Netgate Discussion Forum

    pfSense 2.5 will only work with AES-NI capable CPUs

    General pfSense Questions
    athurdent wrote:

      FYI:
      https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

      VAMike wrote:

        Well, that's bizarre. Why would they go out of their way to break the existing fallback mechanisms?

        dhoffman98 wrote:

          @athurdent:

          FYI:
          https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

          Correct. That's the way I read it also.

          So anyone who is now using systems that run on CPUs without AES-NI will either have to upgrade their CPU (and possibly motherboard) or get a new system, OR not plan on upgrading past 2.4.x.

          FranciscoFranco wrote:

            This is unfortunate for users.
            Booo

            seidler2547 wrote:

              So our 5 PC Engines APUs with the AMD G-T40E will become nice expensive paperweights? Well played, Netgate, well played, for trying to boost your own hardware sales.

              After all I had read, OPNsense is not really an alternative if you want honest software developed by trustworthy people, but well, when there's a choice between throwing several hundred bucks out of the window or just installing a different software that will run fine … I will definitely not choose to buy new hardware. Heck, might as well install plain Debian or OpenWRT on our APUs.

              Just my (expensive) 2ct.

              Stefan

              zanthos wrote:

                I don't think this is based on any of the implemented open source tools included in pfSense. OpenVPN and IPsec will surely work without AES-NI.
                It looks like pfSense will become more and more of a commercial product… (e.g. read about the planned QuickAssist feature, for which it is not clear when it will be finalized, and which may only be included in Netgate products).
                Maybe I'll switch to OPNsense then...

                kolpinkb wrote:

                  This is Bull!

                  They're going to lose a lot of hobbyist users.

                  pfSense has enthusiasts to thank for its widespread advertising and use - NOT commercial users.

                  I bet every hobby user can account for ten pfSense installations at actual businesses.

                  Surely, AES-NI is only necessary for systems under heavy encryption loads.

                  I'll be switching to alternatives as my non-AES-NI system ain't dead yet!

                  janbanan wrote:

                    Making it a requirement seems kinda silly; all I'm looking to do is NAT and a few FW rules, but I guess my i3-2100 is no longer fast enough for that.

                    BBcan177 (Moderator) wrote:

                      The devs have indicated that there are other reasons for this new requirement, and it's not about VPNs etc. I think in the long term users will appreciate all the effort that pfSense is putting into making this a solid and secure platform. Please keep the pitchforks at home.  ;)

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      Synthetickiller wrote:

                        I just happened to pop up on the forum to see what's up, since my current J1900 Celeron based "overkill" rig is running nicely. This really, really surprised me. People told me it was too much power, but now I'm lacking features of higher-end CPUs. LOL. I guess I can throw an old i5-3570K I have lying around at the issue & undervolt it. ::) No money out of pocket for me, but for most people, I totally understand the frustration.

                        W4RH34D wrote:

                          I don't get the pullback.

                          I'm excited for this.

                          Did you really check your cables?

                          kpa wrote:

                            What is the predicted release date for 2.5? I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.

                            ivor wrote:

                              @seidler2547:

                              So our 5 PC Engines APU with the AMD G-T40E will become nice expensive paper weights? Well played, Netgate, well played, for trying to boost your own hardware sales.

                              Netgate is not the only vendor selling hardware with AES-NI.

                              Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                              ivor wrote:

                                @kpa:

                                What is the predicted release date for 2.5? I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.

                                2.5 will probably release in over a year; it depends on when FreeBSD 12 is released. After pfSense 2.5 is released we will support 2.4 for about a year.


                                kpa wrote:

                                  Funny English language. I wrote:

                                  I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.

                                  I meant that hardware that doesn't have an AES-NI capable CPU by the time 2.5 is released is likely to be obsolete at the time.

                                  ivor wrote:

                                    @kpa:

                                    Funny english language. I wrote:

                                    I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.

                                    I meant that hardware that doesn't have an AES-NI capable CPU by the time 2.5 is released is likely to be obsolete at the time.

                                    Oh yes, sorry. I will edit that part ;)


                                    FranciscoFranco wrote:

                                      So when AES-NI is found to be defective, all users will be affected, instead of a subset of users.

                                      Look at the Intel ME experience for example. Is that what we're going for? All racked servers affected.

                                      Homogeneity is bad for security.

                                      ivor wrote:

                                        @FranciscoFranco:

                                        So when AES-NI is found to be a defective all users will be affected, instead of a subset of users.

                                        Look at Intel ME experience for example. Is that what were going for? All racked servers affected.

                                        Homogeneity is bad for security.

                                        https://en.wikipedia.org/wiki/AES_instruction_set


                                        seidler2547 wrote:

                                          @ivor:

                                          @seidler2547:

                                          After all I had read, OPNsense is not really an alternative if you want honest software developed by trustworthy people,

                                          I think you need to chill. You're welcome to use any kind of software you want, but don't claim we are dishonest or not trustworthy.

                                          There's a "not" in my sentence, and I stand by it. So yes, I do think pfSense is better than its fork (at least as of <2.5).

                                          On another note though, proclaiming 2-year-old hardware obsolete in one year's time - not my cup of tea. I have servers here that are more than 5 years old and there is no need to replace them. I don't see any reason to replace our APUs, which are running our AES-256 OpenVPN traffic just fine without hardware acceleration at less than 10% load, only because suddenly AES-NI becomes a requirement.

                                          Stefan

                                          kolpinkb wrote:

                                            Push the AES-NI requirement to pfSense 3.0 roadmap.

                                            Lots of people here have re-purposed older hardware which they have under-volted and under-clocked, with the plan to dial it up as needs arise.

                                            Dropping 32-bit support recently was understandable but this is ludicrous!

                                            W4RH34D wrote:

                                              @thehammer86:

                                              Push the AES-NI requirement to pfSense 3.0 roadmap.

                                              Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..

                                              Dropping 32-bit support recently was understandable but this is ludicrous!

                                              Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.  Is it not common knowledge that most hardware is designed with planned obsolescence?  This isn't a slap in the face to anyone IMO.


                                              ivor wrote:

                                                @seidler2547:

                                                There's a "not" in my sentence, and I stand by it. So yes, I do think pfSense is better than its fork (at least as of <2.5).

                                                On another note though, proclaiming 2-year-old hardware obsolete in one year's time - not my cup of tea. I have servers here that are more than 5 years old and there is no need to replace them. I don't see any reason to replace our APUs, which are running our AES-256 OpenVPN traffic just fine without hardware acceleration at less than 10% load, only because suddenly AES-NI becomes a requirement.

                                                Now I feel stupid. I am sorry as I have misread your initial comment. I have fixed it. Please note that we will be supporting pfSense 2.4 for around a year once 2.5 is out. 2.5 won't be out for over a year (really depends from FreeBSD 12 release date).


                                                jahonix wrote:

                                                  Come on, just because a new version is out sometime in the future it doesn't mean the version you currently run (or that will be released in the foreseeable future, aka 2.3.4) is rendered useless.
                                                  Same with 32-bit hardware and v2.4 in the future. Just keep using 2.3.x on that.

                                                  The goal of each and every pfSense installation I have out there is to do its job. And it does exactly that, otherwise I would have chosen a different solution. That won't change with a new release.
                                                  My job is not to update all systems just because a new version is available. Is yours?

                                                  Only if you want to run the latest version with all the new bells and whistles will you need moderately new hardware for that. So what?

                                                  This discussion reminds me of a crying kid whose favourite toy you've taken away. With the exception that it is only an announcement due in 12+ months to get you prepared (with a new toy).
                                                  So you're mourning a year or so in advance. Really?

                                                  Gram wrote:

                                                    I have pfSense running in a SOHO environment using Atom (Cedarview), with VPN, and no resource constraints whatsoever under light to moderate load. I've recommended the platform to others who've used it for ICS, and through AWS. I won't be able to, in good conscience, recommend the product with these restrictions. I won't be upgrading my hardware. I find the AES-NI requirement more of a security weakness than an enhancement, and will likely begin going with plain old *BSD.

                                                    Bullrun aside, a 7-year-old critical remote exploit was just disclosed in Intel's AMT. The CVE was published today: https://nvd.nist.gov/vuln/detail/CVE-2017-5689

                                                    You guys chose a hell of a week to announce a baked in Intel requirement!

                                                    athurdent wrote:

                                                      Some additional info:
                                                      https://www.reddit.com/r/PFSENSE/comments/68nd6y/pfsense_25_and_aesni/dh0qi53/

                                                      mudmanc4 wrote:

                                                        @ivor:

                                                        Now I feel stupid. I am sorry as I have misread your initial comment. I have fixed it. Please note that we will be supporting pfSense 2.4 for around a year once 2.5 is out. 2.5 won't be out for over a year (really depends from FreeBSD 12 release date).

                                                        Actually, if this ~2 year timeline on 2.4 viability is even close, this announcement should be very well taken by everyone. 24 months is a professional notice time period.

                                                        Maybe some could use to think about this for a moment before jumping in and venting in a negative manner.

                                                        bennyc wrote:

                                                          Wow, that (full) Reddit post kind of threw me off my chair  ::)
                                                          Amazed by the anger/frustration.  If they put as much effort into coding as they do into trying to clarify their motivations, hats off…
                                                          Interesting read of Gonzo's post though; that's probably the best part (for me), as I learned new things.

                                                          So I just got an actual legit reason to go looking for a new home router in the near future -> life is good ;D

                                                          4x XG-7100 (2xHA)
                                                          1x SG-4860
                                                          1x PC Engines APU2C4
                                                          1x PC Engines APU1C4

                                                          VAMike wrote:

                                                            @W4RH34D:

                                                            Is it?  Or is it ludicrous to be running any internet facing hardware that is 6 years after EOL.

                                                            The first one.

                                                            stephenw10 (Netgate Administrator) wrote:

                                                              @Gram:

                                                              You guys chose a hell of a week to announce a baked in Intel requirement!

                                                              The timing was indeed unfortunate! However AES-NI is not exclusive to Intel:

                                                              https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture

                                                              Steve

                                                                Gram wrote:

                                                                @stephenw10:

                                                                @Gram:

                                                                You guys chose a hell of a week to announce a baked in Intel requirement!

                                                                The timing was indeed unfortunate! However AES-NI is not exclusive to Intel:

                                                                https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture

                                                                Steve

                                                                That's a good point. Also some good points in the Reddit post.

                                                                For most users, hardware, and companies, this requirement will probably go by practically unnoticed. And if Intel's (or AMD's) implementation of AES-NI is flawed, unintentionally or otherwise, it's going to affect more than just pfSense.

                                                                 Regardless of whether or not I trust the code in Intel's chips, I do have confidence that Netgate is making the decision for good reasons. The advance notice is appreciated too.

                                                                  W4RH34D wrote:

                                                                   @VAMike:

                                                                   The first one.

                                                                   Well, you could always go back to carrier pigeons; they don't have any of those ludicrous hardware acceleration instruction sets.


                                                                    VAMike wrote:

                                                                     @W4RH34D:

                                                                     Well, you could always go back to carrier pigeons; they don't have any of those ludicrous hardware acceleration instruction sets.

                                                                    I see you've gone from the ludicrous to the absurd. The strength of your argument is clear.

                                                                      W4RH34D wrote:

                                                                       @VAMike:

                                                                       I see you've gone from the ludicrous to the absurd. The strength of your argument is clear.

                                                                      We may as well be walking on the Sun, right?

                                                                       You guys thinking of forking off here at 2.4?  Y'all can call it PFsenseless.  ;D


                                                                        fredfox_uk wrote:

                                                                        YAY !!!!

                                                                        Excuse for me to buy more kit to "test" :D

                                                                        Seriously though, 2 years notice? I'll take that.

                                                                        My wife bought me an APU2C4 for Christmas to run pfSense, I'll start speccing new hardware in 12 - 16 months time, ready for Christmas.

                                                                          athurdent wrote:

                                                                          Well, feel terribly sorry for you…  :)

                                                                          CPU: AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI

                                                                            ivor wrote:

                                                                             @fredfox_uk:

                                                                             My wife bought me an APU2C4 for Christmas to run pfSense, I'll start speccing new hardware in 12 - 16 months time, ready for Christmas.

                                                                             The APU2C4 has AES-NI.


                                                                              ivor wrote:

                                                                              A bit more on AES-NI https://www.netgate.com/blog/more-on-aes-ni.html


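The practical question underneath most of this thread is whether a given box advertises AES-NI at all. The script below is an added example, not code from the thread, from Netgate or from pfSense. It parses the CPU feature line the operating system already prints (the `Features2=0x...<...,AESNI,...>` line in FreeBSD's /var/run/dmesg.boot, which is what pfSense runs on, or the `flags` line in Linux's /proc/cpuinfo) and reports whether the AESNI/aes flag is present. The sample lines embedded at the top are constructed for the example and are not captured from the CPUs mentioned in the posts; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, Netgate or pfSense): detect AES-NI from the
# CPU feature line the OS prints at boot.
#   FreeBSD / pfSense (/var/run/dmesg.boot):  Features2=0x...<SSE3,PCLMULQDQ,...,AESNI,...>
#   Linux (/proc/cpuinfo):                     flags   : fpu vme ... aes ...
# The four sample lines are constructed for this example; they are not real captures.
SAMPLE_FREEBSD_WITH_AESNI='  Features2=0x3ed8220b<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>'
SAMPLE_FREEBSD_WITHOUT_AESNI='  Features2=0x40e31d<SSE3,SSSE3,CX16,MOVBE,POPCNT>'
SAMPLE_LINUX_WITH_AESNI='flags           : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx'
SAMPLE_LINUX_WITHOUT_AESNI='flags           : fpu vme de pse tsc msr pae sse sse2 ssse3 movbe popcnt'

# freebsd_has_aesni LINE
# Returns 0 if LINE is a FreeBSD Features2 line whose <...> list contains AESNI, else 1.
# Matching on ",AESNI," (with the delimiters) avoids false positives from other flags.
freebsd_has_aesni() {
    case "$1" in
        *Features2=*\<*\>*) ;;          # must look like Features2=0x...<FLAG,FLAG,...>
        *) return 1 ;;
    esac
    _flags=${1#*<}                      # drop everything up to and including '<'
    _flags=${_flags%%>*}                # drop '>' and anything after it
    case ",$_flags," in
        *,AESNI,*) return 0 ;;
        *) return 1 ;;
    esac
}

# linux_has_aesni LINE
# Returns 0 if LINE is a /proc/cpuinfo "flags" line containing the flag "aes", else 1.
linux_has_aesni() {
    case "$1" in
        flags*:*) ;;
        *) return 1 ;;
    esac
    _flags=${1#*:}                      # everything after the colon is the flag list
    case " $_flags " in
        *" aes "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host_aesni
# Live check for the host this runs on. Exit status: 0 = AES-NI present,
# 1 = absent, 2 = no feature source found (neither FreeBSD dmesg.boot nor Linux cpuinfo).
check_host_aesni() {
    if [ -r /var/run/dmesg.boot ]; then
        _line=$(grep -m1 'Features2=' /var/run/dmesg.boot)
        if freebsd_has_aesni "$_line"; then echo "AES-NI: yes"; return 0; fi
        echo "AES-NI: no"; return 1
    elif [ -r /proc/cpuinfo ]; then
        _line=$(grep -m1 '^flags' /proc/cpuinfo)
        if linux_has_aesni "$_line"; then echo "AES-NI: yes"; return 0; fi
        echo "AES-NI: no"; return 1
    fi
    echo "no CPU feature source found" >&2
    return 2
}

# Usage on a live host:  sh aesni_check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host_aesni
fi
```

The exit status (0 present, 1 absent, 2 unknown) makes the script usable from a pre-upgrade inventory job across many firewalls; pfSense's own System Information dashboard widget reports the same flag for a single box. To see what the software fallback actually costs on a box that does have the instructions, OpenSSL's documented OPENSSL_ia32cap variable can mask the AES-NI capability bit for one run: compare `openssl speed -evp aes-256-cbc` against `OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-256-cbc`. The `-evp` flag matters, because without it `openssl speed` exercises the plain C AES code regardless of what the CPU supports.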
                                                                                fredfox_uk wrote:

                                                                                 @ivor:

                                                                                 APU2C4 has AES-NI

                                                                                I know - don't tell the wife though ;)

                                                                                  doktornotor wrote:

                                                                                  Hmmm… This

                                                                                  the new, pure JS GUI (client) architected as a single page web application.

                                                                                  seems much more disturbing than the AES-NI requirement. (Just recovering from a complete JS fiasco experience, only a couple of days old.)

                                                                                    jwt (Netgate) wrote:

                                                                                     JS (on the GUI, not the backend like Ubiquiti attempted via NodeBB) compared to PHP?

                                                                                    I'll take JS, every time.

                                                                                    p.s.  false equivalence, dude.
