pfSense to require AES-NI from 2.5: how it affects you
September 08, 2017
Earlier this year Netgate - the maintainers of pfSense, the popular open source firewall/router distribution based on FreeBSD - announced that they would be dropping support for CPUs without AES-NI starting from version 2.5.
AES-NI is an extension to the x86 instruction set used to hardware-accelerate AES encryption and decryption.
Desktop CPUs have supported AES-NI for several years, but the lower-power Atom and Celeron CPUs used in many Mini-ITX boards and appliances gained it only more recently.
How does this affect my existing Mini-ITX pfSense Firewall?
It won't, unless you want to upgrade. If your CPU has AES-NI, you can continue upgrading to 2.5 and beyond. If your CPU does not support AES-NI then you will be able to go no further than 2.4, which will still be available for download. Support for 2.4 will continue for many months afterwards and of course your firewall will continue to function, though without any features introduced from 2.5 onwards.
If your motherboard has a CPU from the following list it has AES-NI:
N3050, N3150, N3160, N3350, N3450 and later
If your motherboard has a CPU from this list it does NOT have AES-NI:
D510, D525, D2550, N2600, N2800, 845, 1047, J1800, J1900, N2807, N2930
If you don't know your CPU type, it is shown on your pfSense dashboard. We can't list every CPU here. Intel owners can check on ARK whether their processor supports AES-NI: type "ark" followed by the CPU name into Google and look for "AES" on the first resulting page. AMD owners may want to try their luck with cpu-world.com.
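The same check can be made from the firewall's shell by reading the CPU feature listing the OS recorded at boot. This is an added example, not code from pfSense or Netgate: the function names are hypothetical, the sample listings are constructed, and it assumes the FreeBSD boot log at /var/run/dmesg.boot (or /proc/cpuinfo on a Linux box).

```shell
#!/bin/sh
# Added example: report whether the OS sees AES-NI on this CPU.

# has_aesni: reads a feature listing on stdin, succeeds if AES-NI is advertised.
#   FreeBSD boot log:  "  Features2=0x...<...,AESNI,...>"
#   Linux cpuinfo:     "flags : ... aes ..."
has_aesni() {
    grep -E -q \
        -e '^[[:space:]]*Features2=.*[<,]AESNI[,>]' \
        -e '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# cpu_model: reads the same listing on stdin, prints the CPU model string.
cpu_model() {
    sed -n -e 's/^CPU: \(.*\) ([0-9.]*-MHz.*$/\1/p' \
           -e 's/^model name[[:space:]]*: //p' | head -n 1
}

# verdict: prints "<model>: <result>" for a listing supplied on stdin.
verdict() {
    listing=$(cat)
    model=$(printf '%s\n' "$listing" | cpu_model)
    if printf '%s\n' "$listing" | has_aesni; then
        echo "${model:-unknown CPU}: AES-NI present"
    else
        echo "${model:-unknown CPU}: AES-NI not visible, 2.4 is the last usable release"
    fi
}

# Constructed sample listings (abridged, not captured from real hardware).
sample_freebsd_n3150() {
    cat <<'EOF'
CPU: Intel(R) Celeron(R) CPU N3150 @ 1.60GHz (1600.05-MHz K8-class CPU)
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>
EOF
}
sample_linux_d525() {
    cat <<'EOF'
model name : Intel(R) Atom(TM) CPU D525 @ 1.80GHz
flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 cx16 movbe lahf_lm
EOF
}

# On a live box, use the first real listing that is readable.
for f in /var/run/dmesg.boot /proc/cpuinfo; do
    if [ -r "$f" ]; then verdict < "$f"; break; fi
done
```

The listing reflects what the operating system was shown, so a virtualised firewall reports AES-NI as absent if the hypervisor does not pass the flag through to the guest.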
When will this happen?
At the time of writing, 2.3.4 is still the official release and later versions are still in beta. pfSense 2.5 will be built on FreeBSD 12 - which won't be released until early/mid 2018. A pfSense 2.5 release is most likely much later in 2018.
Are there any alternatives to pfSense?
There are many. VyOS, Untangle, IPFire, Sophos UTM, ZeroShell, Shorewall, DD-WRT to name but a few... or plain old iptables.
pfSense 2.5 AES-NI announcement and Roadmap
Relevant comment thread on reddit
Mini PCs we supply that support AES-NI
Motherboards we supply that support AES-NI