13 Apr Citizens Advice Scotland Builds an Auditable, Highly Available Network with pfSense and Netgate
Citizens Advice Scotland Builds an Auditable, Highly Available Network with pfSense and Netgate
Overview
Requirements:
- Resilient, highly available network across almost 60 bureaux and nearly 300 locations
- Clear network segmentation and control to evidence Cyber Essentials Plus
- Predictable, capital-friendly costs aligned with grant-based funding
- Architecture that CAS’s internal team could understand, operate, and extend confidently
Challenges:
- Patchwork legacy network that was hard to map, monitor, or defend
- Difficulty evidencing segregation and control under external audit
- Subscription-heavy firewall models misaligned with public-sector funding cycles
- Mission-critical case management and telephony systems at risk if the network failed
Solution:
- Dual-site pfSense architecture on Netgate appliances, designed with IT AND GENERAL
- High-availability firewalls at two primary sites (Glasgow and Edinburgh)
- Multi-layer failover across connectivity, hardware, core services, and site location
- Fully documented design so CAS can run and evolve the environment in-house
Darren Cairney, IT Infrastructure Manager at Citizens Advice Scotland:
We decided to go with a Netgate setup due to the simple licensing model and a good performance review that aligns with the CAS infrastructure targets. ITG was approached in order to ensure a good clean configuration from the get-go and they delivered exactly as promised.
Their technical expertise and professional approach resulted in a smooth deployment and reliable performance since go-live.
We would gladly work with them again on future projects.
Citizens Advice Scotland (CAS) is Scotland’s largest independent advice network, supporting almost 60 local bureaux across nearly 300 locations. Its teams rely on shared infrastructure and telephony to deliver free, impartial advice at moments of real vulnerability.
At the heart of this work sits a highly customised case management system, used daily by around 1,500 concurrent users. Because the application does not natively support modern resilience patterns, resilience had to be engineered into the network around it, if the network fails, bureaux cannot operate and people cannot get help.
Everything we do affects how people get help. If systems are down, people can’t get help.
Implementing a dual-site pfSense architecture
Working with IT AND GENERAL, CAS built a new pfSense-based architecture on Netgate appliances alongside the legacy network, enabling gradual migration and direct comparison. Two primary sites (Glasgow and Edinburgh) now host high‑availability firewall pairs, with failover engineered across connectivity, hardware, core services, and site location.
IT AND GENERAL handled detailed design and configuration, produced clear interface and connectivity documentation, and supported CAS through deployment and validation with a single senior engineer, Roberto, from start to finish.
Roberto, Certified pfSense Engineer
Impact on Security and Performance
CAS now runs its new and legacy networks side by side, giving external assessors a clear before-and-after view. External vulnerability scans report very few findings on the new side, and reviewers have greater confidence in the improved segregation and control model.
In performance testing, backing up two virtual machines totalling roughly 160 GB over the new network path took around eight minutes, compared with about 25 minutes over the legacy route, around three times faster. Early bureau migrations have completed with no operational complaints, building confidence ahead of full rollout.