• Hi Everyone,

    I wish to use pfSense as a VPN concentrator in our data center for all of our managed customers. We use Xen to provide managed virtual machines which remote customer offices will have access to.

    I would like to put each customer in a VLAN of its own meaning I can prevent inter-customer communication. How many VLANs does pfSense 2.0 support? Does it scale well? Would the GUI "mess up"?

    If pfSense can't handle a large amount of VLANs, I could put all customer VMs on the same subnet, and use iptables on the Xen hosts to prevent inter-customer communication. While this would work, it means I couldn't use the nice pfSense GUI.

    Any help or advice is appreciated.


  • 1.2.3 doesn't scale all that well there (you wouldn't want to use > 50 or so interfaces), but lots of things were enhanced performance-wise in 2.0 to accommodate that. We've done production 2.0 deployments with hundreds, and a test setup proof of concept with 4000 VLANs.

  • 4000 VLANs?! That's more than enough for me :D

    Yes, this would be deployed under 2.0 anyway. Given the current good stability of 2.0, I think the extra features added (that we need) outweigh the risk. Nonetheless, we have a box in testing that was set up yesterday. It hasn't skipped a beat yet!

    And provided that the ports on the switch (or bridge ports in my case as this is a Xen setup) that connect to the servers are not VLAN aware and have a PVID of the respective VLAN they are supposed to be on, does that provide a secure solution?

    I've read a lot of nasty things regarding VLANs, however they seem to be used everywhere. For example, most colocation providers use VLANs for their customers.
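As an added example, not part of the thread and not pfSense or Xen code: a small Python model of 802.1Q forwarding through the layout described above (one untagged port per customer on the Xen host, tags only on the trunk toward the firewall). It shows why untagged access ports with a PVID keep customers apart, and reproduces the one classic exception, the double-tagging hop, which only works when a customer VLAN is also the untagged/native VLAN of the trunk and the access port honours a tag equal to its PVID. The port names, the VLAN IDs 10, 20 and 4094, and the "lenient" access-port behaviour are assumptions made for the illustration.

```python
# Added example (not from the thread): a model of 802.1Q forwarding that shows
# why untagged access ports with a PVID isolate customers, and the one classic
# exception, double tagging over a trunk whose native VLAN is also a customer VLAN.
# Port names, VLAN IDs and the "lenient" access behaviour are illustrative assumptions.
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    pvid: int                          # access VLAN, or the trunk's untagged/native VLAN
    allowed: frozenset = frozenset()   # trunk only: VIDs carried tagged
    lenient: bool = False              # access only: accept a tag equal to the PVID


class Switch:
    """One VLAN-aware bridge (the Xen host's bridges, or a switch in front of pfSense)."""

    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def ingress(self, port, tags):
        """Classify an ingress frame as (vlan, inner_tags), or None to drop it."""
        if port.mode == "access":
            if not tags:
                return port.pvid, []
            if port.lenient and tags[0] == port.pvid:
                return port.pvid, tags[1:]
            return None                       # strict access port: tagged frames never enter
        if not tags:
            return port.pvid, []              # untagged on a trunk = native VLAN
        return (tags[0], tags[1:]) if tags[0] in port.allowed else None

    def forward(self, src, tags):
        """Flood within the VLAN; return {egress_port: tags_left_on_the_wire}."""
        hit = self.ingress(self.ports[src], tags)
        if hit is None:
            return {}
        vlan, inner = hit
        out = {}
        for p in self.ports.values():
            if p.name == src:
                continue
            if p.mode == "access" and p.pvid == vlan:
                out[p.name] = list(inner)             # access egress: untagged
            elif p.mode == "trunk" and vlan == p.pvid:
                out[p.name] = list(inner)             # native VLAN egress: outer tag stripped
            elif p.mode == "trunk" and vlan in p.allowed:
                out[p.name] = [vlan] + list(inner)
        return out


def reach(sw1, link, sw2, src, tags):
    """Set of sw2 ports reached by a frame sent into sw1 port `src`, via trunk link=(sw1_port, sw2_port)."""
    a, b = link
    wire = sw1.forward(src, tags).get(a)
    return set() if wire is None else set(sw2.forward(b, wire))


def build(native, lenient):
    """Xen host with a bridge/port per customer, trunked to an edge device with the same VLANs."""
    cust = frozenset({10, 20})
    xen = Switch(Port("vif_custA", "access", 10, lenient=lenient),
                 Port("vif_custB", "access", 20, lenient=lenient),
                 Port("eth0", "trunk", native, cust))
    edge = Switch(Port("uplink", "trunk", native, cust),
                  Port("srvA", "access", 10),
                  Port("srvB", "access", 20))
    return xen, ("eth0", "uplink"), edge


def demo():
    # Layout from the thread: untagged customer ports, tags only on the trunk, and the
    # trunk's untagged/native VLAN (4094, an assumption) not used by any customer.
    xen, link, edge = build(native=4094, lenient=False)
    isolated = (reach(xen, link, edge, "vif_custA", []) == {"srvA"}
                and reach(xen, link, edge, "vif_custA", [20]) == set()       # spoofed tag dropped
                and reach(xen, link, edge, "vif_custA", [10, 20]) == set())  # double tag dropped
    # The hole: customer A's VLAN is also the trunk's native VLAN and the access port honours
    # a tag equal to its PVID. The outer tag is stripped on the trunk, inner tag 20 survives,
    # and A's frame is delivered into B's VLAN.
    xen, link, edge = build(native=10, lenient=True)
    hop = reach(xen, link, edge, "vif_custA", [10, 20])
    # Same lenient port, but with the native VLAN unused: the frame stays in A's VLAN.
    xen, link, edge = build(native=4094, lenient=True)
    contained = reach(xen, link, edge, "vif_custA", [10, 20])
    return isolated, hop, contained


if __name__ == "__main__":
    isolated, hop, contained = demo()
    print("secure layout isolates customers:", isolated)   # True
    print("double tag, native VLAN 10 reaches:", hop)      # {'srvB'}
    print("double tag, native unused reaches:", contained) # {'srvA'}
```

The model reflects the two conditions a practitioner checks on this kind of deployment: customer-facing ports drop tagged frames (or at least never share a VLAN with the trunk's untagged side), and no customer VLAN is the native VLAN of any trunk, including the Xen host's physical NIC if it is itself bridged untagged.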