A flat network is a vulnerable network. Here’s how I used pfSense to slice my lab into isolated Virtual LANs (VLANs), creating distinct zones for monitoring, attacks, and even a quarantined malware environment.
Introduction to Network Segmentation
Welcome back to the Ultimate Cybersecurity Lab build! In our last post, we established the vision. Today, we construct the foundation—the critical network infrastructure that will enable secure testing, attack simulation, and forensic analysis.
Before deploying attack tools and vulnerable machines, we must architect the digital highways and security barriers of our lab environment. In networking terms, this means implementing proper segmentation through Virtual LANs (VLANs).
Why Network Segmentation Matters
Placing all lab machines on a single, flat network creates a scenario similar to a house without walls is chaotic, insecure, and operationally inefficient. When one machine becomes compromised, lateral movement becomes trivial, potentially affecting every system on the network.
VLANs solve this fundamental problem by partitioning a single physical network into multiple, logically isolated segments. Each VLAN operates as its own security domain, with inter-VLAN communication controlled through explicit firewall rules. This architecture provides:
Security Isolation: Contains attacks and prevents lateral movement between network segments
Operational Organization: Groups functionally similar systems (attack tools, vulnerable targets, enterprise simulation)
Performance Optimization: Reduces broadcast domain size and unnecessary cross-segment traffic
Compliance Alignment: Mirrors real-world enterprise network segmentation practices
pfSense: The Network Control Plane
For our lab’s routing, firewalling, and VLAN management, I selected pfSense—a robust, open-source firewall distribution built on FreeBSD. Running as a virtual machine on our Proxmox hypervisor, pfSense serves as the central control plane for all network traffic.
Initial Deployment and Configuration
The pfSense implementation involved several key phases:
VM Provisioning: Created a dedicated VM in Proxmox with sufficient resources (2 vCPUs, 4GB RAM, 20GB storage)
Interface Assignment: Configured two network interfaces:
- WAN Interface: Bridged to physical network (vmbr0) for internet connectivity
- LAN Interface: Connected to dedicated virtual bridge (vmbr2) serving as VLAN trunk
VLAN Creation: Established four distinct network segments within pfSense:
Network Architecture Deep Dive
VLAN Structure and Addressing
| VLAN ID | Network Segment | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| 1 (LAN) | Security Tools | 192.168.1.0/24 | 192.168.1.254 | Command & control network |
| 10 | Vulnerable VMs | 192.168.10.0/24 | 192.168.10.254 | Standalone vulnerable machines |
| 20 | Active Directory | 192.168.20.0/24 | 192.168.20.254 | Enterprise domain simulation |
| 30 | Applications | 192.168.30.0/24 | 192.168.30.254 | Containerized web applications |
| N/A | Malware Analysis | AIR-GAPPED | ISOLATED | Hardware-isolated malware environment |
Segment-Specific Roles
VLAN 1 – Security Tools Network (192.168.1.0/24) This serves as our “Purple Team” command center, hosting:
- Parrot OS Pen-testing Distribution and Caldera Threat Emulation
- Network monitoring tools (Wazuh, Security Onion, The Hive + Cortex)
- Forensic analysis workstation
- Vulnerability scanners (Nessus)
VLAN 10 – Vulnerable VM Segment (192.168.10.0/24) A dedicated testing range containing:
- VulnHub challenge machines
- Deliberately vulnerable Linux distributions (Metasploitable)
- Isolated penetration testing targets
VLAN 20 – Active Directory Environment (192.168.20.0/24) Enterprise simulation network featuring:
- Windows Server 2022 Domain Controller
- Windows 10 client workstation
- Ubuntu 22.04 Joined to Active Directory
- Realistic AD attack scenarios (Kerberoasting, Golden Ticket, etc.)
