Networking PfSense Index: Difference between revisions
Justinaquino (talk | contribs) Create consolidated Networking PfSense Index |
Justinaquino (talk | contribs) Add Dedicated Training Server Strategy: recommend separate machine instead of 200-core server; include mini-PC cluster, used server, desktop repurpose, ARM SBC options; cost-benefit analysis |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
== pfSense Core Guides == | == pfSense Core Guides == | ||
* [[pfSense Sales Training Material]] — Product knowledge and sales positioning for Netgate/pfSense hardware and software | * [[pfSense Sales Training Material]] — Product knowledge and sales positioning for Netgate/pfSense hardware and software | ||
* [[Modern Guide: pfSense Captive Portal with FreeRADIUS | * [[Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME]] — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL | ||
* [[pfSense CE → pfSense Plus Upgrade Guide]] — Step-by-step migration from Community Edition to pfSense Plus | |||
* [[SOP: Network Troubleshooting & pfSense Monitoring 251130]] — Standard operating procedures for network diagnostics and pfSense health monitoring | |||
== Network Infrastructure & Equipment == | |||
* [[Tplink Mikrotik Equivalent]] — Cross-reference of TP-Link and MikroTik models for network deployments | |||
* [[Controller Systems 251213-01]] — Network and infrastructure controller systems | |||
* [[Power Distribution Tree 251213]] — Power architecture for network and server racks | |||
* [[NPM Migration to Homelab VPS Relay 260401]] — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy | |||
== DNS, Ad Blocking & Pi-hole == | |||
* [https://github.com/Comfac-Global-Group/pi-hole Comfac Pi-hole Repository] — GitHub repository for Pi-hole DNS sinkhole deployment | |||
* [https://github.com/Comfac-Global-Group/pi-hole/blob/master/How%20this%20Works.md How Pi-hole Works] — Technical overview of the Pi-hole DNS filtering architecture | |||
== Training & Skills == | |||
* [[Skills and Competencies for IT Staff Trained in pfSense]] — Required competencies and certification path for pfSense-administering staff | |||
* [[PfSense Training Project Tracker]] — '''Implementation tracker''' for the NoVNC virtual lab, material conversion, and curriculum development | |||
== Practical Training System (NoVNC Virtual Lab) == | |||
'''Goal:''' Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine. | |||
=== Training Architecture Vision === | |||
Each student gets an isolated virtual network sandbox containing: | |||
* 2× pfSense VMs (HQ HA pair or HQ + Branch) | |||
* 1–2× Client VMs (Windows/Linux desktop) | |||
* 1× Server VM (web/DNS/target) | |||
* 1× Simulated "Internet" router VM | |||
Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM. | |||
=== Resource Estimates Per Student === | |||
==== Stack A: Pure Linux / FOSS (Recommended for Comfac) ==== | |||
All components run on open-source software. Clients are lightweight Linux VMs or LXC containers. No Windows licensing required. | |||
{| class="wikitable" | |||
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes | |||
|- | |||
| pfSense VM || 1 || 512 MB || 4 GB || KVM microVM || FreeBSD requires KVM; use tiny QEMU args | |||
|- | |||
| Linux Client (LXC) || 0.5 || 256 MB || 1 GB || LXC container || Alpine or Debian with XFCE; NoVNC access | |||
|- | |||
| Linux Server (LXC) || 0.5 || 256 MB || 1 GB || LXC container || nginx, BIND, or simple Python HTTP | |||
|- | |||
