
Networking PfSense Index

From MediawikiCIT
Revision as of 10:10, 23 April 2026 by Justinaquino (talk | contribs) (Update Resource Estimates: Add Linux FOSS vs Windows stacks, 20% utilization target, container analysis, AI evaluation, exercise-limited deployment)

Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.

pfSense Core Guides

Network Infrastructure & Equipment

DNS, Ad Blocking & Pi-hole

Training & Skills

Practical Training System (NoVNC Virtual Lab)

Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine.

Training Architecture Vision

Each student gets an isolated virtual network sandbox containing:

  • 2× pfSense VMs (HQ HA pair or HQ + Branch)
  • 1–2× Client VMs (Windows/Linux desktop)
  • 1× Server VM (web/DNS/target)
  • 1× Simulated "Internet" router VM

Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.

Resource Estimates Per Student

Stack A: Pure Linux / FOSS (Recommended for Comfac)

All components run on open-source software. Clients are lightweight Linux VMs or LXC containers. No Windows licensing required.

Component              | vCPUs | RAM    | Disk   | Virtualization   | Notes
-----------------------|-------|--------|--------|------------------|------------------------------------------
pfSense VM             | 1     | 512 MB | 4 GB   | KVM microVM      | FreeBSD requires KVM; use tiny QEMU args
Linux Client (LXC)     | 0.5   | 256 MB | 1 GB   | LXC container    | Alpine or Debian with XFCE; NoVNC access
Linux Server (LXC)     | 0.5   | 256 MB | 1 GB   | LXC container    | nginx, BIND, or simple Python HTTP
Internet Router (LXC)  | 0.5   | 128 MB | 0.5 GB | LXC container    | Static routes only; FRR optional
NoVNC Proxy (Docker)   | 0.5   | 256 MB | 0.5 GB | Docker container | websockify + nginx
Total per student      | 3     | 1.4 GB | 7 GB   |                  | Thin-provisioned; linked clones

Stack B: Windows Client (Full Desktop Experience)

For trainees who need a Windows desktop for browser-based management or specific client software.

Component         | vCPUs | RAM    | Disk   | Virtualization | Notes
------------------|-------|--------|--------|----------------|--------------------------------------------------
pfSense VM        | 2     | 1 GB   | 8 GB   | KVM            | Standard qcow2 image
Windows Client    | 2     | 4 GB   | 40 GB  | KVM            | Windows 10/11 thin client; needs GPU if GUI-heavy
Ubuntu Server     | 1     | 1 GB   | 10 GB  | KVM            | Full VM for compatibility
Internet Router   | 1     | 512 MB | 4 GB   | KVM            | Ubuntu with static routes
NoVNC Proxy       | 0.5   | 256 MB | 0.5 GB | Docker         | Shared across students
Total per student | 6.5   | 6.8 GB | 63 GB  |                | Higher resource cost

Stack C: Hybrid — Containers for Linux Router Exercises

For basic routing/firewall concept labs only (not pfSense-specific), replace pfSense with Linux routers in containers.

Component              | vCPUs | RAM    | Disk   | Virtualization | Notes
-----------------------|-------|--------|--------|----------------|-----------------------------------------------
Linux Router (LXC)     | 0.5   | 128 MB | 0.5 GB | LXC            | Alpine + iptables/nftables + WireGuard
Linux Client (LXC)     | 0.5   | 256 MB | 1 GB   | LXC            | Alpine or Debian
Linux Server (LXC)     | 0.5   | 256 MB | 1 GB   | LXC            | nginx, BIND
Internet Router (LXC)  | 0.5   | 128 MB | 0.5 GB | LXC            | Static routes
Total per student      | 2     | 768 MB | 3 GB   |                | Cannot teach pfSense GUI; teaches concepts only

Important: pfSense is FreeBSD-based and cannot run in Linux containers (Docker/LXC). Stack C is suitable for teaching routing/VPN concepts using Linux tools (iptables, nftables, WireGuard, strongSwan), but not for teaching the pfSense web interface. For pfSense GUI training, use Stack A or B.

Server Capacity: 20% Utilization Target

The goal is to run the training environment using only 20% of the 200-core / 1TB RAM server, leaving 80% for other Comfac workloads (ERPNext, AI models, file services).

20% of available resources:

  • 40 vCPUs (20% of 200)
  • 200 GB RAM (20% of 1 TB)
  • ~2 TB SSD (assuming 10 TB array, 20% = 2 TB)

Concurrent student capacity at 20% utilization:

Stack         | Per-Student Resources | Students at 20% CPU | Students at 20% RAM | Limiting Factor
--------------|-----------------------|---------------------|---------------------|-----------------
A: Pure Linux | 3 vCPU / 1.4 GB       | 13                  | 142                 | CPU: 13 students
B: Windows    | 6.5 vCPU / 6.8 GB     | 6                   | 29                  | CPU: 6 students
C: Containers | 2 vCPU / 0.8 GB       | 20                  | 250                 | CPU: 20 students

Recommendation: Use Stack A (Pure Linux) for all labs. This yields ~13 concurrent students within the 20% budget, or up to ~30 students if spread across time slots (not everyone needs a lab simultaneously).

Smaller Server: What Hardware for 10 Students?

If buying a dedicated training server instead of using the 200-core machine:

Stack         | CPU      | RAM   | Storage     | NICs    | Example Hardware
--------------|----------|-------|-------------|---------|-------------------------------------
A: Pure Linux | 32 cores | 32 GB | 500 GB NVMe | 2x 1GbE | Used Dell R630/R640 (~$300-500)
B: Windows    | 64 cores | 96 GB | 1 TB NVMe   | 2x 1GbE | Used Dell R740 / HP DL360 (~$600-900)
C: Containers | 16 cores | 16 GB | 250 GB NVMe | 2x 1GbE | Old desktop + Intel NIC (~$100-200)

Exercise-Limited Deployment (Right-Sizing per Lab)

Not every lab needs the full sandbox. Deploy only what is needed:

Lab                   | Stack A Deployed                 | vCPUs Used | RAM Used | Disk Used
----------------------|----------------------------------|------------|----------|----------
Day 1 — Theory only   | None (wiki only)                 | 0          | 0        | 0
Lab 1 (Intro/Backup)  | 1 pfSense + 1 client             | 1.5        | 768 MB   | 5 GB
Lab 2 (Rules)         | 1 pfSense + 1 client + 1 server  | 2          | 1 GB     | 6 GB
Lab 3 (NAT)           | 1 pfSense + 1 server + router    | 2          | 900 MB   | 5.5 GB
Lab 4 (Services)      | 2 pfSense + 2 clients + 1 server | 4          | 2.1 GB   | 11 GB
Lab 5-7 (VPNs)        | 2 pfSense + 2 clients            | 3          | 1.5 GB   | 10 GB
Lab 8 (Multi-WAN)     | 1 pfSense + 1 client + router    | 2          | 900 MB   | 5.5 GB
Lab 9 (Shaping)       | 1 pfSense + 2 clients            | 2.5        | 1.3 GB   | 6 GB
Lab 10 (HA)           | 2 pfSense + 1 client             | 2.5        | 1.3 GB   | 9 GB

Scheduling strategy: If students are scheduled in 1-hour slots and labs are provisioned on-demand, the same 40 vCPUs / 200 GB RAM can serve 40-60 student-slots per day (not concurrently, but sequentially).
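Worked capacity planner, added here as an example and not a tool from the wiki or from Comfac: it takes the Stack A/B/C component rows above, the 200-core / 1 TB server and the 20% budget, and derives the per-student totals, the concurrent-student counts with their limiting resource, and the footprint of an exercise-limited lab assembled from Stack A parts. Two choices are assumptions: 1 TB is taken as 1000 GB so that the RAM budget is the page's 200 GB, and the shared NoVNC proxy is not counted per lab.

```python
"""Capacity planner for the per-student stacks and the 20% server budget.

Added example, not code from the Comfac wiki: it recomputes stack totals,
concurrent-student counts and per-lab footprints from the component rows
above, so that a change to one component re-derives every dependent figure
instead of leaving hand-edited rows to drift. Component, server and budget
numbers are the page's; the lab builder's choices are assumptions.
"""
from dataclasses import dataclass
from math import floor


@dataclass(frozen=True)
class Component:
    name: str
    vcpus: float
    ram_mb: int
    disk_gb: float


# Stack A: Pure Linux / FOSS (page figures)
STACK_A = [
    Component("pfSense VM", 1, 512, 4),
    Component("Linux Client (LXC)", 0.5, 256, 1),
    Component("Linux Server (LXC)", 0.5, 256, 1),
    Component("Internet Router (LXC)", 0.5, 128, 0.5),
    Component("NoVNC Proxy (Docker)", 0.5, 256, 0.5),
]
# Stack B: Windows client (page figures)
STACK_B = [
    Component("pfSense VM", 2, 1024, 8),
    Component("Windows Client", 2, 4096, 40),
    Component("Ubuntu Server", 1, 1024, 10),
    Component("Internet Router", 1, 512, 4),
    Component("NoVNC Proxy", 0.5, 256, 0.5),
]
# Stack C: Linux routers in containers (page figures)
STACK_C = [
    Component("Linux Router (LXC)", 0.5, 128, 0.5),
    Component("Linux Client (LXC)", 0.5, 256, 1),
    Component("Linux Server (LXC)", 0.5, 256, 1),
    Component("Internet Router (LXC)", 0.5, 128, 0.5),
]

SERVER_CORES = 200
SERVER_RAM_MB = 1000 * 1024  # assumption: 1 TB taken as 1000 GB, giving the page's 200 GB budget
BUDGET_PERCENT = 20          # utilization target for the training environment


def stack_totals(components):
    """Per-student (vCPUs, RAM in MB, disk in GB) for one sandbox."""
    return (sum(c.vcpus for c in components),
            sum(c.ram_mb for c in components),
            sum(c.disk_gb for c in components))


def concurrent_students(components, percent=BUDGET_PERCENT,
                        cores=SERVER_CORES, ram_mb=SERVER_RAM_MB):
    """Sandboxes that fit the budget per resource, and which one limits."""
    vcpus, per_ram_mb, _ = stack_totals(components)
    by_cpu = floor(cores * percent / 100 / vcpus)
    by_ram = floor(ram_mb * percent / 100 / per_ram_mb)
    return {"by_cpu": by_cpu, "by_ram": by_ram,
            "limiting": "CPU" if by_cpu <= by_ram else "RAM",
            "students": min(by_cpu, by_ram)}


A_PFSENSE, A_CLIENT, A_SERVER, A_ROUTER, A_PROXY = STACK_A


def lab_components(pfsense=0, clients=0, servers=0, router=False):
    """Stack A parts for one exercise-limited lab. Assumption: the NoVNC
    proxy is shared, so it is not counted per lab."""
    parts = [A_PFSENSE] * pfsense + [A_CLIENT] * clients + [A_SERVER] * servers
    return parts + [A_ROUTER] if router else parts


def describe(components):
    """One-line summary in the units the tables use."""
    vcpus, ram_mb, disk_gb = stack_totals(components)
    cap = concurrent_students(components)
    return (f"{vcpus:g} vCPU / {ram_mb / 1024:.1f} GB RAM / {disk_gb:g} GB disk "
            f"-> {cap['students']} concurrent students (limit: {cap['limiting']})")


if __name__ == "__main__":
    for label, stack in (("Stack A", STACK_A), ("Stack B", STACK_B), ("Stack C", STACK_C)):
        print(f"{label}: {describe(stack)}")
    print(f"Lab 1: {describe(lab_components(pfsense=1, clients=1))}")
    print(f"Lab 4: {describe(lab_components(pfsense=2, clients=2, servers=1))}")
    print(f"Lab 10: {describe(lab_components(pfsense=2, clients=1))}")
```

Because the planner works in MB rather than the rounded GB figures in the tables, the RAM column comes out a little higher than the table (145 rather than 142 students for Stack A), while the CPU column, which is the limiting one, matches. Recomputing the exercise-limited rows from the Stack A parts is also how drift in hand-filled rows shows up: from the components as listed, Lab 4 sums to 3.5 vCPU / 1.8 GB and Lab 9 to 2 vCPU / 1 GB, so those two rows are worth re-checking against what is actually deployed.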

Phase 1: Resource Setup Validation

Before full student rollout, validate the resource model with these tests:

Test                         | Purpose                                       | Command / Method                                           | Pass Criteria
-----------------------------|-----------------------------------------------|------------------------------------------------------------|--------------------------------------
T1: MicroVM Boot             | Verify pfSense runs in 512 MB / 1 vCPU        | qemu-system-x86_64 -m 512 -smp 1 -drive file=pfsense.qcow2 | Boots to login in < 120 s
T2: LXC Container Spawn      | Verify sub-1 GB containers work               | lxc launch images:alpine/3.19 client                       | Starts in < 10 s; SSH reachable
T3: NoVNC Session            | Verify one student can access a console       | websockify + TigerVNC                                      | 640x480 responsive; < 500 ms latency
T4: 5 Concurrent Students    | Validate 20% CPU/RAM budget                   | Ansible: deploy 5x Stack A                                 | Total < 8 vCPU, < 7 GB RAM
T5: Lab 4 Full Deploy        | Heaviest lab (2 pfSense + 2 clients + server) | ansible-playbook lab4.yml                                  | Deploys in < 5 min; all VMs pingable
T6: Snapshot Reset Speed     | Time to reset between students                | virsh snapshot-revert + virsh start                        | < 60 seconds total
T7: AI Evaluation Readiness  | Validate environment for automated testing    | See AI Evaluation section below                            | All labs pass synthetic health checks

AI Evaluation: Automated Readiness Testing

Before students arrive, AI agents will validate that each lab environment is functional. This replaces manual smoke-testing.

Evaluation Stack:

  • Qwen 3.5 Instruct Coder (9GB) — Runs locally on the 200-core server or a dedicated GPU box. Evaluates: pfSense GUI accessibility, rule syntax, VPN handshake status, config.xml validity.
  • DeepSeek Coder (optional) — Cloud or local. Validates Ansible playbook correctness, network topology logic, resource allocation math.
  • OpenCode (local agent) — Executes shell commands inside VMs/containers via SSH/API. Performs end-to-end tests: ping, curl, ipsec status, wg show, etc.

Automated Test Sequence (per lab):

  1. Deploy lab environment via Ansible
  2. AI agent logs into pfSense (admin credentials)
  3. Screenshot/check each configured page matches expected state
  4. Run connectivity tests from client VMs
  5. Verify services are listening on correct ports
  6. Generate pass/fail report with specific error details
  7. Destroy lab environment

Benefits:

  • Catch broken base images before students arrive
  • Validate that config.xml injections work correctly
  • Ensure network isolation between students
  • Measure actual resource usage vs. estimates
  • Generate readiness dashboard for instructors

Implementation:

  • Python + Selenium/Playwright for pfSense GUI testing
  • Paramiko/fabric for SSH-based VM tests
  • pytest framework for test organization
  • GitHub Actions or local Cron for scheduled runs
  • Output: Markdown report posted to wiki or sent via Matrix/Email
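The connectivity, listening-port and isolation parts of the test sequence above, as an added runnable example rather than the wiki's own tooling (which the page plans around Playwright, Paramiko and pytest): it implements steps 4 to 6 of the per-lab sequence, the "ensure network isolation between students" check from the benefits list, and a boot-time poll for the Phase 1 pass criteria of the "boots in < N s" kind, using only the standard library. The lab topology, addresses and port list in `LAB2` are constructed for the example, `stub_probes` is a hypothetical helper for dry runs, and the checks are assumed to run from inside the student's sandbox (for instance the client VM), since the isolation test only means something from there.

```python
"""Readiness checks for one provisioned lab, with a Markdown pass/fail report.

Added example, not code from the Comfac wiki: the ping, listening-port and
isolation steps of the automated test sequence above, standard library only.
Topology, addresses and ports are constructed; probes are injectable so the
checks run without a live lab.
"""
import socket
import subprocess
import time
from dataclasses import dataclass


@dataclass
class Check:
    name: str
    passed: bool
    detail: str = ""  # reported only when the check fails


def tcp_open(host, port, timeout=2.0):
    """True if host:port accepts a TCP connection within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pingable(host, timeout_s=2):
    """One ICMP echo via the system ping binary (Linux iputils flags)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def seconds_until_open(host, port, deadline_s, probe_tcp=tcp_open,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll host:port; elapsed seconds once it answers, None past the deadline."""
    start = clock()
    while clock() - start < deadline_s:
        if probe_tcp(host, port):
            return clock() - start
        sleep(1)
    return None


LAB2 = {  # constructed lab description; placeholder addresses, not the page's
    "name": "Lab 2 (Rules)",
    "hosts": {"pfsense": "10.20.1.1", "client": "10.20.1.10",
              "server": "10.20.2.10"},
    "expect_listening": [("pfsense", 443), ("server", 80)],  # GUI, web target
    "expect_closed": [("server", 23)],      # a port the lab's rules must block
    "foreign_hosts": [("10.21.1.1", 443)],  # another student's pfSense
}


def run_lab_checks(lab, probe_tcp=tcp_open, probe_ping=pingable):
    """Steps 4-5 of the sequence plus the cross-sandbox isolation check."""
    hosts = lab["hosts"]
    plan = []  # (check name, probe thunk, detail reported on failure)
    for role, addr in hosts.items():
        plan.append((f"ping {role} ({addr})",
                     lambda a=addr: probe_ping(a), "no ICMP reply"))
    for role, port in lab["expect_listening"]:
        plan.append((f"{role}:{port} listening",
                     lambda a=hosts[role], p=port: probe_tcp(a, p),
                     "connection refused or timed out"))
    for role, port in lab.get("expect_closed", []):
        plan.append((f"{role}:{port} blocked",
                     lambda a=hosts[role], p=port: not probe_tcp(a, p),
                     "port accepted a connection; firewall rule not in effect"))
    for addr, port in lab.get("foreign_hosts", []):  # neither ICMP nor TCP may answer
        plan.append((f"isolation from {addr}",
                     lambda a=addr, p=port: not probe_ping(a) and not probe_tcp(a, p),
                     "neighbouring sandbox is reachable"))
    return [Check(name, probe(), detail) for name, probe, detail in plan]


def markdown_report(lab_name, results):
    """Render results as the Markdown table the sequence posts to the wiki."""
    failed = sum(1 for r in results if not r.passed)
    lines = [f"## {lab_name}: {'FAIL' if failed else 'PASS'} "
             f"({len(results) - failed}/{len(results)} checks passed)", "",
             "| Check | Result | Detail |", "|---|---|---|"]
    lines += [f"| {r.name} | {'ok' if r.passed else 'FAIL'} | "
              f"{'' if r.passed else r.detail} |" for r in results]
    return "\n".join(lines)


def stub_probes(open_tcp, answering):
    """Offline probes: a set of (host, port) that accept TCP, a set of hosts that answer ping."""
    return (lambda host, port, timeout=2.0: (host, port) in open_tcp,
            lambda host, timeout_s=2: host in answering)


if __name__ == "__main__":
    print(markdown_report(LAB2["name"], run_lab_checks(LAB2)))
```

The functions drop into pytest as they are: one test per lab that calls `run_lab_checks` and asserts on the failed list, with `markdown_report` in the assertion message, gives the specific error details step 6 asks for. The `expect_closed` and `foreign_hosts` entries are the negative tests: a lab whose rules are not applied, or a sandbox that can reach its neighbour, passes every positive connectivity check and would otherwise look healthy. The `-c`/`-W` flags are the Linux iputils `ping` ones; adjust `pingable` for other ping implementations.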



This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.