
Building a Virtual Security Home Lab: Part 2 - pfSense Setup & Configuration

A step-by-step guide for building your very own Cybersecurity Home Lab using VirtualBox

Banner Background by logturnal on Freepik
Hacker Image by catalyststuff on Freepik

Changelog

  • Nov. 01, 2024
    • Updated the article to indicate pfSense download from the official website now requires an account.
    • Updated the pfSense download link to point to the official pfSense mirror, from where the ISO can be downloaded without an account.
    • Updated VirtualBox instructions to reference the “Expert” mode option.

In this module, we will go over the installation of pfSense. We will also complete the initial configuration required to onboard the subnets that make up our lab into pfSense.

Lab Startup
pfSense is going to be the default gateway and firewall for our home lab. The pfSense VM should be the first VM that is booted. Once the pfSense VM is up, the other VMs in the lab can be launched.

Download pfSense

Go to the following link: pfSense CE Download
As of writing, the latest version of pfSense is 2.7.2
Download the amd64 version ISO of the latest version available

pfSense Download
Downloads from the official pfSense website now require registration. The download from the website has also been changed to use Netgate, which is not the same as the CE edition. Make sure to use the link provided above to download the ISO directly from their mirror.

Is Netgate requiring a login to download CE now? : r/PFSENSE
PFSense ISO Download Requires an Account and Billing Address : r/PFSENSE

pfsense-download

The downloaded file will have the extension .iso.gz. Use a decompression tool like 7-Zip to extract the image.

download-1

After extraction, we will have a file that has the .iso extension.

download-2

pfSense VM Creation

Launch VirtualBox. Click on Tools in the sidebar and then select New from the toolbar.

vbox-01

For Name, you can enter anything that makes sense. The Folder option defines the location where the VM will be saved. From the ISO Image dropdown select Others and select the .iso file that we just downloaded. Select Type as BSD and Version as FreeBSD (64-bit) and then click on Next.

vbox-02

Here we select the amount of RAM and CPU that the VM can use. No need to change anything. Click on Next to continue.

vbox-03

On this page, we choose the amount of storage space to reserve for the VM. Enter 20GB in the input field.

vbox-04

10.2. Understanding Virtual Disks

Confirm that everything looks right and then click on Finish.

vbox-05

Once done we should see the newly created VM in the sidebar.

Ignore the “Security Home Lab” and “Other VMs” Groups that will be present in all the images. These groups contain VMs I have created for testing purposes. They will not be present in your instance.

Adding VM to Group

I like to keep my VMs organized by using the Groups feature of VirtualBox. This makes it easy to store related VMs together.

vbox-06

Right-click on the pfSense VM from the sidebar, select Move to Group -> [New]. The VM will now be added to a Group called New Group.

vbox-07

Right-click on the Group, and select Rename Group. Name the Group Firewall.

vbox-08

The final result should match the following:

vbox-09

pfSense VM Configuration

Before we boot the VM we need to configure some settings related to VirtualBox. Select the pfSense VM from the sidebar and then click on Settings.

vbox-10

System Configuration

UI Changes
Make sure “Expert” Mode is selected using the toggle at the top left corner of the menu. Some of the options that are required to set up this lab will not show up in “Basic” mode.

vbox-73

Select System -> Motherboard. In the Boot Order section, use the arrows to move Hard Disk to the top; Optical should be next. Ensure that Floppy is unchecked.

vbox-11

Audio & USB Configuration

Go to the Audio tab and uncheck the Enable Audio option. Since the VM we are configuring is a router we do not need audio.

vbox-12

Go to the USB tab and uncheck the Enable USB Controller option. Since the VM we are configuring is a router we do not need USB support.

vbox-13

Network Configuration

Go to Network -> Adapter 1. For the Attached to field select NAT. Expand the Advanced section and for Adapter Type select Paravirtualized Network (virtio-net).

vbox-14

Select Adapter 2. Tick the Enable Network Adapter option. For the Attached to option select Internal Network. For Name enter LAN 0. Expand the Advanced section. For Adapter Type select Paravirtualized Network (virtio-net).

vbox-15

Select Adapter 3. Tick the Enable Network Adapter option. For the Attached to option select Internal Network. For Name enter LAN 1. Expand the Advanced section. For Adapter Type select Paravirtualized Network (virtio-net).

vbox-16

Select Adapter 4. Tick the Enable Network Adapter option. For the Attached to option select Internal Network. For Name enter LAN 2. Expand the Advanced section. For Adapter Type select Paravirtualized Network (virtio-net).

Once done click on OK to save the changes and close the configuration menu.

vbox-17

VirtualBox Network Settings: All You Need to Know

The network diagram shown in the first module consisted of 6 network interfaces. VirtualBox only allows us to configure 4 interfaces using the UI. Towards the end of the guide we will see how to add more interfaces using the VirtualBox CLI.
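Before the first boot it is worth confirming that the four adapters really are attached as described, since an adapter left on Bridged instead of Internal Network would connect a lab segment to the host's real network. The following Python check is an added example, not part of the original guide; it reads the key="value" lines printed by VBoxManage showvminfo with the --machinereadable option, and the sample input is constructed, with two deliberate mistakes.

```python
"""Check a pfSense VM's VirtualBox adapters against the layout in this guide."""
import sys

# Adapter slot -> (attachment type, internal network name) from the steps above.
EXPECTED = {
    1: ("nat", None),
    2: ("intnet", "LAN 0"),
    3: ("intnet", "LAN 1"),
    4: ("intnet", "LAN 2"),
}

def parse_vminfo(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info

def check_adapters(text):
    """Return one message per adapter setting that differs from the guide."""
    info = parse_vminfo(text)
    problems = []
    for slot, (attach, net) in EXPECTED.items():
        got = info.get(f"nic{slot}", "none")
        if got != attach:
            # e.g. "bridged" would put a lab segment on the host's real network
            problems.append(f"adapter {slot}: attached to {got}, expected {attach}")
            continue
        name = info.get(f"intnet{slot}")
        if net is not None and name != net:
            # Internal network names must match exactly on every VM that joins them
            problems.append(f"adapter {slot}: network {name!r}, expected {net!r}")
        if info.get(f"nictype{slot}") != "virtio":
            problems.append(f"adapter {slot}: adapter type is not virtio")
    return problems

# Constructed sample of the relevant lines (not captured from a real VM).
SAMPLE = ('nic1="nat"\nnictype1="virtio"\n'
          'nic2="intnet"\nintnet2="LAN 0"\nnictype2="virtio"\n'
          'nic3="bridged"\nnictype3="virtio"\n'
          'nic4="intnet"\nintnet4="LAN2"\nnictype4="virtio"\n')

if __name__ == "__main__":
    # Real use: VBoxManage showvminfo "<vm name>" --machinereadable | python check.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(check_adapters(text)) or "adapter layout matches the guide")
```

Run against the constructed sample, it reports adapter 3 (bridged) and adapter 4 (network named "LAN2" instead of "LAN 2").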

pfSense Installation

Select the pfSense VM from the sidebar and click on Start from the toolbar.

pfsense-1

On boot, a banner will be shown followed by a lot of text. Wait for the below screen to appear. Press Enter to Accept the agreement.

pfsense-2

Press Enter to start the Installation.

pfsense-3

Press Enter to select the Auto (ZFS) partition option.

pfsense-4

Press Enter to select Proceed with Installation.

pfsense-5

Press Enter to select Stripe - No Redundancy.

pfsense-6

Use the Spacebar key to select the Hard Drive (ada0) then press Enter to continue.

pfsense-7

Use the Left Arrow to select YES and then press Enter to continue.

pfsense-8

Wait for the installation to complete.

pfsense-9

Press Enter to Reboot the VM.

pfsense-10

pfSense Configuration

Once pfSense reboots the first order of business is to onboard the adapters we configured in the VM settings.

Should VLANs be set up now? n
In the next step, we will configure the interfaces manually.

pfsense-11

Enter the WAN interface name: vtnet0
Enter the LAN interface name: vtnet1
Enter the Optional 1 interface name: vtnet2
Enter the Optional 2 interface name: vtnet3

Do you want to proceed?: y

pfsense-12

Since the WAN interface of pfSense is managed by VirtualBox it has been assigned an IPv4 address by the VirtualBox DHCP server. pfSense has also assigned an IPv4 address to the LAN interface using its DHCP service. The OPT1 and OPT2 interfaces have not been assigned any IP address. We do not want the IP addresses of the interfaces to change on boot so we will assign static IPv4 addresses to the LAN, OPT1 and OPT2 interfaces.

pfsense-13

The IP address of the WAN interface can be different in your case since it is assigned randomly by the VirtualBox DHCP server.

Configuring LAN (vtnet1)

Enter 2 to select “Set interface(s) IP address”. Enter 2 to select the LAN interface.

Configure IPv4 address LAN interface via DHCP?: n
Enter the new LAN IPv4 address: 10.0.0.1
Enter the new LAN IPv4 subnet bit count: 24

pfsense-14

For the next question directly press Enter. Since this is a LAN interface we do not have to worry about configuring the upstream gateway.

Configure IPv6 address LAN interface via DHCP6: n
For the new LAN IPv6 address question press Enter
Do you want to enable the DHCP server on LAN?: y
Enter the start address of the IPv4 client address range: 10.0.0.11
Enter the end address of the IPv4 client address range: 10.0.0.243
Do you want to revert to HTTP as the webConfigurator protocol?: n

pfsense-15

pfSense will use the inputs we provided and configure the interface.
Press Enter to complete the LAN interface configuration.

pfsense-16

Once the changes apply we see that the IP address of the LAN interface has changed to the IP address that we provided.

pfsense-17

Configuring OPT1 (vtnet2)

Enter 2 to select “Set interface(s) IP address”. Enter 3 to select the OPT1 interface.

Configure IPv4 address OPT1 interface via DHCP?: n
Enter the new OPT1 IPv4 address: 10.6.6.1
Enter the new OPT1 IPv4 subnet bit count: 24

pfsense-18

For the next question directly press Enter. Since OPT1 is a LAN interface we do not have to worry about configuring the upstream gateway.

Configure IPv6 address OPT1 interface via DHCP6: n
For the new OPT1 IPv6 address question press Enter
Do you want to enable the DHCP server on OPT1?: y
Enter the start address of the IPv4 client address range: 10.6.6.11
Enter the end address of the IPv4 client address range: 10.6.6.243
Do you want to revert to HTTP as the webConfigurator protocol?: n

pfsense-19

Press Enter to save the changes and return to the main menu.

Configuring OPT2 (vtnet3)

Enter 2 to select “Set interface(s) IP address”. Enter 4 to select the OPT2 interface.

Configure IPv4 address OPT2 interface via DHCP?: n
Enter the new OPT2 IPv4 address: 10.80.80.1
Enter the new OPT2 IPv4 subnet bit count: 24

pfsense-20

For the next question directly press Enter. Since OPT2 is a LAN interface we do not have to worry about configuring the upstream gateway.

Configure IPv6 address OPT2 interface via DHCP6: n
For the new OPT2 IPv6 address question press Enter
Do you want to enable the DHCP server on OPT2?: n
Do you want to revert to HTTP as the webConfigurator protocol?: n

pfsense-21

OPT2 will be used to set up the Active Directory (AD) Lab. The Domain Controller (DC) in the lab will act as the DHCP server. Since the DC will perform DHCP we have disabled DHCP-based IP address assignment for this interface in pfSense.

Press Enter to save the changes and return to the main menu.

The IP addresses for the LAN, OPT1 and OPT2 interfaces should be as follows:

pfsense-22
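The addressing entered above can be sanity-checked offline. This added example (not part of the original guide) uses Python's ipaddress module to confirm that the three lab subnets do not overlap each other or the WAN, and that each DHCP range sits inside its subnet without covering the interface address. The WAN range 10.0.2.0/24 is an assumption: it is VirtualBox's default NAT network for adapter 1.

```python
import ipaddress

# Values entered at the pfSense console in the steps above.
PLAN = {
    "LAN":  {"ip": "10.0.0.1",   "bits": 24, "dhcp": ("10.0.0.11", "10.0.0.243")},
    "OPT1": {"ip": "10.6.6.1",   "bits": 24, "dhcp": ("10.6.6.11", "10.6.6.243")},
    "OPT2": {"ip": "10.80.80.1", "bits": 24, "dhcp": None},  # the DC serves DHCP here
}
# Assumption: the WAN adapter uses VirtualBox's default NAT range for adapter 1.
WAN_NET = ipaddress.ip_network("10.0.2.0/24")

def pool_size(dhcp):
    """Number of addresses in an inclusive (start, end) DHCP range."""
    start, end = (ipaddress.ip_address(a) for a in dhcp)
    return int(end) - int(start) + 1

def validate(plan, wan=WAN_NET):
    """Return a list of problems: overlapping subnets or a bad DHCP range."""
    problems = []
    seen = {"WAN": wan}
    for name, cfg in plan.items():
        iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['bits']}")
        net = iface.network
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name} {net} overlaps {other} {other_net}")
        seen[name] = net
        if cfg["dhcp"] is None:
            continue
        start, end = (ipaddress.ip_address(a) for a in cfg["dhcp"])
        if start > end:
            problems.append(f"{name}: DHCP range is reversed")
        elif start not in net or end not in net:
            problems.append(f"{name}: DHCP range leaves {net}")
        elif start <= iface.ip <= end:
            problems.append(f"{name}: interface address {iface.ip} is inside the pool")
        elif end == net.broadcast_address or start == net.network_address:
            problems.append(f"{name}: pool includes a network or broadcast address")
    return problems

if __name__ == "__main__":
    for name, cfg in PLAN.items():
        size = pool_size(cfg["dhcp"]) if cfg["dhcp"] else 0
        print(f"{name}: {cfg['ip']}/{cfg['bits']}, {size} DHCP addresses")
    print(validate(PLAN) or "no overlaps, DHCP ranges are consistent")
```

The addresses below .11 and above .243 in each /24 stay outside the pool, which leaves room for statically addressed hosts.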

With this, we have completed the onboarding of the interfaces in pfSense. There are additional settings that need to be configured. We will change these settings once we set up Kali Linux in the next module. From Kali Linux, we will access the pfSense Web Interface and proceed with the setup.

The pfSense Web Interface is accessible from all the LAN interfaces.

Shutdown pfSense

When we start the lab pfSense is the first VM that has to be booted. When we shut down the lab pfSense will be the last VM that is stopped.

Enter an option: 6 (Halt system)
Do you want to proceed?: y

This will initiate the shutdown sequence.

pfsense-23

Post-Installation Cleanup

After the VM is shut down, click on Settings from the toolbar.

vbox-10

Go to the Storage tab. In the Storage Devices section click on the pfSense .iso image then click on the small disk image on the right side of the Optical Drive option.

From the dropdown select Remove Disk from Virtual Drive. Click on OK to save the changes and close the configuration menu.

pfsense-24

The .iso file along with the .iso.gz file that was downloaded to create the VM can be deleted if you do not want to store them.

In the next module, we will set up Kali Linux on the LAN interface. This VM will be used to configure and manage pfSense. It will also be used as the attack VM to target the vulnerable systems on the OPT1 (CYBER_RANGE).

Part 3 - Kali Linux Setup

This post is licensed under CC BY 4.0 by the author.