PfSense Teases Encryption For Version 2.5

Schtask

Limp Gawd
Joined
Nov 29, 2011
Messages
436
PfSense has just released updated hardware requirements for future versions of the company's software. For those not in the know, pfSense is an open source firewall computer software distribution that is built upon FreeBSD. Instead of specialized and costly equipment, pfSense is installed on a physical computer or a virtual machine to make a dedicated firewall for a network. PfSense can also be used to create a DHCP server, DNS server, Router, or VPN endpoint. Personally, I like to set it up with Snort and supplement my Yara addiction.
 
Joined
Feb 3, 2008
Messages
665
Aww man my E8400 does not have AES-NI. It did so well as a pfsense CPU. I am currently on a 75/75 connection and said CPU entertains two 100MBps NICs. I suppose I should move up to Gigabit and an AES-NI CPU. Any suggestions from the crowd? This will be a standalone basement machine sort of thing.

Really nice to see [H] highlighting this, I think there are a lot of pfsense nerds out there.
 

Schtask

Limp Gawd
Joined
Nov 29, 2011
Messages
436
Aww man my E8400 does not have AES-NI. It did so well as a pfsense CPU. I am currently on a 75/75 connection and said CPU entertains two 100MBps NICs. I suppose I should move up to Gigabit and an AES-NI CPU. Any suggestions from the crowd? This will be a standalone basement machine sort of thing.

Really nice to see [H] highlighting this, I think there are a lot of pfsense nerds out there.

Noted. Several members of the [H] staff are fans of their work. We'll see what we can do. :)
 

Trimlock

[H]F Junkie
Joined
Sep 23, 2005
Messages
15,228
I'm going to have to upgrade my celeron to get this. Totally worth it though.
 

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,200
Funny thing, I bought an AM1 board and processor to run my pfSense box at home. Cheap, low power processor, that in most tasks is probably quite a bit less powerful than many pfSense boxes that will not be able to handle the upgrade due to the requirements. But this little champ will, as AMD enabled AES-NI in this little processor that could!

Now, if they could only make mobile client IPSEC VPN setup a little more straightforward.
 

ruffbytes

Limp Gawd
Joined
Oct 22, 2015
Messages
447
Pfsense is awesome! We also will have to upgrade our little boxes to support this upgrade, but it sounds extremely cool!
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,815
The updated blog post at the bottom explains why. They plan on removing PHP in favor of RESTCONF to connect the web to the back end, and they needed to have a way to keep that secure. There are also plans to allow the front end to exist in the cloud so you can manage many servers at a time, which I'd guess is probably the biggest driver for this since single machine performance isn't as big of a deal as 1,000s of machines is.
 

Stugots

Supreme [H]ardness
Joined
Feb 25, 2004
Messages
6,991
I'm really looking forward to the new release. Running pfSense on a PCEngines APU2.
 

grtitan

Telemetry is Spying on ME!
Joined
Mar 18, 2011
Messages
1,266
I'm debating the following. Currently I am running Merlin/vortex in an R7000 and obtained a free optiplex 7010.

The dell idles at 40w(kw?) and the r7000 at 6 or so.

Given that where I live the dell will cost me around 5 bucks a month in electricity and the r7000 around 1 buck a month, which one should I keep?
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
I hope they keep putting out security updates at least for people running the older hardware who can't/won't upgrade right away. I've got a quad-core Intel N2930 that's been working great, but there's no AES-NI.
 

Vaulter98c

[H]ard|DCer of the Month - October 2009
Joined
May 21, 2008
Messages
5,775
Funny thing, I bought an AM1 board and processor to run my pfSense box at home. Cheap, low power processor, that in most tasks is probably quite a bit less powerful than many pfSense boxes that will not be able to handle the upgrade due to the requirements. But this little champ will, as AMD enabled AES-NI in this little processor that could!

Now, if they could only make mobile client IPSEC VPN setup a little more straightforward.

Which one do you have? I feel like we have the same setup lol, I could have sworn mine was AES-NI already, I think I looked into that when I bought it. But then I switched over to a J1900 if I'm not mistaken and it doesn't support it. Good thing I kept that AM1 build as a spare... now if I can just cram it in a 1U case
 

nightanole

[H]ard|Gawd
Joined
Feb 16, 2003
Messages
2,032
I'm debating the following. Currently I am running Merlin/vortex in an R7000 and obtained a free optiplex 7010.

The dell idles at 40w(kw?) and the r7000 at 6 or so.

Given that where I live the dell will cost me around 5 bucks a month in electricity and the r7000 around 1 buck a month, which one should I keep?


