Cisco vs Pfsense preformance for VPN
- 
 @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. Just download the ISO and install it. 
- 
 @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. 
- 
 @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure. 
- 
 One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Having said that, I'd take Pfsense... or M0n0wall, or Smoothwall. 
- 
 @BBigford said in Cisco vs Pfsense preformance for VPN: One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Kind of. While that's true, it's like old arcade machines, designed to do one task well, not to scale up. The thing that this causes is for them to push low end hardware to its limits. So because Cisco can design for the device, they do. Because they do, they can spend less on having less hardware power. This is why Ubiquiti does for $95 what Cisco struggles to do at $3,000. Cisco hardware gets expensive to be able to handle the throughput needs. The hardware advantages of generic commodity hardware is orders of magnitude faster than the custom Cisco ASICs at the same prices. And VyOS, pfSense and others are written to that commodity hardware pretty heavily, it's not likely they are being emulated. The software advantage here is only 20% at most. But the hardware advantage is easily 10,000% or more. 
- 
 @BBigford said in Cisco vs Pfsense preformance for VPN: One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Having said that, I'd take Pfsense... or M0n0wall, or Smoothwall. Don't know about optimal preformance. The CPU is nothing special.. When were talking of routing there is no difference in it or a computer. The difference would be in Encrtpyion offload, and DSP you might have in the router for SIP, PRIs, Analog lines etc. 
- 
 @johnhooks said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure. Looks like it can do a loop back like Cisco IOS for this. 
 http://vyos.net/wiki/NAT_Before_VPNStupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users.. Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though.. 
- 
 @Jason said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure. Looks like it can do a loop back like Cisco IOS for this. 
 http://vyos.net/wiki/NAT_Before_VPNStupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users.. Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though.. Would sticking something like HAProxy in front of them work? It should be able to proxy VPN connections and be able to load-balance / fail over what you need. 
- 
 @Jason said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure. Looks like it can do a loop back like Cisco IOS for this. 
 http://vyos.net/wiki/NAT_Before_VPNStupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users.. Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though.. Would the failover not just be the DNS name updating? 
- 
 @JaredBusch said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @johnhooks said in Cisco vs Pfsense preformance for VPN: Any reason for pfsense over Vyatta? That would be my first choice. VyOS. Does anyone make a VM appliance. VyOS has an OVF. Pfsense doesn't. Quick and dirty was the main reason I was considering Pfsense over VyOS Can VyOS act as a VPN concentrator using a single interface (aka just internal no WAN). Does it work with the native Windows client? We don't want to deploy another one besides our Cisco AnyConnect we already use or use the built in Windows one.. I've set up Ubiquiti with the Windows L2TP client. As for the interface, not 100% sure. Looks like it can do a loop back like Cisco IOS for this. 
 http://vyos.net/wiki/NAT_Before_VPNStupid question, We are thinking about maybe replacing all of our Cisco VPN routers with VyOS since it will do it, instead of just this temp 200 user one. It will be more like 20,000 users.. Is there a way to do a failover between to VyOS VMs at two different locations (and two different public ips) users connect via DNS name though.. Would the failover not just be the DNS name updating? That's what I'm wondering, as in will is there a DNS server that can swap them if a host is down automatically? We currently are using Network Solutions for external DNS. 
- 
 @scottalanmiller said in Cisco vs Pfsense preformance for VPN: @BBigford said in Cisco vs Pfsense preformance for VPN: One thing Cisco has going for it is that the software is designed for that device, so that it can reach optimal performance. Kind of. While that's true, it's like old arcade machines, designed to do one task well, not to scale up. The thing that this causes is for them to push low end hardware to its limits. So because Cisco can design for the device, they do. Because they do, they can spend less on having less hardware power. This is why Ubiquiti does for $95 what Cisco struggles to do at $3,000. Cisco hardware gets expensive to be able to handle the throughput needs. The hardware advantages of generic commodity hardware is orders of magnitude faster than the custom Cisco ASICs at the same prices. And VyOS, pfSense and others are written to that commodity hardware pretty heavily, it's not likely they are being emulated. The software advantage here is only 20% at most. But the hardware advantage is easily 10,000% or more. That explanation was better than mine. Considering I failed to include any backing content.  
- 
 Who provides auto changing on the fly DNS updates like that for failover? Wouldn't something like CloudFlare be more the norm? As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list? 
- 
 @Dashrender said in Cisco vs Pfsense preformance for VPN: Who provides auto changing on the fly DNS updates like that for failover? Wouldn't something like CloudFlare be more the norm? As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list? The $60/year plan does it. 
 http://wwwdemo.dnsmadeeasy.com/pricing/
- 
 @Dashrender said in Cisco vs Pfsense preformance for VPN: As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list? Not likely. when you do that it is basically two seperate VPNs. 
- 
 @Jason said in Cisco vs Pfsense preformance for VPN: @Dashrender said in Cisco vs Pfsense preformance for VPN: As for failover VPN, wouldn't be better, easier to setup two DNS records, and have the VPN client try the default one first, and when it fails, failover over to the secondary one in it's list? Not likely. when you do that it is basically two seperate VPNs. I apparently did not read his entire post last night. This is correct, I know of now method to have the basic windows VPN service use multiuple DNS names. IPSEC just does not work that way. use a DNS failover service. like the one I linked above to handle it automatically. 
- 
 So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. ) Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step. 
- 
 @Jason said in Cisco vs Pfsense preformance for VPN: So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. ) Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step. I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer. 
- 
 @johnhooks said in Cisco vs Pfsense preformance for VPN: I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer. Haha.. I don't want to move most of our stuff. We still like our switches and edge routers from them. Their firewalls and VPNs suck though. We switched to Palo Alto for firewalls a good while back. 
- 
 what did you move to for VPN? 
- 
 @johnhooks said in Cisco vs Pfsense preformance for VPN: @Jason said in Cisco vs Pfsense preformance for VPN: So in our limited testing so far.. we've about tripled the throughput of the VPN by going away from the Cisco routers (Which was costing us tens of thousands in user licensing (Per year) for the vpn on top of the router and security bundle costs. ) Still need to setup the failover but so far it's been great. And since the IKEV2 can be fully deployed with a GPO we add them to the VPN AD group and everything from the root CA, to the vpn profile and access via NPS/Radius is all done with a single step. I wish I could get most of our networking equipment away from Cisco. I sadly I don't pull enough weight as a lowly systems engineer. Just point out that senior network engineer is just one rung of the ladder below junior system admin. 





