Configuring the pfSense Firewall for Our VirtualBox Lab

In this module, we will log into the pfSense web portal and configure firewall rules for our VirtualBox lab using our Kali VM.

This module is part of a larger series on building a security lab in VirtualBox. Click here to be taken back to the series landing page.

Building a Security Lab in VirtualBox
In this post, we will take a detailed look at the process of setting up an entry-level cybersecurity lab using VirtualBox.





Log into the Web Portal

In Kali, open your web browser and navigate to: https://10.0.0.1

Click Advanced

The default credentials are:

  • Username: admin
  • Password: pfsense

Click Next

Click Next (again). Fill out the Hostname and Domain. Uncheck Override DNS. Click Next.

Double check your timezone and click Next.

Scroll down and uncheck this box. We're using double NAT, which means that the WAN network is also a private network, so we want to allow this. Click Next.

Leave this alone. Click Next.

Change the admin password. Save it in a password vault. Click Next.

Click Reload and wait for the web configurator to refresh. Click Finish.





Configure the Interfaces

Isolated Interface

Choose OPT1

Set the Description to Isolated. Scroll down and click Save and Apply Changes.





AD_LAB Interface

Choose OPT2

Set the Description to AD_LAB. Scroll down and click Save and Apply Changes.





Optimize the DNS Resolver Service

Go to Services > DNS Resolver

Check these boxes, then click Save and Apply Changes.

⚠️
Note: Jan 1, 2024
Netgate is pushing people to the Kea DHCP daemon, as they're deprecating the ISC DHCP daemon. If you opt to move to the Kea DHCP daemon, these options will not be available.

You will need to switch back to ISC DHCP, make your desired selections, then switch back to Kea DHCP.

https://www.reddit.com/r/PFSENSE/comments/17z1u6f/dhcp_registration_on_dns_resolver/

Still under DNS Resolver, go to Advanced Settings. Check both of these boxes, then click Save and Apply Changes.





Give Kali a Static DHCP Lease

Go to Status > DHCP Leases

Click on the button to add a static mapping
Set the IP address to 10.0.0.2

Click Save and Apply Changes.





Configure the Firewall Rules

Create an Alias for RFC1918

This alias will be used in some future firewall rules to reference all private IPv4 address spaces.

Go to Firewall > Aliases

Click Add

Click Save



Create an Alias for Kali

Click Add

Click Save and Apply Changes



LAN

Click on Firewall > Rules

Click on LAN.

Add a rule

  • Action: Block
  • Interface: LAN
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: WAN subnets
  • Description: Block access to any on same network as host OS
  • Click Save





LAN Desired End-State

ℹ️
If you're missing the Block bogon networks rule, it's not entirely necessary on LAN interfaces. But if you wish to enable it, go to Interfaces > LAN, then scroll to the bottom and check the box for Block bogon networks. Then, save and apply your changes and it should automatically be applied to the rules table.





ISOLATED

Click on ISOLATED

Add a rule

  • Action: Pass
  • Interface: Isolated
  • Address Family: IPv4
  • Protocol: Any
  • Source: ISOLATED subnets
  • Destination: Address or alias = Kali
  • Description: Allow packets to Kali VM
  • Click Save and Apply Changes

Final Isolated rule

  • Action: Block
  • Interface: Isolated
  • Address Family: IPv4 + IPv6
  • Protocol: Any
  • Source: Any
  • Destination: Any
  • Description: Block access to everything
  • Click Save





ISOLATED Desired End-State





AD_LAB

Click on AD_LAB

Add a rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = RFC1918 (✅invert match)
  7. Description: Allow packets to any non-private address
  8. Click Save
⚠️
Note: This rule effectively blocks traffic to any private IP address. As you'll see just below, we'll add another rule above this one to allow traffic to Kali, which is aliased to 10.0.0.2.

Moving forward, if there are additional private IPv4 addresses you want your AD_LAB hosts to be able to talk to, you'll need to place the firewall rules above this one, as rules are evaluated from top to bottom.

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: Address or Alias = Kali
  7. Description: Allow packets to Kali VM
  8. Click Save

Add another rule

  1. Action: Pass
  2. Interface: AD_LAB
  3. Address Family: IPv4
  4. Protocol: Any
  5. Source: AD_LAB subnets
  6. Destination: AD_LAB address
  7. Description: Allow packets to default gateway
  8. Click Save

Final AD lab rule

  1. Action: Block
  2. Interface: AD_LAB
  3. Address Family: IPv4 + IPv6
  4. Protocol: Any
  5. Source: Any
  6. Destination: Any
  7. Description: Block everything else
  8. Click Save and Apply Changes





AD_LAB Desired End-State

💡
Remember, the rules are processed from top to bottom. The Kali rule sits above the RFC1918 rule, because placing it below that rule would prevent the traffic from reaching Kali.

If you put Kali on the same subnet as the rest of the AD hosts, the firewall rules don't really matter, since the packets are switched locally on the same network.
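
The ISOLATED and AD_LAB rule tables above can be checked offline with a small first-match evaluator. This is an added example, not part of the original post or of pfSense; the AD_LAB and ISOLATED subnet addresses and the test hosts are constructed (the page does not state them), and the position of the default-gateway rule in the table is assumed.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918 ranges
KALI = nets("10.0.0.2/32")         # Kali's static DHCP lease from this page
ANY = nets("0.0.0.0/0")
# Constructed addressing: the page does not state these subnets.
AD_LAB = nets("10.80.80.0/24")
AD_LAB_GW = nets("10.80.80.1/32")  # the "AD_LAB address" (pfSense itself)
ISOLATED = nets("10.6.6.0/24")

# (action, source, destination, invert destination match, description)
AD_LAB_RULES = [
    ("pass", AD_LAB, KALI, False, "Allow packets to Kali VM"),
    ("pass", AD_LAB, RFC1918, True, "Allow packets to any non-private address"),
    ("pass", AD_LAB, AD_LAB_GW, False, "Allow packets to default gateway"),
    ("block", ANY, ANY, False, "Block everything else"),
]
ISOLATED_RULES = [
    ("pass", ISOLATED, KALI, False, "Allow packets to Kali VM"),
    ("block", ANY, ANY, False, "Block access to everything"),
]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def evaluate(rules, src, dst):
    """Return (action, description) of the first rule matching an IPv4 packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets, invert, desc in rules:
        dst_hit = in_any(dst, dst_nets) != invert  # XOR applies "invert match"
        if in_any(src, src_nets) and dst_hit:
            return action, desc
    return "block", "implicit default deny"

if __name__ == "__main__":
    # Constructed test traffic from one AD_LAB host and one ISOLATED host.
    for dst in ("10.0.0.2", "203.0.113.10", "10.80.80.1", "10.0.0.1", "192.168.1.10"):
        print("AD_LAB   ->", dst, evaluate(AD_LAB_RULES, "10.80.80.10", dst))
    for dst in ("10.0.0.2", "203.0.113.10"):
        print("ISOLATED ->", dst, evaluate(ISOLATED_RULES, "10.6.6.10", dst))
```

The model covers IPv4 source and destination matching only; it does not model states, floating rules or the automatic bogon rule.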





Make Some System Tweaks to pfSense

Go to System > Advanced

Go to Networking

Scroll down and check this box

Click Save and Apply Changes. Click Reboot and reboot now.

⚠️
Wait for pfSense to come back up before proceeding





Grab Kali's New DHCP Reservation

Log into your Kali VM and open a terminal. Run the command as pictured below.

Your IP address should now be 10.0.0.2 as configured.





Next Step: Adding Vulnhub VMs to the Lab

Adding Vulnhub VMs to Our VirtualBox Cyber Range
In this module, we will look at two different ways, based on file type, to import VMs from Vulnhub into our home lab.