| Internet Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC container || Static routes only; FRR optional | |||
|- | |||
| NoVNC Proxy (Docker) || 0.5 || 256 MB || 0.5 GB || Docker container || websockify + nginx | |||
|- | |||
| '''Total per student''' || '''3''' || '''1.4 GB''' || '''7 GB''' || — || Thin-provisioned; linked clones | |||
|} | |||
==== Stack B: Windows Client (Full Desktop Experience) ==== | |||
For trainees who need a Windows desktop for browser-based management or specific client software. | |||
{| class="wikitable" | |||
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes | |||
|- | |||
| pfSense VM || 2 || 1 GB || 8 GB || KVM || Standard qcow2 image | |||
|- | |||
| Windows Client || 2 || 4 GB || 40 GB || KVM || Windows 10/11 thin client; needs GPU if GUI-heavy | |||
|- | |||
| Ubuntu Server || 1 || 1 GB || 10 GB || KVM || Full VM for compatibility | |||
|- | |||
| Internet Router || 1 || 512 MB || 4 GB || KVM || Ubuntu with static routes | |||
|- | |||
| NoVNC Proxy || 0.5 || 256 MB || 0.5 GB || Docker || Shared across students | |||
|- | |||
| '''Total per student''' || '''6.5''' || '''6.8 GB''' || '''63 GB''' || — || Higher resource cost | |||
|} | |||
==== Stack C: Hybrid — Containers for Linux Router Exercises ==== | |||
For basic routing/firewall concept labs only (not pfSense-specific), replace pfSense with Linux routers in containers. | |||
{| class="wikitable" | |||
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes | |||
|- | |||
| Linux Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC || Alpine + iptables/nftables + WireGuard | |||
|- | |||
| Linux Client (LXC) || 0.5 || 256 MB || 1 GB || LXC || Alpine or Debian | |||
|- | |||
| Linux Server (LXC) || 0.5 || 256 MB || 1 GB || LXC || nginx, BIND | |||
|- | |||
| Internet Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC || Static routes | |||
|- | |||
| '''Total per student''' || '''2''' || '''768 MB''' || '''3 GB''' || — || Cannot teach pfSense GUI; teaches concepts only | |||
|} | |||
'''Important:''' pfSense is FreeBSD-based and cannot run in Linux containers (Docker/LXC). Stack C is suitable for teaching routing/VPN concepts using Linux tools (iptables, nftables, WireGuard, strongSwan), but not for teaching the pfSense web interface. For pfSense GUI training, use Stack A or B. | |||
=== Server Capacity: 20% Utilization Target === | |||
The goal is to run the training environment using only 20% of the 200-core / 1TB RAM server, leaving 80% for other Comfac workloads (ERPNext, AI models, file services). | |||
'''20% of available resources:''' | |||
* 40 vCPUs (20% of 200) | |||
* 200 GB RAM (20% of 1 TB) | |||
* ~2 TB SSD (assuming 10 TB array, 20% = 2 TB) | |||
'''Concurrent student capacity at 20% utilization:''' | |||
{| class="wikitable" | |||
! Stack !! Per-Student Resources !! Students at 20% CPU !! Students at 20% RAM !! Limiting Factor | |||
|- | |||
| '''A: Pure Linux''' || 3 vCPU / 1.4 GB || 13 || 142 || '''CPU: 13 students''' | |||
|- | |||
| '''B: Windows''' || 6.5 vCPU / 6.8 GB || 6 || 29 || '''CPU: 6 students''' | |||
|- | |||
| '''C: Containers''' || 2 vCPU / 0.8 GB || 20 || 250 || '''CPU: 20 students''' | |||
|} | |||
'''Recommendation:''' Use Stack A (Pure Linux) for all labs. This yields ~13 concurrent students within the 20% budget, or up to ~30 students if spread across time slots (not everyone needs a lab simultaneously). | |||
=== Smaller Server: What Hardware for 10 Students? === | |||
If buying a dedicated training server instead of using the 200-core machine: | |||
{| class="wikitable" | |||
