Milestone 7 VMWare Review - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
This page journals content related to SYS-350 milestone 7.
Setting up new virtual networks
I had to set up 2 new networks for this assignment:

- MGMT: 172.16.1.0/24 - OPT1
- DMZ: 172.16.2.0/24 - OPT2
To set them up the first thing I did was go to my ESXI host in vcenter > "Configure" > "Virtual switches":
Then I pressed "ADD NETWORKING..." > filled out the setup wizard with the following:
Selected "Virtual Machine Port Group for a Standard Switch":
Selected to make a "New standard switch":
Did not select any physical network adapters to add to the switch:
Named it "SYS-350-DMZ":
Final port group ready to complete:
I repeated these steps, but used the name "SYS-350-MGMT":
Then I added 2 new adapters to my GW01-WAN for the MGMT and DMZ:
After setting these, my google remote session cut out and I had to troubleshoot, because for some reason some of the vmx adapters had shuffled. The steps to correct this are listed in Troubleshooting 1-pfsense has a moment. If I had not had this problem, all I would have had to do is the following:
In GW01-WAN, I used option 1:
Assigned the interfaces so that my previous WAN and LAN were set the same as before (see above image) and I assigned my new interfaces as well:
Set GW01-WAN:
I also used option 3 to reset the password :)
I also restarted ad350 (not sure whether this had to be done because of my pfsense issues or not!)
Setting up new interfaces
Then I went to https://10.0.17.2/ > Interfaces > selected OPT1:
Then I setup the OPT1 interface like the following (NOTE: Originally didn't set name but went back later and named the interface!):
Pressed "Save" then "Apply Changes":
Then I setup OPT2, accessed from interfaces dropdown (NOTE: Originally didn't set name but went back later and named the interface!):
Then I saved and applied the changes.
I also had another troubleshooting problem, with my vcenter repeatedly disconnecting from my ESXI; this was solved in Troubleshooting 2-my ESXI won't come back pls help. I believe this problem was related to having to change my pfsense and possibly to restarting my ad350. If I had not run into issues, I could have skipped straight to the following:
After setting my interfaces I created the following folder structure for this lab in vcenter:
Creating DMZ and MGMT VMs
Then I right clicked on my rocky.base.template > new vm from template named "web01-oliver":
Set the following settings for the VM:
Set IP (172.16.2.100):
Made sure to put the VM on the DMZ:
And setup VM from the ubuntu.base.template named "backup01-oliver":
Set IP (172.16.2.100):
Made sure to put the VM on the MGMT:
Setting up pfsense firewall rules for DMZ and MGMT
I went to my pfsense web console > then "Firewall" > "Rules":
I then went to my MGMT interface:
Pressed Add (with the up arrow) > added the following rule to allow MGMT to the internet:
Saved and pressed the apply changes button:
Then on the DMZ interface I setup the same rule but for the DMZ interface:
Then I used the add button with the up arrow to add the following rules blocking the DMZ from going to LAN or MGMT:
Block DMZ to LAN:
Block DMZ to MGMT:
I then applied the rules (ignore the states columns, as when these were freshly made no bytes had passed through):
With these set in this order, pfsense will block any connections from the DMZ going to the LAN or MGMT BUT still allow the DMZ to reach the internet (BTW PFSENSE FIREWALL RULES ARE ONLY FOR TRAFFIC LEAVING THAT INTERFACE).
(Fun fact: pfsense automatically sets up outbound NAT so that the address spaces from non-WAN interfaces NAT to the WAN address.)
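As an added example (my own code, not part of the original journal), the following Python script models how pfSense evaluates an interface's rule list top to bottom with first match winning, and encodes the expectations from the Final checks section (DMZ hosts reach the internet but not LAN/MGMT; MGMT hosts reach the internet and the DMZ web servers) as a table. It also evaluates the same three DMZ rules with the pass rule moved above the two blocks, which is the ordering mistake the note above warns about. Assumptions not stated on the page: the LAN subnet is 10.0.17.0/24 (the pfSense GUI is at 10.0.17.2), the MGMT rule passes MGMT-net sources to any destination, and the host addresses 172.16.1.100 and 203.0.113.10 are constructed for the test cases.

```python
"""
Added example, not from the original wiki page: a first-match model of the
pfSense DMZ and MGMT rule tabs described above, used to check the
segmentation policy from the "Final checks" section offline.

Assumptions (not stated on the page): LAN is 10.0.17.0/24, the MGMT rule is
"pass, source MGMT net, destination any", and the DMZ "internet" rule is
"pass, source DMZ net, destination any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("10.0.17.0/24")    # assumed LAN subnet
MGMT = ipaddress.ip_network("172.16.1.0/24")  # OPT1 on the page
DMZ = ipaddress.ip_network("172.16.2.0/24")   # OPT2 on the page
ANY = None                                    # destination "any" in a rule


@dataclass(frozen=True)
class Rule:
    """One line in a pfSense interface rule tab."""
    interface: str                          # tab the rule lives on (DMZ, MGMT)
    action: str                             # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]    # None means any destination

    def matches(self, iface: str, src_ip, dst_ip) -> bool:
        return (self.interface == iface
                and src_ip in self.src
                and (self.dst is ANY or dst_ip in self.dst))


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Rules on a tab are checked top to bottom and the first match wins;
    traffic matching no rule is dropped by the implicit default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(iface, src_ip, dst_ip):
            return rule.action
    return "block"


# The DMZ tab in the order shown on the page: two blocks above the pass.
DMZ_RULES = [
    Rule("DMZ", "block", DMZ, LAN),
    Rule("DMZ", "block", DMZ, MGMT),
    Rule("DMZ", "pass", DMZ, ANY),
]
# Same three rules with the pass rule on top: the blocks are never reached.
DMZ_RULES_WRONG_ORDER = [DMZ_RULES[2], DMZ_RULES[0], DMZ_RULES[1]]
MGMT_RULES = [Rule("MGMT", "pass", MGMT, ANY)]

# Expected outcomes from the page's "Final checks". 203.0.113.10 is a
# constructed documentation-range address standing in for "the internet".
INTERNET = "203.0.113.10"
EXPECTED: List[Tuple[str, str, str, str]] = [
    # (interface, source, destination, expected action)
    ("DMZ", "172.16.2.100", INTERNET, "pass"),         # web01 -> internet
    ("DMZ", "172.16.2.100", "10.0.17.2", "block"),     # web01 -> LAN
    ("DMZ", "172.16.2.100", "172.16.1.100", "block"),  # web01 -> MGMT host (constructed)
    ("MGMT", "172.16.1.100", INTERNET, "pass"),        # backup01 -> internet
    ("MGMT", "172.16.1.100", "172.16.2.100", "pass"),  # backup01 curl web01
]


def policy_violations(dmz_rules: List[Rule], mgmt_rules: List[Rule]):
    """Return (iface, src, dst, expected, actual) for every expectation
    a candidate rule set fails; an empty list means the policy holds."""
    rules = dmz_rules + mgmt_rules
    bad = []
    for iface, src, dst, want in EXPECTED:
        got = evaluate(rules, iface, src, dst)
        if got != want:
            bad.append((iface, src, dst, want, got))
    return bad


if __name__ == "__main__":
    print("page order :", policy_violations(DMZ_RULES, MGMT_RULES) or "policy holds")
    print("pass on top:", policy_violations(DMZ_RULES_WRONG_ORDER, MGMT_RULES))
```

Running it prints no violations for the page's ordering and two for the pass-on-top ordering (DMZ to LAN and DMZ to MGMT both become "pass"), which is why the two block rules must sit above the allow rule on the DMZ tab.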
Finishing DMZ and MGMT VMs configuration
I went to my web01-oliver > used the command nmtui > "Edit a connection" > selected "ens33" > edited the interface to use a different DNS server so it doesn't interact with LAN:
After pressing "OK" > "Back" > "Activate a connection" > deactivated and activated the interface:
Then I used the back and exit buttons to exit out of nmtui. I checked that the connectivity was as expected with nmcli and ping:
Also checked that LAN could access the web01-oliver:
Then I installed nginx and created a custom webpage on web01-oliver:
```bash
sudo dnf update -y
sudo dnf install nginx -y
echo "web01-oliver" | sudo tee /usr/share/nginx/html/index.html
```
I also set up web01-oliver's firewall:
```bash
sudo firewall-cmd --permanent --add-service=http --add-service=https
sudo firewall-cmd --reload
```
Then I started my nginx web server on web01-oliver:
```bash
sudo systemctl start nginx
```
From my mgmt1 (LAN) box I can see the webserver is working:
I then booted up my backup01-oliver in vcenter:
Once booted in I checked that it could access the DMZ network:
I then created web02-oliver using the same process as web01-oliver (cloned from template > installed nginx and set up its firewall) with the following changes:
In the cloning creation process, changed the name to "web02-oliver":
Set the IP and hostname accordingly:
MADE SURE IT WAS ON THE DMZ!:
Also had to change its DNS server/activate and deactivate the connection:
And set up nginx/firewall with a script called "script.sh", run with sudo bash script.sh - contents included below, as they were just the commands I used on web01-oliver put into a script for ease of use:
```bash
# Update and install nginx
sudo dnf update -y
sudo dnf install nginx -y
# Write the custom index page (the script is run as root via sudo bash, so the redirect works)
cat > /usr/share/nginx/html/index.html << EOF
web02-oliver
EOF
# Open HTTP/HTTPS in firewalld and start the web server
sudo firewall-cmd --permanent --add-service=http --add-service=https
sudo firewall-cmd --reload
sudo systemctl start nginx
```
(NOTE: Originally I ran the above using tee, but that made my index.html look weird; I reran the above script with a cat redirect and that solved the problem.)
Shown webpage working:
I also created monitor01-oliver in the same way I created backup01-oliver (cloned from the ubuntu template) with the following changes:
Changed name:
Set the IP and hostname accordingly:
Made sure to use the MGMT interface:
Logged in and checked connectivity:
Then in an SSH session to my ad350 I set up new OUs for this milestone:
```powershell
New-ADOrganizationalUnit -Name "m7" -Path "OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADOrganizationalUnit -Name "webdev" -Path "OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADOrganizationalUnit -Name "sysadmin" -Path "OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
```
Then I set up new security groups for the webdevs and sysadmins:
```powershell
New-ADGroup -Name "webdevgroup" -SamAccountName webdevgroup -GroupCategory Security -GroupScope Global -DisplayName "webdevgroup" -Path "OU=webdev,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local" -Description "webdevgroup"
New-ADGroup -Name "sysadmingroup" -SamAccountName sysadmingroup -GroupCategory Security -GroupScope Global -DisplayName "sysadmingroup" -Path "OU=sysadmin,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local" -Description "sys350-power-user"
```
Afterwards I created some users:
```powershell
# Prompt once for the password as a SecureString, then reuse it for each account
$password = Read-Host -AsSecureString
New-ADUser -Name webdev1 -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=webdev,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADUser -Name webdev2 -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=webdev,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADUser -Name sysadmin1 -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=sysadmin,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADUser -Name sysadmin2 -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=sysadmin,OU=m7,OU=Accounts,OU=350,DC=oliver,DC=local"
```
And added them to the security groups:
```powershell
Add-ADGroupMember -Identity "sysadmingroup" -Members @("sysadmin1","sysadmin2")
Add-ADGroupMember -Identity "webdevgroup" -Members @("webdev1","webdev2")
```
From my vcenter, I selected the DMZ folder > "Permissions" > "ADD":
Made the webdevgroup power users:
Then I selected m7 folder > "Permissions" > "ADD" > added the following permission in the same way as the webdevs:
Final checks
Web01/02 have IPs on the DMZ, can ping the Internet, and can't connect to LAN/MGMT servers:
Backup01 and Monitor01 have IPs on MGMT and can ping the Internet as well as curl web01/02:
View from a sysadmin user:
View from a webdev user:
Sources
- https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-rocky-linux-9
- https://docs.netgate.com/pfsense/en/latest/nat/outbound.html
Troubleshooting
Below are the troubleshooting steps taken throughout the lab.
Troubleshooting 1-pfsense has a moment
This cut out my google remote session to my xubuntu box, so I needed to go through ESXI to my pfsense:
I set up the adapters like the following using option 1 (it went through asking for WAN, LAN, then optional interfaces):
Then I used option 5 to reboot the pfsense host, but this didn't fix it, so I reassigned the adapters with option 1. As it turns out, pfsense had changed the adapters on me, so vmx1 was Champlain instead of vmx0.
So I removed and re-added the network adapters via the ESXI host:
Then in pfsense used option 1:
All working - from testing with other students it seems that vcenter decided to shuffle the adapters (this can be seen via the MAC addresses):
I also used option 3 to reset the password :)
Then I restarted the ad350, as DNS was not working either due to the weird pfsense moment. With this set it began to work!!!
Troubleshooting 2-my ESXI won't come back pls help
Then I had to reconnect my ESXI in vcenter.
Then I created the following folder structure for this lab:
The ESXI host kept disconnecting - so I disconnected it from the ESXI FROM THE ESXI:
Then reconnected it with "Connect" (should be grayed out! Only was because I had already reconnected):
ESXI connected: