pfSense to require AES-NI from 2.5: how it affects you
September 08, 2017

pfSense Logo

March 2019 update - pfSense 2.5 will no longer require AES-NI.

Earlier this year Netgate - the maintainers of pfSense, the popular open source firewall/router distribution based on FreeBSD - announced that they would be dropping support for CPUs without AES-NI starting from version 2.5.

AES-NI is an extension to the x86 instruction set used to hardware-accelerate AES encryption and decryption.

Desktop CPUs have supported AES-NI for several years, though the lower power consumption Atom and Celeron CPUs used in many Mini-ITX boards and appliances have not until more recently.

Netgate plan to remove the monolithic PHP layer in pfSense 3.0 altogether and expose the configuration instead as a REST API. An all-new javascript based GUI will talk to the back-end of the local device or to a cloud-based back-end to orchestrate (potentially) multiple instances. This will absolutely require strong end-to-end encryption. When AES is implemented in software it is much more susceptible to side-channel attacks. From this point of view it makes a lot of sense to reduce the risk of thousands of pfSense instances being compromised.

How does this affect my existing Mini-ITX pfSense Firewall?

It won't, unless you want to upgrade. If your CPU has AES-NI, you can continue upgrading to 2.5 and beyond. If your CPU does not support AES-NI then you will be able to go no further than 2.4, which will still be available for download. Support for 2.4 will continue for many months afterwards and of course your firewall will continue to function, though without any features introduced from 2.5 onwards.

If your motherboard has a CPU from the following list it has AES-NI:
N3050, N3150, N3160, N3350, N3450 and later

If your motherboard has a CPU from this list it does NOT have AES-NI:
D510, D525, D2550, N2600, N2800, 845, 1047, J1800, J1900, N2807, N2930

If you don't know your CPU type it will show in your pfSense dashboard. We can't list every CPU here. Intel owners can check on ARK whether their processor supports AES-NI: type "ark" followed by the CPU name into Google and look for "AES" on the first resulting page. AMD owners may want to try their luck with cpu-world.com

When will this happen?

At the time of writing, 2.3.4 is still the official release and later versions are still in beta. pfSense 2.5 will be built on FreeBSD 12 - which won't be released until early/mid 2018. A pfSense 2.5 release is most likely much later in 2018.

Are there any alternatives to pfSense?

There are many. VyOS, Untangle, IPFire, Sophos UTM, ZeroShell, Shorewall, DDR-WRT to name but a few... or plain old IPTables.

Links:
pfSense 2.5 AES-NI announcement and Roadmap
Relevant comment thread on reddit

Store Links:
Mini PCs we supply that support AES-NI
Motherboards we supply that support AES-NI

m Permalink | mini-link

Recent Stories

AMD announce Ryzen 4000 "G " Series with Integrated Graphics 21 Jul 20
ASRock built a Mini-ITX sized RX 570 with Thunderbolt 3 11 Jun 19
ASRock fills out range of 8th Gen Core Intel 'Coffee Lake' Mini-ITX boards 26 Apr 18
Intel Atom C3958 gets benchmarked on GIGABYTE's MA10 motherboard 09 Oct 17
Intels next generation NUCs 29 Sep 17
ZOTAC introduces two new ZBOX Mini PCs 14 Sep 17
pfSense to require AES-NI from 2.5: how it affects you 08 Sep 17
Gigabyte's GTX 1080 Mini ITX OC 8G Graphics Card 06 Sep 17
ASRock launches DeskMini GTX/RX mini PC with GTX 1080 05 Sep 17
Gigabyte's Denverton MA10 Mini-ITX motherboards 05 Sep 17

News Archives

July 2020
Full Archive

* Back to Mini-ITX.com *

/div>