Network #
In my previous post I listed all the networks the lab should have. The bridges are created in the Proxmox web UI; both kinds live under Node -> System -> Network -> Create, and none of them needs a physical port because they are VM-only segments.
Firewall transit networks:
Node -> System -> Network -> Create Linux bridge
- vmbr1 (fw <-> host)
- vmbr2 (fw <-> client networks)
Client network:
Node -> System -> Network -> Create OVS bridge (the OVS bridge type only shows up once the openvswitch-switch package is installed on the node)
- vmbr5 (clients)
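The same three bridges in the node's /etc/network/interfaces syntax, as an added example rather than the post's own click-through: it assumes ifupdown2 (the default on current Proxmox releases, which is what makes ifreload work without a reboot) and that openvswitch-switch is installed for vmbr5. The stanzas carry no address because the host is not meant to route; that job belongs to the firewall VM.

```shell
#!/bin/sh
# Added example (not from the original post): emit the three lab bridges as
# interfaces(5) stanzas and, only when asked, append and apply them.
# Assumptions: Proxmox VE with ifupdown2, openvswitch-switch installed.

# bridge_stanza NAME KIND COMMENT -> prints one stanza on stdout.
# KIND is "linux" or "ovs". "inet manual" means no host IP on the bridge.
bridge_stanza() {
    name=$1; kind=$2; comment=$3
    printf 'auto %s\n' "$name"
    printf 'iface %s inet manual\n' "$name"
    case $kind in
        linux)
            printf '\tbridge-ports none\n'   # no physical NIC: VM-only segment
            printf '\tbridge-stp off\n'
            printf '\tbridge-fd 0\n'
            ;;
        ovs)
            printf '\tovs_type OVSBridge\n'  # OVS so a mirror port can be added later
            ;;
        *)
            echo "bridge_stanza: unknown kind '$kind'" >&2
            return 1
            ;;
    esac
    printf '#%s\n\n' "$comment"              # Proxmox keeps the GUI comment as a # line after the stanza
}

# lab_bridges -> the complete set for this lab.
lab_bridges() {
    bridge_stanza vmbr1 linux 'fw <-> host' &&
    bridge_stanza vmbr2 linux 'fw <-> client networks' &&
    bridge_stanza vmbr5 ovs   'clients'
}

# Touch the system only when explicitly asked, so the file is safe to source.
# Usage on the node: sh lab-bridges.sh apply
if [ "${1:-}" = "apply" ]; then
    lab_bridges >> /etc/network/interfaces
    ifreload -a   # same as the web UI's "Apply Configuration" button
fi
```

Running it without the apply argument just prints the stanzas, which is a convenient way to diff against what the GUI wrote.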
Now we have everything we need at this stage and can proceed to the firewall install.
Port mirroring needs a virtual machine whose tap interface sits on the OVS bridge, so I'll add that later.
Firewall #
I like to use pfSense because it has a nice web UI and gives me everything I need in my lab and more. If you are running your lab on your own equipment, you might want to consider installing the firewall on a separate machine or buying a dedicated firewall with pfSense preinstalled. Keep in mind that when the firewall is a VM, the Proxmox host touches every segment, so whoever controls the host controls the segmentation.
You can download pfSense here:
The install is pretty straightforward: create a virtual machine with one NIC on vmbr1 (towards the host) and one on vmbr2 (towards the client networks), attach the ISO image as the boot device and walk through the installer. There are options you can choose, but mostly the defaults are fine. On the first boot pfSense asks which interface is WAN and which is LAN; virtio NICs show up as vtnet0 and vtnet1.
After the install is finished I need access to the web UI, but at this point there is no easy way to do that since the web UI is only reachable from the internal (LAN) side. It is possible to allow the web UI on WAN or to do routing on the host machine, but rather than poke a hole in the firewall I installed a Linux server with a GUI and a web browser on the internal side of the lab network, opened its console from Proxmox and used that to configure the rest of the basic settings.
I'll install a dedicated workstation or server which has access to all parts of the network and use that for administrative tasks later on. It is a good idea to have this type of privileged access workstation which can reach all management interfaces and services but otherwise has limited connectivity, e.g. no internet.
To ease my own access to the internal network I added a separate jumpserver which I can use to reach the internal network and bypass the firewall. This way I can just ssh to my host and tunnel traffic from my laptop into the lab. For the jumphost I installed Debian with the most minimal footprint possible: 256MB of memory and eight gigs of storage. It will not do any routing; instead it has a separate interface on every VLAN the lab will ever have, which lets me reach all parts of the lab with minimal hassle. Because it sits on every VLAN and bypasses the firewall it is also the best pivot point in the lab, so keep it minimal, key-only for ssh and with IP forwarding disabled.
MobaXterm is an ssh client which allows you to chain multiple jumphosts, and I can highly recommend that you give it a try. OpenSSH's ProxyJump option does the same thing from the command line.
VLAN setup #
In this setup pfSense gets a separate virtual network interface for every VLAN id the lab has, i.e. one Proxmox NIC per VLAN tag. The alternative is a VLAN-aware bridge with a single trunk NIC and 802.1Q sub-interfaces created inside pfSense (Interfaces -> Assignments -> VLANs); either way each VLAN ends up as its own interface with its own rules.
My lab has following address scheme:
* VLAN10 (Servers): 10.26.10.0/24
* VLAN20 (DMZ): 10.26.20.0/24
* VLAN30 (Clients): 10.26.30.0/24
It is important that you assign virtual machines the right VLAN id: a VM on the wrong tag lands in the wrong trust zone, and the firewall rules written for its segment never see its traffic. The firewall will act as DHCP server for all the VLANs we set up. At this point I won't create any rules; I'll add them later after the servers and clients have been installed.
Ok, that's it. Hopefully you got something out of this and I'll see you in the next post.
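An added example (not from the original post) for pinning VMs to the right VLAN and auditing that it stuck. It assumes the VLAN ids above are used as access tags on vmbr5, that qm(1) is available on the node, and the VM names, ids and MAC addresses in the sample output are made up.

```shell
#!/bin/sh
# Added example (not from the original post): set a VM's NIC to the VLAN tag
# of its lab segment, and audit `qm config` output against the address scheme.
# Assumptions: client-side bridge is vmbr5, segments are tagged access ports.

# vlan_for NAME -> VLAN id for a lab segment (servers / dmz / clients).
vlan_for() {
    case $1 in
        servers) echo 10 ;;
        dmz)     echo 20 ;;
        clients) echo 30 ;;
        *) echo "vlan_for: unknown segment '$1'" >&2; return 1 ;;
    esac
}

# net_spec NAME -> the --netN argument for qm set (Proxmox picks the MAC).
net_spec() {
    tag=$(vlan_for "$1") || return 1
    echo "virtio,bridge=vmbr5,tag=$tag"
}

# attach VMID NAME -> put the VM's net0 on the segment.
attach() {
    qm set "$1" --net0 "$(net_spec "$2")"
}

# audit_config CONFIG_TEXT NAME -> 0 if every NIC on vmbr5 carries the
# segment's tag, 1 otherwise. An untagged NIC on vmbr5 is the dangerous case:
# it ends up in the bridge's native VLAN, outside every per-VLAN rule set.
# NICs on other bridges (the firewall's transit links) are ignored.
audit_config() {
    want=$(vlan_for "$2") || return 1
    bad=$(printf '%s\n' "$1" | grep '^net[0-9]*:' | grep 'bridge=vmbr5' \
            | grep -v -E "tag=${want}(,|\$)" || true)
    if [ -n "$bad" ]; then
        printf 'MISMATCH (expected tag %s):\n%s\n' "$want" "$bad" >&2
        return 1
    fi
}

# check_vm VMID NAME -> audit a live VM on the node.
check_vm() {
    audit_config "$(qm config "$1")" "$2"
}

# Constructed samples of `qm config` output, so the audit can be tried offline.
SAMPLE_OK='name: web01
net0: virtio=BC:24:11:00:00:01,bridge=vmbr5,tag=20
memory: 1024'
SAMPLE_BAD='name: db01
net0: virtio=BC:24:11:00:00:02,bridge=vmbr5,tag=30
net1: virtio=BC:24:11:00:00:03,bridge=vmbr5
memory: 2048'

# Usage on the node (acts only when asked):
#   sh lab-vlan.sh attach 110 clients
#   sh lab-vlan.sh check 110 clients
case ${1:-} in
    attach) attach "$2" "$3" ;;
    check)  check_vm "$2" "$3" ;;
esac
```

The audit deliberately treats a missing tag as a failure rather than "unknown", since a VM that silently lands untagged is exactly the mistake the paragraph above warns about.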