ESXi + pfsense traffic segregation

0

I'm kind of new to setting up networking with ESXi and working with pfsense, so please excuse if this cannot be done or I'm asking something the wrong way.

I'm using ESXi 5.5.0 and I want to host some honeypots on my network that are accessible to the internet, but the honeypots themselves can't access anything outside of their subnet. Ideally I'd port forward specific ports like 21, 22, 80, 443 into various honeypot machines.

Now, I'm also hosting this at home, so I would like to segregate my honeypot network from my home network. My home network shouldn't be able to touch anything in the honeypot network, and vice-versa.

My current setup is this: Internet -> modem -> consumer router/switch combo. On that switch combo are my wireless devices and other home devices. Also attached to it is my ESXi server. My ESXi server also has the following network setup:

ESXi network

And my pfsense box has the following interfaces:

pfsense interfaces

At this point, mostly everything is working except for two issues:

  1. Boxes in my honeypot network (10.0.0.x) can talk to boxes in my home network (192.168.1.x)
  2. The DHCP server running on my pfsense LAN interface (em1) is handing out IP addresses that my consumer router should be handing out. So when my phone connects to my wifi, it gets an address from pfsense, when it shouldn't.

So my question is, how can I get this properly segregated so the two networks can't talk to each other and that DHCP isn't handing out addresses outside of its network?

Thanks! I really appreciate the help!

Chiggins

Posted 2015-05-20T17:03:50.883

Reputation: 379

Answers

1

  1. Set up an IPTables rule to drop forward traffic from 10.0.0.0/24 to 192.168.1.0/24

  2. Turn off DHCP on your pfsense box if you don't need it and statically set IP addresses on your honeypot network. You don't want boxes refreshing their DHCP lease if you have firewall / NAT rules pointing to specific IP addresses.

  3. Make sure you have disabled the ability to administer your router / firewall (pfsense in this instance?) from your honeypot. In the event that one of your boxes gets rooted you don't want them to be able to break free.

  4. Make good and sure you know what you're doing before you open the flood gates from the internet to your honeypots - a misconfiguration might have disastrous consequences.

DKNUCKLES

Posted 2015-05-20T17:03:50.883

Reputation: 243


  • Should I add the iptables rule directly on pfsense from the command line, or is there a better way to do it through the web interface?

  • Yeah I was thinking about that, probably a good idea to set everything static.

  • Also yeah, definitely. Working on trying to get it accessible from the WAN, then shutting it off from LAN.

  • Most definitely. I'm going to give another hacker friend of mine remote access to get another set of eyes on it to see if he can find a way to break out.

  • Thanks for this reply! – Chiggins – 2015-05-20T17:28:22.533

    @Chiggins it doesn't matter where you set the rule (web or cmd line) just make sure they get saved and that should do it. – DKNUCKLES – 2015-05-20T17:31:41.263
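As an added example (not code from this thread and not pfSense's own generated configuration), here is the policy from this answer written as pf rules. pfSense is built on FreeBSD and compiles the rules entered in its web interface into pf, the BSD packet filter, so there is no iptables on the box; whatever is entered in the GUI ends up as lines of this shape. The example assumes a topology that also removes the DHCP problem from the question: em0 is pfSense's WAN and the only pfSense interface on the home router's 192.168.1.0/24 network (the consumer router forwards 21, 22, 80 and 443 to it), em1 is the honeypot side on a vSwitch with no physical uplink, the honeypot addresses 10.0.0.21, 10.0.0.22 and 10.0.0.80 are constructed placeholders, and the pfSense web interface has been moved to port 8443 (an assumption) so that the 443 forward does not swallow it.

```pf
# Added example ruleset; interface names and honeypot addresses are assumptions.
#   em0 = WAN, plugged into the home router's 192.168.1.0/24 (vSwitch0, vmnic0)
#   em1 = honeypot side, 10.0.0.0/24, on a vSwitch with NO physical uplink
wan_if   = "em0"
hp_if    = "em1"
home_net = "192.168.1.0/24"
hp_net   = "10.0.0.0/24"
hp_ftp   = "10.0.0.21"   # constructed placeholder
hp_ssh   = "10.0.0.22"   # constructed placeholder
hp_web   = "10.0.0.80"   # constructed placeholder
gui_port = "8443"        # assumption: pfSense webConfigurator moved off 443

set skip on lo0
scrub in all

# Destination NAT: the consumer router forwards 21/22/80/443 to this WAN
# address; hand each port to its honeypot (destination port is kept).
rdr on $wan_if proto tcp from any to ($wan_if) port 21 -> $hp_ftp
rdr on $wan_if proto tcp from any to ($wan_if) port 22 -> $hp_ssh
rdr on $wan_if proto tcp from any to ($wan_if) port { 80, 443 } -> $hp_web

# Default deny, logged, so anything not listed below shows up in pflog.
block log all

# Honeypot interface, evaluated first ("quick"): nothing the honeypots
# originate may reach the firewall itself, the home network, or the
# internet. Replies to forwarded sessions need no rule here because the
# state created on $wan_if below matches them in both directions.
block in log quick on $hp_if from $hp_net to ($hp_if)   # no admin access from a honeypot
block in log quick on $hp_if from $hp_net to $home_net  # no pivot into the home network
block in log quick on $hp_if all                        # nothing else, DHCP included

# WAN side: accept only the forwarded ports, after rdr has rewritten the
# destination, and create state so the replies can leave again.
pass in on $wan_if proto tcp from any to $hp_ftp port 21 keep state
pass in on $wan_if proto tcp from any to $hp_ssh port 22 keep state
pass in on $wan_if proto tcp from any to $hp_web port { 80, 443 } keep state

# Administer pfSense only from the home network side, on the moved GUI port.
pass in on $wan_if proto tcp from $home_net to ($wan_if) port $gui_port keep state

# The firewall's own outbound traffic, and forwarded packets leaving on
# $hp_if (pfSense passes all outbound traffic by default; explicit here).
pass out all keep state
```

Rule order matters: rdr runs before the filter rules, and the `quick` blocks on $hp_if win before any later pass rule is consulted; the catch-all also drops the honeypots' DHCP requests, which fits the static addressing in point 2. In the pfSense GUI the same policy is the port forwards under Firewall > NAT plus per-interface rules, with the honeypot interface given block rules instead of the "allow all" rule pfSense puts on a LAN by default.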

1

"Make good and sure you know what you're doing before you open the flood gates from the internet to your honeypots - a misconfiguration might have disastrous consequences."

Pay attention to this very closely - this is great advice.

I would also suggest, if you can do it, maybe installing or deploying some kind of intermediary to scan that traffic, like a dev/free version of ArcSight or any McAfee DLP. You're about to expose yourself.

Matthew Dartez

Posted 2015-05-20T17:03:50.883

Reputation: 26

I was thinking about throwing up an instance of Snort to monitor traffic as well, just so I have a better idea of what's going on. – Chiggins – 2015-05-20T18:41:28.067

Probably a good idea. Something else that could be a good thought, since you're using ESXi 5.5, is to engage VXLAN via NSX and use VDS Security enablement - or monitor via PowerCLI – Matthew Dartez – 2015-05-20T19:45:27.877

I'll be honest, not sure what VXLAN / VDS is. Is there a resource you could suggest? – Chiggins – 2015-05-20T20:52:05.723

If you have a VMware Account, sign up for it: https://www.vmware.com/products/nsx – Matthew Dartez – 2015-05-21T14:30:50.793

1

Before looking at iptables or anything else:

Where are the 2 Ethernet cables mapped to vmnic0 and vmnic1 connected?

Those 2 connections must exit your VMware host on separate physical Ethernet NICs and be physically connected to different systems, i.e. one to the pfSense box, one to your LAN.

In other words, make sure your physical layer 2 is separated before trying anything exotic.

Structure

1) Where is your WAN connection? pfSense needs 2 vNICs, 1 of which must physically connect to your physical WAN (not the LAN labeled as WAN in your setup).

So AFAIK you need 3 isolated vNICs to do what you want:

1) LAN/Mgmt
2) Honeypot network
3) Your WAN connection into pfSense

At no point can you plug any of the 3 Ethernet cables coming out of your VMware host into the same switch or hub unless you configure isolation between the ports involved.

Otherwise your crosstalk is coming at the copper (layer 2) level.

David Nilson

Posted 2015-05-20T17:03:50.883

Reputation: