Networking PfSense Index: Difference between revisions
Justinaquino: Update Resource Estimates: Add Linux FOSS vs Windows stacks, 20% utilization target, container analysis, AI evaluation, exercise-limited deployment
Justinaquino: Add Dedicated Training Server Strategy: recommend separate machine instead of 200-core server; include mini-PC cluster, used server, desktop repurpose, ARM SBC options; cost-benefit analysis
Latest revision as of 10:42, 23 April 2026
Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.
pfSense Core Guides
- pfSense Sales Training Material — Product knowledge and sales positioning for Netgate/pfSense hardware and software
- Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL
- pfSense CE → pfSense Plus Upgrade Guide — Step-by-step migration from Community Edition to pfSense Plus
- SOP: Network Troubleshooting & pfSense Monitoring 251130 — Standard operating procedures for network diagnostics and pfSense health monitoring
Network Infrastructure & Equipment
- Tplink Mikrotik Equivalent — Cross-reference of TP-Link and MikroTik models for network deployments
- Controller Systems 251213-01 — Network and infrastructure controller systems
- Power Distribution Tree 251213 — Power architecture for network and server racks
- NPM Migration to Homelab VPS Relay 260401 — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy
DNS, Ad Blocking & Pi-hole
- Comfac Pi-hole Repository — GitHub repository for Pi-hole DNS sinkhole deployment
- How Pi-hole Works — Technical overview of the Pi-hole DNS filtering architecture
Training & Skills
- Skills and Competencies for IT Staff Trained in pfSense — Required competencies and certification path for pfSense-administering staff
- PfSense Training Project Tracker — Implementation tracker for the NoVNC virtual lab, material conversion, and curriculum development
Practical Training System (NoVNC Virtual Lab)
Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser. The environment was originally sized against Comfac's 200-core / 1TB RAM machine (the 20% budget below); the Dedicated Training Server Strategy section now recommends a separate training host so that production is left untouched.
Training Architecture Vision
Each student gets an isolated virtual network sandbox containing:
- 2× pfSense VMs (HQ HA pair or HQ + Branch)
- 1–2× Client VMs (Windows/Linux desktop)
- 1× Server VM (web/DNS/target)
- 1× Simulated "Internet" router VM
Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.
Resource Estimates Per Student
Stack A: Pure Linux / FOSS (Recommended for Comfac)
All components run on open-source software. Clients are lightweight Linux VMs or LXC containers. No Windows licensing required.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| pfSense VM | 1 | 512 MB | 4 GB | KVM microVM | FreeBSD guest, so it needs a real KVM/QEMU VM, not a container; 512 MB is below Netgate's recommended 1 GB and is validated by test T1 below |
| Linux Client (LXC) | 0.5 | 256 MB | 1 GB | LXC container | Alpine or Debian with XFCE; NoVNC access |
| Linux Server (LXC) | 0.5 | 256 MB | 1 GB | LXC container | nginx, BIND, or simple Python HTTP |
| Internet Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC container | Static routes only; FRR optional |
| NoVNC Proxy (Docker) | 0.5 | 256 MB | 0.5 GB | Docker container | websockify + nginx |
| Total per student | 3 | 1.4 GB | 7 GB | — | Thin-provisioned; linked clones |
Stack B: Windows Client (Full Desktop Experience)
For trainees who need a Windows desktop for browser-based management or specific client software.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| pfSense VM | 2 | 1 GB | 8 GB | KVM | Standard qcow2 image |
| Windows Client | 2 | 4 GB | 40 GB | KVM | Stripped-down Windows 10/11 image (requires Windows licensing); software rendering is enough for browser-based pfSense admin, a GPU only matters for GUI-heavy client software |
| Ubuntu Server | 1 | 1 GB | 10 GB | KVM | Full VM for compatibility |
| Internet Router | 1 | 512 MB | 4 GB | KVM | Ubuntu with static routes |
| NoVNC Proxy | 0.5 | 256 MB | 0.5 GB | Docker | Counted per student here for comparability with Stack A; in practice one proxy serves all students |
| Total per student | 6.5 | 6.8 GB | 63 GB | — | Higher resource cost |
Stack C: Hybrid — Containers for Linux Router Exercises
For basic routing/firewall concept labs only (not pfSense-specific), replace pfSense with Linux routers in containers.
| Component | vCPUs | RAM | Disk | Virtualization | Notes |
|---|---|---|---|---|---|
| Linux Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC | Alpine + iptables/nftables + WireGuard |
| Linux Client (LXC) | 0.5 | 256 MB | 1 GB | LXC | Alpine or Debian |
| Linux Server (LXC) | 0.5 | 256 MB | 1 GB | LXC | nginx, BIND |
| Internet Router (LXC) | 0.5 | 128 MB | 0.5 GB | LXC | Static routes |
| Total per student | 2 | 768 MB | 3 GB | — | Cannot teach pfSense GUI; teaches concepts only |
Important: pfSense is FreeBSD-based and cannot run in Linux containers (Docker/LXC), because a container shares the host's Linux kernel. Stack C is suitable for teaching routing/VPN concepts using Linux tools (iptables, nftables, WireGuard, strongSwan), but not for teaching the pfSense web interface. For pfSense GUI training, use Stack A or B.
Server Capacity: 20% Utilization Target
The goal is to run the training environment using only 20% of the 200-core / 1TB RAM server, leaving 80% for other Comfac workloads (ERPNext, AI models, file services).
20% of available resources:
- 40 vCPUs (20% of 200)
- 200 GB RAM (20% of 1 TB)
- ~2 TB SSD (assuming 10 TB array, 20% = 2 TB)
Concurrent student capacity at 20% utilization:
| Stack | Per-Student Resources | Students at 20% CPU | Students at 20% RAM | Limiting Factor |
|---|---|---|---|---|
| A: Pure Linux | 3 vCPU / 1.4 GB | 13 | 142 | CPU: 13 students |
| B: Windows | 6.5 vCPU / 6.8 GB | 6 | 29 | CPU: 6 students |
| C: Containers | 2 vCPU / 0.8 GB | 20 | 250 | CPU: 20 students |
Recommendation: Use Stack A (Pure Linux) for all labs. This yields ~13 concurrent students within the 20% budget when every vCPU is backed by a physical core, or up to ~30 students if spread across time slots (not everyone needs a lab simultaneously). The 1:1 vCPU mapping is conservative: lab guests sit mostly idle, and the dedicated-hardware options below already assume 3:1 to 4:1 CPU oversubscription, so in practice RAM and disk I/O during simultaneous boots limit capacity before CPU does.
Smaller Server: What Hardware for 10 Students?
If buying a dedicated training server instead of using the 200-core machine:
| Stack | CPU | RAM | Storage | NICs | Example Hardware |
|---|---|---|---|---|---|
| A: Pure Linux | 32 cores | 32 GB | 500 GB NVMe | 2x 1GbE | Used Dell R630/R640 (~$300-500) |
| B: Windows | 64 cores | 96 GB | 1 TB NVMe | 2x 1GbE | Used Dell R740 / HP DL360 (~$600-900) |
| C: Containers | 16 cores | 16 GB | 250 GB NVMe | 2x 1GbE | Old desktop + Intel NIC (~$100-200) |
Dedicated Training Server Strategy (Recommended)
The 200-core / 1TB RAM machine is Comfac's primary production server (ERPNext, AI models, file services, build pipelines). Running training labs on it consumes resources that could be used for revenue-generating workloads.
Recommendation: Do NOT run training on the 200-core server. Instead, deploy training on a dedicated, smaller machine.
| Option | Hardware | Cost (Used) | Capacity (Stack A) | Power | Notes |
|---|---|---|---|---|---|
| A. Mini-PC Cluster | 3× Intel N100 (4c/4t) or N305 (8c/8t) mini-PCs (16GB RAM, 512GB SSD each) | ~$450 total | 12 students | ~45W total | Silent, no rack needed. 4 students per box is 12 vCPU on 4 threads for an N100 (3:1 oversubscription). One PC fails = 4 students affected. |
| B. Single Used Server | Dell R630 / HP DL360 Gen9 (2× E5-2680v4, 64GB RAM, 1TB NVMe) | ~$400-600 | 15-20 students | ~150W | Rackmount, redundant PSU, IPMI. |
| C. Desktop Repurpose | Old Comfac desktop (i5-8400, 32GB RAM, 500GB SSD) + Intel i350-T4 NIC | $0 + $50 NIC | 6-8 students | ~65W | Free if you have spare desktops. |
| D. ARM SBC Cluster | 4× Raspberry Pi 5 (4GB) + 1× Pi 5 (8GB as controller) | ~$300 total | 4-6 students | ~25W total | No pfSense build exists for the Pi (CE images are x86 only; pfSense Plus ARM builds ship only on Netgate appliances); must use Linux routers (Stack C only). |
Best choice for Comfac: Option B (Single Used Server) or Option C (Repurpose Desktop).
- Option B gives headroom for growth to 20 students
- Option C is free if you have retiring desktops from the Win2Lin migration
- Both keep the 200-core server 100% free for production
Cost-Benefit: 200-Core Server vs Dedicated Training Box
| Factor | Training on 200-Core Server | Dedicated Training Server |
|---|---|---|
| Hardware Cost | $0 (already owned) | $0-$600 |
| Power Cost | Already running | +$10-30/month |
| Opportunity Cost | High — 20% of server unavailable for ERPNext/AI/builds | Zero — production server untouched |
| Risk | Training crashes could affect production VMs | Isolated; training issues contained |
| Noise/Location | Must stay in server room | Mini-PC or desktop can sit in training room |
| Maintenance Window | Must coordinate with production | Anytime; reboot freely |
Verdict: A $400 used server or a $0 repurposed desktop pays for itself in 1-2 months if the reclaimed 20% of the production server is worth more than a few hundred dollars a month to ERPNext/AI/build workloads; the only recurring cost is the $10-30/month of power, and the 200-core machine stays fully available for production.
Cluster-in-a-Box: Old PC + Proxmox VE
For the absolute lowest cost (repurposed old PC):
- Install Proxmox VE (Debian-based KVM/LXC hypervisor with web GUI)
- Create LXC templates for Alpine/Debian clients and servers
- Create one pfSense KVM template and deploy per-student instances as linked clones
- Use the Proxmox console for student access (it is already noVNC), or front it with Apache Guacamole if you want a portal that hides the hypervisor UI (Kimchi has seen little development in recent years)
- Students log in to the Proxmox web UI with per-student accounts scoped by resource pool and the PVEVMUser role, so each student can only see, power-cycle and open the console of their own guests, not the host, storage, or other students' VMs
Specs needed for 8 students (Stack A):
- CPU: 6 cores / 12 threads (Intel i5-10400 or newer, or AMD Ryzen 5 2600/3600); a 6c/6t i5-8400 as in Option C also works with less CPU headroom. Note that 6th-gen Intel i5 parts are 4c/4t and fall short of this spec.
- RAM: 32 GB DDR4
- Storage: 500 GB NVMe or SSD
- NIC: Intel i350-T4 quad-port (one port for host management, the others as a VLAN-aware lab trunk, so student VLANs never share the management interface)
- Cost: $0 (old PC) + $50 (NIC) if you already have the PC
This is the path of least resistance for Comfac given the Win2Lin migration will free up desktops.
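The per-student sandbox described above only isolates students if every student gets disjoint VLANs, disjoint address space, and a Proxmox account that cannot see anyone else's guests. The following is an added example (not Comfac's or Proxmox's own tooling) that generates that plan for the Stack A sandbox and checks the isolation invariant before anything is created. It assumes a VLAN-aware bridge named vmbr1 dedicated to lab traffic, the built-in `pve` auth realm, pre-built templates with VMIDs 9000 (pfSense) and 9001 (Alpine LXC), and the `10.<student>.0.0/16` addressing scheme; all of those names and numbers are assumptions. The `pveum`/`qm`/`pct` strings use documented option syntax but are only generated here, not executed.

```python
"""Per-student isolation plan for the Proxmox VE training host.

Added example for this page, not Comfac's or Proxmox's own tooling. Bridge
name, realm, template VMIDs and the addressing scheme are assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

LAB_BRIDGE = "vmbr1"        # assumption: VLAN-aware bridge carrying only lab segments
SEGMENTS = ("wan", "lan")   # pfSense WAN side and LAN side, one VLAN each
VLAN_BASE = 100             # tags below 100 stay reserved for host/management use
VLANS_PER_STUDENT = 4       # 2 in use; spare tags for a later HA SYNC or OPT segment
VMID_BASE = 1000
VMIDS_PER_STUDENT = 10
PFSENSE_TEMPLATE, LXC_TEMPLATE = 9000, 9001   # assumption: pre-built templates
MAX_STUDENTS = 200          # keeps 10.<index>.0.0/16 and the VLAN tags in range


@dataclass
class StudentPlan:
    index: int
    user: str
    pool: str
    vlans: dict
    subnets: dict
    vmids: dict
    commands: list = field(default_factory=list)


def plan_student(index: int) -> StudentPlan:
    """Allocate disjoint VLANs, subnets, VMIDs and a scoped Proxmox account for one student."""
    if not 1 <= index <= MAX_STUDENTS:
        raise ValueError(f"student index {index} outside 1..{MAX_STUDENTS}")
    first_tag = VLAN_BASE + (index - 1) * VLANS_PER_STUDENT
    vlans = {seg: first_tag + i for i, seg in enumerate(SEGMENTS)}
    if max(vlans.values()) > 4094:
        raise ValueError("VLAN tag overflow")
    # One /16 per student, a /24 per segment: addressing stays disjoint across
    # students even if a student points a gateway at the wrong place.
    block = ipaddress.ip_network(f"10.{index}.0.0/16")
    nets = list(block.subnets(new_prefix=24))
    subnets = {"wan": nets[0], "lan": nets[1]}
    base = VMID_BASE + (index - 1) * VMIDS_PER_STUDENT
    vmids = {"pfsense": base + 1, "client": base + 2, "server": base + 3, "inet": base + 4}
    tag = f"s{index:03d}"
    user, pool = f"{tag}@pve", f"lab-{tag}"
    wan, lan = subnets["wan"], subnets["lan"]
    cmds = [
        f"pveum pool add {pool}",
        f"pveum user add {user}",
        # PVEVMUser grants console, power management and config-read on pool
        # members only: no node, storage or other-pool rights.
        f"pveum acl modify /pool/{pool} --users {user} --roles PVEVMUser",
        # Linked clones from templates; --pool places each guest under the student's ACL.
        f"qm clone {PFSENSE_TEMPLATE} {vmids['pfsense']} --name {tag}-pfsense --pool {pool}",
        f"pct clone {LXC_TEMPLATE} {vmids['client']} --hostname {tag}-client --pool {pool}",
        f"pct clone {LXC_TEMPLATE} {vmids['server']} --hostname {tag}-server --pool {pool}",
        f"pct clone {LXC_TEMPLATE} {vmids['inet']} --hostname {tag}-inet --pool {pool}",
        # Every NIC carries this student's VLAN tag; firewall=1 attaches the Proxmox
        # guest firewall so host-side rules apply regardless of what the guest does.
        f"qm set {vmids['pfsense']} --net0 virtio,bridge={LAB_BRIDGE},tag={vlans['wan']},firewall=1"
        f" --net1 virtio,bridge={LAB_BRIDGE},tag={vlans['lan']},firewall=1",
        f"pct set {vmids['client']} --net0 name=eth0,bridge={LAB_BRIDGE},tag={vlans['lan']},"
        f"ip={lan[10]}/24,gw={lan[1]},firewall=1",
        f"pct set {vmids['server']} --net0 name=eth0,bridge={LAB_BRIDGE},tag={vlans['lan']},"
        f"ip={lan[20]}/24,gw={lan[1]},firewall=1",
        f"pct set {vmids['inet']} --net0 name=eth0,bridge={LAB_BRIDGE},tag={vlans['wan']},"
        f"ip={wan[1]}/24,firewall=1",
    ]
    return StudentPlan(index, user, pool, vlans, subnets, vmids, cmds)


def check_isolation(plans: list) -> list:
    """Return problems found; an empty list means no two students share a VLAN or subnet."""
    problems = []
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            shared = set(a.vlans.values()) & set(b.vlans.values())
            if shared:
                problems.append(f"{a.pool} and {b.pool} share VLAN(s) {sorted(shared)}")
            for na in a.subnets.values():
                for nb in b.subnets.values():
                    if na.overlaps(nb):
                        problems.append(f"{a.pool} {na} overlaps {b.pool} {nb}")
    return problems


if __name__ == "__main__":
    plans = [plan_student(i) for i in range(1, 14)]   # the 13 concurrent Stack A students
    print("\n".join(plans[0].commands))
    print("isolation problems:", check_isolation(plans) or "none")
```

Two host-side prerequisites make the generated plan effective: the lab bridge must be configured with `bridge-vlan-aware yes` or the `tag=` options are ignored, and the Proxmox firewall must be enabled at the datacenter and node level as well as on the guest, or `firewall=1` on a NIC has no effect. Review the emitted commands for one student before running them for a cohort; students should never be able to reach each other's LAN gateway, which is exactly what Lab 1 of the readiness tests should confirm.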
Exercise-Limited Deployment (Right-Sizing per Lab)
Not every lab needs the full sandbox. Deploy only what is needed:
| Lab | Stack A Deployed | vCPUs Used | RAM Used | Disk Used |
|---|---|---|---|---|
| Day 1 — Theory only | None (wiki only) | 0 | 0 | 0 |
| Lab 1 (Intro/Backup) | 1 pfSense + 1 client | 1.5 | 768 MB | 5 GB |
| Lab 2 (Rules) | 1 pfSense + 1 client + 1 server | 2 | 1 GB | 6 GB |
| Lab 3 (NAT) | 1 pfSense + 1 server + router | 2 | 900 MB | 5.5 GB |
| Lab 4 (Services) | 2 pfSense + 2 clients + 1 server | 3.5 | 1.8 GB | 11 GB |
| Lab 5-7 (VPNs) | 2 pfSense + 2 clients | 3 | 1.5 GB | 10 GB |
| Lab 8 (Multi-WAN) | 1 pfSense + 1 client + router | 2 | 900 MB | 5.5 GB |
| Lab 9 (Shaping) | 1 pfSense + 2 clients | 2 | 1 GB | 6 GB |
| Lab 10 (HA) | 2 pfSense + 1 client | 2.5 | 1.3 GB | 9 GB |
Scheduling strategy: If students are scheduled in 1-hour slots and labs are provisioned on-demand, the same 40 vCPUs / 200 GB RAM can serve 40-60 student-slots per day (not concurrently, but sequentially).
Phase 1: Resource Setup Validation
Before full student rollout, validate the resource model with these tests:
| Test | Purpose | Command / Method | Pass Criteria |
|---|---|---|---|
| T1: MicroVM Boot | Verify pfSense runs in 512MB/1vCPU | qemu-system-x86_64 -enable-kvm -m 512 -smp 1 -drive file=pfsense.qcow2,format=qcow2,if=virtio | Boots to login in < 120s |
| T2: LXC Container Spawn | Verify sub-1GB containers work | lxc launch images:alpine/3.19 client (LXD/Incus syntax; on Proxmox use pct create with a downloaded Alpine template) | Starts in < 10s; SSH reachable |
| T3: NoVNC Session | Verify one student can access console | websockify + TigerVNC | 640x480 responsive; < 500ms latency |
| T4: 5 Concurrent Students | Validate 20% CPU/RAM budget | Ansible: deploy 5x Stack A | 15 vCPU / 7 GB RAM allocated; measured host load < 8 cores, guest RAM in use < 7 GB |
| T5: Lab 4 Full Deploy | Heaviest lab (2 pfSense + 2 clients + server) | ansible-playbook lab4.yml | Deploys in < 5 min; all VMs pingable |
| T6: Snapshot Reset Speed | Time to reset between students | virsh snapshot-revert + virsh start (libvirt; on Proxmox: qm rollback / pct rollback, then start) | < 60 seconds total |
| T7: AI Evaluation Readiness | Validate environment for automated testing | See AI Evaluation section below | All labs pass synthetic health checks |
AI Evaluation: Automated Readiness Testing
Before students arrive, AI agents will validate that each lab environment is functional. This replaces manual smoke-testing.
Evaluation Stack:
- Qwen 3.5 Instruct Coder (9GB) — Runs locally on the 200-core server or a dedicated GPU box. Evaluates: pfSense GUI accessibility, rule syntax, VPN handshake status, config.xml validity.
- DeepSeek Coder (optional) — Cloud or local. Validates Ansible playbook correctness, network topology logic, resource allocation math.
- OpenCode (local agent) — Executes shell commands inside VMs/containers via SSH/API. Performs end-to-end tests: ping, curl, ipsec status, wg show, etc.
Automated Test Sequence (per lab):
- Deploy lab environment via Ansible
- AI agent logs into pfSense using a dedicated evaluator account with only the page privileges the checks need, not the admin credentials, since the evaluation host has to store that password
- Screenshot/check each configured page matches expected state
- Run connectivity tests from client VMs
- Verify services are listening on correct ports
- Generate pass/fail report with specific error details
- Destroy lab environment
Benefits:
- Catch broken base images before students arrive
- Validate that config.xml injections work correctly
- Ensure network isolation between students
- Measure actual resource usage vs. estimates
- Generate readiness dashboard for instructors
Implementation:
- Python + Selenium/Playwright for pfSense GUI testing
- Paramiko/fabric for SSH-based VM tests
- pytest framework for test organization
- GitHub Actions or local Cron for scheduled runs
- Output: Markdown report posted to wiki or sent via Matrix/Email
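Two of the checks listed above (config.xml validity and VPN handshake status) can be done offline from artifacts pulled out of the lab, without a model in the loop. The following is an added example of such checks as plain pytest-style Python functions; it is not Comfac's tooling. The config.xml excerpts and the `wg show` dump are constructed for the example, the element paths follow pfSense's config.xml layout (`system/webgui/protocol`, `filter/rule`), and the 180-second handshake-age threshold is an assumption.

```python
"""Offline readiness checks for a deployed pfSense lab.

Added example for this page's automated readiness testing; not Comfac's
tooling. Samples below are constructed, not captured from a real lab.
"""
import xml.etree.ElementTree as ET

# A config.xml fetched from a student-controlled VM is untrusted input. The stdlib
# parser does not fetch external entities; swap in defusedxml.ElementTree where it
# is installed to also block entity-expansion bombs.


def audit_config_xml(xml_text: str) -> list:
    """Return findings for a pfSense config.xml; an empty list means it passed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config.xml not well-formed: {exc}"]
    if root.tag != "pfsense":
        findings.append(f"root element is <{root.tag}>, expected <pfsense>")
    proto = root.findtext("system/webgui/protocol")
    if proto != "https":
        findings.append(f"webgui protocol is {proto!r}, expected 'https'")
    if root.find("filter") is None:
        findings.append("no <filter> section: rules were not injected")
    for n, rule in enumerate(root.findall("filter/rule")):
        if rule.findtext("type") != "pass":
            continue
        # <any/> is an empty element, so test for presence, never truthiness.
        if (rule.findtext("interface") == "wan"
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None):
            findings.append(f"filter rule {n}: pass any -> any on WAN")
    return findings


def wg_peer_status(dump: str, now: int, max_age_s: int = 180) -> dict:
    """Map each peer public key to 'ok' or a reason, from `wg show <iface> dump`.

    Dump lines are tab-separated: one interface line, then one per peer with
    public-key, preshared-key, endpoint, allowed-ips, latest-handshake (Unix
    time, 0 if never), rx bytes, tx bytes, persistent-keepalive. WireGuard only
    re-handshakes while traffic flows, so push a ping through the tunnel before
    sampling, or an idle-but-healthy tunnel reports a stale handshake.
    """
    status = {}
    for line in dump.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            status[fields[0]] = "unparseable peer line"
            continue
        pub, _psk, _endpoint, _allowed, handshake, rx, _tx, _keepalive = fields
        age = now - int(handshake)
        if int(handshake) == 0:
            status[pub] = "never completed a handshake"
        elif age > max_age_s:
            status[pub] = f"stale handshake ({age}s ago)"
        elif int(rx) == 0:
            status[pub] = "handshake ok but nothing received"
        else:
            status[pub] = "ok"
    return status


# --- constructed samples (not captured from a real lab) ---
CONFIG_GOOD = """<pfsense><system><hostname>hq-fw</hostname>
<webgui><protocol>https</protocol></webgui></system>
<filter><rule><type>pass</type><interface>lan</interface>
<source><network>lan</network></source><destination><any/></destination></rule></filter></pfsense>"""

CONFIG_BAD = """<pfsense><system><webgui><protocol>http</protocol></webgui></system>
<filter><rule><type>pass</type><interface>wan</interface>
<source><any/></source><destination><any/></destination></rule></filter></pfsense>"""

NOW = 1_700_000_000
WG_DUMP = "\n".join([
    "\t".join(["(hidden)", "hq-pubkey", "51820", "off"]),
    "\t".join(["branch-pubkey", "(none)", "203.0.113.5:51820", "10.9.0.2/32",
               str(NOW - 45), "2048", "1024", "25"]),
    "\t".join(["laptop-pubkey", "(none)", "(none)", "10.9.0.3/32", "0", "0", "0", "off"]),
    "\t".join(["old-pubkey", "(none)", "198.51.100.7:51820", "10.9.0.4/32",
               str(NOW - 3600), "512", "512", "off"]),
])

if __name__ == "__main__":
    print(audit_config_xml(CONFIG_GOOD) or "config.xml: pass")
    print(audit_config_xml(CONFIG_BAD))
    print(wg_peer_status(WG_DUMP, NOW))
```

In the harness, `audit_config_xml` would run against `/cf/conf/config.xml` fetched over SSH and `wg_peer_status` against `wg show wg0 dump` captured from the pfSense shell, with `now` taken from the same host so clock skew between the evaluator and the firewall does not produce false "stale" results.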
Related Infrastructure
- System Hardening Strategy: Win2Lin Migration & Infrastructure 251129 — Server migration and infrastructure hardening
- Introduction: Why Self-Host Your Email? — Self-hosted email infrastructure context
- Mailcow + Thunderbird Setup Guide (Email + Calendar) — Email server deployment
- Portainer to Docker Compose Migration Guide — Container orchestration for network services
This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.