Project Fur-Tress: Building a Home SOC Lab (Part 2)

Introduction

In the first part of Project Fur-Tress, which you can read here, I used Proxmox, hosted on a Dell server, to set up a Linux Bridge, ensuring all VMs in the lab would utilise this for network connectivity. After that, I created a VM, installed pfSense, and configured the LAN interface with a static IP and DHCP server.

In this section, I will be setting up a management VM and using it to configure pfSense, then getting started with VLANs and devices. One aspect I initially overlooked in the network design was a dedicated management system. This system allows me to access and configure pfSense and all other systems, if needed, from outside the VLANs. I’ll begin with setting this up before moving on to other systems and configurations.

I also want to note something I should have mentioned in Part 1: the overall network design, applications, and setup may change or evolve as I progress through the project or over time. This is a journey of learning and adapting, and I’m excited to share each step with you.

The Management System

VM configuration

For my management system, I opted for a lightweight installation of Debian. This system only needs to run some network tools, a light desktop environment, and a browser to handle configurations and settings for other devices on the network. I downloaded the Debian 12.7 ISO from the official website and uploaded it to my Proxmox server for installation. Given that the management system doesn’t require significant resources, I created the VM with 2 vCPUs, 2 GB of RAM, and 15 GB of disk space, which is plenty for its intended use.

To ensure connectivity during the initial setup, I set the network interface to vmbr0, the same interface used by the pfSense VM for internet access. Since pfSense hasn't been fully configured for the VLANs and firewall rules yet, connectivity on the vmbr5 interface might be limited. Once the Debian installation is complete, I'll proceed with configuring pfSense and the required network settings.

Installing Debian

The Debian installation was straightforward. After selecting the language, location, and keyboard layout, most of the installation proceeded automatically until it reached the hostname setup. I set the hostname to 'socmgr' and left the domain name blank since this system is purely for managing the network. After setting the root password and creating a new user for non-root administrative actions, the installation continued with disk management and partition configuration.

I selected the package mirror, opted out of the 'popularity contest', and then chose to install Xfce, the SSH server, and standard system utilities. The installation finished by installing the GRUB boot loader, followed by a reboot. Logging in confirmed a successful installation. I then shut down the VM, switched the network interface from vmbr0 to vmbr5, and rebooted.

Setting Sudo Access

Upon restarting, I logged in as root to ensure the new user had sudo privileges. Opening the terminal, I used the following command to set my preferred editor for the sudoers file:

update-alternatives --config editor

Next, I edited the sudoers file using visudo:

visudo

I scrolled down to the # User privilege specification section, pressed 'i' to enter Insert mode in the vim editor, and added an entry for my user (mgmt) below the root entry, in the same format as the root line. visudo checks the syntax on save and refuses to write a broken file, which is why it is used instead of editing /etc/sudoers directly.

After saving and exiting the editor with :wq, I switched to the new user (already being root, su alone is enough; the dash gives a proper login shell) and verified the sudo privileges:

su - mgmt
sudo -l

The expected sudo privileges were correctly assigned.
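As an added example (not part of the original post), the same grant can be written as a drop-in under /etc/sudoers.d/ and syntax-checked before it is installed, which avoids editing /etc/sudoers by hand at all. The user name mgmt is the one from the post; the function name, the drop-in approach and the output path are my assumptions.

```shell
#!/bin/sh
# Added example: create a sudoers drop-in for one admin user and validate it.
# Assumptions: user "mgmt" as in the post; the fragment is written to OUTFILE
# (in real use /etc/sudoers.d/mgmt) rather than appended to /etc/sudoers.

# sudoers_dropin USER OUTFILE
# Writes "USER ALL=(ALL:ALL) ALL", the same grant Debian ships for root,
# with the 0440 mode sudo expects, then asks visudo to parse it.
sudoers_dropin() {
    user="$1"
    out="$2"
    # Reject names that could not be a sane Unix account name; this also keeps
    # whitespace or shell metacharacters out of the sudoers grammar.
    case "$user" in
        ""|[!a-z_]*|*[!a-z0-9_-]*) echo "refusing user name '$user'" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$out" || return 1
    chmod 0440 "$out" || return 1
    # visudo -cf parses a file without installing it; fail closed on any error.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$out" >/dev/null || { echo "visudo rejected $out" >&2; return 1; }
    fi
    return 0
}

# Usage on the management VM (as root):
#   sudoers_dropin mgmt /etc/sudoers.d/mgmt && su - mgmt -c 'sudo -l'
```

Files in /etc/sudoers.d/ are read in lexical order and must not contain a dot or end in a tilde, or sudo silently skips them.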

Now it’s time to configure the pfSense firewall to ensure this device has internet access and to start setting up the VLANs for each part of my network. Initially, I’ll set up simple firewall rules to grant full internet access to each device in each VLAN until they are fully updated and configured. Then, I’ll implement the planned access controls and restrictions.

Configuring pfSense

With Debian installed and my user configured with sudo access, I logged out of the root account, switched to my user account, and started setting up pfSense. pfSense can be quite complex and intimidating at times, but its documentation is comprehensive and user-friendly. There are also numerous guides and tutorials available online. I highly recommend checking out the pfSense guide from Lawrence Systems on YouTube; though a few years old, it was incredibly informative and well-produced.

To access the pfSense web interface, I opened my web browser and entered the IP address of my pfSense router on the vmbr5 network, which was 172.16.200.247 in my case. I clicked on the Advanced button and accepted the risk to proceed past the Potential Security Risk Warning, which appeared because pfSense ships with a self-signed certificate. That is acceptable for a lab reached only over my own management network; the warning will keep appearing until pfSense is given a certificate the browser trusts, for example one issued by an internal CA created in its Certificate Manager.

When the login page loaded, I logged in using the default credentials: the username admin and the password pfsense. These are public defaults, which is why the wizard later insists on a new admin password.

pfSense Configuration Wizard

After logging in, pfSense started the initial configuration wizard, guiding me through the basic setup. Clicking through to the 'General Information' configuration, I changed the hostname to firewall and set the domain to fur-tress.soc, as this will be the domain name for the 'Corporate' environment. I set the primary DNS to 1.1.1.1, disabled Override DNS, and clicked next.

On the Time Server information page, I left the time-server hostname as it was and made sure to set the timezone to UTC. Since I plan to collect logs from pfSense as part of the SOC lab, I prefer having all systems share a standardized timezone for easier tracking through logs from different systems and devices.

Moving on to the WAN configuration page, I left all the settings as they were, except for Block RFC1918 Private Networks and Block bogon networks. I disabled both because in my lab the pfSense WAN interface sits behind my home router on a private (RFC1918) range rather than on a public address; with those rules on, pfSense would drop traffic arriving from that upstream network. They are meant for a WAN that faces the real internet.

When configuring the LAN interface, my LAN IP address and subnet mask had already been set, so there was no need to change this. Lastly, I set up a secure Admin password for pfSense before restarting it to apply the new changes.

After the restart, I noticed on the Dashboard that my version of pfSense could be updated. I proceeded with the update and was then ready to move on to the next steps.

Setting up VLANs

From the pfSense web configurator interface, I navigated to the top menu and selected Interfaces > Assignments and then VLANs. This is where I would create the VLANs for each part of my network that I wanted to separate. Clicking on Add, I began configuring the settings for a new VLAN.

I started with my Management VLAN, making sure it was properly set up and that firewall rules were configured for internet access before moving on to the other VLANs. This approach helps ensure I know what settings are required for each VLAN.

I wanted all my VLANs to be on the LAN interface, so I selected vtnet1 for the interface. For the Management VLAN, I set the VLAN Tag to 100 and entered the description as Management VLAN.

Once the VLAN was created, I navigated to Interfaces and could see that the VLAN was available but not yet assigned. Pressing the Add button next to the interface assigned it to OPT1.

Clicking into OPT1 brought me to the configuration page, where I enabled the interface, set its name, and configured the IP settings.

After saving, I went back to Interfaces and saw that OPT1 reflected the changes I made.

Setting Firewall Rules

Next, I needed to create a firewall rule to allow traffic from the Management VLAN to all other devices on the LAN and VLANs while retaining internet access. From the main menu, I went to Firewall > Rules and then to the LAN tab. First, I disabled the rule for IPv6 since I won’t be using IPv6 services at the moment.

After applying the change, I selected the Copy icon from the active IPv4 rule to duplicate it and edit it for my VLAN: the copy needs its Interface changed to MANAGEMENT_VLAN100 and its Source changed from LAN net to MANAGEMENT_VLAN100 net, otherwise it would still only match LAN traffic.

In the MANAGEMENT_VLAN100 firewall rules section, I could see my newly created rule.

Configuring DHCP Server

Before configuring devices to use the Management VLAN, I needed to set up the DHCP server. This step is necessary for every VLAN or interface we enable. From the menu, I selected Services > DHCP Server and then clicked on the Management VLAN tab. I enabled the DHCP server, set the address pool range from 10.100.1.50 to 10.100.1.100, and entered the DNS servers. The primary DNS server was set to 10.100.1.254, which is the pfSense interface address on this VLAN, so clients resolve through pfSense's own DNS Resolver; the secondary was Cloudflare's DNS, 1.1.1.1. I then saved and applied the changes.

Finally, I shut down the Debian VM, edited its network device in Proxmox to set the VLAN Tag to 100 (the bridge stays vmbr5; Proxmox tags the VM's frames so pfSense receives them on the VLAN interface), and restarted the VM.

Final Steps

With the Management VLAN set and my device connected, automatically assigned an IP address in the correct range, and retaining internet access, it was time to set up the remaining VLANs and interfaces. Each VLAN needed its own interface address, DHCP server configuration (pool and DNS servers) and an initial firewall rule to allow full internet access.

Below is a table displaying the VLAN tags, interface IP addresses, DHCP ranges, and DNS servers for each VLAN:

Interface       VLAN  Interface IP       DHCP range                   DNS
MANAGEMENT      100   10.100.1.254/24    10.100.1.50 - 10.100.1.100   10.100.1.254
FAKE_INTERNET   10    10.10.10.254/24    10.10.10.50 - 10.10.10.100   10.10.10.254
CORPORATE_LAN   20    10.10.20.254/24    10.10.20.50 - 10.10.20.100   10.10.20.254
SECURITY        50    10.10.50.254/24    10.10.50.50 - 10.10.50.100   10.10.50.254
ISOLATED        99    10.10.99.254/24    10.10.99.50 - 10.10.99.100   10.10.99.254
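Typing five rows of addresses into two separate GUIs is where mistakes creep in (a DNS server from the wrong VLAN, a pool that swallows the gateway address, a duplicated tag). The script below is an added example, not from the post, that checks the plan above before it goes into pfSense and Proxmox: every DHCP pool boundary and DNS server must lie inside the interface's subnet, the pool must not contain the interface address, and VLAN tags must be unique and in the 1-4094 range. The table rows are the post's; the helper names are mine. It is plain POSIX sh so it runs on the Debian management VM as is.

```shell
#!/bin/sh
# Added example: sanity-check the VLAN plan from the post before configuring it.
# The rows below are copied from the post's table; checks and names are mine.
# Columns: name, VLAN tag, interface address/prefix, DHCP low, DHCP high, DNS.
VLAN_PLAN='
MANAGEMENT    100 10.100.1.254/24 10.100.1.50 10.100.1.100 10.100.1.254
FAKE_INTERNET 10  10.10.10.254/24 10.10.10.50 10.10.10.100 10.10.10.254
CORPORATE_LAN 20  10.10.20.254/24 10.10.20.50 10.10.20.100 10.10.20.254
SECURITY      50  10.10.50.254/24 10.10.50.50 10.10.50.100 10.10.50.254
ISOLATED      99  10.10.99.254/24 10.10.99.50 10.10.99.100 10.10.99.254
'

# ip2int A.B.C.D: print the dotted-quad address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP ADDR/PREFIX: succeed if IP is in the same network as ADDR.
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    host_bits=$(( 32 - ${2#*/} ))
    # size = 2^host_bits; dividing both addresses by it leaves only the prefix.
    size=1; i=0
    while [ "$i" -lt "$host_bits" ]; do size=$(( size * 2 )); i=$(( i + 1 )); done
    [ $(( ip / size )) -eq $(( net / size )) ]
}

# check_plan PLAN: print every problem found; succeed only if PLAN is clean.
check_plan() {
    problems=0
    seen_tags=" "
    while read -r name tag cidr lo hi dns; do
        [ -n "$name" ] || continue
        if [ "$tag" -lt 1 ] || [ "$tag" -gt 4094 ]; then
            echo "$name: VLAN tag $tag out of range"; problems=$(( problems + 1 ))
        fi
        case "$seen_tags" in
            *" $tag "*) echo "$name: VLAN tag $tag already used"; problems=$(( problems + 1 )) ;;
        esac
        seen_tags="$seen_tags$tag "
        for addr in "$lo" "$hi" "$dns"; do
            in_subnet "$addr" "$cidr" || { echo "$name: $addr is outside $cidr"; problems=$(( problems + 1 )); }
        done
        lo_n=$(ip2int "$lo"); hi_n=$(ip2int "$hi"); gw_n=$(ip2int "${cidr%/*}")
        if [ "$lo_n" -gt "$hi_n" ]; then
            echo "$name: DHCP pool $lo-$hi is reversed"; problems=$(( problems + 1 ))
        fi
        # The interface address must never be handed out by DHCP.
        if [ "$gw_n" -ge "$lo_n" ] && [ "$gw_n" -le "$hi_n" ]; then
            echo "$name: interface address ${cidr%/*} is inside the DHCP pool"; problems=$(( problems + 1 ))
        fi
    done <<EOF
$1
EOF
    [ "$problems" -eq 0 ]
}

# Usage: check_plan "$VLAN_PLAN" && echo "plan is consistent"
```

The same in_subnet helper is handy after the VM comes back up: feed it the address the management VM actually received (from ip -4 addr) and the MANAGEMENT row to confirm the Proxmox VLAN tag landed the VM in the right pool rather than on the untagged LAN.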

Summary

In this part of the project, I set up a Debian VM to act as the management device for my pfSense firewall and VLANs. Once it was up and running, I configured the VLANs, interfaces, DHCP servers, and firewall rules for each VLAN. I confirmed that my management device was correctly assigned an IP address within the specified range, could access the internal pfSense web interface, and still had internet connectivity.

Next steps will involve setting up a Kali Linux VM in the Fake Internet VLAN to simulate external threats to the Corporate LAN VLAN. This will allow me to test security settings and gather valuable logs and data. Additionally, I will set up a Windows Server 2019 Evaluation VM in the Corporate LAN VLAN to serve as the Domain Controller, Active Directory, DNS, and DHCP server for the Corporate LAN VLAN.

Resources