seclab/MOD1_Secure_Infrastructure.md
2026-05-28 18:27:41 -06:00

MODULE 1: SECURE INFRASTRUCTURE PROVISIONING

Learning Objectives

By completing this module, you will:

  • Configure VLAN-aware networking in Proxmox
  • Deploy and configure pfSense as a virtual firewall/router
  • Create isolated network segments using 802.1Q VLAN tagging
  • Implement firewall rules to prevent malicious traffic from escaping the lab
  • Validate network segmentation through connectivity testing

Key Concepts

Hypervisor Networking

Proxmox uses Linux Bridges (vmbr0, vmbr1, etc.) to connect virtual network interface cards (vNICs) to physical hardware. Think of a bridge as a virtual switch inside your hypervisor.

VLAN Tagging (802.1Q)

What is a VLAN? A Virtual Local Area Network allows multiple isolated networks to coexist on the same physical infrastructure. Each VLAN has a unique ID (1-4094).

Tagged vs Untagged Traffic:

  • Untagged: Normal traffic (like your home Wi-Fi) - no VLAN ID
  • Tagged: Traffic with an 802.1Q header containing VLAN ID
  • Trunk Port: Network port that carries multiple VLANs (tagged)
  • Access Port: Network port for a single VLAN (untagged)
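To make the tagged/untagged distinction concrete, the following is an added example written for this module (it is not part of the original lab material and not code from Proxmox or pfSense). It builds and parses 802.1Q-tagged Ethernet frames and then models the forwarding decision of a VLAN-aware bridge for the three kinds of port this lab uses. The MAC addresses and payload are constructed, and the bridge model is a deliberate simplification: it assumes no MAC learning and ignores the untagged-frame-on-trunk (PVID 1) case.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4, vlan_id=None, pcp=0):
    """Build an Ethernet II frame. With vlan_id set, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI = PCP:3 bits | DEI:1 bit | VID:12 bits) after the source MAC."""
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # DEI bit stays 0
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Parse an Ethernet II frame; vlan_id/pcp are None for untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None,
            "pcp": None, "ethertype": etype, "payload": frame[14:]}


def bridge_forward(frame, ingress_pvid, egress_port):
    """Simplified VLAN-aware bridge (assumption: no MAC learning, no PVID-1 trunk handling).
    ingress_pvid: VLAN the ingress port assigns to untagged frames, i.e. the Proxmox
                  'VLAN Tag' of the sending VM's vNIC.
    egress_port:  {"mode": "access", "vlan": N} for a vNIC with VLAN Tag N (delivered untagged)
                  or {"mode": "trunk"} for a vNIC with no tag, e.g. pfSense vtnet1 (delivered tagged).
    Returns the frame as it leaves the egress port, or None if it is not forwarded."""
    info = parse_frame(frame)
    vid = info["vlan_id"] if info["vlan_id"] is not None else ingress_pvid
    if egress_port["mode"] == "access":
        if egress_port["vlan"] != vid:
            return None                                   # wrong VLAN: never reaches this port
        return build_frame(frame[:6], frame[6:12], info["payload"], info["ethertype"])
    return build_frame(frame[:6], frame[6:12], info["payload"], info["ethertype"],
                       vlan_id=vid, pcp=info["pcp"] or 0)


def lab_demo():
    """A Red Team VM (VLAN Tag 200) sends an untagged frame; see where the bridge delivers it."""
    red_vm = bytes.fromhex("525400000200")       # constructed MAC addresses
    pfsense_lan = bytes.fromhex("525400000001")
    payload = b"\x45" + b"\x00" * 19              # constructed IPv4-looking payload
    frame = build_frame(pfsense_lan, red_vm, payload)
    to_trunk = bridge_forward(frame, 200, {"mode": "trunk"})
    to_same_vlan = bridge_forward(frame, 200, {"mode": "access", "vlan": 200})
    return {
        "to_victim_vnic": bridge_forward(frame, 200, {"mode": "access", "vlan": 400}),
        "tag_seen_by_pfsense": parse_frame(to_trunk)["vlan_id"],
        "tag_seen_by_other_red_vm": parse_frame(to_same_vlan)["vlan_id"],
    }


if __name__ == "__main__":
    print(lab_demo())
```

The model shows why the lab works: a vNIC with a VLAN Tag behaves like an access port (the guest never sees a tag, and frames from another VLAN are not delivered to it at all), while the untagged pfSense vtnet1 port behaves like a trunk and receives every lab VLAN tagged, which is why Lab 1.4 creates VLAN subinterfaces on it.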

The Virtual Firewall

pfSense will act as the default gateway for all lab VLANs, strictly controlling traffic flow between them. Without proper firewall rules, your attack traffic could leak into your home network!


LAB 1.1: PROXMOX NETWORK CONFIGURATION

Prerequisites

  • Proxmox VE installed and accessible via web interface (https://<PROXMOX-IP>:8006)
  • Physical network port connected to your home network

Step-by-Step: Enable VLAN Awareness

1. Access Proxmox Web Interface:
   - Open browser: https://<PROXMOX-IP>:8006
   - Login with root credentials

2. Navigate to Network Configuration:
   - Click on your Proxmox node (e.g., "pve")
   - Click "System" > "Network"

3. Identify Your Bridge:
   - You should see "vmbr0" (default bridge)
   - Note which physical interface it's connected to (e.g., eno1, eth0)

4. Enable VLAN Awareness:
   - Select "vmbr0"
   - Click "Edit"
   - Check the box: "VLAN aware"
   - Comment: "VLAN-aware bridge for security lab"
   - Click "OK"

5. Apply Configuration:
   - Click "Apply Configuration" at the top
   - WARNING: This may briefly disconnect your Proxmox web interface
   - Wait 10 seconds, then refresh browser

6. Verify Configuration:
   - SSH into Proxmox host (or use Shell button in web GUI)
   - Run: cat /etc/network/interfaces
   - Verify "bridge-vlan-aware yes" appears under vmbr0

Expected Output (Proxmox Bridge Config):

auto vmbr0
iface vmbr0 inet static
    address 192.168.2.100/24
    gateway 192.168.2.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes

# Note: Your Proxmox hypervisor management remains on 192.168.2.0/24 (VLAN 2)
# Lab VMs will use VLAN tags 100-400 for the 10.10.x.0/24 networks
# pfSense will route between the lab VLANs and provide internet via WAN
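The verification in step 6 is done by eye; the following added example (written for this module, not a Proxmox tool) does the same check programmatically by parsing the interfaces file and reporting what is missing. The sample file is constructed from the expected output above, and the list of lab VLAN IDs (2, 100, 200, 300, 400) is an assumption taken from the notes.

```python
LAB_VLANS = (2, 100, 200, 300, 400)   # management VLAN plus the lab VLANs planned in this module

# Constructed sample: the expected vmbr0 configuration from this lab
SAMPLE_OK = """\
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.2.100/24
    gateway 192.168.2.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
"""

# Constructed sample: the same bridge before "VLAN aware" was ticked in the GUI
SAMPLE_NOT_AWARE = SAMPLE_OK.replace("    bridge-vlan-aware yes\n", "")


def parse_interfaces(text):
    """Parse an ifupdown-style /etc/network/interfaces into {iface: {option: value}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = parts[1]
            ifaces[current] = {}
        elif parts[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            continue                                  # these lines carry no per-interface options
        elif current is not None:
            ifaces[current][parts[0]] = " ".join(parts[1:])
    return ifaces


def allowed_vids(spec):
    """Expand a 'bridge-vids' value such as '2-4094' or '100 200-400' into a set of VLAN IDs."""
    vids = set()
    for token in spec.split():
        lo, _, hi = token.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def check_vlan_aware_bridge(text, bridge="vmbr0", lab_vlans=LAB_VLANS):
    """Return a list of findings; an empty list means the bridge is ready for tagged lab VMs."""
    cfg = parse_interfaces(text).get(bridge)
    if cfg is None:
        return [f"{bridge}: no 'iface {bridge}' stanza found"]
    findings = []
    if cfg.get("bridge-vlan-aware", "no").lower() != "yes":
        findings.append(f"{bridge}: bridge-vlan-aware is not 'yes'; VM VLAN tags will not isolate traffic")
    if not cfg.get("bridge-ports"):
        findings.append(f"{bridge}: no bridge-ports; the bridge is not attached to a physical NIC")
    if "bridge-vids" in cfg:      # if present, this limits which VLAN IDs the bridge accepts
        missing = sorted(set(lab_vlans) - allowed_vids(cfg["bridge-vids"]))
        if missing:
            findings.append(f"{bridge}: bridge-vids '{cfg['bridge-vids']}' excludes lab VLAN(s) {missing}")
    return findings


if __name__ == "__main__":
    for name, sample in (("expected config", SAMPLE_OK), ("not VLAN aware", SAMPLE_NOT_AWARE)):
        print(f"{name}: {check_vlan_aware_bridge(sample) or 'OK'}")
```

On the Proxmox host itself, feed it the real file with check_vlan_aware_bridge(open("/etc/network/interfaces").read()); any finding it prints corresponds to one of the causes listed under "VLAN tags not working" in the troubleshooting guide.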

LAB 1.2: PFSENSE VM DEPLOYMENT

pfSense VM Specifications

  • CPU: 2 cores
  • RAM: 2048 MB (2 GB)
  • Disk: 16 GB (thin provision)
  • Network Adapters: 2
    • vNIC 0 (WAN): Bridged to vmbr0, VLAN Tag: 2 (connects to 192.168.2.0/24)
    • vNIC 1 (LAN): Bridged to vmbr0, no VLAN tag (will create subinterfaces for VLANs 100-400)

Step-by-Step: Create pfSense VM

1. Download pfSense ISO:
   - Visit: https://www.pfsense.org/download/
   - Select: AMD64 (64-bit), DVD Image (ISO Installer)
   - Upload to Proxmox: Storage > ISO Images > Upload

2. Create Virtual Machine:
   - Click "Create VM" (top right)

   GENERAL TAB:
   - Node: (your Proxmox node)
   - VM ID: 100
   - Name: pfSense-Firewall
   - Click "Next"

   OS TAB:
   - ISO image: pfsense-CE-X.X.X-amd64.iso
   - Guest OS Type: Linux
   - Kernel: 6.x - 2.6 Kernel
   - Click "Next"

   SYSTEM TAB:
   - Graphic card: Default
   - Machine: Default (i440fx)
   - BIOS: Default (SeaBIOS)
   - Qemu Agent: Unchecked (for now)
   - Click "Next"

   DISKS TAB:
   - Bus/Device: SCSI / 0
   - Storage: local-lvm (or your storage)
   - Disk size: 16 GB
   - Click "Next"

   CPU TAB:
   - Sockets: 1
   - Cores: 2
   - Type: host (or kvm64)
   - Click "Next"

   MEMORY TAB:
   - Memory (MiB): 2048
   - Click "Next"

   NETWORK TAB (WAN Interface):
   - Bridge: vmbr0
   - VLAN Tag: 2 (connects to 192.168.2.0/24 management network)
   - Model: VirtIO (paravirtualized)
   - Click "Next"

   CONFIRM:
   - Start after created: Unchecked
   - Click "Finish"

3. Add Second Network Interface (LAN):
   - Select pfSense VM > Hardware
   - Click "Add" > "Network Device"
   - Bridge: vmbr0
   - VLAN Tag: <leave blank> (we'll tag inside pfSense)
   - Model: VirtIO
   - Click "Add"

4. Start pfSense Installation:
   - Select pfSense VM > Console
   - Click "Start"
   - Wait for boot menu

pfSense Installation Process

1. Boot Menu:
   - Select: "1) Boot Multi User [Enter]"
   - Wait for FreeBSD kernel to load

2. Welcome Screen:
   - Accept: Press Enter

3. Install pfSense:
   - Select: "Install" > "OK"

4. Partitioning:
   - Select: "Auto (ZFS)" > "OK"
   - Select: "Stripe" > "OK"
   - Select: vtbd0 (your virtual disk) > Spacebar to select > "OK"
   - Confirm: "YES" (will erase disk)
   - Wait for installation (2-3 minutes)

5. Reboot:
   - Select: "No" when asked whether to open a shell for manual configuration
   - Select: "Reboot"
   - When rebooting starts: VM > Hardware > CD/DVD > "Do not use any media"
   - Wait for pfSense to boot

6. Interface Assignment:
   - Should VLANs be set up now? n (No - we'll do this via web GUI)
   - Enter WAN interface name: vtnet0
   - Enter LAN interface name: vtnet1
   - Do you want to proceed? y (Yes)

7. pfSense Menu:
   - You should now see the pfSense menu
   - Note the LAN IP address (default: 192.168.1.1)

LAB 1.3: PFSENSE WEB INTERFACE SETUP

Temporary Access to pfSense WebGUI

Since pfSense LAN is 192.168.1.1 but we want our management network on VLAN 100, we need temporary access:

OPTION A: Create Temporary VM in Proxmox
1. Create small Linux VM (Alpine or Ubuntu)
2. Set its vNIC to vmbr0, no VLAN tag
3. Configure static IP: 192.168.1.50/24
4. Open browser to: https://192.168.1.1
5. Default credentials: admin / pfsense

OPTION B: Configure via Console (Recommended)
1. In pfSense console menu, select: 2) Set interface(s) IP address
2. Select: 1 - WAN
3. Configure IPv4 address WAN interface via DHCP? n (No, static)
4. Enter new IPv4 address: 192.168.2.2
5. Enter subnet bit count: 24
6. Enter upstream gateway: 192.168.2.1
7. Configure IPv6? n (No)
8. Do you want to revert to HTTP? n (No, keep HTTPS)
9. Press Enter to complete

10. Return to menu, select: 2) Set interface(s) IP address
11. Select: 2 - LAN
12. Enter new IP: 10.10.1.1
13. Enter subnet: 24
14. No upstream gateway: <leave blank>
15. No DHCP server for now: <leave blank>
16. Do NOT configure IPv6: <leave blank>
17. Do you want to revert to HTTP? n (No, keep HTTPS)

Now access pfSense from the Proxmox host (both are on 192.168.2.0/24) at
https://192.168.2.2 (via the WAN interface),
or configure a temporary VM on VLAN 100 to access https://10.10.1.1

pfSense Initial Wizard

1. Access WebGUI:
   - Browser: https://10.10.1.1
   - Accept self-signed certificate warning
   - Username: admin
   - Password: pfsense

2. Setup Wizard:
   - Click "Next"

   GENERAL INFORMATION:
   - Hostname: pfsense
   - Domain: apophis.local
   - Primary DNS: 8.8.8.8 (Google DNS)
   - Secondary DNS: 1.1.1.1 (Cloudflare DNS)
   - Uncheck "Override DNS"
   - Click "Next"

   TIME SERVER:
   - Time server hostname: pool.ntp.org
   - Timezone: (Select your timezone)
   - Click "Next"

   WAN CONFIGURATION:
   - Type: Static IP
   - IP Address: 192.168.2.2
   - Subnet Mask: 24 (/24)
   - Upstream Gateway: 192.168.2.1
   - Click "Next"

   LAN CONFIGURATION:
   - IP Address: 10.10.1.1
   - Subnet Mask: 24 (/24)
   - Click "Next"

   ADMIN PASSWORD:
   - Change default password from "pfsense" to strong password
   - Confirm password
   - Click "Next"

   RELOAD:
   - Click "Reload"
   - Wait for pfSense to apply configuration

3. Login with New Password:
   - Username: admin
   - Password: (your new password)

LAB 1.4: VLAN INTERFACE CREATION

Now we create VLANs 200, 300, 400 for Red/Blue/Victim networks.

Step-by-Step: Create VLANs

1. Navigate to VLAN Configuration:
   - Interfaces > Assignments > VLANs

2. Create VLAN 200 (Red Team):
   - Click "+ Add"
   - Parent Interface: vtnet1 (LAN interface)
   - VLAN Tag: 200
   - VLAN Priority: 0
   - Description: RED_TEAM
   - Click "Save"

3. Create VLAN 300 (Blue Team):
   - Click "+ Add"
   - Parent Interface: vtnet1
   - VLAN Tag: 300
   - Description: BLUE_TEAM
   - Click "Save"

4. Create VLAN 400 (Victim Network):
   - Click "+ Add"
   - Parent Interface: vtnet1
   - VLAN Tag: 400
   - Description: VICTIM_NET
   - Click "Save"

5. Verify VLANs:
   - You should see: vtnet1.200, vtnet1.300, vtnet1.400

Assign VLANs to Interfaces

1. Navigate to Interface Assignments:
   - Interfaces > Assignments

2. Assign VLAN 200:
   - Available network ports: Select "vtnet1.200 (RED_TEAM)"
   - Click "+ Add"
   - New interface appears as "OPT1"

3. Assign VLAN 300:
   - Select "vtnet1.300 (BLUE_TEAM)"
   - Click "+ Add" (becomes OPT2)

4. Assign VLAN 400:
   - Select "vtnet1.400 (VICTIM_NET)"
   - Click "+ Add" (becomes OPT3)

5. Configure OPT1 (Red Team):
   - Click "OPT1"
   - Check "Enable interface"
   - Description: RED_TEAM
   - IPv4 Configuration Type: Static IPv4
   - IPv4 Address: 10.10.2.1 / 24
   - Click "Save"
   - Click "Apply Changes"

6. Configure OPT2 (Blue Team):
   - Click "OPT2"
   - Enable interface
   - Description: BLUE_TEAM
   - IPv4 Address: 10.10.3.1 / 24
   - Click "Save" > "Apply Changes"

7. Configure OPT3 (Victim Network):
   - Click "OPT3"
   - Enable interface
   - Description: VICTIM_NET
   - IPv4 Address: 10.10.4.1 / 24
   - Click "Save" > "Apply Changes"

LAB 1.5: FIREWALL RULE CONFIGURATION

Critical Security Principle: Default Deny Everything, Explicitly Allow Only What's Needed

Understanding pfSense Firewall Logic

  • Rules are processed top to bottom
  • First match wins (stops processing)
  • Each interface has its own rule set
  • Traffic is filtered on the incoming interface

Step-by-Step: Configure Security Rules

1. Enable DHCP for Each VLAN:
   - Services > DHCP Server > RED_TEAM
   - Check "Enable DHCP server on RED_TEAM"
   - Range: 10.10.2.100 to 10.10.2.200
   - Click "Save"
   - Repeat for BLUE_TEAM (10.10.3.100 - .200)
   - Repeat for VICTIM_NET (10.10.4.100 - .200)

2. Configure RED_TEAM Firewall Rules:
   - Firewall > Rules > RED_TEAM

   DELETE DEFAULT "Allow All" RULE:
   - Click trash icon on default allow rule
   - Confirm deletion

   ADD RULE 1: Allow Red to Victim Network
   - Click "Add" (up arrow to add to top)
   - Action: Pass
   - Interface: RED_TEAM
   - Address Family: IPv4
   - Protocol: Any
   - Source: RED_TEAM net
   - Destination: VICTIM_NET net
   - Description: Allow Red Team to attack Victim Network
   - Click "Save"

   ADD RULE 2: Allow Red to Internet (for tool updates)
   - Click "Add"
   - Action: Pass
   - Interface: RED_TEAM
   - Protocol: Any
   - Source: RED_TEAM net
   - Destination: Any
   - Description: Allow Red Team internet access for tools
   - Click "Save"

   ADD RULE 3: Block Red to Everything Else (implicit, but good practice)
   - Click "Add" (add to bottom)
   - Action: Block
   - Interface: RED_TEAM
   - Protocol: Any
   - Source: Any
   - Destination: Any
   - Description: Block all other Red Team traffic
   - Click "Save"

   - Click "Apply Changes"

3. Configure BLUE_TEAM Firewall Rules:
   - Firewall > Rules > BLUE_TEAM
   - Delete default allow rule

   ADD RULE: Allow Blue to Monitor All Networks
   - Action: Pass
   - Interface: BLUE_TEAM
   - Protocol: Any
   - Source: BLUE_TEAM net
   - Destination: Any
   - Description: Allow Blue Team full network access
   - Click "Save" > "Apply Changes"

4. Configure VICTIM_NET Firewall Rules:
   - Firewall > Rules > VICTIM_NET
   - Delete default allow rule

   ADD RULE 1: Block Victim to Red Team
   - Action: Block
   - Interface: VICTIM_NET
   - Protocol: Any
   - Source: VICTIM_NET net
   - Destination: RED_TEAM net
   - Description: CRITICAL - Prevent victim from reaching attacker
   - Log: Check "Log packets matched by this rule"
   - Click "Save"

   ADD RULE 2: Block Victim to Blue Team
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: BLUE_TEAM net
   - Description: Isolate victims from SOC network
   - Click "Save"

   ADD RULE 3: Block Victim to WAN (Internet)
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: WAN net
   - Description: Prevent compromised systems from calling home
   - Log: Check
   - Click "Save"

   ADD RULE 4: Allow Victim to pfSense (for DNS, DHCP)
   - Action: Pass
   - Source: VICTIM_NET net
   - Destination: This Firewall (self)
   - Description: Allow access to pfSense services
   - Click "Save"

   ADD RULE 5: Block Victim Everything Else
   - Action: Block
   - Source: VICTIM_NET net
   - Destination: Any
   - Description: Default deny all victim traffic
   - Log: Check
   - Click "Save" > "Apply Changes"

LAB 1.6: VALIDATION & TESTING

CRITICAL: Do not proceed to Module 2 until all tests pass!

Test 1: Red Team to Victim Connectivity

1. Create Test VM in Proxmox:
   - Create Ubuntu Server VM
   - VM ID: 201
   - Name: Kali-Test
   - Hardware > Network > Edit: Bridge vmbr0, VLAN Tag: 200

2. Boot VM and verify network:
   - Login to VM console
   - Check IP: ip addr show
   - Should have: 10.10.2.x (from DHCP)

3. Test gateway reachability:
   - ping 10.10.2.1
   - Should succeed (pfSense RED_TEAM gateway)

4. Test Victim network reachability:
   - Create second VM with VLAN Tag: 400
   - Note its IP (10.10.4.x)
   - From Red Team VM: ping 10.10.4.x
   - Should succeed (Rule allows Red → Victim)

Test 2: Victim to Red Team Blocked

1. From Victim VM (VLAN 400):
   - ping 10.10.2.1 (Red Team gateway)
   - Should FAIL (timeout)

2. Verify in pfSense logs:
   - Status > System Logs > Firewall
   - Should see: "Block" entries from 10.10.4.x to 10.10.2.x

Test 3: Victim to Internet Blocked

1. From Victim VM:
   - ping 8.8.8.8
   - Should FAIL

2. Try DNS lookup:
   - nslookup google.com
   - Should timeout (no WAN access)

Test 4: Red Team Internet Access

1. From Red Team VM:
   - ping 8.8.8.8
   - Should succeed

2. Update package lists:
   - sudo apt update
   - Should work (confirms internet access)

Test 5: Isolation from Home Network

1. Find your home network device IP (e.g., your desktop):
   - Example: 192.168.1.50

2. From Red Team VM:
   - ping 192.168.1.50
   - Should FAIL (Red Team cannot reach home network)

3. From Victim VM:
   - ping 192.168.1.50
   - Should FAIL (critical security validation!)
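Before running the five tests on real VMs, it helps to check the rule sets on paper. The following added example (written for this module, not pfSense code) models the rule sets from Lab 1.5 as pfSense evaluates them, first match wins on the incoming interface with an implicit default deny, and runs the expectations of Tests 1 to 5 against them; NAT, state tracking and floating rules are ignored. The source addresses are constructed. Run as written, the model shows that RED_TEAM rule 2 ("Destination: Any") also matches the home-network address used in Test 5, so the Red Team half of that test only passes once that destination is narrowed; the TIGHTENED_RULES set is an assumed alternative, not part of the module, that does so with an RFC 1918 alias and pfSense's "Invert match", plus a rule that keeps the Red Team gateway reachable.

```python
from ipaddress import ip_address, ip_network

NETS = {                                    # interface networks from Labs 1.3 and 1.4
    "WAN": ip_network("192.168.2.0/24"),
    "LAN": ip_network("10.10.1.0/24"),
    "RED_TEAM": ip_network("10.10.2.0/24"),
    "BLUE_TEAM": ip_network("10.10.3.0/24"),
    "VICTIM_NET": ip_network("10.10.4.0/24"),
}
FIREWALL_ADDRS = {ip_address(a) for a in ("192.168.2.2", "10.10.1.1", "10.10.2.1", "10.10.3.1", "10.10.4.1")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def selector_matches(sel, ip):
    """Match a source/destination selector: 'any', 'self' (This Firewall), an interface net,
    the RFC1918 alias, or '!X' for pfSense's 'Invert match'."""
    if sel == "any":
        return True
    if sel == "self":
        return ip in FIREWALL_ADDRS
    if sel.startswith("!"):
        return not selector_matches(sel[1:], ip)
    if sel == "RFC1918":
        return any(ip in n for n in RFC1918)
    return ip in NETS[sel]


def rule(action, src, dst, desc):
    return {"action": action, "src": src, "dst": dst, "desc": desc}


# The rule sets exactly as Lab 1.5 lays them out (per interface, top to bottom)
PAGE_RULES = {
    "RED_TEAM": [
        rule("pass", "RED_TEAM", "VICTIM_NET", "Allow Red Team to attack Victim Network"),
        rule("pass", "RED_TEAM", "any", "Allow Red Team internet access for tools"),
        rule("block", "any", "any", "Block all other Red Team traffic"),
    ],
    "BLUE_TEAM": [rule("pass", "BLUE_TEAM", "any", "Allow Blue Team full network access")],
    "VICTIM_NET": [
        rule("block", "VICTIM_NET", "RED_TEAM", "CRITICAL - Prevent victim from reaching attacker"),
        rule("block", "VICTIM_NET", "BLUE_TEAM", "Isolate victims from SOC network"),
        rule("block", "VICTIM_NET", "WAN", "Prevent compromised systems from calling home"),
        rule("pass", "VICTIM_NET", "self", "Allow access to pfSense services"),
        rule("block", "VICTIM_NET", "any", "Default deny all victim traffic"),
    ],
}

# Assumed tightening (not from the module): Red may reach the Victim network, the firewall
# itself and non-private addresses only, so private ranges such as the home LAN fall through
# to the block rule.
TIGHTENED_RULES = dict(PAGE_RULES)
TIGHTENED_RULES["RED_TEAM"] = [
    rule("pass", "RED_TEAM", "VICTIM_NET", "Allow Red Team to attack Victim Network"),
    rule("pass", "RED_TEAM", "self", "Allow Red Team to reach pfSense (DNS, DHCP)"),
    rule("pass", "RED_TEAM", "!RFC1918", "Allow Red Team internet access for tools"),
    rule("block", "any", "any", "Block all other Red Team traffic"),
]


def evaluate(rulesets, in_iface, src, dst):
    """Packet entering in_iface: first matching rule wins, otherwise pfSense's implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rulesets.get(in_iface, []):
        if selector_matches(r["src"], src) and selector_matches(r["dst"], dst):
            return r["action"], r["desc"]
    return "block", "implicit default deny"


# Lab 1.6 expectations: (test, incoming interface, constructed source, destination, expected action)
LAB_TESTS = [
    ("Test 1", "RED_TEAM", "10.10.2.150", "10.10.2.1", "pass"),
    ("Test 1", "RED_TEAM", "10.10.2.150", "10.10.4.150", "pass"),
    ("Test 2", "VICTIM_NET", "10.10.4.150", "10.10.2.1", "block"),
    ("Test 3", "VICTIM_NET", "10.10.4.150", "8.8.8.8", "block"),
    ("Test 4", "RED_TEAM", "10.10.2.150", "8.8.8.8", "pass"),
    ("Test 5", "RED_TEAM", "10.10.2.150", "192.168.1.50", "block"),
    ("Test 5", "VICTIM_NET", "10.10.4.150", "192.168.1.50", "block"),
]


def run_lab_tests(rulesets):
    """Return the Lab 1.6 checks whose modelled result differs from the expectation (empty = all pass)."""
    failures = []
    for name, iface, src, dst, expected in LAB_TESTS:
        action, desc = evaluate(rulesets, iface, src, dst)
        if action != expected:
            failures.append(f"{name}: {iface} {src} -> {dst} is '{action}' by rule '{desc}', expected '{expected}'")
    return failures


if __name__ == "__main__":
    print("module rules:   ", run_lab_tests(PAGE_RULES) or "all Lab 1.6 checks pass")
    print("tightened rules:", run_lab_tests(TIGHTENED_RULES) or "all Lab 1.6 checks pass")
```

Whatever rule set you settle on, keep the order of operations the same as in the model: the more specific pass rules sit above the broad ones, and the final block rule catches everything else, which is the "first match wins" behaviour described in Lab 1.5 and revisited in the troubleshooting guide.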

TROUBLESHOOTING GUIDE

Issue: VM not getting DHCP address

Proxmox side:
- VM > Hardware > Network Device > Edit
- Verify: Bridge = vmbr0, VLAN Tag correct, "Connected" checked

pfSense side:
- Status > Services
- Verify DHCP service is running for that interface
- Services > DHCP Server > [Interface]
- Verify range is configured and enabled

Inside VM:
# Linux
sudo dhclient -r  # Release
sudo dhclient     # Renew

# Windows
ipconfig /release
ipconfig /renew

Issue: Can't access pfSense WebGUI

1. Verify pfSense is running:
   - Proxmox > VM 100 > Console
   - Should see pfSense menu

2. Check which VM you're accessing from:
   - Must be on same VLAN or management network
   - If on VLAN 200: access https://10.10.2.1
   - If on management: access https://10.10.1.1

3. Disable HTTPS redirect temporarily:
   - pfSense console: Option 8 (Shell)
   - pfSsh.php playback disablehttpredirect
   - Try http://10.10.1.1

Issue: VLAN tags not working

1. Verify Proxmox bridge is VLAN-aware:
   - SSH to Proxmox
   - grep -A5 "vmbr0" /etc/network/interfaces
   - Must show: bridge-vlan-aware yes

2. Verify VM has VLAN tag set:
   - Proxmox > VM > Hardware > Network Device
   - VLAN Tag field must have number (200, 300, 400)
   - NOT blank for tagged traffic

3. Restart networking:
   - Proxmox: systemctl restart networking (CAREFUL - may lose connection)
   - Or reboot VM

Issue: Firewall rules not working

1. Check rule order:
   - Firewall > Rules > [Interface]
   - Remember: First match wins
   - Block rules should be BEFORE allow rules for specificity

2. Verify interface is correct:
   - Rule must be on the INCOMING interface
   - To block Red→Victim: Rule goes on RED_TEAM interface

3. Clear states:
   - Diagnostics > States > Reset States
   - Click "Reset" (clears connection state table)
   - Re-test

4. Enable logging:
   - Edit rule > Check "Log packets matched by this rule"
   - Save > Apply
   - Test traffic
   - Status > System Logs > Firewall (see if rule matched)

PROFESSOR'S GUIDANCE

Common Mistakes to Avoid

1. Asymmetric Routing:

  • Ensure all VMs use pfSense as their gateway (10.10.X.1)
  • Do NOT configure VMs with your home router as gateway

2. Forgetting to Apply Changes:

  • pfSense requires clicking "Apply Changes" after rule modifications
  • Red banner at top indicates unapplied changes

3. Wrong VLAN Tag Placement:

  • Tags go on VM's network interface in Proxmox
  • NOT on pfSense WAN interface
  • pfSense LAN interface (vtnet1) should be untagged, then create VLAN subinterfaces

4. Testing from Wrong VM:

  • If testing VLAN 200 rules, you must be in a VM with VLAN Tag 200
  • Can't test from Proxmox host shell

Why This Module is Critical

Every penetration test begins with a safe, isolated environment. If you skip proper network segmentation, you risk:

  • Malware escaping to your home network
  • Accidentally scanning your ISP's infrastructure (illegal)
  • Bricking your personal devices with exploit tools

Real-world parallel: Enterprise networks use VLANs to separate:

  • Guest Wi-Fi (untrusted)
  • Employee workstations (medium trust)
  • Server VLAN (high trust)
  • Management VLAN (admin only)

Your lab mirrors this architecture. Master it here, understand it everywhere.

Time Investment

  • Initial setup: 2-4 hours
  • Troubleshooting (first time): 1-3 hours
  • Validation testing: 30 minutes

Total: 4-8 hours

Next Steps

Once all validation tests pass:

  1. Take Proxmox backup of pfSense VM: Backup > Backup Now
  2. Snapshot pfSense VM (revert point if you misconfigure later)
  3. Document your network diagram (draw VLANs, IP ranges, firewall rules)
  4. Proceed to MOD2: Reconnaissance & Network Traffic Analysis

KNOWLEDGE CHECK

Before proceeding, you should confidently answer:

  1. What is the purpose of VLAN tagging?
     • Answer: Allows multiple isolated networks to share physical infrastructure

  2. Which pfSense interface do firewall rules apply to?
     • Answer: The incoming interface (where traffic enters)

  3. Why must VICTIM_NET be blocked from reaching WAN?
     • Answer: Prevents compromised systems from communicating with attacker C2 servers

  4. If a VM in VLAN 200 can't get DHCP, what are 3 things to check?
     • Answer: (1) VLAN tag set in Proxmox, (2) DHCP enabled in pfSense, (3) VM cable "connected"

  5. What does "First match wins" mean in firewall rules?
     • Answer: Rules are processed top-to-bottom; once a rule matches, processing stops

END OF MODULE 1

Checklist before MOD2:

  • pfSense firewall is configured and accessible
  • VLANs 200, 300, 400 are created and assigned
  • Red Team VM can ping Victim network
  • Victim VM cannot ping Red Team network
  • Victim VM cannot ping internet
  • Red Team VM can access internet
  • pfSense firewall logs are recording blocked traffic
  • Full Proxmox backup of pfSense VM exists