Build a Proxmox Cybersecurity Lab at Home (My Complete, Practical Setup)

If you want a repeatable, quiet, and expandable homelab for red/blue teaming, traffic analysis, SIEM/IDS, AD labs, honeypots, and safe malware testing, this post gives you a ready-to-run blueprint. It’s hardware-agnostic enough to adapt, but concrete enough that you can buy parts today and be hands-on tonight.


Goals

  • One reliable Proxmox VE host that runs many VMs/containers concurrently.
  • Clean network isolation: management, attack/target, and monitoring.
  • Easy packet capture via switch port mirroring (SPAN).
  • Robust power protection and recoverable backups.
  • Sensible upgrade path to more RAM, 10GbE, and additional nodes.

Host (best all-rounder): Dell Pro Tower

  • CPU: Intel Core Ultra 7 265 (20 cores) or i5-14500 vPro (best value).
  • RAM: 64 GB DDR5 to start → 128 GB later.
  • Storage:
    • NVMe #1 (system): 1 TB (P5 Plus / 980/990) – Proxmox only.
    • NVMe #2 (data): 1–2 TB – VM disks/containers.
    • (Optional) SATA SSD 1–2 TB – pcap & SIEM indices.
  • NICs:
    • Intel i350-T4 (quad 1GbE) for routing/monitoring/segmentation.
    • (Optional) Mellanox ConnectX-3/4 10GbE SFP+ + DAC/optics.
  • Why this tower? Full-height PCIe expansion, quiet cooling, and easy power headroom. vPro/AMT helps with remote recovery.
Lenovo alternatives: ThinkCentre M920 Tower (not SFF) or a used ThinkStation P520. SFF boxes are fine as light nodes, not as the primary hypervisor.

Networking Topology (3-Bridge Model)

  • vmbr0 – Management: connects to your home/office LAN (Proxmox UI, SSH, backup/NAS).
  • vmbr1 – Lab/Target: isolated segment for AD, Windows clients, Kali, etc.
  • vmbr2 – Monitor: plugged into the switch’s SPAN/mirror port for Zeek/Suricata sniffing.
flowchart LR
  Internet((Internet))
  Router[Gateway/Router]
  Switch[Managed Switch\nVLAN + SPAN]
  PVE[Proxmox Host\nvmbr0 / vmbr1 / vmbr2]
  IDS[Zeek/Suricata VM]
  ELK[ELK/Splunk VM]
  AD[AD/DC VM]
  Kali[Kali VMs]
  Victim[Windows/Linux Targets]

  Internet --- Router --- Switch
  Switch ---|Access| PVE
  PVE ---|vmbr0 (Mgmt)| Switch
  PVE ---|vmbr1 (Lab)| AD
  PVE ---|vmbr1 (Lab)| Kali
  PVE ---|vmbr1 (Lab)| Victim
  Switch ---|SPAN → vmbr2| PVE
  PVE ---|vmbr2| IDS
  IDS --- ELK

Switch: any managed 8/16-port Gigabit with SPAN (and VLAN support). If you expect heavy capture/ingest, choose a model with 1–2 × SFP+ uplinks for future 10GbE.


Peripherals You Actually Need

Must-haves

  • Managed switch (with SPAN).
  • Cat6/6A patch cables.
  • 32 GB USB stick (Proxmox installer; Ventoy works great).
  • Keyboard/monitor (only for first boot or emergency).

Strongly recommended

  • UPS 600–1000 VA with USB (use apcupsd or NUT for graceful shutdown).
  • External SSD/HDD or NAS for backups (NFS/SMB or Proxmox Backup Server target).
  • Cable ties & labels for airflow and sanity.

Optional

  • SFP+ DAC/optics & OM3 fiber for 10GbE.
  • USB-to-Serial cable for switch/router console.
  • Secondary AP/router for an isolated Wi-Fi “lab” SSID.

BIOS & Install Checklist (5 Minutes)

  1. Enable Intel VT-x/VT-d, UEFI (disable CSM/Legacy).
  2. If available, initialize Intel AMT/vPro for remote recovery.
  3. AHCI for SATA; disable fake RAID.
  4. Install Proxmox VE to NVMe #1 (use LVM/ext4 for simplicity).
  5. After first login:
     apt update && apt -y full-upgrade
     pveversion
  6. Run memtest86 (overnight) and quick iperf3/fio smoke tests.

Network Bridges (example)

Edit /etc/network/interfaces (adjust NIC names via ip a):

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
  address 192.168.1.50/24
  gateway 192.168.1.1
  bridge-ports enp2s0
  bridge-stp off
  bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
  bridge-ports none
  bridge-stp off
  bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
  bridge-ports enp3s0
  bridge-stp off
  bridge-fd 0
  up ip link set dev enp3s0 promisc on

Apply: ifreload -a.
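
The separation between the three bridges lives entirely in this file, so it is worth checking before each `ifreload -a`. The following is an added example, not part of the original post: it parses an interfaces file and flags edits that uplink the lab bridge to a physical NIC, give the host an IP on vmbr1/vmbr2, drop promiscuous mode on the monitor port, or attach one NIC to two bridges. The "no host IP on lab or monitor" policy and the 10.10.10.1/24 address are assumptions; GOOD and BAD are constructed samples.

```python
import re
# Constructed sample: the post's three-bridge layout (abridged), then a broken copy.
GOOD = """\
auto vmbr0
iface vmbr0 inet static
  address 192.168.1.50/24
  gateway 192.168.1.1
  bridge-ports enp2s0
auto vmbr1
iface vmbr1 inet manual
  bridge-ports none
auto vmbr2
iface vmbr2 inet manual
  bridge-ports enp3s0
  up ip link set dev enp3s0 promisc on
"""
BAD = (GOOD.replace("vmbr1 inet manual\n  bridge-ports none",
                    "vmbr1 inet static\n  address 10.10.10.1/24\n  bridge-ports enp3s0")
           .replace("  up ip link set dev enp3s0 promisc on\n", ""))

def parse_bridges(text):
    """Map iface name -> {'method': str, 'opts': {keyword: [values]}}."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"iface\s+(\S+)\s+inet6?\s+(\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), {"method": m.group(2), "opts": {}})
        elif line and not line.startswith(("#", "auto ", "allow-", "source")) and cur:
            key, _, val = line.partition(" ")
            cur["opts"].setdefault(key, []).append(val.strip())
    return out

def audit(text, lab="vmbr1", mon="vmbr2"):
    """Return findings that break the management / lab / monitor separation."""
    br, findings = parse_bridges(text), []
    ports = {n: [p for v in b["opts"].get("bridge-ports", []) for p in v.split()
                 if p != "none"] for n, b in br.items()}
    if ports.get(lab):  # assumed policy: the lab bridge never gets a physical uplink
        findings.append(f"{lab}: uplinked to {ports[lab]}, lab is not isolated")
    for n in (lab, mon):  # assumed policy: the host holds no IP on lab or monitor
        b = br.get(n)
        if b and (b["method"] != "manual" or "address" in b["opts"]):
            findings.append(f"{n}: host has an IP here (method {b['method']})")
    ups = " ".join(br.get(mon, {"opts": {}})["opts"].get("up", []))
    if len(ports.get(mon, [])) != 1 or f"{ports[mon][0]} promisc on" not in ups:
        findings.append(f"{mon}: needs exactly one port with promisc on")
    seen = [p for ps in ports.values() for p in ps]
    return findings + [f"{p}: attached to more than one bridge"
                       for p in sorted(set(seen)) if seen.count(p) > 1]
```

On the host, call `audit(open("/etc/network/interfaces").read())`; an empty list means the layout still matches the three-bridge model.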

Switch SPAN: mirror your “interesting” access/uplink port → the port cabled to vmbr2.


First Wave of VMs (64 GB RAM baseline)

| Role | vCPU / RAM | Notes |
|---|---|---|
| AD/DC + DNS | 4–8 vCPU / 10–12 GB | Group Policy, log forwarding. |
| Kali/Parrot ×2–3 | 2–4 vCPU / 4–8 GB | Offensive tools. |
| Windows 10/11 Targets ×2–3 | 4 vCPU / 8–12 GB | Office-like images; install agents/beats. |
| Zeek/Suricata | 6–8 vCPU / 8–16 GB | Attach to vmbr2; write pcaps to dedicated SSD. |
| ELK or Splunk | 8–12 vCPU / 16–24 GB | Indexes on data/log SSD; rollover policies. |
| OpenVAS / MISP / Honeypots | As needed | Start/stop per scenario. |

Going to 128 GB dramatically improves concurrency and SIEM comfort.


Backups, Power, and Day-2 Ops

Backups

  • Target: external SSD/HDD or NAS (NFS/SMB).
  • Recommend Proxmox Backup Server (PBS) (can run on a NAS/small box) for dedupe/versioning.
  • Schedule full + incremental with retention (7–14 days), and test restores monthly.

UPS

  • Connect via USB; configure apcupsd/NUT for graceful shutdown (VMs → host).

Monitoring

  • Proxmox node metrics + smartctl.
  • Centralize host/VM logs in ELK/Splunk (Filebeat/Winlogbeat/OSQuery as needed).

Performance & Stability Tips

  • Prefer matched pairs/quads of RAM (2×32 → 4×32). Avoid mixing sizes/brands.
  • Don’t chase XMP on OEM boards; buy JEDEC DDR5-5600 UDIMM (non-ECC) kits.
  • Keep OS on NVMe #1, VM disks on NVMe #2, logs/pcaps on separate SSD.

If you choose ZFS, set ARC limits (e.g., 16–32 GB):

# /etc/modprobe.d/zfs.conf
# 32 GB, in bytes (comment kept on its own line)
options zfs zfs_arc_max=34359738368

For log/pcap datasets: primarycache=metadata, atime=off; run zpool scrub monthly.


Security Hygiene

  • Isolate management (vmbr0) from the lab (vmbr1).
  • Limit management access to your jump host(s); enable 2FA where possible.
  • Use snapshots, read-only base images, NAT egress, and frequent resets for risky malware work.

Upgrade Path

  • 128 GB RAM → more concurrent Windows/Kali/ELK.
  • 10GbE / SFP+ → faster captures and ingest.
  • Dedicated PBS → robust, deduplicated backups.
  • Edge nodes (e.g., 2× low-power mini PCs with 2.5GbE) → distributed honeypots, routing, collectors.

BOM (Shopping List)

  • Host: Dell Pro Tower (Ultra 7 265 or i5-14500 vPro).
  • RAM: Crucial CT2K32G56C46U5 (64 GB to start); add same kit later for 128 GB.
  • NVMe #1: 1 TB (Samsung 980/990 or Crucial P5 Plus).
  • NVMe #2: 1–2 TB (VMs/containers).
  • SATA SSD (optional): 1–2 TB (pcap/index).
  • NICs: Intel i350-T4; (optional) Mellanox ConnectX-3/4 10GbE.
  • Switch: 8/16-port managed with VLAN + SPAN (optionally 1–2 × SFP+).
  • UPS: 600–1000 VA with USB.
  • Cables: Cat6/6A; (10GbE) SFP+ DAC/optics + OM3.
  • USB sticks: 32 GB ×2; ties/labels.

Acceptance Checklist (Done = Green)

  • BIOS: VT-d/UEFI/AMT configured.
  • Proxmox up-to-date; vmbr0/1/2 working; NTP synced.
  • Switch SPAN mirrors to vmbr2; Zeek/Suricata sees traffic.
  • Core VMs (AD/Kali/Targets/IDS/SIEM) boot and talk as expected.
  • Backup job runs and restore test completes.
  • UPS triggers graceful shutdown in a pull-the-plug drill.
  • iperf3, fio, small capture/replay tests pass without drops.

TL;DR

Start with a Dell Pro Tower, 64–128 GB DDR5, dual NVMe, i350-T4, and a managed switch with SPAN. Use the 3-bridge design (management / lab / monitor). Add a UPS and PBS/NAS for resilience. From there, scale to 128 GB and SFP+ if you need more speed. This balances cost, silence, expandability, and real-world cybersecurity workflows.

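Proxmox Cybersecurity Lab Build Plan (Full Report)

0. Goals and Use Cases

  • On one expandable, quiet, and stable host, set up the Proxmox VE hypervisor to run red/blue team exercises, malicious traffic analysis, SIEM/IDS, a domain environment, honeypots, and similar experiments.
  • Support port-mirrored packet capture, an isolated target network, recoverable backups, power-loss protection, and remote maintenance.
  • Budget-friendly, and expandable step by step to 10GbE and more memory/storage.

1. Best All-Round Option (Host and Core Configuration)

Host: Dell Pro Tower (QCT1250) – Intel Core Ultra 7 265 or i5-14500 vPro

Either works. The Ultra 7 265 has more cores and handles more concurrency; the i5-14500 vPro is the better value at this stage and includes AMT remote management.

Recommended build

  • RAM: start with 64 GB (Crucial CT2K32G56C46U5, DDR5-5600 JEDEC, non-ECC UDIMM); later add the same model to reach 128 GB (4×32).
  • System disk (NVMe #1): 1 TB (Samsung 980/990 or Crucial P5 Plus) – PVE only.
  • Data disk (NVMe #2): 1–2 TB (VM/container data).
  • Log/capture disk (optional SATA SSD): 1–2 TB (pcap, ELK indices).
  • NICs:
    • Multi-port gigabit: Intel i350-T4 (full height).
    • 10GbE expansion (optional): Mellanox ConnectX-3/4 10GbE SFP+ + DAC/fiber.
  • Power protection: UPS 600–1000 VA (USB support, paired with apcupsd/NUT).
  • Switch: 8/16-port managed switch (with port mirroring/SPAN and VLAN; for 10GbE, with 1–2 × SFP+ uplinks).
  • Other: several Cat6/6A cables, 32 GB USB stick ×2 (for install media), cable ties and labels.
Fallback/incremental option: if you prefer Lenovo, choose the Lenovo ThinkCentre M920 Tower (not SFF) or a used ThinkStation P520. SFF models suit only lightweight nodes and are not recommended as the primary hypervisor.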

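2. Network and Topology Design

2.1 Three-Bridge Model (Management / Lab / Monitor)

  • vmbr0 – Management: connects to the home/office LAN (access to the PVE web UI, SSH, PBS/NAS).
  • vmbr1 – Lab/Target: fully isolated, interconnecting only AD/targets/Kali; a dedicated router VM decides whether traffic may leave.
  • vmbr2 – Monitor: connects to the switch's SPAN mirror port for Zeek/Suricata sniffing (promiscuous mode).

2.2 Mermaid Topology Diagram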

flowchart LR
  Internet((Internet))
  Router[家庭路由/网关]
  Switch[Managed Switch<br/>VLAN + SPAN]
  PVE[Proxmox Host<br/>vmbr0/1/2]
  IDS[Zeek/Suricata VM]
  ELK[ELK/Splunk VM]
  AD[AD/DC VM]
  Kali[Kali VMs]
  Victim[Windows/Linux 靶机 VMs]

  Internet --- Router --- Switch
  Switch ---|Access| PVE
  PVE ---|vmbr0 管理| Switch
  PVE ---|vmbr1 靶网| AD
  PVE ---|vmbr1 靶网| Kali
  PVE ---|vmbr1 靶网| Victim
  Switch ---|SPAN→vmbr2| PVE
  PVE ---|vmbr2| IDS
  IDS --- ELK

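3. Installation and Base Configuration

3.1 BIOS

  • Enable VT-x/VT-d (IOMMU) and UEFI (disable CSM/Legacy).
  • If Intel AMT/vPro is available: initialize it for remote power/console access.
  • SATA mode AHCI; disable motherboard RAID if present.

3.2 Proxmox Installation Recommendations

  • Install from the official ISO to NVMe #1 (system); LVM/ext4 is the recommended file system (simple and stable). If you use ZFS, set an ARC limit (see 6.3).
  • Stability verification: run memtest86 (overnight) and initial iperf3/fio stress tests.

After first login: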

apt update && apt -y full-upgrade
pveversion

3.3 Network Bridges (example /etc/network/interfaces)

Adjust the NIC names to match the output of ip a.
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
  address 192.168.1.50/24
  gateway 192.168.1.1
  bridge-ports enp2s0
  bridge-stp off
  bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
  bridge-ports none
  bridge-stp off
  bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
  bridge-ports enp3s0
  bridge-stp off
  bridge-fd 0
  up ip link set dev enp3s0 promisc on

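Apply: ifreload -a

3.4 Switch SPAN

  • Mirror the target service port or uplink port to a free port.
  • Cable that port to the physical port behind the host's vmbr2.

4. First Wave of VMs (from 64 GB)

| Role | Recommended configuration | Notes |
|---|---|---|
| AD/DC + DNS | 4–8 vCPU / 10–12 GB RAM / 80–120 GB disk | Set up the domain, Group Policy, log forwarding |
| Kali/Parrot ×2–3 | 2–4 vCPU / 4–8 GB / 40–80 GB | Attack/pentest toolset |
| Windows 10/11 targets ×2–3 | 4 vCPU / 8–12 GB / 80–120 GB | Typical office image; install agents for log collection |
| Zeek/Suricata | 6–8 vCPU / 8–16 GB / 60 GB | Attach to vmbr2; pcap output to the log disk |
| ELK or Splunk | 8–12 vCPU / 16–24 GB / 150–300 GB | Indices on the data/log disk; set hot/cold index policies |
| OpenVAS/MISP/honeypots | Start/stop as needed | Shut down when resources are tight to make room |

After upgrading to 128 GB, you can run more Windows/Kali/honeypot VMs at the same time, and ELK runs more smoothly.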

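5. Backup, Restore, and Operations

5.1 Backup Strategy

  • Target: external USB drive or NAS (NFS/SMB); deploying Proxmox Backup Server (PBS) is recommended (it can run on a NAS or small box).
  • Jobs: scheduled vzdump full + differential backups, keeping the most recent 7–14 days.
  • Restore drills: each month, restore one randomly chosen VM and run a full self-check.

5.2 Power and Shutdown Coordination

  • Connect the UPS to the host by USB and install apcupsd/NUT.
  • Set the power-loss threshold and graceful shutdown (VMs first, then the host).

5.3 Monitoring and Logs

  • Proxmox itself + pveperf + smartctl.
  • ELK/Splunk aggregates AD, Kali, target, and IDS logs; Filebeat/Winlogbeat/OSQuery optional.

6. Performance and Stability Recommendations

6.1 CPU/Memory

  • Prioritize symmetric dual-channel/quad-channel population (2×32 → 4×32); avoid mixing different capacities/speeds.
  • Enable KSM/memory compression in moderation, not aggressively; when memory runs short, add DIMMs rather than squeezing harder.

6.2 I/O Tiering

  • The system disk holds only PVE; VMs/containers go on the separate data disk.
  • Put pcap/logs/indices on their own SSD where possible to reduce contention with VM system disks.

6.3 ZFS (if used)

  • Set an ARC limit (e.g., 16–32 GB):
    # /etc/modprobe.d/zfs.conf (32 GB)
    options zfs zfs_arc_max=34359738368
  • For datasets that hold only logs/pcap: primarycache=metadata, atime=off.
  • Run zpool scrub periodically.

7. Security and Isolation

  • Strictly isolate the management plane (vmbr0) from the lab network (vmbr1); the lab reaches outside only through a dedicated router/firewall VM.
  • Allow only your admin workstation/jump host on the management port; enable two-factor login (PVE/ELK/Splunk, etc.).
  • For attack/malware sample experiments: use snapshots, read-only images, restricted NAT; reset targets regularly.

8. Expansion Roadmap

  • 128 GB RAM → higher concurrency density.
  • 10GbE/SFP+ → high-volume traffic replay / high-throughput IDS.
  • Standalone PBS node → dedupe / versioning / remote disaster recovery.
  • Distributed: add 1–2 low-power N100/1240P mini PCs as edge nodes (routing/honeypots/collection).

9. Bill of Materials (BOM; substitute equivalent models based on stock)

  • Host: Dell Pro Tower (Ultra 7 265 or i5-14500 vPro).
  • RAM: Crucial CT2K32G56C46U5 ×1 (64 GB to start); another ×1 later (for 128 GB).
  • NVMe #1: Samsung 980/990 / Crucial P5 Plus 1 TB.
  • NVMe #2: Samsung 980/990 / Crucial P5 Plus 1–2 TB.
  • (Optional) SATA SSD: 1–2 TB (pcap/indices).
  • NICs: Intel i350-T4; (optional) Mellanox ConnectX-3/4 10GbE.
  • Switch: 8/16-port managed (with VLAN + SPAN; for 10GbE, with 1–2 × SFP+).
  • UPS: 600–1000 VA (with USB).
  • Cables: several Cat6/6A; (10GbE) SFP+ DAC/optical modules + OM3.
  • USB sticks: 32 GB ×2; cable management: ties/labels.

10. Acceptance Checklist (test on delivery)

  1. BIOS: VT-d/UEFI/AMT ready.
  2. PVE: latest version, all three bridges working, clock synced via NTP.
  3. Switch: SPAN active, traffic visible in captures on vmbr2.
  4. VMs: AD/Kali/targets/IDS/ELK all boot and can reach each other (on the expected segments).
  5. Backup: run one full backup manually and verify the restore.
  6. UPS: pull-the-plug drill; automatic shutdown takes effect.
  7. Stress tests: iperf3, fio, and small-scale traffic replay show no packet loss or congestion.

One-Sentence Summary

  • One tower host + three-bridge network + managed switch (SPAN) + separate backups and a UPS gets your Proxmox cybersecurity lab to a state where it can run long-term, expand, and recover.
  • Start with 64 GB + dual NVMe + i350-T4, then upgrade smoothly to 128 GB / 10GbE / PBS as needed.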