Is this a good option for a low power pfSense machine?

Cool, although I am not quite sure I understand all of the data you linked :stuck_out_tongue: But from what I do understand it's quite fascinating

Well as a benefit, if AES-NI is one day uncovered as being backdoored, you don't have to worry about that. :laughing:

2 Likes

I did some testing with AES-NI disabled and currently it is inconclusive and shows little difference between the two, I'll have to do some more testing and maybe change my methodology and see what's up, maybe because my CPU is good enough for the task either way it doesn't matter/show a meaningful difference.

1 Like

Interesting :smiley: Thank you very much for taking time out of your day to do these tests, it's quite interesting to read :slight_smile:

I would suggest building a small PC to run pfSense; there is a reason those small boxes are cheaper than building a small computer, with a small computer you are going to have way more options than a small box. I myself am going to build a small computer that isn't much bigger than those small devices. I am just waiting until I save enough money to install Ethernet in the house I live in currently.

You might want to consider this.

pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI
[...] Please remember these requirements when you are considering components for your pfSense system.
Source

2 Likes
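For anyone checking existing hardware against the AES-NI requirement quoted above, here is an added example (not from the thread or from the pfSense project). The function names `has_aesni` and `aesni_report` are hypothetical and the sample inputs are constructed, not taken from a real machine.

```shell
#!/bin/sh
# has_aesni: read CPU feature text on stdin; exit 0 if AES-NI is advertised.
# Handles FreeBSD/pfSense boot messages (Features2=0x...<...,AESNI,...>)
# and Linux /proc/cpuinfo ("flags : ... aes ...").
has_aesni() {
    awk '
        /^[ \t]*Features2=/ {            # FreeBSD: list between < and >
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        /^flags[ \t]*:/ {                # Linux: space-separated flags
            s = $0
            sub(/^[^:]*:/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# aesni_report: print "yes" or "no" for the feature text on stdin.
aesni_report() {
    if has_aesni; then echo yes; else echo no; fi
}

# Constructed sample inputs (hex masks and flag lists are illustrative only).
SAMPLE_PFSENSE_OK='CPU: Example CPU (constructed sample)
  Features=0x0<FPU,VME,SSE,SSE2>
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE>'
SAMPLE_PFSENSE_OLD='CPU: Example older CPU (constructed sample)
  Features=0x0<FPU,VME,SSE,SSE2>
  Features2=0x0<SSE3,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM>'
SAMPLE_LINUX_OK='flags		: fpu vme sse sse2 ssse3 aes xsave avx'
SAMPLE_LINUX_OLD='flags		: fpu vme sse sse2 ssse3 cx16 lahf_lm'

printf '%s\n' "$SAMPLE_PFSENSE_OK"  | aesni_report   # yes
printf '%s\n' "$SAMPLE_PFSENSE_OLD" | aesni_report   # no

# On a live system (paths are the usual defaults, stated as an assumption):
#   has_aesni < /var/run/dmesg.boot   # pfSense / FreeBSD
#   has_aesni < /proc/cpuinfo         # Linux
```

The flag is matched as a whole token rather than a substring, so related flags with similar names do not count as AES-NI support.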

So what will that mean for folks who are running older hardware such as a Core2Duo that doesn't support AES-NI? Will we be stuck at whatever version after the cutoff?

I thought the same, and I don't know to be honest. I'm sure it will figure somewhere on the interwebs very soon.

To me it seems like them limiting pfSense 2.5 to AES-NI CPUs is their approach to unify the cryptographic stack on pfSense to either make it easier to maintain or improve the way it is implemented as they won't have to worry about people not having AES-NI extensions. You'd think that they'd have a compelling reason to do this because removing support for a whole load of CPUs couldn't be an easy decision for them to make as it limits the potential number of people using pfSense as a router.

3 Likes

When you have the specs could you link them in this thread? I would love to see what configuration you are gonna be using :smiley: @MichaelLindman Can you link yours as well? Would love to get some ideas of great pfSense setups. Gonna be buying all the parts here in a month or 2 depending on how much free time I can get while studying

Well s*** :laughing: Thanks for linking to this, will be looking into getting a CPU that supports AES-NI then :smiley:

2 Likes

My router is built on the AM1 platform with the Athlon 5350 quad-core SoC, 4GBs of DDR3 1600 and two TP-Link Gigabit NICs. For the most part it works pretty well for my needs and handles traffic from four users with around 25-30 devices on the network with an up/down link of 115/6mbps. It does have some limitations though, the first being that the temperature sensors on AM1 are completely broken, right now it reads 20.1°C which is lower than ambient and it only has 4x PCIe lanes so adding a single quad-port NIC is about the limit, which I plan on doing soon as I want to replace my TP-Link NICs with a single quad-port Intel one. Other than the hardware listed above it also has an almost 10 year old 80GB SATA Seagate HDD, Fractal Design 750W Integra PSU and an old random Zalman case which were all parts I had laying around when I built it.

Specifications
  • AMD Athlon 5350
  • ASUS AM1M-A
  • 4GB HyperX DDR3 1600MHz
  • Fractal Design 750W Integra
  • Two TP-Link Gigabit NICs
  • 10 yearish old 80GB SATA Seagate HDD mounted to the top vent
  • An old random Zalman case

PC Partpicker: https://pcpartpicker.com/list/6wdp4C

1 Like

Cool setup! But doesn't that use a lot of power (partpicker says 89W)? And because of that, won't it be quite expensive? My current train of thought would be to get a cheap i3 which has a TDP of 20-35W max and an ITX mobo. Then with a hard drive, mobo and other things you could have a router that uses less than 30W :smiley:

It seems a lot of pfSense users are worried the change is not because of easier maintenance, but revenue by e.g. selling VPN services in the future or locking people to pfSense's own hardware. People are perplexed that a feature many don't use should be mandatory. It seems this is some of the explanation.

the choice is either to design, engineer and release a less-than-strong product, because with AES you either design, test, and verify a bitslice implementation, (giving up a lot of performance in the process), leverage hardware offloads, or leave the resulting system open to several known attacks. I've selected the "leverage hardware offloads" path. The other two options are either unthinkable, or involve a lot of effort for diminishing returns.
Edit: And, as should be abundantly clear by now, this is not (just) about "VPN".
Source

Full thread, be warned, there is a lot of shit being thrown around and the developers are not popular. Some reddit users are slinging shit like saying the CEO is a pedophile, and the developers are naturally fed up.

No, that 89W is the absolute maximum the whole system might use and in the real world this just isn't the case. I have one of these CPUs running as a headless Linux box and I can tell you from experience it uses hardly any power. It would probably be my go-to machine if I was to set up a pfSense machine. I also have an i3 for my HTPC. I can tell you as well that it doesn't quite sip power like the AMD box does but it's also quite a bit faster and more expensive, so make of that what you will.

Well, from what I have gathered from the reddit thread this won't be a problem for another 24-28 months maybe more ("So the 2.4 series would continue to get security patches until at least September 2019. It's 1 May 2017 now, so 27-28 months from now, minimum?" - gonzopancho).

Atm I might still consider the small box. But I am looking at either an i3 ITX based system or something AMD. Looking into what options I have. I also have to find a great access point (heard that Ubiquiti should be the s***), but I haven't decided yet. Wouldn't mind using more money on this project if it means I get some better hardware and that it will last longer :smiley:

I'm sorry, but I am not sure what you mean by that. Would you care to elaborate?

1 Like

As @Adubs said the power usage stated by PCPartpicker is the maximum, if you go into the total power usage of the build on the site it states that the motherboard uses 15-60W which is unrealistic, I've tested the power usage on this machine myself in the past and it was between 20-30W.

1 Like

You were comparing the power draw of an i3 to an AMD 5350. While the i3 is a pretty low power CPU it does use more power than the 5350 but also is faster and costlier. I'm not trying to steer you away from going Intel in this case, I'm simply saying it's more expensive but also faster.

If I were in your shoes I would be considering a Pentium G3258/G4400 strongly because it's much newer hardware. It's also considerably cheaper while still being fairly powerful. The AMD 5350 is nice but also old and outdated on a basically dead socket that AMD is no longer developing. On the other hand a 1151 socketed board will likely work with anything up to an i7 7700k as well should you decide to repurpose the hardware.

These are synthetic benchmarks so don't put too much weight on them but they give a decent idea of what each CPU's strong suit is. All things considered I think the G4400 is the perfect middle ground between price/performance/power usage though I may be a little biased. If you want low power I must recommend the AMD 5350 as I have one myself and love it.

3 Likes

Riiiiight :stuck_out_tongue: Have been attending 8 hours of lecture today so my brain crapped itself there :laughing: When I was mentioning the i3 I was thinking of an i3-7100T, since it supports AES-NI, is new, cheap and has the functionality I need it to have and a low operating TDP. Then find a good cheap ITX board and then use a "HP 331T" or "HP 366FLR" as a NIC.

I know, didn't think it through, when I wrote my comment :stuck_out_tongue: Thanks for posting numbers tho, insane how low Watt your build is :smiley:


It will be at least 6 months to a year before I will be building my pfSense box. The house I live in now was built between 1915-1929, so I am lucky it has electricity and an inside human waste disposal unit, but it isn't wired for Ethernet currently. pfSense is very finicky with WiFi, it doesn't make sense to build a custom pfSense box until I have wired the whole house with Ethernet. I haven't decided which CPU I am going with yet or motherboard, but I have decided on what type of case I am going to use, I am going to use the Antec ISK 300-150 Mini ITX Desktop Case w/150W Power Supply.

Was meant as a response to @Shadowbane, sorry for wrong response thread :slight_smile:

I sure will, I am on the same time schedule as you tho :stuck_out_tongue: And for Michael's build he linked to it here :smiley: