Latest revision as of 11:59, 23 April 2026

pfSense Sales Training Material

Reference: Full Session Log

1. Introduction

Objective: Provide a clear, layman-friendly explanation of what a firewall is, why pfSense is a powerful solution, and how its key features protect networks.

Audience: Sales teams, marketing, and non-technical staff who need to explain the technology to potential customers — non-technical decision-makers, IT managers, and SMB owners.

2. Network Basics

Definition: Networking is the ability to connect computers and systems together. It occurs when more than one device communicates with another device or group of devices.

Networking Disciplines

ECE (Electronics and Communication Engineering)

Focuses on how electronic devices work and on designing/building network hardware from basic components.
In the Philippines, a PRC ECE license is required to sign off plans for CCTV installations — the only legally mandated network designs (CCTV and phone lines).
Sales Note: Clients needing custom electronic solutions (for automation or high-security requirements) will require ECE expertise.

IT (Information Technology)

Specializes in deploying and integrating off-the-shelf networking equipment.
Advanced configurations improve reliability, scalability (hundreds to thousands of users), and automation for convenience.
Sales Note: Larger-scale deployments and convenience features command higher-level IT skills and corresponding investment.

Networking Functions

Function	What This Means for Your Business	Technical Role
Connecting to the Internet (WAN — Wide Area Network)	Your business's door to the outside world — controls what comes in and what goes out.	Connects the facility to external networks (Internet or other sites).
Connecting Your Devices Together (LAN — Local Area Network)	Lets computers, printers, servers, and phones talk to each other inside your office.	Connects devices within the facility for internal communications.
Staying Online Even When Hardware Fails (High Availability)	Prevents downtime — if one device fails, another takes over automatically.	Builds redundancy and resilience so services stay online despite failures.
Controlling Who Can Access What (User Management)	Staff, guests, and contractors each see only what they're supposed to see.	Implements captive portals, LDAP, RADIUS to organize users by roles and privileges.
Protecting Against Attacks and Breaches (Security)	Keeps threats out and sensitive data in — separates risky zones from critical systems.	Establishes hardened systems using DMZs (buffer zones) and proxy servers.
Wireless Connectivity (Wi-Fi)	Lets staff and devices connect without cables — can be segmented by department or role.	Deploys mesh or enterprise Wi-Fi for convenient, flexible connectivity.
Wired Connectivity (Ethernet/LAN Cabling)	High-speed, reliable connections for servers, workstations, and critical equipment.	Provides high-bandwidth, low-latency connections for critical systems.

3. Key Myths & Objections

Understanding and countering these objections is critical in every sales conversation.

Myth 1: "We're too small — we don't need a firewall"

Reality: Small and medium businesses are the most targeted precisely because attackers know they have weak defenses. Anyone hosting a web server, NAS, ERP system, or remote workers needs a firewall. Size is not protection.

Myth 2: "Our ISP router/modem is enough"

Reality: ISP-provided routers are consumer-grade equipment with no intrusion detection, no network segmentation, no VPN capability, and no traffic monitoring. They are designed for convenience, not security.

Myth 3: "Firewalls only block traffic"

Reality: Modern firewalls do far more — they segment your network into zones, prioritize critical traffic (e.g., video calls over casual browsing), detect intrusions in real time, and enable secure VPN access for remote workers.

Myth 4: "A VPN is all the security I need"

Reality: A VPN only encrypts traffic between two points. It does nothing to protect your internal network from threats already inside, compromised devices, or unauthorized users on-site.

Myth 5: "The cloud handles our security"

Reality: Cloud providers secure their own infrastructure. Your office network, on-site devices, servers, and traffic between locations remain entirely your responsibility.

Myth 6: "Hardware firewalls are different from software firewalls"

Reality: All firewalls are computers running software. A "hardware firewall" is simply dedicated hardware optimized to run firewall software. Performance scales by upgrading network interface cards: 100 Mbps → 1 Gbps → 10 Gbps → 100 Gbps.

Myth 7: "Competitor products are better out-of-the-box"

Reality: Competitors like Fortinet and Cisco lock key features behind annual licenses that expire. When you stop paying, features stop working. pfSense delivers enterprise-grade features permanently — only updates and support require payment.

4. Why pfSense?

Open Source: No recurring feature licenses; you pay only for support and updates. When support lapses, pfSense continues to work — only security updates stop.
Enterprise Features:
- LAN/WAN routing and segmentation
- VPN (remote access and site-to-site)
- IDS/IPS (intrusion detection and prevention)
- High Availability & Load Balancing
- DHCP, DNS, and user Authentication
No License Lock-in: Other vendors "rent" features that expire with licenses. pfSense features remain available indefinitely.

5. Core Functions & Features

Primary Functions

Function	Explanation
LAN	Segments and protects internal network traffic to enforce security zones.
WAN	Controls access to the Internet; filters inbound/outbound traffic.
VPN	Creates encrypted tunnels for secure remote access or site-to-site links.
IDS/IPS	Monitors traffic for threats and automatically blocks or alerts on intrusions.

Secondary Features

Authentication: Integrates with Active Directory, LDAP, RADIUS for user-based firewall policies.
DHCP: Assigns IP addresses automatically to devices on the network.
DNS: Acts as resolver or forwarder to improve name lookup speed and security.
Load Balancer / HA: Distributes traffic across multiple WAN links or appliances and provides failover.

