    Cisco vs Pfsense performance for VPN

      Jason Banned

      How would the performance compare on a hardware Cisco router (like the 2911) vs using Pfsense in a VM? We need to bring up a temporary one to support about 200 users. Already have the router and licensing, just not sure how the two will compare. I would think the 2911 would do much better.

      They will be doing VPN only, nothing else.

        scottalanmiller

        I would expect far better performance from a pfSense VPN. FreeBSD is screaming fast on its own, especially good for networking performance and in a VM can easily get many times the resources than the appliance would provide.

          Dashrender

          I think it will all depend on how many resources you give it.

            stacksofplates

            Any reason for pfsense over Vyatta?

              scottalanmiller @stacksofplates

              @johnhooks said in Cisco vs Pfsense preformance for VPN:

              Any reason for pfsense over Vyatta?

              That would be my first choice. VyOS.

                Dashrender @scottalanmiller

                @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                @johnhooks said in Cisco vs Pfsense preformance for VPN:

                Any reason for pfsense over Vyatta?

                That would be my first choice. VyOS.

                Does anyone make a VM appliance?

                  stacksofplates @Dashrender

                  @Dashrender said in Cisco vs Pfsense preformance for VPN:

                  @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                  @johnhooks said in Cisco vs Pfsense preformance for VPN:

                  Any reason for pfsense over Vyatta?

                  That would be my first choice. VyOS.

                  Does anyone make a VM appliance.

                  Just download the ISO and install it.

                    Jason Banned @Dashrender

                    @Dashrender said in Cisco vs Pfsense preformance for VPN:

                    @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                    @johnhooks said in Cisco vs Pfsense preformance for VPN:

                    Any reason for pfsense over Vyatta?

                    That would be my first choice. VyOS.

                    Does anyone make a VM appliance.

                    VyOS has an OVF. Pfsense doesn't.

                    Quick and dirty was the main reason I was considering Pfsense over VyOS

                    Can VyOS act as a VPN concentrator using a single interface (aka just internal, no WAN)? Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built-in Windows one.

                      stacksofplates @Jason

                      @Jason said in Cisco vs Pfsense preformance for VPN:

                      @Dashrender said in Cisco vs Pfsense preformance for VPN:

                      @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                      @johnhooks said in Cisco vs Pfsense preformance for VPN:

                      Any reason for pfsense over Vyatta?

                      That would be my first choice. VyOS.

                      Does anyone make a VM appliance.

                      VyOS has an OVF. Pfsense doesn't.

                      Quick and dirty was the main reason I was considering Pfsense over VyOS

                      Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one..

                      I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure.

                        bbigford

                        One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Having said that, I'd take Pfsense... or M0n0wall, or Smoothwall.

                          scottalanmiller @bbigford

                          @BBigford said in Cisco vs Pfsense preformance for VPN:

                          One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance.

                          Kind of. While that's true, it's like old arcade machines, designed to do one task well, not to scale up. The thing that this causes is for them to push low end hardware to its limits. So because Cisco can design for the device, they do. Because they do, they can spend less on having less hardware power.

                          This is why Ubiquiti does for $95 what Cisco struggles to do at $3,000. Cisco hardware gets expensive to be able to handle the throughput needs. The hardware advantages of generic commodity hardware is orders of magnitude faster than the custom Cisco ASICs at the same prices. And VyOS, pfSense and others are written to that commodity hardware pretty heavily, it's not likely they are being emulated. The software advantage here is only 20% at most. But the hardware advantage is easily 10,000% or more.

                            Jason Banned @bbigford

                            @BBigford said in Cisco vs Pfsense preformance for VPN:

                            One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Having said that, I'd take Pfsense... or M0n0wall, or Smoothwall.

                            Don't know about optimal performance. The CPU is nothing special.

                            When we're talking of routing there is no difference in it or a computer. The difference would be in encryption offload, and DSP you might have in the router for SIP, PRIs, analog lines etc.

                              Jason Banned @stacksofplates

                              @johnhooks said in Cisco vs Pfsense preformance for VPN:

                              @Jason said in Cisco vs Pfsense preformance for VPN:

                              @Dashrender said in Cisco vs Pfsense preformance for VPN:

                              @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                              @johnhooks said in Cisco vs Pfsense preformance for VPN:

                              Any reason for pfsense over Vyatta?

                              That would be my first choice. VyOS.

                              Does anyone make a VM appliance.

                              VyOS has an OVF. Pfsense doesn't.

                              Quick and dirty was the main reason I was considering Pfsense over VyOS

                              Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one..

                              I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure.

                              Looks like it can do a loop back like Cisco IOS for this.
                              http://vyos.net/wiki/NAT_Before_VPN

                              Stupid question: we are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users.

