pfSense to require AES-NI from 2.5: how it affects you
September 08, 2017
March 2019 update - pfSense 2.5 will no longer require AES-NI.
Earlier this year Netgate - the maintainers of pfSense, the popular open source firewall/router distribution based on FreeBSD - announced that they would be dropping support for CPUs without AES-NI starting from version 2.5.
AES-NI is an extension to the x86 instruction set used to hardware-accelerate AES encryption and decryption.
Desktop CPUs have supported AES-NI for several years, though the lower power consumption Atom and Celeron CPUs used in many Mini-ITX boards and appliances have not until more recently.
How does this affect my existing Mini-ITX pfSense Firewall?
It won't, unless you want to upgrade. If your CPU has AES-NI, you can continue upgrading to 2.5 and beyond. If your CPU does not support AES-NI then you will be able to go no further than 2.4, which will still be available for download. Support for 2.4 will continue for many months afterwards and of course your firewall will continue to function, though without any features introduced from 2.5 onwards.
If your motherboard has a CPU from the following list it has AES-NI:
N3050, N3150, N3160, N3350, N3450 and later
If your motherboard has a CPU from this list it does NOT have AES-NI:
D510, D525, D2550, N2600, N2800, 845, 1047, J1800, J1900, N2807, N2930
If you don't know your CPU type it will show in your pfSense dashboard. We can't list every CPU here. Intel owners can check on ARK whether their processor supports AES-NI: type "ark" followed by the CPU name into Google and look for "AES" on the first resulting page. AMD owners may want to try their luck with cpu-world.com
When will this happen?
At the time of writing, 2.3.4 is still the official release and later versions are still in beta. pfSense 2.5 will be built on FreeBSD 12 - which won't be released until early/mid 2018. A pfSense 2.5 release is most likely much later in 2018.
Are there any alternatives to pfSense?
There are many. VyOS, Untangle, IPFire, Sophos UTM, ZeroShell, Shorewall, DDR-WRT to name but a few... or plain old IPTables.
pfSense 2.5 AES-NI announcement and Roadmap
Relevant comment thread on reddit
Mini PCs we supply that support AES-NI
Motherboards we supply that support AES-NI
ASRock built a Mini-ITX sized RX 570 with Thunderbolt 3 11 Jun 19
ASRock fills out range of 8th Gen Core Intel 'Coffee Lake' Mini-ITX boards 26 Apr 18
Intel Atom C3958 gets benchmarked on GIGABYTE's MA10 motherboard 09 Oct 17
Intels next generation NUCs 29 Sep 17
ZOTAC introduces two new ZBOX Mini PCs 14 Sep 17
pfSense to require AES-NI from 2.5: how it affects you 08 Sep 17
Gigabyte's GTX 1080 Mini ITX OC 8G Graphics Card 06 Sep 17
ASRock launches DeskMini GTX/RX mini PC with GTX 1080 05 Sep 17
Gigabyte's Denverton MA10 Mini-ITX motherboards 05 Sep 17
Guide: Choosing the right DC-DC PSU 05 Sep 17
|*Advert* World's Smallest 12V DC-DC ATX|
Power Supply now at the Mini-ITX store! *Advert*
The picoPSU is now available at the Mini-ITX.com Online Store. We serve the UK, Europe, USA and beyond. Order in-stock components before 7.00PM GMT and we'll ship same day!
* Back to Mini-ITX.com *