This project is about building a complex, multi-site enterprise network in a nested virtual environment. The entire architecture is designed to run on a single personal computer using VMware Workstation, which hosts two separate Proxmox VE hypervisors to simulate a primary Headquarters (HQ) site and a secondary Disaster Recovery (DR) site.
The core of the project involves using pfSense as the firewall and router for both sites.
The architecture is broken down into several key areas:
- Foundation: The entire lab is nested. VMware Workstation provides the base "physical" network segments (VMnets). Two Proxmox VE virtual machines are installed on VMware to act as the hypervisors for the HQ and DR sites.
- Primary Site (HQ): This is the main production site and includes:
  - Internal LAN: Hosts core services such as the primary Active Directory Domain Controller, DNS, and an NPS/RADIUS server.
  - DMZ: A separate, secured Demilitarized Zone that hosts an Apache Guacamole bastion host. This provides secure, browser-based remote access (RDP/SSH) to all other servers in the lab.
  - Services: Contains the primary file servers and placeholders for business applications.
- Secondary Site (DR): This site is built for business continuity and hosts:
  - Replicated Services: A secondary Active Directory Domain Controller and replicated file servers that take over if the HQ site fails.
The project places a strong emphasis on secure networking:
- Site-to-Site VPN: The HQ and DR sites are securely linked using an IPsec VPN tunnel configured between their respective pfSense firewalls. This tunnel carries all inter-site traffic, including Active Directory and file server replication.
- Remote Client VPN: An OpenVPN server is configured on the HQ's pfSense firewall. This allows remote users (such as administrators) to connect securely to the HQ network. For enhanced security, it is integrated with the RADIUS (NPS) server to authenticate users against their Active Directory credentials.
- Intrusion Detection (IDS): The Suricata IDS package is installed and configured on the pfSense firewalls. It monitors network traffic for malicious activity and provides a layer of threat detection for the entire network.
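The Suricata package on pfSense writes its alerts as EVE JSON, one record per line, and the useful next step in a lab like this is to relate each alert to the zone it came from and went to (Internet, DMZ, HQ LAN, DR LAN, OpenVPN clients), so that alerts crossing the site-to-site tunnel or arriving through the client VPN stand out. The script below is an added example, not code from the project; the zone prefixes, signatures and sample EVE lines are all constructed placeholders (the page gives no address plan), so substitute the lab's real subnets before use.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Address plan ASSUMED for this example; the project page gives no subnets.
# Zone names are prefixed with the site ("hq-", "dr-") so inter-site traffic
# can be recognised from the zone pair alone.
ZONES = {
    "hq-lan": ip_network("10.10.0.0/24"),      # AD DC, DNS, NPS/RADIUS (assumed)
    "hq-dmz": ip_network("10.10.20.0/24"),     # Guacamole bastion (assumed)
    "dr-lan": ip_network("10.20.0.0/24"),      # replicated DC / file servers (assumed)
    "vpn-clients": ip_network("10.8.0.0/24"),  # OpenVPN client pool (assumed)
}

# Constructed sample of EVE JSON records: four alerts, one non-alert flow
# record, and one truncated line such as log rotation can leave behind.
SAMPLE_EVE_LINES = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_ip":"10.10.20.5","proto":"TCP","dest_port":443,"alert":{"signature_id":1000001,"signature":"LOCAL Bastion HTTPS login brute force","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2024-05-01T10:00:07.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.10.20.5","proto":"TCP","dest_port":443,"alert":{"signature_id":1000001,"signature":"LOCAL Bastion HTTPS login brute force","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2024-05-01T10:02:13.000000+0000","event_type":"flow","src_ip":"10.10.0.10","dest_ip":"10.20.0.10","proto":"TCP","dest_port":445}
{"timestamp":"2024-05-01T10:03:40.000000+0000","event_type":"alert","src_ip":"10.20.0.15","dest_ip":"10.10.0.10","proto":"TCP","dest_port":445,"alert":{"signature_id":1000002,"signature":"LOCAL SMB remote service creation","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-05-01T10:04:02.000000+0000","event_type":"alert","src_ip":"10.8.0.6","dest_ip"
{"timestamp":"2024-05-01T10:05:19.000000+0000","event_type":"alert","src_ip":"10.8.0.6","dest_ip":"10.10.0.10","proto":"TCP","dest_port":389,"alert":{"signature_id":1000003,"signature":"LOCAL LDAP directory enumeration","category":"Attempted Information Leak","severity":3}}
"""


def zone_of(addr: str) -> str:
    """Map an IP address to a lab zone name, or 'external' if it is in none of them."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_eve(text: str) -> list:
    """Return the well-formed 'alert' records from EVE JSON text, one record per line."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line: skip rather than abort the whole file
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def triage(alerts: list) -> dict:
    """Summarise alerts by signature, flag severity-1 hits, and isolate HQ<->DR traffic.

    Suricata severity 1 is the most urgent. An alert whose endpoints sit in an
    'hq-*' and a 'dr-*' zone travelled inside the IPsec site-to-site tunnel,
    which is expected to carry replication traffic only.
    """
    by_signature = Counter()
    high_severity = []
    inter_site = []
    for rec in alerts:
        a = rec["alert"]
        src, dst = rec["src_ip"], rec["dest_ip"]
        by_signature[a["signature"]] += 1
        if a.get("severity") == 1:
            high_severity.append((a["signature"], src, dst))
        sites = {zone_of(src).split("-")[0], zone_of(dst).split("-")[0]}
        if sites == {"hq", "dr"}:
            inter_site.append((a["signature"], src, dst))
    return {
        "by_signature": by_signature,
        "high_severity": high_severity,
        "inter_site": inter_site,
    }


if __name__ == "__main__":
    result = triage(parse_eve(SAMPLE_EVE_LINES))
    for sig, n in result["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    print("severity-1:", result["high_severity"])
    print("inside site-to-site tunnel:", result["inter_site"])
```

On a pfSense box the same parser can be pointed at the package's eve.json for the relevant interface instead of the embedded sample; the zone table is the only part that needs to match the lab, and keeping the site name as the zone prefix is what lets the tunnel check stay a one-line set comparison.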
In short, this project is about building a complete, enterprise-style lab for learning and testing advanced networking, Active Directory, and cybersecurity concepts.
This section provides the visual diagrams for the network architecture and key flows.
This diagram shows the complete topology, including the nested Proxmox hosts, VMware VMnets, pfSense firewalls, and all server VMs for both the HQ and DR sites.