Networking PfSense Index: Difference between revisions

From MediawikiCIT
Justinaquino (talk | contribs)
Create consolidated Networking PfSense Index
 
Justinaquino (talk | contribs)
Add Practical Training System (NoVNC Virtual Lab) section with phases, resource estimates, and ZTP/IaC strategy
== pfSense Core Guides ==
* [[pfSense Sales Training Material]] — Product knowledge and sales positioning for Netgate/pfSense hardware and software
* [[Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME]] — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL
* [[pfSense CE → pfSense Plus Upgrade Guide]] — Step-by-step migration from Community Edition to pfSense Plus
* [[SOP: Network Troubleshooting & pfSense Monitoring 251130]] — Standard operating procedures for network diagnostics and pfSense health monitoring
 
== Network Infrastructure & Equipment ==
* [[Tplink Mikrotik Equivalent]] — Cross-reference of TP-Link and MikroTik models for network deployments
* [[Controller Systems 251213-01]] — Network and infrastructure controller systems
* [[Power Distribution Tree 251213]] — Power architecture for network and server racks
* [[NPM Migration to Homelab VPS Relay 260401]] — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy
 
== DNS, Ad Blocking & Pi-hole ==
* [https://github.com/Comfac-Global-Group/pi-hole Comfac Pi-hole Repository] — GitHub repository for Pi-hole DNS sinkhole deployment
* [https://github.com/Comfac-Global-Group/pi-hole/blob/master/How%20this%20Works.md How Pi-hole Works] — Technical overview of the Pi-hole DNS filtering architecture
 
== Training & Skills ==
* [[Skills and Competencies for IT Staff Trained in pfSense]] — Required competencies and certification path for pfSense-administering staff
 
== Practical Training System (NoVNC Virtual Lab) ==
'''Goal:''' Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine.
 
=== Training Architecture Vision ===
Each student gets an isolated virtual network sandbox containing:
* 2× pfSense VMs (HQ HA pair or HQ + Branch)
* 1–2× Client VMs (Windows/Linux desktop)
* 1× Server VM (web/DNS/target)
* 1× Simulated "Internet" router VM
 
Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.
 
=== Resource Estimates Per Student ===
{| class="wikitable"
! Component !! vCPUs !! RAM !! Disk !! Notes
|-
| pfSense VM || 2 || 1 GB || 8 GB || One per firewall; labs need 2–4
|-
| Windows Client || 2 || 4 GB || 40 GB || Can be replaced with thin Linux client
|-
| Ubuntu Server || 1 || 1 GB || 10 GB || DNS/web/target server
|-
| "Internet" Router || 1 || 512 MB || 4 GB || Simulated upstream ISP
|-
| '''Total (minimal)''' || '''6''' || '''6.5 GB''' || '''62 GB''' || 2 firewalls + 1 client + 1 server + internet
|-
| '''Total (full lab)''' || '''10''' || '''10.5 GB''' || '''110 GB''' || 4 firewalls + 2 clients + 2 servers + internet
|}
 
'''Cluster capacity (200 core / 1 TB RAM):'''
* Conservative (10 cores + 10 GB per student): ~20 concurrent students
* Optimized (6 cores + 6.5 GB per student): ~30 concurrent students
* With memory overcommit and thin-provisioned disks: potentially 40+ students
 
=== Zero-Touch Provisioning / Infra-as-Code Strategy ===
Given constrained materials (old PCs, limited budget), the deployment stack should be:
 
'''Option A: KVM + Ansible (Recommended for Comfac)'''
* KVM/libvirt on Ubuntu host
* qcow2 base images for pfSense, Windows, Ubuntu
* Ansible playbooks per lab:
** Clone base images (linked clones for disk efficiency)
** Configure VLANs/internal networks via libvirt
** Start VMs in correct order
** Inject pfSense config.xml for each lab stage
* NoVNC via '''Kimchi''' or '''Apache Guacamole''' as the web portal
* Students get a unique URL + credentials; VMs are destroyed/re-created per session
 
'''Option B: Docker + GNS3/EVE-NG (Alternative)'''
* pfSense can run in QEMU inside Docker
* More complex networking; less stable than KVM
* Better for Cisco/Juniper labs, not ideal for pfSense web-GUI training
 
'''Option C: Proxmox VE Cluster (If hardware allows)'''
* Best UX but requires dedicated Proxmox host(s)
* Good for the 200-core machine, not for old PCs
 
'''Chosen Path for Comfac: Option A (KVM/Ansible)'''
* Old PCs become thin clients (any PC with a browser)
* Heavy lifting happens on the 200-core host
* Ansible manages:
** VM lifecycle (create/start/stop/destroy)
** Network topology (bridges, VLANs, isolated libvirt networks)
** Student access (NoVNC tokens, time limits)
** Snapshot/reset between sessions
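The following is an added worked example (not Comfac's own Ansible playbooks) of what the per-student provisioning step in Option A has to produce for one student: the isolated libvirt network definitions, the qemu-img linked-clone commands against the golden images, and the cputune/memtune quota fragments that sub-phase A.6 calls for, all sized from the table above. The golden-image file names, the directory layout under /var/lib/libvirt/images and the Lab 1 layout are assumptions; an Ansible playbook would template the same values.

```python
"""Per-student sandbox definitions for the KVM/libvirt lab host.

Added example, not Comfac's Ansible playbook. Assumptions: golden images
live under /var/lib/libvirt/images/base, per-student clones under
/var/lib/libvirt/images/labNN, and student_id is the 1..99 value passed as
`--extra-vars student_id=NN`.
"""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

BASE_DIR = "/var/lib/libvirt/images/base"  # assumed golden-image directory
LAB_DIR = "/var/lib/libvirt/images"        # assumed parent of per-student dirs

# Sizing per component, from the "Resource Estimates Per Student" table:
# kind -> (vCPUs, RAM in GB, disk in GB, golden image file name [assumed]).
SIZING = {
    "pfsense": (2, 1.0, 8, "pfsense.qcow2"),
    "winclient": (2, 4.0, 40, "win-client.qcow2"),
    "ubuntu": (1, 1.0, 10, "ubuntu.qcow2"),
    "internet": (1, 0.5, 4, "ubuntu.qcow2"),
}

# Lab 1 (Intro) layout: 1 pfSense + 1 client. Listed in boot order, because
# the client expects DHCP from the firewall.
LAB1 = [
    ("fw-hq", "pfsense", ["wan", "lan"]),
    ("client1", "winclient", ["lan"]),
]


@dataclass
class Vm:
    name: str
    vcpus: int
    ram_gb: float
    disk_gb: int
    image: str        # golden image file name
    networks: list    # libvirt network names, in NIC order


def net_name(student_id, seg):
    return f"lab{student_id:02d}-{seg}"


def bridge_name(student_id, seg):
    # Linux interface names are capped at 15 characters.
    return f"s{student_id:02d}{seg}"[:15]


def network_xml(student_id, seg):
    """Isolated libvirt network for one student segment.

    No <forward> element means libvirt creates no NAT or route out of the
    bridge, and no <ip> element means the host itself gets no address on it:
    the only way into the sandbox is the VNC console, and the only DHCP/DNS
    inside it comes from the student's own pfSense."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = net_name(student_id, seg)
    ET.SubElement(net, "bridge", name=bridge_name(student_id, seg), stp="on", delay="0")
    return ET.tostring(net, encoding="unicode")


def build_lab(student_id, layout=LAB1):
    """Resolve a lab layout into sized VM specs named per student."""
    vms = []
    for short, kind, segs in layout:
        vcpus, ram_gb, disk_gb, image = SIZING[kind]
        vms.append(Vm(f"lab{student_id:02d}-{short}", vcpus, ram_gb, disk_gb, image,
                      [net_name(student_id, s) for s in segs]))
    return vms


def clone_command(student_id, vm):
    """Linked clone: the per-student qcow2 stores only deltas against the
    read-only golden image, so destroying it between sessions is cheap."""
    dest = f"{LAB_DIR}/lab{student_id:02d}/{vm.name}.qcow2"
    return f"qemu-img create -f qcow2 -F qcow2 -b {BASE_DIR}/{vm.image} {dest}"


def quota_xml(vm):
    """Hard caps to merge into the domain definition (os/devices come from the
    playbook template): cputune quota/period pins CPU time to exactly `vcpus`
    cores and memtune hard_limit bounds the guest's resident memory, so one
    student's lab cannot starve the others on the shared host."""
    ram_mib = int(vm.ram_gb * 1024)
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = vm.name
    ET.SubElement(dom, "vcpu").text = str(vm.vcpus)
    ET.SubElement(dom, "memory", unit="MiB").text = str(ram_mib)
    cputune = ET.SubElement(dom, "cputune")
    ET.SubElement(cputune, "period").text = "100000"          # microseconds
    ET.SubElement(cputune, "quota").text = str(vm.vcpus * 100000)
    memtune = ET.SubElement(dom, "memtune")
    # 256 MiB headroom for QEMU's own overhead (assumed value).
    ET.SubElement(memtune, "hard_limit", unit="MiB").text = str(ram_mib + 256)
    return ET.tostring(dom, encoding="unicode")


def totals(vms):
    """(vCPUs, RAM GB, disk GB) for one student's lab, for capacity planning."""
    return (sum(v.vcpus for v in vms), sum(v.ram_gb for v in vms), sum(v.disk_gb for v in vms))


if __name__ == "__main__":
    student = 1
    lab = build_lab(student)
    for seg in ("wan", "lan"):
        print(network_xml(student, seg))
    for vm in lab:
        print(clone_command(student, vm))
        print(quota_xml(vm))
    print("per-student totals (vCPU, GB RAM, GB disk):", totals(lab))
```

The isolation property worth checking before a lab goes live is the one the network XML encodes: a sandbox bridge with no forward mode and no host address cannot reach the host's management network or another student's bridge, so a student can misconfigure pfSense freely without affecting anyone else. The quota fragment is what stops the "20 concurrent students" estimate from turning into one student's runaway VM consuming the host.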
 
=== Training Phases / Legs (1 Hour Per Day) ===
The FUND001 curriculum is broken into digestible daily modules.
 
{| class="wikitable"
! Phase !! Day !! Topic !! Slide !! Lab !! VMs Required
|-
| rowspan="3" | '''Phase 1: Foundations''' || 1 || Intro to pfSense: What, Why, History, Certifications || SEG1 || — || —
|-
| 2 || Interfaces, IPs, VLANs, Virtual IPs || SEG2 || Lab 1 (Intro + Backup/Restore) || 1 pfSense + 1 client
|-
| 3 || Firewall Rules, Aliases, Best Practices || SEG2 || Lab 2 (Rules + Aliases) || 1 pfSense + 1 client + 1 server
|-
| rowspan="3" | '''Phase 2: NAT & Services''' || 4 || NAT Overview: Outbound, Port Forwards, 1:1 NAT || SEG3 || Lab 3 (NAT + VIPs) || 1 pfSense + 1 server + internet
|-
| 5 || DHCP, DNS Resolver, Dynamic DNS, NTP || SEG4 || Lab 4 (Services + Branch Setup) || 2 pfSense + 2 clients + 1 server
|-
| 6 || Package System, Common Packages (pfBlocker, Suricata intro) || SEG11 || — || 1 pfSense
|-
| rowspan="4" | '''Phase 3: VPNs''' || 7 || VPN Concepts: IPsec, OpenVPN, WireGuard compared || SEG5 || — || —
|-
| 8 || IPsec Site-to-Site + Mobile Remote Access || SEG5 || Lab 5 (IPsec) || 2 pfSense + 2 clients
|-
| 9 || OpenVPN Site-to-Site + Remote Access with Client Export || SEG6 || Lab 6 (OpenVPN) || 2 pfSense + 2 clients
|-
| 10 || WireGuard Site-to-Site || SEG7 || Lab 7 (WireGuard) || 2 pfSense + 2 clients
|-
| rowspan="2" | '''Phase 4: Resilience''' || 11 || Multi-WAN: Failover, Load Balancing, Gateway Groups || SEG8 || Lab 8 (Multi-WAN) || 1 pfSense + 2 WANs + client
|-
| 12 || Traffic Shaping & Limiters (ALTQ + dummynet) || SEG9 || Lab 9 (Traffic Shaping) || 1 pfSense + multiple clients
|-
| rowspan="2" | '''Phase 5: Advanced''' || 13 || High Availability: CARP, XMLRPC, pfsync || SEG10 || Lab 10 (HA) || 2 pfSense (HA pair) + client
|-
| 14 || Monitoring, SNMP, RRD, Log Aggregation, Packages || SEG11 || — || 1 pfSense + monitoring target
|-
| '''Phase 6: Capstone''' || 15 || Build Your Own Firewall: Design, Implement, Present || — || Capstone || Full lab (4 pfSense + clients + servers)
|}
 
=== Sub-Phases for Comfac Internal Use (ZTP/IaC Focus) ===
These are shorter, targeted sessions for staff who will build and maintain the training platform.
 
{| class="wikitable"
! Sub-Phase !! Topic !! Duration !! Deliverable
|-
| A.1 || KVM/libvirt Setup on 200-Core Host || 2 hrs || Host provisioned with bridges and storage pools
|-
| A.2 || Base Image Creation: pfSense, Windows, Ubuntu || 2 hrs || qcow2 golden images ready for cloning
|-
| A.3 || Ansible Playbook: Lab 1 Environment || 3 hrs || <code>ansible-playbook lab1.yml --extra-vars student_id=01</code>
|-
| A.4 || NoVNC Portal: Kimchi or Guacamole Integration || 3 hrs || Browser-based console access working
|-
| A.5 || Automated Cleanup & Snapshot Reset || 2 hrs || VMs destroyed/recreated between sessions
|-
| A.6 || Monitoring & Quota: Per-Student Resource Limits || 2 hrs || cgroups/libvirt quotas enforced
|}
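An added example (not Comfac's portal code) covering the A.4 and A.5 deliverables together: how per-student NoVNC tokens and session time limits can be enforced on the server side, and how expiry feeds the destroy-and-recreate cleanup. It assumes the NoVNC proxy is websockify with its TokenFile plugin (one <code>token: host:port</code> line per console, re-read on every lookup), that every lab VM's VNC listens on the host loopback only, and that an orchestrator calls <code>sweep()</code> on a timer and destroys the VMs it returns.

```python
"""NoVNC session tokens with a server-enforced time limit.

Added example, not Comfac's portal code. Assumptions: the NoVNC proxy is
websockify using its TokenFile plugin (one `token: host:port` line per
console), every lab VM's VNC listens on the host loopback only, and the
orchestrator (Ansible or a small daemon) calls sweep() periodically and
destroys the VMs it returns.
"""
import os
import secrets
import time
from dataclasses import dataclass, field

TOKEN_BYTES = 24   # 192 bits of randomness -> 32 URL-safe characters


@dataclass
class Session:
    student_id: int
    consoles: dict            # vm name -> (vnc host, vnc port)
    issued_at: float
    ttl_s: int
    tokens: dict = field(default_factory=dict)   # vm name -> token


def open_session(student_id, consoles, ttl_s=3600, now=None):
    """Issue one unguessable token per console. Tokens are random, not derived
    from the student id or VM name, so a student cannot compute a classmate's."""
    now = time.time() if now is None else now
    session = Session(student_id, dict(consoles), now, ttl_s)
    for vm in consoles:
        session.tokens[vm] = secrets.token_urlsafe(TOKEN_BYTES)
    return session


def token_file_lines(session):
    """websockify TokenFile entries for this session's consoles. The browser
    only ever sees the token; the VNC host:port stays on the server."""
    return [f"{tok}: {host}:{port}"
            for vm, tok in session.tokens.items()
            for host, port in [session.consoles[vm]]]


def is_expired(session, now):
    return now >= session.issued_at + session.ttl_s


def sweep(sessions, now):
    """Enforce the time limit. Returns (live sessions, token file content,
    VM names to destroy). Expired sessions drop out of the token file, which
    revokes console access, and their VMs are destroyed outright: a fresh
    linked clone at the next session is the reset, so nothing one student
    changed survives into anyone else's lab."""
    live, lines, to_destroy = [], [], []
    for s in sessions:
        if is_expired(s, now):
            to_destroy.extend(s.consoles)   # vm names
        else:
            live.append(s)
            lines.extend(token_file_lines(s))
    return live, "\n".join(lines) + ("\n" if lines else ""), to_destroy


def write_token_file(path, content):
    """Atomic replace so websockify never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed sample: two students, the second with a short session.
    s1 = open_session(1, {"lab01-fw-hq": ("127.0.0.1", 5901),
                          "lab01-client1": ("127.0.0.1", 5902)}, ttl_s=3600, now=0.0)
    s2 = open_session(2, {"lab02-fw-hq": ("127.0.0.1", 5903)}, ttl_s=60, now=0.0)
    live, content, gone = sweep([s1, s2], now=120.0)
    print(content, end="")
    print("destroy:", gone)
```

Two design points: the time limit is enforced by rewriting the token file and destroying the VMs, not by anything the browser does, so closing the tab early or keeping it open past the limit makes no difference; and because VNC is bound to loopback, the token file is the only route from the portal to a console, which is why it must be written atomically and kept readable only by the proxy user.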
 
=== Required Containers / VMs Summary ===
'''Per-Lab VM Inventory'''
{| class="wikitable"
! Lab !! pfSense !! Clients !! Servers !! Internet Router !! Total vCPUs !! Total RAM
|-
| Lab 1 (Intro) || 1 || 1 || 0 || 0 || 4 || 5 GB
|-
| Lab 2 (Rules) || 1 || 1 || 1 || 0 || 5 || 6 GB
|-
| Lab 3 (NAT/VIP) || 1 || 0 || 1 || 1 || 5 || 6.5 GB
|-
| Lab 4 (Services) || 2 || 2 || 1 || 0 || 10 || 13 GB
|-
| Lab 5 (IPsec) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 6 (OpenVPN) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 7 (WireGuard) || 2 || 2 || 0 || 0 || 10 || 12 GB
|-
| Lab 8 (Multi-WAN) || 1 || 1 || 0 || 1 || 5 || 6.5 GB
|-
| Lab 9 (Shaping) || 1 || 2+ || 0 || 0 || 6+ || 9+ GB
|-
| Lab 10 (HA) || 2 || 1 || 0 || 0 || 6 || 7 GB
|-
| '''Capstone''' || '''4''' || '''2''' || '''2''' || '''1''' || '''18''' || '''21 GB'''
|}
 
'''Containerization Notes:'''
* pfSense runs on FreeBSD; must use full KVM virtualization (not containers)
* Clients can be Linux containers (LXC) if only CLI/SSH access needed; Windows requires KVM
* NoVNC proxy can run in Docker for easy deployment
* Ansible controller can be a Docker container or the host itself
 
== Related Infrastructure ==
* [[System Hardening Strategy: Win2Lin Migration & Infrastructure 251129]] — Server migration and infrastructure hardening
* [[Introduction: Why Self-Host Your Email?]] — Self-hosted email infrastructure context
* [[Mailcow + Thunderbird Setup Guide (Email + Calendar)]] — Email server deployment
* [[Portainer to Docker Compose Migration Guide]] — Container orchestration for network services
 
----
''This index consolidates networking resources previously scattered across the [[Main Page]]. Last updated: 260423.''

Revision as of 06:36, 23 April 2026

Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.
