Pfsense build for church with around 30-50 users

I'm trying to build a system to run pfsense for a church to run the DHCP and dns with maybe some caching. The pastor already bought a Ruckus R500 which from what I see should cover most of the area, but I know that the SOHO routers won't cut it for that number of users.

I will post links if that is OK because I can't find the micro PC on PC part picker.
Main system, Shuttle DS81
Specs: 1150 Socket with H81 north bridge, 2x204 sodimm ddr3, 2x realtek RTL8111G 10/100/1000 nics.
Ram I am looking at one 8 gig stick for the time being. Leaves room for upgrading if I need and keeps cost down for now.
The CPU power is where I am not so sure, I am looking at the Intel Celeron G1840, I can't tell if this is enough for what I am trying to do or if it will choke.

One last thing is I am looking at getting a gigabit switch with 8 ports and POE. This place has two distinct levels with some weird stairs in between. I'm not so concerned about the in between, but for future expansion and coverage, I think this is better than POE injectors. Is this line of thinking off or is there a better solution?

Thanks for any help!

Not familiar with that model, but it looks okay. With 30-50 people on wireless, you're going to want multiple AP's. My recommendation is to go Unifi. Any of these will suffice.

EDIT: To expand on wireless limits, in my experience, a single Unifi AP will top out at about 12 to 15 people on it. I have a single AP in my home, and this was more or less tested during a lan party when everyone had phones connected. This doesn't scale linearly. If you have 3 AP's, you don't get 36 to 45 people. It's heavily dependent on where they are.

If you can get blueprints (or a sketch, relatively to scale) of the building, I can recommend where and how many.

Looks good, as long as they don't have a rack. I like the Shuttle boxes. :D

EDIT: let me expand. 8GB is probably fine for 50 people. PfSense doesn't need tons of RAM. I'm not super familiar with the quality of those NIC's, you may want to get an Intel Pro/1000 dual-port like this one. A good idea would be to run a squid caching server on it, so you can reduce the overall load out to the internet. You'll probably want a 250GB SSD for that. For caching, allocating about 170GB should be enough and in my experience, that's going to be bordering on where diminishing returns start to be seriously noticed.

dual core 2.8GHz should be good enough for the church.

questions to give you a better response:

What's their internet speed?

Are you going to be doing any advanced routing?

Are they hosting any services from the church (like a website or Exchange)?

Always get a POE switch for your AP's. It's going to save you trouble later. Injectors are okay for your home, but for a business or client, a POE switch will help you diagnose problems more easily.

If you're going with the Ubiquiti AP's, I'd get one of their switches as well. This is an 8-port, POE with 2x SFP. It's a bit expensive at (US) $200, but it's a solid switch.

The other option for a switch would be something like this Linksys, which is actually a bit less expensive at $159, but you're missing out on the nice integration with the Unifi controller that the Ubiquiti switch has, as well as it's unmanaged, so no 802.3ad or VLAN. (It shouldn't drop VLAN tags though, so you should be fine to that end.)

There aren't a whole lot of options for 8 port POE and a 16 port switch will give you room to upgrade.

EDIT: for those interested, you can run the unifi controller on PfSense: github to the rescue!


Internet speed I'm guessing is around 80/40. No hosting as of yet. And what do you mean by advanced routing? I'm working on a blueprint right now so you can see (Not super to scale, but best guess.)

Internet speed is going to be noticed before and after services.

With that internet speed, you're best off setting up rate-limiting and configuring two different SSID's, one for staff and one guest. Throttle guest to 150kbps, throttle staff to 2.25mbps and you should be good.

Advanced routing like VLAN and whatnot. This is probably going to be a firm "no" if there's no hosting planned for the building.

Doesn't need to be super to scale, as long as the lobby doesn't wind up smaller than the janitor's closet. (Unless it is, in which case, the guy who planned it should be talked at.)

Some VLAN work will be done, I need to make a separate business network, and VLANs would provide some security for that.

Okay, in that case, you'll want to ensure that you've got a managed switch so you can handle VLAN and LACP on the switch.

Definitely get an additional dual or quad nic HBA so you can trunk the packets back to pfsense.


Very interesting, I run my Unifi Controller on a Raspberry Pi B2 but I may have to try this, would make more sense to have it on one machine and it'll likely run better on my pfSense box.

For what I am trying to do, is building a router my best bet? Or should I buy one, or buy a used server for 200 or so and run it off of that?

Damn interesting building design.

I would go with 3 APs. two in the sanctuary, one in the lobby, maybe 1/3 of the distance from the wall closer to the entrance.

Did you say there are two levels? Is it like a first-floor, second floor sorta thing or more like a half-flight sort of thing? If there's a second floor, you'll have to put one AP on each floor.

What sort of material is it constructed from? Steel or concrete walls? If so, you're going to have problems with signals going through walls.

Well, it depends what you want to do. If it's just routing, I'd do something like an edgerouter or sonicwall. If you need to run a full OS, keep running it.

For now, yeah routing is the main thing.

In that case, I'd check out a specialty router. The edgerouter has a few different hardware options. 3 port, 5 port and 8 port. I've linked the 8 port variant.

It's a pretty robust system. I use one at home and two offices.

Ok, I will check it out. Thanks man.

For ease of use, and configuration - management of "guests", staff and so on... take a real close look at Ubiquiti UniFi - the whole ecosystem - the access points, managed switch, and the security gateway + a controller.

You then can set up the whole net through the controller - even give out temporary access like for 1h, 6h, and so on.

You can do the rate limiting, load balancing per client, per group, per access point ... it is actually a very robust "enterprise" level system - which could make it really easy for you to maintain that network at a satisfactory level.

That is the product line frontpage

Edgerouter vs. UnifiGateway:


It does, right now I am just trying to do the top level.

The edge router seems more usable than the USG.

That is true, the edge router has much more granular control over the routing in the GUI - on the CLI both are actually the same - the hardware even is the same. ^^

But if you do not need PGP routing, and all the backbone specific stuff - I mean you run a single internet connection with many clients - I would go for the USG just for the ease of use - because the more serious stuff you have to do on the CLI at the EdgeRouter as well.

I have the EdgeRouter Lite at home and at a few clients who do not have massive wireless infrastructure - but now that I am about to replace my old HP switches, I am really thinking hard about going USG + UnifiSwitches to complement the three access points I have (European house, concrete, brick + steel - so many access points needed for somewhat decent coverage).

Once you dig into the controller UI - set up the networks, the SSIDs and it does the rest for you.

The ease of use will probably be better if I can't stick around. That way I can tell someone else to go press X button and that should fix it.

As long as the internet connection itself is working you will be able to remotely access the controller =) and yes, when you are familiar with the system yourself you can blind-talk a noob through the process =)

Which isn't as given with the EdgeRouter Lite - btw you can create different levels of users - e.g. your church's staff can add users for guests - but cannot switch the routing around and stuff like that =)

You e.g. can enable/disable the guest wifi during the ceremony (whatever is more wanted ;) ) and after it enable it only for registered guests, so maybe the piggybacker on the street won't surf down your connection... all stuff that is possible with easy voucher codes you give to your community.