Subnet load/traffic... one or many pfSense boxes?

  • At school we have 2 pfSense boxes acting as gateways, routers, DHCP, DNS res., etc. Originally one was dedicated to student traffic (WiFi, computer lab PCs, etc.) with 500 users and max 300 connected devices.
    The other one was dedicated to admin and all staff... typically 100 users and 150 devices.

    I have about 10 subnets, each in a different VLAN. We have two independent internet providers, one for each pfSense box.

    Following several threads here I was able to interconnect the two pfSense routers with a transit LAN. There are a few services that needed to be available to all users.

    My question is: in the long run, as we keep expanding and adding capabilities... is it better to centralize all routing to one beefed up dedicated pfSense router (with the option of setting a 2nd machine for failsafe/HA) or have multiple pfSense routers with transit interfaces interconnecting them?

    If it is better to separate the load with different pfSense boxes, I think I could probably do:

    1. Student access (WiFi, computer labs, etc.) with independent WAN
      | Transit
    2. Services (IIS, SQL, DNS, printers, infrastructure GUIs, etc.) with independent WAN
      | Transit
    3. Staff access (WiFi, PCs) with independent WAN

    Right now, my pfSense boxes are running at about 10% capacity max.


  • @ruben-rothermel

    From a security standpoint, you're not gaining much, as the two networks are connected. However, you might have some fallback capability, should one ISP fail.

  • On an earlier post, one user suggested a single box handling everything. Multiple pfSense routers would be complicated to set up in HA mode. If one ISP comes down, I can still grab bandwidth from the other as I'm setting up my WANs as dual-failover. They are both independent and dedicated fiber links with multiple IPs each.

    Before I decide to move all routing to ONE beefed-up pfSense machine with 6~8 1GB ethernet ports managing 10 subnets, I just want to be really sure if that is the right direction OR if spreading the load between multiple physical machines interconnected with transit networks is a better approach for performance and future growth.

    I think the one pfSense box handling the 500 students runs at about 10% loading on its 6-core FX AMD CPU, and its 16GB of RAM would easily handle the traffic for the rest of the 100 staff and services.

    Again, this is for a ~500 student + ~100 staff boarding school with BYOD WiFi access that will need to be managed by level (secondary, junior-college) on a schedule, 50 & 30 Mbps WANs, multiple buildings on a 50+ acre campus interconnected by 1 GB fiber or 100 Mbps point-to-point wireless links, HP1920 switches, etc.

  • Netgate Administrator

    I would certainly go with one firewall for that setup. It's just far more flexible if you need to re-route traffic or filter stuff.
    That firewall could certainly be an HA pair though.


  • I guess I'd make that call based on how reliable the hardware is, but generally I try to go for just one box no matter the size. Just because it's an easier setup, easier planning, documentation, etc. And usually less money. But there's really nothing wrong with doing your setup.

    If your main concern is uptime, I'd put one box as central router with multi-WAN and put the other one as HA to automatically take over if the first one fails. I would make a LAN network (VLAN1) for devices such as switches, APs, etc., then two or more VLANs for users. In the past when I've built large networks I have sometimes created a 22-network ( subnet mask) just to get a few extra IPs, and sometimes I've limited them to about 50 devices per network, depending on the type of traffic. Smartphones and such are good to keep down in numbers as they broadcast a lot of traffic, but if there are *nix devices it doesn't matter as much.

    The main thing I go for is to try and keep as much as possible in software, since it's easier to replace one box and restore config than to troubleshoot and replace several boxes. Correctly done, you can even replace a router remotely with a novice customer moving a cable or two.
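The posts above turn on two planning questions: how big each user VLAN should be (a /22 for headroom versus keeping broadcast domains small) and how to carve those VLANs out of one address block without colliding with the transit link between the two boxes. The following script is an added example, not code from the thread or from pfSense; the device counts, the 10.20.0.0/16 campus block and the 10.20.0.0/30 transit link are constructed assumptions. It sizes each VLAN for a growth factor, allocates non-overlapping subnets largest-first, skips anything reserved, and flags VLANs whose device count exceeds a broadcast-domain limit, using only the standard library.

```python
import ipaddress
import math

# Constructed planning input (hypothetical counts, not the thread's numbers):
# VLAN name -> expected number of devices today.
VLAN_DEMAND = {
    "infra": 60,       # switches, APs, printers, management interfaces
    "services": 40,    # IIS, SQL, DNS and similar servers
    "staff": 150,
    "students": 300,
}
SUPERNET = ipaddress.ip_network("10.20.0.0/16")        # hypothetical campus block
RESERVED = [ipaddress.ip_network("10.20.0.0/30")]      # hypothetical transit link between the two pfSense boxes
GROWTH_HEADROOM = 2.0                                  # plan every VLAN for 2x today's device count
BROADCAST_LIMIT = 50                                   # rough per-VLAN device ceiling for chatty clients


def usable_hosts(prefixlen):
    """IPv4 host addresses in a prefix, excluding network and broadcast."""
    return 2 ** (32 - prefixlen) - 2


def prefix_for(devices, headroom=GROWTH_HEADROOM):
    """Longest prefix whose usable hosts cover devices * headroom plus one gateway address."""
    required = math.ceil(devices * headroom) + 1
    for prefixlen in range(30, SUPERNET.prefixlen - 1, -1):
        if usable_hosts(prefixlen) >= required:
            return prefixlen
    raise ValueError(f"{required} hosts do not fit in {SUPERNET}")


def allocate(demand, supernet=SUPERNET, reserved=RESERVED, headroom=GROWTH_HEADROOM):
    """Carve one subnet per VLAN from supernet, never overlapping reserved ranges.

    Largest subnets are placed first so the block does not fragment; each VLAN
    takes the lowest free block of its size, which fills gaps around reserved links.
    """
    taken = list(reserved)
    plan = {}
    order = sorted(demand, key=lambda name: (prefix_for(demand[name], headroom), name))
    for name in order:
        prefixlen = prefix_for(demand[name], headroom)
        for candidate in supernet.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(used) for used in taken):
                plan[name] = candidate
                taken.append(candidate)
                break
        else:
            raise ValueError(f"no free /{prefixlen} left in {supernet} for {name}")
    return plan


def verify_disjoint(plan, reserved=RESERVED, supernet=SUPERNET):
    """True when every planned subnet lies inside supernet and nothing overlaps anything else."""
    nets = list(plan.values()) + list(reserved)
    inside = all(net.subnet_of(supernet) for net in plan.values())
    pairwise = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and pairwise


def broadcast_warnings(demand, limit=BROADCAST_LIMIT):
    """VLANs whose device count exceeds the limit, with how many VLANs they would split into."""
    return {name: math.ceil(count / limit) for name, count in demand.items() if count > limit}


if __name__ == "__main__":
    plan = allocate(VLAN_DEMAND)
    for name, net in plan.items():
        # First host of each subnet is the pfSense interface (gateway) address.
        print(f"{name:9s} {str(net):18s} gateway {net[1]}  usable {net.num_addresses - 2}")
    print("disjoint:", verify_disjoint(plan))
    print("split candidates:", broadcast_warnings(VLAN_DEMAND))
```

With these inputs the student VLAN lands on a /22 and staff on a /23, the two /25 networks fill the space left around the transit link, and `broadcast_warnings` lists infra, staff and students as candidates for splitting if broadcast traffic becomes a problem. Feeding the real VLAN list and block into `VLAN_DEMAND` and `SUPERNET` gives a plan that can be checked against the existing interface assignments before any re-addressing.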
