
Building a Cybersecurity Practice Homelab: Network Topology, Tools, and Troubleshooting

Setting up a comprehensive cybersecurity practice homelab has been an enriching learning experience for me. This post documents the entire network topology, key security tools deployed, and critical challenges I faced—especially with VirtualBox networking and pfSense firewall integration. If you want to get hands-on practice in cybersecurity, hopefully, this guide offers useful insights.



If anything here is unfamiliar to you and you want to get into cybersecurity: GOOGLE IT. Google will be an invaluable resource for familiarizing yourself with the field. Shoot me an email, or fill out the contact form on the homepage, if you want some help diving deeper into these topics or want to know how these tools could be used in your environment.


Network Topology

  • Bare Metal Ubuntu Host - Network: 192.168.1.0/24

    • VirtualBox Hypervisor

      • pfSense Firewall

        • Managing VLANs as detailed below

        • Security Apps and Services (10.10.1.0/24):

          • Kali Linux Host

          • Wazuh SIEM (agents installed on the Docker host, the Kali host, and pfSense)

          • Nessus Vulnerability Scanner

          • Caldera Adversary Emulation Tool

          • Security Onion

        • Additional VLANs: 10.10.10.0/24 and 10.10.20.0/24

        • Ubuntu Server 22.04 (10.10.30.0/24):

          • Docker and Portainer

          • Vulnerable containers inside a macvlan network (10.10.30.128/27):

            • bWAPP Container

            • DVWA Container

            • WebGoat Container


This modular topology lets the security tools run isolated in their own segment yet reachable from the others across pfSense-managed VLANs, mimicking the segmented architecture of an enterprise network.


Problems Solved


pfSense Syslog Forwarding to Security Onion

Configured pfSense remote syslog forwarding to Security Onion for enhanced visibility in the SIEM.



pfSense Wazuh Agent Installation

pfSense runs on FreeBSD, which requires special handling to install the Wazuh agent.


Installation Overview

  1. Enable SSH on the pfSense firewall before connecting.

  2. Enable FreeBSD package repositories (disabled by default on pfSense).

  3. Enable firewall logs (syslog forwarding already in place).

  4. In Wazuh, create a group and enable the corresponding rules.


Enable FreeBSD Repos

By default, pfSense disables FreeBSD package repos. Enable them as follows:


  • SSH into pfSense firewall and navigate to:

bash

cd /usr/local/etc/pkg/repos/
  • Edit the pfsense.conf file (check the exact filename with ls first; the filesystem is case-sensitive):

bash

vi pfsense.conf

or use nano if preferred:


bash

pkg search nano
pkg install nano
  • Change the content to:

text

FreeBSD: { enabled: yes }
  • Similarly, edit the FreeBSD.conf file:

bash

vi FreeBSD.conf
  • Change to:

text

FreeBSD: { enabled: yes }

Install Wazuh Agent

Update package cache and install:

bash

pkg update
pkg search wazuh-agent
pkg install wazuh-agent-4.7.2

Start and Configure Wazuh Agent

  • Copy the local timezone file:

bash

cp /etc/localtime /var/ossec/etc
  • Edit the agent configuration:

bash

vi /var/ossec/etc/ossec.conf

  • Add your Wazuh server address inside the <client> block:

xml

<client>
	<server>
		<address>10.10.1.51</address>
	</server>
</client>
  • Enable agent to start automatically:

bash

sysrc wazuh_agent_enable="YES"
  • Create symbolic link and start the agent service:

bash

ln -s /usr/local/etc/rc.d/wazuh-agent /usr/local/etc/rc.d/wazuh-agent.sh

service wazuh-agent start
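The steps above collected into one script. This is an added example, not the post's own commands: it writes the repo files with a backup, takes the manager address as an argument, edits ossec.conf without sed -i (FreeBSD and GNU sed disagree on that flag) and in a way that keeps the file's owner and mode, and checks that the address actually landed before enabling the service. Paths and the package version are the post's; that the packaged ossec.conf already contains a <client><server><address> element, and the pfSense.conf/pfsense.conf filename variants, are my assumptions to verify on your install.

```shell
#!/bin/sh
# Added example (not from the post): Wazuh agent setup on pfSense/FreeBSD as a
# re-runnable script.  Usage as root on the firewall:
#   sh pfsense-wazuh-agent.sh 10.10.1.51
# Assumptions: package name wazuh-agent-4.7.2 exists in the FreeBSD repo, and the
# packaged ossec.conf has a <client><server><address> element to point at the manager.
REPO_DIR=${REPO_DIR:-/usr/local/etc/pkg/repos}
OSSEC_DIR=${OSSEC_DIR:-/var/ossec/etc}
RC_DIR=${RC_DIR:-/usr/local/etc/rc.d}
AGENT_PKG=${AGENT_PKG:-wazuh-agent-4.7.2}

# enable_repo FILE: write "FreeBSD: { enabled: yes }", keeping a .bak of the original
enable_repo() {
    if [ -f "$1" ]; then cp "$1" "$1.bak"; fi
    printf 'FreeBSD: { enabled: yes }\n' > "$1"
}

# repo_enabled FILE: exit 0 if FILE already enables the FreeBSD repo
repo_enabled() {
    grep -Eq 'FreeBSD:[[:space:]]*\{[[:space:]]*enabled:[[:space:]]*yes' "$1"
}

# set_manager CONF IP: rewrite the <address> inside the <server> block.
# Written back through cat so ossec.conf keeps its owner and mode; no sed -i.
set_manager() {
    sed "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>$2</address>|" "$1" > "$1.new" \
        && cat "$1.new" > "$1" && rm -f "$1.new"
}

# manager_of CONF: print the manager address currently configured in <server>
manager_of() {
    sed -n '/<server>/,/<\/server>/ s|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# install_agent MANAGER_IP: the whole procedure; safe to run twice
install_agent() {
    for f in "$REPO_DIR"/pfSense.conf "$REPO_DIR"/pfsense.conf "$REPO_DIR"/FreeBSD.conf; do
        [ -f "$f" ] && ! repo_enabled "$f" && enable_repo "$f"
    done
    pkg update
    pkg install -y "$AGENT_PKG"
    cp /etc/localtime "$OSSEC_DIR/"              # agent logs in the firewall's timezone
    set_manager "$OSSEC_DIR/ossec.conf" "$1"
    if [ "$(manager_of "$OSSEC_DIR/ossec.conf")" != "$1" ]; then
        echo "no <server><address> element found in ossec.conf; add it by hand" >&2
        return 1
    fi
    sysrc wazuh_agent_enable="YES"
    [ -e "$RC_DIR/wazuh-agent.sh" ] || ln -s "$RC_DIR/wazuh-agent" "$RC_DIR/wazuh-agent.sh"
    service wazuh-agent restart
    service wazuh-agent status
}

if [ -n "${1:-}" ]; then install_agent "$1"; fi
```

After the restart, confirm on the manager side that the agent shows as active before moving on to the group and rules; an agent with the wrong address sits in "never connected" and the firewall log steps below will appear to do nothing.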

Enable Firewall Logs Monitoring in Wazuh

To monitor firewall logs, create a pfSense group in the Wazuh Manager, assign the firewall's agent to it, and add the following to the group's agent.conf (centralized configuration):

xml

<localfile>
	<log_format>syslog</log_format>
	<location>/var/log/filter.log</location>
</localfile>

Custom Rule for pfSense Firewall Drop Events

Create a new rule in Wazuh's rules management:

xml

<group name="pfsense,">
<rule id="87701" level="5" overwrite="yes">
	<if_sid>87700</if_sid>
	<action>block</action>
	<description>pfSense firewall drop event.</description>
	<group>firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
</rule>
</group>



Add this rule to the pfSense group you created earlier to enhance threat detection coverage.
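As an added example (not from the post and not Wazuh's own decoder or ruleset), here is a small shell parser that does what the pfSense decoder and rule 87701 do together: split the filterlog CSV record and key on the block action. It is handy for checking, against a copy of filter.log, what the rule will fire on before the agent ships it. The field layout is pfSense's documented filterlog format as I recall it and is an assumption to confirm against your version; the sample lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original post: parse pfSense filterlog lines and
# pick out the "block" events that rule 87701 alerts on.
# Field order (assumed from pfSense's filterlog documentation; verify for your version):
#   1 rule,2 subrule,3 anchor,4 tracker,5 iface,6 reason,7 action,8 direction,9 ipver,
#   IPv4: 10 tos,11 ecn,12 ttl,13 id,14 offset,15 flags,16 proto-id,17 proto,
#         18 length,19 src,20 dst,[21 sport,22 dport,...]
#   IPv6: 10 class,11 flowlabel,12 hoplimit,13 proto,14 proto-id,15 length,
#         16 src,17 dst,[18 sport,19 dport,...]

# filterlog_fields LINE -> "action direction iface proto src dst dport" ("-" if no port)
filterlog_fields() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^.*filterlog(\[[0-9]+\])?: /, "")       # drop the syslog header
        n = split($0, f, ",")
        if (n < 9) { print "unparsed"; next }
        action = f[7]; dir = f[8]; iface = f[5]; ver = f[9]
        if (ver == "4")      { proto = f[17]; src = f[19]; dst = f[20]; p = 21 }
        else if (ver == "6") { proto = f[13]; src = f[16]; dst = f[17]; p = 18 }
        else                 { print "unparsed"; next }
        proto = tolower(proto)                         # IPv6 entries use upper case
        dport = "-"
        if (proto == "tcp" || proto == "udp") dport = f[p + 1]
        print action, dir, iface, proto, src, dst, dport
    }'
}

# block_events < lines: one line per "block" action (the condition rule 87701 keys on)
block_events() {
    while IFS= read -r line; do
        set -- $(filterlog_fields "$line")
        [ "$1" = "block" ] || continue
        printf '%s %s -> %s:%s/%s on %s\n' "$2" "$5" "$6" "$7" "$4" "$3"
    done
}

# count_blocks < lines: number of block events
count_blocks() { block_events | wc -l | tr -d ' '; }

# top_blocked_sources < lines: "count src", most active source first
top_blocked_sources() {
    block_events | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample records (not captures): three IPv4 blocks, one pass, one IPv6 block.
SAMPLE='Aug 10 12:00:01 pfSense filterlog[52341]: 5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,54321,0,DF,6,tcp,60,10.10.30.135,10.10.1.51,44321,1514,0,S,1234567890,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 12:00:02 pfSense filterlog[52341]: 100,,,1603000000,vtnet1,match,pass,in,4,0x0,,64,1,0,DF,17,udp,76,10.10.30.10,10.10.1.51,51000,53,56
Aug 10 12:00:03 pfSense filterlog[52341]: 5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,54322,0,DF,6,tcp,60,10.10.30.135,10.10.1.51,44322,22,0,S,1234567891,,64240,,mss;sackOK;TS;nop;wscale
Aug 10 12:00:04 pfSense filterlog[52341]: 5,,,1000000103,vtnet1,match,block,in,6,0x00,0x00000,64,UDP,17,48,fe80::1,ff02::1,5353,5353,48
Aug 10 12:00:05 pfSense filterlog[52341]: 5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,10.10.30.140,10.10.1.51,request,12345,1'

printf '%s\n' "$SAMPLE" | block_events
```

Point it at a real file with `block_events < /var/log/filter.log` on the firewall; the per-source tally from top_blocked_sources is the quickest way to tell a noisy broadcast from something probing across the VLANs.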


VirtualBox Networking Issue with VLAN3 macvlan Containers

While building containers on the VLAN 3 subnet (10.10.30.0/24) using Portainer, I faced an issue where containers received IPs in the correct subnet but were unreachable.


Root Cause: Promiscuous Mode Not Enabled

  • Macvlan networks require the parent network interface to be in promiscuous mode to process traffic destined for container MAC addresses.

  • Without promiscuous mode, the physical NIC discards frames not addressed to its own MAC, hence containers never receive traffic.


Resolution Explained

1. Macvlan Networks and Promiscuous Mode
  • Macvlan assigns unique MAC addresses to each container, providing direct Layer 2 connectivity.

  • The parent interface (enp0s3.3 in this case) must accept traffic for multiple MACs - this requires promiscuous mode.


2. Promiscuous Mode Effect
  • Enabling promiscuous mode allows the parent interface to:

    • Receive frames addressed to container MACs.

    • Forward them to respective macvlan sub-interfaces.

    • Answer ARP for the container addresses, so the ARP caches of pfSense and neighboring hosts (not routing tables) learn the container MACs.


3. Recreating the Macvlan Network
  • After enabling promiscuous mode, the macvlan network was recreated in Portainer.

  • This forced the macvlan sub-interfaces to rebind to the parent with promiscuous mode in effect.


4. Macvlan vs Bridge Networks
  • The default bridge network puts containers on a private subnet behind docker0 and NATs their traffic out through the host's own MAC, so promiscuous mode is never needed there.

  • Macvlan puts each container directly on the parent's Layer 2 segment (VLAN 3 here) with its own MAC and a routable 10.10.30.128/27 address, which is what makes the targets reachable from the other VLANs through pfSense, at the cost of the promiscuous-mode requirement.


Summary

For macvlan Docker networks in VirtualBox-hosted environments, promiscuous mode on the parent interface is mandatory for container communication and proper network operation.
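As an added example (not from the post, which did this through Portainer), here is a preflight script for the Docker VM that reads the parent interface's promiscuous flag the way the Linux kernel exposes it, enables it if missing, and only then recreates the macvlan network. It goes one step beyond the post's fix by also checking that the macvlan ip-range sits inside the subnet, a second reason containers can get "correct" addresses nobody can reach. Interface and addresses are the post's (enp0s3.3, 10.10.30.0/24, 10.10.30.128/27); the gateway 10.10.30.1 and the network name vlan3_macvlan are assumptions. It also assumes the VirtualBox adapter's own "Promiscuous Mode" setting allows it, since the guest-side flag alone does nothing otherwise.

```shell
#!/bin/sh
# Added example (not from the post): macvlan preflight for a VirtualBox-hosted Docker VM.
# Assumptions: Linux guest with sysfs and iproute2, Docker CLI available, VirtualBox
# adapter set to allow promiscuous mode, gateway 10.10.30.1, network name vlan3_macvlan.
# Usage: sh macvlan-preflight.sh --apply

# promisc_from_flags HEX: "on" if IFF_PROMISC (0x100) is set in /sys/class/net/<if>/flags
promisc_from_flags() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo on; else echo off; fi
}

# iface_promisc IFACE: live check of the parent interface
iface_promisc() {
    promisc_from_flags "$(cat "/sys/class/net/$1/flags")"
}

# ip4_to_int A.B.C.D: dotted quad to integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER: exit 0 if INNER (x.x.x.x/n) lies entirely within OUTER
cidr_contains() {
    o_len=${1#*/}; i_len=${2#*/}
    [ "$i_len" -ge "$o_len" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - o_len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "${1%/*}") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# macvlan_preflight IFACE SUBNET IPRANGE GATEWAY NAME
macvlan_preflight() {
    if [ "$(iface_promisc "$1")" != on ]; then
        echo "enabling promiscuous mode on $1"
        ip link set "$1" promisc on
    fi
    if ! cidr_contains "$2" "$3"; then
        echo "ip-range $3 is not inside subnet $2" >&2
        return 1
    fi
    # Recreate the network so the driver binds to the parent with the flag in effect.
    # docker network rm fails (and stops us) if containers are still attached.
    if docker network inspect "$5" >/dev/null 2>&1; then docker network rm "$5"; fi
    docker network create -d macvlan --subnet="$2" --ip-range="$3" \
        --gateway="$4" -o parent="$1" "$5"
}

if [ "${1:-}" = "--apply" ]; then
    macvlan_preflight enp0s3.3 10.10.30.0/24 10.10.30.128/27 10.10.30.1 vlan3_macvlan
fi
```

`ip link set ... promisc on` does not survive a reboot; put it in a systemd unit or the netplan/post-up hook on the Docker VM, or the containers go silent again after the next restart.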


Closing Thoughts

Building this cybersecurity practice homelab has been an invaluable project. Configuring pfSense and Security Onion for centralized logging and SIEM analysis, integrating Wazuh agents on FreeBSD, and troubleshooting VirtualBox network nuances demonstrate the depth of real-world skills developed. I know this had a ton of technical jargon, and probably left you wondering, "How did we get here?" at points. That's okay. It took me a good while before working through problems like this was doable, even intuitive. If anything here interested you and you want to dive deeper - reach out!
