Create a pfSense Firewall for Our Proxmox Lab

In this module, we will look at setting up a pfSense firewall VM in Proxmox to segment our home lab network.
ℹ️
This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click here to be taken back to the project home page.


System Setup

⚠️
pfSense is acting as the NAT router and firewall for the lab environment. Therefore, pfSense will need to be the first VM to boot when running your lab hosts on vmbr1. After pfSense boots, you can start your other VMs on that switch.

Download pfSense CE ISO

Recently, Netgate started requiring users to create an account and provide personal information in order to download the pfSense CE ISO images, which I am not thrilled to see.

I understand that this is a mitigation strategy to combat piracy of their pfSense Plus software by third-party firewall appliance vendors (among other reasons). That said, I will show you a way to download the file whilst protecting your privacy.

Whenever you are building a lab – whether in the cloud or on premises – you should always plan your network first. Factor in future growth as well: it's much more difficult to change the network design later than to plan for it now.

Download pfSense Community Edition
pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more
Click Download
Choose AMD64 ISO and click ADD TO CART
Click on Create an Account
Temp Mail - Disposable Temporary Email

Go here to get a temporary email for the email requirement

quackr: Free Temporary Phone Numbers for Verification | Receive SMS Online for OTP

Go here to get a temporary number for the phone requirement

Fill it out using junk data and your disposable email
Fill it out with your junk data
Click Complete order
Proceed to download the ISO file here



Extracting the ISO Image

7-Zip

Download an archive file handler such as 7-Zip or similar

The .iso file will be stored in this folder



Upload the ISO and Create the VM

After uploading the .iso file to Proxmox, you're ready to create the VM. Refer here if you need a refresher on uploading ISOs to Proxmox.

This is either going to be the pfSense-CE or netgate-installer-amd64 ISO file
🛑
Proceed to confirm the settings, but do not start the VM yet
Click on the pfSense VM > Hardware > Add > Network Device
Add another NIC and attach it to vmbr1
Click on "Options" and verify your "Start at boot", "Start/Shutdown order", and "Boot Order" match what's shown here
🛑
Do not start the VM yet



Give your pfSense VM a Static DHCP Reservation

ℹ️
Note the MAC Address of net0. This is the WAN interface on your pfSense VM. It is going to ask your home router for a DHCP address.

We want the WAN IP address of the pfSense VM to stay the same every time it reboots.

  1. Log into your home router and give the pfSense WAN MAC Address a static IP address.
  2. If your home IP address space is 192.168.1.0/24, give pfSense an IP of 192.168.1.2. If your address space is 172.16.1.0/24, give pfSense an IP of 172.16.1.2. Something like this.
You may now start the VM





Install pfSense and Initial Setup

Power on the VM and accept
Choose "Install" and "OK"
vtnet0 is the WAN
Continue
vtnet1 is the LAN
Continue
Looks good. Continue.
Choose "Install CE"
Proceed with the defaults
OK
OK
Yes
Choose "Current Stable Release"
Be patient while the installer downloads core files and completes the installation...
When complete, continue to the next screen and choose "Reboot"



Configure VLANs

At the beginning of the guide, when we first installed Proxmox, we setup some Open vSwitch bridges and defined some VLANs on the vmbr1 bridge. In order for VLANs to function, both the switch and the router need to be aware of the VLANs.

You can read more about VLANs here if you'd like:

How Do VLANs Work? Exploring the 802.1q Protocol
In this post, I cover the 802.1q protocol and the concept of VLANs
Enter Y at the blinking cursor which is offset due to some output
Enter vtnet1 as the parent interface
Enter VLAN tag 666
Again, vtnet1 and then VLAN tag 999
That's it for now. Press "Enter" to finish configuring VLANs and you should see them listed.



Define the Interfaces

vtnet0 is the WAN
vtnet1 is the LAN
vtnet1.666 is the "Optional 1" interface
vtnet1.999 is the "Optional 2" interface
Enter y to proceed with the configuration



Configuring Interface IP Address Ranges

Now, we are going to configure each interface and sub-interface with IP address spaces for clients on each Local Area Network (LAN).

Default LAN

Choose "2) Set interface(s) IP address"

Enter 2 to configure interface 2 — LAN (vtnet1 — static)

  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter N
  • Enter the new LAN IPv4 address. Press <ENTER> for none
    • Enter 10.0.0.1
    • Enter 24 for the network mask
  • For a WAN, enter the new LAN IPv4 upstream gateway address.
    For a LAN, press <ENTER> for none:
    • Press Enter key
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter N
  • Enter the new LAN IPv6 address. Press <ENTER> for none:
    • Press Enter key
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of Range: 10.0.0.11
    • End of Range: 10.0.0.244
  • Do you want to revert to HTTP as the webConfigurator protocol? (y/n)
    • Enter N
  • Press Enter key to continue when prompted



Optional 1

Choose "2) Set interface(s) IP address"

Enter 3 to configure interface 3 — OPT1 (vtnet1.666)

  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter N
  • Enter the new LAN IPv4 address. Press <ENTER> for none
    • Enter 10.6.6.1
    • Enter 24 for the network mask
  • For a WAN, enter the new LAN IPv4 upstream gateway address.
    For a LAN, press <ENTER> for none:
    • Press Enter key
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter N
  • Enter the new LAN IPv6 address. Press <ENTER> for none:
    • Press Enter key
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of Range: 10.6.6.11
    • End of Range: 10.6.6.244
  • Do you want to revert to HTTP as the webConfigurator protocol? (y/n)
    • Enter N
  • Press Enter key to continue when prompted



Optional 2

Choose "2) Set interface(s) IP address"

Enter 4 to configure interface 4 — OPT2 (vtnet1.999)

  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter N
  • Enter the new LAN IPv4 address. Press <ENTER> for none
    • Enter 10.9.9.1
    • Enter 24 for the network mask
  • For a WAN, enter the new LAN IPv4 upstream gateway address.
    For a LAN, press <ENTER> for none:
    • Press Enter key
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter N
  • Enter the new LAN IPv6 address. Press <ENTER> for none:
    • Press Enter key
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of Range: 10.9.9.11
    • End of Range: 10.9.9.244
  • Do you want to revert to HTTP as the webConfigurator protocol? (y/n)
    • Enter N
  • Press Enter key to continue when prompted



Configuring the System Settings

We can now configure the rest of the setup through the GUI. However, if you try to log in to pfSense at the WAN IP address, it's going to fail.

This is because pfSense is blocking WAN access to the web console. This is a good thing if your pfSense router is sitting at the edge of your network. You wouldn't want anybody to be able to reach the login page of your home router from the internet.

In reality, the IP address on the WAN port is a private IP address – which is not accessible from the Internet without some workarounds. So, in this case, it's perfectly safe to open the WAN port inside our home network.



Allowing Access to the Web Console from the WAN

Enter option 8 to open a system shell on pfSense. Then, type this command to disable the firewall. We need to do this at first to allow access.

pfctl -d



Logging in and Setting Up

Open up your web browser and go to https://pfsense-ip-address. You may get a security warning about an untrusted certificate. Disregard and continue.

The default login for the web console is:

  • Username: admin
  • Password: pfsense



Hostname and Domain

Click Next > Next. Set the hostname and domain.

  • Hostname: pfSense-sec
  • Domain: cyber.range



DNS Settings

You can specify DNS servers here. The Override DNS box tells pfSense to use DNS settings from your home router. If you want to use the DNS settings from your home router, check this box and leave the DNS server boxes empty.



NTP Server

Click Next. Select an NTP server. Click Next.



Configure the WAN Interface

Select the type to DHCP

  • DHCP Hostname: pfSense-sec

Uncheck the box: Block RFC1918 Private Networks, as we want to allow private IP addresses through to the WAN interface.



Configure the LAN Interface

Skip this part



Wrapping Up

Change the admin password. Click Next > Reload > Finish.





Permanent Access via WAN IP

Disable the Firewall Again

After the initial setup, the firewall re-enables itself. We need to disable it one more time, so we can create some firewall rules in the GUI.

Go back to your pfSense system shell and run this command:

pfctl -d

If the web GUI is stalling, you probably have an asymmetric routing issue (we will cover that later). For now, go to the pfSense system shell and run these commands to restart the WAN network interface:

ifconfig vtnet0 down
ifconfig vtnet0 up

You should now be able to log into pfSense again.



Add a WAN Rule

Go to Firewall > Rules > WAN

Click Add

Click Save and Apply Changes





Finalize System Setup

Disable Hardware Checksum Offloading

Go to System > Advanced

Go to the Networking tab. Check the box: Disable hardware checksum offloading. Reboot the VM when prompted.



Rename the Optional Interfaces

Go to Interface > Assignments

Then, click on each interface shown below and change their descriptions accordingly.

OPT1

Click Save and Apply Changes

OPT2

Click Save and Apply Changes





Set up Firewall Rules

Create Firewall Aliases

Go to Firewall > Aliases

Create an Alias for RFC1918

This alias will be used in some future firewall rules to reference all private IPv4 address spaces.

Click Add



Create an Alias for Kali

Just create this for now, even though we haven't created a Kali VM yet. We are going to assign a static DHCP reservation for Kali later.

Click Add

Click Save and Apply Changes



WAN Firewall Rules

Go to Firewall > Rules > WAN

💡
You don't need to click Apply Changes until all of your rules have been configured.

Allow Home Network to Internal LAN

We want to allow our home network to reach the LAN where Kali is going to sit. That way you can ssh or open a remote desktop to your Kali VM.

Click Add

Click Save and Apply Changes



WAN Desired End State

ℹ️
The ping rule is there for debugging and not required in your environment, but you're certainly free to add it if you'd like.



LAN Firewall Rules

No changes necessary. Leave it as-is.



SEC_EGRESS Rules

Allow Packets to Local Gateway

Packets need to be able to reach the default gateway in order to reach the Internet. We have to do it this way, because we will be blocking RFC1918 addresses a few rules later.

Click Add

Click Save



Allow Packets to Kali VM

Click Add

Click Save



Allow Packets to Internet (Non-Private Addresses)

Click Add

Click Save.



Block Everything Else

Click Add

Click Save.



SEC_EGRESS Desired End State



SEC_ISOLATED Rules

Allow SEC_ISOLATED DNS Lookups

Click Add

Click Save. No need to apply changes yet.



Allow SEC_ISOLATED LAN to Kali VM

Click Add

Click Save.



Block Everything Else

Click Add

Click Save.



SEC_ISOLATED Desired End State



FLOATING Rules

ℹ️
Floating rules are a firewall area where you can craft a rule or set of rules that will apply to one or many interfaces. I typically keep my rules organized under each interface, but in special circumstances, it just makes more sense to use a floating rule, so we don't have to create the same rule on multiple interfaces.

Add the Port Alias

Go to Firewall > Aliases
Click on Ports
Click Add
Fill out accordingly and click Save



Add the Whitelist Alias

Making an IP alias
Click Add
Fill out accordingly and click save



Add the Separators

Go to Firewall > Rules
Choose Floating
Click this button to add a separator
Click 'Save'
Click this button to add another separator
Click 'Save'
You should have two separators where we're going to sandwich some rules
Click the 'Save' button at the bottom



Block Logins to the Firewall

Add a rule
  • Action: Block
  • Quick:
  • Interface: Any
  • Direction: in (packets entering the pfSense interface)
  • Address Family: IPv4+IPv6
  • Protocol: TCP
💡
We set Interface to Any in the rule because we use some inverse logic when selecting the source: effectively, any address that is NOT in the WHITELIST_FIREWALL_MGMT alias we created before will be blocked by the rule.
Destination uses the "FIREWALL_MGMT" alias we created before
Click Save and Apply Changes



FLOATING Rules Desired End State

ℹ️
The reason we've created these rules is that we have (or will have) some subnets that are allowed to access the internet, but not allowed to access private IP addresses. In order for these subnets to get to the internet, they need to be able to reach the gateway address. We don't — however — want them to be able to reach the login ports of the firewall.
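To see how the SEC_EGRESS rule order and the inverted-source floating rule interact, here is an added Python model of the two rule sets described above (example code, not from pfSense or this guide). It assumes first-match "quick" semantics, a Kali reservation of 10.0.0.2, a whitelist of 172.16.1.0/24 and 10.0.0.0/24, and login ports 22/80/443; the 10.6.6.50 client is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address aliases. RFC1918 and the three gateway addresses come from the
# guide; KALI and the management whitelist are constructed sample values.
ADDR_ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "KALI": ["10.0.0.2/32"],                                      # assumed reservation
    "WHITELIST_FIREWALL_MGMT": ["172.16.1.0/24", "10.0.0.0/24"],  # assumed
    "FIREWALL_SELF": ["10.0.0.1/32", "10.6.6.1/32", "10.9.9.1/32"],  # LAN/OPT1/OPT2
}
PORT_ALIASES = {"FIREWALL_MGMT": {22, 80, 443}}  # assumed login ports

@dataclass
class Rule:
    action: str            # "pass" or "block"
    label: str
    src: str = "any"       # alias name, CIDR, or "any"
    dst: str = "any"
    src_not: bool = False  # the "Invert match" checkbox on the source
    dst_not: bool = False  # ... and on the destination
    proto: str = "any"     # "tcp", "udp" or "any"
    dports: str = "any"    # port alias name or "any"

def _addr_hit(spec, invert, ip):
    if spec == "any":
        return True
    nets = ADDR_ALIASES.get(spec, [spec])
    return any(ip in ipaddress.ip_network(n) for n in nets) != invert

def _matches(rule, src, dst, proto, dport):
    return (_addr_hit(rule.src, rule.src_not, src)
            and _addr_hit(rule.dst, rule.dst_not, dst)
            and rule.proto in ("any", proto)
            and (rule.dports == "any" or dport in PORT_ALIASES[rule.dports]))

def evaluate(floating, iface_rules, src_ip, dst_ip, proto, dport):
    """First match wins. Floating rules run before interface rules (this
    assumes Quick is ticked on the floating rule); no match at all falls
    through to pfSense's implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in list(floating) + list(iface_rules):
        if _matches(rule, src, dst, proto, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"

# Floating rule from the guide: block TCP to the login ports from any
# source that is NOT in the whitelist (inverted source), on any interface.
FLOATING = [Rule("block", "block logins to the firewall", src="WHITELIST_FIREWALL_MGMT",
                 src_not=True, dst="FIREWALL_SELF", proto="tcp", dports="FIREWALL_MGMT")]

# SEC_EGRESS (OPT1, 10.6.6.0/24) rules in the order the guide creates them.
# The gateway rule must sit above the others: 10.6.6.1 is itself an RFC1918
# address, so without it the gateway would fall through to the final block.
SEC_EGRESS = [
    Rule("pass", "allow packets to local gateway", dst="10.6.6.1/32"),
    Rule("pass", "allow packets to Kali VM", dst="KALI"),
    Rule("pass", "allow packets to Internet (non-private)", dst="RFC1918", dst_not=True),
    Rule("block", "block everything else"),
]

if __name__ == "__main__":
    client = "10.6.6.50"  # constructed host on the SEC_EGRESS VLAN
    for dst, proto, port in [("10.6.6.1", "udp", 53), ("10.6.6.1", "tcp", 443),
                             ("10.0.0.2", "tcp", 22), ("1.1.1.1", "tcp", 443),
                             ("192.168.1.5", "tcp", 445)]:
        print(f"{client} -> {dst}:{port}/{proto}:", *evaluate(FLOATING, SEC_EGRESS, client, dst, proto, port))
```

Note that DNS to the gateway passes while HTTPS to the same gateway address is caught by the floating rule first, which is exactly the behaviour the note above asks for.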





Configure the DNS Resolver Service

Go to Services > DNS Resolver

Check both of these boxes

⚠️
Note: Jan 1, 2024
Netgate is pushing people to the Kea DHCP daemon, as they're deprecating the ISC DHCP daemon. If you opt to move to the Kea DHCP daemon, these options will not be available.

You will need to switch back to ISC DHCP, make your desired selections, then switch back to Kea DHCP.

https://redmine.pfsense.org/issues/14972#:~:text=Seems%20like%20it%20is%20already,Reactivate%20KEA

Go to Advanced Settings

Verify your settings match:





Adding Additional VLANs to the Cyber Range

As you grow your lab, you may find yourself wanting to add additional VLANs to your cyber range network. Fortunately, with pfSense and Open vSwitch, the process couldn’t be easier.

On the project home page, we already did the following:

  1. Created an SDN VLAN Zone
  2. Created a VNet and attached it to the VLAN Zone and set the VLAN tag
  3. Applied the SDN changes
⚠️
This guide was created long before SDN became available in Proxmox VE. If you previously followed the old instructions that used Classic Networking, you can follow along with my notes here to migrate your VLANs to SDN.



Trunk the New VLAN to VMBR1

All we have to do on the Proxmox side, is add another VNet and apply the changes.

  1. Go to Datacenter
    1. SDN
      1. VNets
Click "Create"
Fill out accordingly and click "Create"
Go to "SDN" > click "Apply"



Add the VLAN to pfSense

Log into pfSense and go to Interfaces > Assignments.

Click on VLANs

Click Add. Fill out the fields like this:

vtnet1 is the LAN interface. We are saying that 345 is a sub-interface of this interface. vtnet1 is the parent. Click Save.

Go to Interface Assignments

Click Add next to the newly added sub-interface.

Click Save. You should now see an OPT# interface. Click on the OPT# interface name.



Configure the Interface

You can use whatever private IP address range you want. This is just an example. You need to specify the IPv4 address of the gateway – not the network. That’s why I entered 192.168.10.1/24 and not 192.168.10.0/24.

Scroll to the bottom. Check the box Block bogon networks. Click Save and Apply Changes.



Configure the DHCP Server

Go to Services > DHCP Server > TEST_NETWORK
Enable the DHCP server on this interface. Set the range to whatever you wish. I will be entering: 192.168.10.11 -- 192.168.10.244.

Click Save and Apply Changes.



Add Some Firewall Rules

In pfSense, go to Firewall > Rules > TEST_NETWORK
There are not going to be any rules by default (except if you’re blocking bogon nets).

It's up to you how you want to configure your firewall rules and routes.

  • Do you want this VLAN to have Internet access?
  • Which other LANs should it be allowed to talk to?
  • Do you want to route to it from your WAN?





Recommended: Configuring Static Routes

Why Add Static Routes?

If you look at the network diagram for the lab, you'll note a couple of things:

  • The network on the home router has a subnet of 172.16.1.0/24
  • And the laptop acting as an SSH / RDP client is addressed at 172.16.1.110/24
The question is then ...
If 172.16.1.110 is trying to reach 10.0.0.2 — which is behind the pfSense VM, how is it going to get there?
  • Being on the 172.16.1.0/24 network, it has no means of reaching 10.0.0.2 as a neighbor
  • Hosts on the 172.16.1.0/24 network can't just magically become aware of how to get the traffic to the 10.0.0.0/24 network



Where to Add Static Routes

Global Static Routes (Router)

If you configure the static route in the router, this route becomes available to any host that uses the router as a gateway.

  • In this situation, if 172.16.1.110 tries to send a packet to 10.0.0.2, the destination IP is in a foreign subnet, so 172.16.1.110 sends the packet to the default gateway on the router — 172.16.1.1 — for assistance moving the packet
    • Once the home router receives the packet, then what?
      • Does the home router have any knowledge of the 10.0.0.0/24 network? No, not yet at least.
      • That's why we need to log into the home router and add the static route(s) to tell it how to get to that network
💡
And, when we add the static route, what is the doorway into the 10.0.0.2 network?
  • That would be the pfSense VM WAN IP
    • The WAN interface on pfSense is plugged into vmbr0, as is the home router
      • The home router receives the packet from 172.16.1.110 addressed to 10.0.0.2 and sends the packet to the pfSense WAN IP in accordance with the static route
      • The home router and the pfSense VM manage the conversation between them



Local Static Routes (Host)

If you configure the static route locally at the host — for example, a laptop like 172.16.1.110 — then only the host knows about the route.

  • In this situation, 172.16.1.110 is connected to the wireless network and is on the same subnet as the pfSense WAN IP
  • We alter the routing table on 172.16.1.110 and add a static route locally to say: if a packet is destined for 10.0.0.0/24, then send it to the pfSense WAN IP
  • Again, 172.16.1.110 is the only one that knows this now, since we've only added the route locally
  • If we send a packet to 10.0.0.2, then 172.16.1.110 sends the packet directly to the pfSense WAN IP itself without the assistance of the router, since it knows where to send it



How to Add Static Routes

Router (Global)

⚠️
This is specific to each device! Consult your router’s manual for advice on configuring static routes in your own device

Log into your router with the administrative credentials and navigate to the interface for configuring static routes

Example 1:

  • Destination: 10.0.0.0/24
  • Gateway: [pfSense WAN IP address]
  • Description: Route to pfSense internal LAN

Example 2:

  • Destination: 10.80.80.0
  • Subnet Mask: 255.255.255.0 (same as /24)
  • Gateway: [pfSense WAN IP address]
  • Description: Route to pfSense internal AD subnet



Laptop (Local)

⚠️
This example is going to be done on a Windows laptop, but you should be able to get the idea and find enough information on Google to complete the steps on any other operating system

Example 1

Open the start menu, search powershell and open it as administrator
This route does not persist across reboots. So, the next time you reboot your computer, you need to run this command again. If you want the route to persist across reboots, add the parameter -PolicyStore PersistentStore to the cmdlet below.
Get-NetIPConfiguration
Showing the interface details for the 172.16.1.0/24 configuration on my laptop
$destinationNet = '10.0.0.0/24'
$pfsenseWanIP = '172.16.1.3'
$interfaceIndex = 28
New-NetRoute -DestinationPrefix $destinationNet -NextHop $pfsenseWanIP -InterfaceIndex $interfaceIndex -RouteMetric 2
  • NextHop is the term indicating the next router that will receive the packet for routing
  • InterfaceIndex is 28 in accordance with the IP configuration screenshot above, since that's the interface that will be transmitting the packet to 10.0.0.2
  • RouteMetric is 2 as a smaller number here indicates a higher importance
  • If desired, add -PolicyStore PersistentStore to make the route persist across reboots (as mentioned above).



Configure pfSense VM

💡
You don’t need a static route on the pfSense side. A route back into your home network already exists in pfSense’s routing table via the WAN interface.

However, you will need to create some firewall rules to allow the traffic from your home network into the pfSense internal LANs.

WAN Firewall Rules

Allow WAN subnet to LAN

Click "Add"
Click Save when finished



Resolving Packet Loss

⚠️
I was losing an incredible amount of packets between my personal computer and my Kali VM behind the virtual pfSense as a result of asymmetric routing, due to my home pfSense router not being able to track the TCP state of asymmetric packets and dropping the connection.

If your home router is a stateful firewall — it probably is — you should strongly heed the advice linked in the article just below.

  • Click System > Advanced
  • Click the Firewall/NAT tab
  • Check Bypass firewall rules for traffic on the same interface
  • Click Save
Routing — Static Routes | pfSense Documentation
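The static-route reasoning above (global route on the home router versus a local route on the laptop) and the asymmetric-routing packet loss can be reproduced with a small Python routing simulation. This is an added example, not part of the guide; it assumes Kali at 10.0.0.2, the pfSense WAN at 172.16.1.3 as in the PowerShell step, and a constructed placeholder ISP next hop.

```python
import ipaddress

# Topology from the guide's static-route discussion. The home LAN is
# 172.16.1.0/24 with the router at .1, the laptop at .110 and the pfSense
# WAN at .3; pfSense's LAN is 10.0.0.1/24 and Kali 10.0.0.2 is assumed.
NODES = {
    "laptop":      {"172.16.1.110"},
    "home-router": {"172.16.1.1"},
    "pfsense":     {"172.16.1.3", "10.0.0.1"},   # WAN and LAN addresses
    "kali":        {"10.0.0.2"},
}
ISP = "198.51.100.1"   # constructed upstream next hop; not a node here

def routing_tables(route_on_router=False, route_on_laptop=False):
    """(prefix, next_hop) per node; next_hop None means directly connected."""
    tables = {
        "laptop":      [("172.16.1.0/24", None), ("0.0.0.0/0", "172.16.1.1")],
        "home-router": [("172.16.1.0/24", None), ("0.0.0.0/0", ISP)],
        "pfsense":     [("172.16.1.0/24", None), ("10.0.0.0/24", None),
                        ("0.0.0.0/0", "172.16.1.1")],
        "kali":        [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")],
    }
    if route_on_router:   # global: every host using the router benefits
        tables["home-router"].append(("10.0.0.0/24", "172.16.1.3"))
    if route_on_laptop:   # local: only the laptop knows about it
        tables["laptop"].append(("10.0.0.0/24", "172.16.1.3"))
    return tables

def next_hop(table, dst):
    """Longest-prefix match; returns (matched, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return (best is not None, best[1] if best else None)

def owner(ip):
    return next((n for n, addrs in NODES.items() if ip in addrs), None)

def trace(tables, src, dst):
    """Follow a packet hop by hop; returns the list of devices it crosses."""
    node, path = owner(src), []
    for _ in range(8):                     # guard against routing loops
        path.append(node)
        if dst in NODES[node]:
            return path
        found, via = next_hop(tables[node], dst)
        node = owner(dst if via is None else via) if found else None
        if node is None:
            return path + ["unreachable"]
    return path + ["loop"]

def symmetric(tables, a, b):
    """True when the reply retraces the request path through the same devices.
    A stateful home router that is on the request path but not the reply
    path sees only half the TCP handshake and drops the connection."""
    return trace(tables, a, b) == trace(tables, b, a)[::-1]

if __name__ == "__main__":
    for label, tbl in [("no route", routing_tables()),
                       ("route on router", routing_tables(route_on_router=True)),
                       ("route on laptop", routing_tables(route_on_laptop=True))]:
        print(f"{label:16} {trace(tbl, '172.16.1.110', '10.0.0.2')} "
              f"symmetric={symmetric(tbl, '172.16.1.110', '10.0.0.2')}")
```

With the route on the home router the request passes through it but the reply goes straight from pfSense to the laptop, which is the asymmetry the note above describes; the local route on the laptop keeps both directions on the same path.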




