Home network schema

General pfSense Questions

jardacle:

Hello!
I am wondering if something like the following would be possible:
2 physical PCs:

• Linux box
• Windows box with VirtualBox VMs

VirtualBox:

• pfSense VM
• Metasploitable VM
• Ubuntu VM

The Metasploitable VM and Ubuntu VM should be accessed through the pfSense VM.

Now what I would like to do is get from the Linux box into the Metasploitable VM or the Ubuntu VM.
Is that possible at all?
Any other ideas or suggestions?

Thanks in advance,
jardacle

johnpoz (LAYER 8 Global Moderator):

Yes, it's possible.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

jardacle:

Any suggestions about how to set that up?
I know how to set it up so the VMs get a LAN IP from pfSense, but I have no idea how to access them from my Linux box.

johnpoz (LAYER 8 Global Moderator):

So the way I take it you're setting this up is that your normal physical network is the WAN to pfSense. But it could very well be just another LAN segment. How are you wanting to do it? It doesn't seem like you're using pfSense as your normal ISP router, just as a firewall/router between your network and some VMs.

Well, if the pfSense WAN is your network and the VMs are on their own virtual network, then just create a port forward on pfSense to the ports and IPs you want. Or you could just completely disable NAT if this is all inside your network and just firewall. Your VM network could be different than your normal network, or you could turn pfSense into a bridge, etc., etc.

There are always multiple ways to skin the cat; knowing the breed of cat you're working with helps determine the best way to skin it. But as of now I don't know if you have a Siamese or a Calico Manx, or maybe you actually want a Balinese?

jardacle:

Yeah, currently I've been using pfSense as a firewall/router and the pfSense WAN is my network, because that's the most used way I found when googling for guides.

It's a penetration testing lab, so the idea is to be as real as it can be, with separate networks.

Any suggestions on what road to take?

johnpoz (LAYER 8 Global Moderator):

Well, if your boxes are behind pfSense and Linux is the attacker, then unless you forward traffic, or do not NAT and allow traffic, Linux is not going to see those machines behind pfSense at all.

You can pen test it all you want against the pfSense WAN IP. I don't think you're going to learn much ;) What exactly are you looking to test? What is the point of a firewall between you and testing exploits against machines? The firewall's job is to prevent access to those machines that you do not want.

If you want to forward port 80 or 443 to your VMs, there you go. So you don't know how to port forward?

jardacle:

That makes sense.
Wouldn't bypassing a firewall/IDS be good practice to begin with?
Regardless, I need pfSense as a virtual lab router so my host can't be compromised by vulnerable VMs, don't I?

I'm sorry, but I'm pretty new at this :-[
I know how to port forward in pfSense. Going to try that when I get home.

johnpoz (LAYER 8 Global Moderator):

So the typical role of pfSense, or anything like pfSense, is at the edge, where there is the public side and then the users' network, which is RFC 1918 space. So NAT is normally going to be done, unless you're wanting to play with IPv6. So yeah, normally the only unsolicited traffic that would be allowed from the public network to a user's machine would be through a port forward.

As to the lab setup of your VMs, yes, I would normally think you would want isolation between them and your normal network, but normally that would be in the other direction, i.e. you wouldn't want your lab machines to talk to your network without specific permission in the firewall. For example, maybe you want to print something from your lab machines. Or maybe you want a lab machine to have access to a video camera or something to test something. Normally your network would have unfettered access into the lab network. Let's call it a DMZ or firewalled segment.

If that is how you were going to set it up, then I wouldn't be doing NAT between your network and the VMs. And whether your VMs in this lab/DMZ needed internet access would determine how you would need to set it up.

But in general, let's look at your setup like this. See attached. The pfSense WAN would be on your network, and the VMs would be on the pfSense LAN network.

[attachment: yoursetupVB.png]

jardacle:

Thank you very much for all your help! You've been more than helpful!
I'm going to try and set this up today like it is in this attachment.

Learned so much from your posts :)

jardacle:

OK. So I've managed to set my network up to be the same as the one in the picture.
Now the only issues are:

• how to get internet access in the VMs?
• how to get from the Linux box to VM1 (for example)?

johnpoz (LAYER 8 Global Moderator):

Well, what is the gateway you set on the pfSense WAN? If it points to your router as its gateway, you would have internet access for all your VMs just like any other machine on your normal network, since out of the box pfSense would NAT all the traffic to its IP that is on your normal network.

To get to VM1 you would need to set up a port forward in pfSense for whatever port you want to send to the VM1 IP, then hit the pfSense WAN IP from the Linux box on that port.

Only if you have pfSense not NATing do you run into complications, because of possible asynchronous routing and your ISP router not knowing how to get to the downstream network that is behind pfSense, and not being set up to NAT that network or even allow it, etc.

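The three paths johnpoz describes in this thread (a VM reaching the internet through pfSense's outbound NAT, the Linux box reaching a VM only via a port forward on the pfSense WAN IP, and the no-NAT routed variant that needs a route on the upstream router) can be checked against a small traffic-path model. The following Python is an added example and is not from the thread or from pfSense itself; the home subnet, lab subnet, pfSense WAN address, VM address and ports are all constructed for the example and should be replaced with your own.

```python
"""Traffic-path model for the layout in the thread: pfSense WAN on the home LAN,
lab VMs on pfSense LAN, and the Linux box a host on the home LAN.
Added example, not from the thread; every address and port is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOME_NET = ip_network("192.168.1.0/24")      # physical network, pfSense WAN side (constructed)
LAB_NET = ip_network("10.10.0.0/24")         # pfSense LAN, where the VMs live (constructed)
PFSENSE_WAN_IP = ip_address("192.168.1.50")  # pfSense's address on the home LAN (constructed)


@dataclass(frozen=True)
class PortForward:
    """NAT port forward on the WAN interface: WAN port -> lab host:port."""
    wan_port: int
    target_ip: str
    target_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen on the wire."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reaches: Optional[str]    # host that finally receives the packet
    port: Optional[int]       # port it is delivered to
    src_seen: Optional[str]   # source address that host sees
    reason: str


def evaluate(flow: Flow, forwards: List[PortForward], outbound_nat: bool = True) -> Verdict:
    src, dst = ip_address(flow.src), ip_address(flow.dst)

    # 1. Home LAN host hitting pfSense's WAN address: only a matching port
    #    forward lets it through; the WAN interface's default policy is deny.
    if src in HOME_NET and dst == PFSENSE_WAN_IP:
        for pf in forwards:
            if pf.proto == flow.proto and pf.wan_port == flow.dport:
                return Verdict(True, pf.target_ip, pf.target_port, flow.src,
                               f"port forward {pf.wan_port}/{pf.proto} -> {pf.target_ip}:{pf.target_port}")
        return Verdict(False, None, None, None, "WAN: no port forward matches, default deny")

    # 2. Same segment on either side: switched traffic, pfSense never sees it.
    if (src in HOME_NET and dst in HOME_NET) or (src in LAB_NET and dst in LAB_NET):
        return Verdict(True, flow.dst, flow.dport, flow.src, "same segment, pfSense not involved")

    # 3. Lab VM going out: the default LAN pass rule allows it; with outbound
    #    NAT the rest of the network sees pfSense's WAN IP as the source.
    if src in LAB_NET:
        if outbound_nat:
            return Verdict(True, flow.dst, flow.dport, str(PFSENSE_WAN_IP), "LAN pass rule + outbound NAT")
        return Verdict(True, flow.dst, flow.dport, flow.src,
                       "LAN pass rule, no NAT: replies need a route to the lab subnet on the upstream router")

    # 4. Home LAN host addressing a lab VM's real IP directly.
    if src in HOME_NET and dst in LAB_NET:
        if outbound_nat:
            return Verdict(False, None, None, None, "lab subnet is hidden behind NAT; use a port forward")
        return Verdict(True, flow.dst, flow.dport, flow.src,
                       "routed, no NAT: needs a WAN pass rule and a static route on the home router")

    return Verdict(False, None, None, None, "no path between these networks")


def walk(flows: List[Flow], forwards: List[PortForward], outbound_nat: bool = True) -> List[Verdict]:
    """Evaluate a batch of flows in order, handy for a table of test cases."""
    return [evaluate(f, forwards, outbound_nat) for f in flows]


if __name__ == "__main__":
    forwards = [PortForward(2222, "10.10.0.10", 22),   # Linux box -> VM1 ssh (constructed)
                PortForward(80, "10.10.0.10", 80)]     # Linux box -> VM1 http (constructed)
    cases = [
        Flow("192.168.1.20", "192.168.1.50", 2222),    # Linux box -> pfSense WAN IP, forwarded port
        Flow("192.168.1.20", "192.168.1.50", 445),     # same target, no forward exists
        Flow("192.168.1.20", "10.10.0.10", 22),        # Linux box straight at the lab IP
        Flow("10.10.0.10", "192.168.1.20", 53),        # VM1 talking out to the home LAN
    ]
    for f, v in zip(cases, walk(cases, forwards)):
        print(f"{f.src} -> {f.dst}:{f.dport}  allowed={v.allowed}  "
              f"delivered_to={v.reaches}:{v.port}  src_seen={v.src_seen}  ({v.reason})")
```

Running it with the default `outbound_nat=True` reproduces the thread's conclusion: the Linux box only reaches VM1 through the forwarded port on the pfSense WAN address, a direct connection to the 10.10.0.0/24 address fails, and the VMs get out with pfSense's WAN IP as their source. Flipping `outbound_nat` to `False` models the "just firewall" variant, where the verdict text carries the upstream-route caveat from the last post.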