pfSense Home/Business Setup - Best Practices/Design for Installation?

  • Hi all,

    I'm new to pfSense but it seems like it would be the perfect way to centralise my upcoming project of designing my small home office network. I am looking to use pfSense at my network edge for firewall and internet access for the entire building, and then branch out the connection to my multiple systems, but as there are many ways to accomplish the same task, I'm looking for guidance on how to best set things up, so it turns my complexity somewhat simple, and any network engineers who may have to look at my system in future aren't confused with configuration "spaghetti".

    My network has three basic types, each one separated into multiple VLANs:

    1. Personal Network - (Personal PCs/Laptops, WiFi, Smart Phones, Tablets, Smart TVs etc)
    2. Corporate Network - (Hypervisor Server - Multiple VMs, Windows AD/DC, Business Computers, Business WiFi, VOIP PBX etc)
    3. Guest Network - (Phones, Tablets, etc)

    All WiFi networks are delivered by a separate WLC, so for simplicity's sake, aside from needing access to the internet connection, that can be removed from the setup puzzle.

    As for my setup question, it really is just a case of architecture/design and also how things should best be handled for each type of network. I know the best and most obvious thing to do would be to handle all internet traffic in/out, as well as firewall and antivirus for all devices across all networks/VLANs, from the pfSense box.

    I am then assuming that DHCP and routing for my home and guest networks should come from the pfSense box on those VLANs, whereas with my corporate stuff DHCP should be handled by my Windows DC for all of my computers/VMs? Should the routing between them and my business server then still be handled by pfSense? When it comes to my VOIP traffic, I am planning to have my VOIP router handle DHCP and routing for the phones on the phone system; however, the internet connection from the pfSense would still need to be passed to the VOIP router as well, so that SIP trunks for inbound and outbound calls could work on the two voice VLANs.

    My only final piece of the puzzle is failover. I have the option to install a 4G wireless backup card in the VOIP router in case the main internet connection fails. It would be for the corporate network only. Is this simple to do in pfSense, as in, point the failover to an IP address on the VOIP router?

    If it helps, the planned architecture is: Internet connection > pfSense box > managed switch > all devices also plugged to switch.

    All in all, if this is too complex, am I better off looking at another solution, or could this be made to work? As complex as it sounds, the network is only small-medium, but due to business, has some more advanced elements. Overkill in my own home, I know, but it's planned this way for three reasons:

    1. Simple expansion in the future if business growth occurs
    2. A learning experience in networking - think of it as a small lab environment as much as it's for an upcoming business venture.
    3. Because I can, so why not?

    Thanks in advance for any help received to nudge me in the right direction, it is greatly appreciated.

  • Netgate Administrator

    The only thing you have mentioned there that I wouldn't do is antivirus on the firewall. It is only available as ClamAV via the Squid package, but it can only scan whatever Squid sees, so to be of any use at all Squid has to proxy SSL traffic, and that introduces a whole new level of complexity. You do get some level of protection from malware in general using Suricata/Snort as an alternative.

    You can add the VoIP router as an additional gateway and configure it as failover from WAN if required.

    Windows subnets usually work better when the DC is doing DHCP/DNS for clients on them so I would do that if possible.
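    What the "additional gateway with failover from WAN, for the corporate VLAN only" setup from the reply looks like once configured, as an added example that is not part of the thread. These are config.xml fragments of the kind the pfSense GUI writes (System > Routing > Gateways and Gateway Groups, then Firewall > Rules); the interface names, addresses and gateway names are assumptions for illustration, and the monitor address is a placeholder.

```xml
<!-- Added example, not from the thread. Assumed values:
       opt1         = pfSense VLAN interface facing the VoIP router
       192.0.2.254  = the VoIP router's address on that VLAN (documentation range)
       opt2         = the corporate VLAN interface
       WAN_DHCP     = existing name of the primary WAN gateway -->
<gateways>
  <!-- Second gateway: the VoIP router, with the 4G card behind it. Monitor a
       host beyond the router (placeholder address) so the gateway is marked
       down when the 4G path fails, not only when the router itself is off. -->
  <gateway_item>
    <interface>opt1</interface>
    <gateway>192.0.2.254</gateway>
    <name>VOIP4G_GW</name>
    <weight>1</weight>
    <ipprotocol>inet</ipprotocol>
    <monitor>198.51.100.1</monitor>
    <descr>4G backup via VoIP router</descr>
  </gateway_item>

  <!-- Failover group: WAN on tier 1, VoIP router on tier 2. Tier 2 is used
       only while tier 1 is down; "downloss" marks WAN down on loss or
       unreachable monitor, not on latency alone. -->
  <gateway_group>
    <name>CORP_FAILOVER</name>
    <item>WAN_DHCP|1|address</item>
    <item>VOIP4G_GW|2|address</item>
    <trigger>downloss</trigger>
    <descr>WAN with 4G failover, corporate VLAN only</descr>
  </gateway_group>
</gateways>

<!-- Policy route on the corporate VLAN only: personal and guest VLANs keep
     the default route, so they never fall over onto the metered 4G link. -->
<filter>
  <rule>
    <type>pass</type>
    <interface>opt2</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt2</network></source>
    <destination><any/></destination>
    <gateway>CORP_FAILOVER</gateway>
    <descr>Corporate VLAN out via WAN, failover to 4G</descr>
  </rule>
</filter>
```

    Put pass rules for traffic to the other internal VLANs above this one, without a gateway set, or that traffic gets policy-routed out to the internet too. Note that the VoIP router will NAT again on the 4G path, so anything that needs inbound reachability (the SIP trunks included) behaves differently while failed over.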