! Stack !! CPU !! RAM !! Storage !! NICs !! Example Hardware | |||
|- | |||
| '''A: Pure Linux''' || 32 cores || 32 GB || 500 GB NVMe || 2x 1GbE || Used Dell R630/R640 (~$300-500) | |||
|- | |||
| '''B: Windows''' || 64 cores || 96 GB || 1 TB NVMe || 2x 1GbE || Used Dell R740 / HP DL360 (~$600-900) | |||
|- | |||
| '''C: Containers''' || 16 cores || 16 GB || 250 GB NVMe || 2x 1GbE || Old desktop + Intel NIC (~$100-200) | |||
|} | |||
=== Dedicated Training Server Strategy (Recommended) === | |||
The 200-core / 1TB RAM machine is Comfac's primary production server (ERPNext, AI models, file services, build pipelines). Running training labs on it consumes resources that could be used for revenue-generating workloads. | |||
'''Recommendation: Do NOT run training on the 200-core server.''' Instead, deploy training on a dedicated, smaller machine. | |||
{| class="wikitable" | |||
! Option !! Hardware !! Cost (Used) !! Capacity (Stack A) !! Power !! Notes | |||
|- | |||
| '''A. Mini-PC Cluster''' || 3× Intel N100/N305 mini-PCs (4c/8t, 16GB RAM, 512GB SSD each) || ~$450 total || 12 students || ~45W total || Silent, no rack needed. One PC fails = 4 students affected. | |||
|- | |||
| '''B. Single Used Server''' || Dell R630 / HP DL360 Gen9 (2× E5-2680v4, 64GB RAM, 1TB NVMe) || ~$400-600 || 15-20 students || ~150W || Rackmount, redundant PSU, IPMI. | |||
|- | |||
| '''C. Desktop Repurpose''' || Old Comfac desktop (i5-8400, 32GB RAM, 500GB SSD) + Intel i350-T4 NIC || $0 + $50 NIC || 6-8 students || ~65W || Free if you have spare desktops. | |||
|- | |||
| '''D. ARM SBC Cluster''' || 4× Raspberry Pi 5 (4GB) + 1× Pi 5 (8GB as controller) || ~$300 total || 4-6 students || ~25W total || Cannot run x86 pfSense; must use Linux routers (Stack C only). | |||
|} | |||
'''Best choice for Comfac: Option B (Single Used Server) or Option C (Repurpose Desktop).''' | |||
* Option B gives headroom for growth to 20 students | |||
* Option C is free if you have retiring desktops from the Win2Lin migration | |||
* Both keep the 200-core server 100% free for production | |||
=== Cost-Benefit: 200-Core Server vs Dedicated Training Box === | |||
{| class="wikitable" | |||
! Factor !! Training on 200-Core Server !! Dedicated Training Server | |||
|- | |||
| '''Hardware Cost''' || $0 (already owned) || $0-$600 | |||
|- | |||
| '''Power Cost''' || Already running || +$10-30/month | |||
|- | |||
| '''Opportunity Cost''' || '''High''' — 20% of server unavailable for ERPNext/AI/builds || '''Zero''' — production server untouched | |||
|- | |||
| '''Risk''' || Training crashes could affect production VMs || Isolated; training issues contained | |||
|- | |||
| '''Noise/Location''' || Must stay in server room || Mini-PC or desktop can sit in training room | |||
|- | |||
| '''Maintenance Window''' || Must coordinate with production || Anytime; reboot freely | |||
|} | |||
'''Verdict:''' A $400 used server or a $0 repurposed desktop pays for itself in 1-2 months by keeping the 200-core machine fully available for production workloads. | |||
=== Cluster-in-a-Box: Old PC + Proxmox VE === | |||
For the absolute lowest cost (repurposed old PC): | |||
# Install Proxmox VE (Debian-based hypervisor with web GUI) | |||
# Create LXC templates for Alpine/Debian clients | |||
# Create KVM VMs for pfSense microVMs | |||
# Install NoVNC via Proxmox built-in console or add Kimchi/Guacamole | |||
# Students access via browser to the Proxmox web UI | |||
'''Specs needed for 8 students (Stack A):''' | |||
