pfSense to require AES-NI from 2.5: how it affects you
September 08, 2017


March 2019 update - pfSense 2.5 will no longer require AES-NI.

Earlier this year Netgate - the maintainers of pfSense, the popular open source firewall/router distribution based on FreeBSD - announced that they would be dropping support for CPUs without AES-NI starting from version 2.5.

AES-NI is an extension to the x86 instruction set used to hardware-accelerate AES encryption and decryption.

Desktop CPUs have supported AES-NI for several years, but the lower-power Atom and Celeron CPUs used in many Mini-ITX boards and appliances only gained it more recently.

Netgate plan to remove the monolithic PHP layer altogether in pfSense 3.0 and expose the configuration as a REST API instead. An all-new JavaScript-based GUI will talk to the back-end of the local device or to a cloud-based back-end to orchestrate (potentially) multiple instances. This will absolutely require strong end-to-end encryption. When AES is implemented in software it is much more susceptible to side-channel attacks. From this point of view it makes a lot of sense to reduce the risk of thousands of pfSense instances being compromised.

How does this affect my existing Mini-ITX pfSense Firewall?

It won't, unless you want to upgrade. If your CPU has AES-NI, you can continue upgrading to 2.5 and beyond. If your CPU does not support AES-NI then you will be able to go no further than 2.4, which will still be available for download. Support for 2.4 will continue for many months afterwards and of course your firewall will continue to function, though without any features introduced from 2.5 onwards.

If your motherboard has a CPU from the following list it has AES-NI:
N3050, N3150, N3160, N3350, N3450 and later

If your motherboard has a CPU from this list it does NOT have AES-NI:
D510, D525, D2550, N2600, N2800, 845, 1047, J1800, J1900, N2807, N2930

If you don't know your CPU type it will show in your pfSense dashboard. We can't list every CPU here. Intel owners can check on ARK whether their processor supports AES-NI: type "ark" followed by the CPU name into Google and look for "AES" on the first resulting page. AMD owners may want to try their luck with
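The CPU's own feature flags can also be read from a shell. The script below is an added example, not from the original article or from Netgate. It assumes FreeBSD (and so pfSense) lists AESNI in the Features2 line of /var/run/dmesg.boot and that Linux lists aes in the flags line of /proc/cpuinfo; the function names and sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether the CPU advertises AES-NI.

# has_aesni: read CPU feature text on stdin; status 0 = AES-NI listed, 1 = not.
has_aesni() {
    awk '
        # FreeBSD boot log:  Features2=0x...<SSE3,...,AESNI,...>
        /Features2=/ {
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux /proc/cpuinfo:  flags : fpu vme ... aes ...
        /^flags[ \t]*:/ {
            s = $0
            sub(/^[^:]*:[ \t]*/, "", s)
            n = split(s, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# cpu_feature_text: print whichever feature source this system provides.
cpu_feature_text() {
    if [ -r /var/run/dmesg.boot ]; then
        cat /var/run/dmesg.boot      # FreeBSD, including pfSense
    elif [ -r /proc/cpuinfo ]; then
        cat /proc/cpuinfo            # Linux
    fi
}

# Constructed sample inputs (not captured from real hardware).
SAMPLE_FREEBSD_YES='  Features2=0x1<SSE3,PCLMULQDQ,SSSE3,SSE4.2,POPCNT,AESNI,RDRAND>'
SAMPLE_FREEBSD_NO='  Features2=0x1<SSE3,SSSE3,CX16,xTPR,PDCM,MOVBE>'
SAMPLE_LINUX_YES='flags : fpu vme sse sse2 ssse3 pclmulqdq aes rdrand'
# "vaes" is a decoy: only an exact "aes" token counts.
SAMPLE_LINUX_NO='flags : fpu vme sse sse2 ssse3 vaes'

if cpu_feature_text | has_aesni; then
    echo "AES-NI: advertised by this CPU"
else
    echo "AES-NI: not found in CPU feature list"
fi
```

A "not found" result means the flag is missing from the feature list the operating system recorded, so it is worth confirming against the CPU lists above before buying new hardware.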

When will this happen?

At the time of writing, 2.3.4 is still the official release and later versions are still in beta. pfSense 2.5 will be built on FreeBSD 12 - which won't be released until early/mid 2018. A pfSense 2.5 release is most likely much later in 2018.

Are there any alternatives to pfSense?

There are many. VyOS, Untangle, IPFire, Sophos UTM, ZeroShell, Shorewall, DD-WRT to name but a few... or plain old iptables.

pfSense 2.5 AES-NI announcement and Roadmap
Relevant comment thread on reddit

Store Links:
Mini PCs we supply that support AES-NI
Motherboards we supply that support AES-NI