                              Is there a way to do a failover between two VyOS VMs at two different locations (and two different public IPs)? Users connect via DNS name though.

                                coliver @Jason

                                @Jason said in Cisco vs Pfsense preformance for VPN:

                                @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                @Jason said in Cisco vs Pfsense preformance for VPN:

                                @Dashrender said in Cisco vs Pfsense preformance for VPN:

                                @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                                @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                Any reason for pfsense over Vyatta?

                                That would be my first choice. VyOS.

                                Does anyone make a VM appliance.

                                VyOS has an OVF. Pfsense doesn't.

                                Quick and dirty was the main reason I was considering Pfsense over VyOS

                                Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one..

                                I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure.

                                Looks like it can do a loop back like Cisco IOS for this.
                                http://vyos.net/wiki/NAT_Before_VPN

                                Stupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users..

                                Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though..

                                Would sticking something like HAProxy in front of them work? It should be able to proxy VPN connections and be able to load-balance / fail over what you need.

                                  JaredBusch @Jason

                                  @Jason said in Cisco vs Pfsense preformance for VPN:

                                  @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                  @Jason said in Cisco vs Pfsense preformance for VPN:

                                  @Dashrender said in Cisco vs Pfsense preformance for VPN:

                                  @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                                  @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                  Any reason for pfsense over Vyatta?

                                  That would be my first choice. VyOS.

                                  Does anyone make a VM appliance.

                                  VyOS has an OVF. Pfsense doesn't.

                                  Quick and dirty was the main reason I was considering Pfsense over VyOS

                                  Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one..

                                  I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure.

                                  Looks like it can do a loop back like Cisco IOS for this.
                                  http://vyos.net/wiki/NAT_Before_VPN

                                  Stupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users..

                                  Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though..

                                  Would the failover not just be the DNS name updating?

                                    Jason Banned @JaredBusch

                                    @JaredBusch said in Cisco vs Pfsense preformance for VPN:

                                    @Jason said in Cisco vs Pfsense preformance for VPN:

                                    @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                    @Jason said in Cisco vs Pfsense preformance for VPN:

                                    @Dashrender said in Cisco vs Pfsense preformance for VPN:

                                    @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                                    @johnhooks said in Cisco vs Pfsense preformance for VPN:

                                    Any reason for pfsense over Vyatta?

                                    That would be my first choice. VyOS.

                                    Does anyone make a VM appliance.

                                    VyOS has an OVF. Pfsense doesn't.

                                    Quick and dirty was the main reason I was considering Pfsense over VyOS

                                    Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one..

                                    I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure.

                                    Looks like it can do a loop back like Cisco IOS for this.
                                    http://vyos.net/wiki/NAT_Before_VPN

                                    Stupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users..

                                    Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though..

                                    Would the failover not just be the DNS name updating?

                                    That's what I'm wondering, as in, is there a DNS server that can swap them automatically if a host is down? We currently are using Network Solutions for external DNS.

                                      bbigford @scottalanmiller

                                      @scottalanmiller said in Cisco vs Pfsense preformance for VPN:

                                      @BBigford said in Cisco vs Pfsense preformance for VPN:

                                      One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance.

                                      Kind of. While that's true, it's like old arcade machines, designed to do one task well, not to scale up. The thing that this causes is for them to push low end hardware to its limits. So because Cisco can design for the device, they do. Because they do, they can spend less on having less hardware power.

                                      This is why Ubiquiti does for $95 what Cisco struggles to do at $3,000. Cisco hardware gets expensive to be able to handle the throughput needs. The hardware advantages of generic commodity hardware is orders of magnitude faster than the custom Cisco ASICs at the same prices. And VyOS, pfSense and others are written to that commodity hardware pretty heavily, it's not likely they are being emulated. The software advantage here is only 20% at most. But the hardware advantage is easily 10,000% or more.

                                      That explanation was better than mine. Considering I failed to include any backing content. 🙂

                                        Dashrender

                                        Who provides auto-changing, on-the-fly DNS updates like that for failover? Wouldn't something like CloudFlare be more the norm?

                                        As for failover VPN, wouldn't it be better, easier to set up two DNS records, and have the VPN client try the default one first, and when it fails, fail over to the secondary one in its list?

                                          JaredBusch @Dashrender

                                          @Dashrender said in Cisco vs Pfsense preformance for VPN:

                                          Who provides auto changing on the fly DNS updates like that for failover? Wouldn't something like CloudFlare be more the norm?

                                          As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list?

                                          The $60/year plan does it.
                                          http://wwwdemo.dnsmadeeasy.com/pricing/

                                            Jason Banned @Dashrender

                                            @Dashrender said in Cisco vs Pfsense preformance for VPN:

                                            As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list?

                                            Not likely. When you do that it is basically two separate VPNs.
