How many simultaneous L2TP connections can pfSense handle?

  • following on from a question i asked over at m0n0walls forum (,598.0.html)

    I appreciate that this is a bit of a 'how long os a piece of string' question, but assuming reasonable hardware (say, P4 3200 with 1-2GB ram) could pfSense (OpenVPN) go up against, say a cisco VPN 3020 ( and win? (it does about 750 IPSEC connections)

    Or am i missing something important here? The cisco does LDAP integration, but pfSense can do the same with RADIUS -> IAS -> AD

    I guess load balancing / failover (for VPN access) would have to be done with clever DNS or VPN Client software

    I just dont see why ppl pay $$$$$ for cisco concentrators if this is a reasonable alternative. Does anyone have any experience with OpenVPN in a large scale VPN deployment?

    Maybe it is the client software. I know cisco's client is very good (from an admins point of view at least), hmmmm. Undecided

  • And the same person answers here.  :)

    OpenVPN in pfsense isn't quite up to enterprise-class just yet. It'll work fine if you can manually manage the certificates, and don't need multi-factor authentication (certificates plus say a username/password authenticating against AD). There are planned OpenVPN improvements to make it a truly enterprise class and easy to use VPN solution, but none of that work has started yet.

    How scalable will it be? Well, as scalable as the hardware you throw at it. If you give us some sort of idea how many simultaneous users you expect, maybe we can toss out an idea on what you may need specs wise. There are a number of big OpenVPN deployments, I'm not aware of any really big ones using pfsense and OpenVPN at this time but there are bunches of smaller deployments.

  • lol, cheers cmb.  ;)

    We are looking to provide terminal services access to remote users, approx 100ish simultaneous connections.

    I notice that astaro use strongswan as well as openvpn. Do you know anything about the benefits of stongswan over openvpn?


  • I'm not a Linux guru, and never heard of strongswan until you mentioned it. From a quick Google, it's IPsec for remote access.

    The issue with IPsec is, unless you have a commercial solution that comes with a client (Cisco, probably others), there are issues getting client software on Windows machines (and I assume that's the majority of what you'll need to support). There is the Shrew Soft client, and I know the author hangs out on our mailing list and people do use it with pfsense.

    OpenVPN is more convenient, IMO, because you can use a single client across every platform you need to support (Windows, OS X, BSD, Linux). With IPsec, you would have a different client from a different source for every platform (again, unless you had a commercial solution).

    If I was going with a large scale open source deployment, I would go with OpenVPN in most environments.

    For around 100 simultaneous connections, I would go with a Pentium 4 or better box. That should leave you plenty of power to spare.