* CPU: 6-core / 12-thread (Intel 6th-gen i5 or better; AMD Ryzen 5) | |||
* RAM: 32 GB DDR4 | |||
* Storage: 500 GB NVMe or SSD | |||
* NIC: Intel i350-T4 quad-port (for VLANs and bridges) | |||
* Cost: $0 (old PC) + $50 (NIC) if you already have the PC | |||
This is the path of least resistance for Comfac given the Win2Lin migration will free up desktops. | |||
=== Exercise-Limited Deployment (Right-Sizing per Lab) === | |||
Not every lab needs the full sandbox. Deploy only what is needed: | |||
{| class="wikitable" | |||
! Lab !! Stack A Deployed !! vCPUs Used !! RAM Used !! Disk Used | |||
|- | |||
| Day 1 — Theory only || None (wiki only) || 0 || 0 || 0 | |||
|- | |||
| Lab 1 (Intro/Backup) || 1 pfSense + 1 client || 1.5 || 768 MB || 5 GB | |||
|- | |||
| Lab 2 (Rules) || 1 pfSense + 1 client + 1 server || 2 || 1 GB || 6 GB | |||
|- | |||
| Lab 3 (NAT) || 1 pfSense + 1 server + router || 2 || 900 MB || 5.5 GB | |||
|- | |||
| Lab 4 (Services) || 2 pfSense + 2 clients + 1 server || 4 || 2.1 GB || 11 GB | |||
|- | |||
| Lab 5-7 (VPNs) || 2 pfSense + 2 clients || 3 || 1.5 GB || 10 GB | |||
|- | |||
| Lab 8 (Multi-WAN) || 1 pfSense + 1 client + router || 2 || 900 MB || 5.5 GB | |||
|- | |||
| Lab 9 (Shaping) || 1 pfSense + 2 clients || 2.5 || 1.3 GB || 6 GB | |||
|- | |||
| Lab 10 (HA) || 2 pfSense + 1 client || 2.5 || 1.3 GB || 9 GB | |||
|} | |||
'''Scheduling strategy:''' If students are scheduled in 1-hour slots and labs are provisioned on-demand, the same 40 vCPUs / 200 GB RAM can serve 40-60 student-slots per day (not concurrently, but sequentially). | |||
=== Phase 1: Resource Setup Validation === | |||
Before full student rollout, validate the resource model with these tests: | |||
{| class="wikitable" | |||
! Test !! Purpose !! Command / Method !! Pass Criteria | |||
|- | |||
| '''T1: MicroVM Boot''' || Verify pfSense runs in 512MB/1vCPU || qemu-system-x86_64 -m 512 -smp 1 -drive file=pfsense.qcow2 || Boots to login in < 120s | |||
|- | |||
| '''T2: LXC Container Spawn''' || Verify sub-1GB containers work || lxc launch images:alpine/3.19 client || Starts in < 10s; SSH reachable | |||
|- | |||
| '''T3: NoVNC Session''' || Verify one student can access console || websockify + TigerVNC || 640x480 responsive; < 500ms latency | |||
|- | |||
| '''T4: 5 Concurrent Students''' || Validate 20% CPU/RAM budget || Ansible: deploy 5x Stack A || Total < 8 vCPU, < 7 GB RAM | |||
|- | |||
| '''T5: Lab 4 Full Deploy''' || Heaviest lab (2 pfSense + 2 clients + server) || ansible-playbook lab4.yml || Deploys in < 5 min; all VMs pingable | |||
|- | |||
| '''T6: Snapshot Reset Speed''' || Time to reset between students || virsh snapshot-revert + virsh start || < 60 seconds total | |||
|- | |||
| '''T7: AI Evaluation Readiness''' || Validate environment for automated testing || See AI Evaluation section below || All labs pass synthetic health checks | |||
|} | |||
=== AI Evaluation: Automated Readiness Testing === | |||
Before students arrive, AI agents will validate that each lab environment is functional. This replaces manual smoke-testing. | |||
'''Evaluation Stack:''' | |||
* '''Qwen 3.5 Instruct Coder (9GB)''' — Runs locally on the 200-core server or a dedicated GPU box. Evaluates: pfSense GUI accessibility, rule syntax, VPN handshake status, config.xml validity. | |||
* '''DeepSeek Coder (optional)''' — Cloud or local. Validates Ansible playbook correctness, network topology logic, resource allocation math. | |||