VLAN 30 – Application & Container Segment (192.168.30.0/24) Web application security testing environment:
- Docker containerization platform
- Vulnerable web applications (bWAPP, DVWA, WebGoat & WebWolf)
- Custom application deployments in the future
Hardware-Isolated Malware Analysis Environment Complete physical isolation for malware analysis:
- No Network Configuration: Virtual NICs removed from VM hardware settings
- Zero Connectivity: No virtual switches, bridges, or network adapters
- True Air-Gap: Physical isolation at the hypervisor level
- Analysis Tools: REMnux, Flare VM, and custom analysis frameworks
- Malware Samples: Live malware execution in completely contained environment
DHCP Configuration
Each VLAN includes an integrated DHCP server configured within pfSense, providing:
- Automatic IP assignment within designated ranges
- DNS server configuration (pointing to pfSense)
- Default gateway assignment
- Lease duration management
Firewall Rules: The Security Policy Engine
pfSense implements a stateful firewall with default-deny principles. Traffic flows are explicitly permitted through carefully crafted rules:
Core Firewall Policies
Internet Access Rules
Action: Pass
Source: [VLAN_Network]
Destination: !RFC1918_Networks (Inverted private networks)
Description: Allow outbound internet access for updates/downloadsAttack Vector Enablement (Already Configured)
Action: Pass | Source: LAN subnets | Destination: * (Any) | Description: Default allow LAN to any rule
This rule enables security tools on VLAN 1 to access all target networks (VLANs 10, 20, 30) and the internet.
- LAN (VLAN 1): Anti-lockout rule + Full access to any destination (including all VLANs)
- VLAN 10: Internet access only (isolated from other VLANs)
- VLAN 20: Internet access only (isolated from other VLANs)
- VLAN 30: Internet access only (isolated from other VLANs)
Segmentation in Action
- VLAN 1 → All Networks: Allowed (enables security tools to access all targets)
- VLAN 10 ↔ VLAN 20: Blocked (prevents cross-contamination)
- VLAN 10 ↔ VLAN 30: Blocked (isolates different attack surfaces)
- VLAN 20 ↔ VLAN 30: Blocked (maintains enterprise/application separation)
- All VLANs → Internet: Allowed (for updates and downloads)
Advanced Security Features
Intrusion Detection Integration: pfSense can integrate with Wazuh and Security Onion for real-time traffic analysis
Traffic Shaping: QoS policies to prioritize critical lab traffic
Logging & Monitoring: Comprehensive traffic logging for forensic analysis
Isolated Malware Environment: Hardware-Level Air-Gap
The malware analysis environment represents our most secure isolation implementation. Software / hardware-level isolation rather than network-based segmentation. Unlike the VLAN-based approach used for other lab segments, the malware analysis machines operate with the Software NIC removed from the Hardware of the machines removing any ability to connect to the network.
Hardware Isolation Implementation
- Network Interface Removal: Virtual network adapters completely removed from VM hardware configuration
- No Virtual Switching: No connection to any virtual switches or bridges within Proxmox
- Hypervisor-Level Isolation: Isolation enforced at the hardware abstraction layer
- Snapshot-Based Recovery: Rapid restoration to clean states for repeated analysis
- Controlled Execution Environment: REMnux and Flare VM configured for safe malware analysis
This hardware level isolation approach ensures that even the most malware cannot establish any form of network communication. There is always the capability of hypervisor escape. The malware we will be interacting with was not given to me by nation state actors and will be variants already well documented. The absence of network hardware at the VM level creates an barrier for malware attempting to communicate with external command-and-control infrastructure or perform lateral movement.
Network Topology Visualization
The accompanying network diagram illustrates our complete lab architecture:
- Internet Gateway: pfSense WAN interface providing controlled external access
- Central Firewall: pfSense managing all inter-VLAN communications
- Segmented Networks: Four distinct VLANs for different security functions
- Isolated Analysis: Completely disconnected malware environment
Each segment operates independently while maintaining connectivity to our security tools network, creating an ideal environment for comprehensive security testing and research.
Implementation Benefits
This architecture provides several operational advantages:
Realistic Simulation: Mirrors enterprise network segmentation practices
Containment Assurance: Limits blast radius of security incidents
Flexible Testing: Enables complex multi-network attack scenarios
Forensic Capability: Provides network-level visibility and logging
Scalable Design: Easily accommodates additional VLANs or security tools
Next Steps
With our robust network foundation established, we can now safely deploy and configure our security tools without risk of cross-contamination or uncontrolled lateral movement.
In our next post, we’ll focus on VLAN 1 deployment, covering:
- Parrot OS Pentesting Distribution and Caldera Threat Emulation
- Network monitoring tools (Wazuh, Security Onion, The Hive + Cortex)
- Forensic analysis workstation
- Vulnerability scanners (Nessus)
The network highways are built—now it’s time to populate them with the vehicles of our security research.
Continue following this series as we build out each component of our comprehensive cybersecurity laboratory environment.