SG-2440 for small school



  • Hi All,

    I want to use pfSense as a firewall for our small school. Current connection is 15/3Mbps, and that might be upgraded to 25/5. A max of 250 simultaneous devices can access the network. We have about 180 staff and students using a combination of Macs, iPads, and smartphones. Two VLANs are set up, one for our IP phones, and the other is for computing devices. A lightly used Xserve serves a public web dashboard for students and parents, and I use remote desktop occasionally to remotely access another Xserve and fix issues when I'm away from campus. Gigabit fiber connects our existing router to three different campus building areas.

    Will the SG-2440 be enough for our network? At this point, I'm planning to run Snort/Suricata, but plan to keep the existing DNS/DHCP server in place. And I'll likely use iBoss for our content filter. I attached a basic map of our network.

    ![GSA Network Topology - Page 1.png](/public/imported_attachments/1/GSA Network Topology - Page 1.png)



  • For basic internet and firewalling, yes! That would be plenty! However, when you add IDS/IPS and some of the monitoring you can do and other options you may be tempted to use once you have them, I would move to the SG-4860. I have one in a large dental office with 160+ machines, 4 VLANs, Snort, IPsec site to site, OpenVPN end user access, and ntopng. It runs exceptionally well, gives great visibility into the network and best of all, has no license restrictions like the old ASA 5505 had. This is all on a 50/50 fiber connection.



  • @curtisgrice:

    For basic internet and firewalling, yes! That would be plenty! However, when you add IDS/IPS and some of the monitoring you can do and other options you may be tempted to use once you have them, I would move to the SG-4860. I have one in a large dental office with 160+ machines, 4 VLANs, Snort, IPsec site to site, OpenVPN end user access, and ntopng. It runs exceptionally well, gives great visibility into the network and best of all, has no license restrictions like the old ASA 5505 had. This is all on a 50/50 fiber connection.

    Thanks, Curtis! I think I will go with the 4860. Does the SSD only really help with logging? Could I skip adding it and send the logs to one of my Xserves?


  • Galactic Empire Netgate

    Yes, that will do! However, that way you can't do Squid content caching as it might wear out the built-in eMMC storage.



  • @ivor:

    Yes, that will do! However, that way you can't do Squid content caching as it might wear out the built-in eMMC storage.

    Good point. Is anyone actually doing Squid caching anymore? I thought it wasn't worth it given the dominance of HTTPS and dynamic content.


  • Galactic Empire Netgate

    Still very valuable, even more so when it comes to schools!