you need a refresher on uploading ISOs and creating VMs, refer back to this post:

Getting to Know Proxmox
In this module, we will take a look at some basic tasks and the core areas of the Proxmox web front end.




Give your pfSense VM a Static DHCP Reservation

ℹ️
Note the MAC Address of net0. This is the WAN interface on your pfSense VM. It is going to ask your home router for a DHCP address.

We want the WAN IP address of the pfSense VM to stay the same every time it reboots.

  1. Log into your home router and give the pfSense WAN MAC address a static IP address.
  2. If your home IP address space is 192.168.1.0/24, give pfSense an IP of 192.168.1.2. If your address space is 172.16.1.0/24, give pfSense an IP of 172.16.1.2. Something like this.




Double Check the Options

Before you boot the pfSense VM, check its options in Proxmox and make sure they match the following.

The VM name can be different; the other options are what matter.

Start the pfSense VM and double-click it to open the noVNC console.





Install pfSense and Initial Setup

Power on the VM and let the auto-start load the installer.





Configure VLANs

At the beginning of the guide, when we first installed Proxmox, we set up some Open vSwitch bridges and defined some VLANs on the vmbr1 bridge. In order for VLANs to function, both the switch and the router need to be aware of the VLANs.

  1. Should VLANs be setup now [y|n]
    • Enter Y
    • Enter vtnet1 (vtnet1 is the LAN interface)
      • Enter tag 666
    • Enter vtnet1 (again)
      • Enter 999
    • Press Enter to complete the VLAN setup
  2. Enter the WAN interface name
    • Enter vtnet0
  3. Enter the LAN interface
    • Enter vtnet1
  4. Enter the Optional 1 interface
    • Enter vtnet1.666
  5. Enter the Optional 2 interface
    • Enter vtnet1.999
  6. Do you want to proceed?
    • Enter Y
    • Wait for additional setup steps to complete
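The VLAN steps above configure the router side of the tags that were defined on vmbr1 earlier; the point of the section is that the switch side and the router side must agree on every tag. As an added example (not code from the original post, nor from Proxmox or pfSense), the POSIX shell helpers below generate, for each tag, the stanza that Proxmox's Create > OVS IntPort dialog writes to /etc/network/interfaces together with the matching pfSense sub-interface name, after validating the tags. vmbr1, vtnet1 and tags 666 and 999 are the post's own; the vlan<TAG> IntPort naming, the bare OVSBridge stanza for vmbr1 and the OPT numbering are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: keep the switch side (Proxmox /
# Open vSwitch) and the router side (pfSense) of a VLAN plan in agreement.
# vmbr1, vtnet1 and tags 666/999 come from the post; the "vlan<TAG>" IntPort
# naming and the OPT numbering are assumptions made for this example.

# valid_vlan_tag TAG: 802.1Q tags are 12 bits wide; 0 and 4095 are reserved
# and 1 is the default (untagged) VLAN, so accept 2-4094 only.
valid_vlan_tag() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# pfsense_subif PARENT TAG: the sub-interface name pfSense builds for a VLAN
# on PARENT, e.g. vtnet1.666 (what the installer asks for as "Optional 1").
pfsense_subif() {
    valid_vlan_tag "$2" || return 1
    echo "$1.$2"
}

# ovs_intport_stanza BRIDGE TAG: /etc/network/interfaces stanza equivalent to
# the "Create > OVS IntPort" dialog. "inet manual" because the Proxmox host
# itself gets no address on the VLAN; pfSense is the gateway for it.
ovs_intport_stanza() {
    valid_vlan_tag "$2" || return 1
    printf 'auto vlan%s\niface vlan%s inet manual\n' "$2" "$2"
    printf '\tovs_type OVSIntPort\n\tovs_bridge %s\n\tovs_options tag=%s\n' "$1" "$2"
}

# vlan_plan BRIDGE PARENT TAG...: print the bridge stanza (its ovs_ports line
# must list every IntPort), one IntPort stanza per tag, and the router-side
# interface names. Refuses duplicate or out-of-range tags before printing.
vlan_plan() {
    bridge=$1; parent=$2; shift 2
    seen=" "
    for tag in "$@"; do
        valid_vlan_tag "$tag" || { echo "invalid VLAN tag: $tag" >&2; return 1; }
        case $seen in *" $tag "*) echo "duplicate VLAN tag: $tag" >&2; return 1 ;; esac
        seen="$seen$tag "
    done
    ports=""
    for tag in "$@"; do ports="$ports vlan$tag"; done
    printf 'auto %s\niface %s inet manual\n\tovs_type OVSBridge\n\tovs_ports%s\n\n' "$bridge" "$bridge" "$ports"
    n=1
    for tag in "$@"; do
        ovs_intport_stanza "$bridge" "$tag"
        echo "# pfSense: assign $(pfsense_subif "$parent" "$tag") as OPT$n"
        echo
        n=$((n + 1))
    done
}

vlan_plan vmbr1 vtnet1 666 999
```

Run it on any machine with sh and compare the output against /etc/network/interfaces on the Proxmox node and the Interfaces > Assignments page in pfSense. If vmbr1 already carries other ports, they must stay on the ovs_ports line; the helper only prints the IntPorts it was given.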

You can read more about VLANs here:

How Do VLANs Work? Exploring the 802.1q Protocol
In this post, I cover the 802.1q protocol and the concept of VLANs




Configuring Interface IP Address Ranges

Now, we are going to configure each interface and sub-interface with IP address spaces for clients on each LAN. Choose 2) Set interface(s) IP address.

  • Enter 2 (LAN)
    • Configure IPv4 address LAN interface via DHCP? (y/n)
      • Enter N
    • Enter the new LAN IPv4 address
      • 10.0.0.1
      • Enter 24 (the subnet mask as a bit count)
      • Press Enter at the upstream gateway prompt (none for a LAN)
    • Configure IPv6 address LAN interface via DHCP6? (y/n)
      • Enter N
    • Enter the new LAN IPv6 address. Press Enter for none:
      • Press Enter
    • Do you want to enable the DHCP server on LAN? (y/n)
      • Enter Y
      • Start of range: 10.0.0.11
      • End of range: 10.0.0.244
    • Do you want to revert to HTTP?
      • Enter N
    • Press Enter to complete

Choose 2) Set interface(s) IP address again.

  • Enter 3 (OPT1)
    • Configure IPv4 address OPT1 interface via DHCP? (y/n)
      • Enter N
    • Enter the new OPT1 IPv4 address
      • 10.6.6.1
      • Enter 24 (the subnet mask as a bit count)
      • Press Enter at the upstream gateway prompt (none for a LAN)
    • Configure IPv6 address OPT1 interface via DHCP6? (y/n)
      • Enter N
    • Enter the new OPT1 IPv6 address. Press Enter for none:
      • Press Enter
    • Do you want to enable the DHCP server on OPT1? (y/n)
      • Enter Y
      • Start of range: 10.6.6.11
      • End of range: 10.6.6.244
    • Do you want to revert to HTTP?
      • Enter N
    • Press Enter to complete

Choose 2) Set interface(s) IP address yet again.

  • Enter 4 (OPT2)
    • Configure IPv4 address OPT2 interface via DHCP? (y/n)
      • Enter N
    • Enter the new OPT2 IPv4 address
      • 10.9.9.1
      • Enter 24 (the subnet mask as a bit count)
      • Press Enter at the upstream gateway prompt (none for a LAN)
    • Configure IPv6 address OPT2 interface via DHCP6? (y/n)
      • Enter N
    • Enter the new OPT2 IPv6 address. Press Enter for none:
      • Press Enter
    • Do you want to enable the DHCP server on OPT2? (y/n)
      • Enter Y
      • Start of range: 10.9.9.11
      • End of range: 10.9.9.244
    • Do you want to revert to HTTP?
      • Enter N
    • Press Enter to complete




Configuring the System Settings

We can now configure the rest of the setup through the web GUI. However, if you try to log in to pfSense at its WAN IP address, the connection will fail.

This is because pfSense blocks WAN access to the web console by default. That is a good thing when pfSense sits at the edge of your network: you wouldn't want anybody on the internet to be able to reach the login page of your home router.

In our case, though, the IP address on the WAN port is a private address inside the home network, which is not reachable from the internet without some workarounds. So it is perfectly safe to open the WAN port to our home network.





Allowing Access to the Web Console from the WAN

Enter option 8 to open a system shell on pfSense. Then run this command to disable the packet filter; we need to do this at first so the web console can be reached from the WAN side.

pfctl -d




Logging in and Setting Up

Open up your web browser and go to https://pfsense-ip-address. You may get a security warning about an untrusted certificate. Disregard and continue.

The default login for the web console is:

  • Username: admin
  • Password: pfsense




Hostname and Domain

Click Next > Next. Set the hostname and domain.

  • Hostname: pfSense-sec
  • Domain: cyber.range




DNS Settings

You can specify DNS servers here. The Override DNS box tells pfSense to use DNS settings from your home router. If you want to use the DNS settings from your home router, check this box and leave the DNS server boxes empty.





NTP Server

Click Next. Select an NTP server. Click Next.





Configure the WAN Interface

Set the type to DHCP.

  • DHCP Hostname: pfSense-sec

Uncheck the box: Block RFC1918 Private Networks, as we want to allow private IP addresses through to the WAN interface.





Configure the LAN Interface

Skip this part





Wrapping Up

Change the admin password. Click Next > Reload > Finish.





Permanent Access via WAN IP

Disable the Firewall Again

After the initial setup, the firewall re-enables itself. We need to disable it one more time, so we can create some firewall rules in the GUI.

Go back to your pfSense system shell and run this command:

pfctl -d

If the web GUI stalls, you probably have an asymmetric routing issue (covered later in this post). For now, go to the pfSense system shell and run these commands to bounce the WAN interface:

ifconfig vtnet0 down
ifconfig vtnet0 up

You should now be able to log into pfSense again.





Add a WAN Rule

Go to Firewall > Rules > WAN

Click Add

Click Save and Apply Changes





Finalize System Setup

Disable Hardware Checksum Offloading

Go to System > Advanced

Go to the Networking tab. Check the box: Disable hardware checksum offloading. Reboot the VM when prompted.





Rename the Optional Interfaces

Go to Interface > Assignments

Then, click on each interface shown below and change their descriptions accordingly.

OPT1

Click Save and Apply Changes

OPT2

Click Save and Apply Changes





Set up Firewall Rules

Create Firewall Aliases

Go to Firewall > Aliases

Create an Alias for RFC1918

This alias will be used in some future firewall rules to reference all private IPv4 address spaces.

Click Add





Create an Alias for Kali

Just create this for now, even though we haven't created a Kali VM yet. We are going to assign a static DHCP reservation for Kali later.

Click Add

Click Save and Apply Changes





WAN Firewall Rules

Go to Firewall > Rules > WAN

💡
You don't need to click Apply Changes until all of your rules have been configured.

Allow Home Network to Internal LAN

We want to allow our home network to reach the LAN where Kali is going to sit. That way you can SSH or open a remote desktop session to your Kali VM.

Click Add

Click Save and Apply Changes





WAN Desired End State





LAN Firewall Rules

No changes necessary. Leave it as-is.





SEC_EGRESS Rules

Allow Packets to Local Gateway

Packets need to be able to reach the default gateway in order to reach the internet. This rule has to come first because pfSense applies the first matching rule on an interface, and a few rules down we will be blocking all RFC1918 addresses.

Click Add

Click Save





Allow Packets to Kali VM

Click Add

Click Save





Allow Packets to Internet (Non-Private Addresses)

Click Add

Click Save.





Block Everything Else

Click Add

Click Save.





SEC_EGRESS Desired End State





SEC_ISOLATED Rules

Allow SEC_ISOLATED DNS Lookups

Click Add

Click Save. No need to apply changes yet.



Allow SEC_ISOLATED LAN to Kali VM

Click Add

Click Save.





Block Everything Else

Click Add

Click Save.





SEC_ISOLATED Desired End State





FLOATING Rules

ℹ️
Floating rules are a firewall area where you can craft a rule or set of rules that will apply to one or many interfaces. I typically keep my rules organized under each interface, but in special circumstances, it just makes more sense to use a floating rule, so we don't have to create the same rule on multiple interfaces.

Add the Port Alias

Go to Firewall > Aliases
Click on Ports
Click Add
Fill out accordingly and click Save



Add the Separators

Go to Firewall > Rules
Choose Floating
Click this button to add a separator
Click 'Save'
Click this button to add another separator
Click 'Save'
You should have two separators where we're going to sandwich some rules
Click the 'Save' button at the bottom



Block Logins to the Firewall

Add a rule
Use the CTRL button and select multiple interfaces
💡
We choose SEC_EGRESS and SEC_ISOLATED here, as we don't want these subnets to be able to reach the firewall login ports. We choose 'in' for the direction, as the traffic is going into the firewall interface from the hosts.
Click Save and Apply Changes



FLOATING Rules Desired End State

Drag and drop items to re-order, then click Save and Apply Changes
🛑
Keep in mind that as you move through the Proxmox lab, you'll create additional interfaces where you don't want hosts to reach the firewall login. In that case, just come back here, edit the rules, and add the interface name to the list.
ℹ️
The reason we've created these rules is that we have (or will have) some subnets that are allowed to access the internet, but not allowed to access private IP addresses. In order for these subnets to get to the internet, they need to be able to reach the gateway address. We don't — however — want them to be able to reach the login ports of the firewall.





Configure the DNS Resolver Service

Go to Services > DNS Resolver

Check both of these boxes

⚠️
Note: Jan 1, 2024
Netgate is pushing people to the Kea DHCP daemon, as they're deprecating the ISC DHCP daemon. If you opt to move to the Kea DHCP daemon, these options will not be available.

You will need to switch back to ISC DHCP, make your desired selections, then switch back to Kea DHCP.

https://www.reddit.com/r/PFSENSE/comments/17z1u6f/dhcp_registration_on_dns_resolver/

Go to Advanced Settings

Verify your settings match:





Adding Additional VLANs to the Cyber Range

As you grow your lab, you may find yourself wanting to add additional VLANs to your cyber range network. Fortunately, with pfSense and Open vSwitch, the process couldn’t be easier.

Go to your Proxmox node > Network





Add a VLAN to VMBR1 in Proxmox

Select vmbr1 and click Create > OVS IntPort. Fill out the fields like this:

Adding a test VLAN 345

We are indicating that if we attach a container or VM to the switch vmbr1 – and we tag it with the VLAN ID of 345 – pfSense should route it through its intended VLAN.

Click Apply Configuration





Add the VLAN to pfSense

Log into pfSense and go to Interfaces > Assignments.

Click on VLANs

Click Add. Fill out the fields like this:

vtnet1 is the LAN interface. We are saying that 345 is a sub-interface of this interface. vtnet1 is the parent. Click Save.

Go to Interface Assignments

Click Add next to the newly added sub-interface.

Click Save. You should now see an OPT# interface. Click on the OPT# interface name.





Configure the Interface

You can use whatever private IP address range you want. This is just an example. You need to specify the IPv4 address of the gateway – not the network. That’s why I entered 192.168.10.1/24 and not 192.168.10.0/24.

Scroll to the bottom. Check the box Block bogon networks. Click Save and Apply Changes.





Configure the DHCP Server

Go to Services > DHCP Server > TEST_NETWORK

Enable the DHCP server on this interface. Set the range to whatever you wish. I will be entering: 192.168.10.11 -- 192.168.10.244.

Click Save and Apply Changes.





Add Some Firewall Rules

In pfSense, go to Firewall > Rules > TEST_NETWORK
There are not going to be any rules by default (except if you’re blocking bogon nets).

It's up to you how you want to configure your firewall rules and routes.

  • Do you want this VLAN to have Internet access?
  • Which other LANs should it be allowed to talk to?
  • Do you want to route to it from your WAN?




Recommended: Configuring Static Routes

Why Add Static Routes?

If you look at the network diagram for the lab, you'll note a couple of things:

  • The home router's network is 172.16.1.0/24
  • The laptop acting as an SSH/RDP client is addressed at 172.16.1.110/24

The question then is: if 172.16.1.110 is trying to reach 10.0.0.2, which is behind the pfSense VM, how is it going to get there?

  • Being on the 172.16.1.0/24 network, it has no means of reaching 10.0.0.2 as a neighbor
  • Hosts on the 172.16.1.0/24 network can't just magically become aware of how to get traffic to the 10.0.0.0/24 network



Where to Add Static Routes

Global Static Routes (Router)

If you configure the static route on the router, the route becomes available to any host that uses the router as its gateway.

  • In this situation, if 172.16.1.110 tries to send a packet to 10.0.0.2, the destination IP is in a foreign subnet, so 172.16.1.110 sends the packet to its default gateway on the router, 172.16.1.1, for assistance moving the packet
    • Once the home router receives the packet, then what?
      • Does the home router have any knowledge of the 10.0.0.0/24 network? No, not yet at least.
      • That's why we need to log into the home router and add the static route(s) to tell it how to get to that network
💡
And, when we add the static route, what is the doorway into the network where 10.0.0.2 lives?
  • That would be the pfSense VM WAN IP
    • The WAN interface on pfSense is plugged into vmbr0, as is the home router
      • The home router receives the packet from 172.16.1.110 addressed to 10.0.0.2 and sends it to the pfSense WAN IP in accordance with the static route
      • The home router and the pfSense VM manage the conversation between them



Local Static Routes (Host)

If you configure the static route locally on the host, for example on a laptop like 172.16.1.110, then only that host knows about the route.

  • In this situation, 172.16.1.110 is connected to the wireless network and is on the same subnet as the pfSense WAN IP
  • We alter the routing table on 172.16.1.110 and add a static route locally that says: if a packet is destined for 10.0.0.0/24, send it to the pfSense WAN IP
  • Again, 172.16.1.110 is the only host that knows this, since we've only added the route locally
  • If we send a packet to 10.0.0.2, 172.16.1.110 sends it directly to the pfSense WAN IP without the router's assistance, since it knows where to send it



How to Add Static Routes

Router (Global)

⚠️
This is specific to each device! Consult your router’s manual for advice on configuring static routes in your own device

Log into your router with the administrative credentials and navigate to the interface for configuring static routes

Example 1:

  • Destination: 10.0.0.0/24
  • Gateway: [pfSense WAN IP address]
  • Description: Route to pfSense internal LAN

Example 2:

  • Destination: 10.80.80.0
  • Subnet Mask: 255.255.255.0 (same as /24)
  • Gateway: [pfSense WAN IP address]
  • Description: Route to pfSense internal AD subnet



Laptop (Local)

⚠️
This example is going to be done on a Windows laptop, but you should be able to get the idea and find enough information on Google to complete the steps on any other operating system

Example 1

Open the Start menu, search for PowerShell, and open it as administrator.

Get-NetIPConfiguration

Showing the interface details for the 172.16.1.0/24 configuration on my laptop

$destinationNet = '10.0.0.0/24'
$pfsenseWanIP = '172.16.1.3'
New-NetRoute -DestinationPrefix $destinationNet -NextHop $pfsenseWanIP -InterfaceIndex 28 -RouteMetric 2

  • NextHop is the next router that will receive the packet for routing
  • InterfaceIndex is 28 in accordance with the IP configuration screenshot above, since that's the interface that will be transmitting the packet to 10.0.0.2
  • RouteMetric is 2, as a smaller number here indicates a higher priority

This route does not persist across reboots, so the next time you reboot your computer you need to run this command again. If you want to automate this, you can research running a PowerShell script from Task Scheduler at certain triggers or intervals.



Configure pfSense VM

💡
You don’t need a static route on the pfSense side. A route back into your home network already exists in pfSense’s routing table via the WAN interface.

However, you will need to create some firewall rules to allow the traffic from your home network into the pfSense internal LANs.

WAN Firewall Rules

Allow WAN subnet to LAN

Click "Add"
Click Save when finished



Allow WAN Subnet to AD LAB

Click Save when finished



Resolving Packet Loss

⚠️
I was losing an incredible number of packets between my personal computer and my Kali VM behind the virtual pfSense as a result of asymmetric routing, due to my home pfSense router not being able to track the TCP state of asymmetric packets and dropping the connection.

If your home router is a stateful firewall — it probably is — you should strongly heed the advice linked in the article just below.

  • Click System > Advanced
  • Click the Firewall/NAT tab
  • Check Bypass firewall rules for traffic on the same interface
  • Click Save
Routing — Static Routes | pfSense Documentation
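The static route discussion above, the "Allow Packets to Local Gateway" rule under SEC_EGRESS (which must precede the RFC1918 block) and the asymmetric routing warning share one underlying idea: what happens to a packet depends on ordered matching. As an added example, not code from the original post or from pfSense, the POSIX shell script below models both: first-match evaluation of the SEC_EGRESS rules, and longest-prefix routing across the lab's nodes so the forward and return paths between the laptop and Kali can be compared. The home LAN 172.16.1.0/24, the laptop 172.16.1.110, the pfSense WAN IP 172.16.1.3 and the LAN 10.0.0.0/24 come from the post; the Kali address 10.0.0.2, the assumption that SEC_EGRESS is OPT1 with gateway 10.6.6.1, and the node names and routing tables are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a small IPv4 routing and
# first-match rule simulator for the lab. 172.16.1.0/24, 172.16.1.110,
# 172.16.1.3 (pfSense WAN), 10.0.0.0/24 and the SEC_EGRESS rule order are
# the post's own; 10.0.0.2 (Kali), SEC_EGRESS = OPT1 (gateway 10.6.6.1)
# and the node names/routing tables are constructed for this example.

# ip2int DOTTED_QUAD: 32-bit integer value of an IPv4 address
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP PREFIX: succeeds when IP lies inside PREFIX (e.g. 10.0.0.0/24)
in_cidr() {
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_rfc1918 IP: the three private ranges the post's RFC1918 alias covers
is_rfc1918() {
    in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# Part 1: SEC_EGRESS rules in the post's order. pfSense applies the first
# matching interface rule, so the gateway and Kali allows must sit above
# the final block that catches the rest of the RFC1918 space.
SEC_EGRESS_RULES="pass host 10.6.6.1
pass host 10.0.0.2
pass not-rfc1918
block any"

# egress_verdict DST: "pass" or "block" for a packet leaving SEC_EGRESS for DST
egress_verdict() {
    dst=$1
    while read -r action matcher arg; do
        case $matcher in
            host)        if [ "$dst" = "$arg" ]; then echo "$action"; return 0; fi ;;
            not-rfc1918) if ! is_rfc1918 "$dst"; then echo "$action"; return 0; fi ;;
            any)         echo "$action"; return 0 ;;
        esac
    done <<EOF
$SEC_EGRESS_RULES
EOF
    echo block   # pfSense's implicit default deny
}

# Part 2: routing. A table holds "PREFIX NEXTHOP" lines, NEXTHOP being
# "direct" for a connected network; the longest matching prefix wins,
# so a /24 static route beats the /0 default route.
next_hop() {
    routes=$1; dst=$2; best=-1; hop=unreachable
    while read -r prefix via; do
        [ -z "$prefix" ] && continue
        plen=${prefix#*/}
        if in_cidr "$dst" "$prefix" && [ "$plen" -gt "$best" ]; then
            best=$plen; hop=$via
        fi
    done <<EOF
$routes
EOF
    echo "$hop"
}

# Routing tables of the lab nodes (constructed). "laptop" has only its
# default route; "laptop_local" is the same laptop after the post's
# New-NetRoute command added 10.0.0.0/24 via the pfSense WAN IP.
routes_of() {
    case $1 in
        laptop)       printf '%s\n' "172.16.1.0/24 direct" "0.0.0.0/0 172.16.1.1" ;;
        laptop_local) printf '%s\n' "172.16.1.0/24 direct" "10.0.0.0/24 172.16.1.3" "0.0.0.0/0 172.16.1.1" ;;
        home_router)  printf '%s\n' "172.16.1.0/24 direct" "10.0.0.0/24 172.16.1.3" ;;
        pfsense)      printf '%s\n' "172.16.1.0/24 direct" "10.0.0.0/24 direct" "0.0.0.0/0 172.16.1.1" ;;
        kali)         printf '%s\n' "10.0.0.0/24 direct" "0.0.0.0/0 10.0.0.1" ;;
    esac
}

# node_at ADDRESS: which lab node answers for a next-hop address
node_at() { case $1 in 172.16.1.1) echo home_router ;; 172.16.1.3|10.0.0.1) echo pfsense ;; esac; }

# trace NODE DST: the nodes a packet crosses until it is delivered on-link
trace() {
    node=$1; dst=$2; path=$1
    while :; do
        hop=$(next_hop "$(routes_of "$node")" "$dst")
        case $hop in
            direct)      echo "$path"; return 0 ;;
            unreachable) echo "$path unreachable"; return 1 ;;
        esac
        node=$(node_at "$hop"); path="$path $node"
    done
}

trace laptop 10.0.0.2          # laptop home_router pfsense
trace kali 172.16.1.110        # kali pfsense
trace laptop_local 10.0.0.2    # laptop_local pfsense
egress_verdict 10.6.6.1        # pass
egress_verdict 10.9.9.5        # block
```

With the home router's global static route, the forward path is laptop to home router to pfSense, but the reply is Kali to pfSense to laptop, so a stateful home router sees only one half of the TCP conversation; that is the asymmetry behind the packet loss above. With the laptop's local route, both directions stay between the laptop and pfSense. Floating rules and pfSense's quick/non-quick ordering are not modeled here.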





Next Step

Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the Proxmox Lab
In this module, we will take a look at the process setting up a comprehensive Wazuh SIEM, including a NIDS and some HIDS agents, in our Proxmox home lab.