Building a Secure Lab: Kali Linux and pfSense Deployment

Project Overview

Creating a dedicated penetration testing and security lab is essential for any aspiring security professional. This article documents the complete deployment of a secure homelab environment featuring Kali Linux and pfSense running on Proxmox VE.

Lab Architecture

Proxmox Host
├── pfSense VM (Firewall/Router)
│   ├── WAN (vmbr0) → 192.168.11.253
│   └── LAN (vmbr1) → 192.168.1.1
├── Kali Linux VM (Penetration Testing)
│   └── Network: vmbr1 → 192.168.1.10
└── Ubuntu Server VM (Services)
    └── Network: vmbr1 → 192.168.1.20

Kali Linux VM Installation

VM Specifications

Hardware Configuration: - BIOS: SeaBIOS (after OVMF compatibility issues) - Disk: 80 GB (VirtIO SCSI Single controller) - CPU: 4 cores - RAM: 8 GB - Network: VirtIO (connected to vmbr1) - Boot Order: Disk first, CD-ROM second

Why These Specs?

Disk Size (80 GB): - Base Kali installation: ~20 GB - Tools and exploits database: ~15 GB - Workspace and project files: ~20 GB - VM snapshots and updates: ~25 GB

CPU (4 cores): - Parallel scanning and exploitation - Efficient password cracking - Smooth GUI performance - Multithreaded tool support

RAM (8 GB): - Comfortable GUI operation - Multiple VMs for lab scenarios - In-memory exploit development - Browser-based tools (Burp Suite)

Creating the VM in Proxmox

Step 1: Download Kali Linux ISO

# On Proxmox host
cd /var/lib/vz/template/iso

# Download latest Kali Linux
wget https://cdimage.kali.org/kali-2024.4/kali-linux-2024.4-installer-amd64.iso

# Verify checksum
wget https://cdimage.kali.org/kali-2024.4/SHA256SUMS
sha256sum -c SHA256SUMS 2>&1 | grep kali-linux-2024.4-installer-amd64.iso

Step 2: Create VM via Proxmox UI

  1. General:
    • VM ID: 101 (or your preference)
    • Name: kali-pentest
    • Start at boot: No (manual start for lab work)
  2. OS:
    • ISO Image: kali-linux-2024.4-installer-amd64.iso
    • Guest OS Type: Linux
    • Version: 6.x - 2.6 Kernel
  3. System:
    • BIOS: SeaBIOS
    • Machine: i440fx (or q35 for better hardware support)
    • SCSI Controller: VirtIO SCSI Single
    • Qemu Agent: ✓ (enable after OS install)
  4. Disks:
    • Bus/Device: SCSI
    • Storage: local-lvm
    • Disk size: 80 GB
    • Cache: Write back (for better performance)
    • Discard: ✓ (for thin provisioning)
    • SSD emulation: ✓ (if host uses SSD)
  5. CPU:
    • Sockets: 1
    • Cores: 4
    • Type: host (or kvm64 for compatibility)
  6. Memory:
    • Memory: 8192 MB
    • Minimum: 4096 MB (ballooning)
  7. Network:
    • Bridge: vmbr1 (isolated lab network)
    • Model: VirtIO (paravirtualized)
    • Firewall: Disabled (pfSense will handle this)

Step 3: Install Kali Linux

  1. Start VM and open console
  2. Boot from installer
  3. Select Graphical Install
  4. Language, Location, Keyboard: Your preferences
  5. Network Configuration:
    • Configure automatically via DHCP (pfSense will provide)
    • Hostname: kali-pentest
    • Domain: lab.local
  6. User Setup:
    • Full name: Penetration Tester
    • Username: pentest
    • Password: Strong password required
  7. Partitioning:
    • Method: Guided - use entire disk
    • Scheme: All files in one partition
    • Write changes: Yes
  8. Software Selection:
    • ✓ Default Kali Desktop (XFCE recommended for performance)
    • ✓ Top 10 security tools
    • ✓ Large tool collection (if disk space permits)
  9. GRUB Bootloader:
    • Install to: /dev/sda
    • Continue
  10. Reboot and login

Post-Installation Configuration

Update System

# Full system update
sudo apt update
sudo apt full-upgrade -y

# Update Kali package list
sudo apt update

# Install additional tools
sudo apt install -y \
    vim \
    git \
    curl \
    wget \
    tmux \
    net-tools \
    nmap \
    wireshark \
    metasploit-framework

Install Proxmox Guest Agent

# Install qemu-guest-agent
sudo apt install qemu-guest-agent -y

# Enable and start service
sudo systemctl enable qemu-guest-agent
sudo systemctl start qemu-guest-agent

# In Proxmox UI: VM → Options → QEMU Guest Agent → Enable

pfSense VM Installation

VM Specifications

Hardware Configuration: - BIOS: SeaBIOS - Disk: 20 GB (sufficient for pfSense + packages) - CPU: 2 cores (adequate for small lab) - RAM: 4 GB (2 GB minimum, 4 GB comfortable) - Network Interfaces: - vtnet0 (WAN) → vmbr0 - vtnet1 (LAN) → vmbr1

