PfSense Training Project Tracker: Difference between revisions

Convert all Netgate FUND001 training PDFs into CITWiki pages with detailed summaries. Each wiki page should include: learning objectives, key concepts, step-by-step lab instructions adapted for virtual environment, and troubleshooting tips.

• [x] SEG1 — Introduction to pfSense → Training: pfSense Introduction
• [x] SEG2 — Interfaces, VIPs, and Rules → Training: Interfaces and Firewall Rules
• [x] SEG3 — NAT and VIPs → Training: NAT and Virtual IPs
• [x] SEG4 — pfSense Services → Training: pfSense Services
• [x] SEG5 — VPNs and IPsec → Training: IPsec VPN
• [x] SEG6 — OpenVPN → Training: OpenVPN
• [x] SEG7 — WireGuard → Training: WireGuard
• [x] SEG8 — Multi-WAN → Training: Multi-WAN
• [x] SEG9 — Traffic Shaping → Training: Traffic Shaping
• [x] SEG10 — High Availability → Training: High Availability
• [x] SEG11 — Other Features → Training: Monitoring and Packages

• [x] Lab 1 — Intro, Getting Started, Backup/Restore → Training Lab 1: Introduction and Backup Restore
• [x] Lab 2 — Interfaces, Firewall Rules, Aliases → Training Lab 2: Firewall Rules and Aliases
• [x] Lab 3 — Virtual IPs and NAT → Training Lab 3: NAT and Virtual IPs
• [x] Lab 4 — Services and Branch Network Setup → Training Lab 4: Services and Branch Network
• [x] Lab 5 — IPsec → Training Lab 5: IPsec VPN
• [x] Lab 6 — OpenVPN → Training Lab 6: OpenVPN
• [x] Lab 7 — WireGuard → Training Lab 7: WireGuard
• [x] Lab 8 — Multi-WAN → Training Lab 8: Multi-WAN
• [x] Lab 9 — Traffic Shaping → Training Lab 9: Traffic Shaping
• [x] Lab 10 — High Availability → Training Lab 10: High Availability

• [x] Introduction Training (Module 0) → Training: Setting Up a Firewall for Yourself — Personal/small business firewall
• [ ] the-pfsense-documentation.pdf → Summarize into Training: pfSense Complete Reference or link as external reference
• [ ] WindowsTrainingSupportFiles.zip → Extract and document client software requirements (Training: Client Software Requirements)
• [ ] Training Videos (4× .mkv) → Catalog timestamps and link from relevant wiki pages

Build the virtual training environment on a dedicated training machine — NOT the 200-core / 1TB RAM production server. The 200-core machine should remain fully available for ERPNext, AI workloads, and production services.

• [x] R.1 Compare Pure Linux (FOSS) vs Windows stacks -> Networking PfSense Index#Resource Estimates Per Student
• [x] R.2 Calculate 20% server utilization targets -> 13 students (Linux), 6 students (Windows)
• [x] R.3 Analyze container-based alternatives -> LXC for Linux routers; KVM still required for pfSense
• [x] R.4 Define exercise-limited deployment model -> Right-size per lab; 0-4 vCPUs per student
• [x] R.5 Specify smaller server options for 10 students -> Dell R630 (Linux) / R740 (Windows)
• [x] R.6 Design AI evaluation pipeline -> Qwen 3.5 Coder 9GB + DeepSeek + OpenCode for automated readiness
• [x] R.7 Decide against using 200-core server -> Training will run on dedicated used server or repurposed desktop

• [ ] H.1 Audit retiring desktops from Win2Lin migration for reuse as training server
• [ ] H.2 If no suitable desktop: procure used Dell R630/R640 (32c/64GB) or HP DL360 Gen9
• [ ] H.3 If rack space/noise is issue: procure 3x Intel N100 mini-PCs for silent cluster
• [ ] H.4 Install Intel i350-T4 quad-port NIC if machine only has 1 Ethernet port
• [ ] H.5 Label machine as CIT-TRAINING-01; document in asset inventory

• [ ] A.1 Install Ubuntu Server LTS 22.04/24.04 on training hardware
• [ ] A.2 Configure KVM/libvirt with storage pools (NVMe for golden images, SSD for ephemeral clones)
• [ ] A.3 Set up network bridges: br-mgmt, br-lan, br-wan, br-dmz, br-internet
• [ ] A.4 Configure VLANs for student isolation (one VLAN per student or per lab)
• [ ] A.5 Install and configure Ansible controller (host or Docker container)
• [ ] A.6 Verify training machine has no dependency on 200-core server (standalone)

• [ ] B.1 Download pfSense CE ISO and create qcow2 golden image (1 vCPU, 512 MB RAM, 4 GB disk - microVM)
• [ ] B.2 Create Alpine Linux LXC golden image (0.5 vCPU, 256 MB RAM, 1 GB disk)
• [ ] B.3 Create Debian XFCE LXC golden image for NoVNC client (0.5 vCPU, 256 MB RAM, 2 GB disk)
• [ ] B.4 Create Ubuntu Server LXC golden image (0.5 vCPU, 256 MB RAM, 1 GB disk)
• [ ] B.5 Create "Internet Router" LXC golden image (0.5 vCPU, 128 MB RAM, 0.5 GB disk)
• [ ] B.6 Test each golden image boots and functions correctly

