Networking PfSense Index

Consolidated index for all networking infrastructure guides, pfSense documentation, DNS/ad-blocking resources, and network equipment references at Comfac IT.

pfSense Core Guides

pfSense Sales Training Material — Product knowledge and sales positioning for Netgate/pfSense hardware and software
Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME — Enterprise Wi-Fi captive portal with RADIUS authentication and Let's Encrypt SSL
pfSense CE → pfSense Plus Upgrade Guide — Step-by-step migration from Community Edition to pfSense Plus
SOP: Network Troubleshooting & pfSense Monitoring 251130 — Standard operating procedures for network diagnostics and pfSense health monitoring

Network Infrastructure & Equipment

Tplink Mikrotik Equivalent — Cross-reference of TP-Link and MikroTik models for network deployments
Controller Systems 251213-01 — Network and infrastructure controller systems
Power Distribution Tree 251213 — Power architecture for network and server racks
NPM Migration to Homelab VPS Relay 260401 — Nginx Proxy Manager migration; VPS as iptables/ZeroTier relay with homelab redundancy

DNS, Ad Blocking & Pi-hole

Comfac Pi-hole Repository — GitHub repository for Pi-hole DNS sinkhole deployment
How Pi-hole Works — Technical overview of the Pi-hole DNS filtering architecture

Training & Skills

Skills and Competencies for IT Staff Trained in pfSense — Required competencies and certification path for pfSense-administering staff

Practical Training System (NoVNC Virtual Lab)

Goal: Build a self-hosted, virtualized pfSense training environment where Comfac trainees can learn hands-on without physical hardware. All labs run via NoVNC in a browser, orchestrated on Comfac's 200-core / 1TB RAM machine.

Training Architecture Vision

Each student gets an isolated virtual network sandbox containing:

2× pfSense VMs (HQ HA pair or HQ + Branch)
1–2× Client VMs (Windows/Linux desktop)
1× Server VM (web/DNS/target)
1× Simulated "Internet" router VM

Access is through a NoVNC web portal. Students click a lab, and their environment is provisioned automatically via Ansible/Terraform or Docker/KVM.

Resource Estimates Per Student

Component	vCPUs	RAM	Disk	Notes
pfSense VM	2	1 GB	8 GB	One per firewall; labs need 2–4
Windows Client	2	4 GB	40 GB	Can be replaced with thin Linux client
Ubuntu Server	1	1 GB	10 GB	DNS/web/target server
"Internet" Router	1	512 MB	4 GB	Simulated upstream ISP
Total (minimal)	6	6.5 GB	62 GB	2 firewalls + 1 client + 1 server + internet
Total (full lab)	10	10.5 GB	110 GB	4 firewalls + 2 clients + 2 servers + internet

Cluster capacity (200 core / 1 TB RAM):

Conservative (10 cores + 10 GB per student): ~20 concurrent students
Optimized (6 cores + 6.5 GB per student): ~30 concurrent students
With memory overcommit and thin-provisioned disks: potentially 40+ students

Zero-Touch Provisioning / Infra-as-Code Strategy

Given constrained materials (old PCs, limited budget), the deployment stack should be:

Option A: KVM + Ansible (Recommended for Comfac)

KVM/libvirt on Ubuntu host
qcow2 base images for pfSense, Windows, Ubuntu
Ansible playbooks per lab:
- Clone base images (linked clones for disk efficiency)
- Configure VLANs/internal networks via libvirt
- Start VMs in correct order
- Inject pfSense config.xml for each lab stage
NoVNC via Kimchi or Apache Guacamole as the web portal
Students get a unique URL + credentials; VMs are destroyed/re-created per session

Option B: Docker + GNS3/EVE-NG (Alternative)

pfSense can run in QEMU inside Docker
More complex networking; less stable than KVM
Better for Cisco/Juniper labs, not ideal for pfSense web-GUI training

Option C: Proxmox VE Cluster (If hardware allows)

Best UX but requires dedicated Proxmox host(s)
Good for the 200-core machine, not for old PCs

Chosen Path for Comfac: Option A (KVM/Ansible)

Old PCs become thin clients (any PC with a browser)
Heavy lifting happens on the 200-core host
Ansible manages:
- VM lifecycle (create/start/stop/destroy)
- Network topology (bridges, VLANs, isolated libvirt networks)
- Student access (NoVNC tokens, time limits)
- Snapshot/reset between sessions

Training Phases / Legs (1 Hour Per Day)

The FUND001 curriculum is broken into digestible daily modules.

