Configuring the pfSense Firewall for Our VirtualBox Lab

In this module, we will log into the pfSense web portal and configure firewall rules for our VirtualBox lab using our Kali VM.
ℹ️
This page is part of a larger series on building a cybersecurity lab using VirtualBox. Click here to be taken back to the project home page.

Previous Step

Importing Kali Using the Official VirtualBox Image
In this module, we will look at the process of importing the pre-packaged Kali VM for VirtualBox directly from the official source.





Log into the Web Portal

In Kali, open your web browser and navigate to: https://10.0.0.1

Click Advanced to proceed past the browser's warning about pfSense's self-signed certificate.

The default credentials are:

  • Username: admin
  • Password: pfsense

Click Next

Click Next (again). Fill out the Hostname and Domain. Uncheck Override DNS. Click Next.

Double check your timezone and click Next.

Scroll down and uncheck this box. We're double-NATed: the pfSense WAN sits behind the host's NAT, so the WAN network is itself a private network and we want to allow it. Click Next.

Leave this alone. Click Next.

Change the admin password and save it in a password vault. Click Next.

Click Reload and wait for the web configurator to refresh. Click Finish.





Configure the Interfaces

Isolated Interface

Choose OPT1

Set the Description to Isolated. Scroll down and click Save and Apply Changes.





AD_LAB Interface

Choose OPT2

Set the Description to AD_LAB. Scroll down and click Save and Apply Changes.





Optimize the DNS Resolver Service

Go to Services > DNS Resolver

Check these boxes, then click Save and Apply Changes.

⚠️
Note: Jan 1, 2024
Netgate is pushing people to the Kea DHCP daemon, as they're deprecating the ISC DHCP daemon. If you opt to move to the Kea DHCP daemon, these options will not be available.

You will need to switch back to ISC DHCP, make your desired selections, then switch back to Kea DHCP.

https://www.reddit.com/r/PFSENSE/comments/17z1u6f/dhcp_registration_on_dns_resolver/

Still under DNS Resolver, go to Advanced Settings. Check both of these boxes, then click Save and Apply Changes.





Give Kali a Static DHCP Lease

Go to Status > DHCP Leases

Click on the button to add a static mapping
Set the IP address to 10.0.0.2

Click Save and Apply Changes.





Configure the Firewall Rules

Create an Alias for RFC1918

This alias will be used in some future firewall rules to reference all private IPv4 address spaces.

Go to Firewall > Aliases

Click Add

Click Save



Create an Alias for Kali

Click Add

Click Save and Apply Changes



LAN

Click on Firewall > Rules

Click on LAN.

Add a rule

  • Action: Block
  • Interface: LAN
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: WAN subnets
  • Description: Block access to any on same network as host OS
  • Click Save





LAN Desired End-State

ℹ️
If you're missing the Block bogon networks rule, it's not entirely necessary on LAN interfaces. But if you wish to enable it, go to Interfaces > LAN, then scroll to the bottom and check the box for Block bogon networks. Then, save and apply your changes and it should automatically be applied to the rules table.





ISOLATED

Click on ISOLATED

Add a rule

  • Action: Pass
  • Interface: Isolated
  • Address Family: IPv4
  • Protocol: UDP
  • Source: ISOLATED subnets
  • Destination: ISOLATED address
  • Destination Port Range: DNS (53)
  • Description: Allow DNS lookups to the default gateway
  • Click Save and Apply Changes

Add a rule

  • Action: Pass
  • Interface: Isolated
  • Address Family: IPv4
  • Protocol: Any
  • Source: ISOLATED subnets
  • Destination: Address or alias = Kali
  • Description: Allow packets to Kali VM
  • Click Save and Apply Changes

Final Isolated rule

  • Action: Block
  • Interface: Isolated
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: Any
  • Description: Block access to everything
  • Click Save





ISOLATED Desired End-State





AD_LAB

Click on AD_LAB

Add a rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = RFC1918 (check Invert match)
  7. Description: Allow packets to any non-private address
  8. Click Save
⚠️
Note: This rule effectively blocks traffic to any private IP address. As you'll see just below, we'll add another rule above this one to allow traffic to Kali, which is aliased to 10.0.0.2.

Moving forward, if there are additional private IPv4 addresses you want your AD_LAB hosts to be able to talk to, you'll need to place the firewall rules above this one, as rules are evaluated from top to bottom.

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = Kali
  7. Description: Allow packets to Kali VM
  8. Click Save

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: AD_LAB address
  7. Description: Allow packets to default gateway
  8. Click Save

Final AD lab rule

  1. Action: Block
  2. Interface: AD_LAB
  3. Address Family: IPv4 + IPv6
  4. Protocol: Any
  5. Source: Any
  6. Destination: Any
  7. Description: Block everything else
  8. Click Save and Apply Changes





AD_LAB Desired End-State

💡
Remember, the rules are processed from top to bottom. The Kali rule is above the RFC1918 rule, as having the rule below it would prevent the traffic from reaching Kali.

If you put Kali on the same subnet as the rest of the AD hosts, the firewall rules don't really matter, since the packets are switched locally on the same network.





FLOATING Rules

ℹ️
Floating rules are a section of the firewall where you can craft a rule, or set of rules, that applies to one or many interfaces. I typically keep my rules organized under each interface, but in special circumstances it makes more sense to use a floating rule, so we don't have to create the same rule on multiple interfaces.

Add the Port Alias

Go to Firewall > Aliases
Click on Ports
Click Add
Fill out accordingly and click Save



Add the Separators

Go to Firewall > Rules
Choose Floating
Click this button to add a separator
Click 'Save'
Click this button to add another separator
Click 'Save'
You should now have two separators; the rules we add next will sit between them.
Click the 'Save' button at the bottom



Block Logins to the Firewall

Add a rule
💡
We choose ISOLATED and AD_LAB here, as we don't want these subnets to be able to reach the firewall login ports. We choose in for the direction here, as the traffic is going into the firewall interface from hosts.
Click Save and Apply Changes



FLOATING Rules Desired End State

Drag and drop items to re-order, then click Save and Apply Changes
🛑
Keep in mind that as you move through the VirtualBox lab, you'll create additional interfaces where you don't want hosts to reach the firewall login. In that case, just come back here, edit the rules, and add the interface name to the list.
ℹ️
The reason we've created these rules is that we have (or will have) some subnets that are allowed to access the internet, but not allowed to access private IP addresses. In order for these subnets to get to the internet, they need to be able to reach the gateway address. We don't — however — want them to be able to reach the login ports of the firewall.
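To make the top-to-bottom evaluation concrete for both the AD_LAB tab and the floating login-block rule above, here is a small model of pfSense's first-match rule processing. This is an added example, not code from this page or from pfSense. The ISOLATED and AD_LAB subnets, the gateway addresses, the sample AD_LAB host, and the contents of the FIREWALL_LOGIN port alias are assumptions made up for the illustration; the floating block rule is modelled with Quick set, which is what lets it win over the interface tab's pass rule for the gateway address.

```python
"""Model of how pfSense evaluates the AD_LAB tab and the floating login-block rule.

Added example; it is not code from 0xBEN's page or from pfSense.  The
interface subnets, the gateway addresses and the contents of the
FIREWALL_LOGIN port alias are assumptions made up for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Assumed lab addressing: LAN 10.0.0.0/24 (Kali at 10.0.0.2, from the page),
# ISOLATED 10.0.1.0/24 and AD_LAB 10.0.2.0/24 with pfSense as .1 on each.
SUBNET = {"ISOLATED": Net("10.0.1.0/24"), "AD_LAB": Net("10.0.2.0/24")}
GATEWAY = {"ISOLATED": Addr("10.0.1.1"), "AD_LAB": Addr("10.0.2.1")}

# Aliases from Firewall > Aliases.  RFC1918 and Kali follow the page; the
# port alias contents (SSH plus the webConfigurator) are an assumption.
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
KALI = [Net("10.0.0.2/32")]
FIREWALL_LOGIN = {22, 80, 443}


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    description: str
    src: list = field(default_factory=list)       # networks; empty means any
    dst: list = field(default_factory=list)       # networks; empty means any
    invert_dst: bool = False                      # the "Invert match" checkbox
    dports: set = field(default_factory=set)      # destination ports; empty means any


def _in(nets, ip):
    return not nets or any(ip in n for n in nets)


def matches(rule, src, dst, dport):
    dst_hit = _in(rule.dst, dst)
    if rule.invert_dst:
        dst_hit = not dst_hit
    return _in(rule.src, src) and dst_hit and (not rule.dports or dport in rule.dports)


def evaluate(floating, tab, src, dst, dport):
    """Floating rules with Quick set are checked before the interface tab; the
    first matching rule wins.  pfSense denies anything that nothing matched."""
    for rule in list(floating) + list(tab):
        if matches(rule, src, dst, dport):
            return rule.action, rule.description
    return "block", "implicit default deny"


# Floating tab: one block rule covering ISOLATED and AD_LAB, direction in,
# destination the firewall's own addresses, ports = the FIREWALL_LOGIN alias.
FLOATING = [
    Rule("block", "Block logins to the firewall",
         src=[SUBNET["ISOLATED"], SUBNET["AD_LAB"]],
         dst=[Net(f"{g}/32") for g in GATEWAY.values()],
         dports=FIREWALL_LOGIN),
]

# AD_LAB tab in the desired end-state order: every pass rule for a private
# destination sits above the final block rule.
AD_LAB = [
    Rule("pass", "Allow packets to Kali VM", src=[SUBNET["AD_LAB"]], dst=KALI),
    Rule("pass", "Allow packets to default gateway", src=[SUBNET["AD_LAB"]],
         dst=[Net(f"{GATEWAY['AD_LAB']}/32")]),
    Rule("pass", "Allow packets to any non-private address", src=[SUBNET["AD_LAB"]],
         dst=RFC1918, invert_dst=True),
    Rule("block", "Block everything else"),
]


def decide(dst, dport, src="10.0.2.50", tab=AD_LAB):
    """Decision for a packet from an AD_LAB host (assumed 10.0.2.50 by default)."""
    return evaluate(FLOATING, tab, Addr(src), Addr(dst), dport)


def misordered():
    """Same rules, but with the Kali pass rule moved below the final block rule."""
    tab = [r for r in AD_LAB if "Kali" not in r.description] + [AD_LAB[0]]
    return decide("10.0.0.2", 4444, tab=tab)


if __name__ == "__main__":
    for dst, port in [("8.8.8.8", 443), ("10.0.0.2", 4444), ("10.0.2.1", 53),
                      ("10.0.2.1", 443), ("192.168.1.10", 445)]:
        print(f"{dst}:{port:<5} -> {decide(dst, port)}")
    print("Kali rule below the block rule ->", misordered())
```

Running it shows an AD_LAB host reaching the internet and Kali, reaching its gateway on port 53 but not on the login ports (the floating rule matches first), and being blocked from any other private address. The misordered() case shows why the ordering matters: a pass rule placed below the final block rule is never reached, so the packet to Kali is dropped.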





Make Some System Tweaks to pfSense

Go to System > Advanced

Go to Networking

Scroll down and check this box

Click Save and Apply Changes. Click Reboot and reboot now.

⚠️
Wait for pfSense to come back up before proceeding





Grab Kali's New DHCP Reservation

Log into your Kali VM and open a terminal. Run the command as pictured below.

Your IP address should now be 10.0.0.2 as configured.
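The page's own command is only shown in the screenshot, so as an added check (not code from the page) here is a small script that reads `ip -4 -o addr show`, confirms the 10.0.0.2 reservation is active, and tells you to release and renew the lease if Kali is still holding its old address. It assumes the adapter on the pfSense LAN is eth0, the first NIC in the official Kali VirtualBox image; change IFACE if yours differs.

```python
"""Check that Kali received the 10.0.0.2 static lease from pfSense.

Added example, not code from the page.  It assumes Kali's NIC on the pfSense
LAN is eth0 (the first adapter in the official VirtualBox image); change IFACE
if yours differs.
"""
import ipaddress
import subprocess

EXPECTED = ipaddress.IPv4Address("10.0.0.2")   # the static mapping from Status > DHCP Leases
IFACE = "eth0"                                 # assumption


def parse_ip_addr(output, iface):
    """Return the IPv4 addresses on iface from `ip -4 -o addr show` output.

    Each one-line record looks like:
      2: eth0    inet 10.0.0.2/24 brd 10.0.0.255 scope global dynamic eth0\\       valid_lft ...
    """
    addrs = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == iface and f[2] == "inet":
            addrs.append(ipaddress.IPv4Interface(f[3]).ip)
    return addrs


def lease_status(addrs, expected=EXPECTED):
    """'ok' when the reservation is active, otherwise a reason it is not."""
    if expected in addrs:
        return "ok"
    if not addrs:
        return "no IPv4 address: the lease was not obtained"
    return "stale lease: still holding " + ", ".join(map(str, addrs))


if __name__ == "__main__":
    out = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    status = lease_status(parse_ip_addr(out, IFACE))
    print(f"{IFACE}: {status}")
    if status != "ok":
        # Release and renew so the new static mapping is picked up.
        print(f"run: sudo dhclient -r {IFACE} && sudo dhclient {IFACE}")
```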





Next Step

Adding Vulnhub VMs to Our VirtualBox Cyber Range
In this module, we will look at two different ways, based on file type, to import VMs from Vulnhub into our home lab.