Networking PfSense Index: Difference between revisions

From MediawikiCIT
Justinaquino (talk | contribs)
Add link to PfSense Training Project Tracker
Justinaquino (talk | contribs)
Update Resource Estimates: Add Linux FOSS vs Windows stacks, 20% utilization target, container analysis, AI evaluation, exercise-limited deployment
Line 37: previous revision (text replaced by this edit)

=== Resource Estimates Per Student ===
{| class="wikitable"
! Component !! vCPUs !! RAM !! Disk !! Notes
|-
| pfSense VM || 2 || 1 GB || 8 GB || One per firewall; labs need 2–4
|-
| Windows Client || 2 || 4 GB || 40 GB || Can be replaced with thin Linux client
|-
| Ubuntu Server || 1 || 1 GB || 10 GB || DNS/web/target server
|-
| "Internet" Router || 1 || 512 MB || 4 GB || Simulated upstream ISP
|-
| '''Total (minimal)''' || '''6''' || '''6.5 GB''' || '''62 GB''' || 2 firewalls + 1 client + 1 server + internet
|-
| '''Total (full lab)''' || '''10''' || '''10.5 GB''' || '''110 GB''' || 4 firewalls + 2 clients + 2 servers + internet
|}

'''Cluster capacity (200 core / 1 TB RAM):'''
* Conservative (10 cores + 10 GB per student): ~20 concurrent students
* Optimized (6 cores + 6.5 GB per student): ~30 concurrent students
* With memory overcommit and thin-provisioned disks: potentially 40+ students

=== Zero-Touch Provisioning / Infra-as-Code Strategy ===
Given constrained materials (old PCs, limited budget), the deployment stack should be:

'''Option A: KVM + Ansible (Recommended for Comfac)'''
* KVM/libvirt on Ubuntu host
* qcow2 base images for pfSense, Windows, Ubuntu
* Ansible playbooks per lab:
** Clone base images (linked clones for disk efficiency)
** Configure VLANs/internal networks via libvirt
** Start VMs in correct order
** Inject pfSense config.xml for each lab stage
* NoVNC via '''Kimchi''' or '''Apache Guacamole''' as the web portal
* Students get a unique URL + credentials; VMs are destroyed/re-created per session

'''Option B: Docker + GNS3/EVE-NG (Alternative)'''
* pfSense can run in QEMU inside Docker
* More complex networking; less stable than KVM
* Better for Cisco/Juniper labs, not ideal for pfSense web-GUI training

'''Option C: Proxmox VE Cluster (If hardware allows)'''
* Best UX but requires dedicated Proxmox host(s)
* Good for the 200-core machine, not for old PCs

'''Chosen Path for Comfac: Option A (KVM/Ansible)'''
* Old PCs become thin clients (any PC with a browser)
* Heavy lifting happens on the 200-core host
* Ansible manages:
** VM lifecycle (create/start/stop/destroy)
** Network topology (bridges, VLANs, isolated libvirt networks)
** Student access (NoVNC tokens, time limits)
** Snapshot/reset between sessions

=== Training Phases / Legs (1 Hour Per Day) ===
The FUND001 curriculum is broken into digestible daily modules.

{| class="wikitable"
! Phase !! Day !! Topic !! Slide !! Lab !! VMs Required
|-
| rowspan="3" | '''Phase 1: Foundations''' || 1 || Intro to pfSense: What, Why, History, Certifications || SEG1 || ||
|-
| 2 || Interfaces, IPs, VLANs, Virtual IPs || SEG2 || Lab 1 (Intro + Backup/Restore) || 1 pfSense + 1 client
|-
| 3 || Firewall Rules, Aliases, Best Practices || SEG2 || Lab 2 (Rules + Aliases) || 1 pfSense + 1 client + 1 server
|-
| rowspan="3" | '''Phase 2: NAT & Services''' || 4 || NAT Overview: Outbound, Port Forwards, 1:1 NAT || SEG3 || Lab 3 (NAT + VIPs) || 1 pfSense + 1 server + internet
|-
| 5 || DHCP, DNS Resolver, Dynamic DNS, NTP || SEG4 || Lab 4 (Services + Branch Setup) || 2 pfSense + 2 clients + 1 server
|-
| 6 || Package System, Common Packages (pfBlocker, Suricata intro) || SEG11 || || 1 pfSense
|-
| rowspan="4" | '''Phase 3: VPNs''' || 7 || VPN Concepts: IPsec, OpenVPN, WireGuard compared || SEG5 || || —
|-
| 8 || IPsec Site-to-Site + Mobile Remote Access || SEG5 || Lab 5 (IPsec) || 2 pfSense + 2 clients
|-
| 9 || OpenVPN Site-to-Site + Remote Access with Client Export || SEG6 || Lab 6 (OpenVPN) || 2 pfSense + 2 clients
|-
| 10 || WireGuard Site-to-Site || SEG7 || Lab 7 (WireGuard) || 2 pfSense + 2 clients
|-
| rowspan="2" | '''Phase 4: Resilience''' || 11 || Multi-WAN: Failover, Load Balancing, Gateway Groups || SEG8 || Lab 8 (Multi-WAN) || 1 pfSense + 2 WANs + client
|-
| 12 || Traffic Shaping & Limiters (ALTQ + dummynet) || SEG9 || Lab 9 (Traffic Shaping) || 1 pfSense + multiple clients
|-
| rowspan="2" | '''Phase 5: Advanced''' || 13 || High Availability: CARP, XMLRPC, pfsync || SEG10 || Lab 10 (HA) || 2 pfSense (HA pair) + client
|-
| 14 || Monitoring, SNMP, RRD, Log Aggregation, Packages || SEG11 || || 1 pfSense + monitoring target
|-
| '''Phase 6: Capstone''' || 15 || Build Your Own Firewall: Design, Implement, Present || || Capstone || Full lab (4 pfSense + clients + servers)
|}

=== Sub-Phases for Comfac Internal Use (ZTP/IaC Focus) ===
These are shorter, targeted sessions for staff who will build and maintain the training platform.

{| class="wikitable"
! Sub-Phase !! Topic !! Duration !! Deliverable
|-
| A.1 || KVM/libvirt Setup on 200-Core Host || 2 hrs || Host provisioned with bridges and storage pools
|-
| A.2 || Base Image Creation: pfSense, Windows, Ubuntu || 2 hrs || qcow2 golden images ready for cloning
|-
| A.3 || Ansible Playbook: Lab 1 Environment || 3 hrs || `ansible-playbook lab1.yml --extra-vars student_id=01`
|-
| A.4 || NoVNC Portal: Kimchi or Guacamole Integration || 3 hrs || Browser-based console access working
|-
| A.5 || Automated Cleanup & Snapshot Reset || 2 hrs || VMs destroyed/recreated between sessions
|-
| A.6 || Monitoring & Quota: Per-Student Resource Limits || 2 hrs || cgroups/libvirt quotas enforced
|}

=== Required Containers / VMs Summary ===
'''Per-Lab VM Inventory'''

{| class="wikitable"
! Lab !! pfSense !! Clients !! Servers !! Internet Router !! Total vCPUs !! Total RAM
|-
| Lab 1 (Intro) || 1 || 1 || 0 || 0 || 4 || 5 GB
|-
| Lab 2 (Rules) || 1 || 1 || 1 || 0 || 5 || 6 GB
|-
| Lab 3 (NAT/VIP) || 1 || 0 || 1 || 1 || 5 || 6.5 GB
|-
| Lab 4 (Services) || 2 || 2 || 1 || 0 || 10 || 13 GB
|-
| Lab 5 (IPsec) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 6 (OpenVPN) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 7 (WireGuard) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 8 (Multi-WAN) || 1 || 1 || 0 || 1 || 5 || 6.5 GB
|-
| Lab 9 (Shaping) || 1 || 2+ || 0 || 0 || 6+ || 9+ GB
|-
| Lab 10 (HA) || 2 || 1 || 0 || 0 || 6 || 7 GB
|-
| '''Capstone''' || '''4''' || '''2''' || '''2''' || '''1''' || '''18''' || '''21 GB'''
|}

'''Containerization Notes:'''
* pfSense runs on FreeBSD; must use full KVM virtualization (not containers)
* Clients can be Linux containers (LXC) if only CLI/SSH access needed; Windows requires KVM
* NoVNC proxy can run in Docker for easy deployment
* Ansible controller can be a Docker container or the host itself

== Related Infrastructure ==

Line 37: this revision (replacement text)

The sections above were replaced by the Stack A/B/C resource tables, the 20% utilization target, the exercise-limited deployment table, the resource setup validation tests and the AI evaluation section. That text is shown once, as the rendered revision below.

Revision as of 10:10, 23 April 2026

Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.

pfSense Core Guides

Network Infrastructure & Equipment

DNS, Ad Blocking & Pi-hole

Training & Skills

Practical Training System (NoVNC Virtual Lab)

Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine.

Training Architecture Vision

Each student gets an isolated virtual network sandbox containing:

  • 2× pfSense VMs (HQ HA pair or HQ + Branch)
  • 1–2× Client VMs (Windows/Linux desktop)
  • 1× Server VM (web/DNS/target)
  • 1× Simulated "Internet" router VM

Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.

Resource Estimates Per Student

Stack A: Pure Linux / FOSS (Recommended for Comfac)

All components run on open-source software. Clients are lightweight Linux VMs or LXC containers. No Windows licensing required.

{| class="wikitable"
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes
|-
| pfSense VM || 1 || 512 MB || 4 GB || KVM microVM || FreeBSD requires KVM; use tiny QEMU args
|-
| Linux Client (LXC) || 0.5 || 256 MB || 1 GB || LXC container || Alpine or Debian with XFCE; NoVNC access
|-
| Linux Server (LXC) || 0.5 || 256 MB || 1 GB || LXC container || nginx, BIND, or simple Python HTTP
|-
| Internet Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC container || Static routes only; FRR optional
|-
| NoVNC Proxy (Docker) || 0.5 || 256 MB || 0.5 GB || Docker container || websockify + nginx
|-
| '''Total per student''' || '''3''' || '''1.4 GB''' || '''7 GB''' || — || Thin-provisioned; linked clones
|}

Stack B: Windows Client (Full Desktop Experience)

For trainees who need a Windows desktop for browser-based management or specific client software.

{| class="wikitable"
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes
|-
| pfSense VM || 2 || 1 GB || 8 GB || KVM || Standard qcow2 image
|-
| Windows Client || 2 || 4 GB || 40 GB || KVM || Windows 10/11 thin client; needs GPU if GUI-heavy
|-
| Ubuntu Server || 1 || 1 GB || 10 GB || KVM || Full VM for compatibility
|-
| Internet Router || 1 || 512 MB || 4 GB || KVM || Ubuntu with static routes
|-
| NoVNC Proxy || 0.5 || 256 MB || 0.5 GB || Docker || Shared across students
|-
| '''Total per student''' || '''6.5''' || '''6.8 GB''' || '''63 GB''' || || Higher resource cost
|}

Stack C: Hybrid — Containers for Linux Router Exercises

For basic routing/firewall concept labs only (not pfSense-specific), replace pfSense with Linux routers in containers.

{| class="wikitable"
! Component !! vCPUs !! RAM !! Disk !! Virtualization !! Notes
|-
| Linux Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC || Alpine + iptables/nftables + WireGuard
|-
| Linux Client (LXC) || 0.5 || 256 MB || 1 GB || LXC || Alpine or Debian
|-
| Linux Server (LXC) || 0.5 || 256 MB || 1 GB || LXC || nginx, BIND
|-
| Internet Router (LXC) || 0.5 || 128 MB || 0.5 GB || LXC || Static routes
|-
| '''Total per student''' || '''2''' || '''768 MB''' || '''3 GB''' || || Cannot teach pfSense GUI; teaches concepts only
|}

Important: pfSense is FreeBSD-based and cannot run in Linux containers (Docker/LXC). Stack C is suitable for teaching routing/VPN concepts using Linux tools (iptables, nftables, WireGuard, strongSwan), but not for teaching the pfSense web interface. For pfSense GUI training, use Stack A or B.

Server Capacity: 20% Utilization Target

The goal is to run the training environment using only 20% of the 200-core / 1TB RAM server, leaving 80% for other Comfac workloads (ERPNext, AI models, file services).

20% of available resources:

  • 40 vCPUs (20% of 200)
  • 200 GB RAM (20% of 1 TB)
  • ~2 TB SSD (assuming 10 TB array, 20% = 2 TB)

Concurrent student capacity at 20% utilization:

{| class="wikitable"
! Stack !! Per-Student Resources !! Students at 20% CPU !! Students at 20% RAM !! Limiting Factor
|-
| '''A: Pure Linux''' || 3 vCPU / 1.4 GB || 13 || 142 || '''CPU: 13 students'''
|-
| '''B: Windows''' || 6.5 vCPU / 6.8 GB || 6 || 29 || '''CPU: 6 students'''
|-
| '''C: Containers''' || 2 vCPU / 0.8 GB || 20 || 250 || '''CPU: 20 students'''
|}

Recommendation: Use Stack A (Pure Linux) for all labs. This yields ~13 concurrent students within the 20% budget, or up to ~30 students if spread across time slots (not everyone needs a lab simultaneously).

Smaller Server: What Hardware for 10 Students?

If buying a dedicated training server instead of using the 200-core machine:

{| class="wikitable"
! Stack !! CPU !! RAM !! Storage !! NICs !! Example Hardware
|-
| '''A: Pure Linux''' || 32 cores || 32 GB || 500 GB NVMe || 2x 1GbE || Used Dell R630/R640 (~$300-500)
|-
| '''B: Windows''' || 64 cores || 96 GB || 1 TB NVMe || 2x 1GbE || Used Dell R740 / HP DL360 (~$600-900)
|-
| '''C: Containers''' || 16 cores || 16 GB || 250 GB NVMe || 2x 1GbE || Old desktop + Intel NIC (~$100-200)
|}

Exercise-Limited Deployment (Right-Sizing per Lab)

Not every lab needs the full sandbox. Deploy only what is needed:

{| class="wikitable"
! Lab !! Stack A Deployed !! vCPUs Used !! RAM Used !! Disk Used
|-
| Day 1 — Theory only || None (wiki only) || 0 || 0 || 0
|-
| Lab 1 (Intro/Backup) || 1 pfSense + 1 client || 1.5 || 768 MB || 5 GB
|-
| Lab 2 (Rules) || 1 pfSense + 1 client + 1 server || 2 || 1 GB || 6 GB
|-
| Lab 3 (NAT) || 1 pfSense + 1 server + router || 2 || 900 MB || 5.5 GB
|-
| Lab 4 (Services) || 2 pfSense + 2 clients + 1 server || 4 || 2.1 GB || 11 GB
|-
| Lab 5-7 (VPNs) || 2 pfSense + 2 clients || 3 || 1.5 GB || 10 GB
|-
| Lab 8 (Multi-WAN) || 1 pfSense + 1 client + router || 2 || 900 MB || 5.5 GB
|-
| Lab 9 (Shaping) || 1 pfSense + 2 clients || 2.5 || 1.3 GB || 6 GB
|-
| Lab 10 (HA) || 2 pfSense + 1 client || 2.5 || 1.3 GB || 9 GB
|}

Scheduling strategy: If students are scheduled in 1-hour slots and labs are provisioned on-demand, the same 40 vCPUs / 200 GB RAM can serve 40-60 student-slots per day (not concurrently, but sequentially).

Phase 1: Resource Setup Validation

Before full student rollout, validate the resource model with these tests:

{| class="wikitable"
! Test !! Purpose !! Command / Method !! Pass Criteria
|-
| '''T1: MicroVM Boot''' || Verify pfSense runs in 512MB/1vCPU || qemu-system-x86_64 -m 512 -smp 1 -drive file=pfsense.qcow2 || Boots to login in < 120s
|-
| '''T2: LXC Container Spawn''' || Verify sub-1GB containers work || lxc launch images:alpine/3.19 client || Starts in < 10s; SSH reachable
|-
| '''T3: NoVNC Session''' || Verify one student can access console || websockify + TigerVNC || 640x480 responsive; < 500ms latency
|-
| '''T4: 5 Concurrent Students''' || Validate 20% CPU/RAM budget || Ansible: deploy 5x Stack A || Total < 8 vCPU, < 7 GB RAM
|-
| '''T5: Lab 4 Full Deploy''' || Heaviest lab (2 pfSense + 2 clients + server) || ansible-playbook lab4.yml || Deploys in < 5 min; all VMs pingable
|-
| '''T6: Snapshot Reset Speed''' || Time to reset between students || virsh snapshot-revert + virsh start || < 60 seconds total
|-
| '''T7: AI Evaluation Readiness''' || Validate environment for automated testing || See AI Evaluation section below || All labs pass synthetic health checks
|}

AI Evaluation: Automated Readiness Testing

Before students arrive, AI agents will validate that each lab environment is functional. This replaces manual smoke-testing.

Evaluation Stack:

  • Qwen 3.5 Instruct Coder (9GB) — Runs locally on the 200-core server or a dedicated GPU box. Evaluates: pfSense GUI accessibility, rule syntax, VPN handshake status, config.xml validity.
  • DeepSeek Coder (optional) — Cloud or local. Validates Ansible playbook correctness, network topology logic, resource allocation math.
  • OpenCode (local agent) — Executes shell commands inside VMs/containers via SSH/API. Performs end-to-end tests: ping, curl, ipsec status, wg show, etc.

Automated Test Sequence (per lab):

  1. Deploy lab environment via Ansible
  2. AI agent logs into pfSense (admin credentials)
  3. Screenshot/check each configured page matches expected state
  4. Run connectivity tests from client VMs
  5. Verify services are listening on correct ports
  6. Generate pass/fail report with specific error details
  7. Destroy lab environment

Benefits:

  • Catch broken base images before students arrive
  • Validate that config.xml injections work correctly
  • Ensure network isolation between students
  • Measure actual resource usage vs. estimates
  • Generate readiness dashboard for instructors

Implementation:

  • Python + Selenium/Playwright for pfSense GUI testing
  • Paramiko/fabric for SSH-based VM tests
  • pytest framework for test organization
  • GitHub Actions or local Cron for scheduled runs
  • Output: Markdown report posted to wiki or sent via Matrix/Email
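The test sequence and the implementation list above call for checking that each injected config.xml matches the expected lab state and for emitting a pass/fail Markdown report. The following Python is an added example, not code from the Comfac wiki or from the pfSense project. It runs offline against a constructed config.xml and assumes the layout pfSense uses for that file (a <pfsense> root holding <system>, <interfaces> and <filter>/<rule> elements); the hostname lab2-fw, the LAN subnet and the sample rules are constructed here, and the second rule (pass any-to-any on WAN) is deliberately wrong so that the report shows one failing check.

```python
"""Readiness checks for an injected pfSense config.xml, with a Markdown report.

Added example for the Comfac training wiki; not project or pfSense code. It
assumes pfSense's config.xml layout (<pfsense> root with <system>, <interfaces>
and <filter>/<rule>). Sample document, hostname and subnet are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what a Lab 2 playbook might inject. The second rule is
# intentionally permissive so that one check fails in the generated report.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>lab2-fw</hostname><domain>lab.local</domain></system>
  <interfaces>
    <wan><if>vtnet0</if><ipaddr>203.0.113.10</ipaddr><subnet>24</subnet></wan>
    <lan><if>vtnet1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source><destination><any></any><port>80</port></destination>
      <descr>Lab 2: allow HTTP from LAN</descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <source><any></any></source><destination><any></any></destination>
      <descr>OOPS: permit everything inbound</descr></rule>
  </filter>
</pfsense>
"""


@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str


def check_hostname(root, expected):
    """The injected identity must match the lab plan (test-sequence step 3)."""
    found = root.findtext("system/hostname")
    return CheckResult("hostname", found == expected, f"found {found!r}, expected {expected!r}")


def check_lan_subnet(root, expected_cidr):
    """The LAN address must sit inside the subnet the lab topology was built for."""
    ip, bits = root.findtext("interfaces/lan/ipaddr"), root.findtext("interfaces/lan/subnet")
    if ip is None or bits is None:
        return CheckResult("lan subnet", False, "LAN interface missing ipaddr/subnet")
    try:
        network = ipaddress.ip_interface(f"{ip}/{bits}").network
    except ValueError as exc:
        return CheckResult("lan subnet", False, f"unparseable LAN address: {exc}")
    ok = network == ipaddress.ip_network(expected_cidr)
    return CheckResult("lan subnet", ok, f"LAN is {network}, expected {expected_cidr}")


def check_no_wan_any_any(root):
    """Isolation check: no pass rule on WAN may allow any source to any destination."""
    for rule in root.iterfind("filter/rule"):
        if (rule.findtext("type") == "pass" and rule.findtext("interface") == "wan"
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None):
            descr = rule.findtext("descr") or "(no description)"
            return CheckResult("wan any-any", False, f"permissive WAN rule: {descr}")
    return CheckResult("wan any-any", True, "no pass any-to-any rule on WAN")


def run_checks(xml_text, expected_hostname, expected_lan_cidr):
    """Parse the injected config and run every check; a parse failure is itself a result."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [CheckResult("config.xml parses", False, str(exc))]
    if root.tag != "pfsense":
        return [CheckResult("config.xml parses", False, f"root is <{root.tag}>, not <pfsense>")]
    return [
        CheckResult("config.xml parses", True, "well-formed, <pfsense> root"),
        check_hostname(root, expected_hostname),
        check_lan_subnet(root, expected_lan_cidr),
        check_no_wan_any_any(root),
    ]


def markdown_report(lab, results):
    """Pass/fail table suitable for posting to the wiki (test-sequence step 6)."""
    lines = [f"## {lab} readiness", "", "| Check | Result | Detail |", "|---|---|---|"]
    for r in results:
        lines.append(f"| {r.name} | {'PASS' if r.passed else 'FAIL'} | {r.detail} |")
    verdict = "READY" if all(r.passed for r in results) else "NOT READY"
    return "\n".join(lines + ["", f"**Verdict: {verdict}**"])


if __name__ == "__main__":
    print(markdown_report("Lab 2 (Rules)", run_checks(SAMPLE_CONFIG_XML, "lab2-fw", "192.168.1.0/24")))
```

In a real run the same functions would be fed the config.xml pulled from the freshly deployed pfSense VM, and the SSH connectivity and GUI screenshot steps would plug in as further CheckResult producers feeding the same report.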



This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.