Hello, I'm a computational systems engineer based in Kitchener!
Building an 18-node security research lab
Most people collect stamps or build model trains. I decided to build a full-scale security research lab with 18 nodes, 6 VLANs, and comprehensive attack infrastructure.
Matthew Vaishnav
15 Jan 2025 — 8 min read
It started simple. I wanted to practice penetration testing without breaking real systems. One Kali VM, one vulnerable target. Easy.
Then I realized I needed to see the network traffic. Added Security Onion. Now I needed a proper network. Added pfSense. Now I needed segmentation. Added VLANs. Now I needed more targets. Added 12 more VMs.
The result is a comprehensive security research environment perfect for learning and testing.
In this article, I'll show you exactly how to replicate my setup.
Hardware Requirements
You'll need a decent hypervisor to run 18 VMs. I'm using a salvaged Dell PowerEdge R720 with 128GB RAM and dual Xeon E5-2670 processors. Cost me about $300 on eBay.
Minimum specs for this lab:
CPU: 8+ cores (16+ threads recommended)
RAM: 64GB minimum, 128GB recommended
Storage: 500GB SSD for VMs
Network: 2x Gigabit NICs (one for WAN, one for management)
Install Proxmox VE as your hypervisor. It's free, stable, and handles VLANs beautifully.
Step 1: Install Proxmox VE
Download Proxmox VE ISO from proxmox.com and flash it to a USB drive:
# /dev/sdX is the USB stick (check with lsblk); dd overwrites it without asking
dd if=proxmox-ve_*.iso of=/dev/sdX bs=1M status=progress
Boot from USB, follow the installer. Set a static IP for the management interface. Access the web UI at https://your-ip:8006
Step 2: Configure VLANs in Proxmox
Create a Linux Bridge with VLAN awareness. In Proxmox web UI, go to your node → Network → Create → Linux Bridge:
Name: vmbr1
VLAN aware: Yes
Bridge ports: (leave empty for internal-only network)
Here's the VLAN breakdown:
VLAN 10: Management (pfSense, admin access)
VLAN 20: Security Monitoring (Security Onion, span port)
VLAN 30: Attack Infrastructure (Kali, Metasploit, C2 servers)
VLAN 40: Victim Network (vulnerable Windows boxes, web servers)
VLAN 50: Logging (Splunk, centralized log aggregation)
VLAN 60: Malware Sandbox (air-gapped, fake DNS/C2)
Step 3: Deploy pfSense Firewall
Download pfSense ISO and create a VM in Proxmox:
CPU: 2 cores
RAM: 2GB
Disk: 20GB
Network:
- net0: vmbr0 (WAN - bridged to your physical network)
- net1: vmbr1, VLAN tag 10 (LAN/Management)
Boot the VM, install pfSense. Configure WAN on the first interface, LAN on the second. Set LAN IP to 192.168.10.1/24.
In pfSense web UI, create additional interfaces for each VLAN:
Interfaces → Assignments → VLANs → Add
Parent Interface: vtnet1 (your LAN interface)
VLAN Tag: 20, 30, 40, 50, 60
Description: SECURITY, ATTACK, VICTIM, LOGGING, SANDBOX
Enable each VLAN interface and assign IP ranges:
VLAN 10 (Management): 192.168.10.0/24
VLAN 20 (Security): 192.168.20.0/24
VLAN 30 (Attack): 192.168.30.0/24
VLAN 40 (Victim): 192.168.40.0/24
VLAN 50 (Logging): 192.168.50.0/24
VLAN 60 (Sandbox): 192.168.60.0/24
Step 4: Deploy Security Onion
Download Security Onion ISO. Create a VM with two network interfaces:
CPU: 4 cores
RAM: 16GB
Disk: 200GB
Network:
- net0: vmbr1, VLAN tag 20 (management interface)
- net1: vmbr1, no VLAN tag (monitoring interface - span port)
Install Security Onion in standalone mode. Configure the management interface with IP 192.168.20.10. The monitoring interface should have no IP (promiscuous mode).
In Proxmox, configure the monitoring interface to receive all VLAN traffic. SSH into your Proxmox host:
# Enable promiscuous mode on the bridge
ip link set vmbr1 promisc on
# Configure port mirroring (span port). This requires vmbr1 to be an
# Open vSwitch bridge (package openvswitch-switch); ovs-vsctl cannot
# mirror a plain Linux bridge. "vnet1" is the tap port of Security
# Onion's monitoring NIC; Proxmox names it tap<VMID>i1, so substitute
# the name shown by "ovs-vsctl list-ports vmbr1".
ovs-vsctl -- set Bridge vmbr1 mirrors=@m \
  -- --id=@vnet1 get Port vnet1 \
  -- --id=@m create Mirror name=span select-all=true output-port=@vnet1
This mirrors all traffic on vmbr1 to Security Onion's monitoring interface.
Step 5: Deploy Attack Infrastructure
Create Kali Linux VM on VLAN 30:
CPU: 4 cores
RAM: 8GB
Disk: 80GB
Network: vmbr1, VLAN tag 30
Install Kali, set static IP 192.168.30.10. Install additional tools:
# Empire is packaged as powershell-empire on Kali; verify the other names
# with "apt-cache search" for your release, as tool packages come and go
sudo apt update && sudo apt install -y \
  metasploit-framework \
  powershell-empire \
  covenant \
  bloodhound \
  crackmapexec \
  impacket-scripts
Step 6: Deploy Victim Network
Create vulnerable Windows VMs on VLAN 40. I use:
- Windows Server 2019 (Domain Controller)
- Windows 10 Pro x3 (domain-joined workstations)
- Windows Server 2016 (vulnerable web server with IIS)
- Ubuntu 20.04 (vulnerable web app - DVWA)
Each VM gets 2 cores, 4GB RAM, 60GB disk, on VLAN 40. Intentionally misconfigure them:
# Run in an elevated PowerShell on each victim VM
# Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
# Enable SMBv1 (vulnerable to EternalBlue)
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Weak passwords for testing
net user Administrator Password123!
Step 7: Deploy Splunk for Logging
Create Ubuntu VM on VLAN 50 for Splunk:
CPU: 4 cores
RAM: 8GB
Disk: 100GB
Network: vmbr1, VLAN tag 50
Install Splunk Enterprise (free license for 500MB/day):
wget -O splunk.deb 'https://download.splunk.com/products/splunk/releases/9.1.0/linux/splunk-9.1.0-linux-2.6-amd64.deb'
sudo dpkg -i splunk.deb
sudo /opt/splunk/bin/splunk start --accept-license
sudo /opt/splunk/bin/splunk enable boot-start
Configure Splunk forwarders on all VMs to send logs to 192.168.50.10:9997.
Step 8: Deploy Malware Sandbox
Create Windows 10 VM on VLAN 60 (completely isolated):
CPU: 2 cores
RAM: 4GB
Disk: 60GB
Network: vmbr1, VLAN tag 60
In pfSense, create firewall rules to block VLAN 60 from accessing any other network. Set up fake DNS and fake C2 servers using INetSim:
# Run on a Linux VM inside VLAN 60 and point the sandbox's DNS at it,
# so the sandbox's lookups and callbacks land on INetSim's fake services
sudo apt install inetsim
sudo systemctl start inetsim
sudo systemctl enable inetsim
Step 9: Configure Firewall Rules
In pfSense, create rules to control traffic between VLANs:
# pfSense applies rules on the interface where traffic enters, top to
# bottom, first match wins, and unmatched traffic is dropped. Add each
# rule on the source VLAN's interface tab, and on the SANDBOX tab keep
# the block rule above any pass rule (including the logging rule).
# Allow Attack VLAN to access Victim VLAN
Source: ATTACK net (192.168.30.0/24)
Destination: VICTIM net (192.168.40.0/24)
Action: Pass
# Allow all VLANs to access Logging VLAN
Source: any
Destination: LOGGING net (192.168.50.0/24)
Port: 9997 (Splunk forwarder)
Action: Pass
# Block Sandbox from everything
Source: SANDBOX net (192.168.60.0/24)
Destination: any
Action: Block
Step 10: Snapshot Everything
Before running any attacks, snapshot every VM in Proxmox:
# In Proxmox web UI, for each VM:
VM → Snapshots → Take Snapshot
Name: "clean-baseline"
Description: "Pre-attack baseline state"
Now you can break things and revert instantly.
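Before taking those baseline snapshots, it is worth checking that the Step 9 rules give the segmentation the lab depends on. The following is an added example, not code from the original post: a small model of pfSense rule evaluation (rules apply on the interface a packet enters, first match wins, unmatched traffic is dropped) run against the Step 9 rules and the Step 3 VLAN ranges. The host addresses and the presence of the "any -> LOGGING:9997" rule on every interface tab are assumptions.

```python
import ipaddress

# VLAN networks exactly as assigned in Step 3.
NETS = {
    "MANAGEMENT": "192.168.10.0/24", "SECURITY": "192.168.20.0/24",
    "ATTACK": "192.168.30.0/24", "VICTIM": "192.168.40.0/24",
    "LOGGING": "192.168.50.0/24", "SANDBOX": "192.168.60.0/24",
}

def _matches(spec, ip):
    """spec is 'any' or a VLAN alias; true when ip lies in that network."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(NETS[spec])

def evaluate(rules, iface, src, dst, port):
    """pfSense semantics: only rules on the interface the packet enters apply,
    top to bottom, first match wins, and unmatched traffic is dropped."""
    for r in rules:
        if r["iface"] == iface and _matches(r["src"], src) \
                and _matches(r["dst"], dst) and r.get("port") in (None, port):
            return r["action"]
    return "block"

def step9_rules(block_sandbox_first=True):
    """The Step 9 rules laid out per interface tab; only the sandbox block's position varies."""
    to_logging = [{"iface": i, "src": "any", "dst": "LOGGING", "port": 9997,
                   "action": "pass"} for i in NETS]  # assumed present on every tab
    attack_to_victim = [{"iface": "ATTACK", "src": "ATTACK", "dst": "VICTIM",
                         "action": "pass"}]
    sandbox_block = [{"iface": "SANDBOX", "src": "SANDBOX", "dst": "any",
                      "action": "block"}]
    if block_sandbox_first:
        return sandbox_block + attack_to_victim + to_logging
    return attack_to_victim + to_logging + sandbox_block

# What the lab design requires: (interface, src, dst, port, verdict). Host IPs are constructed.
EXPECTED = [
    ("ATTACK", "192.168.30.10", "192.168.40.10", 445, "pass"),     # Kali -> victim SMB
    ("VICTIM", "192.168.40.10", "192.168.50.10", 9997, "pass"),    # victim -> Splunk
    ("SANDBOX", "192.168.60.10", "192.168.50.10", 9997, "block"),  # sandbox stays isolated
    ("SANDBOX", "192.168.60.10", "192.168.40.10", 445, "block"),
    ("VICTIM", "192.168.40.10", "192.168.10.1", 443, "block"),     # default deny hides the pfSense UI
]

def violations(rules):
    """Return (expectation, verdict) for every expectation the rule set fails."""
    results = [(e, evaluate(rules, *e[:4])) for e in EXPECTED]
    return [(e, got) for e, got in results if got != e[4]]
```

Calling violations(step9_rules(False)) shows the sandbox reaching Splunk when the block rule sits below the shared logging rule; with the block rule first the list is empty.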
The Reality Check
This lab costs about $15/month in electricity. The hardware was mostly salvaged from old servers and a very patient eBay seller. Total investment: maybe $300 over two years.
Compare that to cloud labs at $50-100/month, with limited customization, that you can't keep running 24/7. This lab is mine. I can break it, rebuild it, and run attacks at 3 AM without worrying about hourly billing.
The best part? I can practice MITRE ATT&CK techniques end-to-end. Initial access, privilege escalation, lateral movement, data exfiltration - all in a controlled environment where breaking things is the goal.
Would I recommend building one? Absolutely. Start small - one attacker, one target, one monitoring tool. Then grow it as you learn. The hands-on experience is worth more than any certification.
Just make sure you have adequate cooling and power for your setup.
That's it. A complete replication guide.
I hope it's helpful for your security research workflow :)
Have a productive day!