Barriers to Entry

This tutorial demonstrates how to use VMware Workstation and an OPNsense firewall to create a virtually segmented Kali Linux environment, but the concepts can be applied to any similar technology.

Workstations used used for penetration testing, malware analysis, or other potentially hazardous activities need to be segregated. This prevents activity from accidentally "leaking" to other hosts. It also keeps unauthorized users - including those that might be lurking on target domains, CTF networks, and training labs - out of the local network if the workstation is compromised.

Enterprise environments often have labs that include dedicated workstations, hardware firewalls, or air-gap segregation. Individual penetration testers and security researchers managing their own environments can leverage a bit of virtualization savvy to achieve similar results and protect their own workstations, devices, and small office or home networks.

Prerequisites

This setup won't work with remote or shared virtual machines, or in cases where the Kali machine needs to scan the local network.

Readers should have a basic understanding of virtualization, firewalls, and already be comfortable with installation of Kali Linux and OPNsense. The tutorial doesn't cover basic configuration, security or hardening techniques for any of the technologies mentioned. Disclaimer: nothing is 100% secure - use at your own risk!

Tutorial

To begin, create two virtual machines, one for Kali and one for the OPNsense firewall. In the tutorial, these will be referred to as kali01 and fw01.

Network Configuration

Create fw01 with two network adapters. The first adapter will be the internal (LAN) interface for the firewall.  Set the connection type to LAN Segment.  Click on "LAN Segments..." and create a new segment called kalinet (any name will work). Close the dialogue box and make sure that the LAN segment selected in the drop down is kalinet.

Set the second adapter to bridged mode. This will be the external (WAN) interface on the firewall and the IP address will need to be configured statically or using DHCP from the local network.

On kali01, create a single network adapter with connection set to LAN Segments and kalinet selected in the drop down.  Since the only other device available on the kalinet segment is the internal interface of fw01, all network traffic from kali01 will need to route through the fw01.

Initial Configuration

Install OPNsense, begin the initial configuration and assign interfaces, making sure the network adapter connected to kalinet is set as the internal interface.  

Select the option to set interface IP addresses.  The external (WAN) interface should match whatever standard is used on the rest of the local network, and the internal (LAN) interface can be set using any internal IP address scheme, as long as it differ from the IP range used on the WAN interface. Assuming that DHCP is configured for the WAN interface, the configuration should look something like this:

    WAN (em1)     -> v4/DHCP4: 192.168.2.100/24
    LAN (em0)     -> v4: 192.168.1.1/24

The IPs and ranges listed above will be used throughout the rest of the tutorial, but should be changed to match appropriately. The WAN netmask must accurately match the local network that needs to be isolated from kali01.

Firewall Rules

By default, OPNsense enables a DHCP server on the LAN interface. Build kali01 and configure the network interface for DHCP. It should then be possible to access the OPNsense admin portal by pointing a browser on kali01 to https://192.168.1.1.

From the admin portal, select Firewall from the menu on the left, then click LAN under the Rules section. Use the plus sign to create a single rule with action Block and configured with Quick mode turned on, for interface LAN, direction IN, for TCP/IP version IPv4+IPv6 and protocol any, from source LAN net to destination WAN net.

This will effectively block any traffic from kali01 to the VMware host network and anything else connected to the same network as the em1 (WAN) interface. However, traffic will still be able to flow past the local network and out to the internet.

FAQ

Q. Can I add another machine to kalinet or do I need to configure a new segment and install an additional firewall?

A. The same LAN segment and firewall can be leveraged by multiple machines. However, those machines won't be isolated from each other as network traffic between them will not need to traverse through the firewall.

Q. Does this work with the WAN interface on fw01 set to NAT or host-only?

A. Not really.  This would isolate kali01 from the host, but not from any of the other machines on the same network as the host.

Q. Why choose LAN Segments instead of a dedicated host-only or custom network?

A. LAN Segments are useful for complete host isolation, unlike host-only and other custom networks created with the VMware Workstation's virtual network editor, which create a VPN to the host machine. Also, LAN segments can be created and edited without root/admin privileges on the host OS!

Q. Anything else?

A. Snapshot VM's while they are in a clean state and return to previous snapshots after any risky activities.