Perimeter Defense with pfSense

The goal of this project is to build a homelab for practicing the setup of IT infrastructure, specifically for monitoring networks.

In the first part of this series, we will be installing pfSense. pfSense is an open-source router and firewall software solution that offers more features out of the box compared to a standard home router. These features include VLAN configuration, traffic monitoring, and the ability to download plugins for additional functionalities.

For this homelab, pfSense will be installed as a virtual machine (VM) and will serve as a gateway and firewall for an internal network where we will place our test machines. Here's how the lab will look by the end of this series:

Setting Up the Environment

Download pfSense Iso

Download the community edition iso from the pfsense website. https://www.pfsense.org/download/

Once downloaded, you can unzip on Windows 7zip (https://www.7-zip.org/) or on linux using:

#gzip -d filename

where filename is the name of the pfsense .gz file.

For this purpose I am using windows.

Upload the iso to your Proxmox server. Click on local drive you want to save on the left menu bar, click ISO images, then on the window that pops up, click select file and go the path where the iso is located. Hit upload.

Setting up Open vSwitch

Removing Linux Bridge

Instead of using the default Linux bridges, we will use Open vSwitch for features required later, such as port mirroring to monitor traffic in our lab networks.

If open vswitch isn’t already installed on your Proxmox server, run the following command:

#apt install ifupdown2 openvswitch-switch -y

In the Proxmox shell, run the following command to save the current network setting in case something goes wrong:

#cp /etc/network/interfaces /etc/network/interfaces.bak

Next, remove the Linux bridge. Navigate to your Proxmox node, click on "Network," then select "vmbr0." Click "Remove." DO NOT click "Apply Configuration" until the next setup steps are completed, or you will lose access to the web interface.

Switch Creation

We will now create two switches. The first one will be designated for servers accessible from our home/production network. The second switch will serve our internal network located behind the pfSense firewall.

Take note of the name of your network device; you'll need it for the next step. For instance, 'enp0s25' is the name of my interface.

Creating the Production Switch

To initiate the production switch, follow these steps on your Proxmox node:

1. Click on "Network."

2. Select "Create New OVS Bridge."

Continue with the configuration steps for your new Open vSwitch bridge.

For the bridge port of the production switch, use the name of your physical network interface. There is no need to assign an IP address at this stage. In the comment section, label it as "LAN Switch" or something distinctive to differentiate it from the pfSense switch we will be setting up next

Next, hit “Create,” then “OVS IntPort.” This step is to ensure we can log in to the web interface for Proxmox. The IP address and gateway will be for what is on your network.

Create another switch. Name it “pfSense Internal Switch” or some other identifier. This switch won’t have a bridge port since it is going to be attach to our pfSense firewall.

Create another OVS IntPort. This port is going to host the VLAN of the Active Director network. Include the VLAN tag in the name. The OVS bridge will be the bridge of the pfSense internal switch which in my case is vmbr1. Make sure to include the VLAN tag.

With the switches created, we’re now going to install pfSense.

Installing pfSense

VM Creation

Create a new VM. Name it pfSense. Hit next.

On OS choose pfsense iso, rest remains same and click next

For System default settings are ok.

For Disks I am giving it 32 GB, the minimum needed is only 8GB. Click next

For CPU I have selected 1 Cores ( minimum 1 Core) and next for memory 2048MB.

On Network make sure Bridge is set to vmbr0

Click Next and check the config, uncheck Start after created box (we dont want to start it now ) and click Finish .

Before starting the machine, we need to attach the other switch to this machine. Click on the pfSense node, then hardware.

Select the other network interface, vmbr1, as the bridge. Now our pfSense firewall is attached to both our internal home network so it can receive an IP address from our home router and the internal switch so it can act the router for the lab network.

*** Before we start, take a snapshot of our machine. Select the pfSense VM name and select “Snapshots”, then “Take Snapshot.” Name it something descriptive. ***

Restart proxmox to take affect all the changes

Now, we can start our machine. Select pfSense node then select “Console”, then select “Start.” Wait for the installation prompts.

Click “Accept.”

Make sure Install pfSense is highlighted, then hit OK.

Leave the keymap as default if it doesn’t need to be changed.

Then choose Auto(ZFS).

Choose Install

Choose stripe, we’re not optimizing for performance or redundancy for this machine.

Press the space key to select the disk, then press enter.

Hit the left arrow key to highlight “yes”, then press enter to start the installation.

Select “No’ on the next screen asking for final manual changes.

On the next screen, select “Reboot.”

Set VLANs

When the machine starts up, it will ask to configure VLANs. Type “y”, then enter.

Enter vtnet1.100 as the optional interface. Type “y” to confirm the interface assignments.

Next, you will be asked to enter parent interface of the VLAN. Type “vtnet1.” The VLAN tag is 100.

Press “enter”, when asked to enter another VLAN. Type in “vtnet0” for the WAN interface.

Assign IP Address Ranges

After pfSense finishes initializing, type in “2” to start assigning the IP address ranges to our interfaces.

Enter "10.0.10.1/28" as the IP address (assuming a 14-usable IP range for hosts; if you need fewer, consider using "10.0.10.1/29"). Press Enter for the IPv6 address (leave it blank). Type "y" to enable the DHCP server, and the address range will be from 10.0.10.1 to 10.0.10.14. Type "n" to opt out of using HTTPS. Press "Enter" to complete the configuration for this interface.

Back at the main menu, type “2” again. Type 3 to configure the OPT1 interface. The OPT1 IPv4 address is 10.10.20.1/28. Hit “enter” for the upstream gateway and IPv6 address. Type “n” for DHCP server. On this network, our domain controller will be the DHCP server. Press "Enter" when done.

And with that, pfSense is installed. In next part, we’ll access the pfSense web interface to configure the firewall rules, name all the interface ( for me : WAN, KaliLAB, ACTIVE_DIRECTORY_NETWORK) and make other adjustments.