I’m thinking about building a box for pfsense. Looking at hardware options and I see a pretty significant difference in price when comparing hardware with and without AES-NI. I don’t necessarily think I’ll need AES. The way I understand it, AES is for using VPN that is somehow running on the router??? I mean, my wife and I both use VPNs on our work computers so we can reach our work networks, but that isn’t using any encryption features on my router, is it?? Or am I not understanding?

  • titus@lemmy.worldEnglish
    6·
    11 months ago

    If installing Wireguard as your VPN is a possibility, Install Opnsense + Wireguard on old hardware and forget about AES.

  • ninjan@lemmy.mildgrim.comEnglish
    41·
    11 months ago

    It’s for encryption and decryption so only valid for VPN tunnels initiated by pfsense. Not a needed feature by any means if you don’t selfhost stuff and want to setup VPN tunnels and run a lot of traffic through (like say media through Jellyfin)

  • seaQueue@lemmy.worldEnglish
    31·
    11 months ago

    I’m not sure what you’re shopping for with AES-NI but I can strongly recommend the HP T730 and T740 thin clients if you’re trying to build a budget home firewall machine. Both support AES-NI (but obviously not Xeon QAT) and the t730 is cheap on eBay. Drop whatever NIC and an SSD in and you’re off to the races with OPNSense. The T740 is performant enough to run OPNSense on Proxmox if that’s your thing, you’ll have plenty of spare processing time to do something else on the machine beyond routing/firewalling a 1-2Gb home connection.

  • jubilationtcornpone@sh.itjust.worksEnglish
    2·
    11 months ago

    Encryption and Decryption can be resource intensive processes. Most firewalls typically have a lower throughout for VPN connections than they do for just straight routing because of the extra processing power required for VPN. Based on what little I’ve read, it seems like CPU’s with AES-NI are capable of handling the encryption process more efficiently which probably reduces system load and allows for more throughput.

    This only helps in situations where your firewall is either serving or connecting to a VPN. It won’t make any difference if your connecting to a work VPN form your computer. Even if you are hosting a VPN connection from your firewall, AES-NI is probably overkill unless you’re planning to connect a bunch of clients to it at the same time or plan to do something like file transfers at Gigabit speeds.

  • Gobo@lemmy.worldEnglish
    2·
    11 months ago

    Pfsense has an openvpn server and client built in. Also if you are using site-to-site ipsec vpns it can be useful. I think it will also use the extensions if you run a web proxy to inspect tls traffic. If you just use it for a nat gateway, then you don’t need aes-ni or even most of the features Pfsense provides.

  • FutileRecipe@lemmy.worldEnglish
    1·
    11 months ago

    If you don’t use a VPN on the router, you won’t need it.

    But what if you decide to set one up so you can VPN in while on the road? Personally, I’d rather have it and not need it, than need it and not have it…as well as “buy once, cry once” rather than need to upgrade down the line.