Netgate Discussion Forum

I need advice on setting up virtual lab

Firewalling
  • W
    warloxian
    last edited by Mar 24, 2022, 8:46 PM

    I don't necessarily want direct answers. I don't learn well unless I have to do the work. What I really need is some starting advice and direction and maybe someone to kind of hold my hand while I am learning this. I am not selfish when it comes to my knowledge. Anything you guys can teach me will be reciprocated in the future to others looking for help. I appreciate you spending a little of your valuable time to help me get started.
    I am setting up a home lab to learn networking and ethical hacking. I am not a rich man so I am limited on the hardware I can afford, but I do update as I am able.
    At this time I have Charter/Spectrum internet and my speeds average 293 Mbps down, 19 up with an average latency of 60ms on my WiFi. My wired system is Frankenstein'd together. I have Netgear power line adapters to carry my wired connection to my garage. It's what I have now and it's not the best, but I have to work with what I have.
    In my garage I have an old Toshiba P755, with a USB adapter for my second NIC, that is my pfSense router/firewall. I have an Asus RT-AC66U router that I have converted to DD-WRT with wireless disabled at this time that is set as an AP. I have two Netgear GS108PEv3 switches and then I have 6 older servers all running Proxmox and all clustered together.
    My question is about setting up all my routers and switches. I have attempted to look for answers online, but obviously no one has this exact setup, and there are several trains of thought about how to put a lab environment together, so it makes it difficult for a complete N00B @ networking to decide how to build this the best way?
    What I am trying to figure out is this:

    1. All my Proxmox servers have static IPs with the 192.168.1.1/24 address range
    2. I am coming right from my power line adapter into my pfSense firewall. I am trying to figure out the best way to use the DD-WRT and Netgear switches in this setup?
      Do I go power line to pfSense to DD-WRT and then use my switches after that or do I use my switches first and then use my DD-WRT to distribute my connection to my servers? My Proxmox servers are all equipped with 4 NICs each and I also have two PCs that each have 1 NIC. At this point I do not want to set up pfSense as a virtual machine. It's easier for me to isolate and fix problems if I just keep the Toshiba as my firewall/router.
      I'm also trying to use a different IP range for my lab so I am not sure if I should manually change the IPs on my servers to fit into a 10.10 network, or a 192.168.2.1/24 network?
    • A
      AndyRH
      last edited by Mar 24, 2022, 9:11 PM

      Not a direct answer, which may be what you are after.
      In my logical world...
      Internet -> ATT (POS) -> pfSense -> clients & 2nd pfSense
      So 2ndPF sees my LAN as its WAN. This allows me to do all sorts of crazy stuff and not make the wife mad.

      In my physical world...
      Internet -> ATT (POS) -> managed switch -> pfSense (primary), pfSense (secondary), clients. There are several VLANs to direct traffic. This allows me to "move" a port without touching a cable. Both pfSense installs have several connections to the switch, some are trunked, some are not.

      o||||o
      7100-1u

      • S
        SteveITS Galactic Empire @warloxian
        last edited by Mar 24, 2022, 9:23 PM

        @warloxian Unless you have a lot of networks I would probably make them something not-similar so diagnosing issues is easier. For example the 10.x.x.x, or 192.168.111.x and 192.168.222.x, etc. .2.1 is an easy typo from .1.1. :)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • B
          bingo600 @warloxian
          last edited by bingo600 Mar 25, 2022, 10:49 AM Mar 25, 2022, 10:26 AM

          @warloxian

          1:
          May I suggest you download the free DIA diagram writer program
          https://forum.netgate.com/topic/166945/free-network-diagram-drawing-tool-for-win-mac-or-linux

          And make a drawing of your "As IS" and "To BE" network.

          2:
          Since this is a LAB, that will end up with multiple VLANs (else it's not a lab)
          I will suggest you assign a 10.xx.yy.00/16 network to your lab network.
          Then you would have room for 255 labs (xx) with 255 (yy) /24 networks (VLANs), that can be used in your lab(s).
          Match the xx to your "Lab number", and yy in the IP address to the same VLAN number.
          Ie. 10.xx.10.0/24 would also be vlan 10
          Ie. 10.xx.20.0/24 would also be vlan 20
          etc ...

          Hint ... Do not use 10.00.x.x or 10.01.xx.xx
          Aka avoid using "Lab 00" and "Lab 01"
          Those IPs are way too used by ISPs, and will bite your behind at some time.

          I'd start with "Lab 101" (10.101.xx.00/16) or something "random" you feel for

          3:
          If possible I'd prob use the USB as "Lab WAN", as the built-in adapter prob. has higher performance, and would be better used for the "Lab inside VLANs"
          I like to always have my WAN connected via a "Real L3 interface", have seen too many "VLAN Leak bugs" on "Consumer switches" to trust a VLAN as my WAN.

          4:
          You would need a Vlan capable switch for your LAB inside, to "Fan out" the multi vlans to separate ports.

          5:
          I did an ultra brief intro on how2 make a VLAN on a pfSense here
          https://forum.netgate.com/topic/158196/making-best-use-of-physical-nics-vlans/6

          Affordable switches
          I like the D-Link DGS-1100-08v2 switches $42
          https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-08V2/dp/B08P2C2GXF/

          They are basic vlan capable switches , for a nice price.
          Basic means they can't do i.e. 802.1x authentication, or SNMP write configuration.
          But they can do (I think 32 VLANs) and IGMP etc ....
          They're nice low wattage fanless "satellite" switches ...

          I also like the DGS-1210 series, also fanless (they can do 802.1x auth etc ...)
          But they seem to be on backorder, prob. due to the chip shortage.
          I use DGS-1210-24 and DGS-1210-28 , in EU you can get them for around $150 , if in stock.

          I'm not sure if the TP-Link's have gotten their vlan leaks under control in the current revision, but they were NOT recommended a few years ago.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD
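
The addressing scheme from point 2 of the post above (10.<lab>.<vlan>.0/24, third octet equal to the VLAN ID), as an added example that is not part of the original thread. It builds the plan for one lab and rejects lab numbers 0 and 1 or any subnet that overlaps a network already in use; the function names, the sample VLAN list and the ".1 is the gateway" convention are assumptions.

```python
import ipaddress

AVOID_LABS = {0, 1}  # 10.0.x.x and 10.1.x.x, which the post says to avoid


def lab_supernet(lab):
    """Return the 10.<lab>.0.0/16 block reserved for one lab."""
    if not 0 <= lab <= 255:
        raise ValueError(f"lab {lab} does not fit in the second octet")
    if lab in AVOID_LABS:
        raise ValueError(f"lab {lab} is in the range the post says to avoid")
    return ipaddress.ip_network(f"10.{lab}.0.0/16")


def vlan_subnet(lab, vlan):
    """Return 10.<lab>.<vlan>.0/24 so the third octet equals the VLAN ID."""
    supernet = lab_supernet(lab)
    if not 1 <= vlan <= 255:
        raise ValueError(f"VLAN {vlan} cannot be mirrored in the third octet")
    net = ipaddress.ip_network(f"10.{lab}.{vlan}.0/24")
    if not net.subnet_of(supernet):
        raise ValueError(f"{net} is outside {supernet}")
    return net


def build_plan(lab, vlans, existing=()):
    """Map VLAN IDs to /24s, refusing any that overlap networks already in use."""
    # strict=False accepts host-style notation such as 192.168.1.1/24.
    in_use = [ipaddress.ip_network(n, strict=False) for n in existing]
    plan = {}
    for vlan in sorted(set(vlans)):
        net = vlan_subnet(lab, vlan)
        clash = next((o for o in in_use if net.overlaps(o)), None)
        if clash is not None:
            raise ValueError(f"{net} overlaps existing network {clash}")
        # Assumption: the firewall interface takes the first host address (.1).
        plan[vlan] = {"network": net, "gateway": net.network_address + 1}
    return lab_supernet(lab), plan


if __name__ == "__main__":
    # Constructed sample: lab 101, three VLANs, the existing home LAN.
    supernet, plan = build_plan(101, [10, 20, 30], existing=["192.168.1.1/24"])
    print(f"Lab 101 supernet: {supernet}")
    for vlan, row in plan.items():
        print(f"VLAN {vlan:>3}  {row['network']}  gw {row['gateway']}")
```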

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.