pfSense 2.5 will only work with AES-NI capable CPUs
-
This is going to hurt me.
I manage about 40 sites which are mainly using re-purposed Dell small form factor desktops and APU devices with the AMD G-T40E CPU. None of them use VPN (except me to log in to them remotely) and I have no interest in using cloud management either. Even my home firewall is running on a Dell Optiplex 780 with Intel Core 2 Duo E7500 which does not have AES-NI but is plenty powerful for what I use it for. There are no socket 775 CPUs with AES-NI so a complete hardware upgrade will be required.
I can understand the need to have good encryption between the cloud service and remote firewalls, but I imagine the vast majority of "home" users will not ever use the cloud service.
Can't you consider some other options, such as only making AES-NI a requirement IF you want to use the cloud service? Or perhaps consider ChaCha20, which has higher performance than AES on devices without AES-NI? It works well enough for Wikipedia and Cloudflare.
My business is primarily providing low cost networking to SOHO environments. I'm sure you can understand how pfSense and older/cheaper hardware play a part in this. Things will be much more difficult from 2.5 onward because I won't simply be able to use $50 refurbished hardware, and will instead need to spend 5x as much on Netgate stuff.
I appreciate the long advance warning, but please consider my points above.
Thank you, and keep up the great work.
-
I'm sorry but AES-NI is not exclusive to Netgate appliances.
-
Actually, it might help you, and my reasoning has nothing to do with AES-NI.
One of the strengths of pfSense and other router distributions is that you can use them on nearly any hardware or in virtual systems. Lots of people use pfSense on old, junk, surplus hardware that was otherwise just sitting in a pile on the floor. It's 'free'.
Surprise, your free hardware is costing buckets of cash in electricity. Do a little math with your kW cost and some of those free firewalls probably cost $20 - $50 a year to use in electricity cost. Obviously, $50 is extreme but right now, power costs are low and not everyone pays extremely high prices per kWh. My little J1900 based router costs perhaps $1 a month to run, or $12 per year. An old relic that uses 5x the electricity costs $60 per year. How could you consider that a favor for someone on a budget?
The final changeover won't happen for a couple of years at the earliest. More likely, it will be 3 - 4. By then, hardware costs will be even lower while capabilities will be higher. A wealth of options will be available for router duty. Used hardware will be almost a gift in cost. I got pfSense running on a tiny laptop with AES-NI and two USB network adapters in a few minutes. It supported the entire house for a while. The processor used 8 watts.
Or, just load up another distro. I tried that for experimental purposes. There are lots of good ones. If you don't need OpenVPN that widens the field because most don't support OpenVPN so grandly. Geoblocking is iffy and most don't appear to support supplemental list blocking such as iblock lists. User certificates are hit or miss. IPS/IDS is supported by many but exceptions are not intuitive in many and none I looked into appear to be as granular as Snort can be in pfSense. One likely candidate could support all of the above but had fatal installer problems. After several install attempts I gave up on it, considering the install issues to be a measure of overall software quality.
Good luck to you – coming from a former changeover hater.
-
So you, ivor, don't respond to direct and yes relevant questions and then chastise people for making assumptions about those questions and what silence says.
Whatever.
Open source projects are a mixed blessing. The people doing the work are constantly getting bitched at by users they often see as technically inept free-loaders. Users get confused by poorly thought out public messages that throw into doubt what they thought they knew about the project. Raw attitudes and antagonistic cultures are just about inevitable. Unfortunately pfSense is no exception.
Have to agree. Great technical skills don't have anything to do with people skills. Back in my consulting days over a decade ago, many good communicators were phonies who talked their way into project management jobs without even a small technical skill set. They had numerous tricks to get others to do the job while they took the credit and maintained total control. Flunky types go along best with them. I never got along well with that type and most tried to 'get even with me'. I watched most get fired eventually. So the moral, if you see a technical person with good people skills, they might be like one of them. (I have poor people skills but great writing skills that cover it up.)
