Networking PfSense Index: Difference between revisions
Justinaquino (talk | contribs): Add Practical Training System (NoVNC Virtual Lab) section with phases, resource estimates, and ZTP/IaC strategy
Justinaquino (talk | contribs): Add link to PfSense Training Project Tracker
Revision as of 06:38, 23 April 2026
Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.
pfSense Core Guides
- pfSense Sales Training Material — Product knowledge and sales positioning for Netgate/pfSense hardware and software
- Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL
- pfSense CE → pfSense Plus Upgrade Guide — Step-by-step migration from Community Edition to pfSense Plus
- SOP: Network Troubleshooting & pfSense Monitoring 251130 — Standard operating procedures for network diagnostics and pfSense health monitoring
Network Infrastructure & Equipment
- Tplink Mikrotik Equivalent — Cross-reference of TP-Link and MikroTik models for network deployments
- Controller Systems 251213-01 — Network and infrastructure controller systems
- Power Distribution Tree 251213 — Power architecture for network and server racks
- NPM Migration to Homelab VPS Relay 260401 — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy
DNS, Ad Blocking & Pi-hole
- Comfac Pi-hole Repository — GitHub repository for Pi-hole DNS sinkhole deployment
- How Pi-hole Works — Technical overview of the Pi-hole DNS filtering architecture
Training & Skills
- Skills and Competencies for IT Staff Trained in pfSense — Required competencies and certification path for pfSense-administering staff
- PfSense Training Project Tracker — Implementation tracker for the NoVNC virtual lab, material conversion, and curriculum development
Practical Training System (NoVNC Virtual Lab)
Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1 TB RAM machine.
Training Architecture Vision
Each student gets an isolated virtual network sandbox containing:
- 2× pfSense VMs (HQ HA pair or HQ + Branch)
- 1–2× Client VMs (Windows/Linux desktop)
- 1× Server VM (web/DNS/target)
- 1× Simulated "Internet" router VM
Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.
Resource Estimates Per Student
| Component | vCPUs | RAM | Disk | Notes |
|---|---|---|---|---|
| pfSense VM | 2 | 1 GB | 8 GB | One per firewall; labs need 2–4 |
| Windows Client | 2 | 4 GB | 40 GB | Can be replaced with thin Linux client |
| Ubuntu Server | 1 | 1 GB | 10 GB | DNS/web/target server |
| "Internet" Router | 1 | 512 MB | 4 GB | Simulated upstream ISP |
| Total (minimal) | 6 | 6.5 GB | 62 GB | 2 firewalls + 1 client + 1 server + internet |
| Total (full lab) | 10 | 10.5 GB | 110 GB | 4 firewalls + 2 clients + 2 servers + internet |
Cluster capacity (200 core / 1 TB RAM):
- Conservative (10 cores + 10 GB per student): ~20 concurrent students
- Optimized (6 cores + 6.5 GB per student): ~30 concurrent students
- With memory overcommit and thin-provisioned disks: potentially 40+ students
Zero-Touch Provisioning / Infra-as-Code Strategy
Given constrained materials (old PCs, limited budget), the deployment stack should be:
Option A: KVM + Ansible (Recommended for Comfac)
- KVM/libvirt on Ubuntu host
- qcow2 base images for pfSense, Windows, Ubuntu
- Ansible playbooks per lab:
  - Clone base images (linked clones for disk efficiency)
  - Configure VLANs/internal networks via libvirt
  - Start VMs in correct order
  - Inject pfSense config.xml for each lab stage
- NoVNC via Kimchi or Apache Guacamole as the web portal
- Students get a unique URL + credentials; VMs are destroyed/re-created per session
Option B: Docker + GNS3/EVE-NG (Alternative)
- pfSense can run in QEMU inside Docker
- More complex networking; less stable than KVM
- Better for Cisco/Juniper labs, not ideal for pfSense web-GUI training
Option C: Proxmox VE Cluster (If hardware allows)
- Best UX but requires dedicated Proxmox host(s)
- Good for the 200-core machine, not for old PCs
Chosen Path for Comfac: Option A (KVM/Ansible)
- Old PCs become thin clients (any PC with a browser)
- Heavy lifting happens on the 200-core host
- Ansible manages:
  - VM lifecycle (create/start/stop/destroy)
  - Network topology (bridges, VLANs, isolated libvirt networks)
  - Student access (NoVNC tokens, time limits)
  - Snapshot/reset between sessions
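What the Ansible side of Option A looks like for one student's Lab 1 sandbox (1 pfSense + 1 client), as an added example rather than Comfac's own playbook: per-student isolated libvirt networks, linked qcow2 clones of the golden images, the lab stage's config.xml handed to pfSense on a separate disk, and VMs started in order with VNC bound to loopback so only the NoVNC proxy can reach them. The `kvm_host` inventory group, image paths and names, the `configs/` directory, and the FAT-disk config-import method are assumptions, as is running the controller on the host itself.

```yaml
# Added example for this page, not Comfac's own playbook.
# Run: ansible-playbook lab1.yml -e student_id=01
# Assumed (not from the page): golden images under /var/lib/libvirt/images/base, the Lab 1
# config.xml at ./configs/lab1-config.xml next to this playbook (controller == KVM host),
# community.libvirt + mtools + virt-install installed, and pfSense's External Configuration
# Locator importing conf/config.xml from a FAT-formatted extra disk at first boot.
- name: Provision one student's Lab 1 sandbox (1 pfSense + 1 client)
  hosts: kvm_host
  become: true
  vars:
    student_id: "01"
    sid: "lab1-s{{ student_id }}"
    base_dir: /var/lib/libvirt/images/base
    lab_dir: "/var/lib/libvirt/images/{{ sid }}"
    # Order matters: the firewall boots first so the client gets DHCP from it.
    vms:
      - { name: fw1, base: pfsense-base.qcow2, ram: 1024, vcpus: 2, extra: "--network network={{ sid }}-wan --network network={{ sid }}-lan --disk path={{ lab_dir }}/ecl.img,format=raw" }
      - { name: client1, base: ubuntu-desktop-base.qcow2, ram: 2048, vcpus: 2, extra: "--network network={{ sid }}-lan" }
  tasks:
    - name: Per-student isolated networks (no <forward/>, so no path to the host or other students)
      community.libvirt.virt_net:
        command: define
        name: "{{ sid }}-{{ item }}"
        xml: "<network><name>{{ sid }}-{{ item }}</name><bridge name='vbr{{ student_id }}{{ item }}'/></network>"
      loop: [wan, lan]
    - name: Activate networks
      community.libvirt.virt_net:
        name: "{{ sid }}-{{ item }}"
        state: active
      loop: [wan, lan]
    - name: Lab image directory
      ansible.builtin.file: { path: "{{ lab_dir }}", state: directory, mode: "0700" }
    - name: Linked clones (the golden image stays read-only; only deltas are written per student)
      ansible.builtin.command:
        cmd: "qemu-img create -f qcow2 -F qcow2 -b {{ base_dir }}/{{ item.base }} {{ lab_dir }}/{{ item.name }}.qcow2"
        creates: "{{ lab_dir }}/{{ item.name }}.qcow2"
      loop: "{{ vms }}"
    - name: FAT disk carrying this lab stage's config.xml for pfSense to import at boot
      ansible.builtin.shell:
        cmd: "mkfs.vfat -C {{ lab_dir }}/ecl.img 8192 && mmd -i {{ lab_dir }}/ecl.img ::conf && mcopy -i {{ lab_dir }}/ecl.img {{ playbook_dir }}/configs/lab1-config.xml ::conf/config.xml"
        creates: "{{ lab_dir }}/ecl.img"
    - name: Define and start VMs in order; VNC on loopback only, reached through the NoVNC proxy
      ansible.builtin.command:
        cmd: "virt-install --name {{ sid }}-{{ item.name }} --memory {{ item.ram }} --vcpus {{ item.vcpus }} --import --disk path={{ lab_dir }}/{{ item.name }}.qcow2,format=qcow2 {{ item.extra }} --osinfo detect=on,require=off --graphics vnc,listen=127.0.0.1 --noautoconsole"
        creates: "/etc/libvirt/qemu/{{ sid }}-{{ item.name }}.xml"
      loop: "{{ vms }}"
```

Tearing the sandbox down between sessions is the reverse: `virsh destroy`/`undefine` each `{{ sid }}-*` domain, remove `{{ lab_dir }}`, and destroy/undefine the two networks; the `creates:` guards make a re-run rebuild everything from the untouched golden images.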
Training Phases / Legs (1 Hour Per Day)
The FUND001 curriculum is broken into digestible daily modules.
| Phase | Day | Topic | Slide | Lab | VMs Required |
|---|---|---|---|---|---|
| Phase 1: Foundations | 1 | Intro to pfSense: What, Why, History, Certifications | SEG1 | — | — |
| | 2 | Interfaces, IPs, VLANs, Virtual IPs | SEG2 | Lab 1 (Intro + Backup/Restore) | 1 pfSense + 1 client |
| | 3 | Firewall Rules, Aliases, Best Practices | SEG2 | Lab 2 (Rules + Aliases) | 1 pfSense + 1 client + 1 server |
| Phase 2: NAT & Services | 4 | NAT Overview: Outbound, Port Forwards, 1:1 NAT | SEG3 | Lab 3 (NAT + VIPs) | 1 pfSense + 1 server + internet |
| | 5 | DHCP, DNS Resolver, Dynamic DNS, NTP | SEG4 | Lab 4 (Services + Branch Setup) | 2 pfSense + 2 clients + 1 server |
| | 6 | Package System, Common Packages (pfBlocker, Suricata intro) | SEG11 | — | 1 pfSense |
| Phase 3: VPNs | 7 | VPN Concepts: IPsec, OpenVPN, WireGuard compared | SEG5 | — | — |
| | 8 | IPsec Site-to-Site + Mobile Remote Access | SEG5 | Lab 5 (IPsec) | 2 pfSense + 2 clients |
| | 9 | OpenVPN Site-to-Site + Remote Access with Client Export | SEG6 | Lab 6 (OpenVPN) | 2 pfSense + 2 clients |
| | 10 | WireGuard Site-to-Site | SEG7 | Lab 7 (WireGuard) | 2 pfSense + 2 clients |
| Phase 4: Resilience | 11 | Multi-WAN: Failover, Load Balancing, Gateway Groups | SEG8 | Lab 8 (Multi-WAN) | 1 pfSense + 2 WANs + client |
| | 12 | Traffic Shaping & Limiters (ALTQ + dummynet) | SEG9 | Lab 9 (Traffic Shaping) | 1 pfSense + multiple clients |
| Phase 5: Advanced | 13 | High Availability: CARP, XMLRPC, pfsync | SEG10 | Lab 10 (HA) | 2 pfSense (HA pair) + client |
| | 14 | Monitoring, SNMP, RRD, Log Aggregation, Packages | SEG11 | — | 1 pfSense + monitoring target |
| Phase 6: Capstone | 15 | Build Your Own Firewall: Design, Implement, Present | — | Capstone | Full lab (4 pfSense + clients + servers) |
Sub-Phases for Comfac Internal Use (ZTP/IaC Focus)
These are shorter, targeted sessions for staff who will build and maintain the training platform.
| Sub-Phase | Topic | Duration | Deliverable |
|---|---|---|---|
| A.1 | KVM/libvirt Setup on 200-Core Host | 2 hrs | Host provisioned with bridges and storage pools |
| A.2 | Base Image Creation: pfSense, Windows, Ubuntu | 2 hrs | qcow2 golden images ready for cloning |
| A.3 | Ansible Playbook: Lab 1 Environment | 3 hrs | `ansible-playbook lab1.yml --extra-vars student_id=01` |
| A.4 | NoVNC Portal: Kimchi or Guacamole Integration | 3 hrs | Browser-based console access working |
| A.5 | Automated Cleanup & Snapshot Reset | 2 hrs | VMs destroyed/recreated between sessions |
| A.6 | Monitoring & Quota: Per-Student Resource Limits | 2 hrs | cgroups/libvirt quotas enforced |
Required Containers / VMs Summary
Per-Lab VM Inventory
| Lab | pfSense | Clients | Servers | Internet Router | Total vCPUs | Total RAM |
|---|---|---|---|---|---|---|
| Lab 1 (Intro) | 1 | 1 | 0 | 0 | 4 | 5 GB |
| Lab 2 (Rules) | 1 | 1 | 1 | 0 | 5 | 6 GB |
| Lab 3 (NAT/VIP) | 1 | 0 | 1 | 1 | 5 | 6.5 GB |
| Lab 4 (Services) | 2 | 2 | 1 | 0 | 10 | 13 GB |
| Lab 5 (IPsec) | 2 | 2 | 0 | 0 | 10 | 12 GB |
| Lab 6 (OpenVPN) | 2 | 2 | 0 | 0 | 10 | 12 GB |
| Lab 7 (WireGuard) | 2 | 2 | 0 | 0 | 10 | 12 GB |
| Lab 8 (Multi-WAN) | 1 | 1 | 0 | 1 | 5 | 6.5 GB |
| Lab 9 (Shaping) | 1 | 2+ | 0 | 0 | 6+ | 9+ GB |
| Lab 10 (HA) | 2 | 1 | 0 | 0 | 6 | 7 GB |
| Capstone | 4 | 2 | 2 | 1 | 18 | 21 GB |
Containerization Notes:
- pfSense runs on FreeBSD; must use full KVM virtualization (not containers)
- Clients can be Linux containers (LXC) if only CLI/SSH access is needed; Windows requires KVM
- NoVNC proxy can run in Docker for easy deployment
- Ansible controller can be a Docker container or the host itself
Related Infrastructure
- System Hardening Strategy: Win2Lin Migration & Infrastructure 251129 — Server migration and infrastructure hardening
- Introduction: Why Self-Host Your Email? — Self-hosted email infrastructure context
- Mailcow + Thunderbird Setup Guide (Email + Calendar) — Email server deployment
- Portainer to Docker Compose Migration Guide — Container orchestration for network services
This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.