7 site clustered pfsense deployment sizing assistance
  • Hopefully the attached network diagram will make things clear.

    My Home Office site has fiber 10Mb up/down. Wireless sites A, B, and C all connect now with a single wireless bridge (G) to each site. I'm going to double that for redundancy and speed. All four of these sites utilize the same fiber connection for outbound internet access (and public IPs). I also have 3 remote sites (A, B, C) that will connect via the internet. These are business-class cable connections with 2 Mb upload and various download speeds. All remote sites will have site-to-site VPN to the home office. I also need to have VPN tunnels between all the various wireless sites, the home office, and a single remote site. This allows our IP phones to work with the phone system we have at the Home Office. I realize VPN tunnels are only available in 2.0, so I will have to have multiple VPNs linking the various sites. The wireless sites would load balance between the two wireless bridges. I would definitely run UTM packages (snort, havp, squid, squidguard, etc.) on the home office firewall as that is where the majority of staff are, although it probably wouldn't be a bad idea to run it at all sites. I'll also run QoS to give SIP priority.
    I currently have all these connected with Watchguard devices (X750e and X55e). I'm attempting to figure out sizing for a pfsense deployment.
    I was considering something like 2 PowerEdge R210 IIs at the home office and pairs of this Atom-based unit at the wireless and remote sites. These would all utilize SSD drives and be run in a cluster so I wouldn't have to worry about hardware failures. As for RAM, I'm guessing I'd probably max out the Atom boxes at 2 GB and probably run 4 or 8 GB at the home office.

    Does this seem undersized/oversized? I'd obviously rather shoot for oversized than undersized. I don't want to get everything installed only to find out performance is abysmal. (But it can't be any worse than the Watchguards, right?) Am I overlooking anything?

    I run pfsense at home, so I have some familiarity with it, but I haven't dealt with it at this scale. I just don't feel like I'm getting my money's worth with the Watchguards, and they clearly aren't as flexible. At the same time, I don't want to open myself up to PC hardware failures and get calls in the wee hours of the morning (although I realize the X750e is essentially a PC), so that's why I'm shooting for redundant boxes at every site.

    ![Pfsense Network Diagram.jpg](/public/imported_attachments/1/Pfsense Network Diagram.jpg)