6. The 5-Pillar Scoping Framework

Use this framework on every prospect conversation. Work through each pillar in order — each answer builds context for the next. The goal is to understand the client's situation before recommending any hardware or solution.

Pillar 1: Stakes

Budget equals stakes. Before pricing anything, establish what is at risk.

Key Questions: "What happens to your business if the network goes down for a full day?"; "What data do you store or process — customer records, financial data, health information?"; "Have you experienced a breach or outage before? What did it cost you?"

What It Tells You: The client's tolerance for risk and the true value of the protection being sold. A business that loses 50,000 PHP per hour of downtime has very different stakes than one running a small shared drive.

How It Maps to pfSense: High stakes → High Availability setup, IDS/IPS, VLAN segmentation, full TAC support.; Lower stakes → Single appliance, basic firewall rules, standard support.

Sales Note: This pillar justifies the budget. Never skip it — without establishing stakes, you are selling on price alone and will always lose to the cheapest option.

Pillar 2: Devices & Users

Knowing the scale determines the hardware tier.

Key Questions: "How many staff members use the network daily?"; "What devices are connected — computers, phones, tablets, IP cameras, printers, servers, POS terminals?"; "Do you have remote workers or multiple office locations?"

What It Tells You: Scale of deployment, number of network interfaces needed, and whether user management features (captive portal, RADIUS) are required.

How It Maps to pfSense: <10 users → Entry-level appliance.; 10–100 users → Mid-range (Netgate 4200 series).; 100–500 users → HA pair (2× Netgate 4200 MAX, ~120k PHP one-time).; 500+ users or ISP → Netgate 6100 series or higher.

Pillar 3: Bandwidth & Traffic

Traffic type matters as much as raw speed.

Key Questions: "What is your current internet plan speed (download/upload)?"; "What do people do on the network — video calls, large file transfers, cloud apps, IP cameras streaming 24/7?"; "Do you have peak hours where the network slows down noticeably?"

What It Tells You: WAN capacity requirements, whether QoS (Quality of Service) is needed to prioritize traffic types, and the processing load for IDS/IPS inspection.

How It Maps to pfSense: Heavy video/VoIP usage → QoS rules to prioritize real-time traffic.; Heavy cloud usage → WAN load balancing for redundancy and speed.; Many IP cameras → Dedicated VLAN and allocated bandwidth.

Pillar 4: Hardware Compatibility

Existing infrastructure must integrate — not be replaced.

Key Questions: "What servers do you have on-site — web servers, NAS, ERP, database?"; "Do you have CCTV systems, POS terminals, VoIP phones, or other specialty devices?"; "What network switches and access points are currently deployed?"

What It Tells You: VLAN design requirements, potential conflicts with existing devices, number of network interfaces needed, and whether any equipment requires a DMZ or special firewall rules.

How It Maps to pfSense: NAS or web server → DMZ or isolated VLAN with strict inbound rules.; CCTV system → Isolated VLAN with no internet access (security best practice).; POS terminals → Segmented from general office traffic (PCI-DSS compliance).; VoIP phones → Dedicated VLAN with QoS priority to prevent call drops.

Pillar 5: Features & Functions Needed

Match the pfSense feature set to the client's actual workflow.

Key Questions: "Do staff work remotely and need secure access to office systems?"; "Do you have a second office location that needs to connect to the main office?"; "Do guests or contractors need network access, separate from staff?"; "Are there compliance requirements — PCI, HIPAA, data privacy laws?"

What It Tells You: Which pfSense features to highlight in the proposal and configure in the deployment.

How It Maps to pfSense: Remote workers → VPN (OpenVPN or WireGuard).; Multiple sites → Site-to-site VPN.; Guest or contractor access → Captive portal with time or bandwidth limits.; Compliance requirements → IDS/IPS, logging, VLAN segmentation, audit trails.

7. Sizing & Total Cost of Ownership (TCO)

Sizing Guidelines

Company Size / Bandwidth	Recommended Model	Notes
Under 1 Gbps Internet	Netgate 6100 Series	Fits most small-to-medium offices
Up to 500 Users	2× Netgate 4200 MAX (HA setup)	~120k PHP one-time cost for both appliances
Large Networks / ISPs (>1 Gbps)	Netgate 6100+ or higher	Only ISPs or large enterprises need these models

Example: Makati Office (200 Users)

Hardware Cost: 2×4200 MAX for HA → 120,000 PHP (one-time)
Annual Costs:
- License Renewal: 7,500 PHP × 2 = 15,000 PHP/year
- TAC Support: 45,000 PHP/year (one needed in HA)
- Snort Subscription: 24,000 PHP × 2 = 48,000 PHP/year
- Total Annual: ~84,000 PHP/year

Template:Note

8. Next Steps for Sales

Work through the 5-Pillar Scoping Framework with the client before recommending any hardware.
Select the right appliance based on scoping output (6100 vs 4200 MAX vs higher models).
Prepare TCO comparison (pfSense vs competitor).
Send proposal template and service brochure.

PfSense Sales Training Material: Difference between revisions