The one that supplies the wifi? Else it's going to be 40 watts plus another AP.

Thanks to merlin both will support openvpn.
 

Vaulter98c

[H]ard|DCer of the Month - October 2009
Joined
May 21, 2008
Messages
5,775
2010 my arse

I have this guy as my pf sense box since it's low power:
https://ark.intel.com/products/84809/Intel-Celeron-Processor-3205U-2M-Cache-1_50-GHz

Nope and it came out in 2015...

https://ark.intel.com/Search/FeatureFilter?productType=processors&AESTech=true

This kinda sucks...

I can't find anything that is low power that isn't $$$ server grade.

What size case? 2u? I got an AM 1 + 5350 + dual NIC in a 2u for under 200 including case and hdd so it can be done

I also have a j3355 fanless that supports AES NI a few months back from newegg for 55$ and a 3455 fanless for $70 so there are options

They are out there, not expensive either, although you will pay a bit more for ones with dual NIC's already but you can add a dual intel card much cheaper vs buying dual nic itx board

Hell even if you have an old sandy system lying around they support it, but I prefer the itx solutions I can 1u or 2u because it fits in the rack easier though

My current router is actually the only PC out of my whole collection that doesn't support it lol (J1900) but I'll just jump back to the AM1 probably or the J3455 and use the J1900 for torrents


TLDR // You can build a fanless AES NI still for much cheaper than a "good" off the shelf router
 

Deleted member 184142

Guest
I'm debating the following. Currently I am running Merlin/vortex in an R7000 and obtained a free optiplex 7010.

The dell idles at 40w(kw?) and the r7000 at 6 or so.

Given that where I live the dell will cost me around 5 bucks a month in electricity and the r7000 around 1 buck a month, which one should I keep?

What do you need? The answer could be either.

Do you need VPN? PfSense has lots of features with this, but the R7000 will probably do fine.
Do you need encryption? You need lots of power to do VPN encryption and PfSense would be the option to go with.
Do you need any of the more advanced features of the box? There are an ungodly number, not going to list them all out, but many you will find nowhere on even some enterprise routers.
Do you need WiFi? Remember that will be an extra buy, or you can turn the R7000 into an AP.
What sort of internet connection? VPN/encryption is a big load when you get into the faster connections, like Gigabit.
Does the Dell have dual NICs already? If it does not have dual NICs, you will need to buy one.
 

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,200
Which one do you have? I feel like we have the same setup lol, I could have sworn mine was AES-NI already, I think I looked into that when I bought it. But then I switched over to a J1900 if I'm not mistaken and it doesn't support it. Good thing I kept that AM1 build as a spare... now if I can just cram it in a 1U case

I bought the ASUS mAtx board, as many reviews mentioned using it well as a pfSense router. I purchased an HP dual gigabit server pull NIC for about $10.00 off fleabay. Funny thing about that card - I picked up a 2U rack case on sale from NewEgg, and needed the low profile brackets for the card. It was actually cheaper to purchase another card that was already LP than to purchase just the extra bracket!

All-in-all, I think I have about $100 in my router, and it's more than capable for what I need it to do!
 

grtitan

Telemetry is Spying on ME!
Joined
Mar 18, 2011
Messages
1,266
What do you need? The answer could be either.

1-Do you need VPN? PfSense has lots of features with this, but the R7000 will probably do fine.
2- Do you need encryption? You need lots of power to do VPN encryption and PfSense would be the option to go with.
3- Do you need any of the more advanced features of the box? There are an ungodly number, not going to list them all out, but many you will find nowhere on even some enterprise routers.
4- Do you need WiFi? Remember that will be an extra buy, or you can turn the R7000 into an AP.
5- What sort of internet connection? VPN/encryption is a big load when you get into the faster connections, like Gigabit.
6- Does the Dell have dual NICs already? If it does not have dual NICs, you will need to buy one.

1- Yes, to remote back home, only one device at the time, mostly.
2- OpenVPN 128 or 256 bit default I guess.
3- Only thing I can think of, ad blocker.
4- Keeping the r7000 as AP as needed, but a Ubiquiti AP crossed my mind.
5- I currently have 100 down 10 up.
6- I have an intel NIC with two ports already installed.

Thanks!!!
 

Bandalo

2[H]4U
Joined
Dec 15, 2010
Messages
2,660
2010 my arse

I have this guy as my pf sense box since it's low power:
https://ark.intel.com/products/84809/Intel-Celeron-Processor-3205U-2M-Cache-1_50-GHz

Nope and it came out in 2015...

https://ark.intel.com/Search/FeatureFilter?productType=processors&AESTech=true

This kinda sucks...