• [ ] C.1 Write Ansible playbook: lab1-student-env.yml (1 pfSense microVM + 1 LXC client)
• [ ] C.2 Write Ansible playbook: lab2-student-env.yml (1 pfSense + 1 client + 1 server LXC)
• [ ] C.3 Write Ansible playbook: lab3-student-env.yml (1 pfSense + 1 server + internet router LXC)
• [ ] C.4 Write Ansible playbook: lab4-student-env.yml (2 pfSense + 2 clients + 1 server)
• [ ] C.5 Write Ansible playbooks for Labs 5-10 (VPNs, Multi-WAN, Shaping, HA)
• [ ] C.6 Write Ansible playbook: cleanup-student-env.yml (destroy VMs/LXCs, free resources)
• [ ] C.7 Write Ansible playbook: reset-student-env.yml (revert to snapshot/linked clone base)
• [ ] C.8 Test all playbooks end-to-end with a single student ID

• [ ] D.1 Evaluate Kimchi vs Apache Guacamole vs custom NoVNC proxy
• [ ] D.2 Install and configure chosen NoVNC solution
• [ ] D.3 Integrate NoVNC with student authentication (LDAP, local wiki accounts, or simple token-based)
• [ ] D.4 Build student dashboard: list of phases/labs, "Launch Lab" button, countdown timer
• [ ] D.5 Test 5 concurrent NoVNC sessions for stability
• [ ] D.6 Test 20 concurrent NoVNC sessions for performance

• [ ] E.1 Deploy Qwen 3.5 Instruct Coder 9GB on GPU box or 200-core host
• [ ] E.2 Build pytest + Selenium test suite for pfSense GUI validation
• [ ] E.3 Build SSH-based health check suite for VM/LXC connectivity
• [ ] E.4 Integrate DeepSeek or OpenCode for playbook syntax validation
• [ ] E.5 Create readiness dashboard (pass/fail per lab, resource usage graphs)
• [ ] E.6 Schedule automated nightly tests of all lab environments

Design the student-facing training program.

• [x] E.1 Define "Setting Up a Firewall for Yourself" scope: home office / small business
• [x] E.2 Write Module 0: Why You Need a Firewall (threats, NAT basics, basic topology)
• [x] E.3 Write Module 1: Install pfSense on Old PC or VM (hardware requirements, USB install, first boot wizard)
• [x] E.4 Write Module 2: Basic WAN + LAN Setup (DHCP, DNS, first internet connection)
• [x] E.5 Write Module 3: Essential Firewall Rules (block incoming, allow outgoing, ICMP)
• [x] E.6 Write Module 4: Port Forwarding for Common Services (game server, camera, NAS)
• [x] E.7 Write Module 5: VPN for Remote Access (WireGuard road warrior setup)
• [x] E.8 Write Module 6: Backup and Updates (config.xml backup, update schedule)
• [x] E.9 Create hands-on lab for Introduction Course (single pfSense + 1 client VM)
• [ ] E.10 Record or source video walkthroughs for each module

• [x] F.1 Map each SEG slide deck to a wiki training page with summary + key takeaways
• [x] F.2 Adapt Netgate labs from physical/virtualbox environment to KVM/Ansible environment
• [ ] F.3 Update IP addressing schema for Comfac virtual lab (avoid conflicts with production)
• [ ] F.4 Write pre-lab briefing pages (what you'll learn, expected outcomes)
• [ ] F.5 Write post-lab review pages (common mistakes, verification steps, "show me" checklist)
• [ ] F.6 Create quiz questions for each phase (5–10 questions, auto-graded if possible)

Run the training with a small group before full rollout.

• [ ] G.1 Recruit 3–5 internal Comfac IT staff as pilot students
• [ ] G.2 Run Phase 1 (Foundations) with pilot group — collect feedback
• [ ] G.3 Run Phase 2 (NAT & Services) with pilot group — collect feedback
• [ ] G.4 Run one VPN lab (IPsec or OpenVPN) with pilot group — test resource limits
• [ ] G.5 Document all bugs, confusion points, and timeouts
• [ ] G.6 Refine playbooks and wiki pages based on pilot feedback

• [ ] H.1 Measure actual CPU/RAM/disk usage per student during pilot
• [ ] H.2 Adjust VM specs if over- or under-provisioned
• [ ] H.3 Test memory overcommit ratios for safe concurrency scaling
• [ ] H.4 Document maximum safe concurrent student count

Prepare for regular training delivery.

• [ ] I.1 Create student onboarding guide (how to access portal, use NoVNC, reset lab)
• [ ] I.2 Create instructor guide (how to monitor progress, assist students, grade labs)
• [ ] I.3 Set up scheduling system (book lab time slots, prevent over-allocation)
• [ ] I.4 Create completion certificates or badges

• [ ] J.1 Set up host monitoring (Prometheus/Grafana or simple `libvirt` stats)
• [ ] J.2 Configure alerts for host resource exhaustion
• [ ] J.3 Schedule weekly base image updates (pfSense patches, OS updates)
• [ ] J.4 Document disaster recovery (rebuild host from Ansible, restore golden images)

Per-student minimum: 6 vCPUs, 6.5 GB RAM, 62 GB disk Per-student full lab: 10 vCPUs, 10.5 GB RAM, 110 GB disk 200-core / 1TB capacity: 20–40 concurrent students (conservative to optimized)

Next Actions (This Week):

1. Summarize the-pfsense-documentation.pdf into a reference page
2. Document WindowsTrainingSupportFiles.zip contents
3. Catalog training video timestamps
4. Begin Ansible playbook drafting for Lab 1 environment
5. Evaluate Kimchi vs Guacamole for NoVNC portal