PfSense appliance questions



  • Hi all,

I am going to be rebuilding a multi-location business network from the ground up, and I have a couple of questions regarding the pre-built appliances.  I have been using pfSense on a Firebox x550e for years now, and have sold them to other small customers with very few, relatively minor issues, but this is a massive undertaking for me where availability is critical and downtime costs money, and I don't want any of the Firebox-related issues that occasionally pop up in new releases to bite me in the ass - especially with branches scattered across hundreds of miles - so I'm going to go with store-bought and officially supported versus homebrewed, where issues fall mostly on me.

Let me paint you a picture.  This is going to be for a retail company with 10 locations (with further expansion planned) plus a head office. Each location will have two Windows 10 Pro POS workstations and a Windows Server 2012 R2 Active Directory Domain Controller/file server, and the head office will run the main Domain Controller and a decentralized (but interconnected) VoIP PBX.  The head office has a static IP on 50/50 Mbps fiber (with symmetrical 100 Mbps and gigabit available if necessary), while each remote location has various service levels determined by what is available from the local ISP - ranging anywhere from 5/5 to 25/10 Mbps. Each branch will have a permanent, dedicated VPN back to the head office and its own FQDN subdomain. The PBX will have QoS priority, and since each branch has its own DC that only syncs with the master DC every few hours, traffic during business hours should be minimal. Sync of the file servers and the nightly backups to the head office storage and cloud will only occur overnight and will be staggered so they don't all try to sync at the same time.

I intend to use the XG-2758 at the head office and an SG-2440 at each branch. Would you say the XG-2758 would be able to handle the 10 simultaneous permanent VPN connections - plus there will be other available "as-needed" slots for the owner and the general manager so they can work from home or the road, and one for myself in case I need to remote in for troubleshooting - as far as processing power for the encryption, while still having enough left over to handle the normal routing/firewall functions?

    The two workstations at each location will be locked down via GPO, but the employees at the branches do have to use the internet for legit purposes. I am torn between funneling all of it through the head office versus allowing it to go straight out the WAN - if that's possible (if it is, I'd love to hear how, since I've never played with separating traffic originating from one IP between WAN and VPN).  I have a Pi-hole myself (running on a VM on a powerful server, not a Pi, so the Pi's limitations are not an issue), and I have verified that it works with my own domain (it is set in ADDS as a forwarder, so I know it does not interfere even if the Pi-hole goes down) - and they may want that too, to provide centralized ad and NSFW blocking versus relying on browser extensions or trying to get a Pi working at each branch (where it can be easily unplugged and bypassed).  If the XG-2758 CPU can handle it, I will do it.  There will be an AP at each location that employees can use for their phones and customer laptops, but that will be isolated from the internal network by the pfSense appliance and routed to the WAN.

The Gold support that comes with each appliance, does that 1 year start from the date of purchase or from the time the code is registered?  Since I will be buying 11 units, it doesn't make a lot of sense for me to have 22 tickets that will expire in 1 year.  Can they be redeemed as needed?  Do the codes themselves expire?

    Which reminds me, is there any volume and/or reseller discount available?

    I got a call while I was typing this so I know I'm forgetting something but if you could answer that for me I'd be grateful!

    Thanks!
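The split-tunnel question above ("separating traffic originating from one IP between WAN and VPN") and the isolated guest AP are both policy-routing problems, and pfSense solves them with pf `route-to` rules generated from the Gateway field on a LAN firewall rule. The ruleset below is an added example written for this thread; it is not from the original post or from the pfSense project, and it is hand-written in the style of the rules pfSense generates rather than copied from an appliance. Every interface name, address and subnet in it is a hypothetical assumption for one branch SG-2440: em0 is WAN with ISP gateway 203.0.113.1, em1 is the POS/DC LAN 192.168.10.0/24, em2 is the guest AP network 192.168.110.0/24, the head-office LAN is 10.0.0.0/24, and the other branches use 192.168.0.0/16 subnets reachable through a site-to-site tunnel that installs routes in the normal routing table (an OpenVPN tun interface is assumed; an IPsec policy-based tunnel would need the same rule order but no route).

```pf
# Added example for this thread (hypothetical branch firewall), not pfSense's own config.
# Assumed interfaces and addressing; change them to match the real site.
wan_if    = "em0"
wan_gw    = "203.0.113.1"          # ISP gateway, reached via route-to below
lan_if    = "em1"                  # POS workstations + branch DC
guest_if  = "em2"                  # employee/customer AP
lan_net   = "192.168.10.0/24"
guest_net = "192.168.110.0/24"

# All RFC1918 space: anything here must never leave via the ISP uplink.
table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Corporate space reachable only through the VPN: HQ LAN plus the other branches.
table <vpn_nets>     { 10.0.0.0/24, 192.168.0.0/16 }

set skip on lo0
block log all

# 1. LAN -> corporate: NO gateway/route-to, so the packet follows the routing
#    table and is delivered into the VPN tunnel. This rule must sit ABOVE rule 2:
#    pfSense rules are "quick" (first match wins), so if the order is reversed
#    every packet for HQ is policy-routed out the WAN instead.
pass in quick on $lan_if inet from $lan_net to <vpn_nets> keep state

# 2. LAN -> everything else: policy-routed straight out the WAN (the split tunnel).
#    "to ! <private_nets>" rather than "to any" so that a mistyped internal
#    address, or a tunnel that is down, cannot push corporate traffic to the ISP.
pass in quick on $lan_if route-to ( $wan_if $wan_gw ) inet from $lan_net to ! <private_nets> keep state

# 3. Guest AP: the firewall itself may answer DNS (and DHCP, which pfSense adds
#    automatically when the DHCP server is enabled on the interface), ...
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53 keep state
#    ... every other private destination, including the POS LAN and the tunnel,
#    is dropped and logged, ...
block in log quick on $guest_if inet from $guest_net to <private_nets>
#    ... and the remainder is policy-routed out the WAN, never into the VPN.
pass in quick on $guest_if route-to ( $wan_if $wan_gw ) inet from $guest_net to any keep state

# 4. Leak guard on the uplink: if the tunnel route disappears, a LAN packet for
#    10.0.0.0/24 would otherwise match rule 1, hit the default route, be NATed
#    and leave the branch in cleartext. Kill it on the way out instead.
block out log quick on $wan_if inet to <private_nets>

# Outbound NAT for the WAN-routed traffic; pfSense "automatic outbound NAT"
# produces the equivalent of this for each internal subnet.
nat on $wan_if inet from { $lan_net, $guest_net } to any -> ($wan_if)
```

With the Pi-hole at the head office, the POS workstations keep pointing at their branch DC for DNS, and the DC forwards to the Pi-hole over the tunnel: that forwarder traffic is DC-to-HQ, so it matches rule 1 and never touches the split tunnel. To check the result on the appliance, `pfctl -sr | grep route-to` should list rules 2 and 3 with the WAN gateway, and from a POS workstation a traceroute to an internet address should show the branch firewall followed by the ISP's hop, while a traceroute to the HQ DC should show the tunnel endpoint instead; a `pfctl -ss | grep 10.0.0.` that shows states on em0 rather than the tunnel interface means the rule order is wrong.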



  • Uhm, hello?  :o



  • sales@pfsense.org is your best bet for sales questions.

    The hardware is fine for the kind of usage you're talking about, it's more than capable of that.

    The support incidents all expire after a year. Yes you'll have a bunch of them in the first year, so make the most of them in that time. :)

    There are discounts available as part of the partner program if you want to join there. I believe that's the only way you'll get a discount short of considerably higher volumes. But sales@ can further clarify that. Generally those of us here are tech people, not sales.

    From a technical perspective, you're in fine shape with what you describe. sales@ can help fill in the blanks on the other things.



  • Great, thanks!