1) The post implies this restriction will only be for the community (free) edition.
"pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI"
2) There is zero reason to require AES-NI, as running with a software fallback will simply yield lower performance. Taking this option away makes no sense unless you want to encourage those who don't pay for software support to buy your hardware, while those already paying for support are free to use their existing gear.
This is mainly due to AES relying heavily on substitution boxes, i.e. small arrays that are indexed with secrets, which is easy to implement safely in hardware, but difficult in software that runs on a processor with caches and such.
Those of you on a power budget, and want e.g. VPN support at closer to wire speeds, you're being advised to select a CPU with AES-NI to get hardware crypto offload. It's great we have software crypto in the first place, but under load it's likely to put a cap on your max throughput.
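An added example, not from any commenter in the thread: a small POSIX shell script that checks whether the CPU advertises AES-NI (the "aes" flag in Linux /proc/cpuinfo, or "AESNI" in the Features2 line of FreeBSD's /var/run/dmesg.boot, which is what pfSense runs on) and, when invoked with --bench and OpenSSL is installed, times AES-128-GCM with the instructions on and then forced off via OpenSSL's documented OPENSSL_ia32cap mask, so the software-fallback throughput gap described above can be measured rather than guessed.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES-NI and optionally measure
# how much throughput OpenSSL loses when it is forced onto software AES.

# Return 0 if a CPU flag/feature string mentions AES-NI.
# Linux lists it as "aes" in /proc/cpuinfo; FreeBSD prints "AESNI"
# inside "Features2=0x...<...>" in its boot messages.
flags_have_aesni() {
    printf '%s\n' "$1" | tr ',<> ' '\n\n\n\n' | grep -qix -e aes -e aesni
}

# Pull the feature text from wherever this OS exposes it (empty if neither).
cpu_flag_text() {
    if [ -r /proc/cpuinfo ]; then
        grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1
    elif [ -r /var/run/dmesg.boot ]; then
        grep 'Features2=' /var/run/dmesg.boot 2>/dev/null | head -n 1
    fi
    return 0
}

# Run "openssl speed" for AES-128-GCM once normally ("hw") and once with
# OPENSSL_ia32cap=~0x200000000000000, which clears CPUID bit 57 (AES-NI)
# so OpenSSL uses its constant-time software AES instead. Prints the
# throughput summary line for the requested mode.
bench_gcm() {
    if [ "$1" = sw ]; then
        OPENSSL_ia32cap='~0x200000000000000' \
            openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
    else
        openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
    fi
}

flags=$(cpu_flag_text)
if flags_have_aesni "$flags"; then
    echo "AES-NI: present"
    if [ "${1:-}" = --bench ] && command -v openssl >/dev/null 2>&1; then
        echo "hw: $(bench_gcm hw)"
        echo "sw: $(bench_gcm sw)"
    fi
else
    echo "AES-NI: not advertised (does not meet the pfSense CE 2.5 requirement quoted above)"
fi
```

Run it as `sh aesni-check.sh --bench` on the box in question; the two summary lines show bytes per second per block size with hardware AES and with the software fallback.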
Kudos to pfSense/Netgate announcing this ahead of time.
Intel started in 2010 with Westmere, but kept it out of the lower-end models like Pentium, Celeron, and i3 for several generations. Only since Skylake (2015) is it included in every model produced from a supporting architecture. At least for Intel processors, the generalization above, absent other disclaimers, does not apply.
Actual lookup tables are linked in other posts like this one.
In addition, the Netgate SG-2220 uses an Atom C2338, which was susceptible to the LPC bus failure. So as of right now, I would also be extremely hesitant to purchase the Netgate SG-2220 without some sort of assurance that the router I got is not affected by it.
EDIT: Interestingly enough, someone from Netgate said that the PC Engines APU is unaffected: https://www.reddit.com/r/PFSENSE/comments/68nd6y/pfsense_25_...
EDIT2: Seems they edited that, the APU1d won't be compatible.
Do newer, but still cheap CPUs work with AES-NI?
However, the poor I/O capabilities of most/all toy SoCs rule use as a high-bandwidth router out; you can't do Gigabit routing with just one built-in MAC and the other connected to a USB 2.0 port or somesuch.
It sells for $49 on Amazon. https://www.amazon.com/dp/B06Y3V2FBK
AES-GCM runs quite well on ARMv8:
We have a 3 port ARM board (one port has a switch on it) being announced on Thursday.
I'm certainly not ruling anything out. I simply want to be able to get a working PFSense instance up and running.
Seeming more and more like this is a cash grab thing to get people to upgrade to their hardware.
You told me to "Chill for 30 days". Maybe you need to chill instead of damaging your brand by lashing out at people?
Was there a third user you banned?
If you're going to use OpenVPN and other common software, why not just move to the Linux side of things? It seems that for home use you wouldn't need any enterprise grade software, which I feel is the big advantage of pfSense. Sure pf is great, but iptables isn't terrible either.
I find that the BSDs are becoming increasingly reluctant to any change that goes against their principles which I sometimes find a tad misplaced.
> I find that the BSDs are becoming increasingly reluctant to
> any change that goes against their principles which I
> sometimes find a tad misplaced.
Running a properly configured, headless linux box as a firewall would indeed be a fine choice for those technically capable, similarly so would a FreeBSD or OpenBSD install.
If things are completely the same from a management/security perspective, then I'd be wrong, but it does make a difference when it comes to management, updates, compatibility, etc.
Your definition of technically capable is a bit vague. What can a technically capable user do? It can vary from barely being able to use the cli and minimal understanding of basic networking, to being able to compile/tune the kernel by themselves and write drivers in case they are missing.
“in order to support the increased cryptographic loads that we see as part of pfSense version 2.5, pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI”
You may disagree with that but it's intellectually dishonest to argue as if they didn't provide clear, technically defensible rationale, especially at a time when much of the industry has been moving to hardware offload.
Since we don't even attempt same, my point stands.
This really feels like a long con to get people to upgrade their hardware to a pfSense unit.
Edit: /s ... ?!
Why are you surprised? If you are trying to make a point that AES-NI is common, just say so. Trying to do so by saying the opposite and expecting people will pick up on the sarcasm through a pure text medium without necessarily sharing the same knowledge to know whether that statement is true or not just adds confusion to the conversation.
The point itself is useful, but the manner in which you expressed it emphasizes the delivery over the content, to the degree the content is sometimes obscured.
My desktop and laptop have them and they're mid-high end but not upper high end.
With AES-NI: http://ark.intel.com/Search/FeatureFilter?productType=proces...
Both are smart strategies and well within your core competency. As long as you're not building your own SD-WAN service you're golden.
Thanks! Running our own SD-WAN service seems a lot like opening a cute little coffee shop: A fine way to spend a lot of money with no result.
There is a third option, which is also customer-centric: Allow the customer to run their own SD-WAN.
My Atom board has been perfect, but there is no hardware upgrade option.
I guess I'll have to find another project. And, yes, I used to recommend this project to everyone I know, even donated. Oh, well.
On one hand I cannot complain because the server is 9 years old and lasted well, but on the other hand, why not an option for those just needing a packet filter to bypass this?
Am I missing something?
I guess I might still use pfSense when I need a _firewall_. I'd immediately grab VyOS whenever I need a router. Both can do routing and firewalling, though.
- code theft
- copyright abuse
- attempt to steal pfSense trademark in Europe
- toxic project members who publicly attack anyone who dares to point out issues (including assault on all major pfSense developers).
- hiding serious vulnerabilities
- downplaying serious vulnerabilities
Oh yes, that's a very different project. I documented most of it here https://www.reddit.com/r/OPNscam/
My comments are visible here: https://i.imgur.com/8oZVSJO.png
Lovely. Due to this behaviour by pfSense employees I no longer want to use pfSense. Had no issues with the software and was considering purchasing their hardware.
Not any more.
archived view of the thread: https://archive.fo/pBoAY
We detached this subthread from https://news.ycombinator.com/item?id=14240207 and marked it off-topic.
Their employees are majorly tripping. I asked them a simple question: why do we need AES-NI hardware crypto if we don't use VPNs or anything that uses AES? And he refused to answer and then banned me.
Honestly I do not want to use it anymore and I shan't be recommending it anymore to anyone.
You don't gain anything by further antagonizing users at this point. And from your stance here - you don't actually want these people as users, correct? Essentially you've decided that these users are so-called "devil customers" - they're not profitable and you want them out of your clientele.
That's why you're essentially hardforking away from their hardware. So their opinions are no longer relevant to you, are they? As such this is literally a no-win move for you, the only thing it can do is hurt your business's image.
Just walk away, this isn't a good look for you guys.
Here it is: https://i.imgur.com/FlF8E1Q.png
You deleted your own posts. This is the archive of some of them: https://archive.fo/pBoAY
I don't have an archive of the deeper posts, but they weren't particularly pleasant.
We detached this comment from https://news.ycombinator.com/item?id=14242458 and marked it off-topic.