Phase	Day	Topic	Slide	Lab	VMs Required
Phase 1: Foundations	1	Intro to pfSense: What, Why, History, Certifications	SEG1	—	—
	2	Interfaces, IPs, VLANs, Virtual IPs	SEG2	Lab 1 (Intro + Backup/Restore)	1 pfSense + 1 client
	3	Firewall Rules, Aliases, Best Practices	SEG2	Lab 2 (Rules + Aliases)	1 pfSense + 1 client + 1 server
Phase 2: NAT & Services	4	NAT Overview: Outbound, Port Forwards, 1:1 NAT	SEG3	Lab 3 (NAT + VIPs)	1 pfSense + 1 server + internet
	5	DHCP, DNS Resolver, Dynamic DNS, NTP	SEG4	Lab 4 (Services + Branch Setup)	2 pfSense + 2 clients + 1 server
	6	Package System, Common Packages (pfBlocker, Suricata intro)	SEG11	—	1 pfSense
Phase 3: VPNs	7	VPN Concepts: IPsec, OpenVPN, WireGuard compared	SEG5	—	—
	8	IPsec Site-to-Site + Mobile Remote Access	SEG5	Lab 5 (IPsec)	2 pfSense + 2 clients
	9	OpenVPN Site-to-Site + Remote Access with Client Export	SEG6	Lab 6 (OpenVPN)	2 pfSense + 2 clients
	10	WireGuard Site-to-Site	SEG7	Lab 7 (WireGuard)	2 pfSense + 2 clients
Phase 4: Resilience	11	Multi-WAN: Failover, Load Balancing, Gateway Groups	SEG8	Lab 8 (Multi-WAN)	1 pfSense + 2 WANs + client
Phase 4: Resilience	12	Traffic Shaping & Limiters (ALTQ + dummynet)	SEG9	Lab 9 (Traffic Shaping)	1 pfSense + multiple clients
Phase 5: Advanced	13	High Availability: CARP, XMLRPC, pfsync	SEG10	Lab 10 (HA)	2 pfSense (HA pair) + client
Phase 5: Advanced	14	Monitoring, SNMP, RRD, Log Aggregation, Packages	SEG11	—	1 pfSense + monitoring target
Phase 6: Capstone	15	Build Your Own Firewall: Design, Implement, Present	—	Capstone	Full lab (4 pfSense + clients + servers)

Sub-Phases for Comfac Internal Use (ZTP/IaC Focus)

These are shorter, targeted sessions for staff who will build and maintain the training platform.

Sub-Phase	Topic	Duration	Deliverable
A.1	KVM/libvirt Setup on 200-Core Host	2 hrs	Host provisioned with bridges and storage pools
A.2	Base Image Creation: pfSense, Windows, Ubuntu	2 hrs	qcow2 golden images ready for cloning
A.3	Ansible Playbook: Lab 1 Environment	3 hrs	`ansible-playbook lab1.yml --extra-vars student_id=01`
A.4	NoVNC Portal: Kimchi or Guacamole Integration	3 hrs	Browser-based console access working
A.5	Automated Cleanup & Snapshot Reset	2 hrs	VMs destroyed/recreated between sessions
A.6	Monitoring & Quota: Per-Student Resource Limits	2 hrs	cgroups/libvirt quotas enforced

Required Containers / VMs Summary

Per-Lab VM Inventory

Lab	pfSense	Clients	Servers	Internet Router	Total vCPUs	Total RAM
Lab 1 (Intro)	1	1	0	0	4	5 GB
Lab 2 (Rules)	1	1	1	0	5	6 GB
Lab 3 (NAT/VIP)	1	0	1	1	5	6.5 GB
Lab 4 (Services)	2	2	1	0	10	13 GB
Lab 5 (IPsec)	2	2	0	0	10	12 GB
Lab 6 (OpenVPN)	2	2	0	0	10	12 GB
Lab 7 (WireGuard)	2	2	0	0	10	12 GB
Lab 8 (Multi-WAN)	1	1	0	1	5	6.5 GB
Lab 9 (Shaping)	1	2+	0	0	6+	9+ GB
Lab 10 (HA)	2	1	0	0	6	7 GB
Capstone	4	2	2	1	18	21 GB

Containerization Notes:

pfSense runs on FreeBSD; must use full KVM virtualization (not containers)
Clients can be Linux containers (LXC) if only CLI/SSH access needed; Windows requires KVM
NoVNC proxy can run in Docker for easy deployment
Ansible controller can be a Docker container or the host itself

Related Infrastructure

System Hardening Strategy: Win2Lin Migration & Infrastructure 251129 — Server migration and infrastructure hardening
Introduction: Why Self-Host Your Email? — Self-hosted email infrastructure context
Mailcow + Thunderbird Setup Guide (Email + Calendar) — Email server deployment
Portainer to Docker Compose Migration Guide — Container orchestration for network services

This index consolidates networking resources previously scattered across the Main Page. Last updated: 260423.