pfSense Home/Business Setup - Best Practices/Design for Installation?


  • Hi all,

I'm new to pfSense, but it seems like it would be the perfect way to centralise my upcoming project of designing my small home office network. I am looking to use pfSense at my network edge for firewall and internet access for the entire building, and then branch out the connection to my multiple systems. As there are many ways to accomplish the same task, I'm looking for guidance on how to best set things up, so that it keeps my complexity somewhat simple, and any network engineers who may have to look at my system in future aren't confused by configuration "spaghetti".

My network has three basic types, each one separated into multiple VLANs:

    1. Personal Network - (Personal PCs/Laptops, WiFi, Smart Phones, Tablets, Smart TVs etc)
    2. Corporate Network - (Hypervisor Server - Multiple VMs, Windows AD/DC, Business Computers, Business WiFi, VoIP PBX etc)
    3. Guest Network - (Phones, Tablets, etc)

All WiFi networks are delivered by a separate WLC, so for simplicity's sake, aside from needing access to the internet connection, that can be removed from the setup puzzle.

As for my setup question, it really is just a case of architecture/design and also how things should best be handled for each type of network. I know the best and most obvious thing to do would be to handle all internet traffic in/out, as well as firewall and antivirus for all devices across all networks/VLANs, from the pfSense box.

I am then assuming that DHCP and routing for my home and guest networks should come from the pfSense box on those VLANs, whereas with my corporate stuff DHCP should be handled by my Windows DC for all of my computers/VMs? Should the routing between them and my business server then still be handled by pfSense? When it comes to my VoIP traffic, I am planning to have my VoIP router handle DHCP and routing for the phones on the phone system; however, the internet connection from the pfSense would still need to be passed to the VoIP router as well, so that SIP trunks for inbound and outbound calls could work on the two voice VLANs.

My only final piece of the puzzle is failover. I have the option to install a 4G wireless backup card in the VoIP router in case the main internet connection fails. It would be for the corporate network only. Is this simple to do in pfSense, as in, point the failover to an IP address on the VoIP router?

    If it helps, the planned architecture is: Internet connection > pfSense box > managed switch > all devices also plugged to switch.

All in all, if this is too complex, am I better off looking at another solution, or could this be made to work? As complex as it sounds, the network is only small-medium, but due to the business it has some more advanced elements. Overkill in my own home, I know, but it's planned this way for three reasons:

    1. Simple expansion in the future if business growth occurs
    2. A learning experience in networking - think of it as a small lab environment as much as it's for an upcoming business venture.
    3. Because I can, so why not?

    Thanks in advance for any help received to nudge me in the right direction, it is greatly appreciated.

  • Netgate Administrator

The only thing you have mentioned there that I wouldn't do is antivirus on the firewall. It is only available as ClamAV via the Squid package, but it can only scan whatever Squid sees, so to be of any use at all Squid would have to proxy SSL traffic, and that introduces a whole new level of complexity. You do get some level of protection from malware in general using Suricata/Snort as an alternative.

    You can add the VoIP router as an additional gateway and configure it as failover from WAN if required.

    Windows subnets usually work better when the DC is doing DHCP/DNS for clients on them so I would do that if possible.

    Steve


@stephenw10 Thank you for the helpful advice! From a hardware standpoint, given my above situation, what would you recommend? Would I need more LAN ports than the standard 1 out for current use or redundancy, or is my setup small enough to only need the one port? Furthermore, I know pfSense is not very hardware intensive, but would you recommend 8GB RAM as a bare minimum to handle multiple VLANs and traffic? Size of hard drive, etc? I was thinking about repurposing a 1U rackmount firewall and flashing it with pfSense software, such as a WatchGuard or Trend.

    Thanks!

  • Netgate Administrator

It sounds like you have enough subnets that having a separate port for each may not be practical. That would be my first choice for maximum bandwidth between them. If not, then I would want more than one connection, probably configured as a lagg to the switch with the VLANs running over it. That gives you more headroom if you're having to route between the internal subnets, as well as some redundancy.

The hardware required will really depend on how much traffic it has to push. That's probably going to be highest between internal subnets rather than in/out the WAN.
    Then if you are going to be running Squid that bumps it up, as would anything like Snort/Suricata.
    If you need to run a VPN, that will be the most CPU intensive task, so whatever bandwidth you need over that would set the limit.

For just firewalling and NAT with internal VLANs, RAM requirements are not high; 2GB would be fine.

    Local storage is really only required for logs and caching. If your WAN is relatively fast you will probably find caching doesn't help much anyway.

    Steve


The combined home and office is a small environment, fewer than 30 devices across all subnets, so I am hoping with this in mind I won't need too much horsepower, but can place home stuff on one LAN connection and business on the other if needed, all connecting into the same managed switch. My internet connection is a single fibre line terminated as standard Cat 6, 100 Mbps download, 50 Mbps upload (150 Mbps total), so from a WAN perspective I won't be needing a lot of horsepower, though future-proofing would always be helpful. The plan would be to use a VPN for connection to other company sites on the business side, and a VPN such as PIA for the home side to provide privacy, as well as ad blocking, firewall, Squid, Snort, etc.

    Nic.

  • Netgate Administrator

Ok, well at 100Mbps a VPN can potentially completely saturate that without huge processing power. Our SG-3100 will pass close to that with OpenVPN and much more than that with IPsec. The SG-5100 would give you plenty in hand for a WAN upgrade later. Both will pass 1Gbps between internal interfaces.

    One thing you can do here is just try it on any random hardware you might have with two NICs. Just use all VLANs internally. That will give you a good feel for what is required before you purchase dedicated hardware.

    Steve