* '''OpenCode (local agent)''' — Executes shell commands inside VMs/containers via SSH/API. Performs end-to-end tests: ping, curl, ipsec status, wg show, etc. | |||
'''Automated Test Sequence (per lab):''' | |||
# Deploy lab environment via Ansible | |||
# AI agent logs into pfSense (admin credentials) | |||
# Screenshot/check each configured page matches expected state | |||
# Run connectivity tests from client VMs | |||
# Verify services are listening on correct ports | |||
# Generate pass/fail report with specific error details | |||
# Destroy lab environment | |||
'''Benefits:''' | |||
* Catch broken base images before students arrive | |||
* Validate that config.xml injections work correctly | |||
* Ensure network isolation between students | |||
* Measure actual resource usage vs. estimates | |||
* Generate readiness dashboard for instructors | |||
'''Implementation:''' | |||
* Python + Selenium/Playwright for pfSense GUI testing | |||
* Paramiko/fabric for SSH-based VM tests | |||
* pytest framework for test organization | |||
* GitHub Actions or local Cron for scheduled runs | |||
* Output: Markdown report posted to wiki or sent via Matrix/Email | |||
== Related Infrastructure == | |||
* [[System Hardening Strategy: Win2Lin Migration & Infrastructure 251129]] — Server migration and infrastructure hardening | |||
* [[Introduction: Why Self-Host Your Email?]] — Self-hosted email infrastructure context | |||
* [[Mailcow + Thunderbird Setup Guide (Email + Calendar)]] — Email server deployment | |||
* [[Portainer to Docker Compose Migration Guide]] — Container orchestration for network services | |||
---- | |||
''This index consolidates networking resources previously scattered across the [[Main Page]]. Last updated: 260423.'' | |||
Latest revision as of 10:42, 23 April 2026
Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.
pfSense Core Guides
- pfSense Sales Training Material — Product knowledge and sales positioning for Netgate/pfSense hardware and software
- Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL
- pfSense CE → pfSense Plus Upgrade Guide — Step-by-step migration from Community Edition to pfSense Plus
- SOP: Network Troubleshooting & pfSense Monitoring 251130 — Standard operating procedures for network diagnostics and pfSense health monitoring
Network Infrastructure & Equipment
- Tplink Mikrotik Equivalent — Cross-reference of TP-Link and MikroTik models for network deployments
- Controller Systems 251213-01 — Network and infrastructure controller systems
- Power Distribution Tree 251213 — Power architecture for network and server racks
- NPM Migration to Homelab VPS Relay 260401 — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy
DNS, Ad Blocking & Pi-hole
- Comfac Pi-hole Repository — GitHub repository for Pi-hole DNS sinkhole deployment
- How Pi-hole Works — Technical overview of the Pi-hole DNS filtering architecture
Training & Skills
- Skills and Competencies for IT Staff Trained in pfSense — Required competencies and certification path for pfSense-administering staff
- PfSense Training Project Tracker — Implementation tracker for the NoVNC virtual lab, material conversion, and curriculum development
Practical Training System (NoVNC Virtual Lab)
Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine.
Training Architecture Vision
Each student gets an isolated virtual network sandbox containing:
- 2× pfSense VMs (HQ HA pair or HQ + Branch)
- 1–2× Client VMs (Windows/Linux desktop)
- 1× Server VM (web/DNS/target)
- 1× Simulated "Internet" router VM
Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.
