Skip to content
setup.md

Virtual Machines

The first VM you deploy is an important one, this VM is responsible for the networking of all our other VMs that will eventually get spun up in this environment.

Our steps are heavily based on the documentation provided by OVH for pfSense, you can follow their full guide here if that solution suits you better.

Router VM

Uploading the ISO

This VM MUST be placed on the same host server as your failover IP otherwise you won’t have a connection to the public internet

First thing to complete is the uploading of the ISO, select ‘Datacentre’ > ‘VS01’ > ‘Local (VS01)‘

In this page you will see a button that says ‘Upload ISO’, you will need to upload the ISO for your desired firewall platform here.

Creating the VM

  • Select the blue ‘Create VM’ button, as we need to upload an ISO we cannot use an LXC container for this device.
  • Ensure the following settings have been adjusted
    • Node - ‘(Host with F.O. IP attached)‘
    • Name - ‘(Identifiable virtual machine name)‘
      • Press the ‘Advanced’ checkbox to get access to the below settings
    • Start at boot - ‘Enable’
    • Start / Shutdown order - ‘1’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Use CD/DVD disc image file (iso) - ‘Enable’
      • Storage - ‘local’
      • ISO image - ‘SW-19.0.1_MR-1-365.iso’
    • Guest OS
      • Type - ‘Linux’
      • Version - ‘5.x - 2.6 Kernel’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Graphic card - ‘VirtIO-GPU’
    • Machine - ‘Default (i440fx)‘
    • Firmware - ‘Default (SeaBIOS)‘
    • SCSI Controller - ‘VirtIO SCSI’
      • Both TPM and the QEMU agents are not required / supported by this image
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Bus/Device - ‘VirtIO Block, (0)‘
    • Storage - ‘local’
    • Disk size (GiB) - ‘20’
    • Format - ‘QEMU image format’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Cores - ‘2’
    • Type - ‘host’
    • Extra CPU Flags
      • AES - ‘Enabled’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Memory (MiB) - ‘4096’
    • Ballooning Device - ‘Untick’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Bridge - ‘vmbr1’
    • Firewall - ‘Untick’
    • Model - ‘VirtIO (paravirtualized)‘
  • Select ‘Next’
  • Select ‘Finish’
Do not start the VM just yet, we need to configure the WAN network adapter

You now need to select the newly created VM and go to the hardware tab.

  • Select ‘Add’
  • Select ‘Network device’ from the dropdown
  • Ensure the following settings have been adjusted
    • Bridge - ‘vmbr0’
    • Firewall - ‘Untick’
    • Model - ‘VirtIO (paravirtualized)‘
    • MAC Address - ‘(Paste from OVH IP Manager)‘
  • Select ‘Done’

Save changes and you should now be able to boot the VM.

Installation of Sophos XG

When you power on the VM you will see nothing for a short period of time, this is fine as in the background it’s doing system checks to ensure minimum spec and you will eventually be asked to press Y to complete the installation. Once this has completed the VM will reboot and you will be presented with a password login box, from here head on over to your ‘Jumpbox VM’ to complete the out of box setup via the web interface.

Out of Box setup

You must complete this step from a VM inside of your new virtual lan environment (vmbr1)

  • Open an internet browser and navigate to https://172.16.16.16:4444
  • Accept the invalid SSL certs (this is because we use a self-signed certificate)
  • Accept the EULA
  • Set an admin password
    • Untick install latest firmware during installation
  • Select ‘Continue’
  • Select ‘Manual Configuration’
  • Ensure the following settings have been adjusted
    • Interface Type - ‘Static IP’
    • IP Address - ‘(Input OVH Failover IP)‘
    • Subnet - ‘/30’
    • Gateway Name - ‘OVH_GWIP’
    • Gateway IP - ‘(Same as public IP but change the numbers after the 4th . to 254)‘
    • DNS Server 1 / 2 - ‘1.1.1.1, 1.0.0.1’
  • Select ‘Continue’
  • Firewall Name - ‘(XGFW)‘
  • Date & Time - ‘(Set your date & time)‘
  • Select ‘Continue’
  • Untick the customer experience program box
  • Select ‘Continue’
  • Leave the remaining network settings as default
    • Optional: You will see options for network protection, you can turn these on but in a personal lab environment it’s not essential
  • You will be presented with a summary screen, select ‘Finish’

The firewall will reboot, ensure you remove the ISO from the proxmox VM to prevent it booting back into the installer.

You can now navigate back to the admin URL https://172.16.16.16:4444 and login with the username of ‘admin’ and the password you set during installation.

Advanced Sophos configuration(s)

The Sophos XG firewall is so in-depth that it could easily be a whole new tutorial environment in it’s own right. At this time we will only cover how to gain internet connectivity for the LAN, the default configuration is secure but there are further steps you can take to harden / improve your experience. You can use this guide to harden your installation.

Jumpbox VM

The ‘jumpbox’ is a VM that sits within our virtual environment and allows us to act as if we are actually connected to the ‘LAN’ port of the Sophos. When creating this VM there’s less that we have to change in order to get things functional, this guide will deploy Ubuntu desktop however Windows will work you will just need the ‘VirtIO for Windows’ driver pack.

Uploading the ISO

First thing to complete is the uploading of the ISO, select ‘Datacentre’ > ‘VS01’ > ‘Local (VS01)‘

In this page you will see a button that says ‘Upload ISO’, you will need to upload the ISO for your desired jumpbox os here.

Creating the VM

  • Select the blue ‘Create VM’ button, as we need to upload an ISO we cannot use an LXC container for this device.
  • Ensure the following settings have been adjusted
    • Node - ‘(select any node)‘
    • Name - ‘(Identifiable virtual machine name)‘
      • Press the ‘Advanced’ checkbox to get access to the below settings
    • Start at boot - ‘Enable’
    • Start / Shutdown order - ‘2’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Use CD/DVD disc image file (iso) - ‘Enable’
      • Storage - ‘local’
      • ISO image - ‘ubuntu-22.04.1-desktop-amd64.iso’
    • Guest OS
      • Type - ‘Linux’
      • Version - ‘5.x - 2.6 Kernel’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Graphic card - ‘VirtIO-GPU’
    • Machine - ‘Default (i440fx)‘
    • Firmware - ‘Default (SeaBIOS)‘
    • SCSI Controller - ‘VirtIO SCSI’
      • Both TPM and the QEMU agents are not required
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Bus/Device - ‘VirtIO Block, (0)‘
    • Storage - ‘local’
    • Disk size (GiB) - ‘20’
    • Format - ‘QEMU image format’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Cores - ‘2’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Memory (MiB) - ‘4096’
    • Ballooning Device - ‘Untick’
  • Select ‘Next’
  • Ensure the following settings have been adjusted
    • Bridge - ‘vmbr1’
    • Firewall - ‘Untick’
    • Model - ‘VirtIO (paravirtualized)‘
  • Select ‘Next’
  • Select ‘Finish’

Power on the VM and complete the default installation steps.

You will now need to set a static IP to be able to reach the installer UI.

Once you’re at the desktop complete the following steps

  • Select the ‘Network’ icon in the top right hand corner
  • Select ‘Wired Network’
  • Select ‘Wired Settings’
  • Select ‘Settings’ icon
  • Select ‘IPv4’ from the new window that’s appeared
  • Select ‘Manual’
  • Ensure the following settings have been adjusted
    • Address - ‘172.16.16.17’
    • Netmask - ‘255.255.255.254’
    • Gateway - ‘Blank’
  • DNS - ‘Blank’

Once you have setup the firewall you can come back to this page and change the settings back to Automatic (DHCP).