Andrew Acevedo

pfSense Virtual Lab for VulnHub machines

Published on November 14, 2023

VulnHub is a community that creates intentionally vulnerable virtual machines to practice penetration testing skills. When these machines are run on a host computer, they could technically be running any number of programs and communicating with the internet if not properly cordoned off from other devices in your network.

Hyper-V Switch Manager

Virtual machine managers, like Microsoft Hyper-V, tend to provide private virtual switches that one can use to connect multiple virtual machines while segmenting them off from the public internet and the host machine. Private switches block traffic from passing completely; if any granularity is needed when choosing what traffic should be allowed or blocked, a virtual firewall will work best.

pfSense Firewall

pfSense is a free and open-source firewall based on FreeBSD. Placing pfSense into the virtual environment and setting it as the default gateway for machines connected to the private switches allows us to control what goes in and out. Traffic from the machines connected to the virtual switches cannot travel out to the internet without going through the firewall, where we can apply rules to it as we see fit.

pfSense Rules

In my lab setup, I created a private switch for untrusted machines, such as those from VulnHub. Their outbound traffic to the internet is completely blocked, but traffic to machines on the trusted private switch, such as my attack machine, Kali Linux, is allowed. Each switch is connected to a separate pfSense interface. pfSense runs DHCP for the private switch subnets, LAN and OPT1, but not for the home network, labeled as WAN, which gets its IP assigned from the physical router.
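The policy described above can be checked offline before trusting it with a vulnerable VM. The following is an added example, not part of the original post: a small Python model of pfSense's top-down, first-match rule evaluation with default deny, comparing the intended rule order with a weak one. The subnets, addresses, and rule lists are constructed assumptions, since the post does not list them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (assumption; the post does not give subnets).
TRUSTED = ipaddress.ip_network("10.10.10.0/24")    # trusted switch (attack machine)
UNTRUSTED = ipaddress.ip_network("10.10.20.0/24")  # untrusted switch (VulnHub VMs)
HOME = ipaddress.ip_network("192.168.1.0/24")      # home network behind WAN
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Intended rules on the interface facing the untrusted switch, top to bottom.
UNTRUSTED_RULES = [
    Rule("pass", UNTRUSTED, TRUSTED),  # lab traffic to the trusted switch
    Rule("block", UNTRUSTED, ANY),     # everything else: home network and internet
]

# Weak variant: a broad pass placed first shadows the block below it.
WEAK_RULES = [
    Rule("pass", UNTRUSTED, ANY),
    Rule("block", UNTRUSTED, HOME),
]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule; no match means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "block"

def audit(rules, vm="10.10.20.50"):
    """Name the probe destinations outside the trusted subnet that a VM can reach."""
    probes = {
        "trusted attack machine": "10.10.10.5",
        "home network device": "192.168.1.20",
        "internet host": "203.0.113.10",   # documentation range, stands in for the internet
    }
    return [name for name, dst in probes.items()
            if evaluate(rules, vm, dst) == "pass"
            and ipaddress.ip_address(dst) not in TRUSTED]

if __name__ == "__main__":
    print("intended rules leak to:", audit(UNTRUSTED_RULES))
    print("weak rules leak to:", audit(WEAK_RULES))
```

Because the home network sits behind WAN on a private range, the catch-all block is what keeps untrusted machines away from other devices at home as well as from the internet.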

pfSense Interfaces

Draw.io is the web-based diagramming tool that I used to draw out the network diagram of my virtual setup. Using tools like this helps immensely with drafting and explaining complex network designs by visualizing not only the physical components but the logical topology as well, which is important when dealing with virtual environments.

pfSense Network Diagram