So, the next time some dick in the forum doesn't agree with you, they probably don't know any better. Let it go. These people obviously know what they are doing.
-
Quite a few moderators in this forum seem to be on Netgate's payroll nowadays. So they do not only represent an open source project but also a company.
-
Can we stay on topic please?
-
Quite a few moderators in this forum seem to be on Netgate's payroll nowadays. So they do not only represent an open source project but also a company.
As long as they offer a good free version and keep their hardware competitively priced, why does that matter? To a home user like me, I like the free stuff and it keeps people trying out their software. If I were buying hardware for a company, I wouldn't be using a junk server from the hall closet, I'd buy from someone who has an active base for quality control purposes, such as free software provides.
Also, ivor, how can you be off topic in a general discussion … just asking.
-
also, ivor, how can you be off topic in a general discussion … just asking.
This thread is in the General Questions board, a child board of the English Support forum. GD is at the bottom of the main page.
-
As long as they offer a good free version
The distribution is free and if they decided to walk a way that is more safe than the other both ways, able to work, this might be a real gain for me, and then I think this might be a good version, they do care on us, their customers and users.
and keep their hardware competitively priced, why does that matter?
And if this hardware is too high in price, who is pressing you to buy it? No one? Ok what is too high in price and what is "competitively priced"? If it is too high in price don't buy it, spend some coin each year or one time only what you can or you are willing to spend.
To a home user like me, I like the free stuff and it keeps people trying out their software.
Who not!? or better me too, but if the developers get older and founding up a family they have mostly not more time because they must work to get money to pay the bill! I don't know how much pocket money you have, but $5 each year might be possible to realize, or? Free means that software is free of charge but not free of cost!
If I were buying hardware for a company, I wouldn't be using a junk server from the hall closet,
Also even a start company is not sorted with the big cash for sure.
I'd buy from someone who has as active base for quality control purposes, such as free software provides.
If it might be really matching there are actual something around ~2 million active pfSense installations running! (world wide)
And if all of them spend only $2 a year, we can trust on it, that we have a long time future using pfSense.
also, ivor, how can you be off topic in a general discussion ... just asking.
ivor was perhaps provided snitching (revealing) one or more things about the future way of pfSense and now he is in pain, because others may have told him not to repeat it and many of you are asking exactly for that manner again and again and again. Perhaps he is only trying to tell you that in a friendly way and you might be not able to read this between the lines, are you?
-
jailer, welcome to the forum police. Please excuse me if I ignore you.
BlueKobold, I admire the way you parsed something rather innocuous into a Russian conspiracy. Please excuse me if I regard you as being somewhat less credible than someone who is fact oriented. You should try getting out of your mom's basement a little more often. Sunlight is nice.
-
jailer, welcome to the forum police. Please excuse me if I ignore you.
You asked a question, I answered it. No need to be a dick about it.
-
jailer, welcome to the forum police. Please excuse me if I ignore you.
You asked a question, I answered it. No need to be a dick about it.
Yes, sometimes there is a need. Like I said, I lack people skills but make up for it in other ways. The forum police are my god-given enemy. Smite them all to Hades. Then laugh at them while relieving myself on the dirt. Curse the snowflakes who complain about my bad example. Your safe space is made of tissue. Pardon me while I use it for my most elemental needs.
<scene>Just a scene I imagined in a video game. Bye now. Having too much fun with this.</scene>
-
So you, ivor, don't respond to direct and yes relevant questions and then chastise people for making assumptions about those questions and what silence says.
Whatever.
I have no idea what you are talking about. I suggest you cool down.
You suggest I cool down from that?
Wow, these requests for clarification of statements in the official blog must really be hitting some nerves.
-
I think you should stop. There's no need to insult others or be passive aggressive. Jailer and BlueKobold have the right to participate in this discussion just as you do. I happen to agree with them, no need to be rude about it.
-
I think it's time to lock this thread. I did my best to keep it open for discussion; however, certain individuals do not appreciate that and would rather go off-topic. Thanks Jailer and BlueKobold (and a few others) for trying to help! :)