Saturday, February 22, 2025

Simple AD Cyber Security Lab (Part 3) - OPNSense Gateway

In the previous part we installed VirtualBox and prepared to start installing our VMs. In this part we will finish the networking part of the lab setup.


As we get started building our lab, we have some plumbing to take care of. With the gateway, we can give our lab access to the Internet while preventing it from accessing our home network. This is important because it lets us run updates and install applications while protecting our home network from unintended targeting by any tools we run in the lab.

Warning:  This is in no way a best practices guide and should not be used for the installation of a production or even home firewall.


Create VM


First, let's download and extract the installer for OPNSense.

Download from https://opnsense.org/download/; we want the "amd64" and "dvd" options.


Once downloaded, right-click the file, select 7-Zip, then Extract here.


Open up VirtualBox, select Machine, then New.


Set our Name and Operating system
  • Name: GW - OPNSense
  • Folder: This should be the default location we set in part 2; only change this if you need to store your VMs in different locations
  • ISO Image: select the installer we extracted
  • Type: BSD
  • Subtype: FreeBSD (this is what OPNSense runs under the hood)


Next, let's go to Hardware. I know this is not what is on the plan from part 1, but the installer can fail with less than 3 GB of RAM, and the extra CPU makes the install much faster. We will turn these back down after the install is complete.
  • Base Memory: 3096 MB
  • Processors: 2


Lastly, let's go to Hard Disk, set our size, and click Finish.
  • Hard Disk File location and Size:  Size to 16.00 GB (even if you have extra space no need to go larger here)


Now we have our VM, but we still need to tweak our network interfaces. By default, we only get one and it is not set the way we want it.

Select our VM and click on the settings gear.


Go down to Network and change Adapter 1 to Bridged. The Name should be the host's active network adapter; in my case that is the built-in WiFi. This will be our WAN/Internet interface.

Take note of the MAC Address listed; we will want it in a later step.


On the Adapter 2 tab we will set up our LAN/lab interface, then click OK.
  • Enable Network Adapter: check
  • Attached to: Host-only Adapter
  • Name: VirtualBox Host-Only Ethernet Adapter #2 (the one we created in part 2)

We are now done with the initial setup of the VM and ready to install OPNSense.

Install OPNSense


With our GW VM selected, click on the start arrow. You can also use the detached mode from the down arrow on the start button to get a larger separate window.

This will boot up the live disk; it may take a while.


Once we get to the login prompt, we will log in with the user "installer" and password "opnsense" to begin the install.
  • User: installer
  • Password: opnsense


Select your keyboard layout using the arrow keys and the spacebar, then choose Select.


Take the default, Install (ZFS), and select OK.


You should only see this if you selected less than 3 GB of RAM. From my experience, the installer will fail if you continue. Power off the VM and adjust the RAM under the settings menu.


We have one drive and don't need redundancy for this lab, so select stripe.


Select your drive with the spacebar, then OK.


Yes, we really want to destroy our virtual drive. As long as you have the VirtualBox menu and icons here you are safe to proceed; the disk listed is a file on your host's storage, so this will not hurt your host system.


Now we wait while the installer runs. If you added that second CPU, just imagine how slow this would be without it. If you didn't add it, you might want to find something to do for a while...


And the install is finally done. Let's set a root password.


Type in your password, then confirm it.


Complete Install


Select Halt now. This will power off our VM so we can go in and update the hardware.


Back in the settings, under System then Motherboard, set our RAM to 512 MB.
  • Base Memory: 512 MB


On the Processor tab we can go back to 1. If you have extra CPU you can leave this, but this VM really won't need more than 1.
  • Processors: 1


Under Storage, let's remove our install media: select the DVD ISO and Remove Attachment.


Yes, we want to remove the optical drive; it is not needed past the installer.

Now that we have OPNSense fully installed, we can move on to configuring it.

Configure OPNSense


Let's start our VM back up and log in with root and the password we created.


First, we need to assign our interfaces. OPNSense will take a guess at it but is not always correct.

Enter 1 to assign interfaces.


No LAGGs or VLANs are needed for our lab setup.


Okay, for our WAN interface: this will be Adapter 1 in our VM. If you noted the MAC address from before, you can use it to select the correct interface. You can also go into the VM settings and look if needed. Type in the name (em0/em1) of the matching interface and hit enter.


We will then enter the other interface for our LAN, then just hit enter for Optional Interface 1 as we only have 2 interfaces. If your WAN and LAN interface selection looks correct, enter Y to proceed.


Back at the main menu, type in 2 to set our IP addresses.


We only need to configure our LAN interface; it should be option 1.
  • LAN IPv4 address: 172.16.254.1
  • Subnet Mask: 24


Select No (n) the rest of the way through the interface config.

Now OPNSense is installed and configured. One last step to go.

Create Rule

Now for the reason we are using a firewall and not just a router. Let's create a rule that will prevent our lab from talking to any private networks our host computer happens to be connected to.


From your host computer, you should be able to browse to https://172.16.254.1, where we should find the web GUI for OPNSense. Log in with root and the password you created.


Now go to the Firewall menu and Aliases, then click on the Add button.


Let's create the following Alias and save.
  • Name: RFC1918_Addresses
  • Type: Network(s)
  • Content: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  • Description: Private address blocks


After saving, we need to Apply our changes.


Next, go to Rules then WAN, still under the Firewall menu, and select Add.


Here we will create the rule using our Alias, then save at the bottom.
  • Action: Block
  • Direction: out
  • Destination: RFC1918_Addresses


After saving, we need to Apply changes.


This rule will take a few seconds to apply, but it will prevent our lab from being able to communicate with the private IPv4 networks that are used for both home and business networks.
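
One way to confirm the rule is doing its job from a lab VM, as an added example that is not part of the original post. It uses the alias content and LAN subnet from the steps above; the function names and the sample targets are assumptions made for illustration.

```python
import ipaddress
import socket

# Values from the steps above: alias content and the lab LAN behind 172.16.254.1/24.
ALIAS_CONTENT = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
LAB_LAN = ipaddress.ip_network("172.16.254.0/24")

def parse_alias(content):
    """Turn the space-separated alias content into network objects."""
    return [ipaddress.ip_network(item) for item in content.split()]

def expected_verdict(dest, content=ALIAS_CONTENT, lab_lan=LAB_LAN):
    """What should happen to a packet a lab VM sends to dest."""
    addr = ipaddress.ip_address(dest)
    if addr in lab_lan:
        return "local"    # stays on the host-only LAN, never leaves via WAN
    if any(addr in net for net in parse_alias(content)):
        return "blocked"  # matches RFC1918_Addresses on the WAN out rule
    return "allowed"      # anything else, including IPv6, is not covered by this alias

def tcp_probe(dest, port, timeout=3.0):
    """Return True if a TCP connection to dest:port completes."""
    try:
        with socket.create_connection((dest, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(targets, probe=tcp_probe):
    """Probe each (dest, port) pair and flag results that contradict the rule."""
    findings = []
    for dest, port in targets:
        verdict = expected_verdict(dest)
        reached = probe(dest, port)
        if verdict == "blocked" and reached:
            status = "LEAK"         # a private network answered: rule not effective
        elif verdict == "allowed" and not reached:
            status = "NO-INTERNET"  # public host unreachable: check WAN or the rule
        else:
            status = "ok"
        findings.append((dest, verdict, reached, status))
    return findings

if __name__ == "__main__":
    # Constructed sample targets; substitute your own home router and a public host.
    sample = [("192.168.1.1", 80), ("172.16.254.1", 443), ("1.1.1.1", 443)]
    for row in audit(sample):
        print(row)
```

A blocked target that does not answer proves little on its own, since the host may simply not exist, so probe an address you know is live on your home network. A LEAK row is the result that matters.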


Now that our plumbing is finished, we will move on to getting Active Directory set up in the next part.































































