OSSIM+PFSENSE ZONE LAN
-
Dude, if you put all the vms on different vmnets - what works?? What vmnet did you put them on? There is a bridged one, host only and then nat and I believe internal.
Your wan of pfsense should be on your bridged vmnet connected to your machine's real network. I assume you're behind a router, so let's say your normal real physical network is 192.168.1.0/24.
So your machine gets from your router via dhcp let's say 192.168.1.100, pfsense wan would get say 192.168.1.101, now the lan of pfsense would be connected to host only or prob better internal. This network should be say 192.168.0.0/24.
All your other vms should be connected to this internal vmnet. They should all be able to get an IP address from the pfsense dhcp server. They should all be able to ping each other (depending on vm software firewall settings if running one on that vm).
The default lan rules on pfsense are any any, so yes you should be able to ping the pfsense lan IP, most likely 192.168.0.1
You're going to want to make sure your real network IP range is different than the pfsense LAN network. Having the same network on both sides of pfsense is not going to work. Once you have that all working you can put another ossim interface in this same network - does not need an IP this will be the interface that ossim.
Another maybe better option would be to put the ossim management interface in the host only vm. So your host can talk to ossim via this network. Not sure what the default ip range of that vmnet is. Then you would put the ossim monitor interface in the internal vmnet so it can see traffic on that network. REMEMBER you're going to want this internal network in promiscuous mode so that the ossim monitor interface will see ALL traffic on this network, not just broadcast traffic or traffic to its mac. I do not recall off the top of my head if this can be done just on the vmnic setting or on the internal network in general. Have not used virtualbox in quite some time.
There also might be an option for a dhcp server on the internal network - you're going to want to make sure this is OFF.. Since you're going to want to use the network that pfsense is using on its lan, and use its dhcp server.
How is it you're using virtualbox for a networking project, and don't understand how networking is done on virtualbox? I would really suggest you go over the manual for virtualbox before attempting to use it, especially for such a project. Here is a link to the networking section: https://www.virtualbox.org/manual/ch06.html
edit: here I drew you a picture
So example IPs in this layout would be

Your router
192.168.0.1

Your Host
192.168.0.100 (real network and bridged vmnet)
192.168.3.2 (host only network)

Pfsense
192.168.0.101 (real network, pfsense wan on bridged vmnet)
192.168.1.1 (vmnet internal, pfsense lan)

Ossim
192.168.3.1 (host only vmnet - management interface)
Monitor/sniffing interface - No IP needed (vmnet internal - promiscuous mode)

VMs
192.168.1.2, 192.168.1.3, etc.. (vmnet internal, via dhcp from pfsense)

You would then access the ossim management gui via its host only vmnet 192.168.3.1 from your host's connection to that vmnet.
-
I use vmware and my internal network is 10.215.10.0/24, it's different than the wan network for pfsense. Putting the ossim interface on host only and with the same subnet as the internal network of pfsense didn't make them all ping each other, even ossim does not ping 10.215.10.1 that is the internal interface of pfsense, and also the dhcp server is disabled for all host only cards from the virtual network editor… so what's wrong?
-
And thank you for the drawing, but all of it is correct except of course 10.215.10.0/24 is the internal network and the host only ip for ossim is 10.215.10.8
-
"putting the ossim interface on host only and with the same subnet as the internal network of pfsense didn't make them all ping"
Why would they? They are not the same network, doesn't matter if you use the same IP ranges. Think of vmnets as switches.. If you have 2 switches that are not connected to each other.. Just because you put the same network IP range on them, why would you think they could talk to each other?
Your ossim is going to want 2 interfaces, its management interface and the interface it uses to monitor/sniff (this interface does not even need an IP)
Set it up as I drew and it will work.. You can use any actual network IP ranges you want, those were just examples showing that they are 3 different networks.
If your internal vmnet is not set up for promiscuous mode, then the ossim interface would only see broadcast traffic and traffic sent to its mac. You need this to be promiscuous so that ossim will see all traffic on this network, be it sent to its mac or not. So when vm1 talks to vm2 it will see these packets, when vm1 talks to pfsense it will see the traffic, etc. etc..
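
Added example, not part of the original posts: a small Python model of the "vmnets are unconnected switches" point and of the three-network layout above. The vmnet labels (`bridged`, `hostonly`, `custom`), the VM names and the `BAD` layout are constructed for illustration; the `GOOD` addresses are the example IPs from the thread.

```python
import ipaddress
from collections import namedtuple
from itertools import combinations

# One virtual NIC: which VM, which vmnet (virtual switch), and its address
# (None for a sniff-only monitor interface).
Nic = namedtuple("Nic", "vm vmnet cidr")

def net(nic):
    return ipaddress.ip_interface(nic.cidr).network

def can_talk_directly(a, b, nics):
    """True only if a and b have addressed NICs on the SAME vmnet and subnet."""
    return any(
        x.vmnet == y.vmnet and net(x) == net(y)
        for x in nics if x.vm == a and x.cidr
        for y in nics if y.vm == b and y.cidr
    )

def overlapping_vmnets(nics):
    """Pairs of different vmnets that carry overlapping IP ranges."""
    addressed = [n for n in nics if n.cidr]
    return sorted({
        tuple(sorted((x.vmnet, y.vmnet)))
        for x, y in combinations(addressed, 2)
        if x.vmnet != y.vmnet and net(x).overlaps(net(y))
    })

def sniffable(vm, vmnet, nics, promiscuous):
    """A monitor NIC sees all traffic only on a promiscuous vmnet it sits on."""
    return vmnet in promiscuous and any(
        n.vm == vm and n.vmnet == vmnet for n in nics)

# Constructed from the example layout in the thread.
GOOD = [
    Nic("host", "bridged", "192.168.0.100/24"),
    Nic("host", "hostonly", "192.168.3.2/24"),
    Nic("pfsense", "bridged", "192.168.0.101/24"),  # WAN
    Nic("pfsense", "custom", "192.168.1.1/24"),     # LAN
    Nic("ossim", "hostonly", "192.168.3.1/24"),     # management
    Nic("ossim", "custom", None),                   # monitor, no IP
    Nic("vm1", "custom", "192.168.1.2/24"),
]
# Constructed: the same IP range placed on two unconnected vmnets.
BAD = [
    Nic("pfsense", "custom", "10.215.10.1/24"),
    Nic("ossim", "hostonly", "10.215.10.8/24"),
]
```

In `GOOD`, ossim and pfsense share no addressed segment either, so anything pfsense sends to the ossim management IP has no path; that is a property of the layout, not a firewall rule.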
-
Ok, I understand now. One more thing to be sure: how should the internal network be? I don't see it in the options. My internal network, as you would say, is vmnet1 host only.
-
You can create multiple vmnets.. See the doc I linked to..
Here
https://www.virtualbox.org/manual/ch06.html#network_internal
-
I am using vmware, but still I will look for something like that in vmware and I will let you know how it ends after applying just what you said. Only one more question: on my physical host, what configuration should be made?
-
Oh dude my bad, must have confused this with another thread.. I thought you were using virtual box.. DOH.. You can kick me ;)
vmware is the same principle to be sure. They call it custom. So same thing: you have a bridged vmnet, and then a host only vmnet, and then use a custom one for the pfsense lan, your other vms and your monitor interface for ossim.
Pretty sure the standard vmnets 0, 1 and 8 shouldn't be used for your custom vmnet.. Use one of the other ones.. If I recall 0 is bridged, 1 is host only and 8 is nat out of the box, these can be altered.. But just pick one of the other ones, make sure it's custom, and same thing, you're going to want promiscuous mode so that ossim can see all the traffic on this custom vmnet.
What version are you using, 11?
-
No, vmware workstation 12. So far, when I put it in the same vmnet that is the internal lan network for pfsense, I now receive logs from pfsense in ossim, so that is good I think, but not from the other vms that are on the same internal network. But still I am happy with that :) And I didn't figure out how the management interface config should be in ossim, I think that is the problem.
-
Oh 12 is out wow.. Missed that.
Dude, put your management interface in the host only network.. What interface are you sending the logs to in ossim?? If it was in the host only network, pfsense would not be able to talk to the management interface IP.
As for ossim to see traffic, did you create the monitor/sniffing interface.. Did you put that vmnet in promiscuous mode?