I can't find anything that is low power that isn't $$$ server grade.


There's some...you need the newer level low-power chips though, like the Celeron 3855U. Shuttle has the $230 DS67U small bare-bones machine ( http://www.madshrimps.be/articles/article/1000894/Shuttle-XPC-Slim-DS67U-Barebone-Review/0 ). It's got a pair of Intel 1Gb interfaces, so it'd make a pretty decent choice.
 

/dev/null

[H]F Junkie
Joined
Mar 31, 2001
Messages
15,190
Aww man my E8400 does not have AES-NI. It did so well as a pfsense CPU. I am currently on a 75/75 connection and said CPU entertains two 100MBps NICs. I suppose I should move up to Gigabit and an AES-NI CPU. Any suggestions from the crowd? This will be a standalone basement machine sort of thing.

Really nice to see [H] highlighting this, I think there are a lot of pfsense nerds out there.

Pentium G4560 with 2 cores, 4 threads at $60-$75 is calling you :)
 

Sufu

[H]ard|Gawd
Joined
Sep 3, 2006
Messages
2,009
I dumped pfSense after dealing with their shitty product for the last time. If you report anything on their bug tracker, they just close the ticket and tell you to F off. Had tons of issues getting pfSense to work in ESXi if I used a different SATA driver on the box, where all my other VMs worked out of the box. VoIP and Video had a large amount of packet delay, making it unusable. Switched to all Ubiquiti gear in my house and all my problems went away.
 

Deleted member 184142

Guest
1- Yes, to remote back home, only one device at the time, mostly.
2- OpenVPN 128 or 256 bit default I guess.
3- Only thing I can think of, ad blocker.
4- Keeping the r7000 as AP as needed, but a Ubiquiti AP crossed my mind.
5- I currently have 100 down 10 up.
6- I have an intel NIC with two ports already installed.

Thanks!!!

Just remoting back home should not be an issue for either, the 256bit VPN however might, from what I have seen, you will hit a significant wall on speed, on 128bit most people are seeing a 20-30mbps cap, 256 the few reports were showing as low as 12mbps, CPU limited. That will probably depend on encryption type and strength for the R7000. So PfSense would be the choice, as depending on CPU in it, it can probably do gigabit VPN.

Seems to be the main sticking factor, the others are taken care of and I would lean to the PfSense box. You could run the VPN on the computer in question as well to get around the limits of the R7000 however.
 

GotNoRice

[H]F Junkie
Joined
Jul 11, 2001
Messages
11,367
I've used a 2.4Ghz Pentium4 PFsense box for years, after I upgraded from a 450Mhz Pentium2 running M0n0wall. I guess I won't be able to get away with making use of these ancient computers anymore.

Though I have to say, I was a bit burned the last time I upgraded my PFsense box, IIRC it was when I upgraded to 2.3.3. They changed the traffic graph that they used, to one that is way less reliable and doesn't display nearly as much information. As silly of a feature as it is, being able to keep the traffic graph up on a secondary monitor has always been one of my favorite features.
 

/dev/null

[H]F Junkie
Joined
Mar 31, 2001
Messages
15,190
I'm going the reverse route. My edgerouter lite is at the point it takes 3 hours to boot...
 

tazeat

[H]ard|Gawd
Joined
Jul 3, 2007
Messages
1,268
I'm using one of the newer Atom procs for my pfsense box... Should work great, x64 and AES-NI. SuperMicro 1u half depth case, sits right on my switch. Also went with Aruba for wireless, I got a couple cheap, 2x Aruba IAP-215s cover my house (and backyard/front) perfectly with decent AC coverage.
 

nightanole

[H]ard|Gawd
Joined
Feb 16, 2003
Messages
2,032
I'm using one of the newer Atom procs for my pfsense box... Should work great, x64 and AES-NI. SuperMicro 1u half depth case, sits right on my switch. Also went with Aruba for wireless, I got a couple cheap, 2x Aruba IAP-215s cover my house (and backyard/front) perfectly with decent AC coverage.
What is cheap, $500 an AP + controller?

My company has one of those every 20ft, I just drool at them...
 

AliceCooper

[H]ard|Gawd
Joined
Mar 25, 2007
Messages
1,477
Woohoo! Got mine running on a box with an I5-2400 and 4GB DDR3 booting off a 500GB HD lol. Way overkill, but had that stuff laying around and power is cheap!
 

bbenz33

Gawd
Joined
Dec 8, 2004
Messages
536
I've been running pfSense for years and I'm definitely liking the updates that are coming. I recently moved to an ESXi setup that has worked out great.
 