Resource Estimates Per Student
Stack A: Pure Linux / FOSS (Recommended for Comfac)
All components run on open-source software. Clients are lightweight Linux VMs or LXC containers. No Windows licensing required.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| pfSense VM | 1 | 512 MB | 4 GB | KVM microVM | FreeBSD requires KVM; use tiny QEMU args |
| Linux Client (LXC) | 0.5 | 256 MB | 1 GB | LXC container | Alpine or Debian with XFCE; NoVNC access |
| Linux Server (LXC) | 0.5 | 256 MB | 1 GB | LXC container | nginx, BIND, or simple Python HTTP |
| Internet Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC container | Static routes only; FRR optional |
| NoVNC Proxy (Docker) | 0.5 | 256 MB | 0.5 GB | Docker container | websockify + nginx |
| Total per student | 3 | 1.4 GB | 7 GB | — | Thin-provisioned; linked clones |
Stack B: Windows Client (Full Desktop Experience)
For trainees who need a Windows desktop for browser-based management or specific client software.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| pfSense VM | 2 | 1 GB | 8 GB | KVM | Standard qcow2 image |
| Windows Client | 2 | 4 GB | 40 GB | KVM | Windows 10/11 thin client; needs GPU if GUI-heavy |
| Ubuntu Server | 1 | 1 GB | 10 GB | KVM | Full VM for compatibility |
| Internet Router | 1 | 512 MB | 4 GB | KVM | Ubuntu with static routes |
| NoVNC Proxy | 0.5 | 256 MB | 0.5 GB | Docker | Shared across students |
| Total per student | 6.5 | 6.8 GB | 63 GB | — | Higher resource cost |
Stack C: Hybrid — Containers for Linux Router Exercises
For basic routing/firewall concept labs only (not pfSense-specific), replace pfSense with Linux routers in containers.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| Linux Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC | Alpine + iptables/nftables + WireGuard |
| Linux Client (LXC) | 0.5 | 256 MB | 1 GB | LXC | Alpine or Debian |
| Linux Server (LXC) | 0.5 | 256 MB | 1 GB | LXC | nginx, BIND |
| Internet Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC | Static routes |
| Total per student | 2 | 768 MB | 3 GB | — | Cannot teach pfSense GUI; teaches concepts only |
Important: pfSense is FreeBSD-based and cannot run in Linux containers (Docker/LXC). Stack C is suitable for teaching routing/VPN concepts using Linux tools (iptables, nftables, WireGuard, strongSwan), but not for teaching the pfSense web interface. For pfSense GUI training, use Stack A or B.
Server Capacity: 20% Utilization Target
The goal is to run the training environment using only 20% of the 200-core / 1TB RAM server, leaving 80% for other Comfac workloads (ERPNext, AI models, file services).
20% of available resources:
- 40 vCPUs (20% of 200)
- 200 GB RAM (20% of 1 TB)
- ~2 TB SSD (assuming 10 TB array, 20% = 2 TB)
Concurrent student capacity at 20% utilization:
| Stack | Per-Student Resources | Students at 20% CPU | Students at 20% RAM | Limiting Factor |
|---|---|---|---|---|
| A: Pure Linux | 3 vCPU / 1.4 GB | 13 | 142 | CPU: 13 students |
| B: Windows | 6.5 vCPU / 6.8 GB | 6 | 29 | CPU: 6 students |
| C: Containers | 2 vCPU / 0.8 GB | 20 | 250 | CPU: 20 students |
Recommendation: Use Stack A (Pure Linux) for all labs. This yields ~13 concurrent students within the 20% budget, or up to ~30 students if spread across time slots (not everyone needs a lab simultaneously).
Smaller Server: What Hardware for 10 Students?
If buying a dedicated training server instead of using the 200-core machine:
| Stack | CPU | RAM | Storage | NICs | Example Hardware |
|---|---|---|---|---|---|
| A: Pure Linux | 32 cores | 32 GB | 500 GB NVMe | 2x 1GbE | Used Dell R630/R640 (~$300-500) |
| B: Windows | 64 cores | 96 GB | 1 TB NVMe | 2x 1GbE | Used Dell R740 / HP DL360 (~$600-900) |
| C: Containers | 16 cores | 16 GB | 250 GB NVMe | 2x 1GbE | Old desktop + Intel NIC (~$100-200) |
Dedicated Training Server Strategy (Recommended)
The 200-core / 1TB RAM machine is Comfac's primary production server (ERPNext, AI models, file services, build pipelines). Running training labs on it consumes resources that could be used for revenue-generating workloads.