Creating Virtual Bridge (vmbr1)

Before creating pfSense VM, ensure vmbr1 exists:

# On Proxmox host, edit network config
nano /etc/network/interfaces

# Add vmbr1 configuration:
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
    # No IP address - this is for VMs only

# Apply changes
ifreload -a

# Verify
ip link show vmbr1

Creating pfSense VM

Download pfSense ISO

# On Proxmox host
cd /var/lib/vz/template/iso

# Download pfSense (community edition)
wget https://nyifiles.netgate.com/mirror/downloads/pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

# Extract
gunzip pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

Create VM via Proxmox UI

  1. General:
    • VM ID: 100
    • Name: pfsense-firewall
    • Start at boot: Yes (critical infrastructure)
  2. OS:
    • ISO Image: pfSense-CE-2.7.2-RELEASE-amd64.iso
    • Guest OS Type: Other
  3. System:
    • BIOS: SeaBIOS
    • SCSI Controller: VirtIO SCSI
  4. Disks:
    • Bus/Device: SCSI
    • Disk size: 20 GB
    • Cache: Write back
  5. CPU:
    • Cores: 2
  6. Memory:
    • Memory: 4096 MB
  7. Network:
    • First Interface (WAN):
      • Bridge: vmbr0
      • Model: VirtIO
    • After creation, add second interface (LAN):
      • Hardware → Add → Network Device
      • Bridge: vmbr1
      • Model: VirtIO

Install pfSense

  1. Start VM and open console
  2. Accept copyright notice
  3. Install pfSense: Select Install
  4. Keymap: Auto (ZFS)
  5. Partitioning: Stripe (single disk)
  6. Select disk: da0 (20GB)
  7. Confirm: Yes
  8. Installation completes
  9. Reboot

Initial pfSense Configuration

After reboot, configure interfaces via console:

Should VLANs be set up now? n

Enter the WAN interface name: vtnet0
Enter the LAN interface name: vtnet1

Proceed? y

Set LAN IP address:

Set interface(s) IP address
Select interface: 2 (LAN)

Configure IPv4 address via DHCP? n
Enter new LAN IPv4 address: 192.168.1.1
Enter new LAN IPv4 subnet: 24

Configure IPv6? n

Enable DHCP server on LAN? y
Enter start IP: 192.168.1.10
Enter end IP: 192.168.1.250

Access pfSense Web Interface

From Kali VM or another VM on vmbr1:

# Get DHCP lease from pfSense
sudo dhclient

# Verify IP
ip addr show

# Access pfSense GUI
https://192.168.1.1

# Default credentials:
# Username: admin
# Password: pfsense

Lab Network Configuration

Network Diagram

Internet
   ↓
Router (192.168.11.1)
   ↓
Proxmox vmbr0 (192.168.11.254)
   ↓
pfSense WAN (192.168.11.253)
   ↓
pfSense LAN (192.168.1.1)
   ↓
vmbr1 (Internal Lab Network)
   ├── Kali Linux (192.168.1.10)
   ├── Ubuntu Server (192.168.1.20)
   └── Target VMs (192.168.1.50-100)

Configure Kali Network

# Edit network config
sudo nano /etc/network/interfaces

# Add static IP (optional, DHCP works too)
auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

# Restart networking
sudo systemctl restart networking

# Or use network manager
sudo nmtui

Taking Snapshots

Why Snapshot?

  • Safe experimentation: Revert after tests
  • Configuration backups: Before major changes
  • Quick recovery: Rollback from failures

Create Snapshot via Proxmox UI

  1. Select VM (Kali or pfSense)
  2. Go to Snapshots tab
  3. Click Take Snapshot
  4. Name: post-install-clean or working-config
  5. Description: “Fresh install, fully updated”
  6. Include RAM: No (smaller snapshot)

Create Snapshot via CLI

# Snapshot Kali VM (ID 101)
qm snapshot 101 post-install --description "Clean Kali install after updates"

# Snapshot pfSense VM (ID 100)
qm snapshot 100 baseline-config --description "Working pfSense configuration"

# List snapshots
qm listsnapshot 101

# Rollback to snapshot
qm rollback 101 post-install

Testing the Lab

Verify Network Connectivity

# From Kali VM:

# Test LAN gateway
ping 192.168.1.1

# Test WAN gateway (through pfSense)
ping 8.8.8.8

# Test DNS resolution
nslookup google.com

Basic Penetration Testing

# Scan internal network
nmap -sn 192.168.1.0/24

# Scan pfSense
nmap -sV -p 1-1000 192.168.1.1

# Test vulnerability scanning
nikto -h https://192.168.1.1

Conclusion

This secure lab deployment provides:

  • ✅ Isolated penetration testing environment
  • ✅ Proper network segmentation with pfSense
  • ✅ Fully functional Kali Linux workstation
  • ✅ Snapshot-based safety net
  • ✅ Scalable architecture for additional VMs

This lab serves as the foundation for: - Security tool testing - Exploit development - Network penetration testing - Certification study (OSCP, CEH, etc.)

Next steps: Deploy vulnerable VMs (Metasploitable, DVWA) and configure pfSense with IDS/IPS (Suricata/Snort).