PfSense configuration for a virtualized security lab



  • Hey guys,

    I am setting up a virtual security lab environment as part of a senior project at my school using a VMware ESXi host (mostly managed via vCenter).

    Currently, I have three separate networks I am configuring: a LAN network, a DMZ network, and an external network (this one is outside the firewall and internet facing). The idea is to have students on the external network use Kali Linux VMs to attempt to penetrate the two internal networks (DMZ & LAN).

    There would be a second group of students on the inside of the network, monitoring traffic on the firewall as well as hardening and maintaining the internal servers. The internal networks are made up of a mix of Windows and Linux servers.

    I was wondering what would potentially be the steps to configure the firewall for this type of environment? Also I have limited experience with pfSense and was wondering if this could also function as a router?

    I have also attached a diagram of the lab environment.



  • wondering if this could also function as a router?

    Yes.

    Nobody is going to write a book of steps for you. Just start and ask questions if you get stuck. This should help get you started:

    https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi



  • This is not a serious answer. Anyone can find the document you are referring to and it doesn't provide any insight on what to do differently to allow for this kind of setup.
    I am trying to come up with a similar setup in order to create a template for virtual firewalling for use in virtual labs in my employer's virtual infrastructure.
    From what I have seen so far, the situation is summarized as follows:

    • Almost everything out there (open source firewalls) is based on iptables.
    • iptables can cover any scenario really, coupled with Linux/FreeBSD routing capabilities.
    • iptables is complicated to comprehend and configure, but most of all to pass on as knowledge to other admins that don't have time to go deep into it.
    • Any solution that tries to give an easier manipulation of an OSS firewall comes down to these use cases:
            - Host-based firewalling: using the operating system's firewall to allow or deny services on the host, or make the host a two-interface internet access gateway, with LAN on one side and WAN/Internet on the other, providing dynamic NAT for LAN clients (IP masquerading). SuSEfirewall2 and UFW are such cases, where these scripts don't allow complex setups that diverge from the original ones I mentioned. The main cause is the inability to define rules for forwarding traffic through the SuSEfirewall2 and UFW scripts, since they mostly allow rules where the source is defined and the destination is presumed to be the host where the firewall operates.
            - Pre-packaged OSS firewalls like pfSense, IPFire etc.: those systems allow for more features and a little more complex setup; however their automated features presume a more or less specific setup: a WAN interface facing the internet and a LAN where the management of the firewall takes place.

    In my case the management needs to happen from the internal network where also lies the access to the internet (through our own set of security devices and routing path). The lab needs to isolate systems, possibly communicating between different subnets and filtering intersubnet traffic or even performing NAT or allowing admin access to those lab systems from the internal network.

    It seems I can't even get to the point where I get access to the web UI, because if pfSense is configured with our internal network as the WAN interface (where the access to the internet lies) then the default gateway is set correctly but web access is moved to an isolated interface (the LAN one). If the reverse setup is used, with WAN in the isolated section and LAN on the internal network, then the management interface is placed in the correct segment (internal) but no default gateway is set, so no communication with the web UI.

    These are very common setups in enterprises and performed extremely easily with commercial routers (e.g. Cisco) and commercial firewalls (e.g. Check Point). If OSS systems are to even begin to tackle such use cases, then the community needs to grow up and stop attacking each other.

    To Mr. Tiberius:
    Your setup has the benefit of having the interfaces on the correct side. You should assign your interfaces correctly, set IP addresses and get web UI access in order to set up the rest of it. pfSense, like any Linux/FreeBSD system operating as a transit firewall, will easily enable routing (forwarding) between the networks where its interfaces belong. However, if your infrastructure in the green, blue and red areas is not all included in one segment (IP subnet) respectively, then it will not be enough. You will need to configure static routes inside your pfSense box in order to allow traffic to reach other subnets in your networks. It may be possible from the web UI to accomplish that, but I can't be sure as I have not yet gotten access to it (I have a different setup in mind).

    For me, it seems I will probably need to use iptables directly on a common Linux distribution, unless anyone a little bit more experienced gives me some directions on where to modify settings inside the shell to get the web UI to work from the "WAN interface". I have a feeling though that no one will, and also that it won't be the only problem I have (I saw somewhere the need to set an option to allow private IP addresses on the WAN side or pfSense will discard relevant packets).
    I will create a different post and keep my fingers crossed.

    If you do decide to take a look at iptables, I will give you a couple of links to get started:
    https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
    https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
    https://www.digitalocean.com/community/tutorials/how-to-set-up-an-iptables-firewall-to-protect-traffic-between-your-servers
    The netfilter hooks in the kernel and where they hook in the packet flow

    The last one will probably explain a lot. If you don't know much about networking you will probably need some help.
    Good Luck



  • About my own problem:
    It's possible to "fool" the wizard on the pfSense console for setting IP addresses and give a gateway to a LAN interface and refuse one to a WAN interface. So I do have my access to the web UI now.
    I will post my findings in another post if everything goes to plan.
    Let me know if you have more questions.



  • This is not a serious answer. Anyone can find the document you are referring to and it doesn't provide any insight on what to do differently to allow for this kind of setup.

    I'm relieved that you have appeared to set me straight and show us all how it's done.



  • You give me too much credit. I have not shown anyone anything. It's virtually impossible to teach someone the meaning of courtesy. I wasn't trying to.
    I am also old enough to know how flaming works. Good luck with that.



  • It certainly takes a special kind of person to show up to a new forum, tell a regular he's wrong in a blunt way, hijack someone else's thread with his unrelated problem and then state that nobody will help him and then also assume that he is going to have more problems with the insinuation that Netgate is doing it wrong or made a dumb design decision.



  • @MrTiberius:

    Hey guys,

    I am setting up a virtual security lab environment as part of a senior project at my school using a VMware ESXi host (mostly managed via vCenter).

    Currently, I have three separate networks I am configuring: a LAN network, a DMZ network, and an external network (this one is outside the firewall and internet facing). The idea is to have students on the external network use Kali Linux VMs to attempt to penetrate the two internal networks (DMZ & LAN).

    There would be a second group of students on the inside of the network, monitoring traffic on the firewall as well as hardening and maintaining the internal servers. The internal networks are made up of a mix of Windows and Linux servers.

    I was wondering what would potentially be the steps to configure the firewall for this type of environment? Also I have limited experience with pfSense and was wondering if this could also function as a router?

    I have also attached a diagram of the lab environment.

    OK, some more feedback.
    I have been playing with this in my own lab and came to some conclusions. I haven't tested NAT yet, so nothing there yet.
    If your networks are composed of just one IP subnet per color then you have a lot less work. The routing will be set up automatically, and automatic outbound NAT rules as well.
    The firewall management will be activated on the LAN interface, so assign interfaces and then only configure the LAN interface's IP address. This will give you access to the webConfigurator (it will show you the IP you can connect to). It will ask you if you want to convert the protocol to HTTP. Don't; HTTPS is better for security reasons.
    Connect to the webConfigurator and go through the wizard. At this point you will probably need to configure the rest of the interfaces' IP addresses. If internet access is indeed on the red side, then the next hop on that path should be your default gateway, configured on the WAN interface (red) and on the same IP subnet.
    Routing should now work between the different IP segments connected to the firewall interfaces. But to access services you need to configure firewall rules.
    From what I figured out through testing, you need to configure floating rules. Make things as specific as possible (use the "any" option as little as possible).
    Monitor the firewall logs (provided you checked the logging option in the rules) to see what is passed and what is dropped. The logs are under Status->System Logs->Firewall.
    In case you need more complex static routing, check what you currently have in Diagnostics->Routes, and then add more if necessary in System->Routing.
    If you can configure the firewall's own internet access correctly, you can check for available packages (add-ons). These include a lot you may find useful, such as Snort, OSPF routing, ntopng, etc.
    Let me know if you need any specific help.
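As an added example (not code from the thread or from the pfSense project), the script below parses raw pfSense filterlog lines in the documented CSV layout and summarises what each interface passed or blocked, flagging any source that was blocked on several distinct destination ports, which is what the internal team would watch for in the firewall log once the red-side Kali VMs start probing the DMZ and LAN. The interface names (vmx0 for red/WAN, vmx1 for LAN), addresses and log lines are constructed for illustration.

```python
"""Summarise raw pfSense filterlog lines for the three-zone lab (added example, not
code from the thread). Columns: rule,subrule,anchor,tracker,iface,reason,action,dir,
ipver, then (IPv4) tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst, then
(TCP/UDP) sport,dport,... Interface names and log lines are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample: vmx0 = red/WAN (students' Kali side), vmx1 = LAN (assumed names).
SAMPLE_LOG = """\
Mar  3 10:01:02 pfSense filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.50,10.20.0.10,41000,22,0,S,1,,65535,,mss
Mar  3 10:01:02 pfSense filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.50,10.20.0.10,41001,3389,0,S,1,,65535,,mss
Mar  3 10:01:03 pfSense filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.50,10.10.0.20,41002,445,0,S,1,,65535,,mss
Mar  3 10:01:03 pfSense filterlog[1234]: 12,,,1000000221,vmx0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.30.0.50,10.20.0.10,41003,80,0,S,1,,65535,,mss
Mar  3 10:01:04 pfSense filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,10.30.0.50,10.20.0.10,41004,161,58
Mar  3 10:01:05 pfSense filterlog[1234]: 20,,,1000000305,vmx1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.10.0.5,10.10.0.1,50000,443,0,S,1,,65535,,mss
"""

def parse_line(line):
    """Parse one syslog line; return a dict, or None if it is not a filterlog line."""
    if "filterlog" not in line:
        return None
    f = line.split("filterlog", 1)[1].split(": ", 1)[1].split(",")
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] != "4":  # IPv6 records carry a different header; not used in this lab
        return rec
    rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
    if rec["proto"] in ("tcp", "udp"):  # ICMP and other protocols have no port columns
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec

def summarize(log_text, scan_threshold=3):
    """Count pass/block per interface; list sources blocked on >= scan_threshold ports."""
    per_iface = defaultdict(Counter)
    blocked_ports = defaultdict(set)  # source address -> distinct blocked destination ports
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["ipver"] != "4":
            continue
        per_iface[rec["iface"]][rec["action"]] += 1
        if rec["action"] == "block" and "dport" in rec:
            blocked_ports[rec["src"]].add(rec["dport"])
    probing = sorted(s for s, p in blocked_ports.items() if len(p) >= scan_threshold)
    return {i: dict(c) for i, c in per_iface.items()}, probing

if __name__ == "__main__":
    counts, probing = summarize(SAMPLE_LOG)
    print(counts)               # {'vmx0': {'block': 4, 'pass': 1}, 'vmx1': {'pass': 1}}
    print("probing:", probing)  # ['10.30.0.50']
```

Feed it `clog /var/log/filter.log` output or a copy of the raw log from Status->System Logs->Firewall; only rules with logging enabled produce lines, as the post notes.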