Recommendation: Do NOT run training on the 200-core server. Instead, deploy training on a dedicated, smaller machine.
| Option | Hardware | Cost (Used) | Capacity (Stack A) | Power | Notes |
|---|---|---|---|---|---|
| A. Mini-PC Cluster | 3× Intel N100/N305 mini-PCs (4c/8t, 16GB RAM, 512GB SSD each) | ~$450 total | 12 students | ~45W total | Silent, no rack needed. One PC fails = 4 students affected. |
| B. Single Used Server | Dell R630 / HP DL360 Gen9 (2× E5-2680v4, 64GB RAM, 1TB NVMe) | ~$400-600 | 15-20 students | ~150W | Rackmount, redundant PSU, IPMI. |
| C. Desktop Repurpose | Old Comfac desktop (i5-8400, 32GB RAM, 500GB SSD) + Intel i350-T4 NIC | $0 + $50 NIC | 6-8 students | ~65W | Free if you have spare desktops. |
| D. ARM SBC Cluster | 4× Raspberry Pi 5 (4GB) + 1× Pi 5 (8GB as controller) | ~$300 total | 4-6 students | ~25W total | Cannot run x86 pfSense; must use Linux routers (Stack C only). |
Best choice for Comfac: Option B (Single Used Server) or Option C (Repurpose Desktop).
- Option B gives headroom for growth to 20 students
- Option C is free if you have retiring desktops from the Win2Lin migration
- Both keep the 200-core server 100% free for production
Cost-Benefit: 200-Core Server vs Dedicated Training Box
| Factor | Training on 200-Core Server | Dedicated Training Server |
|---|---|---|
| Hardware Cost | $0 (already owned) | $0-$600 |
| Power Cost | Already running | +$10-30/month |
| Opportunity Cost | High — 20% of server unavailable for ERPNext/AI/builds | Zero — production server untouched |
| Risk | Training crashes could affect production VMs | Isolated; training issues contained |
| Noise/Location | Must stay in server room | Mini-PC or desktop can sit in training room |
| Maintenance Window | Must coordinate with production | Anytime; reboot freely |
Verdict: A $400 used server or a $0 repurposed desktop pays for itself in 1-2 months by keeping the 200-core machine fully available for production workloads.
Cluster-in-a-Box: Old PC + Proxmox VE
For the absolute lowest cost (repurposed old PC):
- Install Proxmox VE (Debian-based hypervisor with web GUI)
- Create LXC templates for Alpine/Debian clients
- Create KVM VMs for pfSense microVMs
- Install NoVNC via Proxmox built-in console or add Kimchi/Guacamole
- Students access via browser to the Proxmox web UI
Specs needed for 8 students (Stack A):
- CPU: 6-core / 12-thread (Intel 6th-gen i5 or better; AMD Ryzen 5)
- RAM: 32 GB DDR4
- Storage: 500 GB NVMe or SSD
- NIC: Intel i350-T4 quad-port (for VLANs and bridges)
- Cost: $0 (old PC) + $50 (NIC) if you already have the PC
This is the path of least resistance for Comfac given the Win2Lin migration will free up desktops.
