Home network schema



  • Hello!
    I am wondering if something like the following would be possible:
    2 physical PCs:

    • Linux box

    • Windows box with Virtualbox VMs

    Virtualbox:

    • pfsense VM

    • metasploitable VM

    • ubuntu VM

    metasploitable VM and ubuntu VM should be accessed through pfsense VM.

    Now what I would like to do is get from the Linux box into the metasploitable VM or the ubuntu VM.
    Is that possible at all?
    Any other ideas or suggestions?

    Thanks in advance,
    jardacle


  • Rebel Alliance Global Moderator

    Yes, it's possible..



  • Any suggestions about how to set that up?
    I know how to set it up so VMs get a LAN IP from pfsense, but I have no idea how to access them from my Linux box.


  • Rebel Alliance Global Moderator

    So the way I take it you're setting this up is your normal physical network is the wan to pfsense..  But it could very well be just another lan segment..  How are you wanting to do it? It doesn't seem like you're using pfsense as your normal isp router, just as a firewall/router between your network and some vms.

    Well if pfsense wan is your network, and vms are on their own just virtual network, then just create a port forward on pfsense to the ports and IPs you want… Or you could just completely disable nat if this is all inside your network and just firewall.. Your vm network could be different than your normal network, or you could turn pfsense into a bridge, etc etc..

    There are always multiple ways to skin the cat; knowing the breed of cat you're working with helps determine the best way to skin it..  But as of now I don't know if you have a Siamese or a Calico Manx, or maybe you actually want a Balinese?



  • Yeah, currently I've been using pfsense as a firewall/router, and pfsense wan is my network because that's the most common way I found when googling for guides.

    It's a penetration testing lab, so the idea is to be as close as it can be to real separate networks.

    Any suggestions on what road to take?


  • Rebel Alliance Global Moderator

    Well, if your boxes are behind pfsense and linux is the attacker, then unless you forward traffic, or do not nat and allow the traffic, linux is not going to see those machines behind pfsense at all.

    You can pen test all you want against the pfsense wan IP.. I don't think you're going to learn much ;)  What exactly are you looking to test?  What is the point of a firewall between you and testing exploits against machines?  The firewall's job is to prevent access to those machines that you do not want.

    If you want to forward port 80 or 443 to your vms, there you go - or do you not know how to port forward?



  • That makes sense.
    Wouldn't bypassing firewall/IDS be a good practice to begin with?
    Regardless, I need pfsense as a virtual lab router so my host can't be compromised by vulnerable VMs, don't I?

    I'm sorry but I'm pretty new at this  :-[
    I know how to port forward in pfsense. Going to try that when I get home.


  • Rebel Alliance Global Moderator

    So the typical role of pfsense, or anything like pfsense, is at the edge where there is the public side and then the users' network that is rfc1918 space.. So nat is normally going to be done, unless you're wanting to play with ipv6, so yeah, normally the only unsolicited traffic that would be allowed from the public network to a user's machine would be through a port forward.

    As to the lab setup of your vms, yes, I would normally think you would want isolation between them and your normal network - but normally that would be in the other direction, ie you wouldn't want your lab machines to talk to your network without specific permission in the firewall.. For example, maybe you want to print something from your lab machines.  Or maybe you want a lab machine to have access to a video camera or something to test something.  Normally your network would have unfettered access into the lab network.. Let's call it a dmz or firewalled segment.

    If that is how you were going to set it up, then I wouldn't be doing nat between your network and the vms..  And whether your vms in this lab/dmz needed internet access would determine how you would need to set it up.

    But in general, let's look at your setup like this..  See attached.. Where pfsense wan would be on your network, and the vms would be on the pfsense lan network..




  • Thank you very much for all your help! You've been more than helpful!
    I'm going to try and set this up today like it is on this attachment.

    Learned so much from your posts :)



  • OK.. So I've managed to set my network up to be the same as the one in the picture.
    Now the only issues are:
    how to get internet access in the VMs?
    how to get from the Linux box to vm1 (for example)?


  • Rebel Alliance Global Moderator

    Well, what is the gateway you set on pfsense wan?  If it points to your router as its gateway, you would have internet access for all your vms just like any other machine on your normal network.. Since out of the box pfsense would nat all the traffic to its IP that is on your normal network.

    To get to vm1 you would need to set up a port forward in pfsense for whatever port you want to send to the vm1 IP, then hit the pfsense wan IP from the linux box on that port.

    Only if you have pfsense not natting do you run into complications, because of possible asynchronous routing and your isp router not knowing how to get to the downstream network that is behind pfsense, and not being set up to nat that network or even allow it, etc..
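As an added illustration (not part of the thread or of pfsense itself), here is a small Python model of the policy the moderator describes: pfsense wan on the home network, the vulnerable VMs on the pfsense lan, the home network reaching a VM only through an explicit port forward, and the lab reaching the home network only through an explicit allow rule. All addresses, ports and the printer exception are constructed for the example.

```python
"""Model of the lab/dmz policy from the thread (constructed example, not pfsense code)."""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home network (pfsense "wan" side)
LAB_NET = ipaddress.ip_network("10.0.0.0/24")       # assumed pfsense lan holding the VMs
PF_WAN_IP = ipaddress.ip_address("192.168.1.50")    # assumed pfsense wan address
VM1 = ipaddress.ip_address("10.0.0.10")             # assumed vm1 (e.g. metasploitable)

@dataclass(frozen=True)
class Decision:
    action: str            # "forward", "allow", "nat" or "block"
    target: str = ""       # rewritten destination for forwards, rewritten source for nat
    reason: str = ""

# Port forwards on the wan IP: (wan port, proto) -> (internal host, internal port)
PORT_FORWARDS = {(80, "tcp"): (VM1, 80), (2222, "tcp"): (VM1, 22)}
# Explicit lab-to-home exceptions, e.g. a printer: (home host, port, proto)
LAB_TO_HOME_ALLOW = {(ipaddress.ip_address("192.168.1.20"), 9100, "tcp")}

def evaluate(src, dst, dport, proto="tcp"):
    """Decide what pfsense does with a new connection src -> dst:dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in HOME_NET and dst == PF_WAN_IP:
        fwd = PORT_FORWARDS.get((dport, proto))
        if fwd:
            return Decision("forward", f"{fwd[0]}:{fwd[1]}", "matched port forward")
        return Decision("block", reason="unsolicited traffic to wan IP without a forward")
    if src in HOME_NET and dst in LAB_NET:
        return Decision("block", reason="lab net sits behind nat; reach it via the wan IP")
    if src in LAB_NET and dst in LAB_NET:
        return Decision("allow", reason="same segment")
    if src in LAB_NET and dst in HOME_NET:
        if (dst, dport, proto) in LAB_TO_HOME_ALLOW:
            return Decision("allow", reason="explicit lab-to-home exception")
        return Decision("block", reason="lab may not reach the home network by default")
    if src in LAB_NET:
        return Decision("nat", str(PF_WAN_IP), "default outbound nat to the wan IP")
    return Decision("block", reason="no matching rule")
```

Running `evaluate("192.168.1.10", "192.168.1.50", 80)` shows the Linux box reaching vm1 through the forward, while `evaluate("10.0.0.10", "192.168.1.10", 445)` shows a compromised VM being stopped from reaching the host's network.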