Built zero trust for 40-person company using pfSense + MikroTik. Replaced $12,000/year Zscaler with $1,300 hardware. Annual savings $10,700.
Zero Trust Architecture
Never trust, always verify — every connection authenticated regardless of source. Old network perimeter died with remote work. You can build zero trust without expensive proprietary tools.
The Stack: pfSense + MikroTik
pfSense at perimeter: Suricata IDS, pfBlockerNG DNS blocking, WireGuard remote access.
MikroTik RB5009 behind it: inter-VLAN routing, QoS, WiFi via CAPsMAN.
Trunk link between them with strict VLAN segmentation.
Layer 1: pfSense Perimeter
Dual WAN failover. Suricata intrusion detection. pfBlockerNG DNS threat blocking. WireGuard VPN for remote workers. VLAN interfaces per network segment on the trunk toward the MikroTik. WireGuard authenticates peers by key pair only, so each remote worker gets their own key pair and their own tunnel address; when someone leaves, one peer entry is removed and nobody else has to be re-keyed.
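As an added example (not code from the original post or from pfSense), the per-worker peer model from this layer expressed as a small config generator: one key pair and one /32 per worker, a check that refuses shared keys or wider AllowedIPs (which would defeat per-person revocation), and a revoke step that emits the live `wg set ... remove` command. The tunnel range 10.99.0.0/24, the interface name wg0 and the public keys are my assumptions; the keys are constructed placeholders, not real Curve25519 keys.

```python
"""Per-worker WireGuard peers with individual revocation.

Added example, not code from the original post or from pfSense. It assumes
(my choices, not the post's) a tunnel interface wg0 on 10.99.0.0/24 with the
firewall at 10.99.0.1, and the public keys are constructed placeholders;
real ones come from `wg genkey | tee worker.key | wg pubkey` on the worker's
machine, so the private key never leaves it.
"""
import base64
import hashlib
import ipaddress
from dataclasses import dataclass, field

TUNNEL_NET = ipaddress.ip_network("10.99.0.0/24")   # assumed
SERVER_ADDRESS = "10.99.0.1/24"                      # assumed


def constructed_pubkey(label: str) -> str:
    """Deterministic 32-byte base64 placeholder in the shape of a WireGuard
    public key. Constructed for this example; not a real Curve25519 key."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


@dataclass(frozen=True)
class Peer:
    name: str
    pubkey: str
    tunnel_ip: str  # exactly one /32 per worker


@dataclass
class WgServer:
    interface: str = "wg0"
    listen_port: int = 51820
    peers: dict = field(default_factory=dict)

    def add_peer(self, name: str, pubkey: str, tunnel_ip: str) -> None:
        net = ipaddress.ip_network(tunnel_ip, strict=True)
        # One /32 ties the key to one address. Anything wider on the server
        # side would let this worker's key claim traffic meant for others.
        if net.prefixlen != 32 or not net.subnet_of(TUNNEL_NET):
            raise ValueError(f"{name}: AllowedIPs must be one /32 inside {TUNNEL_NET}")
        if any(p.pubkey == pubkey for p in self.peers.values()):
            raise ValueError(f"{name}: key already in use; a shared key cannot be revoked per person")
        if any(p.tunnel_ip == tunnel_ip for p in self.peers.values()):
            raise ValueError(f"{name}: {tunnel_ip} already assigned")
        self.peers[name] = Peer(name, pubkey, tunnel_ip)

    def revoke(self, name: str) -> str:
        """Remove one worker from the config and return the command that also
        tears down their live session. Nobody else is touched."""
        peer = self.peers.pop(name)
        return f"wg set {self.interface} peer {peer.pubkey} remove"

    def render(self) -> str:
        """Server-side wg-quick style config, one [Peer] per worker."""
        lines = [
            "[Interface]",
            f"Address = {SERVER_ADDRESS}",
            f"ListenPort = {self.listen_port}",
            "# PrivateKey = (kept on the firewall, omitted here)",
            "",
        ]
        for p in self.peers.values():
            lines += ["[Peer]", f"# {p.name}", f"PublicKey = {p.pubkey}",
                      f"AllowedIPs = {p.tunnel_ip}", ""]
        return "\n".join(lines)


if __name__ == "__main__":
    srv = WgServer()
    srv.add_peer("alice", constructed_pubkey("alice"), "10.99.0.10/32")
    srv.add_peer("bob", constructed_pubkey("bob"), "10.99.0.11/32")
    print(srv.render())
    print("# alice leaves:", srv.revoke("alice"))
    print(srv.render())
```

The point of the two rejections in add_peer is the revocation story: if two workers shared a key, or one peer had AllowedIPs covering the whole tunnel, removing "one person" would either cut off both or leave the remaining key able to claim the other's address.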
Layer 2: MikroTik Internal Routing
VLANs: corporate, servers, IoT, guest, management. Servers accept only specific ports from the corporate VLAN. IoT and guest are completely blocked from the corporate and server networks. MikroTik firewall filter rules in the forward chain enforce this; anything not explicitly allowed is dropped.
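As an added example (not configuration from the original post), the segmentation policy of this layer written as data and rendered to RouterOS forward-chain rules with a default drop at the end, plus a first-match simulator to check the policy before it reaches the router. The interface-list names, the VLAN interface names and the server port list are my assumptions, constructed for illustration.

```python
"""Inter-VLAN policy as data, rendered to MikroTik RouterOS forward-chain rules.

Added example, not configuration from the original post. Interface-list
names, the VLAN interface names and the server port list are my assumptions,
constructed for illustration; the router in the post may differ.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed: which RouterOS interface each interface list contains.
INTERFACE_LISTS: Dict[str, str] = {
    "corporate": "vlan10",
    "servers": "vlan20",
    "iot": "vlan30",
    "guest": "vlan40",
    "management": "vlan99",
    "wan": "ether1",
}


@dataclass(frozen=True)
class Allow:
    src: str
    dst: str
    proto: str = ""               # "" matches any protocol
    ports: Tuple[int, ...] = ()   # () matches any port; needs tcp or udp


# The only permitted new connections between segments. Everything else,
# including IoT/guest toward corporate or servers, hits the final drop.
POLICY: Tuple[Allow, ...] = (
    Allow("corporate", "servers", "tcp", (22, 443, 3389)),  # constructed port list
    Allow("management", "servers", "tcp", (22, 443)),
    Allow("corporate", "wan"),
    Allow("servers", "wan"),
    Allow("iot", "wan"),
    Allow("guest", "wan"),
)


def render_rules(policy=POLICY, lists=INTERFACE_LISTS) -> List[str]:
    """Emit RouterOS CLI lines: interface lists, then the forward chain."""
    out = ["/interface list"]
    out += [f"add name={name}" for name in lists]
    out.append("/interface list member")
    out += [f"add list={name} interface={iface}" for name, iface in lists.items()]
    out += [
        "/ip firewall filter",
        'add chain=forward connection-state=established,related action=accept comment="return traffic"',
        'add chain=forward connection-state=invalid action=drop comment="invalid"',
    ]
    for a in policy:
        for side in (a.src, a.dst):
            if side not in lists:
                raise ValueError(f"unknown interface list {side!r}")
        if a.ports and a.proto not in ("tcp", "udp"):
            raise ValueError(f"{a.src}->{a.dst}: dst-port needs protocol tcp or udp")
        rule = (f"add chain=forward connection-state=new "
                f"in-interface-list={a.src} out-interface-list={a.dst}")
        if a.proto:
            rule += f" protocol={a.proto}"
        if a.ports:
            rule += " dst-port=" + ",".join(str(p) for p in a.ports)
        out.append(rule + f' action=accept comment="{a.src}->{a.dst}"')
    # Order matters: this must stay the last forward rule.
    out.append('add chain=forward action=drop comment="default deny between segments"')
    return out


def is_allowed(src: str, dst: str, proto: str = "tcp", port: int = 0,
               policy=POLICY) -> bool:
    """First-match simulation of the rendered chain for a new connection.
    Run this against the policy before pushing it to the router."""
    for a in policy:
        if (a.src, a.dst) != (src, dst):
            continue
        if a.proto and a.proto != proto:
            continue
        if a.ports and port not in a.ports:
            continue
        return True
    return False


if __name__ == "__main__":
    print("\n".join(render_rules()))
    for q in (("corporate", "servers", "tcp", 443), ("iot", "corporate", "tcp", 443),
              ("guest", "servers", "tcp", 22), ("iot", "wan", "udp", 123)):
        print(q, "->", "accept" if is_allowed(*q) else "drop")
```

Keeping the policy as a tuple of Allow entries means a new server port or a new segment is one line of data, and the default-deny rule is emitted by the renderer rather than remembered by whoever edits the router by hand.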
Layer 3: Corporate WiFi
CAPsMAN centralized management. RADIUS auth to pfSense for corporate WiFi. Guest WiFi isolated with captive portal. Enterprise WiFi capability without enterprise cost.
Layer 4: Identity via Authentik
Open source SSO and MFA. Integrates with pfSense VPN user auth (OpenVPN or IPsec; WireGuard peers are authenticated by key pair, not by login) and with WiFi RADIUS. Free enterprise-grade identity provider replacing expensive commercial IAM solutions.
Pros and Cons
Pros: 85% cost savings. Full security control. No cloud dependency. Open source throughout. Enterprise-grade features.
Cons: Complex setup requiring networking skill. Two platforms to manage and learn. No unified dashboard. Community support only, no SLA.
Bottom Line
Enterprise zero trust at small business price. The $10,700 annual savings funds training and consulting and still leaves a surplus. Keeps security infrastructure under your control.