(This Home Lab Post may get separated into different posts for each section when I come back to clean up and edit)
I’ve been working on putting a home lab together for a while now. One of the main reasons is so that I have an environment to play with new technologies that I want to learn. My gear so far includes:
- 2x Lenovo M93p i5, 8 GB (upgrading to 16 GB)
- Dell PowerEdge R410 with an Intel Xeon X5667 CPU and 32 GB of memory (upgrading to a second CPU and more RAM)
- Meraki MX64 Security Appliance
- Meraki MS220-8P 8-port switch
Eventually I’ll be getting a small rack with an enterprise switch and another R410 or R710 along with some shared storage. To start I’m getting it set up with ESXi 6.5 and vCenter 6.5 with the licenses I’ve gotten through the VMUG Advantage program. The fact that the Lenovos only have one NIC will probably end up being an issue down the line, but I’m going to try and work around that with VLANs/interface settings.
ESXi & vCenter:
Setting up ESXi on all hosts took a fair amount of trial and error with multiple re-installs. I’ve decided to dedicate one Lenovo to vCenter and the embedded PSC (Platform Services Controller). The other will be dedicated to an Active Directory Domain Controller and the pfSense VM. After ESXi was installed I found the single NICs were not a problem, and ESXi 6.5 didn’t have any issues handling management and VM traffic on one interface, unlike what I’ve seen in earlier versions. Setting up vCenter took a couple of tries because I initially wanted to have an external PSC. I chose this for training purposes, and because I plan on growing the environment with multiple VMware solutions; for that kind of deployment it’s suggested you deploy multiple PSCs in an HA setup. Due to current resource constraints, though, I’ll look at migrating to that later when the resources are available. After setting up vCenter, running updates on all hosts, and confirming my SSO domain wouldn’t conflict with my AD domain, it was finally time to move on.
pfSense & OpenVPN:
The next thing on my list that needed to be set up was a VPN. I was able to use the Cisco Meraki security device’s new Client VPN feature briefly, but it didn’t play well with Server 2016 or Windows 10. I was able to quickly deploy and test a pfSense box to use its OpenVPN feature. I’ve briefly discussed with others why I wouldn’t just set up a Linux server and install the OpenVPN server on it. My reasoning was that pfSense is built to be put in place as an externally facing firewall and thus has the hardening already in place. It also has automatic updates and security configurations that, with my current Linux admin skills, I’m just not at a level to trust myself to reproduce yet.
While configuring OpenVPN there were a few things I ran into. You must first create a user within pfSense for the option to pull client configs to populate. I deleted settings and certs multiple times before finding this advice. Eventually I’ll also be setting it up to authenticate through Active Directory. Once I had that in place, forwarding ports on the Meraki security device was a breeze. I tested the VPN internally and then externally. Don’t forget to check local firewalls if it doesn’t work at first. I was then able to connect to my lab from a VM to work on it during downtime.
Active Directory & Domain:
- Domain Controller
- DHCP / DNS
- Sites & Services
- Offline Root Cert
- Sub Certs
After getting started with a few of the VMware OVAs I had, I instantly realized that I was going to begin running into certificate errors and decided that was what I needed to focus on. Based on the following blog by Aaron Parker I was able to get an offline root certificate authority along with a subordinate (issuing) certificate authority set up. My goal once I clean up the servers a bit is to deploy GPOs to ensure all users and computers have certificates applied. From there I’ll move on to ensuring the ESXi hosts have certificates by replacing the VMCA root certificate with a custom signing certificate, with the help of Adrian Costea’s blog.
Things to do:
- Active Directory
- Distributed vSwitch Followed by NSX
- Log Insight for centralized logging (I may or may not use this for all logging, or put in an ELK/Graylog/Splunk server for practice)
- Horizon to allow for VDI workstation access remotely.
- IDS & IPS
- Network Monitoring
- PXE Server to be able to boot new VMs/Workstations/ESXi hosts from
Article for running with less than 10 GB of memory. Only usable with the embedded VCSA (as far as I could tell).