PFSense for lots of VPN connections?

Karandras

Now when I say lots, I'm not thinking thousands, but between 50-100 connections. I was going to build an ESXi box with three servers:

1- pfsense for firewall and VPN connections
2- Windows 2016 - Domain controller
3- Windows 2016 - File and database storage server

This is all just thoughts right now, but I have a friend who is looking to have his friends connect up for their company and wanted something built.
What kind of CPU and memory would pfsense require for that many tunnels?

Thanks!
 
No?

The biggest issue that I don't know if they fixed was LDAP integration. If you're setting up a VPN appliance for 100+ people you probably have some type of AD / LDAP solution. As always, CPU / memory will be highly dependent upon bandwidth requirements. What kind of connection is the server going to have? 100 Mbit, gig, 10 gig? What type of encryption do you plan on using for the tunnel? Trying to size an appliance without knowing your workload is going to prove to be difficult.
 
This for a business? What is the budget, and have you ruled out a commercially sold product? Fortigate might have something affordable for you.

Is this 50-100 VPN endpoints on one encryption domain? Or are we talking multiple encryption domains with a couple dozen endpoints per?
 
Thanks for the replies!
I haven't set anything like this up before. So all info is much appreciated!
Yes, this is for a company. I've only priced out the Sophos XG at about 5k USD, which is pretty pricey.
The client doesn't have a budget since they have no idea on a cost for something like this.
Was going to host it in a shared colo location local to me. Connection would be 100mb.
The client has informed me that they want 40 VPN connections but if I double that it'll make sure that I'm covered if they want more.
It'll be for one domain only. One connection per user.
The client has indicated that they will have a Primavera database on the server as well as up to 1 TB of storage. Not sure how big the files are. They would like to work on the files directly on the server. Currently any file updates are emailed to the person working on the file... So my guess is the files are less than 25 MB.

So pfsense isn't a good idea for a project like this?
 
pfSense could work in that scenario, if you have the right pieces in place.

It sounds like you really, really want to have the AES-NI instruction set in order to handle the encryption overhead.
https://forum.pfsense.org/index.php?topic=69073.0

Comments on ensuring AES-NI in a vm
https://communities.vmware.com/thread/541879

It sounds like most CPUs you'd run these days should have it; it was added back in 2010. You'd just have to make sure, if you're trying to do it in a VM, that you might need to have 2 - 4 cores available for the encryption, and that AES-NI is in fact working.

I do see a way to integrate with AD via RADIUS to pfSense, but I'd probably want to make sure that it's locked down, as I'm not sure how secure that implementation is:
https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

I don't think that using the VPN is going to add a lot of memory overhead, it just depends upon the amount of traffic. Tossing 4GB - 8GB of memory could very well be more than enough if you don't have extra features enabled. (I can't tell you on that one because it's going to be largely dependent on how many connections are made per client)

So if you have a 100 Mbps line, 40 open connections would mean each user gets ~2.5 Mbps of bandwidth. To account for overhead and whatnot, let's say 2 Mbps. If you have a 25 MB file, that means it will take a user 100 seconds to open said file over the VPN. That's obviously the worst case, assuming all 40 people are using the pipe at the same time, but if people are hopping in and out of files it could be possible that people are capping out the connection. In reality, from what I've seen, if you just have Word docs out there, a 100 Mbit line should be a ton of bandwidth to handle it. Same for DBs where you are just downloading small parts of the database at a time.

Before you build a solution, you'll want to get a BASELINE!! from them to get a general idea of what a user might be using currently. It's pretty trivial to set up Performance Monitor or something on a port to get an idea of how much traffic is flowing through those servers. Maybe set up a test solution for one or two users and have them VPN into that and see what kind of bandwidth needs you have. You might be able to throw plenty of hardware at a VPN appliance that can handle > 100 Mbit, but you might only be able to handle 20 connections if they are resource heavy and saturate your connection. You might realize that each client really only averages 500 kbit (likely), then figure out that you don't need to spec a system that can handle 100 Mbit of traffic because in reality peak load is only ~20 Mbit, which means that you can account for growth by building something that only needs to handle 50 Mbit.
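One way to confirm the point above about AES-NI "in fact working" inside the guest, as an added example that is not from this thread or from the pfSense project: check the CPU flag list the hypervisor exposes, then compare OpenSSL throughput with AES-NI enabled and forced off via the `OPENSSL_ia32cap` mask (bit 57 is the AES-NI bit). The `/proc/cpuinfo`, `dev.aesni.0.%desc` sysctl and `/var/run/dmesg.boot` locations are assumptions about a Linux or FreeBSD/pfSense host.

```shell
#!/bin/sh
# Added example, not from the thread: is AES-NI visible to this VM, and
# does OpenSSL really use it? Assumes Linux (/proc/cpuinfo) or
# FreeBSD/pfSense (aesni(4) sysctl or dmesg) and an openssl binary.

# Return 0 if the flag list in $1 contains AES-NI. Linux spells the flag
# "aes"; FreeBSD prints "AESNI" inside "Features2=0x...<...,AESNI,...>".
flags_have_aesni() {
    printf '%s\n' "$1" | tr ',<> ' '\n\n\n\n' | grep -qixE 'aes|aesni'
}

# Collect the raw flag text from whichever OS we are running on.
host_cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2
    elif sysctl -n dev.aesni.0.%desc >/dev/null 2>&1; then
        echo AESNI   # aesni(4) driver attached: FreeBSD/pfSense (assumed sysctl name)
    else
        grep -o 'Features2=.*' /var/run/dmesg.boot 2>/dev/null | head -n1
    fi
}

# Benchmark AES-256-GCM twice: normally, then with AES-NI masked off in
# OpenSSL's CPU-capability vector. A large gap means the hardware path is
# genuinely in use; near-identical numbers mean the guest is doing AES in
# software no matter what the flag list says.
aesni_speed_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    on=$(openssl speed -evp aes-256-gcm 2>/dev/null | awk '/^aes-256-gcm/ {print $NF}')
    off=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-256-gcm 2>/dev/null \
          | awk '/^aes-256-gcm/ {print $NF}')
    echo "AES-256-GCM, 16 KiB blocks: with AES-NI ${on}  without ${off}"
}

if flags_have_aesni "$(host_cpu_flags)"; then
    echo "AES-NI flag is visible to this guest"
else
    echo "AES-NI flag is NOT visible to this guest (check the VM's CPU settings)"
fi

# The speed run takes a while, so it only runs when asked for.
if [ "${1:-}" = "--speed" ]; then
    aesni_speed_check
fi
```

Run it once on the ESXi host's own shell and once inside the pfSense VM; if the guest shows the flag but the two speed numbers match, the instruction is being masked or emulated.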
 
Ugh, busy weekend :-/
Thanks for the reply bman, very informative. I was going to set up an ESXi box at home with all the requirements (since there would be no cost on that), monitor the traffic that he is pushing with a couple of the files that he would need, and go from there, building the appliances as needed based on the traffic that he was generating with one user.
I'll see if I can get ESXi 6.5 to see the AES-NI for pfSense. If so, looks like I would be good to go.

Thanks again for all your help!
 
I'm curious as to what they are trying to actually accomplish. You gave a vague, brief description of what they are looking at, but not what they are doing. Based on the above, you could get a nice QNAP device with redundant storage, power and networking that can run multiple VMs directly onboard, with lots of storage, options, snapshots and backups. Paired with a nice Fortigate or Cisco router, it could accomplish the above.


Edit-- The option I mention above also has the added benefit of reducing software licensing cost. The Standard version of Windows Server is around $600-700 without the per-user Client Access Licenses. With the QNAP, you can connect virtual storage from the storage side to the server as the file and database storage. You can cut down even more on costs if they are looking for authentication and DNS by using the built-in LDAP and DNS server of the QNAP device.

I do not work for QNAP or actually own one. I actually use a Synology device that has similar features, but I do like that QNAP has CPU options that are more cost friendly than Synology's. QNAP has better CPU options than Synology across the range from small/home user to top-of-the-line enterprise.
 
Have done the pfSense on ESXi thing for my home for a while; it worked OK, but I've actually moved it now to a dedicated box. Simply to be independent from the availability of the ESXi box and also to isolate the FW from the rest. I run it now off a low-energy Celeron N with one or two VPNs for myself.

In your case I would go similar and use ESXi for the AD/server stuff and have a dedicated pizza box for pfSense. I think it's easier to set up and upgrade/change if required.
 