    pfSense 2.5.0 will not require AES-NI

    Category: Off-Topic & Non-Support Discussion
    16 Posts, 8 Posters, 9.8k Views
    Raffi_:
      I actually like the new AES-NI requirement that's coming down the road. Aside from the obvious benefits of better performance and security, it gives me an excuse to change out our old hardware in the office. If I were a home user, yeah, I probably wouldn't want to change out my hardware unless it's needed. Would I be mad about it? No. pfSense is free and awesome. New hardware is going to cost money, but pfSense has more than paid for itself already compared to some alternatives.

    Ragtag_fleet, replying to @JeGr:
        @JeGr I understand the benefits of AES-NI, but for most users, and especially home users, a non-AES-NI option would be great. Users will continue to use non-AES-NI CPUs if they have them, or might even buy one now, but there are plenty of alternatives if they want to go down that route. I think pfSense is a great tool; sad to see it might go down a path that might not be up to everyone's needs :(

    JeGr (LAYER 8 Moderator), replying to @Ragtag_fleet:
          @Ragtag_fleet I beg to differ. It has already clearly been stated why the need for AES-NI is beyond just "useful". It's just a thing in the minds of most people that this only has something to do with "crypto" thingies and VPN stuff. If it becomes more widely known and accepted that the things AES-NI does and can do not only accelerate crypto "thingies" but protect against CPU "baddies" too, coupled with more and more "mishaps" like Spectre and Meltdown happening, my hope is that people will grasp that this requirement comes from making communication and other tasks more secure and not only "just make VPNs faster".

          With that in mind, while buying new hardware in 2019 it should a) be a no-brainer and b) not be that expensive for most, as even the small(est) SoCs can already handle AES-NI. :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

    jwt (Netgate), replying to @JeGr:
            @jegr Two years later (some four years after the initial announcement), and 2.5 is ready to drop.

            Meanwhile, last year COVID happened and WFH as a direct result. VPNs from home became much more of a requirement, and AES-NI is very useful for VPN. This seems to have covered the "but I don't use VPN from home" objection voiced by @Ragtag_fleet and many others quite effectively.

            Hindsight is 20/20, right?

            Oh well, who could have known? ¯\_(ツ)_/¯

            What I learned is that no good deed goes unpunished. My attempt to let the community know of an upcoming requirement some 4 years in advance of their earliest ability to act on that requirement (and it's not like 2.4.5 just stops working) resulted in a ton of noise and pushback.

            Far more heat than light, all because I said "if you're replacing hardware, get something that supports AES-NI".

            I am reticent to repeat the experience.

    JKnott, replying to @jwt:

              Even though I now have hardware that supports AES-NI, I'm still glad it's optional. Certainly the business end of the VPN should use it, but the user end might not require the performance improvement.

              BTW, as per other discussion, it appears the Netgate gear with an ARM CPU doesn't support the hardware instructions. What happens with them, as they're more likely to be found in a business?

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

    jwt (Netgate), replying to @JKnott:
                @jknott with 21.02, every ARM appliance we've shipped that is not EOL supports crypto offload, aka a crypto accelerator.

                Also, the arm64 appliances we ship do support the equivalent of AES-NI instructions, but we've chosen to focus on the hw offload for now.

    Ragtag_fleet, replying to @jwt:
                  @jwt Actually, I use a VPN from a VPN provider, but I also have my work computer, on which I have their corporate VPN... For me, as the user end, I still don't need the AES-NI function for my VPN use. I guess you or others use it, but it's still good to have as an option.

    JKnott, replying to @ragtag_fleet:

                    Even if you don't use a VPN, it's still a good idea to run hardware that supports those instructions. A lot of software uses encryption.


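A practical check for the point JKnott makes above, added here as an example and not part of the thread or of pfSense itself: the CPU either exposes the AES instruction set or it does not, and you can see which from files the OS already writes. On pfSense/FreeBSD the boot log at /var/run/dmesg.boot carries the CPU's Features2 list (AESNI appears there when supported) and an aesni0 line when the aesni(4) driver attaches; on Linux, /proc/cpuinfo lists aes among the flags. The three sample inputs below are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example: detect AES-NI support from FreeBSD dmesg.boot or Linux
# /proc/cpuinfo text. Sample inputs are constructed, not captured from hardware.

# Constructed FreeBSD boot log for a CPU that has AES-NI and whose aesni(4)
# driver attached. The feature list format is what FreeBSD prints at boot.
SAMPLE_FREEBSD_WITH='CPU: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz (2496.01-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x7ffafbbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard'

# Constructed boot log for an older Atom-class CPU without AES-NI.
SAMPLE_FREEBSD_WITHOUT='CPU: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (1800.08-MHz K8-class CPU)
  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>'

# Constructed Linux /proc/cpuinfo excerpt; Linux spells the flag in lowercase.
SAMPLE_LINUX_WITH='processor : 0
model name : Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc sse3 pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand'

# has_aesni <text>: exit 0 when the CPU feature list contains AES-NI, 1 otherwise.
has_aesni() {
    # FreeBSD: AESNI inside the Features2=<...> list. Anchor on the separators
    # so a substring of some other flag name cannot match.
    if printf '%s\n' "$1" | grep -q 'Features2=.*[<,]AESNI[,>]'; then
        return 0
    fi
    # Linux: the word "aes" on a "flags:" line (-w keeps "vaes" from matching).
    if printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'aes'; then
        return 0
    fi
    return 1
}

# aesni_driver_attached <text>: exit 0 when FreeBSD's aesni(4) driver logged
# an attach line. The instructions can exist while the driver is not loaded,
# in which case the kernel crypto framework is not using them.
aesni_driver_attached() {
    printf '%s\n' "$1" | grep -q '^aesni[0-9]*: <'
}

# live_check: run the same test against the host this script runs on,
# preferring the FreeBSD boot log (pfSense) and falling back to Linux.
live_check() {
    if [ -r /var/run/dmesg.boot ]; then
        if has_aesni "$(cat /var/run/dmesg.boot)"; then
            echo "AES-NI present (FreeBSD)"
        else
            echo "AES-NI absent (FreeBSD)"
        fi
    elif [ -r /proc/cpuinfo ]; then
        if has_aesni "$(cat /proc/cpuinfo)"; then
            echo "AES-NI present (Linux)"
        else
            echo "AES-NI absent (Linux)"
        fi
    else
        echo "no CPU feature source found"
    fi
}

live_check
```

On a pfSense box the quick form of the same check is `grep -c AESNI /var/run/dmesg.boot`; a hit on AESNI with no aesni0 line means the silicon has the instructions but the aesni(4) driver is not loaded, which is the "supported but not active" state rather than a missing feature.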
    Ragtag_fleet, replying to @JKnott:
                      @jknott Yep, but only when I am looking to upgrade my equipment. ATM I don't see the need or have any bottlenecks, so for me it's not useful to upgrade to AES-NI-equipped hardware...

    johnpoz (LAYER 8 Global Moderator), replying to @Ragtag_fleet:
                        And did you buy said hardware over 4 years ago?

                        Then there is nothing to see here. Now, if you bought yours, say, 3 years ago, after you had been warned well in advance that 2.5 could/would require AES-NI...

                        And now it doesn't - hey, you dodged a bullet. But don't say you were not warned..

                        Waiting to see all the posts - "Gawd daggit @jwt, you said I needed AES-NI, and I bought new hardware that week in prep for 2.5 - which is just now coming out and doesn't need it.. WTF!"

                        no good deed goes unpunished.

                        Words to live by for sure ;)

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

    A Former User:
                          Just read this entire thread. That's 4 minutes of my life I'll never have back.

                          MacOS 11 doesn't run on my Mac SE/30. Apple doesn't listen to the community. 😢

    johnpoz (LAYER 8 Global Moderator), replying to A Former User:
                            Yeah, I'm about ready to write MS a nasty email (that will teach them). I can't get Windows 10 installed on my TRS-80..


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.