Topic: Building a pfsense router? - make sure your CPU is 64 bit and supports AES-NI

Chunkers


Was watching this video and Mark Furneaux was talking about his router hardware change-out, quite boring tbh.  He mentions the version 2.4 requirement for a 64 bit processor (which I knew) and then he mentioned something about an announcement by Netgate that forward / future compatibility with version 2.5 will require a CPU which supports AES-NI.

Jump to 56 seconds in for the good bit ...

https://youtu.be/cTYgag9pGjc?t=43


I thought this was worth highlighting as some currently popular choices e.g. Celeron may not support future updates beyond 2.4, which I think is due pretty soon. I think it's a shame personally.  I guess people who want to use old hardware will just end up using legacy versions or maybe some third party developer.

Chunks
« Last Edit: May 08, 2017, 09:19:30 PM by Chunkers »
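
A way to check a candidate box against the two requirements in this thread's title (64-bit and AES-NI), as an added example that is not part of any post. The hypothetical `cpu_verdict` function reads Linux `/proc/cpuinfo` text or FreeBSD/pfSense boot messages and matches whole feature tokens; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample texts below are constructed.

# cpu_verdict TEXT -> prints ok | no-aesni | no-64bit | neither
# TEXT is Linux /proc/cpuinfo content or FreeBSD/pfSense boot messages.
cpu_verdict() {
    # Flatten every feature list into one lowercase, space-separated list.
    feats=$(printf '%s\n' "$1" | awk '
        /^flags[ \t]*:/ { sub(/^[^:]*:/, ""); print tolower($0) }
        /Features[0-9]*=0x[0-9a-fA-F]+</ {
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s); gsub(/,/, " ", s)
            print tolower(s)
        }' | tr '\n' ' ')
    lm=no; aes=no
    # Compare whole tokens: a substring grep would accept lahf_lm or vaes.
    for f in $feats; do
        case $f in
            lm) lm=yes ;;            # long mode = 64-bit capable
            aes|aesni) aes=yes ;;    # Linux says "aes", FreeBSD says "AESNI"
        esac
    done
    case $lm$aes in
        yesyes) echo ok ;;
        yesno)  echo no-aesni ;;
        noyes)  echo no-64bit ;;
        *)      echo neither ;;
    esac
}

# Constructed Linux sample: 64-bit with AES-NI.
SAMPLE_LINUX='processor : 0
flags : fpu sse2 lm pclmulqdq sse4_2 aes lahf_lm'

# Constructed FreeBSD sample: 64-bit (LM) but no AESNI in Features2.
SAMPLE_BSD_NOAES='  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT>
  AMD Features=0x0<SYSCALL,NX,RDTSCP,LM>
  AMD Features2=0x0<LAHF,Prefetch>'

# Constructed FreeBSD sample: both requirements present.
SAMPLE_BSD_OK='  Features2=0x0<SSE3,PCLMULQDQ,SSE4.2,POPCNT,AESNI,RDRAND>
  AMD Features=0x0<SYSCALL,NX,LM>'

# Constructed lookalike: only lahf_lm and vaes tokens, neither requirement met.
SAMPLE_LOOKALIKE='flags : fpu sse2 lahf_lm vaes'
```

On a live system, pass it `"$(cat /proc/cpuinfo)"` on Linux or `"$(cat /var/run/dmesg.boot)"` on FreeBSD/pfSense.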

Chrysalis


celeron n3150 which i use is aesni :) great 10 watt cpu

thanks for the info

http://ark.intel.com/products/87258/Intel-Celeron-Processor-N3150-2M-Cache-up-to-2_08-GHz

the decision is likely to try and push netgate sales i think
« Last Edit: May 09, 2017, 11:21:39 AM by Chrysalis »

Ronski


I think there will be a lot of annoyed users,  I'm sure mine doesn't support AES-NI.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

WWWombat


Hmmm. Just when I had a pfSense box listed as one of my projects...  ::)

I started looking at the Qotom Q190G4 boxes (Celeron J1900), like @displaced, but that has no AES-NI support.
http://forum.kitz.co.uk/index.php/topic,19306.0.html

However, it looks like the Qotom Q310G4 (Celeron 3215U) has better cooling, but is otherwise similar, and is broadly the same price.
This is what I had in mind, and was close to ordering, but it has no AES-NI support either.

Their Q330G4 (Core i3-4005U) does have AES-NI support, but it comes with a £50 premium over the similar Q310G4 model.

Using @Chrys' hint about the N3150 having AES-NI support, I can see Qotom have a Q150 model series that uses it ... but it only comes with 2 LAN ports, whereas all the ones above have 4.

I don't really have a need for 4 ports at the moment. Is anyone actively using more than 2 ports at the moment?

Chunkers



I don't really have a need for 4 ports at the moment. Is anyone actively using more than 2 ports at the moment?

Mine is an AMD based board (APU2C4) which luckily enough is 64 bit and supports AES-NI but has 3 LAN ports, two are used for WAN so I just use a cheap switch ... works fine

As long as you have one port for LAN then I can't see an issue unless you are very tight on space

Chunks

Chrysalis


yeah 2 lan ports is fine just connect wan and lan and use something else as a switch, also bear in mind 2.4 isn't even released yet, it'll be a while before 2.5 is the oldest supported version

there is a asrock unit posted in my lan setup thread that has 4 intel lan ports and uses the n3160 cpu, i think i linked to thread in my sig
« Last Edit: May 09, 2017, 08:55:30 PM by Chrysalis »

BigJ



<snip>

I don't really have a need for 4 ports at the moment. Is anyone actively using more than 2 ports at the moment?

I'm using a third port to separate WiFi access from the LAN.

Off Topic EDIT: Before switching to pfSense I used IPFire for about 8 months and for my needs it was perfectly fine. I only moved to pfSense to see what all the fuss is about :) I'm now just too lazy to go back!
« Last Edit: May 14, 2017, 11:20:36 AM by BigJ »

Chrysalis


the backlash on pfsense forums caused a new explanation to be given, and people are saying they will move to opnsense.

The reasoning is the backend system for pfsense is moving to an encrypted communications model and apparently software based aes-gcm is vulnerable to side channel attacks, the pfsense lead dev did admit a workaround is to use chacha for non AESNI hardware but said a combination of making it harder for pfsense devs and that it would cause too much load on pfsense servers for remote gui access means they won't pursue that solution and the aesni requirement will remain.  One of the big features basically will be that people will be able to control their pfsense firewalls on a centralised service offered by netgate.

Ronski


No doubt requiring a monthly fee.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Chrysalis


Yes I'd be surprised if it was a completely free service.  Monetization happens to a lot of stuff.

Note that pfsense we download and install is the "community edition" :)  The one that is distributed to subscribers and pfsense hardware has some additional setup wizards but otherwise as far as I know has feature parity.

adrianw


Netgate vs Community editions
From https://forum.pfsense.org/index.php?topic=88578.0
The Amazon VPC VPN wizard is the only feature difference between the stock open source release and what ships on hardware from either store today. The primary difference for most people's purposes is that every box we sell is specifically tuned appropriately for that combination of hardware. That doesn't involve any differences in the software itself, rather how some of its tunables are configured.


Interestingly, the community and Netgate builds are apparently performed on different systems.

Number of ports
In most cases 2 ports are enough (WAN on one, LAN->switch->internal network).
At home I use 3 ports, as I had a second WAN connection and still have some gear connected.

WWWombat


In my case, the current modem/router is plugged directly into a SamKnows box, which is then plugged into a 16-port switch - so I'm really only using the one LAN port.

That router also provides WiFi, but we only use it as a backup. The main WiFi comes from a standalone AP connected into the main switch ... and if I got around to it, I could use a separate VLAN for guest SSIDs.

It's a good question as to whether I would want a separate WAN connection, though.

Does pfsense support backup 4G connectivity? If so, via USB?

adrianw


Does pfsense support backup 4G connectivity? If so, via USB?
There is a list of 3g/4g dongles known to work at https://doc.pfsense.org/index.php/Known_Working_3G-4G_Modems.

Some USB Ethernet dongles are supported, potentially allowing you to tether a phone. The very cheap one I tried worked well enough to be recognised, but was unable to see any access points. I'll probably try again at some point with better research for a suitable dongle.

A surer way, assuming you have a spare port, might be to plug in an Ethernet connected 3g/4g modem.