pfsense 2.4.4 with AES-NI, no difference?



  • Hello,
    So I've got a pfsense box running on a Super Micro A1SAi-2550F with the Atom C2550 cpu, which supports AES-NI.

    I've recently purchased NordVPN, and one of the things I'm noticing is very long "pauses" in all internet traffic while the vpn is active (this doesn't happen when the vpn is disabled).

    I'm trying to optimize my pfsense (2.4.4) setup to make sure it's taking advantage of the hardware where possible.

    So one of the things I thought I'd try is enabling hardware en/decryption using the AES-NI function.
    I found this article:
    https://www.netgate.com/docs/pfsense/hardware/cryptographic-accelerator-support.html

    Which says I can run the following commands and see results with and without hardware acceleration:

    openssl speed -evp aes-128-cbc (without):
    Doing aes-128-cbc for 3s on 16 size blocks: 656390 aes-128-cbc's in 0.58s
    Doing aes-128-cbc for 3s on 64 size blocks: 631111 aes-128-cbc's in 0.46s
    Doing aes-128-cbc for 3s on 256 size blocks: 549567 aes-128-cbc's in 0.48s
    Doing aes-128-cbc for 3s on 1024 size blocks: 371926 aes-128-cbc's in 0.32s
    Doing aes-128-cbc for 3s on 8192 size blocks: 90283 aes-128-cbc's in 0.10s

    Then if I run:
    openssl speed -evp aes-128-cbc -engine -cryptodev (with):
    Doing aes-128-cbc for 3s on 16 size blocks: 652138 aes-128-cbc's in 0.63s
    Doing aes-128-cbc for 3s on 64 size blocks: 632779 aes-128-cbc's in 0.45s
    Doing aes-128-cbc for 3s on 256 size blocks: 550560 aes-128-cbc's in 0.39s
    Doing aes-128-cbc for 3s on 1024 size blocks: 373063 aes-128-cbc's in 0.28s
    Doing aes-128-cbc for 3s on 8192 size blocks: 90256 aes-128-cbc's in 0.04s

    As you can see, it actually seems to run slower than without it (which makes no sense at all).

    Results of my crypto support:
    /usr/bin/openssl engine -t -c
    (cryptodev) BSD cryptodev engine
    [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
    (rdrand) Intel RDRAND engine
    [RAND]
    [ available ]
    (dynamic) Dynamic engine loading support
    [ unavailable ]

    As you can see, it seems supported (NordVPN uses AES-256-CBC, which is also supported).

    I'm stumped as to why it doesn't seem to be working.



  • Hi,

    Add one more test: reboot your system, access the BIOS and see if you can disable the AES-NI hardware support.
    Test again.


  • Netgate Administrator

    It's not really a good test in current pfSense/FreeBSD. OpenSSL will use AES-NI instructions directly if they are enabled. Running through the crypto framework can actually be slower as you have found.

    Disabling AES-NI in the BIOS and repeating that should reveal it.

    Steve



  • There is a method to artificially disable the AES-NI detection of openssl by setting OPENSSL_ia32cap="~0x200000200000000" to disable AES-NI usage for testing.

    ## Automatic AES-NI detection
    $ openssl speed -elapsed -evp aes-128-cbc
    
    ## Disable AES-NI detection
    $ OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
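To make the with/without comparison concrete, here is an added example (not from this thread, pfSense or OpenSSL) that parses pasted `openssl speed` lines, computes bytes per second per block size, and flags runs whose reported time is CPU time rather than elapsed time, which is what the `-elapsed` flag above is for. It assumes the line format shown in the first post; the sample rows are copied from there.

```python
import re
from dataclasses import dataclass

# One line of `openssl speed` output, e.g.
# "Doing aes-128-cbc for 3s on 16 size blocks: 656390 aes-128-cbc's in 0.58s"
LINE_RE = re.compile(
    r"Doing (?P<algo>\S+) for (?P<wall>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<secs>[\d.]+)s"
)

@dataclass
class SpeedRow:
    algo: str
    block_size: int
    count: int
    secs: float       # the time openssl divided by: CPU time unless -elapsed was given
    wall_secs: float  # the wall-clock budget ("for 3s")

    @property
    def bytes_per_sec(self) -> float:
        return self.block_size * self.count / self.secs

    @property
    def cpu_time_only(self) -> bool:
        # Far less than the wall-clock budget means openssl reported user CPU
        # time, which varies with load and is not comparable between runs.
        return self.secs < 0.5 * self.wall_secs

def parse_speed(output: str) -> list[SpeedRow]:
    return [SpeedRow(m["algo"], int(m["size"]), int(m["count"]),
                     float(m["secs"]), float(m["wall"]))
            for m in LINE_RE.finditer(output)]

def throughput_ratio(baseline: str, candidate: str) -> dict[int, float]:
    """candidate / baseline bytes per second, keyed by block size."""
    base = {r.block_size: r.bytes_per_sec for r in parse_speed(baseline)}
    return {r.block_size: r.bytes_per_sec / base[r.block_size]
            for r in parse_speed(candidate) if r.block_size in base}

# Constructed sample: two of the rows from each run pasted in the first post.
WITHOUT = """\
Doing aes-128-cbc for 3s on 16 size blocks: 656390 aes-128-cbc's in 0.58s
Doing aes-128-cbc for 3s on 8192 size blocks: 90283 aes-128-cbc's in 0.10s
"""
WITH = """\
Doing aes-128-cbc for 3s on 16 size blocks: 652138 aes-128-cbc's in 0.63s
Doing aes-128-cbc for 3s on 8192 size blocks: 90256 aes-128-cbc's in 0.04s
"""
```

On the posted numbers the 16-byte ratio comes out below 1.0 and the 8192-byte ratio around 2.5, and every row is flagged as CPU time, so the two runs cannot be compared until repeated with `-elapsed`.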