# Some Key Adaptations

## Learning Proxmox

Due to the differences between Proxmox and VMware (both Workstation and ESXi), I had to learn how to create virtual subnets. Having been pampered by the VMware products, I had no idea this would be a lot more tedious in Proxmox and would require Open vSwitch (OVS). Most of my Proxmox education came from following 0xBEN's writeups on creating a homelab (links below).

## Differences between Proxmox and VMware networking

Life would probably have been easier had I chosen to learn how to use zones within Proxmox and used the SDNs instead of relearning how to create isolated networks in pfSense. However, that process was also greatly appreciated for its educational value, even if it made my hair-regrowth shampoo work overtime.

*(Update: Tried to get SDNs to work, accidentally locked myself out of the Proxmox WebUI, ALMOST wanted to employ a scorched-earth policy and just reinstall Proxmox, but managed to restore some old network settings, and then spent the better part of the day resetting it all and building it up from scratch HAHA. GG me. That network diagram above? I hope you weren't too attached to it because most of that is [dead and gone, dead and gone](https://youtu.be/6mEx9FtuN0k?si=BOzwUkV3hNbLZ1Vu))*

So, the main difference is that I used pfSense to create the necessary isolated networks and have pfSense function as the DHCP server for the "Outside network".

# Proxmox Networking Setup

First, make a backup of the initial networking setup:

`cat /etc/network/interfaces > interfaces.bak`

This way, if I mess it up (I did), I can always restore the original networking setup with `cat interfaces.bak > interfaces` while in the /etc/network folder, and then issue the `ifreload -a` command.

Then we delete the initial Linux Bridge vmbr0 and replace it with the OVS Bridge vmbr0 instead.
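Because the backup-then-`ifreload -a` step is exactly where a lockout happens, here is an added example (my own, not from the page or 0xBEN's guides) that renders the OVS layout this section builds in the GUI (OVS bridge vmbr0, IntPort vmbr0_mgmt carrying the WebUI address and gateway, a NIC-less vmbr1 for the lab VLANs), backs up the live file, reloads, and rolls back automatically if the gateway stops answering. The NIC name, addresses, paths and the vmbr1 layout are placeholders and assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the page or 0xBEN's guides: render the OVS layout this
# section builds in the GUI (OVS bridge vmbr0, IntPort vmbr0_mgmt with the WebUI
# address and gateway, a NIC-less vmbr1 for the lab VLANs), back up the live
# file, reload with ifreload, and roll back if the gateway stops answering.
# The NIC name, addresses and paths below are placeholders/assumptions.
IFACES="${IFACES:-/etc/network/interfaces}"
RELOAD="${RELOAD:-ifreload -a}"
GATEWAY="${GATEWAY:-192.168.1.1}"            # placeholder: your home router
PROBE="${PROBE:-ping -c 3 -W 2 $GATEWAY}"    # "did I lock myself out?" check
# render_config NIC MGMT_IP/CIDR GATEWAY -> prints a complete interfaces file
render_config() {
  cat <<EOF
auto lo
iface lo inet loopback

auto $1
iface $1 inet manual

# OVS bridge = switch; its ports are the physical NIC and the mgmt IntPort
auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports $1 vmbr0_mgmt

# OVS IntPort that carries the Proxmox WebUI address and default gateway
auto vmbr0_mgmt
iface vmbr0_mgmt inet static
    address $2
    gateway $3
    ovs_type OVSIntPort
    ovs_bridge vmbr0

# second bridge with no physical NIC: pfSense trunks the lab VLANs on it (assumed)
auto vmbr1
iface vmbr1 inet manual
    ovs_type OVSBridge
EOF
}

# apply_or_rollback NEWCFG -> 0 if the new config stayed, 1 if it was rolled back
apply_or_rollback() {
  bak="$IFACES.$(date +%Y%m%d%H%M%S).bak"
  cp "$IFACES" "$bak" && cp "$1" "$IFACES" || return 1
  sh -c "$RELOAD"
  sh -c "$PROBE" && return 0
  cp "$bak" "$IFACES" && sh -c "$RELOAD"   # gateway gone: put the old file back
  return 1
}
```

On the Proxmox host (as root) this is used as `render_config eno1 <ip/cidr> <gateway> > /tmp/new && apply_or_rollback /tmp/new`, with `eno1` and the addresses swapped for your own.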
![image](https://hackmd.io/_uploads/HkwvSsFeC.png)

In the image we can see that vmbr0_mgmt is listed as a bridge port. This happens after we create the vmbr0_mgmt IntPort, which we do like so:

![image](https://hackmd.io/_uploads/HJ2aritgC.png)

- We need to supply the IPv4/CIDR address of the Proxmox WebUI (the same IP address that was assigned to it by our router/DHCP server, so that we don't lose connection to the WebUI)
- Also, the IP address of our router as the gateway

**OVS Bridges = Switches**
**OVS IntPorts = A way to create VLANs**

We then create the following two VLANs:

![image](https://hackmd.io/_uploads/SkCEKsKlC.png)
![image](https://hackmd.io/_uploads/SJgIKsFeA.png)

# pfSense Setup

We create a VM with the following settings.

![image](https://hackmd.io/_uploads/S1zD6iYgR.png)

- Also, log in to the home router and assign a static IP to pfSense for its WAN (in this case, I will be using the MAC address attached to vmbr0)

Install pfSense as usual.

- Y to setting up VLANs after install, like so

![image](https://hackmd.io/_uploads/rkD71ntlA.png)

- Assign the interfaces

![image](https://hackmd.io/_uploads/HJHdyhYeA.png)

- Finally end up with this

![image](https://hackmd.io/_uploads/rJiyhnFl0.png)

- Enable DHCP Server on both LAN and OPT1
  - LAN IP address pool: 10.10.10.100 - 10.10.10.200
  - OPT1 IP address pool: 172.16.66.100 - 172.16.66.200
  - OPT2 won't have DHCP enabled, as the DC will be the DHCP server for that VLAN
- Once we set everything up, we should have a network like this (yes, indeed, this is the new network diagram):

![networkmap_phase1.drawio (1)-min](https://hackmd.io/_uploads/HJd9s3txR.png)

- e.g. Kali in:
  - vmbr1

    ![image](https://hackmd.io/_uploads/Hk0FTntgA.png)
    ![image](https://hackmd.io/_uploads/rk_463tgR.png)

  - vmbr1_666

    ![image](https://hackmd.io/_uploads/BJYUa3tlR.png)
    ![image](https://hackmd.io/_uploads/SJlCa3tlR.png)

Now that the network zones *(**NOTE**: I'm using the term zones a little more colloquially here.
"Zones" in Proxmox is a very specific term within its networking functionality, but as mentioned they have been a real pain in the ass, so I'm reclaiming the term.)* have been established, it's time to get on to setting up the Windows clients and Domain Controller.

## pfSense Web UI

We need to disable the firewall to allow access to the web UI.

1. Use option 8 to get a shell in pfSense

   ![image](https://hackmd.io/_uploads/SkspP4eb0.png)

2. `pfctl -d`

   ![image](https://hackmd.io/_uploads/S1AedNgbA.png)

3. Access the WebUI through any machine within one of the networks that pfSense has access to
   - I'll be doing this with my Kali machine, which is on the 172.16.66.0/24 network
   - Accept the risk and continue

   ![image](https://hackmd.io/_uploads/HJVSuVx-A.png)

4. Use admin:pfsense to log in

   ![image](https://hackmd.io/_uploads/Hkmdd4gWA.png)
   ![image](https://hackmd.io/_uploads/BJWtuNgWR.png)

5. Click next
6. Step 2 of 9 - Adjust hostname and domain name

   ![image](https://hackmd.io/_uploads/rJG7hNe-R.png)

   - Since the plan was for the network to be like so (with DC01 "in charge" of the oscp.lab domain):

   ![image](https://hackmd.io/_uploads/Bkf3s4g-0.png)

   - I'm going to set the domain name for pfSense to cyber.range
7. Select timezone

   ![image](https://hackmd.io/_uploads/ryUShVgWR.png)

8. Configure WAN Interface

   ![image](https://hackmd.io/_uploads/rkxq34lb0.png)
   ![image](https://hackmd.io/_uploads/SyNi3Ngb0.png)

   - This client identifier will be what your actual router sees as pfSense's name
9. Allow access to the pfSense WebUI on the WAN
   - Uncheck the Block RFC1918 Private Networks option

   ![image](https://hackmd.io/_uploads/BkzqpNlWA.png)

10. Skip configuring the LAN interface
11. Reset the admin password
12. pfSense will reload
13. We have to wait a while, then issue the `pfctl -d` command in the pfSense shell again, as the firewall will reset.
14. Then log in again and see this

    ![image](https://hackmd.io/_uploads/SyP-ISe-A.png)

15.
    Create a rule to allow access to the WebUI from WAN (so we don't have to `pfctl -d` every single time)
    - Firewall > Rules > Add Rule to top of list
    - Scope the rule's source to the home LAN subnet (or a single admin host) rather than any, so the admin interface is only reachable from where you actually manage it

    ![image](https://hackmd.io/_uploads/Hyev8re-R.png)
    ![image](https://hackmd.io/_uploads/Hygj8SlbA.png)
    ![image](https://hackmd.io/_uploads/Bkf3LSe-A.png)
    ![image](https://hackmd.io/_uploads/SygCUreb0.png)
    ![image](https://hackmd.io/_uploads/Ski08SxW0.png)

16. Apply changes
17. We can add a similar rule for the other interfaces if we want to access the WebUI from within the other VLANs

## Renaming the Interfaces

- WAN -> WAN
- LAN -> LAN
- OPT1 -> EGRESS (can be accessed from outside the VLAN)
- OPT2 -> ISOLATED (not meant to be accessed from outside the VLAN)

1. Interfaces > Interface Assignments

   ![image](https://hackmd.io/_uploads/ryVkJ2b-A.png)

2. Select OPT1, change Description to the new name

   ![image](https://hackmd.io/_uploads/rJENy2-bC.png)

3. Repeat for OPT2

   ![image](https://hackmd.io/_uploads/B1q_yhZZR.png)

## Firewall Rules

Firewall > Rules

![image](https://hackmd.io/_uploads/B15egnWWC.png)

### WAN

#### Allow WAN to Access LAN

1. Add to end of list

   ![image](https://hackmd.io/_uploads/SJYdlhbZR.png)

2. Use the following options

   ![image](https://hackmd.io/_uploads/rkd3enWb0.png)
   ![image](https://hackmd.io/_uploads/rkf7bhWWC.png)

#### Allow WAN to ping Firewall

![image](https://hackmd.io/_uploads/BJwf4nbWR.png)

#### Desired WAN End State

![image](https://hackmd.io/_uploads/BJiSVnbZA.png)

### LAN

<!--![image](https://hackmd.io/_uploads/SJrEShbb0.png)-->

### EGRESS

### ISOLATED

![image](https://hackmd.io/_uploads/r1MLZAHZC.png)