How to do proper calculation to support 10,000 VPN Users
-
Hi Team,
I need advice.
Currently I need to check which pfSense hardware is capable of managing 10,000 VPN users.
I need to use IPSec IKEv2 mobile VPN in pfSense.
Can you help me by providing some options, or can you help me do a proper calculation?
-
@prabath-anuradha 10,000 VPNs? I'm not sure this is something pfSense is going to be great at handling. I've personally never run more than like 50-100 mobile VPNs off one instance, so maybe I'm wrong, but that is a huge amount.
It's not an apples to apples comparison by any means, but for example Fortinet requires you use their 500E series for 10k VPN clients which is a $30k firewall.
Are they all going to be connected at the same time?
-
I would agree with that. I have never tested (or even seen) that number of IPSec users but I would expect some parts of the GUI to be completely unusable with that defined.
I would not attempt more than, say, 500 users with a VPN setup like that.
Steve
-
@planedrop
Thank you for the update.
"Are they all going to be connected at the same time?"
Yes, we are assuming they will connect at the same time.
What we are trying to get an exact picture of is the maximum number of concurrent IPSec IKEv2 users supported on pfSense hardware products such as "NETGATE 1541 BASE PFSENSE".
-
There is no hard limit in software. As far as I know you could upload a config with that enabled and it should work. However the IPSec status page would almost certainly not function.
You would need to use an external authentication server. It would probably make managing the firewall impractical IMO.
-
@stephenw10 - Thank you very much for the information.
Let's assume we are using RADIUS as external authentication, so we do not want to list VPN users in the pfSense GUI from time to time. Also, we can avoid using the Online Users widget in pfSense that shows the online VPN user list. (These are two best practices I can propose for the GUI unresponsiveness concern.)
Other than that, I believe there are no artificial limits defined by the pfSense product itself.
What is the max number of VPN users achievable with the "NETGATE 1541 BASE PFSENSE" model?
-
@prabath-anuradha I mean I still think 10,000 is a huge amount. I mean, even if you have a 10 gigabit WAN connection, if they are all using it concurrently then that's 1 megabit per second per connection; that's almost nothing and IMO would make the VPN not very useful.
How fast is the WAN connection going to be at this site?
I think 1,000 might be more reasonable, still a lot even on a 1541 I think, but more reasonable to achieve.