Building a Homelab & Cyber Range: Architecting the Network with pfSense and VLANs


A flat network is a vulnerable network. Here’s how I used pfSense to slice my lab into isolated Virtual LANs (VLANs), creating distinct zones for monitoring, attacks, and even a quarantined malware environment.

Introduction to Network Segmentation

Welcome back to the Ultimate Cybersecurity Lab build! In our last post, we established the vision. Today, we construct the foundation—the critical network infrastructure that will enable secure testing, attack simulation, and forensic analysis.

Before deploying attack tools and vulnerable machines, we must architect the digital highways and security barriers of our lab environment. In networking terms, this means implementing proper segmentation through Virtual LANs (VLANs).

Why Network Segmentation Matters

Placing all lab machines on a single, flat network is like building a house without walls: chaotic, insecure, and operationally inefficient. When one machine becomes compromised, lateral movement becomes trivial, potentially affecting every system on the network.

VLANs solve this fundamental problem by partitioning a single physical network into multiple, logically isolated segments. Each VLAN operates as its own security domain, with inter-VLAN communication controlled through explicit firewall rules. This architecture provides:

Security Isolation: Contains attacks and prevents lateral movement between network segments

Operational Organization: Groups functionally similar systems (attack tools, vulnerable targets, enterprise simulation)

Performance Optimization: Reduces broadcast domain size and unnecessary cross-segment traffic

Compliance Alignment: Mirrors real-world enterprise network segmentation practices

pfSense: The Network Control Plane

For our lab’s routing, firewalling, and VLAN management, I selected pfSense—a robust, open-source firewall distribution built on FreeBSD. Running as a virtual machine on our Proxmox hypervisor, pfSense serves as the central control plane for all network traffic.

Initial Deployment and Configuration

The pfSense implementation involved several key phases:

VM Provisioning: Created a dedicated VM in Proxmox with sufficient resources (2 vCPUs, 4GB RAM, 20GB storage)

Interface Assignment: Configured two network interfaces:

  • WAN Interface: Bridged to the physical network (vmbr0) for internet connectivity
  • LAN Interface: Connected to a dedicated virtual bridge (vmbr2) that serves as the VLAN trunk. For tagged frames to reach pfSense, vmbr2 must be a VLAN-aware bridge in Proxmox, and the pfSense NIC attached to it must carry no VLAN tag of its own.

VLAN Creation: Established four distinct network segments within pfSense. VLAN 1 is the untagged LAN on that trunk; VLANs 10, 20 and 30 are 802.1Q VLANs created in pfSense on the LAN parent interface and then assigned as interfaces in their own right, each with its own address, DHCP scope and rule set:

Network Architecture Deep Dive

VLAN Structure and Addressing

VLAN ID  | Network Segment  | Subnet             | Gateway         | Purpose
1 (LAN)  | Security Tools   | 192.168.1.0/24     | 192.168.1.254   | Command & control network
10       | Vulnerable VMs   | 192.168.10.0/24    | 192.168.10.254  | Standalone vulnerable machines
20       | Active Directory | 192.168.20.0/24    | 192.168.20.254  | Enterprise domain simulation
30       | Applications     | 192.168.30.0/24    | 192.168.30.254  | Containerized web applications
N/A      | Malware Analysis | none (air-gapped)  | none            | Isolated at the hypervisor, no virtual NIC

Segment-Specific Roles

VLAN 1 – Security Tools Network (192.168.1.0/24) This serves as our “Purple Team” command center, hosting:

  • Parrot OS Pentesting Distribution and Caldera Threat Emulation
  • Network monitoring tools (Wazuh, Security Onion, TheHive + Cortex)
  • Forensic analysis workstation
  • Vulnerability scanners (Nessus)

VLAN 10 – Vulnerable VM Segment (192.168.10.0/24) A dedicated testing range containing:

  • VulnHub challenge machines
  • Deliberately vulnerable Linux distributions (Metasploitable)
  • Isolated penetration testing targets

VLAN 20 – Active Directory Environment (192.168.20.0/24) Enterprise simulation network featuring:

  • Windows Server 2022 Domain Controller
  • Windows 10 client workstation
  • Ubuntu 22.04 Joined to Active Directory
  • Realistic AD attack scenarios (Kerberoasting, Golden Ticket, etc.)

VLAN 30 – Application & Container Segment (192.168.30.0/24) Web application security testing environment:

  • Docker containerization platform
  • Vulnerable web applications (bWAPP, DVWA, WebGoat & WebWolf)
  • Custom application deployments in the future

Isolated Malware Analysis Environment (no virtual NIC) Complete network isolation for malware analysis, enforced by the hypervisor rather than by VLANs or firewall rules:

  • No Network Configuration: Virtual NICs removed from the VM hardware settings
  • Zero Connectivity: No virtual switches, bridges, or network adapters attached to the VM
  • Air-Gap at the Hypervisor: Proxmox exposes no network device to the guest, so there is no firewall rule to get wrong
  • Analysis Tools: REMnux, Flare VM, and custom analysis frameworks
  • Malware Samples: Live malware execution in a completely contained environment

DHCP Configuration

Each VLAN includes an integrated DHCP server configured within pfSense, providing:

  • Automatic IP assignment within designated ranges
  • DNS server configuration (pointing to pfSense)
  • Default gateway assignment
  • Lease duration management

Firewall Rules: The Security Policy Engine

pfSense implements a stateful firewall with default-deny principles: rules are attached to the interface on which traffic enters, evaluated top to bottom with the first match winning, and anything not explicitly passed is dropped. Traffic flows are permitted only through carefully crafted rules:

Core Firewall Policies

Internet Access Rules

Action: Pass
Source: [VLAN_Network]
Destination: !RFC1918_Networks (an alias for the RFC 1918 private ranges, with Invert match set)
Description: Allow outbound internet access for updates/downloads

Attack Vector Enablement (Already Configured)

Action: Pass | Source: LAN subnets | Destination: * (Any) | Description: Default allow LAN to any rule

This rule enables security tools on VLAN 1 to access all target networks (VLANs 10, 20, 30) and the internet.

  • LAN (VLAN 1): Anti-lockout rule + full access to any destination (including all VLANs)
  • VLAN 10: Internet access only (isolated from other VLANs)
  • VLAN 20: Internet access only (isolated from other VLANs)
  • VLAN 30: Internet access only (isolated from other VLANs)

Two consequences of this rule set are worth checking before declaring the network done. First, a pass rule whose destination is !RFC1918 does not match pfSense's own interface addresses (192.168.10.254 and its siblings are private addresses), so DHCP clients on VLANs 10, 20 and 30 that are handed pfSense as their DNS server cannot resolve names until a rule permitting traffic to "This Firewall" on port 53 is placed above it. DHCP itself still works, because pfSense adds the rules for it automatically when the DHCP server is enabled on an interface. Second, the firewall is stateful but not symmetric: it allows replies to connections VLAN 1 opened, not new connections back into VLAN 1. A reverse shell from a target on VLAN 10 to the Parrot OS box, or a Wazuh agent on the VLAN 20 domain controller reporting to a manager on VLAN 1, is a new connection that the "internet only" policy drops, so each such flow needs its own narrow pass rule (specific destination host and port) on the target VLAN's interface.

Segmentation in Action

  • VLAN 1 → All Networks: Allowed (enables security tools to access all targets)
  • VLAN 10 ↔ VLAN 20: Blocked (prevents cross-contamination)
  • VLAN 10 ↔ VLAN 30: Blocked (isolates different attack surfaces)
  • VLAN 20 ↔ VLAN 30: Blocked (maintains enterprise/application separation)
  • All VLANs → Internet: Allowed (for updates and downloads)
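To confirm that a rule set actually delivers the segmentation listed above before trusting it with live targets, the following script models pfSense's per-interface, first-match, default-deny evaluation against the policy described in this post. It is an added example written for this article, not pfSense code or an export of the lab's configuration. The host addresses (Parrot OS at 192.168.1.10, a Wazuh manager at 192.168.1.20, a target at 192.168.10.5, the domain controller at 192.168.20.10, 203.0.113.10 standing in for the internet) and the rules in with_lab_fixes are assumptions for illustration; protocol and source port are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subnets from the VLAN table above. pfSense holds .254 on each one and is the
# DHCP-advertised DNS server, so its own addresses matter for the rule checks.
VLANS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "VLAN20": ipaddress.ip_network("192.168.20.0/24"),
    "VLAN30": ipaddress.ip_network("192.168.30.0/24"),
}
FIREWALL_ADDRS = {net[254] for net in VLANS.values()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: str                     # "any", "!RFC1918", "This Firewall", or a CIDR
    dport: Optional[int] = None  # None matches any destination port


def dst_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "!RFC1918":        # the private-networks alias with "invert match" set
        return not any(dst in net for net in RFC1918)
    if rule.dst == "This Firewall":   # pfSense's built-in alias for all of its own addresses
        return dst in FIREWALL_ADDRS
    return dst in ipaddress.ip_network(rule.dst)


def allowed(policy: Dict[str, List[Rule]], src_iface: str, dst_ip: str, dport: int) -> bool:
    """pfSense semantics: rules are evaluated on the interface the packet enters,
    first match wins, and anything unmatched is dropped. Replies ride on state and
    never consult the rule set, so only the first packet of a new connection is modelled."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy.get(src_iface, []):
        if dst_matches(rule, dst) and rule.dport in (None, dport):
            return rule.action == "pass"
    return False


# The rule set exactly as the post describes it.
INTERNET_ONLY = [Rule("pass", "!RFC1918")]
POLICY_AS_DESCRIBED = {
    "LAN": [Rule("pass", "any")],   # "Default allow LAN to any rule"
    "VLAN10": INTERNET_ONLY,
    "VLAN20": INTERNET_ONLY,
    "VLAN30": INTERNET_ONLY,
}

# Hypothetical hosts for the checks: 192.168.1.10 = Parrot OS, 192.168.1.20 = Wazuh manager,
# 192.168.10.5 = a VulnHub box, 192.168.20.10 = the domain controller, 203.0.113.10 = the internet.
FLOWS = {
    "LAN -> VLAN10 target, ssh": ("LAN", "192.168.10.5", 22),
    "VLAN10 -> VLAN20 DC, smb": ("VLAN10", "192.168.20.10", 445),
    "VLAN10 -> internet, https": ("VLAN10", "203.0.113.10", 443),
    "VLAN10 -> pfSense DNS": ("VLAN10", "192.168.10.254", 53),
    "VLAN20 -> Wazuh manager on LAN": ("VLAN20", "192.168.1.20", 1514),
    "VLAN10 -> reverse shell to Parrot": ("VLAN10", "192.168.1.10", 4444),
}


def segmentation_report(policy: Dict[str, List[Rule]]) -> Dict[str, bool]:
    return {name: allowed(policy, *flow) for name, flow in FLOWS.items()}


def with_lab_fixes(policy: Dict[str, List[Rule]]) -> Dict[str, List[Rule]]:
    """Suggested additions (assumptions, not from the post): let each target VLAN reach
    pfSense for DNS, and let the VLAN 20 Wazuh agent reach its manager. Narrow rules are
    inserted above the broad !RFC1918 rule because the first match wins."""
    fixed = {iface: list(rules) for iface, rules in policy.items()}
    for iface in ("VLAN10", "VLAN20", "VLAN30"):
        fixed[iface].insert(0, Rule("pass", "This Firewall", 53))
    fixed["VLAN20"].insert(0, Rule("pass", "192.168.1.20/32", 1514))  # Wazuh agent -> manager
    return fixed


if __name__ == "__main__":
    for label, policy in (("as described", POLICY_AS_DESCRIBED),
                          ("with fixes", with_lab_fixes(POLICY_AS_DESCRIBED))):
        print(f"--- {label} ---")
        for name, ok in segmentation_report(policy).items():
            print(f"{'PASS ' if ok else 'BLOCK'}  {name}")
```

Run as-is it prints a verdict for each flow under both rule sets. Under the policy as described, VLAN 10 reaches the internet but not pfSense's own DNS listener, and neither a reverse shell to Parrot OS nor a Wazuh agent check-in from VLAN 20 gets through, because both are new connections into VLAN 1 rather than replies to connections VLAN 1 opened. The fixes leave the VLAN 10 to VLAN 20 path blocked, which is the property the segmentation exists for.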

Advanced Security Features

Intrusion Detection Integration: pfSense can forward its firewall and system logs over remote syslog to Wazuh or Security Onion, and can run Suricata or Snort as a package to inspect traffic crossing the firewall

Traffic Shaping: QoS policies to prioritize critical lab traffic

Logging & Monitoring: Comprehensive traffic logging for forensic analysis

Isolated Malware Environment: Hypervisor-Level Air-Gap

The malware analysis environment is the strictest isolation boundary in the lab. Rather than relying on VLAN segmentation and firewall rules, the malware analysis VMs have their virtual NICs removed from the VM hardware configuration in Proxmox, so they have no path to any bridge and no ability to connect to the network at all.

Isolation Implementation

  • Network Interface Removal: Virtual network adapters completely removed from the VM hardware configuration
  • No Virtual Switching: No connection to any virtual switches or bridges within Proxmox
  • Hypervisor-Level Isolation: Enforced by the hypervisor, which presents no network device to the guest; the VM still shares the host's CPU, memory and storage, which is why a hypervisor escape remains the residual risk
  • Snapshot-Based Recovery: Rapid restoration to clean states for repeated analysis
  • Controlled Execution Environment: REMnux and Flare VM configured for safe malware analysis

This approach ensures that even the most aggressive malware cannot establish any form of network communication from inside the guest. The one thing it does not address is a hypervisor escape, which no network configuration can. The malware we will be interacting with was not given to me by nation-state actors and will be variants that are already well documented. With no network device present at the VM level, malware attempting to reach external command-and-control infrastructure or move laterally has nowhere to send its packets.
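The two Proxmox-side invariants this post relies on (every segmented VM attached to the vmbr2 trunk with the tag of its VLAN, and every malware analysis VM with no network device at all) are easy to break with a careless clone or a hardware tab left open, so they are worth auditing from the hypervisor's own view of each VM. The script below is an added example for this article, not Proxmox tooling: it parses the "key: value" output of qm config and flags deviations. The VM names, MAC addresses and configuration text are constructed for the example, and the role table is an assumption about which VM lives where. It assumes vmbr2 is a VLAN-aware bridge, so a NIC on it without a tag (pfSense) sees every VLAN as a trunk while a NIC with tag=10 sees only VLAN 10.

```python
import re
from typing import Dict, List, Optional, Tuple


def parse_qm_config(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines printed by `qm config <vmid>` into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z]+\d*):\s*(.*)$", line.strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def nic_options(value: str) -> Dict[str, str]:
    """Split 'virtio=BC:24:11:..,bridge=vmbr2,tag=10' into its option pairs."""
    opts = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        opts[key] = val
    return opts


def audit_vm(conf: Dict[str, str], role: str, tag: Optional[int], trunk: str = "vmbr2") -> List[str]:
    """role is 'airgap' (malware VMs), 'segment' (a VM inside one VLAN; tag=None means the
    untagged LAN, i.e. VLAN 1) or 'trunk' (pfSense, which must see every VLAN on the trunk)."""
    findings = []
    nics = {k: nic_options(v) for k, v in conf.items() if re.fullmatch(r"net\d+", k)}
    if role == "airgap":
        for k in nics:
            findings.append(f"{k} present ({conf[k]}); an air-gapped VM must have no virtual NIC")
        for k, v in conf.items():
            if re.fullmatch(r"(hostpci|usb)\d+", k):
                findings.append(f"{k} passthrough ({v}) could hand the guest a physical NIC or radio")
            elif k == "args" and "netdev" in v:
                findings.append("custom QEMU args define a netdev outside Proxmox's network settings")
    elif role == "segment":
        if len(nics) != 1:
            findings.append(f"expected exactly one NIC, found {len(nics)}")
        want = None if tag is None else str(tag)
        for k, o in nics.items():
            if o.get("bridge") != trunk:
                findings.append(f"{k} is on {o.get('bridge')}, not the {trunk} trunk")
            if o.get("tag") != want:
                findings.append(f"{k} has tag={o.get('tag')} but this segment requires tag={want}")
    elif role == "trunk":
        on_trunk = [k for k, o in nics.items() if o.get("bridge") == trunk]
        if not on_trunk:
            findings.append(f"no NIC on {trunk}; pfSense cannot see the VLANs")
        for k in on_trunk:
            if "tag" in nics[k]:
                findings.append(f"{k} carries tag={nics[k]['tag']}; the trunk NIC must be untagged")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


def audit_lab(configs: Dict[str, str], roles: Dict[str, Tuple[str, Optional[int]]]) -> Dict[str, List[str]]:
    return {name: audit_vm(parse_qm_config(configs[name]), *roles[name]) for name in roles}


# Constructed `qm config` output for six lab VMs (MAC addresses are made up).
VM_CONFIGS = {
    "pfsense": "cores: 2\nmemory: 4096\nnet0: virtio=BC:24:11:00:00:01,bridge=vmbr0\n"
               "net1: virtio=BC:24:11:00:00:02,bridge=vmbr2\n",
    "parrot": "net0: virtio=BC:24:11:00:00:05,bridge=vmbr2\n",
    "metasploitable": "net0: virtio=BC:24:11:00:00:10,bridge=vmbr2,tag=10\n",
    "dc01": "net0: virtio=BC:24:11:00:00:20,bridge=vmbr2,tag=20\n",
    # Two mistakes to catch: a NIC left on the Flare VM, and USB passthrough on REMnux.
    "flarevm": "cores: 4\nmemory: 8192\nnet0: virtio=BC:24:11:00:00:90,bridge=vmbr2,tag=10\n",
    "remnux": "cores: 2\nmemory: 4096\nusb0: host=1-3\n",
}
ROLES = {
    "pfsense": ("trunk", None),
    "parrot": ("segment", None),      # VLAN 1 is the untagged LAN
    "metasploitable": ("segment", 10),
    "dc01": ("segment", 20),
    "flarevm": ("airgap", None),
    "remnux": ("airgap", None),
}

if __name__ == "__main__":
    for name, findings in audit_lab(VM_CONFIGS, ROLES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  ! {f}")
```

On a real host, feed it the output of qm config for each VM. Besides netN entries, it flags hostpciN and usbN passthrough, because a passed-through NIC or Wi-Fi dongle gives the guest a network path the Proxmox network tab never shows, and custom args that define a netdev for the same reason.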

Network Topology Visualization

The accompanying network diagram illustrates our complete lab architecture:

  • Internet Gateway: pfSense WAN interface providing controlled external access
  • Central Firewall: pfSense managing all inter-VLAN communications
  • Segmented Networks: Four distinct VLANs for different security functions
  • Isolated Analysis: Completely disconnected malware environment

Each segment operates independently while remaining reachable from our security tools network, creating an ideal environment for comprehensive security testing and research.

Implementation Benefits

This architecture provides several operational advantages:

Realistic Simulation: Mirrors enterprise network segmentation practices

Containment Assurance: Limits blast radius of security incidents

Flexible Testing: Enables complex multi-network attack scenarios

Forensic Capability: Provides network-level visibility and logging

Scalable Design: Easily accommodates additional VLANs or security tools

Next Steps

With our network foundation established, we can now deploy and configure our security tools with inter-segment traffic constrained by the firewall rather than left to chance, which limits cross-contamination and uncontrolled lateral movement.

In our next post, we’ll focus on VLAN 1 deployment, covering:

  • Parrot OS Pentesting Distribution and Caldera Threat Emulation
  • Network monitoring tools (Wazuh, Security Onion, TheHive + Cortex)
  • Forensic analysis workstation
  • Vulnerability scanners (Nessus)

The network highways are built—now it’s time to populate them with the vehicles of our security research.


Continue following this series as we build out each component of our comprehensive cybersecurity laboratory environment.