pfSense Solutions

6 real-world deployments we build every week

Each use case below is a pfSense feature stack we have deployed for Indian customers — with the network topology, the Netgate hardware it runs on, and the pfSense modules involved.

/ Use Case 01

SD-WAN Site-to-Site Connectivity via OpenVPN / IPsec

Connect 2-50 branch offices over the public internet with encrypted tunnels, automatic failover, and centrally managed routing — at a fraction of the MPLS cost.

[Diagram: HQ Office (Netgate 4200, 192.168.1.0/24) linked over the public internet to Branch A (Netgate 2100, 10.10.1.0/24), Branch B (Netgate 2100, 10.10.2.0/24) and Branch C (Netgate 1100, 10.10.3.0/24) by encrypted OpenVPN and IPsec tunnels; full-mesh and hub-spoke.]

Ideal for

  • Multi-branch businesses replacing MPLS / leased lines
  • Retail chains with 5-50 outlets needing central HQ access
  • Companies with remote data centre replication

pfSense features used

  • OpenVPN
  • IPsec IKEv2
  • OSPF
  • Static routes
  • CARP (HA)

/ Use Case 02

Remote Worker VPN — WireGuard & OpenVPN

Modern road-warrior VPN for laptops and phones. WireGuard for speed, OpenVPN for legacy compatibility. Supports up to 500+ concurrent users on a single Netgate 6100.

[Diagram: HQ pfSense (Netgate 4200 / 6100, LAN 10.0.0.0/16) in front of internal servers (file, ERP, CRM, intranet). Remote clients connect over encrypted tunnels: laptop with WireGuard client (10.99.0.12), iPhone / Android with WireGuard app (10.99.0.24), home worker with OpenVPN client (10.99.0.45). ChaCha20 end-to-end encryption.]

Ideal for

  • Companies with field sales / work-from-home staff
  • BYOD environments needing secure access to intranet apps
  • Consultants who travel and need permanent office connectivity

pfSense features used

  • WireGuard
  • OpenVPN
  • IPsec Mobile
  • LDAP / RADIUS
  • MFA (TOTP)

/ Use Case 03

Multi-WAN Failover & Load Balancing

Bond two or more ISP links for zero-downtime internet. Policy-based routing sends VoIP over the stable line, bulk downloads over the fat pipe, and everything fails over automatically.

[Diagram: ISP 1, Airtel Fibre 200 Mbps (primary), and ISP 2, Jio 5G 100 Mbps (backup / failover), feed a pfSense firewall (Netgate 2100 / 4200) running a Multi-WAN gateway group with weighted failover, serving the office LAN (users, VoIP, CCTV).]

Ideal for

  • Retail / e-commerce with no tolerance for ISP outages
  • Offices running VoIP calls (auto-switch mid-call)
  • BPOs / contact centres on critical SLAs

pfSense features used

  • Gateway groups
  • Policy-based routing
  • Dpinger monitoring
  • Tier weights
  • Sticky connections

/ Use Case 04

High-Availability Cluster — CARP + pfsync

Two firewalls, one virtual IP. If the primary fails, the standby takes over in under a second with session state preserved — users don't even notice.

[Diagram: Internet → CARP virtual IP 203.0.113.10 → Firewall A (ACTIVE, Netgate 8200 MAX, prio 100, carrying traffic) and Firewall B (STANDBY, Netgate 8200 MAX, prio 50, idle), linked by pfsync over 10G, in front of the protected LAN; zero-downtime failover.]

Ideal for

  • Banks, NBFCs and regulated industries requiring 99.99% uptime
  • Data-centre perimeter with production workloads
  • E-commerce / SaaS businesses where downtime = lost revenue

pfSense features used

  • CARP
  • pfsync
  • XMLRPC sync
  • Virtual IPs
  • Dedicated sync link

/ Use Case 05

Intrusion Detection & Prevention — Suricata

Inline deep-packet inspection on every flow. Block known CVEs, malware C2 traffic, suspicious outbound connections — with Emerging Threats Open & Snort rulesets.

[Diagram: mixed internet traffic enters the pfSense firewall (Netgate 4200 / 6100) running Suricata IDS/IPS with ET Open + Snort VRT rules. Clean traffic is allowed through to the office LAN (users, servers); matches (exfil / CVE / C2) are blocked and logged. Live stats: alerts 1,284, blocked 1,284.]

Ideal for

  • Any business exposed to the public internet
  • Compliance requirements: ISO 27001, SOC 2, PCI DSS
  • Organisations targeted by ransomware / phishing campaigns

pfSense features used

  • Suricata
  • ET Open ruleset
  • Snort VRT
  • pfBlockerNG
  • DNS blocklists

/ Use Case 06

Captive Portal — Guest WiFi with Voucher / SMS Auth

Hotels, cafes, hospitals, malls: monetise or secure your guest WiFi. SMS OTP, voucher codes, time-limited sessions, AUP acceptance, bandwidth caps.

[Diagram: Internet → pfSense with Captive Portal enabled (SMS OTP, vouchers) → WiFi AP (SSID: Guest-WiFi, VLAN 20) → auth page (phone → OTP, or voucher code) → guest laptop and guest phone. Per-user policy: 10 Mbps, 60 min, AUP; log MAC + phone.]

Ideal for

  • Hotels / resorts — room-based voucher WiFi
  • Cafes, co-working spaces — SMS OTP guest login
  • Hospitals, airports, malls — AUP + session limits
  • Event venues — voucher-based paid WiFi

pfSense features used

  • Captive Portal
  • RADIUS (freeRADIUS)
  • Voucher generator
  • Bandwidth limit
  • VLAN isolation

/ Custom Solution

Don't see your exact setup?

Every network is different. Tell us your requirements and we'll design a pfSense deployment tailored to you — no obligation, same-day response.

Custom solution request

Describe your network topology, user count, compliance needs, and timelines. We'll come back with a tailored architecture and quote within 24 hours.

Prefer to chat? WhatsApp us or call +91 98032 34383.