ITS7 Server+ — Capstone Lab
Network Topology
Three Proxmox Linux bridges segment the lab into management, DMZ, and private LAN zones — each with isolated IP space and controlled inter-zone routing via pfSense.
Topology diagram
┌─────────────────────────────────────────────────────────────────┐
│ Campus Network                                                  │
│ (external access)                                               │
└───────────────────────────┬─────────────────────────────────────┘
                            │ physical NIC (eno1)
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│ vmbr0 — Management (10.10.10.0/16)                              │
│                                                                 │
│   Proxmox VE node .................... 10.10.10.10              │
│   HP iLO 4 (out-of-band mgmt) ........ 10.10.10.5               │
│                                                                 │
└───────────────────────────┬─────────────────────────────────────┘
                            │ KVM hypervisor
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│ vmbr1 — DMZ (172.16.0.0/24) [internal bridge]                   │
│                                                                 │
│   pfSense WAN ........................ 172.16.0.1               │
│   Jump Box / Bastion (Ubuntu) ........ 172.16.0.10  ← SSH :2222 │
│                                                                 │
└───────────────────────────┬─────────────────────────────────────┘
                            │ pfSense routing + NAT + firewall
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│ vmbr2 — Private LAN (192.168.0.0/24) [internal bridge]          │
│                                                                 │
│   pfSense LAN ........................ 192.168.0.1              │
│   Windows Server 2022 (AD DS/DNS) .... 192.168.0.10 [static]    │
│   Ubuntu Web Server (NGINX) .......... 192.168.0.20 [static]    │
│   DHCP pool .......................... 192.168.0.100–200        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Bridge details
vmbr0 (Management)
Subnet: 10.10.10.0/16
Hosts: Proxmox VE (10.10.10.10); iLO 4 management port
Connects to the physical NIC. Carries campus network traffic, the Proxmox web UI, and iLO access. Default gateway 10.10.10.1 is the campus router.
vmbr1 (DMZ)
Subnet: 172.16.0.0/24
Hosts: pfSense WAN (172.16.0.1); Jump Box (172.16.0.10)
Internal-only bridge. Simulates the semi-trusted DMZ. The pfSense WAN interface sits here and routes traffic inbound from campus and outbound via NAT.
vmbr2 (Private LAN)
Subnet: 192.168.0.0/24
Hosts: pfSense LAN (192.168.0.1); Windows Server AD DS (192.168.0.10); Ubuntu Web Server (192.168.0.20); DHCP pool 192.168.0.100–200
Internal-only bridge. Isolated from campus. Reachable only from the DMZ, and only through pfSense firewall rules. Hosts all backend services.
Traffic flows
How packets move between zones — following these flows during the lab validates that pfSense, DNAT, and firewall rules are working correctly.
External (campus) → Jump Box (172.16.0.10)
Campus → vmbr0 → vmbr1 → Jump Box
SSH to port 2222, key-only auth. Single entry point into lab.
Jump Box → Private LAN VMs
Jump Box → pfSense → vmbr2
pfSense allows SSH from vmbr1 to specific IPs on vmbr2.
Private LAN VM → Internet (outbound)
VM → pfSense LAN → NAT → vmbr1 → campus
iptables MASQUERADE / pfSense NAT on the WAN interface.
Windows client → AD DS (192.168.0.10)
vmbr2 → direct (same subnet)
Kerberos, LDAP, DNS all stay on vmbr2. No firewall hop needed.
Key pfSense / iptables rules
LAN → WAN NAT
Outbound NAT rule: LAN subnet → WAN interface (auto-add)
Allows private LAN VMs to reach the internet via the campus uplink.
DNAT — SSH to Jump Box
iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to 172.16.0.10:22
Port 2222 on the campus-facing IP forwards to Jump Box port 22. As written, the rule matches port 2222 arriving on any interface; adding -i eno1 (or -d with the campus-facing address) limits the translation to traffic that actually comes in over the campus uplink.
Jump Box → LAN allow
pfSense firewall: allow TCP from 172.16.0.10 to 192.168.0.0/24 port 22,3389,5985
Restricts DMZ access to Private LAN — only the bastion can initiate.
Default deny
pfSense: block all (implicit last rule)
First-match wins. Any traffic not explicitly permitted is dropped.
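The rules in this section and the flows in the "Traffic flows" section can be checked against each other before anything is touched in the lab. The Python below is an added example, not part of the lab handout: it encodes the DNAT rule and the three pfSense rules above as an ordered first-match list, evaluates the documented flows against it, and offers a live TCP probe that compares the model's prediction with what a host actually observes. The function names (host, decide, check_flows, verify_live), the choice of 10.10.10.10 (the Proxmox node's vmbr0 address) as the campus-facing DNAT address, the assumption that the node's FORWARD chain passes the translated SSH traffic, and the sample client and external addresses are all constructed for the example.

```python
"""Offline model of the lab's DNAT and pfSense rules, plus a flow checker.
Added example, not part of the lab handout; see the comments for what is
taken from the page and what is assumed."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

JUMP_BOX = "172.16.0.10"
DMZ = ipaddress.ip_network("172.16.0.0/24")
PRIVATE_LAN = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumption: the PREROUTING DNAT lives on the Proxmox node, so the
# campus-facing address is the node's vmbr0 IP.
CAMPUS_FACING_IP = "10.10.10.10"
SSH_DNAT_PORT = 2222

def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset] = None   # None = any TCP port

# Ordered rule set: first match wins; the last entry is pfSense's implicit block-all.
RULES = [
    # Post-DNAT SSH into the bastion, the lab's single entry point.
    # Assumption: the node's FORWARD chain accepts the translated traffic.
    Rule("allow", ANY, host(JUMP_BOX), frozenset({22})),
    # "Jump Box -> LAN allow": only the bastion may initiate into the private LAN.
    Rule("allow", host(JUMP_BOX), PRIVATE_LAN, frozenset({22, 3389, 5985})),
    # "LAN -> WAN NAT": private LAN VMs may reach the internet via the campus uplink.
    Rule("allow", PRIVATE_LAN, ANY),
    # "Default deny".
    Rule("block", ANY, ANY),
]

def translate_inbound(dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Apply the DNAT rule: campus IP:2222 -> jump box:22; anything else is unchanged."""
    if dst_ip == CAMPUS_FACING_IP and dst_port == SSH_DNAT_PORT:
        return JUMP_BOX, 22
    return dst_ip, dst_port

def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'direct', 'allow' or 'block' for a TCP flow as the lab policy sees it."""
    dst_ip, dst_port = translate_inbound(dst_ip, dst_port)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Same-subnet traffic (e.g. Kerberos/LDAP/DNS on vmbr2) never crosses pfSense.
    for net in (DMZ, PRIVATE_LAN):
        if src in net and dst in net:
            return "direct"
    for rule in RULES:
        if src in rule.src and dst in rule.dst and (rule.ports is None or dst_port in rule.ports):
            return rule.action
    return "block"  # unreachable with the trailing block-all; kept as a safety net

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    expected: str

# Constructed test flows mirroring the "Traffic flows" section. The campus client,
# the second DMZ host, the LAN DHCP client and the external address are made up.
FLOWS = [
    Flow("10.10.20.5", CAMPUS_FACING_IP, 2222, "allow"),   # campus -> jump box via DNAT
    Flow("10.10.20.5", "192.168.0.10", 22, "block"),       # campus must not reach LAN directly
    Flow(JUMP_BOX, "192.168.0.10", 22, "allow"),
    Flow(JUMP_BOX, "192.168.0.20", 22, "allow"),
    Flow(JUMP_BOX, "192.168.0.10", 3389, "allow"),
    Flow(JUMP_BOX, "192.168.0.10", 80, "block"),           # port not in the bastion rule
    Flow("172.16.0.50", "192.168.0.10", 22, "block"),      # non-bastion DMZ host
    Flow("192.168.0.150", "203.0.113.10", 443, "allow"),   # LAN -> internet via NAT
    Flow("192.168.0.150", "192.168.0.10", 88, "direct"),   # Kerberos stays on vmbr2
]

def check_flows(flows=FLOWS) -> List[Flow]:
    """Flows whose model decision differs from the documented expectation (empty = consistent)."""
    return [f for f in flows if decide(f.src, f.dst, f.port) != f.expected]

def tcp_reachable(dst_ip: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: True if a TCP connect to dst_ip:port succeeds within timeout."""
    try:
        with socket.create_connection((dst_ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify_live(flows, reachable: Callable[[str, int], bool] = tcp_reachable) -> List[Flow]:
    """Compare each flow's predicted outcome with a live probe; return disagreements.
    Run on the host named in flow.src (only those flows are meaningful). 'allow' and
    'direct' should connect, 'block' should not. A refused connection on an allowed
    port usually means no listener on the target, not a firewall problem."""
    return [f for f in flows
            if reachable(f.dst, f.port) != (decide(f.src, f.dst, f.port) != "block")]
```

check_flows() returning an empty list means the rule list and the documented flows agree with each other; verify_live(FLOWS) run from the jump box then shows whether the deployed pfSense rules match the model for the bastion's flows. Because decide applies the DNAT first and then walks the list in order, adding a rule in the wrong position (for example an allow placed after the block-all) shows up immediately as a mismatch, which is the first-match behaviour the "Default deny" entry describes.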