pfsense 2.5 May Require Hardware Upgrade

Right now - pfSense has the SG-1000 - which is a really nice little Cortex-A8 box -- it really is...

But if what I've been finding is right the Cortex-A8 won't support AES-NI or is my understanding wrong? The way I understand it, it has to be at least an A10?

I ask because for the last couple of months or so I've been looking for an old computer to try pfSense on. I don't necessarily mind spending money on such a project, and I've SERIOUSLY considered building a box from the ground up, but I don't want to spend the money and next year lose support for it...

I've also considered buying that SG-1000 as well, but if it isn't going to support AES-NI like they're going to require I'll probably just save up a little more and build a box with a processor that'll future proof the project, which is what I'm really leaning towards. I want to use it as the primary router and branch off 2 for sure and maybe 3 sub-nets all the while maintaining a VPN tunnel for those sub-nets, so I need a processor that can handle the load without taking too much of a loss on my overall bandwidth availability for said sub-nets. It's not a major load, just 3 computers, 2 phones, a streaming box, 2 smart TVs, and 1 of the sub-nets is dedicated for IoT duty so it doesn't really need a VPN but would be routed through by default. I also have plans to eventually set it up to access my NAS while away from home at some point and I want that traffic routed through the VPN.

Right now I have PIA on an ASUS router that is one of my sub-nets and because of the hit I take on bandwidth using a VPN on a router, the other sub-net's computer (my computer) pulls VPN duty when needed for Torrents. The computer handles VPN duty much better than the router as I'm sure you know; even downloading large torrent files all the while surfing the internet there are no page loading issues and the torrents' DL speed doesn't even suffer.

I want to use pfSense but with this new announcement I've just been trying to figure out which direction to go.
 
My appliance is less than 1 year old. After the purchase, I was reviewing the settings and saw the AES-NI setting. I asked the seller if my appliance supported it as I am always looking for a way to improve OpenVPN performance. He said "no, the CPU does not support it" and that AES-NI was not required for a home user. Primary use case is business with thousands of users. Now, I find out the future release of pfSense will only run on AES-NI supported CPUs so soon after my purchase, which makes me upset. I guess I will get a few more years out of it without being able to upgrade it then. Otherwise, the wife will get upset with me for spending money on a new router.
 
But if what I've been finding is right the Cortex-A8 won't support AES-NI or is my understanding wrong? The way I understand it, it has to be at least an A10?

The TI Sitara chip in the SG-1000 has a hardware crypto accelerator - it's not enabled yet, pending a driver update in the BSD layers - there's an open issue on their bug tracker and it is assigned to a developer.
 
My pfSense appliance CPU specs are:

Intel(R) Atom(TM) CPU D525 @ 1.80GHz 4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads

I purchased the appliance from a pfSense partner in Bangkok last July. My contact there informed me that my CPU does not support AES-NI. It started on the Atom Z3460. And that I could not swap out the CPU. Does that sound correct? @sfx2000 ?

The D525 is soldered down unfortunately...
 
My appliance is less than 1 year old. After the purchase, I was reviewing the settings and saw the AES-NI setting

The SG-2440 in your sigfile will be fine - HW support is there for AES-NI there
 
The SG-2440 in your sigfile will be fine - HW support is there for AES-NI there

There is a saying us expats have learned over time that live in Thailand called TIT. TIT stands for This is Thailand. So when things don't go quite like we expect them to go, or compare how things "should" work based on USA standards, we shrug our shoulders and say "well, TIT". One must learn not to get too upset about it. Or, one can tend to focus on the nuances which can take away from the many positive things there are about living here. My appliance was purchased at a pfSense partner in Bangkok. So even if my appliance looks and smells like a SG-2440, and was built by a certified pfSense partner, the CPU is not the same as on the pfSense website https://store.pfsense.org/SG-2440/. It is the ATOM D525 which does not support AES-NI. Well, TIT! ;)
 
The TI Sitara chip in the SG-1000 has a hardware crypto accelerator - it's not enabled yet, pending a driver update in the BSD layers - there's an open issue on their bug tracker and it is assigned to a developer.

So then the crypto accelerator would handle AES-NI when the time comes? If so I may just go ahead and buy the SG-1000...
 
I have slept on the idea of a hardware upgrade and might come around. I have been running a Xeon processor for 10 years. It was an old true Intel medium level server motherboard with high speed buses for the built-in NICs. I only run one processor which is a low voltage processor to keep the power usage down. I don't know what it would take to come up with a AES-NI version. But I may start looking in a couple of years. I will try to buy a used old server motherboard and mount it in my rack system.

Untangle may be an option for me since it will run on my old hardware. It is a little slower than pfsense and I do like the speed of pfsense. I also like pfsense support being a time server for my network.

So I guess we will have to see how streamlined and fast the code becomes when they start using AES-NI built-in. Is it going to be a lot faster to support the high speed fiber pipes which are becoming available? It may warrant the expense for new hardware.

ATT contractors were installing fiber down my street last week. Maybe in 2 years I can install fiber.
 
So then the crypto accelerator would handle AES-NI when the time comes? If so I may just go ahead and buy the SG-1000...

To be honest - it's really up to the pfSense folks - but they seem to have a focus on ARM - and the ARM's they chose - TI Sitara and Marvell Armada 38x - these both have crypto-accelerators for AES...

They're decent choices... and good performers in Linux - but even there, depends on some driver support.

But I'll caution - ADI/Netgate/pfSense - they talked much about Intel QuickAssist with the Rangeley boxes - and at the end of the day - QAT 1.5 isn't going to be supported in pfSense due to a lack of support in FreeBSD, and no upstream interest in doing so... both with Intel and FreeBSD core...

C3000 and the QAT PCI cards, along with Xeon-D and later, perhaps as they support QAT 1.6.

To be clear, as far as I understand - X86-64 with AES-NI extensions is where 2.5 is headed...

2.4 kills off the 32-bit Intel chips, as X86-64 there is required...

Where ARM is - hmmm... one can look at the SG-1000, or the upcoming Armada box, but like I mentioned earlier, they might hit a brick wall at some point. I really do appreciate their taking on the ARM arch - but looking at where they're going with Intel, they probably should be going with ARMv8/Aarch64 up front...
 
I have slept on the idea of a hardware upgrade and might come around. I have been running a Xeon processor for 10 years. It was an old true Intel medium level server motherboard with high speed buses for the built-in NICs. I only run one processor which is a low voltage processor to keep the power usage down. I don't know what it would take to come up with a AES-NI version. But I may start looking in a couple of years. I will try to buy a used old server motherboard and mount it in my rack system.

Intel has had AES-NI since Sandy Bridge on the desktop - Westmere-EP/Clarkdale/Arrandale - which goes back a long time on the Xeons... HP's DL380 G7, which dates back to 2011, or Dell's R710... AES-NI was there, but many folks disabled it in BIOS/UEFI, so check...

If not in the BIOS/UEFI that is current, then you might consider replacing an archaic Xeon with something a bit newer - not just for AES-NI, but just to be more power efficient and decom that old space heater...
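As an added example that is not part of the thread: a small POSIX sh script to check whether the OS actually exposes AES-NI, reading the Linux /proc/cpuinfo "flags" line or the FreeBSD/pfSense /var/run/dmesg.boot "Features2" line. The sample feature dumps it writes are constructed for an offline run, not real captures; a missing flag means either the CPU lacks AES-NI or it is switched off in BIOS/UEFI, which is exactly the case worth checking.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Reports whether the OS exposes AES-NI. Linux lists "aes" on the
# /proc/cpuinfo "flags" line; FreeBSD/pfSense lists "AESNI" inside the
# "Features2=0x...<...>" line of /var/run/dmesg.boot. When AES-NI is
# disabled in BIOS/UEFI the flag is simply absent, so "no" means
# "unsupported or disabled", not necessarily "this CPU cannot do it".

# detect_aesni [file]: prints yes/no; reads the live system when no file is given.
detect_aesni() {
    src="$1"
    if [ -z "$src" ]; then
        if [ -r /proc/cpuinfo ]; then src=/proc/cpuinfo
        elif [ -r /var/run/dmesg.boot ]; then src=/var/run/dmesg.boot
        else echo "no CPU feature source found" >&2; return 2; fi
    fi
    # Linux: a whitespace-delimited "aes" token (not "vaes", not part of another word).
    # FreeBSD: an "AESNI" token inside the angle brackets of the Features2 line.
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$src" \
       || grep -Eq 'Features2=0x[0-9a-fA-F]+<([^>]*,)?AESNI(,[^>]*)?>' "$src"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# write_samples dir: constructed feature dumps (hex values and flag lists are
# illustrative, not real captures) so the check can be exercised offline.
write_samples() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 sse4_2 aes avx\n' > "$1/linux_aesni"
    # A D525-class Atom: SSSE3 and HT but no aes flag, as the thread describes.
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 ht\n' > "$1/linux_no_aesni"
    printf 'CPU: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz (2400.05-MHz K8-class CPU)\n  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>\n' > "$1/bsd_aesni"
    printf 'CPU: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (1800.01-MHz 686-class CPU)\n  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>\n' > "$1/bsd_no_aesni"
}

# Run against the live system (or a file given as the first argument).
detect_aesni "${1:-}" || true
```

On pfSense itself the dashboard's System Information widget reports the same thing as "AES-NI CPU Crypto"; if it says No on a Westmere-or-later Xeon, look for the AES-NI toggle in BIOS/UEFI before assuming the CPU lacks it.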
 
So I guess we will have to see how streamlined and fast the code becomes

Reading into pfsense's rationale - it's not about speed, it's about security - and the development code paths to ensure it in the middleware between the front-end and the backend...
 
There is a saying us expats have learned over time that live in Thailand called TIT. TIT stands for This is Thailand.

Having spent a couple of years in East Asia in my youth - I get it - it's a different way of doing business...

Not just Thailand...
 
Intel has had AES-NI since Sandy Bridge on the desktop - Westmere-EP/Clarkdale/Arrandale - which goes back a long time on the Xeons... HP's DL380 G7, which dates back to 2011, or Dell's R710... AES-NI was there, but many folks disabled it in BIOS/UEFI, so check...

If not in the BIOS/UEFI that is current, then you might consider replacing an archaic Xeon with something a bit newer - not just for AES-NI, but just to be more power efficient and decom that old space heater...

My Xeon processor was hand picked by me. They were low voltage in their time and ran on blade servers. They cost $600 new in their day. I think I paid $50 used later. You can buy one now for $14. The problem with Xeons today for router software is there are too many slow cores which are unneeded. A faster 2 core is perfect for router software, whereas a slower multi core is not as good. I don't believe Intel makes any newer fast dual cores in Xeon processors today; that is a thing of the past. So upgrading is not as easy today or tomorrow as in the past for pfsense.
 
Reading into pfsense's rationale - it's not about speed, it's about security - and the development code paths to ensure it in the middleware between the front-end and the backend...

I think having the code in hardware is always faster than running software. Security wise we will have to see as there have been a few problems with some of Intel's code like this.
 
I don't believe Intel makes any newer fast dual cores in Xeon processors today; that is a thing of the past. So upgrading is not as easy today or tomorrow as in the past for pfsense.

Yes and no - there are Xeon-D boards for less than $500 for an initial buildup...

Checking on Newegg... ASRock D1521D4I Mini ITX Server Motherboard FCBGA1667 Soc

2 Intel GBe, and a dedicated IPMI... could be interesting... and fairly low power compared to an old 1U/2U Xeon box...
 
Yes and no - there are Xeon-D boards for less than $500 for an initial buildup...

Checking on Newegg... ASRock D1521D4I Mini ITX Server Motherboard FCBGA1667 Soc

2 Intel GBe, and a dedicated IPMI... could be interesting... and fairly low power compared to an old 1U/2U Xeon box...

The other thing which I think is important is the bus channels for the built-in NICs. The higher end server boards have better buses and we all know router software is all about IO. I don't think the entry level server boards have high speed buses. They are reserved more for the mid-level and high-level server boards. They all will work for my home but I hate lag.
 
The other thing which I think is important is the bus channels for the built-in NICs. The higher end server boards have better buses and we all know router software is all about IO

So are servers - which is why I mentioned this board...

Hehe - present company included - most pfSense users these days - we do tend to overbuild ;)
 
It seems like a nice small home built pfsense machine. I guess they are trying to compete with the small commercial router boxes for sale. I am not sure it has AES-NI. What I want is a rack mount machine since I have a rack in the closet. It may burn a few watts more but I don't think I care other than buying a low voltage CPU. It is the way I have been doing it for years. I really like what I have but it does not support AES-NI.
 