Goal: stand up a self‑contained practice environment for defensive skills, tool familiarization, and reporting — without touching production networks. Everything here focuses on authorized, ethical practice.
Bill of Materials (Target: ≤ $500)
Core Compute
- 🖥️ Mini PC (Intel N100 / Ryzen 5xxxU) 16GB RAM — runs multiple VMs.
- 💾 NVMe SSD 512GB–1TB — fast VM storage.
Tip: If you already own a gaming PC or server, you can skip the mini PC and save.
If you’re careful on deals, this comes in around $350–$500. You can scale down RAM/SSD to cut cost, then upgrade later.
Reference Topology
A simple, flexible layout that fits on one desk:
[Home Router] ─── (Isolated VLAN or separate switch) ─── [Lab Switch]
                                                          ├─ pfSense VM (router/firewall/DNS)
                                                          ├─ AD DS VM (Windows Server eval)
                                                          ├─ Win10/11 Client VM
                                                          ├─ Linux Server VM (Ubuntu/Debian)
                                                          └─ Security Workstation VM (Kali/Parrot)
Isolation options: use a dedicated switch with no uplink, or create a VLAN on your home router (lab VLAN with no internet) and trunk only what you need to your mini PC.
Software Stack (Free/License‑Friendly)
Host & Hypervisor
- Proxmox VE or VirtualBox / VMware Workstation Player (non‑commercial use).
- Snapshots enabled; separate VM storage on NVMe.
Network & Services
- pfSense CE (routing, firewall, DNS, DHCP, captive portal).
- Pi‑hole (DNS sinkhole) on a small Linux VM.
Endpoints & Domain
- Windows Server evaluation (AD DS, DNS, optionally WSUS).
- Windows 10/11 evaluation client for hardening practice.
- Ubuntu/Debian server for logs, web app, and agents.
- Kali/Parrot VM for tool familiarization (use legally/ethically).
Build Steps (High Level)
- Prep the host: update BIOS, enable virtualization (VT‑x/AMD‑V), install Proxmox or your hypervisor, update to latest stable.
- Create storage pools: NVMe for VMs; separate (if possible) for ISOs/backups.
- Networking: create two virtual networks: LAN (10.10.0.0/24) and MGMT (10.99.0.0/24). Map them to your physical NICs or VLANs as needed.
- pfSense VM: assign WAN (optional) + LAN; enable DHCP on LAN; set DNS to pfSense → Pi‑hole.
- Core services: deploy Pi‑hole; create Windows Server (AD), join client VM to the domain; create a Linux server (syslog, web app).
- Security workstation: import Kali/Parrot VM. Limit its NICs to the lab networks only.
- Snapshots & backups: snapshot each VM baseline; schedule hypervisor backups or export OVA weekly.
Practice Exercises (Defensive‑First)
Foundational
- Harden Windows client with local policies, firewall profiles, and ASR‑style rules. Document before/after.
- Configure pfSense aliases, basic NAT, segmented rules, and DNS filtering. Add logging and explain hits.
- Set up central logging (e.g., rsyslog/filebeat) to your Linux server and visualize with Grafana/Loki or ELK.
Intermediate
- Join devices to the domain, enforce password policy and LAPS. Create a standard user and test access.
- Deploy a simple vulnerable training web app inside the lab only (e.g., DVWA) and practice secure configurations, not exploitation steps.
- Write a short incident playbook for “suspicious outbound DNS” and rehearse steps using your logs.
Ethics: Avoid instructions that enable real‑world harm. Focus on detection, hardening, and reporting quality.
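A starting point for rehearsing the “suspicious outbound DNS” playbook, as an added example that is not part of the original guide: a Python triage pass over Pi‑hole query logs, assuming they are in dnsmasq's "query[TYPE] name from client" format. The sample lines, thresholds, and the two-label parent-domain shortcut are assumptions picked for a small lab; the client addresses sit in the guide's 10.10.0.0/24 LAN.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in dnsmasq query-log style; not captured from a real network.
SAMPLE_LOG = """\
Jan 12 09:00:01 dnsmasq[411]: query[A] dc01.lab.local from 10.10.0.20
Jan 12 09:00:02 dnsmasq[411]: query[A] updates.example.com from 10.10.0.20
Jan 12 09:00:02 dnsmasq[411]: forwarded updates.example.com to 10.99.0.1
Jan 12 09:00:05 dnsmasq[411]: query[TXT] a9f3k2q8z7x1m4v6b0c5.t.example.net from 10.10.0.31
Jan 12 09:00:06 dnsmasq[411]: query[A] q1w2e3r4t5y6u7i8o9p0.t.example.net from 10.10.0.31
Jan 12 09:00:07 dnsmasq[411]: query[A] z0x9c8v7b6n5m4a3s2d1.t.example.net from 10.10.0.31
Jan 12 09:00:08 dnsmasq[411]: query[A] h5j4k3l2g1f0d9s8a7p6.t.example.net from 10.10.0.31
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

def entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def parent(name):
    # Assumption: the last two labels approximate the registered domain (no public-suffix list).
    return ".".join(name.split(".")[-2:])

def triage(log_text, max_subdomains=3, min_entropy=3.5, min_label_len=16):
    """Return {(client, parent_domain): [reasons]} for query patterns worth a closer look."""
    subs = defaultdict(set)      # (client, parent) -> unique names queried
    reasons = defaultdict(set)   # (client, parent) -> why it was flagged
    for m in QUERY_RE.finditer(log_text):   # non-query lines (forwarded, reply) never match
        client, name, qtype = m["client"], m["name"].lower().rstrip("."), m["qtype"]
        key = (client, parent(name))
        subs[key].add(name)
        first = name.split(".")[0]
        if len(first) >= min_label_len and entropy(first) >= min_entropy:
            reasons[key].add("high-entropy label")
        if qtype == "TXT":
            reasons[key].add("TXT query")
    for key, names in subs.items():
        if len(names) > max_subdomains:
            reasons[key].add("many unique subdomains")
    return {key: sorted(why) for key, why in reasons.items()}

if __name__ == "__main__":
    for (client, domain), why in triage(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(why)}")
```

Treat each hit as a prompt for the playbook's next step (identify the host, check what process made the queries), and tune the thresholds against a day of your own baseline logs before relying on them.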
Upgrade Paths
- RAM to 32GB+ for heavier labs and SIEM trials.
- Second NIC or USB 2.5GbE for more realistic routing/VLANs.
- Dedicated SSD for logs and long‑running PCAPs.
- Swap Pi‑hole for full DNS security stack; try Suricata on pfSense.
FAQ
Is this legal?
Yes — when confined to systems you control or have written permission to use. Keep the lab isolated and never target external networks.
Do I need Proxmox?
No. VirtualBox or VMware Workstation Player are fine for a starter lab. Proxmox shines as you scale.
Will this work without internet?
Yes. Download ISOs first. For realistic updates, temporarily allow the pfSense WAN and then disable it.