Hardware for 50/150 Mbps VPN traffic



  • Hi,

    Does anyone here know what kind of hardware I'd need to push 50 Mbps of VPN (IPsec or OpenVPN) traffic with pfSense? What about 150 Mbps?


  • Netgate Administrator

    In a quick and dirty test I did the other day I managed 50Mb/s between two boxes. The lower specced box is a 1.3GHz Celeron (Pentium M core), 1GB RAM (probably not a factor) using Marvell Yukon Gigabit NICs.
    I used OpenVPN set at its default AES-128bit. I imagine I could get better throughput with some tuning. Some Googling shows that this is well below par!  ::)
    It's also worth noting that hardware encryption will speed things up considerably. The VIA CPUs with PadLock seem especially good at it.

    Steve



  • You should start with the hardware sizing guidance page, which includes sizing guidance for VPNs:

    VPN - Heavy use of any of the VPN services included in pfSense will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. A 266 MHz CPU will max out at around 4 Mbps of IPsec throughput, a 500 MHz CPU can push 10-15 Mbps of IPsec, and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare. Supported encryption cards, such as several from Hifn, are capable of significantly reducing CPU requirements.

