I’m thinking about building a box for pfsense. Looking at hardware options and I see a pretty significant difference in price when comparing hardware with and without AES-NI. I don’t necessarily think I’ll need AES. The way I understand it, AES is for using VPN that is somehow running on the router??? I mean, my wife and I both use VPNs on our work computers so we can reach our work networks, but that isn’t using any encryption features on my router, is it?? Or am I not understanding?
If you don’t use a VPN on the router, you won’t need it.
But what if you decide to set one up so you can VPN in while on the road? Personally, I’d rather have it and not need it, than need it and not have it…as well as “buy once, cry once” rather than need to upgrade down the line.
I’m not sure what you’re shopping for with AES-NI but I can strongly recommend the HP T730 and T740 thin clients if you’re trying to build a budget home firewall machine. Both support AES-NI (but obviously not Xeon QAT) and the t730 is cheap on eBay. Drop whatever NIC and an SSD in and you’re off to the races with OPNSense. The T740 is performant enough to run OPNSense on Proxmox if that’s your thing, you’ll have plenty of spare processing time to do something else on the machine beyond routing/firewalling a 1-2Gb home connection.
Pfsense has an openvpn server and client built in. Also if you are using site-to-site ipsec vpns it can be useful. I think it will also use the extensions if you run a web proxy to inspect tls traffic. If you just use it for a nat gateway, then you don’t need aes-ni or even most of the features Pfsense provides.
Any VPN that terminates on the firewall (be it site to site or remote access / “road warrior”) may be affected, but not all will. Some VPN tech uses very efficient computations. Notably affected VPNs are OpenVPN and IPSec / StrongSwan.
If the VPN doesn’t terminate on the firewall, you’re in the clear. So even if your work provided an OpenVPN client to you that’s affected by AES-NI, because the tunnel runs between your work laptop and the work server, the firewall is not part of the encryption pipeline.
Another affected technology may be some (reverse) proxies and web servers. This would be software running on the firewall like haproxy, nginx, squid. See https://serverfault.com/a/729735 for one example. In this variation of the check, you’d be running one of these bits of software on the firewall itself and either exposing an internal service (such as Nextcloud) to the internet, or in the case of squid doing some HTTP/S filtering for a tightly locked down network. However, if you just port forwarded 443/TCP to your nextcloud server (as an example), your nextcloud server would be the one caring about the AES-NI decrypt/encrypt. Like VPN, it matters to the extent of where the AES decrypt/encrypt occurred.
Personally, I’d recommend you get AES-NI if you can. It makes running a personal VPN easier down the road if you think you might want to go that route. But if you know for sure you won’t need any of the tech I mentioned (including https web proxy on the firewall), you won’t miss it if it’s not there.
Edit: I don’t know what processors you’re looking at that are missing AES-NI, but I think you have to go to some really really old tech on x86 to be missing it. Those (especially if they’re AMD FX / Opteron from the Bulldozer/Piledriver era) may have other performance concerns. Specifically for those old AMD processors (Not Ryzen/Epyc), just hard pass if you need something that runs slightly fast. They’re just too inefficient.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
If installing Wireguard as your VPN is a possibility, Install Opnsense + Wireguard on old hardware and forget about AES.
If you don’t use a VPN on the router, you won’t need it.
But what if you decide to set one up so you can VPN in while on the road? Personally, I’d rather have it and not need it, than need it and not have it…as well as “buy once, cry once” rather than need to upgrade down the line.
I’m not sure what you’re shopping for with AES-NI but I can strongly recommend the HP T730 and T740 thin clients if you’re trying to build a budget home firewall machine. Both support AES-NI (but obviously not Xeon QAT) and the t730 is cheap on eBay. Drop whatever NIC and an SSD in and you’re off to the races with OPNSense. The T740 is performant enough to run OPNSense on Proxmox if that’s your thing, you’ll have plenty of spare processing time to do something else on the machine beyond routing/firewalling a 1-2Gb home connection.
You should consider opnsense instead of pfsense in any case.
why?
Pfsense has an openvpn server and client built in. Also if you are using site-to-site ipsec vpns it can be useful. I think it will also use the extensions if you run a web proxy to inspect tls traffic. If you just use it for a nat gateway, then you don’t need aes-ni or even most of the features Pfsense provides.
Any VPN that terminates on the firewall (be it site to site or remote access / “road warrior”) may be affected, but not all will. Some VPN tech uses very efficient computations. Notably affected VPNs are OpenVPN and IPSec / StrongSwan.
If the VPN doesn’t terminate on the firewall, you’re in the clear. So even if your work provided an OpenVPN client to you that’s affected by AES-NI, because the tunnel runs between your work laptop and the work server, the firewall is not part of the encryption pipeline.
Another affected technology may be some (reverse) proxies and web servers. This would be software running on the firewall like haproxy, nginx, squid. See https://serverfault.com/a/729735 for one example. In this variation of the check, you’d be running one of these bits of software on the firewall itself and either exposing an internal service (such as Nextcloud) to the internet, or in the case of squid doing some HTTP/S filtering for a tightly locked down network. However, if you just port forwarded 443/TCP to your nextcloud server (as an example), your nextcloud server would be the one caring about the AES-NI decrypt/encrypt. Like VPN, it matters to the extent of where the AES decrypt/encrypt occurred.
Personally, I’d recommend you get AES-NI if you can. It makes running a personal VPN easier down the road if you think you might want to go that route. But if you know for sure you won’t need any of the tech I mentioned (including https web proxy on the firewall), you won’t miss it if it’s not there.
Edit: I don’t know what processors you’re looking at that are missing AES-NI, but I think you have to go to some really really old tech on x86 to be missing it. Those (especially if they’re AMD FX / Opteron from the Bulldozer/Piledriver era) may have other performance concerns. Specifically for those old AMD processors (Not Ryzen/Epyc), just hard pass if you need something that runs slightly fast. They’re just too inefficient.