If you’re reading this, you’re probably tired of spinning up “test” VMs that leak into production, or you’ve been burned by a flat network where a misconfigured DHCP server takes down the whole lab. I’ve been there. After 20 years in Tier 3 SOCs, I’ve learned that a solid Proxmox VE SOC infrastructure isn’t just about virtualization—it’s about engineering isolation, performance, and repeatability.
This is the first in a three‑part series where we build an enterprise‑grade security operations platform from the bare metal up. We’ll start with the hypervisor and OS layer, move to network visibility with Suricata, and finish with a distributed Wazuh XDR cluster. Every command, every config file, and every architecture diagram is pulled from a live deployment. Let’s get to work.
Why Proxmox? Why Debian 13?
I’ve used VMware, Hyper‑V, and even KVM from scratch. Proxmox sits in the sweet spot: open‑source, enterprise‑ready, and with a web UI that doesn’t make you want to throw your laptop. For SOC work, we need snapshotting, easy backups, and the ability to simulate complex networks without bleeding money.
Debian 13 (Trixie) was chosen because it’s the latest stable release with a modern kernel (6.12.73) that plays nicely with modern hardware and VirtIO drivers. It’s also what we’ll use for all our VM guests—consistency matters.
Let’s look at the physical host we’re building on. This is a Dell PowerEdge with an Intel Xeon Silver 4310 and 15 GB RAM. Plenty for a lab, but we’ll treat it like production.
bash
root@proxmox:~# cat /proc/cpuinfo | grep "model name" | head -1
model name : Intel(R) Xeon(R) Silver 4310 CPU @ 2.10GHz
root@proxmox:~# free -h
total used free shared buff/cache available
Mem: 15Gi 1.2Gi 13Gi 123Mi 1.5Gi 13Gi
Swap: 8.0Gi 0B 8.0GiThe host has six network interfaces—two on one controller (nic0/nic1) and four on another (nic2‑nic5). We’ll use one for management (nic2) and one dedicated for SPAN traffic (nic3). The rest are spares.
Network Isolation: VLANs, Bridges, and the SPAN Port
The biggest mistake I see in SOC labs is running everything on a single bridge. That’s fine for learning, but when you’re mirroring production traffic, you want absolute separation. We’ll use two bridges:
vmbr0– management and general VM traffic (connected to nic2)vmbr1– dedicated SPAN bridge (connected to nic3) that will feed our Suricata sensor.
We also configured a SPAN session on the upstream switch to copy traffic from the core uplink port to port 24, which is physically wired to nic3. No VLAN tagging is involved—the mirror port sends raw Ethernet frames, which is exactly what we want for IDS.
Here’s how the interfaces look after configuration:
Bash
auto lo
iface lo inet loopback
iface nic2 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.0.36.147/16
gateway 10.0.0.1
bridge-ports nic2
bridge-stp off
bridge-fd 0
auto nic3
iface nic3 inet manual
auto vmbr1
iface vmbr1 inet manual
bridge_ports nic3
bridge_stp off
bridge_fd 0The SPAN bridge has no IP address—it’s a pure passthrough. The VM that will run Suricata will have its capture interface connected to this bridge, also without an IP. That’s how we stay invisible.
Hardening the Hypervisor
Before we create any VMs, we need to lock down Proxmox itself. Debian 13 ships with a fairly tight default configuration, but we’ll go further:
- Disable unused services – We’re not running a mail server, so
postfixis removed. - Set up firewall rules – Only allow SSH from management VLAN and restrict Proxmox web GUI.
- Enable automatic security updates – Because nobody wants to wake up to a zero‑day.
I won’t bore you with a complete STIG checklist, but here’s a snippet of the iptables rules we applied on the host:
bash
# Allow SSH only from management network (10.0.36.0/24) iptables -A INPUT -p tcp --dport 22 -s 10.0.36.0/24 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP # Allow Proxmox web UI (8006) from management iptables -A INPUT -p tcp --dport 8006 -s 10.0.36.0/24 -j ACCEPT iptables -A INPUT -p tcp --dport 8006 -j DROP
We also set net.ipv4.ip_forward=1 because later we might need to route between bridges, but for now it’s just a precaution.
Virtual Machines: Minimal but Purpose‑Built
We’ll deploy four Debian 13 VMs, each with a specific role. I like to keep them lean: 2 vCPUs, 4 GB RAM for the heavy ones, 2 GB for the dashboard. All use VirtIO for disk and network for best performance.
Here’s the inventory we built from the ground up:
| Role | VM Name | IP Address | vCPU | RAM | Disk |
|---|---|---|---|---|---|
| Wazuh Indexer | xdr-indexer-01 | 10.0.68.2 | 2 | 4 GB | 100 GB |
| Wazuh Manager | xdr-manager-01 | 10.0.155.183 | 2 | 4 GB | 50 GB |
| Wazuh Dashboard | wzh-dash-01 | 10.0.254.239 | 2 | 2 GB | 20 GB |
| Suricata IDS | srv-ids-01 | 10.0.167.154 | 2 | 4 GB | 50 GB |
Each VM gets a static IP via DHCP reservation (or manual config) and is hardened similarly to the host.
The Infrastructure Blueprint
Visualizing the logical separation helps new team members understand the topology. Here’s a Graphviz diagram of our current setup (all VMs on one physical host for now, but ready for HA).

The SPAN bridge (vmbr1) is not connected to anything else—it only talks to the Suricata VM’s capture interface. That way, no management traffic leaks onto the mirror port.
Next: From Hypervisor to Network Visibility
With the infrastructure layer hardened and the VMs ready, we’re set to deploy Suricata and ingest traffic from the SPAN port. That’s the focus of the next article. But before we close, let’s ensure our Proxmox host is ready for the future HA cluster. We installed corosync and pacemaker but kept them disabled—we’ll enable them when the second node joins.
If you’re following along, your Proxmox VE SOC infrastructure now has:
- A hardened hypervisor with separate bridges for management and mirroring.
- Four purpose‑built Debian VMs with static IPs.
- A clear separation of duties.
In the next article, we’ll turn this infrastructure into a network detection engine. We’ll map the physical SPAN port to the Suricata VM, configure IDS rules, and verify that traffic is flowing.
Discover more from Solide Info | The Engineer’s Authority on Cyber Defense
Subscribe to get the latest posts sent to your email.



