PfSense 2.5 will only work with AES-NI capable CPUs

athurdent

Some additional info:
https://www.reddit.com/r/PFSENSE/comments/68nd6y/pfsense_25_and_aesni/dh0qi53/

mudmanc4

@ivor:

Now I feel stupid. I am sorry as I have misread your initial comment. I have fixed it. Please note that we will be supporting pfSense 2.4 for around a year once 2.5 is out. 2.5 won't be out for over a year (really depends from FreeBSD 12 release date).

Actually, if this ~2 year timeline on 2.4 viability is even close, this announcement should be very well taken by everyone. 24 months is a professional notice time period.

Maybe some could use to think about this for a moment before jumping in and venting in a negative manner.

bennyc

Wow, that (full) reddit post kind of threw me of my chair  ::)
Amazed by the anger/frustration.  If they put equal effort in coding as they do in trying to clarifying their motivations, hats off…
Interesting read of Gonzo's post though, that's probably the best part (for me) as I learned new things.

So I just got an actual legit reason to go looking for a new home router in the near future -> life is good ;D

VAMike

@W4RH34D:

@thehammer86:

Push the AES-NI requirement to pfSense 3.0 roadmap.

Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..

Dropping 32-bit support recently was understandable but this is ludicrous!

Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.

The first one.

stephenw10

@Gram:

You guys chose a hell of a week to announce a baked in Intel requirement!

The timing was indeed unfortunate! However AES-NI is not exclusive to Intel:

https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture

Steve

Gram

@stephenw10:

@Gram:

You guys chose a hell of a week to announce a baked in Intel requirement!

The timing was indeed unfortunate! However AES-NI is not exclusive to Intel:

https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture

Steve

That's a good point. Also some good points in the Reddit post.

For most users, hardware, and companies, this requirement will probably go by practically unnoticed. And if Intel's (or AMD's) implementation of AES-NI is flawed, unintentionally or otherwise, it's going to affect more than just pfSense.

Regardless of whether or not I trust the code in Intel's chips, I do have confidence that Netgate is making the decision for good reasons. The advanced notice is appreciated too.

W4RH34D

@VAMike:

@W4RH34D:

@thehammer86:

Push the AES-NI requirement to pfSense 3.0 roadmap.

Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..

Dropping 32-bit support recently was understandable but this is ludicrous!

Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.

The first one.

Well you could always go back to carrier pigeon, they don't have any of those ludicrous hardware acceleration instruction sets.

VAMike

@W4RH34D:

@VAMike:

@W4RH34D:

@thehammer86:

Push the AES-NI requirement to pfSense 3.0 roadmap.

Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..

Dropping 32-bit support recently was understandable but this is ludicrous!

Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.

The first one.

Well you could always go back to carrier pigeon, they don't have any of those ludicrous hardware acceleration instruction sets.

I see you've gone from the ludicrous to the absurd. The strength of your argument is clear.

W4RH34D

@VAMike:

@W4RH34D:

@VAMike:

@W4RH34D:

@thehammer86:

Push the AES-NI requirement to pfSense 3.0 roadmap.

Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..

Dropping 32-bit support recently was understandable but this is ludicrous!

Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.

The first one.

Well you could always go back to carrier pigeon, they don't have any of those ludicrous hardware acceleration instruction sets.

I see you've gone from the ludicrous to the absurd. The strength of your argument is clear.

We may as well be walking on the Sun, right?

You guys thinking of forking off here at 2.4?  Ya'll can call it PFsenseless.  ;D

fredfox_uk

YAY !!!!

Excuse for me to buy more kit to "test" :D

Seriously though, 2 years notice? I'll take that.

My wife bought me an APU2C4 for Christmas to run pfSense, I'll start speccing new hardware in 12 - 16 months time, ready for Christmas.

athurdent

Well, feel terribly sorry for you…  :)

CPU: AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI

ivor

@fredfox_uk:

YAY !!!!

Excuse for me to buy more kit to "test" :D

Seriously though, 2 years notice? I'll take that.

My wife bought me an APU2C4 for Christmas to run pfSense, I'll start speccing new hardware in 12 - 16 months time, ready for Christmas.

APU2C4 has AES-NI

ivor

A bit more on AES-NI https://www.netgate.com/blog/more-on-aes-ni.html

fredfox_uk

@ivor:

@fredfox_uk:

YAY !!!!

Excuse for me to buy more kit to "test" :D

Seriously though, 2 years notice? I'll take that.

My wife bought me an APU2C4 for Christmas to run pfSense, I'll start speccing new hardware in 12 - 16 months time, ready for Christmas.

APU2C4 has AES-NI

I know - don't tell the wife though ;)

doktornotor

Hmmm… This

the new, pure JS GUI (client) architected as a single page web application.

seems much more disturbing than the AES-NI requirement. (Just recovering from a complete JS fiasco experience, only a couple of days old.)

jwt

JS (on the GUI, not the backend like Ubuquiti attempted via NodeBB) compared to PHP?

I'll take JS, every time.

p.s.  false equivalence, dude.

BBcan177

@doktornotor:

Hmmm… This

the new, pure JS GUI (client) architected as a single page web application.

seems much more disturbing than the AES-NI requirement. (Just recovering from a complete JS fiasco experience, only a couple of days old.)

No fear when Dok is part of the testing team!!  :P

apple4ever

@ivor:

A bit more on AES-NI https://www.netgate.com/blog/more-on-aes-ni.html

I don't think that makes any more sense. Changing the interface isn't a good reason to drop devices without AES-NI.

I'm definitely not happy, as I just bought a nice box 6 months ago without AES-NI support that works great. I was hoping to get a second for HA, and then have these for 4ish years. That's not going to happen now.

If this was coming in 3.0 which would be 3-4 years out, I'd understand. But not a year out. I was planning to buy pfSense Gold, but not now.

ivor

@apple4ever:

I was planning to buy pfSense Gold, but not now.

Is that supposed to make us feel bad? You are using our product for free. You don't have to use it. I understand you are not happy but don't be disrespectful, please.

jahonix

@apple4ever:

I was hoping to get a second for HA, and then have these for 4ish years.

If your goal is to have an HA cluster then go for it now.
If your goal is to mainly fiddle with a piece of software then maybe not.

You don't have to update a system once a new version is available, you know. "High availability" systems don't need to run the latest release, they need to perform without interruption. No doubt, you can have that with the current release already. For free.