This module is a part of a larger series of building a security lab in VirtualBox. Click here to be taken back to the series landing page.

Building a Security Lab in VirtualBox

In this post, we we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox

0xBEN0xBEN

Whenever your are building a lab – whether in the cloud or on premise – you should always plan your network first. You should factor in future growth as well. It's much more difficult to change network design later than planning for it now.

NOTE: pfSense is acting as the NAT router and firewall for the lab environment. Therefore, pfSense will need to be the first VM to boot when running your lab. After pfSense boots, you can start your other VMs.

VirtualBox 7.0.x Warning

Warning: In this guide, we setup the pfSense VM with several interfaces – all of them using the paravirtualized (virtio-net) driver. In VirtualBox 7.0.x there is a known issue with the virtio-net driver on FreeBSD 12.3 (the operating system of pfSense 2.6.0).

According to this ticket, the issue should have been fixed in VirtualBox 7.0.4, but appears to still be an issue. I have re-checked (Mar. 11, 2023) if the issue has been resolved in VirtualBox version 7.0.6 and it appears the issue is still ongoing.

First Time Visitors

The Workaround: You have three choices to fix the issue:

• Run a snapshot release of pfSense 2.7.x
  • This fixes the issue because pfSense 2.7.x is based on FreeBSD 14.x and the issue is due to the virtio-net drivers on FreeBSD 12.3
  • Snapshot releases are not considered stable, but you shouldn't have any trouble running it in a lab environment
  • If you decide to run pfSense 2.7.x the installation instructions will differ only slightly and I'll cover that below
• Or, run pfSense 2.6.x and use the Intel 1000 MT Server driver instead of the paravirtualized (virtio-net) in the VM's settings menu in VirtualBox.
  • There should be no noticeable performance decrease when using this driver
• Or, downgrade to VirtualBox 6.x and proceed with the guide as normal

Returning Readers

If you've followed this guide before upgrading to VirtualBox 7.0.x and are reading this page because your VM is broken, then you have a couple of choices to fix the issue.

The Workaround:

• Downgrade to the latest version of VirtualBox 6.x
• Or, change your WAN driver to Intel 1000 MT (server) in the VM's settings
  • Then, when you boot the VM, choose option 1 at the menu to reassign interfaces
    • em0 should be for WAN in the new configuration
    • vtnet1, vtnet2, and vtnet3 can all be reassigned as was done originally
    • em0 should now get a DHCP lease

Download pfSense

Go to: https://www.pfsense.org/download/ and choose the image with the following specifications:

• AMD64
• ISO installer
• Choose the mirror closest to you

Now, go to the folder where you downloaded pfSense. We need to extract the .iso file form the archive.

Install 7zip or some other archive extraction utility to decompress the .gz archive.

You should now have a pfSense-CE-#.#.#-RELEASE-amd64.iso file in your folder.

Create the VM

Click the New button

The Name and Machine Folder are specific to your computer. Ensure you choose the correct Type and Version as shown here.

Customize the VM

Right-click the VM and choose Settings

Move Hard Disk above Optical

Choose a Disk File

Disable audio

Disable USB

Configure the Network Interfaces

Adapter 1: WAN

Adapter 2: LAN

Adapter 3: ISOLATED

Adapter 4: AD_LAB

All done. Click OK.

Installing pfSense

If it asks for the startup disk, just choose the .iso disk we downloaded earlier. Press Enter.

Choose Install pfSense

Continue with defaults, unless you want to choose another language

pfSense 2.6 (Normal Install)

Choose Auto (UFS) BIOS

Wait for installation process to complete. Choose No.

pfSense 2.7 (VirtualBox 7 Workaround)

Choose Auto UFS

Configuring pfSense

Wait for the VM to finish booting. When asked Should VLANs be set up now [y|n]?, choose N.

Configuring the Interfaces

You should see something like this

• The WAN interface pulled an IP address from my home network.
• The Default LAN IP address space is 192.168.1.1/24
• OPT1 (optional interface 1) – Isolated – is not yet configured.
• OPT2 (optional interface 2) – AD_LAB – is not yet configured.

Configure the LAN

Configure the Isolated LAN

All done with the ISOLATED LAN

Configure the AD Lab LAN

All done with the AD_LAB LAN

Final Check

You should now see something like this

A Note on Configuring the Firewall

In this guide, we will not be making the pfSense web console available from the WAN.

This is because you may be using a laptop and if you connect to public wireless, then your pfSense web console would be open to the others on that network.

We will be using our Kali VM to configure the pfSense firewall rules in a bit.

Next Step: Importing Kali from Offensive Security Images

Importing Kali Using the Official VirtualBox Image

In this module, we will look at the process of importing the pre-packaged Kali VM for VirtualBox directly from the official source.

0xBEN0xBEN