PfSense 2.5 and AES-NI

This is quite obviously an attempt to cut out the flood of cheap embedded PCs which are ideal for pfSense and steer more sales to their own hardware. Systems such as &quot;The vault&quot; sold by protectli.com are completely adequate for the home network (I am capable of pushing &gt; 100Mbit&#x2F;s over OpenVPN at ~35% CPU). These run older celeron processors and are dirt cheap.<p>Hints:<p>1) The post implies this restriction will only be for the community (free) edition. &quot;pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI&quot;<p>2) There is zero reason to <i>require</i> AES-NI, as running with a software fallback will simply yield lower performance. Taking this option away makes no sense unless you want to encourage those who don&#x27;t pay for software support to buy your hardware, while those already paying for support are free to use their existing gear.

TL, DR: If you are building a pfSense box with an x86 chip made in the past ~7 years [1], stop reading and carry on.<p>Those of you on a power budget, and want e.g. VPN support at closer to wire speeds, you&#x27;re being advised to select a CPU with AES-NI to get hardware crypto offload. It&#x27;s great we have software crypto in the first place, but under load it&#x27;s likely to put a cap on your max throughput.<p>Kudos to pfSense&#x2F;Netgate announcing this ahead of time.<p>[1] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;AES_instruction_set#Supporting_x86_CPUs" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;AES_instruction_set#Supporting...</a>

Lots of bans going on over at &#x2F;r&#x2F;pfsense where users are asking straightforward questions and the staff are just banning them. Read the edits made to the posts there crazy....<p>Seeming more and more like this is a cash grab thing to get people to upgrade to their hardware.

Isn&#x27;t a linux headless box a great alternative to pfsense for non-commercial use? The problem here seems to be that home users now have to shell out more.<p>If you&#x27;re going to use OpenVPN and other common software, why not just move to linux side of things? It seems that for home use you wouldn&#x27;t need any enterprise grade software which I feel is the big advantage of pfSense. Sure pf is great but iptables isn&#x27;t terrible either.<p>I find that the BSDs are becoming increasingly reluctant to any change that goes against their principles which I sometimes find a tad misplaced.

I have to say, the way that the pfense team is handling it, and the moderators over on reddit, while I had been considering using it, I think I&#x27;ll use ubiquiti when I upgrade the network

Sounds like a move to sell more hardware. My pfsense barely does any crypto. This will push me over to openbsd.

If I had to guess, I&#x27;d say Netgate is working on an SD-WAN service of sorts. Many players in this market are displacing the edge firewall, and offering a built-in service of their own or in partnership with a third-party might be a smart move.

I look after a pfsense box for a school on a 9 year old E2200 that is obsolete by this.<p>On one hand I cannot complain because the server is 9 years old and lasted well, but on the other hand, why not an option for those just needing a packet filter to bypass this?<p>Am I missing something?

This is a real shame. I am going to have to find a different solution, as it turns out that pfSense is one of those projects that happily moves on without you, and I just can&#x27;t understand why.<p>My Atom board has been perfect, but there is no hardware upgrade option.<p>I guess I&#x27;ll have to find another project. And, yes, I used to recommend this project to everyone I know, even donated. Oh, well.

A further attempt at explanation. I&#x27;ll probably clean this up and write another blog post.<p><a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;PFSENSE&#x2F;comments&#x2F;68nd6y&#x2F;pfsense_25_and_aesni&#x2F;dh0qi53&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;PFSENSE&#x2F;comments&#x2F;68nd6y&#x2F;pfsense_25_...</a>

This may be a good time to try a new relative open source product. OPNSense is a fork of PFSense with some philosophical and practical differences. Here are some notes on what and why <a href="https:&#x2F;&#x2F;docs.opnsense.org&#x2F;fork&#x2F;thefork.html" rel="nofollow">https:&#x2F;&#x2F;docs.opnsense.org&#x2F;fork&#x2F;thefork.html</a>

I was just banned from the pfSense subreddit for arguing about this change. <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;1051KOl.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;1051KOl.png</a><p>My comments are visible here: <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;8oZVSJO.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;8oZVSJO.png</a><p>Lovely. Due to this behaviour by pfSense employees I no longer want to use pfSense. Had no issues with the software and was considering purchasing their hardware.<p>Not any more.<p>archived view of the thread: <a href="https:&#x2F;&#x2F;archive.fo&#x2F;pBoAY" rel="nofollow">https:&#x2F;&#x2F;archive.fo&#x2F;pBoAY</a>