# FILE: MOD1_Secure_Infrastructure.md

# MODULE 1: SECURE INFRASTRUCTURE PROVISIONING

## Learning Objectives

By completing this module, you will:

- Configure VLAN-aware networking in Proxmox
- Deploy and configure pfSense as a virtual firewall/router
- Create isolated network segments using 802.1Q VLAN tagging
- Implement firewall rules to prevent malicious traffic from escaping the lab
- Validate network segmentation through connectivity testing

---

## Key Concepts

### Hypervisor Networking

**Proxmox uses Linux Bridges** (`vmbr0`, `vmbr1`, etc.) to connect virtual network interface cards (vNICs) to physical hardware. Think of a bridge as a virtual switch inside your hypervisor.

### VLAN Tagging (802.1Q)

**What is a VLAN?** A Virtual Local Area Network allows multiple isolated networks to coexist on the same physical infrastructure. Each VLAN has a unique ID (1-4094).

**Tagged vs Untagged Traffic:**

- **Untagged:** Normal traffic (like your home Wi-Fi) - no VLAN ID
- **Tagged:** Traffic with an 802.1Q header containing the VLAN ID
- **Trunk Port:** Network port that carries multiple VLANs (tagged)
- **Access Port:** Network port for a single VLAN (untagged)

### The Virtual Firewall

**pfSense** will act as the default gateway for all lab VLANs, strictly controlling traffic flow between them. Without proper firewall rules, your attack traffic could leak into your home network!

---

## LAB 1.1: PROXMOX NETWORK CONFIGURATION

### Prerequisites

- Proxmox VE installed and accessible via web interface (https://PROXMOX-IP:8006)
- Physical network port connected to your home network

### Step-by-Step: Enable VLAN Awareness

```
1. Access Proxmox Web Interface:
   - Open browser: https://PROXMOX-IP:8006
   - Log in with root credentials

2. Navigate to Network Configuration:
   - Click on your Proxmox node (e.g., "pve")
   - Click "System" > "Network"

3. Identify Your Bridge:
   - You should see "vmbr0" (default bridge)
   - Note which physical interface it's connected to (e.g., eno1, eth0)

4. Enable VLAN Awareness:
   - Select "vmbr0"
   - Click "Edit"
   - Check the box: "VLAN aware"
   - Comment: "VLAN-aware bridge for security lab"
   - Click "OK"

5. Apply Configuration:
   - Click "Apply Configuration" at the top
   - WARNING: This may briefly disconnect your Proxmox web interface
   - Wait 10 seconds, then refresh the browser

6. Verify Configuration:
   - SSH into the Proxmox host (or use the Shell button in the web GUI)
   - Run: cat /etc/network/interfaces
   - Verify "bridge-vlan-aware yes" appears under vmbr0
```

**Expected Output (Proxmox Bridge Config):**

```
auto vmbr0
iface vmbr0 inet static
        address 192.168.2.100/24
        gateway 192.168.2.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes

# Note: Your Proxmox hypervisor management remains on 192.168.2.0/24 (VLAN 2)
# Lab VMs will use VLAN tags 100-400 for the 10.10.x.0/24 networks
# pfSense will route between the lab VLANs and provide internet via WAN
```

---

## LAB 1.2: PFSENSE VM DEPLOYMENT

### pfSense VM Specifications

- **CPU:** 2 cores
- **RAM:** 2048 MB (2 GB)
- **Disk:** 16 GB (thin provision)
- **Network Adapters:** 2
  - vNIC 0 (WAN): Bridged to vmbr0, VLAN Tag: 2 (connects to 192.168.2.0/24)
  - vNIC 1 (LAN): Bridged to vmbr0, no VLAN tag (we will create subinterfaces for VLANs 100-400)

### Step-by-Step: Create pfSense VM

```
1. Download pfSense ISO:
   - Visit: https://www.pfsense.org/download/
   - Select: AMD64 (64-bit), DVD Image (ISO Installer)
   - Upload to Proxmox: Storage > ISO Images > Upload

2. Create Virtual Machine:
   - Click "Create VM" (top right)

   GENERAL TAB:
   - Node: (your Proxmox node)
   - VM ID: 100
   - Name: pfSense-Firewall
   - Click "Next"

   OS TAB:
   - ISO image: pfsense-CE-X.X.X-amd64.iso
   - Guest OS Type: Linux
   - Kernel: 6.x - 2.6 Kernel
   - Click "Next"

   SYSTEM TAB:
   - Graphic card: Default
   - Machine: Default (i440fx)
   - BIOS: Default (SeaBIOS)
   - Qemu Agent: Unchecked (for now)
   - Click "Next"

   DISKS TAB:
   - Bus/Device: SCSI / 0
   - Storage: local-lvm (or your storage)
   - Disk size: 16 GB
   - Click "Next"

   CPU TAB:
   - Sockets: 1
   - Cores: 2
   - Type: host (or kvm64)
   - Click "Next"

   MEMORY TAB:
   - Memory (MiB): 2048
   - Click "Next"

   NETWORK TAB (WAN Interface):
   - Bridge: vmbr0
   - VLAN Tag: 2 (connects to 192.168.2.0/24 management network)
   - Model: VirtIO (paravirtualized)
   - Click "Next"

   CONFIRM:
   - Start after created: Unchecked
   - Click "Finish"

3. Add Second Network Interface (LAN):
   - Select pfSense VM > Hardware
   - Click "Add" > "Network Device"
   - Bridge: vmbr0
   - VLAN Tag: (leave empty; we'll tag inside pfSense)
   - Model: VirtIO
   - Click "Add"

4. Start pfSense Installation:
   - Select pfSense VM > Console
   - Click "Start"
   - Wait for the boot menu
```

### pfSense Installation Process

```
1. Boot Menu:
   - Select: "1) Boot Multi User [Enter]"
   - Wait for the FreeBSD kernel to load

2. Welcome Screen:
   - Accept: Press Enter

3. Install pfSense:
   - Select: "Install" > "OK"

4. Partitioning:
   - Select: "Auto (ZFS)" > "OK"
   - Select: "Stripe" > "OK"
   - Select: vtbd0 (your virtual disk) > Spacebar to select > "OK"
   - Confirm: "YES" (will erase disk)
   - Wait for installation (2-3 minutes)

5. Reboot:
   - Select: "No" (no manual configuration)
   - Select: "Reboot"
   - When the reboot starts: VM > Hardware > CD/DVD > "Do not use any media"
   - Wait for pfSense to boot

6. Interface Assignment:
   - Should VLANs be set up now? n (No - we'll do this via the web GUI)
   - Enter WAN interface name: vtnet0
   - Enter LAN interface name: vtnet1
   - Do you want to proceed? y (Yes)

7. pfSense Menu:
   - You should now see the pfSense menu
   - Note the LAN IP address (default: 192.168.1.1)
```

---

## LAB 1.3: PFSENSE WEB INTERFACE SETUP

### Temporary Access to pfSense WebGUI

Since the pfSense LAN is 192.168.1.1 but we want our management network on VLAN 100, we need temporary access:

```
OPTION A: Create Temporary VM in Proxmox
1. Create a small Linux VM (Alpine or Ubuntu)
2. Set its vNIC to vmbr0, no VLAN tag
3. Configure static IP: 192.168.1.50/24
4. Open browser to: https://192.168.1.1
5. Default credentials: admin / pfsense

OPTION B: Configure via Console (Recommended)
1. In the pfSense console menu, select: 2) Set interface(s) IP address
2. Select: 1 - WAN
3. Configure IPv4 address WAN interface via DHCP? n (No, static)
4. Enter new IPv4 address: 192.168.2.2
5. Enter subnet bit count: 24
6. Enter upstream gateway: 192.168.2.1
7. Configure IPv6? n (No)
8. Do you want to revert to HTTP? n (No, keep HTTPS)
9. Press Enter to complete
10. Return to the menu, select: 2) Set interface(s) IP address
11. Select: 2 - LAN
12. Enter new IP: 10.10.1.1
13. Enter subnet: 24
14. No upstream gateway
15. No DHCP server for now
16. Do NOT configure IPv6
17. Do you want to revert to HTTP? n (No, keep HTTPS)

Now access pfSense from the Proxmox host (both on 192.168.2.0/24):
  https://192.168.2.2 (via WAN interface)
or configure a temporary VM on VLAN 100 to access https://10.10.1.1
```

### pfSense Initial Wizard

```
1. Access WebGUI:
   - Browser: https://10.10.1.1
   - Accept the self-signed certificate warning
   - Username: admin
   - Password: pfsense

2. Setup Wizard:
   - Click "Next"

   GENERAL INFORMATION:
   - Hostname: pfsense
   - Domain: apophis.local
   - Primary DNS: 8.8.8.8 (Google DNS)
   - Secondary DNS: 1.1.1.1 (Cloudflare DNS)
   - Uncheck "Override DNS"
   - Click "Next"

   TIME SERVER:
   - Time server hostname: pool.ntp.org
   - Timezone: (Select your timezone)
   - Click "Next"

   WAN CONFIGURATION:
   - Type: Static IP
   - IP Address: 192.168.2.2
   - Subnet Mask: 24 (/24)
   - Upstream Gateway: 192.168.2.1
   - Click "Next"

   LAN CONFIGURATION:
   - IP Address: 10.10.1.1
   - Subnet Mask: 24 (/24)
   - Click "Next"

   ADMIN PASSWORD:
   - Change the default password from "pfsense" to a strong password
   - Confirm password
   - Click "Next"

   RELOAD:
   - Click "Reload"
   - Wait for pfSense to apply the configuration

3. Log in with New Password:
   - Username: admin
   - Password: (your new password)
```

---

## LAB 1.4: VLAN INTERFACE CREATION

Now we create VLANs 200, 300, 400 for the Red/Blue/Victim networks.

### Step-by-Step: Create VLANs

```
1. Navigate to VLAN Configuration:
   - Interfaces > Assignments > VLANs

2. Create VLAN 200 (Red Team):
   - Click "+ Add"
   - Parent Interface: vtnet1 (LAN interface)
   - VLAN Tag: 200
   - VLAN Priority: 0
   - Description: RED_TEAM
   - Click "Save"

3. Create VLAN 300 (Blue Team):
   - Click "+ Add"
   - Parent Interface: vtnet1
   - VLAN Tag: 300
   - Description: BLUE_TEAM
   - Click "Save"

4. Create VLAN 400 (Victim Network):
   - Click "+ Add"
   - Parent Interface: vtnet1
   - VLAN Tag: 400
   - Description: VICTIM_NET
   - Click "Save"

5. Verify VLANs:
   - You should see: vtnet1.200, vtnet1.300, vtnet1.400
```

### Assign VLANs to Interfaces

```
1. Navigate to Interface Assignments:
   - Interfaces > Assignments

2. Assign VLAN 200:
   - Available network ports: Select "vtnet1.200 (RED_TEAM)"
   - Click "+ Add"
   - New interface appears as "OPT1"

3. Assign VLAN 300:
   - Select "vtnet1.300 (BLUE_TEAM)"
   - Click "+ Add" (becomes OPT2)

4. Assign VLAN 400:
   - Select "vtnet1.400 (VICTIM_NET)"
   - Click "+ Add" (becomes OPT3)

5. Configure OPT1 (Red Team):
   - Click "OPT1"
   - Check "Enable interface"
   - Description: RED_TEAM
   - IPv4 Configuration Type: Static IPv4
   - IPv4 Address: 10.10.2.1 / 24
   - Click "Save"
   - Click "Apply Changes"

6. Configure OPT2 (Blue Team):
   - Click "OPT2"
   - Enable interface
   - Description: BLUE_TEAM
   - IPv4 Address: 10.10.3.1 / 24
   - Click "Save" > "Apply Changes"

7. Configure OPT3 (Victim Network):
   - Click "OPT3"
   - Enable interface
   - Description: VICTIM_NET
   - IPv4 Address: 10.10.4.1 / 24
   - Click "Save" > "Apply Changes"
```

---

## LAB 1.5: FIREWALL RULE CONFIGURATION

**Critical Security Principle:** Default Deny Everything, Explicitly Allow Only What's Needed

### Understanding pfSense Firewall Logic

- Rules are processed **top to bottom**
- **First match wins** (stops processing)
- Each interface has its own rule set
- Traffic is filtered on the **incoming interface**

### Step-by-Step: Configure Security Rules

```
1. Enable DHCP for Each VLAN:
   - Services > DHCP Server > RED_TEAM
   - Check "Enable DHCP server on RED_TEAM"
   - Range: 10.10.2.100 to 10.10.2.200
   - Click "Save"
   - Repeat for BLUE_TEAM (10.10.3.100 - .200)
   - Repeat for VICTIM_NET (10.10.4.100 - .200)

2. Configure RED_TEAM Firewall Rules:
   - Firewall > Rules > RED_TEAM

   DELETE DEFAULT "Allow All" RULE:
   - Click the trash icon on the default allow rule
   - Confirm deletion

   ADD RULE 1: Allow Red to Victim Network
   - Click "Add" (up arrow to add to top)
   - Action: Pass
   - Interface: RED_TEAM
   - Address Family: IPv4
   - Protocol: Any
   - Source: RED_TEAM net
   - Destination: VICTIM_NET net
   - Description: Allow Red Team to attack Victim Network
   - Click "Save"

   ADD RULE 2: Allow Red to Internet (for tool updates)
   - Click "Add"
   - Action: Pass
   - Interface: RED_TEAM
   - Protocol: Any
   - Source: RED_TEAM net
   - Destination: Any
   - Description: Allow Red Team internet access for tools
   - Click "Save"

   ADD RULE 3: Block Red to Everything Else (implicit, but good practice)
   - Click "Add" (add to bottom)
   - Action: Block
   - Interface: RED_TEAM
   - Protocol: Any
   - Source: Any
   - Destination: Any
   - Description: Block all other Red Team traffic
   - Click "Save"
   - Click "Apply Changes"

3. Configure BLUE_TEAM Firewall Rules:
   - Firewall > Rules > BLUE_TEAM
   - Delete the default allow rule

   ADD RULE: Allow Blue to Monitor All Networks
   - Action: Pass
   - Interface: BLUE_TEAM
   - Protocol: Any
   - Source: BLUE_TEAM net
   - Destination: Any
   - Description: Allow Blue Team full network access
   - Click "Save" > "Apply Changes"

4. Configure VICTIM_NET Firewall Rules:
   - Firewall > Rules > VICTIM_NET
   - Delete the default allow rule

   ADD RULE 1: Block Victim to Red Team
   - Action: Block
   - Interface: VICTIM_NET
   - Protocol: Any
   - Source: VICTIM_NET net
   - Destination: RED_TEAM net
   - Description: CRITICAL - Prevent victim from reaching attacker
   - Log: Check "Log packets matched by this rule"
   - Click "Save"

   ADD RULE 2: Block Victim to Blue Team
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: BLUE_TEAM net
   - Description: Isolate victims from SOC network
   - Click "Save"

   ADD RULE 3: Block Victim to WAN (Internet)
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: WAN net
   - Description: Prevent compromised systems from calling home
   - Log: Check
   - Click "Save"

   ADD RULE 4: Allow Victim to pfSense (for DNS, DHCP)
   - Action: Pass
   - Source: VICTIM_NET net
   - Destination: This Firewall (self)
   - Description: Allow access to pfSense services
   - Click "Save"

   ADD RULE 5: Block Victim Everything Else
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: Any
   - Description: Default deny all victim traffic
   - Log: Check
   - Click "Save" > "Apply Changes"
```

---

## LAB 1.6: VALIDATION & TESTING

**CRITICAL: Do not proceed to Module 2 until all tests pass!**

### Test 1: Red Team to Victim Connectivity

```
1. Create Test VM in Proxmox:
   - Create Ubuntu Server VM
   - VM ID: 201
   - Name: Kali-Test
   - Hardware > Network > Edit: Bridge vmbr0, VLAN Tag: 200

2. Boot VM and verify network:
   - Log in to the VM console
   - Check IP: ip addr show
   - Should have: 10.10.2.x (from DHCP)

3. Test gateway reachability:
   - ping 10.10.2.1
   - Should succeed (pfSense RED_TEAM gateway)

4. Test Victim network reachability:
   - Create a second VM with VLAN Tag: 400
   - Note its IP (10.10.4.x)
   - From Red Team VM: ping 10.10.4.x
   - Should succeed (rule allows Red -> Victim)
```

### Test 2: Victim to Red Team Blocked

```
1. From Victim VM (VLAN 400):
   - ping 10.10.2.1 (Red Team gateway)
   - Should FAIL (timeout)

2. Verify in pfSense logs:
   - Status > System Logs > Firewall
   - Should see: "Block" entries from 10.10.4.x to 10.10.2.x
```

### Test 3: Victim to Internet Blocked

```
1. From Victim VM:
   - ping 8.8.8.8
   - Should FAIL

2. Try DNS lookup:
   - nslookup google.com
   - Should time out (no WAN access)
```

### Test 4: Red Team Internet Access

```
1. From Red Team VM:
   - ping 8.8.8.8
   - Should succeed

2. Update package lists:
   - sudo apt update
   - Should work (confirms internet access)
```

### Test 5: Isolation from Home Network

```
1. Find your home network device IP (e.g., your desktop):
   - Example: 192.168.1.50

2. From Red Team VM:
   - ping 192.168.1.50
   - Should FAIL (Red Team cannot reach home network)

3. From Victim VM:
   - ping 192.168.1.50
   - Should FAIL (critical security validation!)
```

---

## TROUBLESHOOTING GUIDE

### Issue: VM not getting DHCP address

```
Proxmox side:
- VM > Hardware > Network Device > Edit
- Verify: Bridge = vmbr0, VLAN Tag correct, "Connected" checked

pfSense side:
- Status > Services
- Verify the DHCP service is running for that interface
- Services > DHCP Server > [Interface]
- Verify the range is configured and enabled

Inside VM:
# Linux
sudo dhclient -r    # Release
sudo dhclient       # Renew

# Windows
ipconfig /release
ipconfig /renew
```

### Issue: Can't access pfSense WebGUI

```
1. Verify pfSense is running:
   - Proxmox > VM 100 > Console
   - Should see the pfSense menu

2. Check which VM you're accessing from:
   - Must be on the same VLAN or the management network
   - If on VLAN 200: access https://10.10.2.1
   - If on management: access https://10.10.1.1

3. Disable HTTPS redirect temporarily:
   - pfSense console: Option 8 (Shell)
   - pfSsh.php playback disablehttpredirect
   - Try http://10.10.1.1
```

### Issue: VLAN tags not working

```
1. Verify the Proxmox bridge is VLAN-aware:
   - SSH to Proxmox
   - grep -A5 "vmbr0" /etc/network/interfaces
   - Must show: bridge-vlan-aware yes

2. Verify the VM has a VLAN tag set:
   - Proxmox > VM > Hardware > Network Device
   - VLAN Tag field must have a number (200, 300, 400)
   - NOT blank for tagged traffic

3. Restart networking:
   - Proxmox: systemctl restart networking (CAREFUL - may lose connection)
   - Or reboot the VM
```

### Issue: Firewall rules not working

```
1. Check rule order:
   - Firewall > Rules > [Interface]
   - Remember: First match wins
   - Block rules should be BEFORE allow rules for specificity

2. Verify the interface is correct:
   - Rule must be on the INCOMING interface
   - To block Red -> Victim: rule goes on the RED_TEAM interface

3. Clear states:
   - Diagnostics > States > Reset States
   - Click "Reset" (clears the connection state table)
   - Re-test

4. Enable logging:
   - Edit rule > Check "Log packets matched by this rule"
   - Save > Apply
   - Test traffic
   - Status > System Logs > Firewall (see if the rule matched)
```

---

## PROFESSOR'S GUIDANCE

### Common Mistakes to Avoid

**1. Asymmetric Routing:**

- Ensure all VMs use pfSense as their gateway (10.10.X.1)
- Do NOT configure VMs with your home router as gateway

**2. Forgetting to Apply Changes:**

- pfSense requires clicking "Apply Changes" after rule modifications
- A red banner at the top indicates unapplied changes

**3. Wrong VLAN Tag Placement:**

- Tags go on the VM's network interface in Proxmox
- NOT on the pfSense WAN interface
- The pfSense LAN interface (vtnet1) should be untagged; create VLAN subinterfaces on it

**4. Testing from the Wrong VM:**

- If testing VLAN 200 rules, you must be in a VM with VLAN Tag 200
- You can't test from the Proxmox host shell

### Why This Module is Critical

Every penetration test begins with a safe, isolated environment. If you skip proper network segmentation, you risk:

- Malware escaping to your home network
- Accidentally scanning your ISP's infrastructure (illegal)
- Bricking your personal devices with exploit tools

**Real-world parallel:** Enterprise networks use VLANs to separate:

- Guest Wi-Fi (untrusted)
- Employee workstations (medium trust)
- Server VLAN (high trust)
- Management VLAN (admin only)

Your lab mirrors this architecture. Master it here, understand it everywhere.

### Time Investment

- Initial setup: 2-4 hours
- Troubleshooting (first time): 1-3 hours
- Validation testing: 30 minutes

**Total: 4-8 hours**

### Next Steps

Once all validation tests pass:

1. Take a Proxmox backup of the pfSense VM: Backup > Backup Now
2. **Snapshot the pfSense VM** (revert point if you misconfigure later)
3. Document your network diagram (draw VLANs, IP ranges, firewall rules)
4. Proceed to **MOD2: Reconnaissance & Network Traffic Analysis**

---

## KNOWLEDGE CHECK

Before proceeding, you should confidently answer:

1. **What is the purpose of VLAN tagging?**
   - Answer: Allows multiple isolated networks to share physical infrastructure
2. **Which pfSense interface do firewall rules apply to?**
   - Answer: The incoming interface (where traffic enters)
3. **Why must VICTIM_NET be blocked from reaching WAN?**
   - Answer: Prevents compromised systems from communicating with attacker C2 servers
4. **If a VM in VLAN 200 can't get DHCP, what are 3 things to check?**
   - Answer: (1) VLAN tag set in Proxmox, (2) DHCP enabled in pfSense, (3) VM cable "connected"
5. **What does "First match wins" mean in firewall rules?**
   - Answer: Rules are processed top-to-bottom; once a rule matches, processing stops

---

**END OF MODULE 1**

**Checklist before MOD2:**

- [ ] pfSense firewall is configured and accessible
- [ ] VLANs 200, 300, 400 are created and assigned
- [ ] Red Team VM can ping Victim network
- [ ] Victim VM cannot ping Red Team network
- [ ] Victim VM cannot ping internet
- [ ] Red Team VM can access internet
- [ ] pfSense firewall logs are recording blocked traffic
- [ ] Full Proxmox backup of pfSense VM exists
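As an added example (not part of the course material or of pfSense), the following Python models the three rule sets built in Lab 1.5 and replays the Lab 1.6 checks against them the way pfSense evaluates rules: on the incoming interface, top to bottom, first match wins. The only assumption beyond the lab's address plan is a HOME_LAN network of 192.168.1.0/24, inferred from the 192.168.1.50 home device used in Test 5. Replaying the tests shows that the RED_TEAM rules as written pass traffic to that home device (rule 2 has destination Any), so Test 5's expected failure needs explicit blocks for WAN net and the home LAN placed above the internet rule, which `hardened_red_rules()` adds.

```python
# Added example, not part of the course material: a model of the pfSense rule
# sets from Lab 1.5, evaluated the way pfSense does it (incoming interface,
# top to bottom, first match wins). Runs offline; it never touches a firewall.
from ipaddress import ip_address, ip_network

# Lab address plan (Lab 1.4/1.5). HOME_LAN is an assumption derived from the
# 192.168.1.50 "home device" in Test 5; it is not a pfSense built-in alias.
NETS = {"RED_TEAM": ip_network("10.10.2.0/24"), "BLUE_TEAM": ip_network("10.10.3.0/24"),
        "VICTIM_NET": ip_network("10.10.4.0/24"), "WAN": ip_network("192.168.2.0/24"),
        "HOME_LAN": ip_network("192.168.1.0/24")}
FIREWALL_SELF = {ip_address(f"10.10.{n}.1") for n in (1, 2, 3, 4)}  # "This Firewall (self)"

def _hit(selector, addr):
    if selector == "any":
        return True
    if selector == "self":
        return addr in FIREWALL_SELF
    return addr in NETS[selector]

# (action, source, destination) tuples in the order Lab 1.5 creates them
RULESETS = {
    "RED_TEAM": [("pass", "RED_TEAM", "VICTIM_NET"), ("pass", "RED_TEAM", "any"),
                 ("block", "any", "any")],
    "BLUE_TEAM": [("pass", "BLUE_TEAM", "any")],
    "VICTIM_NET": [("block", "VICTIM_NET", "RED_TEAM"), ("block", "VICTIM_NET", "BLUE_TEAM"),
                   ("block", "VICTIM_NET", "WAN"), ("pass", "VICTIM_NET", "self"),
                   ("block", "VICTIM_NET", "any")],
}

def evaluate(iface, src, dst, rulesets=RULESETS):
    """Action of the first matching rule on the incoming interface (no match -> block)."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst in rulesets[iface]:
        if _hit(rsrc, s) and _hit(rdst, d):
            return action
    return "block"

# Lab 1.6 checks as (test, incoming iface, src, dst, expected outcome)
LAB16 = [("T1 Red->Victim", "RED_TEAM", "10.10.2.150", "10.10.4.150", "pass"),
         ("T2 Victim->Red gw", "VICTIM_NET", "10.10.4.150", "10.10.2.1", "block"),
         ("T3 Victim->Internet", "VICTIM_NET", "10.10.4.150", "8.8.8.8", "block"),
         ("T4 Red->Internet", "RED_TEAM", "10.10.2.150", "8.8.8.8", "pass"),
         ("T5 Red->Home", "RED_TEAM", "10.10.2.150", "192.168.1.50", "block"),
         ("T5 Victim->Home", "VICTIM_NET", "10.10.4.150", "192.168.1.50", "block")]

def lab16_results(rulesets=RULESETS):
    """Map each test name to (observed action, expected action)."""
    return {n: (evaluate(i, s, d, rulesets), want) for n, i, s, d, want in LAB16}

def hardened_red_rules():
    """Lab 1.5 as written passes Red->Home because rule 2 is 'destination any'.
    Explicit blocks for WAN/HOME_LAN above the internet rule close that gap."""
    fixed = dict(RULESETS)
    fixed["RED_TEAM"] = [RULESETS["RED_TEAM"][0], ("block", "RED_TEAM", "WAN"),
                         ("block", "RED_TEAM", "HOME_LAN")] + RULESETS["RED_TEAM"][1:]
    return fixed
```

Moving the VICTIM_NET "This Firewall" pass rule above the block rules makes Test 2 pass traffic instead of blocking it, which is the rule-order mistake the troubleshooting guide warns about.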