Multi WAN/VPN/VOIP/IDS/MeshWiFi pfSense setup

I am looking for an idea of how much we can do in a single pfSense box, and what the limitations are. Below is our current configuration, just imagined down to a single box. It is currently made up of ISP modems, an ISP-managed VOIP system, off-the-shelf routers, managed switches, DVRs, and a two-building mesh WiFi.

pfSense would be managing two WAN connections. One WAN connection with an active VPN connection having Active Directory authentication from a cloud-hosted AD server. Traffic going to the VPN from the first VLAN with ~30 users. A second VLAN for as many ISP-hosted VOIP phones as users. They would be sharing a 100Mbps pipe. A second WAN connection with a 50Mbps pipe with two more VLANs. Other services we are looking for would be remote access for IT with up to two separate remote OpenVPN sessions, Intrusion Detection and possibly pfBlocker IP blocking features on the first VLAN, and the ability to route traffic from the first VLAN that is not outbound to the VPN over the second WAN connection for non-VPN traffic. Can this be done in a single box?

Assuming pfSense can do it, we will build it with our hardware to test and configure the system. For the simplicity of receiving security updates that will not cause outages, we want to end up using Netgate equipment. As soon as we have everything laid out, what piece of Netgate hardware would you recommend we look to deploy?

The product stack seems to vary by how much bandwidth it can push and the port arrangement. We are not looking to push large amounts of data, but no numbers are given for slightly more complex setups. The SG-5100 is all I think we need when it comes to bandwidth needs and the VLAN/port mapping, but I am not sure about it when it comes to the overhead of the two WAN connections, encrypted point-to-point VPN, VOIP traffic, OpenVPN connections, the unencrypted traffic, and IDS.

For the port layout, I need one port for each WAN connection. One port for the first VLAN, 30 users. One port for the second VLAN, VOIP. I have several layer 3 managed switches, so I could pass two of the VLANs through a single port. To have a route to both modems, could I then configure the LAN side of each modem as static on the same network, disable DHCP on them, and then access both from a small switch connected to a single port of the firewall? If so, that gets us access to manage the modems and a total port count of six. This would be the largest deployment of this box, with a few other remote locations having the same list of service and port needs, but fewer VOIP phones and VPN users.

Feedback welcome.
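To make the routing split described in the post concrete, here is an added example of what the relevant pfSense config.xml fragments could look like; it is not from the original post or from Netgate, and the NIC name (igb2), the internal interface names (opt1/opt2), the VLAN tags, the gateway names (WAN1GW/WAN2GW) and the VPN remote network 10.50.0.0/16 are all assumptions.

```xml
<!-- Hypothetical pfSense config.xml fragments; all names and networks are assumed. -->
<vlans>
  <!-- Both LAN-side VLANs ride one trunk port to the managed switch -->
  <vlan><if>igb2</if><tag>10</tag><descr>Users</descr><vlanif>igb2.10</vlanif></vlan>
  <vlan><if>igb2</if><tag>20</tag><descr>VOIP</descr><vlanif>igb2.20</vlanif></vlan>
</vlans>
<filter>
  <!-- Rule order matters: the first matching rule wins. Any pass rule for
       traffic that must reach the firewall itself (DNS, DHCP) belongs above
       the policy-routing rules, or it is sent out the WAN instead. -->
  <!-- 1. Traffic for the cloud AD network: no <gateway>, so it follows the
          system routing table, where the VPN tunnel owns 10.50.0.0/16 -->
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt1</network></source>
    <destination><address>10.50.0.0/16</address></destination>
    <descr><![CDATA[Users VLAN -> cloud AD over VPN (system routing)]]></descr>
  </rule>
  <!-- 2. Everything else from the Users VLAN is policy-routed out WAN2 -->
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt1</network></source>
    <destination><any/></destination>
    <gateway>WAN2GW</gateway>
    <descr><![CDATA[Users VLAN non-VPN traffic -> WAN2]]></descr>
  </rule>
  <!-- 3. VOIP VLAN stays on WAN1, sharing the 100 Mbps pipe with the VPN -->
  <rule>
    <type>pass</type>
    <interface>opt2</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt2</network></source>
    <destination><any/></destination>
    <gateway>WAN1GW</gateway>
    <descr><![CDATA[VOIP VLAN -> WAN1]]></descr>
  </rule>
</filter>
```

The VPN-bound rule is deliberately left without a gateway: a policy-routed rule with WAN2 set would push AD traffic past the tunnel, which is the usual cause of "VPN works until policy routing is added" reports.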

Yes, all that can be done with pfSense on an SG-5100, but don't use pfSense for DNS if the clients need Active Directory; in that case the AD server should be the DNS.
