pfSense Consultant · Ireland · Senior network engineering

pfSense done properly — by an engineer who can actually open the rule editor.

pfSense / Netgate consultant for Irish hotels, SMEs, food producers and equestrian operators. Firewall design, VLAN segmentation, captive portal, multi-WAN failover, VPN, IDS/IPS. Senior-led delivery. Tipperary, Cashel, Galway, Portlaoise and the Midlands.

pfSense / Netgate VLAN segmentation Multi-WAN failover IPsec / WireGuard VPN

Discuss a pfSense engagement →

Why operators end up calling a pfSense consultant

A box that someone installed and nobody understands

There's a Netgate appliance in the comms cupboard. The MSP that installed it is hard to reach. The rule set has grown organically over three years. Nobody can confidently say what's actually allowed. We come in, document the existing state, simplify the ruleset, and hand you back something legible.

Guest WiFi and POS on the same VLAN

We routinely walk into hospitality sites where the guest WiFi, the POS terminals, the property-management system, and the IoT devices are all on one flat /24. From a security and PCI-DSS perspective, that's a problem. We re-architect the network into clean VLANs and write the firewall rules between them.

Multi-WAN that doesn't actually fail over

Two ISPs, two cables into the building, an expensive monthly bill — but when the primary drops, traffic doesn't move to the secondary. Or it does, but the VPN re-establishes badly and the PMS loses its database connection. We tune the failover so it actually works on a Tuesday at 6pm.

VPN setups that are slow, brittle or insecure

Old IPsec configs with weak ciphers, OpenVPN setups that drop daily, road-warrior VPN that needs a fresh certificate generated by hand every onboarding. We modernise the VPN to WireGuard where it makes sense, IPsec where it must, and write the runbook so onboarding new users is a 5-minute job.

What a pfSense engagement covers

Network design & VLAN architecture

Site survey, traffic mapping, segmentation plan. We design the VLAN layout against your actual business — PMS / POS / payments / staff / guest / IoT / management — with documented inter-VLAN rules. PCI-DSS-friendly by default for hospitality clients.

Documented VLAN inventory with purpose, IP plan and authorised devices.
Inter-VLAN firewall policy — least privilege, written down.
PCI-DSS scope reduction for hospitality / retail clients.
DHCP, DNS, NTP services centralised on pfSense (or pushed to dedicated infra).

Captive portal & guest-WiFi sign-on

Branded captive portal with T&Cs, optional email capture, optional voucher / paid access for events. SSO with the PMS for room-keyed access on hotel sites. Bandwidth shaping so one guest can't drown a wedding floor.

Branded splash page with your hotel / venue identity.
T&Cs page (GDPR-aware, in plain English).
Optional email capture for marketing, with double opt-in.
Voucher / paid access for events and conferences.
Bandwidth shaping per device / per VLAN.

Multi-WAN failover & traffic shaping

Two-WAN (or three-WAN) failover that actually works. Health-check tuning, packet-loss thresholds, latency budgets. Policy routing for VoIP / payments. QoS so a backup upload doesn't crater a Friday booking spike.

Active-active or active-passive multi-WAN with documented behaviour.
Tuned gateway health-checks (latency, loss, jitter) so failover isn't twitchy.
Policy routing — VoIP / payments stick to the cleaner line.
QoS / CoDel so backups, updates and streaming don't drown business traffic.
4G / Starlink tertiary fail-over for rural sites.

IPsec & WireGuard VPN — site-to-site and road-warrior

Modern VPN setups. Site-to-site IPsec to head office / cloud. WireGuard for road-warrior users and developers. Documented onboarding runbook so adding a new user is a 5-minute job, not a half-day for the network engineer.

Site-to-site IPsec with current ciphers (no SHA-1, no 3DES, no IKEv1 unless forced).
WireGuard road-warrior with key-rotation runbook.
Split-tunnel vs. full-tunnel design depending on policy and bandwidth.
Documented onboarding — generate a config, scan a QR, done.
DNS-leak protection and kill-switch behaviour where required.

IDS / IPS, threat intel & traffic visibility

Suricata IDS/IPS deployed with curated rule sets — emerging-threats, GeoIP, abuse.ch, our own tuned policies. Logs shipped to a SIEM (Wazuh / Graylog / Elastic) so you have searchable visibility, not a black-box appliance.

Suricata IDS with tuned rule sets (no alert-tsunami).
GeoIP blocking for traffic from regions you have no business reason to talk to.
DNS-over-HTTPS / DNS filtering for malicious-domain blocking.
Log shipping to your SIEM with retention aligned to NIS2 / cyber-insurance requirements.
Quarterly review — what's the IDS actually firing on?

Documentation, handover & retainer

Every engagement ends with a written network diagram, VLAN inventory, firewall ruleset map, VPN onboarding runbook and a backup of the pfSense config. Optional monthly retainer for ongoing changes, monitoring and quarterly tune-ups.

Network diagram (Lucidchart / Mermaid) — yours to keep.
VLAN + IP inventory with authorised devices.
Firewall ruleset summary in plain English.
VPN onboarding runbook for new staff and contractors.
Monthly retainer (from €350/mo) — config changes, monitoring, quarterly review.

Where we work

pfSense engagements delivered with on-site work across Ireland (typically from our Thurles office) and remote-first delivery elsewhere.

Ireland — Tipperary (Cashel, Thurles, Clonmel, Cahir, Nenagh, Roscrea), Galway, Limerick, Cork
Irish Midlands — Portlaoise, Athlone, Mullingar, Tullamore
Kilkenny, Waterford, Kildare and surrounding counties on arrangement
United Kingdom — Cambridge, Suffolk, London by arrangement
Remote pfSense / Netgate support for any EU-jurisdiction client

pfSense consultant Ireland — Tipperary, Cashel, Thurles, Galway, Limerick, Portlaoise and the Midlands. Hospitality, food, equestrian and SME networks.

Why operators pick Intellix for pfSense work

We know the box. Years of pfSense and Netgate deployments across hospitality, food, equestrian and SME networks. Not a generalist MSP guessing at the rule editor.
You get the docs. Network diagrams, VLAN inventory, ruleset summary, VPN runbook — all yours. No 'call us to find out what's in your network'.
Senior-led delivery. The engineer designing your network is the engineer writing the rules and answering the phone if something goes sideways.
On-site for the boring parts. Cabling, rack work, site surveys — we do the physical work too. Especially valuable for hospitality clients where the network engineer needs to walk the building.
No vendor lock-in. pfSense Community Edition or Netgate Plus — we recommend what's right for your scale and risk profile, not what gets us the biggest reseller margin.

Discuss a pfSense engagement

Email [email protected] with a paragraph describing the site, the current setup (or the chaos), and the goal — or use the form on the live page. We come back within two working days with whether we're a fit and a fixed-price scoping proposal.

← Back to Intellix snapshot · Cybersecurity audit · Hospitality & hotel IT · sitemap

Generated 2026-05-16 13:18 UTC