Saturday, February 22, 2025

Simple AD Cyber Security Lab (Part 3) - OPNSense Gateway

In the previous part we installed VirtualBox and prepared to start installing our VMs.  In this part we will finish the networking part of the lab setup.


    As we get started with building our lab we have some plumbing we should take care of.  With the gateway, we will be able to allow our lab access to the Internet but prevent it from accessing our home network.  This is important as it will allow us to do updates and install applications while protecting our home network from unintended targeting by any tools we run in our lab.

Warning:  This is in no way a best practices guide and should not be used for the installation of a production or even home firewall.


Create VM


First, let's download and extract the installer for OPNSense.

Download from https://opnsense.org/download/.  We want the "amd64" and "dvd" options.


Once downloaded, right-click the file, select 7-Zip and Extract here.


Open up VirtualBox, then select Machine and New.


Set our Name and Operating system
  • Name: GW - OPNSense
  • Folder: This should be the default location we set in part 2; only change this if you need to store your VMs in different locations
  • ISO Image: select the installer we extracted
  • Type: BSD
  • Subtype: FreeBSD (this is what OPNSense runs under the hood)


Next, let's go to Hardware.  I know this is not what is on the plan from part 1, but the installer can fail with less than 3 GB of RAM, and the extra CPU just makes the install much faster.  We will turn these back down after the install is complete.
  • Base Memory: 3096 MB
  • Processors: 2


Lastly, let's go to Hard Disk set our size and Finish
  • Hard Disk File location and Size:  Size to 16.00 GB (even if you have extra space no need to go larger here)


Now we have our VM, but we still need to tweak our network interfaces.  By default, we only get one and it is not set the way we want it.

Select our VM and click on the settings gear.


Go down to Network and change Adapter 1 to Bridged.  The Name should be the host's active network adapter; in my case that is the built-in WiFi.  This will be our WAN/Internet interface.

Take note of the MAC Address listed, as we will want it in a later step.


On the Adapter 2 tab we will set up our LAN/lab interface, then click OK.
  • Enable Network Adapter: check
  • Attached to: Host-only Adapter
  • Name: VirtualBox Host-Only Ethernet Adapter #2 (the one we created in part 2)

We are now done with the initial setup of the VM and ready to install OPNSense

Install OPNSense


With our GW VM selected, click on the start arrow.  You can also use the detached mode from the down arrow on the start button to get a larger separate window.

This will boot up the live disk, which may take a while.


Once we get to the login prompt we will log in with the user "installer" and password "opnsense" to begin the install
  • User: installer
  • Password: opnsense


Select your keyboard layout using the arrow keys and the spacebar then Select


Take the default Install (ZFS) and OK


You should only see this if you selected less than 3 GB of RAM.  From my experience, the installer will fail if you continue.  Power off the VM and adjust the RAM under the settings menu.


We have one drive and don't need redundancy for this lab so select stripe


Select your drive with the spacebar then OK


Yes, we really want to destroy our virtual drive.  As long as you have the VirtualBox menu and icons here, you are safe to proceed: the disk listed is a file on your host's storage, so this will not hurt your host system.


Now we wait while the installer runs.  If you added that second CPU, just imagine how slow this would be without it.  If you didn't add it, you might want to find something to do for a while...


And the install is finally done, let's set a root password


Type in then confirm your password


Complete Install


Select Halt now.  This will power off our VM so we can go in and update the hardware.


Back in the settings, under System then Motherboard, set our RAM to 512 MB.
  • Base Memory: 512 MB


On the Processor tab we can go back to 1.  If you have extra CPU you can leave this, but this VM really won't need more than 1.
  • Processors: 1


Under Storage let's remove our install media, select the DVD ISO and Remove Attachment


Yes, we want to remove the optical drive, it is unneeded past the installer

Now that we have OPNSense fully installed, we can move on to configuring it.

Configure OPNSense


Let's start our VM back up and login with root and the password we created


First, we need to assign our interfaces, OPNSense will take a guess at it but is not always correct.

Enter 1 to assign interfaces


No LAGGs or VLANs needed for our lab setup


Okay, for our WAN interface, this will be Adapter 1 in our VM.  If you noted the MAC address from before, you can use it to select the correct interface.  You can also go into the VM settings and look if needed.  Type in the name (em0/em1) of the matching interface and hit Enter.


We will then enter the other interface for our LAN, then just hit Enter for Optional Interface 1 as we only have 2 interfaces.  If your WAN and LAN interface selection looks correct, enter Y to proceed.


Back at the main menu, type in 2 to set our IP addresses


We only need to configure our LAN interface; it should be option 1.
  • LAN IPv4 address: 172.16.254.1
  • Subnet Mask: 24


Select No (n) the rest of the way through the interface config.

Now OPNSense is installed and configured.  One last step to go.

Create Rule

    Now for the reason we are using a firewall and not just a router.  Let's create a rule that will prevent our lab from talking to any private networks our host computer happens to be connected to.


From your host computer, you should be able to browse to https://172.16.254.1.  Here we should find the web GUI for OPNSense; log in with root and the password you created.


Now go to the Firewall menu and Aliases, click on the Add button


Let's create the following Alias and save
  • Name: RFC1918_Addresses
  • Type: Network(s)
  • Content: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  • Description: Private address blocks


After saving we need to Apply our changes


Next, still under Firewall, go to Rules then WAN and select Add


Here we will create the rule using our Alias then save at the bottom
  • Action: Block
  • Direction: out
  • Destination: RFC1918_Addresses


After saving we need to Apply changes


This rule will take a few seconds to apply but will prevent our lab from being able to communicate with the private IPv4 networks that are used for both home and business networks.  
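
One way to verify the rule from a VM on the lab network, as an added example that is not part of the original post. It assumes Python 3 is installed on that VM; the probe targets (192.168.1.1 as a stand-in for your home router, 1.1.1.1 as an Internet host) are constructed placeholders.

```python
import ipaddress
import socket

# Alias content exactly as entered for RFC1918_Addresses on this page.
RFC1918_ALIAS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Lab LAN from this page: inside 172.16.0.0/12 but never routed via WAN.
LAB_LAN = ipaddress.ip_network("172.16.254.0/24")


def expected_verdict(ip):
    """What the WAN 'block out' rule should mean for this destination."""
    addr = ipaddress.ip_address(ip)
    if addr in LAB_LAN:
        return "local"
    if any(addr in net for net in RFC1918_ALIAS):
        return "blocked"
    return "allowed"


def tcp_connect(ip, port, timeout=3.0):
    """True if a TCP handshake completes; a Block rule drops, so this times out."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(targets, connect=tcp_connect):
    """Probe each (ip, port) and flag results that contradict the rule."""
    findings = []
    for ip, port in targets:
        verdict = expected_verdict(ip)
        reachable = connect(ip, port)
        if verdict == "blocked" and reachable:
            status = "LEAK"  # lab reached a private network via WAN
        elif verdict == "allowed" and not reachable:
            status = "NO-INTERNET"
        else:
            status = "OK"
        findings.append((ip, port, verdict, reachable, status))
    return findings


if __name__ == "__main__":
    # Constructed targets: replace 192.168.1.1 with your home router's address.
    for row in check_isolation([("192.168.1.1", 80), ("1.1.1.1", 443)]):
        print(*row)
```

Pick a port that is actually open on the private target, otherwise an "OK" for that row only shows the port was closed, not that the rule dropped the traffic.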


Now that our plumbing is finished, we will move on to getting Active Directory set up in the next part.


Monday, February 17, 2025

Simple AD Cyber Security Lab (Part 2) - Host Setup VirtualBox

     In part one, I went over the reason and design for this lab environment.  In part two we will start to build it.

The Hardware

    Again, this doesn't need to be new or powerful hardware.  To prove this, I will be using a pretty low-power system that can be had for under $150 US.  You can easily use an existing computer if it has the resources to spare; when the lab is not running it uses no CPU or RAM, though it will still take up disk space.  Old used laptops can also work well, having a built-in keyboard and monitor, if you have the space or want it to be portable.

Any supported version of Windows will work, along with macOS and Linux.  This guide will only focus on Windows, but the steps will be similar on macOS or Linux (with Desktop).

Note on macOS: this should work on recent macOS systems, but I'm not sure what the performance will look like on Arm-based Macs.

This is what I will be using; you don't need the same thing.

Host

  • Windows 10 Home Standard
  • 4 core 4 thread Intel N100 (4 Intel efficiency cores that boost up to 3.6 GHz, not a powerhouse by any means)
  • 12 GB of RAM
  • 512 GB NVMe SSD
  • Single 1Gbps NIC
  • WiFi 5

The Software

    The main piece of software we will be using is Oracle's VirtualBox.  This is a type-2 hypervisor, meaning it runs on top of an existing OS such as Windows.  There are some other core differences between type-1 and type-2 hypervisors, but they don't really matter for our needs here.

Before we get started, feel free to use any other hypervisor you are familiar with.  We will be using only very basic networking features, so almost any hypervisor should work.  I will only be covering VirtualBox though, as it is very accessible.


Downloading VirtualBox

Select the "VirtualBox Platform Package" for your OS, in my case Windows.

Let's also get the "VirtualBox Extension Pack".  There is a license agreement and it is free for personal use, but it is just nice to have, not needed; it is up to you.


On Windows, VirtualBox requires the Microsoft Visual C++ runtimes to be installed.  So we will need to install them, or upgrade them if they are not on the current version.


We will also need 7-Zip later to extract some of the install images.  We might as well install that now.

Download here https://www.7-zip.org/

With everything downloaded let's get started installing. 


Microsoft Visual C++ Runtime

VirtualBox needs the Visual C++ runtimes, so let's install that now.  Just open the installer.

Check the license agreement box and install it.


The installer needs admin access, so you should be prompted by User Account Control.  Select Yes to continue.



After a brief install, we now have the runtimes installed.





Oracle VirtualBox


Now that we have that out of the way, let's get to installing VirtualBox.  Launch the VirtualBox installer.  The installer requires admin access, so you should again be prompted by User Account Control.  Select Yes to continue.




Select Next



More license agreements, accept and select Next.


We won't need Python support for what we are doing so let's set that to disabled and select Next.


This is warning us there will be a short network interruption, select Yes when you are ready to continue.


We want to leave Register file associations checked; the rest are up to your preferences.  Select Next to continue.


Last install confirmation page, click Install to continue.


7-Zip


Lastly, let's install 7-Zip, launch the installer, and select install.


The install is very fast


Configure




Oracle VirtualBox

Open VirtualBox and select File then Preferences.


Set the Default Machine Folder to your storage location.  By default, it will be under your user profile.  You can leave it there or move it to another location; wherever it is, it needs to be on an SSD and have space for the VMs.


Lastly, we will set up a new network, as I prefer not to use the default network.  Select Network then Create.


That should have created a new Host-Only network.  Host-Only networks are virtual and only accessible to the host and to VMs with interfaces we place on that network; the VMs on that network can communicate with each other.  Select our new Host-Only network.

We only need to configure the IPv4 Address and IPv4 Network Mask, apply and we are done!
  • IPv4 Address: 172.16.254.254
  • IPv4 Network Mask: 255.255.255.0





Wrap up

    Now we have VirtualBox set up for what we will need.  In the next part, we will set up a firewall.  The firewall will act as a gateway, giving our lab access to the Internet but keeping it from accessing the rest of our network.