HomeLab Networking

Online Resources

VNet Overview

HomeLab-Network-Diagram.excalidraw.png

Name    Alias              Subnet       Gateway   SNAT   DHCP Range
AttDMZ  Attacker DMZ       10.1.0.0/24  10.1.0.1  FALSE  10.1.0.100 - 10.1.0.254
AttExt  Attacker External  10.1.1.0/24  10.1.1.1  FALSE  10.1.1.100 - 10.1.1.254
AttInt  Attacker Internal  10.1.2.0/24  10.1.2.1  FALSE  10.1.2.100 - 10.1.2.254
TarDMZ  Target DMZ         10.2.0.0/24  10.2.0.1  FALSE  10.2.0.100 - 10.2.0.254
TarAdm  Target Admin       10.2.1.0/24  10.2.1.1  FALSE  10.2.1.100 - 10.2.1.254
TarIT   Target IT          10.2.2.0/24  10.2.2.1  FALSE  10.2.2.100 - 10.2.2.254
TarHR   Target HR          10.2.3.0/24  10.2.3.1  FALSE  10.2.3.100 - 10.2.3.254
Important

Do NOT specify a Gateway in Proxmox's Subnet UI, as this will cause an IP conflict with the OPNsense Firewall we'll configure in the next section.
HomeLab Networking_NO Subnet Gateway.png

Important

Do NOT specify any DHCP Ranges either; we'll configure those in OPNsense as well.
HomeLab Networking_NO DHCP Ranges.png

Configuring the OPNsense Firewalls

Hardware

HomeLab Networking_Hardware.png
[1]

Install OPNsense permanently

  1. Login with: installer:opnsense
  2. Then go through the installation wizard

Setup GUI Access from WAN Interface

Warning

This is not recommended, especially for PROD! But since this lab is isolated, and I'm my own attacker, I am configuring GUI access on the WAN interface for convenience's sake.

  1. Login using root:[THE_PASSWORD_YOU_CHOSE_DURING_SETUP]
  2. Open the Shell
  3. Temporarily disable the Firewall: pfctl -d
  4. Add the following rule to the WAN interface:
    HomeLab Networking_Allow WAN GUI Access.png

Basic Config

  1. Login using root:[THE_PASSWORD_YOU_CHOSE_DURING_SETUP]
  2. Set the WAN interface to vmbr0 and leave the rest as optional interfaces
  3. Add the other interfaces (to the VNets) and give them a representative name
    HomeLab Networking_Target_OPNsense_Interfaces.png
  4. Enable all the interfaces in the Web GUI
    HomeLab Networking_OPNsense_enabling_the_interfaces.png
  5. For each interface set their static IPv4 to the gateway address of the respective VNet (e.g.: TarDMZ gets 10.2.0.1)
    HomeLab Networking_OPNsense_interface_static_ip.png
  6. Enable DHCP on each Interface and Configure the DHCP ranges as described in the table above
    HomeLab Networking_OPNsense_DHCP_ranges.png
  7. Set DNS servers and uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
    HomeLab Networking_Set DNS Servers.png
    [2]

Rules

  1. Add a new alias for private networks:
    HomeLab Networking_RFC1918_Alias.png

  2. Create a new firewall rule to enable internet traffic and clone it to the interfaces TarAdm, TarDMZ, TarHR & TarIT:
    HomeLab Networking_Allow_connections_to_non_private_networks.png

  3. Create rules to allow traffic from the respective VNet into the VNets on each interface:

    Warning

    Please note that these rules are very broad/loose!

    HomeLab Networking_TarAdm_rules.png
    HomeLab Networking_TarDMZ_rules.png
    HomeLab Networking_TarHR_rules.png
    HomeLab Networking_TarIT_rules.png

[3]
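A consistency check for the VNet table and the internet rule above, written as an added example (not part of the original notes or of OPNsense). It assumes the RFC1918 alias holds the three standard private ranges and models the internet rule as "pass only if the destination is outside the alias"; the function names are hypothetical.

```python
import ipaddress as ip

# Assumption: the RFC1918 alias contains the three private ranges from RFC 1918.
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# VNet plan from the table above: name -> (subnet, gateway, DHCP start, DHCP end)
VNETS = {
    "AttDMZ": ("10.1.0.0/24", "10.1.0.1", "10.1.0.100", "10.1.0.254"),
    "AttExt": ("10.1.1.0/24", "10.1.1.1", "10.1.1.100", "10.1.1.254"),
    "AttInt": ("10.1.2.0/24", "10.1.2.1", "10.1.2.100", "10.1.2.254"),
    "TarDMZ": ("10.2.0.0/24", "10.2.0.1", "10.2.0.100", "10.2.0.254"),
    "TarAdm": ("10.2.1.0/24", "10.2.1.1", "10.2.1.100", "10.2.1.254"),
    "TarIT":  ("10.2.2.0/24", "10.2.2.1", "10.2.2.100", "10.2.2.254"),
    "TarHR":  ("10.2.3.0/24", "10.2.3.1", "10.2.3.100", "10.2.3.254"),
}

def plan_errors(vnets):
    """Return a list of problems in the addressing plan (empty list = consistent)."""
    errors, seen = [], {}
    for name, (subnet, gw, lo, hi) in vnets.items():
        net = ip.ip_network(subnet)
        gw, lo, hi = (ip.ip_address(a) for a in (gw, lo, hi))
        for label, addr in (("gateway", gw), ("DHCP start", lo), ("DHCP end", hi)):
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                errors.append(f"{name}: {label} {addr} is not a usable host in {net}")
        if lo > hi:
            errors.append(f"{name}: DHCP range {lo} - {hi} is reversed")
        if lo <= gw <= hi:
            errors.append(f"{name}: gateway {gw} lies inside the DHCP range")
        # A subnet outside the alias would be reachable through the internet rule.
        if not any(net.subnet_of(p) for p in RFC1918):
            errors.append(f"{name}: {net} is not covered by the RFC1918 alias")
        for other, onet in seen.items():
            if net.overlaps(onet):
                errors.append(f"{name}: {net} overlaps {other} ({onet})")
        seen[name] = net
    return errors

def internet_rule_passes(dst):
    """Model of the internet rule: pass only destinations outside the alias."""
    return not any(ip.ip_address(dst) in p for p in RFC1918)

if __name__ == "__main__":
    print(plan_errors(VNETS) or "addressing plan is consistent")
    for dst in ("1.1.1.1", "10.1.2.50", "10.2.1.10"):  # constructed sample destinations
        print(dst, "pass" if internet_rule_passes(dst) else "no match (needs a VNet rule)")
```

Because every VNet sits inside 10.0.0.0/8, the internet rule never matches lab-to-lab traffic, so cross-VNet reachability is decided only by the per-interface rules from step 3.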


Relevant Note(s): Proxmox Hardening


  1. https://docs.opnsense.org/manual/hardware.html#hardware-requirements

  2. https://homenetworkguy.com/how-to/confused-about-dns-configuration-in-opnsense/

  3. https://docs.opnsense.org/manual/firewall.html