PfSense 2.5 will only work with AES-NI capable CPUs
-
FYI:
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html -
well that's bizarre. why would they go out of their way to break the existing fallback mechanisms?
-
FYI:
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.htmlCorrect. That's the way I read it also.
So anyone that is now using systems that run on CPUs that do not have AES-NI, will either have to upgrade their CPU and possibly motherboard, or get a new system. OR don't plan on upgrading past 2.4.x
-
This is unfortunate for users.
Booo -
So our 5 PC Engines APU with the AMD G-T40E will become nice expensive paper weights? Well played, Netgate, well played, for trying to boost your own hardware sales.
After all I had read, OPNsense is not really an alternative if you want honest software developed by trustworthy people, but well, when there's a choice between throwing several hundred bucks out of the window or just installing a different software that will run fine … I will definitely not choose to buy new hardware. Heck, might as well install plain Debian or OpenWRT on our APUs.
Just my (expensive) 2ct.
Stefan
-
I don't think this is based on any of the implemented open source tools included in pfSense. openVPN and IPSEC will surely work without AES-NI.
It looks like pfSense will be more and more a commercial product… (i.e. read about planned feature of QuickAssist which is not clear when to be finalized and maybe only included in Netgate products).
Maybe I'll switch to opnSense then... -
This is Bull!
They're going to lose a lot of hobbyist users.
pfSense has enthusiasts to thank for its widespread advertising and use - NOT commercial users.
I bet every hobby user can account for ten pfSense installations at actual businesses.
Surely, AES-NI is only necessary for systems under heavy encryption loads.
I'll be switching to alternatives as my non AES-NI system aint dead yet!
-
Making it a requirement seems kinda silly all im looking to do is nat and a few fw rules but guess my i3 2100 is no longer fast enough for that.
-
The Devs have indicated that there are other reasons for this new requirement. And it's not about VPNS etc. I think in the long term users will appreciate all the effort that pfSense is implementing to make this a solid and secure platform. Please keep the pitchforks at home. ;)
-
I just happened to pop up on the forum to see what's up since my current j1900 celeron based "overkill" rig is running nicely. This really, really surprised me. People told me it was too much power, but now I'm lacking features of higher end cpus. LOL. I guess I can throw an old i5 3570k I have laying around at the issue & undervolt it. ::) No money out of pocket for me, but for most people, I totally understand the frustration.
-
I don't get the pullback.
I'm excited for this.
-
What is the predicted release date for 2.5? I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.
-
So our 5 PC Engines APU with the AMD G-T40E will become nice expensive paper weights? Well played, Netgate, well played, for trying to boost your own hardware sales.
Netgate is not the only vendor selling hardware with AES-NI.
-
@kpa:
What is the predicted release date for 2.5? I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.
2.5 will release in probably over a year. Depends when FreeBSD 12 is released. After pfSense 2.5 is released we will support 2.4 for about a year.
-
Funny english language. I wrote:
I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.
I meant that hardware that doesn't have an AES-NI capable CPU by the time 2.5 is released is likely to be obsolete at the time.
-
@kpa:
Funny english language. I wrote:
I bet all your shoeboxes that can't do AES-NI will be obsolete anyway by that time.
I meant that hardware that doesn't have an AES-NI capable CPU by the time 2.5 is released is likely to be obsolete at the time.
Oh yes, sorry. I will edit that part ;)
-
So when AES-NI is found to be a defective all users will be affected, instead of a subset of users.
Look at Intel ME experience for example. Is that what were going for? All racked servers affected.
Homogeneity is bad for security.
-
So when AES-NI is found to be a defective all users will be affected, instead of a subset of users.
Look at Intel ME experience for example. Is that what were going for? All racked servers affected.
Homogeneity is bad for security.
https://en.wikipedia.org/wiki/AES_instruction_set
-
After all I had read, OPNsense is not really an alternative if you want honest software developed by trustworthy people,
I think you need to chill. You're welcome to use any kind of software you want, but don't claim we are dishonest or not trustworthy.
There's a "not" in my sentence, and I stand by it. So yes, I do think pfSense is better than it's fork (at least as of <2.5).
On another note though, proclaiming 2 year old hardware obsolete in 1 years time - not my cup of tea. I have servers here that are more than 5 years old and there is no need to replace them. I don't see any reason to replace our APUs which are running our AES256 OpenVPN traffic just fine without hardware acceleration at less than 10% load only because suddenly AES-NI becomes a requirement.
Stefan
-
Push the AES-NI requirement to pfSense 3.0 roadmap.
Lots of people here have re-purposed older hardware which they have under-volted and under-clocked with the plan to dial it up as needs arise..
Dropping 32-bit support recently was understandable but this is ludicrous!