Exercise-Limited Deployment (Right-Sizing per Lab)
Not every lab needs the full sandbox. Deploy only what is needed:
| Lab | Stack A Deployed | vCPUs Used | RAM Used | Disk Used |
|---|---|---|---|---|
| Day 1 — Theory only | None (wiki only) | 0 | 0 | 0 |
| Lab 1 (Intro/Backup) | 1 pfSense + 1 client | 1.5 | 768 MB | 5 GB |
| Lab 2 (Rules) | 1 pfSense + 1 client + 1 server | 2 | 1 GB | 6 GB |
| Lab 3 (NAT) | 1 pfSense + 1 server + router | 2 | 900 MB | 5.5 GB |
| Lab 4 (Services) | 2 pfSense + 2 clients + 1 server | 4 | 2.1 GB | 11 GB |
| Lab 5-7 (VPNs) | 2 pfSense + 2 clients | 3 | 1.5 GB | 10 GB |
| Lab 8 (Multi-WAN) | 1 pfSense + 1 client + router | 2 | 900 MB | 5.5 GB |
| Lab 9 (Shaping) | 1 pfSense + 2 clients | 2.5 | 1.3 GB | 6 GB |
| Lab 10 (HA) | 2 pfSense + 1 client | 2.5 | 1.3 GB | 9 GB |
Scheduling strategy: If students are scheduled in 1-hour slots and labs are provisioned on-demand, the same 40 vCPUs / 200 GB RAM can serve 40-60 student-slots per day (not concurrently, but sequentially).
Phase 1: Resource Setup Validation
Before full student rollout, validate the resource model with these tests:
| Test | Purpose | Command / Method | Pass Criteria |
|---|---|---|---|
| T1: MicroVM Boot | Verify pfSense runs in 512MB/1vCPU | qemu-system-x86_64 -m 512 -smp 1 -drive file=pfsense.qcow2 | Boots to login in < 120s |
| T2: LXC Container Spawn | Verify sub-1GB containers work | lxc launch images:alpine/3.19 client | Starts in < 10s; SSH reachable |
| T3: NoVNC Session | Verify one student can access console | websockify + TigerVNC | 640x480 responsive; < 500ms latency |
| T4: 5 Concurrent Students | Validate 20% CPU/RAM budget | Ansible: deploy 5x Stack A | Total < 8 vCPU, < 7 GB RAM |
| T5: Lab 4 Full Deploy | Heaviest lab (2 pfSense + 2 clients + server) | ansible-playbook lab4.yml | Deploys in < 5 min; all VMs pingable |
| T6: Snapshot Reset Speed | Time to reset between students | virsh snapshot-revert + virsh start | < 60 seconds total |
| T7: AI Evaluation Readiness | Validate environment for automated testing | See AI Evaluation section below | All labs pass synthetic health checks |
AI Evaluation: Automated Readiness Testing
Before students arrive, AI agents will validate that each lab environment is functional. This replaces manual smoke-testing.
Evaluation Stack:
- Qwen 3.5 Instruct Coder (9GB) — Runs locally on the 200-core server or a dedicated GPU box. Evaluates: pfSense GUI accessibility, rule syntax, VPN handshake status, config.xml validity.
- DeepSeek Coder (optional) — Cloud or local. Validates Ansible playbook correctness, network topology logic, resource allocation math.
- OpenCode (local agent) — Executes shell commands inside VMs/containers via SSH/API. Performs end-to-end tests: ping, curl, ipsec status, wg show, etc.
Automated Test Sequence (per lab):
- Deploy lab environment via Ansible
- AI agent logs into pfSense (admin credentials)
- Screenshot/check each configured page matches expected state
- Run connectivity tests from client VMs
- Verify services are listening on correct ports
- Generate pass/fail report with specific error details
- Destroy lab environment
Benefits:
- Catch broken base images before students arrive
- Validate that config.xml injections work correctly
- Ensure network isolation between students
- Measure actual resource usage vs. estimates
- Generate readiness dashboard for instructors
Implementation:
- Python + Selenium/Playwright for pfSense GUI testing
- Paramiko/fabric for SSH-based VM tests
- pytest framework for test organization
- GitHub Actions or local Cron for scheduled runs
- Output: Markdown report posted to wiki or sent via Matrix/Email
Related Infrastructure
- System Hardening Strategy: Win2Lin Migration & Infrastructure 251129 — Server migration and infrastructure hardening
- Introduction: Why Self-Host Your Email? — Self-hosted email infrastructure context
- Mailcow + Thunderbird Setup Guide (Email + Calendar) — Email server deployment
- Portainer to Docker Compose Migration Guide — Container orchestration for network services
This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.