Netgate Discussion Forum

    pfSense 2.5.0 will not require AES-NI

    Category: Off-Topic & Non-Support Discussion
    16 Posts, 8 Posters, 10.7k Views
    • R Offline
      Ragtag_fleet
      last edited by

      There is great news, or at least a bit of a lifeline and extension for non-AES-NI hardware, as 2.5.0 will not require hardware AES-NI or equivalent support, based on Netgate's development snapshot announcement:

      The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.

      Source: https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html

      Original announcements on pfSense 2.5 and AES-NI:
      https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html
      https://www.netgate.com/blog/more-on-aes-ni.html

      Great to see pfSense team and Netgate listening to the community and modifying their approach!

      • JeGrJ Offline
        JeGr LAYER 8 Moderator
        last edited by

        @Ragtag_fleet said in pfSense 2.5.0 will not require AES-NI:

        Great to see pfSense team and Netgate listening to the community and modifying their approach!

        Sorry, but that's nonsense. It has nothing to do with "listening to the community". It is, as you cited, simply a matter of the planned RESTCONF API not coming with 2.5.0 because of the work that has to go into porting pfSense to FreeBSD 12, etc.
        I won't say that for some small group it won't come in handy, but really: come on. AES-NI is old news and any halfway current CPU should have no problem with it. It was introduced in 2008, so I'm sorry, but I never ever understood that artificial outcry, as that was announced almost 2 years ago. So even if they actually had that requirement now, with the 2.5 release not even on the near horizon, that would make it roughly 3 years from telling the community until the real introduction, which now is even further postponed. Every business I know plans for ~3 to max 5 years. Afterwards it's new hardware. Even at home it's around 5-7 years normally. So a 10-year-old CPU instruction set becoming mandatory (in the future) is a problem? Sorry, I can't see the drama in there. :)

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • M Offline
          marian78
          last edited by

          For me it is a good message. I have an old, but still good for pfSense home use, HP N54L microserver with an AMD CPU that doesn't have AES-NI. Thanks for that.

          pfSense running virtualized on an HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

          • JeGrJ Offline
            JeGr LAYER 8 Moderator @marian78
            last edited by JeGr

            @marian78 said in pfSense 2.5.0 will not require AES-NI:

            For me it is a good message. I have an old, but still good for pfSense home use, HP N54L microserver with an AMD CPU that doesn't have AES-NI. Thanks for that.

            Don't get me wrong, if you already have hardware and can use it a little while longer: have fun, and happiness to you. May it last long :)
            But I simply don't get the attitude of "Yeah, they dropped the required AES-NI BS, now let's buy some dirt-cheap decade-old crap for $5, run it to death for another 10 years and cry a river when that requirement comes back later, because you 'just bought new hardware' et al." Totally can't make heads or tails of it 😵
            Looking for a new box/VM/anything in 2019/2020, I'd get some decent thing and be done with it. Saves so much time and headaches later on :)

            • Raffi_R Offline
              Raffi_
              last edited by

              I actually like the new AES-NI requirement that's coming down the road. Aside from the obvious benefits of better performance and security, it gives me an excuse to change out our old hardware in the office. If I were a home user, yeah, I probably wouldn't want to change out my hardware unless it's needed. Would I be mad about it? No. pfSense is free and awesome. New hardware is going to cost money, but pfSense has more than paid for itself already compared to some alternatives.

              • R Offline
                Ragtag_fleet @JeGr
                last edited by

                @JeGr I understand the benefits of AES-NI, but for most users, and especially home users, a non-AES-NI option would be great. Users will continue to use non-AES-NI CPUs if they have them, or might even buy them now, but there are plenty of alternatives if they want to go down that route. I think pfSense is a great tool; sad to see it might go down a path that might not be up to everyone's needs :(

                • JeGrJ Offline
                  JeGr LAYER 8 Moderator @Ragtag_fleet
                  last edited by

                  @Ragtag_fleet I beg to differ. It has already been clearly stated why the need for AES-NI is beyond just "useful". It's just a thing in the minds of most people that this only has something to do with "crypto" thingies and VPN stuff. If it were more widely known and accepted that the things AES-NI does and can do not only accelerate crypto "thingies" but protect against CPU "baddies" too, coupled with more and more "mishaps" like Spectre and Meltdown happening, my hope is that people will grasp that this requirement comes from making communication and other tasks more secure, and not only from "just making VPNs faster".

                  With that in mind, while buying new hardware in 2019 it should a) be a no-brainer and b) come to most as not that expensive, as even the small(est) SoCs can already handle AES-NI. :)

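A practitioner following this thread will want to confirm whether a given box actually has the instructions under discussion. The following is an added example, not code from the thread or from Netgate: it reads the Features2 value that FreeBSD (and therefore pfSense) prints at boot, which is the raw CPUID leaf 1 ECX register, and tests the AESNI and PCLMULQDQ bits. The sample dmesg lines are constructed; on a real box you would feed it the output of `dmesg` or the contents of `/var/run/dmesg.boot`.

```python
import re

# CPUID leaf 1, ECX feature bits (Intel SDM vol. 2 / AMD APM). FreeBSD, and so
# pfSense, prints this register at boot as "Features2=0x<hex><FLAG,FLAG,...>";
# the AESNI bit also decides whether the aesni(4) driver attaches.
CPUID1_ECX_PCLMULQDQ = 1 << 1   # carry-less multiply, used by AES-GCM (GHASH)
CPUID1_ECX_AESNI = 1 << 25      # AES-NI instruction set

FEATURES2_RE = re.compile(r"Features2=0x([0-9a-fA-F]+)")


def parse_features2(dmesg_text):
    """Return CPUID.1:ECX as an int from FreeBSD boot messages, or None if absent."""
    match = FEATURES2_RE.search(dmesg_text)
    return int(match.group(1), 16) if match else None


def aesni_status(dmesg_text):
    """Classify a host from its boot messages.

    'software-aes' hosts fall back to table-driven AES, which is slower and
    exposes key-dependent cache access patterns; AES-NI runs in constant time.
    """
    ecx = parse_features2(dmesg_text)
    if ecx is None:
        return "unknown"
    if not ecx & CPUID1_ECX_AESNI:
        return "software-aes"
    if ecx & CPUID1_ECX_PCLMULQDQ:
        return "aesni+pclmulqdq"
    return "aesni-only"


# Constructed sample boot messages (not captures from real hardware).
SAMPLE_WITH_AESNI = """\
CPU: Example x86-64 CPU (2000.00-MHz K8-class CPU)
  Features2=0x02000002<PCLMULQDQ,AESNI>
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
"""
SAMPLE_WITHOUT_AESNI = """\
CPU: Example older CPU (2200.00-MHz K8-class CPU)
  Features2=0x00002201<SSE3,SSSE3,CX16>
aesni0: No AES or SHA support.
"""

if __name__ == "__main__":
    for name, text in (("with", SAMPLE_WITH_AESNI), ("without", SAMPLE_WITHOUT_AESNI)):
        print(f"{name}: {aesni_status(text)}")
```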
                  • J Offline
                    jwt Netgate @JeGr
                    last edited by

                    @jegr Two years later (some four years after the initial announcement), and 2.5 is ready to drop.

                    Meanwhile, last year COVID happened, and WFH as a direct result. VPNs from home became much more of a requirement, and AES-NI is very useful for VPN. This seems to have covered the "but I don't use VPN from home" objection voiced by @Ragtag_fleet and many others quite effectively.

                    Hindsight is 20/20, right?

                    Oh well, who could have known? ¯\_(ツ)_/¯

                    What I learned is that no good deed goes unpunished. My attempt to let the community know of an upcoming requirement some 4 years in advance of their earliest ability to act on that requirement (and it's not like 2.4.5 just stops working) resulted in a ton of noise and pushback.

                    Far more heat than light, all because I said "if you're replacing hardware, get something that supports AES-NI".

                    I am reticent to repeat the experience.

                    • JKnottJ Online
                      JKnott @jwt
                      last edited by

                      @jwt

                      Even though I now have hardware that supports AES-NI, I'm still glad it's optional. Certainly the business end of the VPN should use it, but the user end might not require the performance improvement.

                      BTW, as per another discussion, it appears the Netgate gear with an ARM CPU doesn't support the hardware instructions. What happens with them, as they're more likely to be found in a business?

                      pfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • J Offline
                        jwt Netgate @JKnott
                        last edited by jwt

                        @jknott with 21.02, every ARM appliance we've shipped that is not EOL supports crypto offload, aka a crypto accelerator.

                        Also, the arm64 appliances we ship do support the equivalent of AES-NI instructions, but we've chosen to focus on the hw offload for now.

                        • R Offline
                          Ragtag_fleet @jwt
                          last edited by Ragtag_fleet

                          @jwt Actually, I use a VPN from a VPN provider, but I also have my work computer on which I have their corporate VPN... For me, as the user end, I still don't need the AES-NI function for my VPN use. I guess you or others use it, but it's still good to have as an option.

                          • JKnottJ Online
                            JKnott @Ragtag_fleet
                            last edited by

                            @ragtag_fleet

                            Even if you don't use a VPN, it's still a good idea to run hardware that supports those instructions. A lot of software uses encryption.

                            • R Offline
                              Ragtag_fleet @JKnott
                              last edited by

                              @jknott Yep, but only when I am looking to upgrade my equipment. ATM I don't see the need or have any bottlenecks, so for me it's not useful to upgrade to AES-NI-equipped hardware...

                              • johnpozJ Offline
                                johnpoz LAYER 8 Global Moderator @Ragtag_fleet
                                last edited by

                                And did you buy said hardware over 4 years ago?

                                Then there is nothing to see here. Now, if you bought yours, say, 3 years ago, after you had been warned well in advance that 2.5 could/would require AES-NI...

                                And now it doesn't. Hey, you dodged a bullet. But don't say you were not warned...

                                Waiting to see all the posts: "Gawd Daggit @jwt, you said I needed AES-NI, and I bought new hardware that week in prep for 2.5, which is just now coming out and doesn't need it.. WTF!"

                                "No good deed goes unpunished."

                                Words to live by for sure ;)

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                • ? Offline
                                  A Former User
                                  last edited by

                                  Just read this entire thread. That's 4 minutes of my life I'll never have back.

                                  MacOS 11 doesn't run on my Mac SE/30. Apple doesn't listen to the community. 😢

                                  • johnpozJ Offline
                                    johnpoz LAYER 8 Global Moderator @Guest
                                    last edited by

                                    Yeah, I'm about ready to write MS a nasty email (that will teach them): I can't get Windows 10 installed on my TRS-80...
