Netgate Discussion Forum
    Business Scenario for 6 port setup suggestions

    General pfSense Questions
    9 Posts 4 Posters 771 Views
    burlinwa

      Hello,
      Can I ask for some professional opinions on the setup of the pfSense mini appliance with 6 NICs?
      I'm wondering how someone with experience would allocate the basic interfaces and why.
      I know there are different needs, business practices, etc... but just some general ideas would help.
      Based off common needs variables like:
      Corporate users
      maybe contractors, temps, interns, visitors
      Thinking about Phones, badge/security/access
      WIFI/Wireless, VPN, etc...
      and how you might choose your setup for the 6 NICs, and what you might put on each one on top of that or in conjunction, like Virtual IPs, VLANs, etc., to get the most logical use out of your setup.
      I am very interested in what professionals would do, I also do not want to keep tearing down and rebuilding so I am trying to find out before-hand and continuing on with more detailed setup and training.
      I do have automated backups running and have been doing a manual backup before making changes.
      Currently, I have all 6 NICs assigned: WAN with the default 2 rules, DMZ working and giving DHCP addresses to client hosts, and Captive Portal with Vouchers working. (I have not figured out how to isolate networks with DHCP servers to only give out IPs to specific hosts. I am assuming VLANs, which I have not started learning yet.)
      The other 5 NICs have: ICMP/DNS/80/443 from their subnet to any, except the DMZ Captive Portal, which has IPv4/any/any because I have not figured out what least set of ports to open to get it to work correctly. (User error, I am sure.)
      Sorry for the long question, but I tried to give you enough information on the first go-around so you have a bone to work with. I know there are multiple issues I mentioned, but the allocation of the 6 NICs is my main question in this post.

      Thank You, Wayne

      NollipfSense @burlinwa

        @burlinwa A layout of the corporate structure and how departments, users, contractors, temps, interns and visitors interact on the network would help to know which department belongs in the DMZ, etc.

        You will definitely want IDS/IPS with a paid subscription. For contractors, do you want them on a secure blockchain, etc.? Then a phone system on a dedicated SIP trunk with a proprietary or open source platform; the type of business operation should be specified... you're really asking a mouthful, indeed. The easiest part will be visitors' WIFI use, as it will be isolated from the company network. If I were you, I would contact Netgate directly for the professional help.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        burlinwa @NollipfSense

          @nollipfsense Thank you for the reply Nolli. 🙃 Yes, quite a mouthful, I know. I really just wanted some thoughts from people that have experience with pfSense. 😜 I'm not building an actual pay-to-play infrastructure. 😎
          I wanted to glean some wisdom from others who have already built something that works in a corporate environment.
          I'm not trying to "tinker with pfSense". 🤡 I have purchased 2 Udemy courses and 2 books, but still I find documentation 👨‍💻 and training is not as detailed or pervasive as, let's say, Microsoft SCCM, imaging, etc., which (desktop support and mass deployments) is more my current forte and skill set. 👩‍🎓
          I just wanted to get a visual on how people with experience in networking and pfSense might lay out their plan with a 6-NIC appliance. 🤔
          Someone experienced should be able to let me know in 1-2 paragraphs what I am asking, though. 🤓 🎓 🕺
          It's not a concrete answer or an "official network and design architect" answer I am looking for, so I do not have a reason to contact Netgate support. 🤑

          Patch

            @burlinwa Imo your design approach is back to front. I suggest you start with the requirements, then work back to the hardware required. For example:

            1. What device classes and how many of each device class need to be connected?
            2. What bandwidth is required between local devices?
            3. What bandwidth between different device groups?
            4. What WAN bandwidth?
            5. What downtime is acceptable? What redundancy will you need to achieve the reliability requirement?
            6. What is your organisation's policy on in-house vs contracted services?
            burlinwa @Patch

              @patch Patch, thank you for this information; it makes sense and seems like the needful thing to do before a deployment.
              You saw through my long-winded request, got to a root answer and deciphered what I needed to know or was trying to ask.
              I'll copy and keep these questions as a checklist to make sure I have these types of questions answered.
              I have just a home lab, and NO network load per se, but the principles are useful and solid info.

              Patch @burlinwa

                @burlinwa said in Business Scenario for 6 port setup suggestions:

                I have just a home lab

                For that:

                1. What's the peak bandwidth to each LAN/WAN, i.e. do you need a LAG to achieve that given the NICs you have?
                2. What network isolation / separate LANs do you need to implement that?
                3. For just switch ports, use a dedicated switch.
                stephenw10 (Netgate Administrator) @Patch

                  @patch said in Business Scenario for 6 port setup suggestions:

                  I suggest you start with the requirements, then work back to the hardware required.

                  Yup, that^.

                  Though if that's not fully known, I would probably go with using two ports as a LAGG to a switch and then add VLANs as required.
                  Use the other ports for WANs and maybe local management.

                  Steve

                  burlinwa @stephenw10

                    @stephenw10 Stephen / Patch, I think I have some basic info now. I'll keep the documenting/requirements info for needed information and try learning more about devices/bandwidth calculations, etc.

                    Based on your tips I'll try out 4 ports (WAN (locked down except a port forward to the web server), LAN, DMZ, VOIP) and 2 in a LAGG. Captive Portal and VPN too, but I have not figured that part out yet.

                    I'm also trying to find out about NAC (Network Access Control) and getting user and device certificates installed on domain join or login via pfSense. We use NAC at the plant I work at, and it really appears to be a great tool to use to limit what can be done by users without those certificates installed.

                    I think traffic shaping will definitely help the VOIP. (There is no traffic or load, as I can only be on a few systems at a time, unless I can find some type of website or service that sends mock traffic.)
                    If I can get it to work, I'll have set up a Hyper-V SCCM / domain DC deployment lab (about 3 servers and 5 workstations) connected to Azure and AAD, and FreePBX is on Hyper-V as well.
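As an added example (not code from the thread, from pfSense or from any of the posters), the plan above (4 dedicated ports, a 2-port LAGG carrying VLANs as stephenw10 suggests, and the ICMP/DNS/80/443 rule set with one any/any exception that the first post describes) can be written down and sanity-checked before touching the appliance. The NIC names igb0-igb5, the lagg0 trunk, the VLAN tags 20 and 30, and the web server address 10.0.2.10 are constructed assumptions; the audit flags any/any pass rules, a plan that needs more physical ports than the box has, and duplicate VLAN tags on the trunk.

```python
# Added example, not code from the thread: model a 6-NIC pfSense port plan and audit it.
# NIC names (igb0..igb5), lagg0, VLAN tags 20/30 and 10.0.2.10 are constructed assumptions.
from dataclasses import dataclass, field

ANY = "any"
NIC_COUNT = 6                      # the appliance discussed in the thread
LEAST_PRIVILEGE = [                # the ICMP/DNS/80/443 set the first post uses on most interfaces
    ("icmp", ANY, ANY),
    ("udp", ANY, "53"),
    ("tcp", ANY, "53"),
    ("tcp", ANY, "80"),
    ("tcp", ANY, "443"),
]
LAGG_MEMBERS = {"lagg0": ("igb4", "igb5")}   # constructed: trunk built from the two remaining ports


@dataclass
class Interface:
    name: str
    physical: str                  # a NIC name, "lagg0", or "lagg0.<tag>" for a VLAN on the trunk
    rules: list = field(default_factory=list)   # (proto, destination, port) pass rules; "any" = unrestricted


def build_plan():
    """Four dedicated ports plus a two-port LAGG trunk carrying VLANs (constructed to match the thread)."""
    return [
        Interface("WAN", "igb0", [("tcp", "10.0.2.10", "443")]),   # only the port forward to the web server
        Interface("LAN", "igb1", list(LEAST_PRIVILEGE)),
        Interface("DMZ", "igb2", list(LEAST_PRIVILEGE)),
        Interface("VOIP", "igb3", list(LEAST_PRIVILEGE)),
        Interface("PORTAL", "lagg0.20", [(ANY, ANY, ANY)]),        # the any/any rule the first post mentions
        Interface("VPN", "lagg0.30", list(LEAST_PRIVILEGE)),
    ]


def physical_ports_used(plan, lagg_members=LAGG_MEMBERS):
    """Physical NICs the plan consumes; a VLAN costs nothing beyond its parent trunk's members."""
    used = set()
    for iface in plan:
        parent = iface.physical.split(".")[0]
        used.update(lagg_members.get(parent, (parent,)))
    return used


def trunk_vlan_tags(plan, trunk="lagg0"):
    """VLAN tags carried on the trunk, ascending, duplicates included so the audit can spot them."""
    return sorted(int(i.physical.split(".", 1)[1]) for i in plan if i.physical.startswith(trunk + "."))


def audit(plan, lagg_members=LAGG_MEMBERS, nic_count=NIC_COUNT):
    """Return findings: over-permissive pass rules, port budget overrun, duplicate VLAN tags."""
    findings = []
    for iface in plan:
        for proto, dst, port in iface.rules:
            if (proto, dst, port) == (ANY, ANY, ANY):
                findings.append(f"{iface.name} ({iface.physical}): any/any pass rule, "
                                f"restrict to the ports this segment actually needs")
    used = physical_ports_used(plan, lagg_members)
    if len(used) > nic_count:
        findings.append(f"plan needs {len(used)} physical NICs but the appliance has {nic_count}")
    for trunk in lagg_members:
        tags = trunk_vlan_tags(plan, trunk)
        if len(tags) != len(set(tags)):
            findings.append(f"{trunk}: duplicate VLAN tag on trunk")
    return findings


if __name__ == "__main__":
    for finding in audit(build_plan()):
        print("FINDING:", finding)
```

Running it as written reports exactly one finding, the any/any rule on the portal VLAN; adding a seventh dedicated interface or a second VLAN with tag 20 produces the other two findings, which is the kind of check worth running on paper before the next rebuild.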

                      NollipfSense @burlinwa

                      @burlinwa said in Business Scenario for 6 port setup suggestions:

                      Thinking about Phones, badge/security/access

                      @burlinwa said in Business Scenario for 6 port setup suggestions:

                      and 5 workstations)

                      Glad to have gotten the conversation started. First, I thought it was some top-secret corporate mission with retina biometric security entry access... now I know it's a five-person team.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.