Recommendations on a pfSense build


  • Hi guys,

    Looking to set up pfSense for a small office, between 10 to 15 users (including mobile phones, etc.)

    pfSense has to do the gateway part (DHCP, DNS, etc.) + OpenVPN

    • maybe SQUID + SQUID-GUARD

    I want hardware recommendations.

    Should I go with one of these?
    http://store.pfsense.org/appliances/
    (and which one)

    Or build from scratch?


  • Will it be for home, office, etc.?
    How many clients do you have?
    What is your WAN speed?
    And maybe a budget range will be a good idea.

    You need to give us some more information to work with :)


  • Bandwidth expectation with squid or vpn is the big question.

    Or if you have a very high speed link on the WAN that could also matter.

    What are your expectations?


  • Looking to set up pfSense for a small office, between 10 to 15 users (including mobile phones, etc.)

    pfSense has to do the gateway part (DHCP, DNS, etc.) + OpenVPN

    • maybe SQUID + SQUID-GUARD

    So you would also be using WiFi for the mobile clients, or?
    I can overload an appliance with 5 people, and on the other hand I can also work with 20
    people and the appliance will not reach 50% of its power. So I mean only you alone know
    what's really going on there in your office.
    For Squid I suggest using an SSD or mSATA.

    I want hardware recommendations.

    First be clear about what you are really using and needing, power I mean.

    Should I go with one of these?
    http://store.pfsense.org/appliances/
    (and which one)

    This depends heavily on what you really need and how long it must run for you!
    SG-2440 + WLE200NX + mSATA
    SG-4860 + WLE200NX + mSATA

    Or build from scratch?

    Hm, it mostly comes to nearly the same price range, but without a pre-installation,
    the support on top, and mostly without the WiFi inside! All in one box, I mean.


  • @notaduck:

    Will it be for home, office, etc.?
    How many clients do you have?
    What is your WAN speed?
    And maybe a budget range will be a good idea.

    You need to give us some more information to work with :)

    Like I said it would be for a small office of right now 5 people, maybe within a year 10 people.

    Office is a very small Law firm so no big transfers or big files going on there.

    The WAN link is cable, at 20 down / 10 up, so relatively slow, but that's the kind of business connections we get here for decent pricing (Montreal area, Quebec, Canada)

    Budget will be what is needed I guess ;)

    @kejianshi:

    Bandwidth expectation with squid or vpn is the big question.

    Or if you have a very high speed link on the WAN that could also matter.

    What are your expectations?

    I'm not sure what you mean by bandwidth expectation, but I'll tell you this.

    The WAN link is cable, at 20 down / 10 up.

    VPN would be used to access files remotely (shared folders on a CIFS server) and the files are mainly Word or Excel files so small files.

    As for Squid, the goal here is content filtering.
    Squid is needed for SquidGuard or DansGuardian so that's why I was mentioning it.
    But this part (content filtering) is more of a nice to have than an absolute necessity.

    @BlueKobold:

    Looking to set up pfSense for a small office, between 10 to 15 users (including mobile phones, etc.)

    pfSense has to do the gateway part (DHCP, DNS, etc.) + OpenVPN

    • maybe SQUID + SQUID-GUARD

    So you would also be using WiFi for the mobile clients, or?
    I can overload an appliance with 5 people, and on the other hand I can also work with 20
    people and the appliance will not reach 50% of its power. So I mean only you alone know
    what's really going on there in your office.
    For Squid I suggest using an SSD or mSATA.

    I want hardware recommendations.

    First be clear about what you are really using and needing, power I mean.

    Should I go with one of these?
    http://store.pfsense.org/appliances/
    (and which one)

    This depends heavily on what you really need and how long it must run for you!
    SG-2440 + WLE200NX + mSATA
    SG-4860 + WLE200NX + mSATA

    Or build from scratch?

    Hm, it mostly comes to nearly the same price range, but without a pre-installation,
    the support on top, and mostly without the WiFi inside! All in one box, I mean.

    Well I was thinking of adding an access point for WiFi but if it was built-in, that'd be awesome!

    About those:
    SG-2440
    SG-4860

    Why would I choose one or the other?

    I mean I understand the SG-4860 has more CPU power and cores, and also double RAM, so which requirements would make me want to go for that one?

    Believe me, I want to be clear about what I need, I just don't know what info I need to provide!


  • I mean I understand the SG-4860 has more CPU power and cores, and also double RAM, so which requirements would make me want to go for that one?

    • 5 lawyers that must all connect via OpenVPN in the mid-morning from the court.
    • mSATA for running Squid
    • WiFi for connecting with the smartphones

    Believe me, I want to be clear about what I need, I just don't know what info I need to provide!

    For sure, who doesn't want to be clear.
    I would go with the SG-4860 + mSATA + WiFi + console cable,
    then you get it all in one box and you have support on top as well.


  • I have an SG-2440 running squid and squidguard at a motorcycle dealership with 50+ users and free customer Wifi.  50+Mb of bandwidth (upgrading to 100+ soon).  Handles the load just fine.  A VK-T40E (APU) would work for you too.

    I'd do the external wifi.  I've read (but not tried it) that pfSense is much better at being a firewall than an access point.  When I install a business network, I put in open-mesh access points.

    And don't neglect to connect your firewall to a UPS.  The file system doesn't take kindly to repeated power events.


  • I have an SG-2440 running squid and squidguard at a motorcycle dealership with 50+ users and free customer Wifi.  50+Mb of bandwidth (upgrading to 100+ soon).  Handles the load just fine.  A VK-T40E (APU) would work for you too.

    The SG-2440, ok, this would work, but the Alix APU-based solution for 10 - 15 employees using VPN?
    I really would go with an Alix APU for home usage for around three people, ok.

    I'd do the external wifi.  I've read (but not tried it) that pfSense is much better at being a firewall than an access point.  When I install a business network, I put in open-mesh access points.

    For stability, as I see it, it would really be better to set it up externally, but I also know people
    who are using the WiFi internally and are happy with it, and the Captive Portal is one of the best
    I've seen out there.

    And don't neglect to connect your firewall to a UPS.  The file system doesn't take kindly to repeated power events.

    A very old method, but trust me it works great, is to take backups really often!


  • I have APUs pushing 20Mb of openVPN without breaking (much of) a sweat.  They handle it just fine.  Sure, the processor takes a beating, but it works just fine.

    My 2c…buy an APU or VK-T40E now, and then do an upgrade to a Rangeley platform when you get the additional users.  The backup and restore functionality works exceptionally well for hardware upgrades on devices you purchase from the pfsense store.

    You'll get much better wireless performance using an external wifi AP.  And seriously, if you haven't looked at open mesh, you should.  Check out the MR900.  There's an open mesh VAR in Canada too, which helps with VAT.


  • Alright I thank you for your recommendations.

    I have to choose between the SG-2440 + mSATA or the SG-4860 + mSATA.

    I feel better with an external access point, which takes load off pfSense, and since there are enough ethernet ports, I could even have two wifi access points, one dedicated to being a captive portal for occasional customers.
    On the other hand I've heard some access points can broadcast multiple SSIDs, so you can have one access point with two SSIDs, one for employees and one for guests, and somehow I guess you can manage in pfSense that one is a password-less captive portal and the other one requires passwords (and connects to a RADIUS server) and gives access to the network.
    Can anyone suggest reading material about this? My Google searches have been taking me nowhere.

    On the other hand, I have absolutely no idea what the hell is an "open-mesh".
    I checked out http://www.open-mesh.com and from what I understand, the primary objective is to have several access points working together to improve coverage…right? I don't really need that for an office so what other benefits are there?
    Apart from the cloud management thing, which I really don't see the point... I mean basically you get a web interface that maps your open-mesh devices and probably gives you an idea of the coverage? Again for a small office I don't think I need that.
    I guess it's really cool for large offices or houses but for my small office... bah.

    Given the hype around this open-mesh thing there must be something I'm missing?


  • If you are looking for a solid AP that can do multiple SSIDs and vlan tagging and the like I would recommend the Unifi AP line. The basic single band N model is less than $70.


  • Last night I successfully used the Guest network of my Apple Airport Extreme with pfSense, so now one AP can be used for internal use + external with captive portal.


  • I have APUs pushing 20Mb of openVPN without breaking (much of) a sweat.  They handle it just fine.  Sure, the processor takes a beating, but it works just fine.

    But he is talking about 10+ employees, and then it will be something around 5 MBit/s!

    My 2c…buy an APU or VK-T40E now, and then do an upgrade to a Rangeley platform when you get the additional users.  The backup and restore functionality works exceptionally well for hardware upgrades on devices you purchase from the pfsense store.

    Then rather a "big one" and having silence for 5 years really!
    So $1,000 / 5 years = $200 / 12 = ~17 / 10 employees = $1.70 a month per each nose!
    Not too expensive, or?

    You'll get much better wireless performance using an external wifi AP.  And seriously, if you haven't looked at open mesh, you should.

    It might be totally different from where I am living, in Germany, but in my eyes it is
    really not the same if someone is reading your clients' data on Pastebin or his clients' data.
    So I really think a RADIUS server to protect the employees' mobile devices and also the entire
    network would make real sense to me. But if he wants to set up WiFi also for his clients,
    it would be better in his case to work this out over a Captive Portal with a voucher system.

    I feel better with an external access point, which takes load off pfSense, and since there are enough ethernet ports, I could even have two wifi access points, one dedicated to being a captive portal for occasional customers.

    Over a small VLAN-capable switch you can also attach more than one WiFi AP for sure.

    Can anyone suggest reading material about this? My Google searches have been taking me nowhere.

    Using the Captive Portal as a hotspot
    Sending the voucher ID from a website automatically via SMS to a mobile phone!
    Very detailed and installed a thousand times, because it is easy to copy, but only in German!
    WLAN oder LAN Gastnetz einrichten mit einem Captive Portal (Hotspot Funktion) (Setting up a WLAN or LAN guest network with a Captive Portal (hotspot function))

    Given the hype around this open-mesh thing there must be something I'm missing?

    You are a law office or chambers, as I read this right, so it could be very useful if you hire someone to
    set it all up right with no hole in the box or firewall. Your hour has to be paid much, his hour not!


  • On the open mesh hardware…

    Disclaimer:
    I'm not hyping them.  I don't work for them. I don't get paid by them.  A customer of mine had me install them for him, and I was blown away by the whole package.  Since then, I have installed them in retail stores, restaurants, a Pathology lab, my house, other people's houses, motorcycle dealerships, all over the state I live in with great results.

    Bottom line is they work, and work VERY well.

    The access points get their settings from the cloud portal, which makes configuration quick and easy.  You add the MAC to the network on the portal, and then plug the AP into a PoE switch, and that's it.  No screwing with settings, just plug it in and turn it on.
    Clients can seamlessly roam between access points, which works great for phones and tablets.

    They support vouchers, captive portal, pay for access portal, radius, etc.
    They support 2 separate SSIDs for a public/private side.
    The cloud management portal is great for me, because I can see what's going on with customer networks under my care.

    The throughput and coverage are both excellent.
    They're small, unobtrusive access points.  They don't look like something from a sci-fi movie, with 14 antennas going in every direction.

    When I install them at a customer location, I have zero wireless issue afterwards...ZERO.

    The guys that started the project came from Meraki, which was bought by Cisco.  They started open mesh after they saw that Cisco was going to take Meraki from a low cost service and price it out of reach for SMBs.

    Anyway...The products are great and just work.  If you want a wireless network you have to screw with, get something else.  If you want one that just works, I recommend open mesh.


  • Quick question, if I'd go with the built-in wifi in an SG-4860 or SG-2440, would I be able to have two SSIDs, one giving access to the network with RADIUS authentication, and the other being a captive portal with clients just getting internet access?


  • Create two SSIDs and then put them in two different VLANs (employees & guests or closed & open),
    one for Internet connection only and the other for the corporate network and Internet, and after this
    activate WiFi client isolation on both.
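    The two-VLAN guest/employee split described in this reply (and asked about earlier in the thread, with RADIUS on one SSID and a captive portal on the other), modeled as ordered first-match firewall rules the way pfSense evaluates them per interface. This is an added illustration, not code from the thread or from pfSense; the VLAN numbers and addresses are constructed, and the rule order shows why the pass to the firewall's own address must come before the private-network block, or guests never reach DNS or the portal page.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the two-SSID, two-VLAN layout (assumed values, not from the thread):
# VLAN 10 = employees (closed SSID, RADIUS), VLAN 20 = guests (open SSID, captive portal).
EMPLOYEE_NET = ip_network("192.168.10.0/24")
GUEST_NET = ip_network("192.168.20.0/24")
GUEST_GATEWAY = ip_address("192.168.20.1")  # pfSense VLAN 20 interface: DHCP, DNS, captive portal
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ordered, first-match rules per VLAN interface, in the style of a pfSense interface tab:
# (action, destination predicate, description). Order matters: the pass to the firewall's own
# address must precede the private-network block, or guests never reach DNS or the portal page.
RULES = {
    "guest": [
        ("pass", lambda d: d == GUEST_GATEWAY, "guests may use the firewall's DNS and captive portal"),
        ("block", lambda d: any(d in n for n in PRIVATE_NETS), "guests may not reach any private network"),
        ("pass", lambda d: True, "guests may reach the Internet"),
    ],
    "employee": [
        ("block", lambda d: d in GUEST_NET, "employees never talk to guest devices"),
        ("pass", lambda d: True, "employees reach the office LAN and the Internet"),
    ],
}
# Guest-to-guest traffic on the same SSID never crosses the firewall; that is what
# "client isolation" on the access point is for, so it cannot be expressed as a rule here.

def decide(vlan, dst):
    """Return (action, reason) for a packet entering pfSense on `vlan` bound for `dst`."""
    dst = ip_address(dst)
    for action, matches, reason in RULES.get(vlan, []):
        if matches(dst):
            return action, reason
    return "block", "implicit default deny"

def check_policy():
    """Constructed sample flows; returns the verdict for each as a dict."""
    samples = {
        "guest->internet": ("guest", "93.184.216.34"),
        "guest->file server": ("guest", "192.168.10.5"),
        "guest->portal/DNS": ("guest", "192.168.20.1"),
        "employee->file server": ("employee", "192.168.10.5"),
        "employee->guest phone": ("employee", "192.168.20.77"),
        "unknown vlan->internet": ("printer", "93.184.216.34"),
    }
    return {name: decide(v, d)[0] for name, (v, d) in samples.items()}

if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{flow:24} {verdict}")
```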


  • I hate to harp on it, but I still highly recommend you use an external wifi AP.
    The biggest reason is you can place the AP where you can get the best coverage.  You don't have to hide it in a telecom closet with your firewall.

    The doctors and lawyers I have done IT work for just want their stuff to work and work well…all the time.  Wifi from a closet is not going to work well.