how-to_pfsense.md

File metadata and controls

564 lines (385 loc) · 25.7 KB

Any and all copyright materials used are for educational, non-commercial, illustrative (research, criticism, & comment), unpublished purposes only. Facts themselves are not copyrightable.

Any other works of mine are under the Attribution NonCommercial ShareAlike 4.0 International license.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


Acknowledgements


How-to Guide about the PfSense firewall

Why you want a pfSense firewall:

  • Protect your network.
  • Limit vulnerabilities.
  • Separate VMs from other devices on the network.
  • Create a guest or IoT network separate from your home network.
  • Create a sandbox environment.
  • Create a malware test lab.

This guide will teach you how to separate (VLAN) your VMs from your home/production network so you can stop attackers/guests/gaming buddies from moving laterally in your network and viewing/accessing/infecting/compromising other machines on the same network.

Provisioning pfSense

For reference, see pfSense's install guide.

Note: This guide assumes you are deploying pfSense to a VM in Proxmox; however, if you wish to deploy to a dedicated machine you may wish to download the USB version or burn the .iso file to a bootable USB instead.

At the time of writing this guide, pfSense does not have an ARM-compatible build (i.e. Raspberry Pi or ARM-based cloud solutions won't work).

pfsense_download_page

  • Upload the .iso to your Proxmox hypervisor.

ISO_upload

  • Once you have uploaded the .iso, click Create VM (button on the top right of Proxmox UI).

Provision the VM with the specs that pfSense recommends. Check the pfSense minimum hardware requirements, but here's what I found:

  • 64-bit amd64 (x86-64) compatible CPU
  • 1GB RAM or more
  • 8GB disk (SSD, HDD, etc.) or larger
  • One or more compatible network interface cards. We will circle back to NICs after the install, but see Configure Proxmox NICs if you want to skip ahead to setting up VLANs on Proxmox.

Configure Proxmox NICs

To leverage pfSense VLANs we need to configure Proxmox NICs and assign VLAN tags which will be passed through to the pfSense firewall VM.

Install network dependencies on the Proxmox node:

  • Select Proxmox node > Shell (button) > copy and paste the following:
apt clean && apt update
apt install ifupdown2 openvswitch-switch -y

Backup your network interface (in case something goes wrong).

  • Open a shell to your Proxmox node and run the following:
cp /etc/network/interfaces /etc/network/interfaces.bak

interfaces_bak

Backup Note: You can always restore the original configuration by overwriting the interfaces file with your backup interfaces.bak file.

  • Click on your Proxmox Node > Network. Select vmbr0 and choose Remove.

remove_linux_bridge

Create Open vSwitches:

Important: Use a second physical NIC, if available, for your pfSense web UI/production network, because on reboot Proxmox hijacks the web IP of pfSense and changes the Proxmox web UI URL to the pfSense IP. Perhaps this is a bug, but to avoid it, physically attach a different, secondary ethernet cable to a secondary physical NIC on the Proxmox machine, create a third OVS Bridge and assign it to that secondary physical NIC.

  • Create > OVS Bridge > Bridge ports: <your physical eth interface>

ovsbridge1

  • Fill in the fields as seen in the screenshot below and click Create.

ovsbridge_vmbr2

Note: Your physical interface will likely be different from mine. Therefore you MUST enter YOUR physical interface name instead. To get your interface name, open a shell to the Proxmox node and enter ip addr; it will list the interface(s). Again, it's important to use a secondary physical NIC for the pfSense web UI to avoid a Proxmox IP conflict.

Create the management interface for the Proxmox UI:

  • Create > OVS IntPort

ovs_int_port

Create a pfSense internal switch:

  • Create > OVS Bridge > Name: vmbr1 > Comment: <pfSense int>

pfsense_int_bridge

Create a VLAN for publicly accessible (internet-facing), non-isolated and insecure VMs:

The following VLANs are ideal for cybersecurity and malware analysis lab setups. If that's not your jam, then create VLANs to your desired outcome and skip all the SEC_EGRESS and SEC_ISOLATED firewall rules and simply create an RFC1918 alias for all the subnets (i.e. 10.0.0.0/24, 192.168.0.0/24, etc.) and add some basic firewall rules to VLAN'd networks instead. If you just want to set up simple firewall rules that prevent VLAN'd networks from communicating to each other, then see the end of this guide here on basic pfSense firewall rules.

  • Create > OVS IntPort > Name: "vmbr1_<VLAN tag>" > VLAN Tag: <number you choose> > Comment: <pfsense egress>

pfsense_egress

Create a VLAN for publicly accessible (internet-facing), isolated and insecure VMs:

  • Create > OVS IntPort > Name: "vmbr1_<VLAN tag>" > VLAN Tag: <number you choose> > Comment: <pfsense isolated egress>

pfsense_egress_isolated

Apply the New NIC Settings

apply_proxmox_nic_config

Summary of VLANs on Proxmox

You should have a configuration that is similar to the following:

px_vlan_config_summary

Troubleshooting Connectivity

If you encounter connectivity issues to the Proxmox UI after applying the NIC config changes (i.e. OVS Bridge and VLAN), you can restore your known working configuration by logging into your Proxmox server locally (i.e. physically connect a keyboard and monitor to the Proxmox machine) and running the following commands from the shell:

cp /etc/network/interfaces.bak /etc/network/interfaces
ifreload -a

This will restore the original, functional network configuration so that you should be able to access your Proxmox web UI again from another computer on the network just as before.

Deploy pfSense

pfSense Proxmox Configurations

  • Select the pfSense VM > Options > OS Type > Edit (button) > Select "other"

pfsensexproxmox_opt_config

Ensure your pfSense VM has a statically assigned IP address from your router:

If the IP address of the DHCP server (usually assigned by your router) changes, you will have issues. To mitigate this problem:

  • access your router settings to change the DHCP server settings (usually in LAN > DHCP Server > Manual IP Assignment),
  • identify your pfSense VM's WAN IP/MAC address (usually assigned by DHCP dynamically),
  • change it to a static IP,
  • then apply the settings in your router.

pfsense_mac_address

Add the vmbr1 NIC to the pfSense VM

The following action adds the pfSense internal switch NIC created earlier to the pfSense VM. Once the VM is stopped, you can add the secondary NIC we made before.

  • Proxmox Node > pfSense VM > Hardware > Add (button) > Network Device > Bridge: vmbr1

vmbr1_NIC_add

Note: If you get the following error, then reboot your Proxmox machine and try to launch the pfSense VM again.

VM_start_error

Start the pfSense VM to begin the setup:

  • Click on the VM > Start (button, top right)
  • Open a console or ssh session to the pfSense
  • Wait for the initial load screen
  • Hit Enter to accept the terms

accept_pfsense_terms

  • Progress through the GUI installer

install_pfsense_GUI

Note: You may need to enter the advanced disk settings to create a mount point if the auto installer method fails. Format as MBR, create a partition, then use the auto installer thereafter.

Interface Setup

  • When prompted to set up VLANs, enter n for now.
  • Enter the WAN interface name (enter what is provided in the prompt; for me it was vtnet0), and do not use auto-detection as it will fail.
  • When prompted to enter a 2nd NIC for the LAN interface, type: vtnet1
  • Type y to proceed.

pfsense_install_wizard1

  • After the installer runs, you should come to an end screen showing the WAN and LAN interfaces and the IP address of the pfSense web UI.

pfsense_end_install_screen

  • Take note of the IP that was assigned (or statically set) by the DHCP Server. This IP is how you will access the pfSense web UI later. Does it match what you assigned? If not, you may need to renew the IP.

Note: You may need to manually invoke a dhclient -r <interface> command from the shell of the VM and reboot the VM in order to get the static IP to apply. If you don't know what the interface is on your VM, simply run nmcli con to get the name of the interface.

Configure VLANs

  • Start the pfSense VM
  • Select option 1 to assign the new NIC and set up VLANs
  1. Should VLANs be set up now [y|n]
     • Enter Y
  2. Enter the parent interface name for the new VLAN
     • Enter vtnet1 (vtnet1 is the LAN interface)
     • Enter tag 666
     • Enter vtnet1 (again)
     • Enter 999
  3. Press Enter to complete the VLAN setup

You should see this screen in the VLAN setup stage: progressofvlan

  4. Enter the parent interface for the new VLAN
     • Enter the WAN interface name, which is: vtnet0
  5. Enter the LAN interface
     • Enter vtnet1
  6. Enter the Optional 1 interface
     • Enter vtnet1.666
  7. Enter the Optional 2 interface
     • Enter vtnet1.999

If configured correctly, you should see a screen like this: progressofvlan2

  8. Do you want to proceed?
     • Enter Y
     • Wait for additional setup steps to complete

Special thanks to Ben Heater for these excellently defined steps in his guide. Thanks, Ben!

Configure LAN IP Range 10.0.0.1

  • Enter 2 at the pfSense config screen to change the LAN IP range from the default.

lanipconfig

  • Select the interface for which you wish to configure the IP range.
  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter n
  • Enter the new IPv4 address as: 10.0.0.1
    • Enter 24
    • Press Enter (for LAN)
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter n
  • Enter the new LAN IPv6 address. Press Enter for none.
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of range: 10.0.0.11
    • End of range: 10.0.0.244
  • Do you want to revert to HTTP?
    • Enter n
    • Press Enter to complete
  • You should see an output that reflects the changes made that looks similar to this:

iprangeconfigured

Configure LAN IP Range 10.6.6.1

  • Enter 2 at the pfSense config screen to change the LAN IP range from the default.

lanipconfig

  • Select the interface for which you wish to configure the IP range.
  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter n
  • Enter the new IPv4 address as: 10.6.6.1
    • Enter 24
    • Press Enter (for LAN)
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter n
  • Enter the new LAN IPv6 address. Press Enter for none.
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of range: 10.0.0.11
    • End of range: 10.0.0.244
  • Do you want to revert to HTTP?
    • Enter n
    • Press Enter to complete

Configure LAN IP Range 10.9.9.1

  • Enter 2 at the pfSense config screen to change the LAN IP range from the default.

lanipconfig

  • Select the interface for which you wish to configure the IP range.
  • Configure IPv4 address LAN interface via DHCP? (y/n)
    • Enter n
  • Enter the new IPv4 address as: 10.9.9.1
    • Enter 24
    • Press Enter (for LAN)
  • Configure IPv6 address LAN interface via DHCP6? (y/n)
    • Enter n
  • Enter the new LAN IPv6 address. Press Enter for none.
  • Do you want to enable the DHCP server on LAN? (y/n)
    • Enter y
    • Start of range: 10.0.0.11
    • End of range: 10.0.0.244
  • Do you want to revert to HTTP?
    • Enter n
    • Press Enter to complete

pfSense Config Summary

After completing the initial pfSense configuration via CLI, you should see a result as shown in the screenshot below:

pfsenseconfigsummary

Troubleshooting pfSense CLI Config

If something goes wrong or the prompts do not match this guide, simply select option 4 at the main prompt screen to restore factory defaults and start over.

troubleshootingpfsensecliconfig

Add Other VLANs

  • Repeat the steps to create a new NIC (i.e. vmbr1, VLAN tag 300, VLAN tag 400, etc.) in Proxmox
  • Repeat the Configure LAN IP Range steps for the new VLAN (i.e. OPT3 > 10.3.3.11, OPT4 > 10.4.4.11, etc.)

Enable web UI access to pfSense

  • From the pfSense console menu, enter 8 (shell) and type in pfctl -d to enable the pfSense web UI access needed to change other settings using the GUI instead of the CLI.

pfsensewebuienable

Note: A reboot will cause the web UI access to revert to defaults and you'll have to repeat this step after a reboot to regain access to the web GUI. Ben Heater explains on his website: "pfSense is blocking WAN access to the web console. This is a good thing if your pfSense router is sitting at the edge of your network. You wouldn't want anybody to be able to reach the login page of your home router from the internet. In reality, the IP address on the WAN port is a private IP address – which is not accessible from the Internet without some workarounds. So, in this case, it's perfectly safe to open the WAN port inside our home network."

Access the web GUI

  • Enter the IP address you assigned in the DHCP Server in the URL address bar (ex. http://192.168.1.24).
  • If you encounter a screen in your browser that warns you about your connection not being private, ignore it and proceed (to unsafe); it's safe because it's your pfSense router on your network.
  • Enter the default credentials: admin (username) and pfsense (password)
  • Enter a host name: <name>-<name> (ex. pfsense-fw)
  • Enter a domain name (ex. pf.range)

hostnamedomainname

  • If you have a DNS resolver you wish pfSense to use, check Override DNS; if not, enter a DNS resolver of your choice.
  • NTP Server: set the timezone and click Next to accept the default.
  • Set the DHCP Hostname to the name you assigned and uncheck the Block RFC1918 Private Networks since we want to allow private IPs through the WAN, not block them.

  • Skip the LAN interface config since we already configured it earlier.
  • Important: Change the default admin password!
  • Click Reload and then Finish to complete the wizard.

Note: You'll lose connection to the web GUI and you'll need to run pfctl -d in the VM console to access again.

Enable web GUI access permanently - add WAN rule

  • Navigate to: Firewall > Rules > WAN

wanruleedit1

  • Add the following firewall settings:

wanruleedit2

  • Save and Apply Changes

Rename OPT1 and OPT2

What you rename these to is up to you and depends on your purposes, but the goal of this guide is to A) create a separate network from production/home (completed via vmbr1) and B) create two VLANs for security sandbox tools that are segregated from 10.0.0.1/24. Therefore, we will name the OPTs accordingly. See below:

  • In the pfSense web GUI, navigate to: Interfaces > Assignments
  • Click on the corresponding interface and change the description as follows:
  • Rename OPT1 to SEC_EGRESS
  • Rename OPT2 to SEC_ISOLATED

If you have other VLAN goals, then change or add new VLAN tags by creating a new OVS IntPort in the Proxmox network node. Revisit Configure Proxmox NICs to extrapolate.

  • Save each change and click Apply Changes after to submit the changes.

Create an Alias for RFC1918

The alias serves as an alternate name for all private IPv4 addresses.

  • Firewall > Aliases > Add
  • Fill in the fields and add networks as follows:

rfc1918networks

If you change the Type to Host(s) you can assign a static IP in Firewall > Aliases > Add for the DHCP server to assign.

Create WAN firewall rules for the security lab

To allow the home network to reach the internal LAN, we need to set a Pass action for all addresses and protocols. This is necessary if we wish to ssh or create an RDP session to the Kali Linux VM on the SEC_EGRESS VLAN.

  • Firewall > Rules > WAN > Add (down arrow)
  • Add the following configuration to your WAN rules:

wanruleforlantalk

  • Click Save

Allow WAN net to ping WAN address

  • Firewall > Rules > WAN > Add (down arrow) wanping

Block ALL WAN access to SEC_EGRESS LAN

It's paramount that we do not allow any packets to reach the LAN from the WAN. We only want egress, no ingress.

  • Firewall > Rules > WAN > Add (down arrow)

blockWANingressonSECegress

  • Click Save

Block ALL WAN ingress to SEC_ISOLATED

The same imperative applies to SEC_ISOLATED -- we don't want the isolated VLAN to have internet ingress access.

  • Firewall > Rules > WAN > Add (down arrow)

  • Add the following configuration to your WAN rules:

blockWANingressonSECisolated

  • Click Save on this new rule.

WAN outcome summary

The outcome of the rules should read as follows:

idealWANruleoutcome

Leave the LAN firewall rules alone. It is good as-is.

SEC_EGRESS rules - allow traffic to local gateway

Because RFC1918 will be blocked in future rules, we can allow the default gateway access to the Internet.

  • Firewall > Rules > SEC_EGRESS > Add (up arrow)

secegress1

  • Add the following rules:

  • Save

Create Kali1 alias host

  • Navigate to Firewall > Aliases > IP > Add
  • Enter the following details to create the Kali1 alias:

  • Save the alias.
  • Apply Changes

applykali1changes

Allow packets to Kali malware lab analysis

  • Firewall > Rules > SEC_EGRESS > Add (DOWN arrow)
  • Create the following rules for the Kali1 VM to access the SEC_EGRESS VLAN:

rulesforsecegresstoakali

  • Save the rules.
  • If you get an error, check that the name you created for the Kali VM alias matches what you entered.

kalivmnotfound

Allow packets to Internet (for non-private IPs)

  • Firewall > Rules > SEC_EGRESS > Add (DOWN arrow)
  • Add the following rules (make sure to check the "invert match" box):

invertmatchsecegresshost

Block everything else for SEC_EGRESS

  • Firewall > Rules > SEC_EGRESS > Add (DOWN arrow)
  • Create the following rules:

blockallthethingsnow

Check SEC_EGRESS final rule state

  • Do your rules match the following?

finalSECegressstate

  • If the rules match, click Apply Changes

SEC_ISOLATED rule setup - allow to Kali1

  • Navigate to the SEC_ISOLATED rules Firewall > Rules > SEC_ISOLATED

SEC_ISOLATEDfirewallrules

  • Click Add (UP arrow) and input the following rules:

allowpacketstokali1

  • Click Save

Block everything else on SEC_ISOLATED

  • Firewall > Rules > SEC_EGRESS > Add (DOWN arrow)
  • Now to block everything other than Kali1

blockallthethingsnow2

Rules have an order of execution based upon position. pfSense evaluates the list top to bottom and the first matching rule wins; any rules BELOW it are ignored for that packet. In this case, because the block-all rule is last, anything matched by a rule above it is allowed. But if I moved the Kali1 allow rule BELOW the block-all rule, Kali1 couldn't communicate with the SEC_ISOLATED hosts.
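To make the first-match behaviour concrete, here is a small added example (not part of the original guide or of pfSense) that models the SEC_EGRESS and SEC_ISOLATED rule sets from the sections above and shows what happens when the Kali1 allow rule is moved below the block-all rule. It only looks at source and destination addresses (no ports, protocols or interface direction), and it assumes SEC_EGRESS is 10.6.6.0/24, SEC_ISOLATED is 10.9.9.0/24 and Kali1 is 10.6.6.20; those values are assumptions, as are the constructed sample flows.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Aliases as the guide describes them. Network values are constructed for this
# example; the Kali1 address is an assumption (the guide never states it).
ALIASES = {
    "any": [IPv4Network("0.0.0.0/0")],
    "RFC1918": [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
                IPv4Network("192.168.0.0/16")],
    "SEC_EGRESS net": [IPv4Network("10.6.6.0/24")],      # assumed: OPT1 = vtnet1.666
    "SEC_EGRESS address": [IPv4Network("10.6.6.1/32")],  # the VLAN's own gateway
    "SEC_ISOLATED net": [IPv4Network("10.9.9.0/24")],    # assumed: OPT2 = vtnet1.999
    "Kali1": [IPv4Network("10.6.6.20/32")],              # assumed host alias
}


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # alias name for the source
    dst: str                  # alias name for the destination
    invert_dst: bool = False  # the "Invert match" checkbox on the destination
    note: str = ""


def _hits(alias: str, ip: IPv4Address, invert: bool = False) -> bool:
    inside = any(ip in net for net in ALIASES[alias])
    return inside != invert


def evaluate(rules: list, src: str, dst: str) -> str:
    """Walk the list top to bottom; the first rule that matches decides.
    Nothing matching falls through to pfSense's implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _hits(r.src, s) and _hits(r.dst, d, r.invert_dst):
            return r.action
    return "block"


def sec_egress_rules() -> list:
    return [
        Rule("pass", "SEC_EGRESS net", "SEC_EGRESS address", note="reach the local gateway"),
        Rule("pass", "SEC_EGRESS net", "Kali1", note="malware-lab analysis box"),
        Rule("pass", "SEC_EGRESS net", "RFC1918", invert_dst=True, note="internet only"),
        Rule("block", "SEC_EGRESS net", "any", note="block everything else"),
    ]


def sec_isolated_rules(block_first: bool = False) -> list:
    allow = Rule("pass", "SEC_ISOLATED net", "Kali1", note="only Kali1 may be reached")
    deny = Rule("block", "SEC_ISOLATED net", "any", note="block everything else")
    # block_first=True reproduces the misordering the guide warns about.
    return [deny, allow] if block_first else [allow, deny]


if __name__ == "__main__":
    # Constructed sample flows: egress host to the internet, to the home LAN,
    # to its gateway, and an isolated host to Kali1.
    for src, dst in [("10.6.6.50", "8.8.8.8"), ("10.6.6.50", "10.0.0.5"),
                     ("10.6.6.50", "10.6.6.1"), ("10.9.9.7", "10.6.6.20")]:
        rules = sec_egress_rules() if src.startswith("10.6.6.") else sec_isolated_rules()
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
```

The gateway rule is needed because 10.6.6.1 is itself an RFC1918 address and would otherwise fall through to the block-all rule.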

Check SEC_ISOLATED final rule state

finalstateofSECisolatedrules

No "Block Bogon" rule found? That's because you have to check the box at the bottom of the page on Interfaces > <interface> > Block Bogon Networks (checkbox).

blockthebogonnetwork

  • If the rules match, click Apply Changes

Configure DNS Resolver Settings

  • Nav to Services > DNS Resolver
  • Check these two boxes for DHCP Registration and Static DHCP

dhcpregandstaticdhcp

  • Now, nav to Advanced Settings and ensure that your settings match the following configuration:

matchadvconfigopts

How to add additional VLANs to pfSense

  • Nav to: Proxmox Node > Network
  • Add a new VLAN tag to vmbr1 by: Create > OVS IntPort and select vmbr1 and enter a new VLAN tag and comment.
  • Apply the change by clicking Apply Configuration (button)
  • Add the new VLAN to pfSense by accessing the pfSense web GUI (i.e. URL)
  • Nav to: Interfaces > Assignments > VLANs > Add
  • Fill in the VLAN Configuration with:
    • Parent Interface: vtnet1
    • VLAN Tag: <your VLAN tag number>
    • Description (optional): <designation comment for your own organizational sanity>
  • Nav to: Interface Assignments > Add (next to the newly added interface)
  • Click Save and you should now see an OPT# interface populate.

Configure new VLAN interface

  • Click on the new OPT# name to configure it.
  • Enter a description if you like.
  • Set the IPv4 Configuration Type to Static IPv4 (no need for IPv6, so leave it as "none")
  • For the Static IPv4 Configuration, enter the desired gateway address for the range you want (i.e. 10.1.1.1/24, not 10.1.1.0/24).
  • At the bottom of the Interfaces > be sure to check the Block Bogon Networks (checkbox).

Configure DHCP server over new interface

  • Nav to: Services > DHCP Server > <interface_name> > Enable
  • Set the desired IP range (i.e. 10.1.1.11 - 10.1.1.244)
  • Hit Save and Apply Changes if you are happy with it.

pfSense Firewall Rules

  • Nav to: Firewall > Rules > <interface_name> to add new rules.

There will not be any rules by default (except if you're blocking bogon nets). Therefore, it's your call how you configure the firewall rules. For assistance, check out:

Example Firewall Configs:

  • The Basic VLAN

This setup prevents VLANs from reaching anything outside their own subnet (i.e. it blocks 192.168.1.48 from reaching 10.0.4.158), but still allows internet access. In order for this config to work, you must have already created the RFC1918 alias; see Create an Alias for RFC1918 above.

Firewall Rule Config Screenshots: thebasicVLAN gamesinternetaccess RFC1918blockrule

  • The WAN to VLAN

This is the same as above EXCEPT that an additional rule has been added to allow traffic from the WAN net to a VLAN, while preventing VLAN traffic from reaching the WAN net.

thebasicVLAN

  • Add the same rules as above.
  • Create from WAN to VLAN rule [WIP]
    • All WAN net to VLAN rules fail
    • VLAN to WAN net is successful, but it's not a two-way street (only the VLAN can ping the WAN net)
    • Perhaps a jump machine from LAN net to VLAN net is required for this config?