I need help figuring out how to enable AES-NI. I used to have this setting enabled and visible in the system information Dashboard, but after I recently replaced my hard drive SSD and re-installed OPNsense fresh, I lost the indication in the Dashboard that AES-NI is enabled.
This is what I did so far:
1) I have verified that AES-NI is enabled in the BIOS and enabled the AES-NI cryptography setting under System: Settings: Miscellaneous: hardware acceleration.
2) I ssh to the console and run this command:
#sudo dmesg | grep -i aes
Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
3) I rebooted/restarted the system multiple times, and enabled and disabled the setting multiple times.
4) I tried the system under OpenSSL and LibreSSL.
My system information:
Versions: OPNsense 20.7.4-amd64
FreeBSD 12.1-RELEASE-p10-HBSD
OpenSSL 1.1.1h 22 Sep 2020
CPU Type: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz (4 cores)
Any input or suggestion would be appreciated.
### Update Feb 3, 2021
I was having some intermittent internet/packet drops. I notice the issue mostly when using Teams/Skype calls and also during Zoom calls.
I reset the modem/computers/firewalls and tried no filtering, but the issue (internet/packet drops) didn't go away.
I re-installed the OPNsense OS a couple of times with no impact on AES-NI visibility in the GUI.
Finally I installed pfSense and was able to get the AES-NI configuration back in the GUI, which leads me to think the issue may be driver/hardware related.
Right now I am running the firewall through a VM (I have a server with 4 NICs) and the issue appears to be resolved. I am using the VM for now until I have time to set up the Atom firewall with pfSense. Or maybe I will just stay with the VM, as it is much easier to back up and start fresh whenever I need to.
While I am not a network engineer, I have been using OPNsense for about 5 years and never had issues with it. The internet drops appeared to be hardware/driver related and I only noticed them sometimes after the 17.xx update, which was about the same time I noticed the AES-NI functionality in the GUI disappeared.
Have you tried OPNsense 21.1 yet?
I finished testing/re-installation of different versions this weekend. I re-installed 21.1, 19.7 and 19.1.4. It is the same issue.
When I installed pfSense 2.4.5.p1, I got AES-NI in the dashboard once I enabled the hardware acceleration in the cryptography settings (see attached picture). So there is no BIOS issue and my hardware is working correctly. So I suspect firmware or a setting in the GUI is causing this issue.
One thing I noticed in the settings that is different from pfSense is that OPNsense appears to select AES-NI hardware acceleration in the Cryptography settings automatically. After the initial install, when I go to the settings to make the change and enable it, I find it already selected. Unfortunately, toggling it multiple times and restarting the firewall didn't resolve the issue.
I think I have spent enough time testing what I can. I will stay with a VM firewall, as I worry that my hardware is getting old or is not compatible with the current firmware in OPNsense. Hopefully there will be other updates that will fix this issue.
Never saw an indicator for aes-ni in OPNsense. I was guessing that OPNsense is using it as soon as the CPU supports it. Do you have any performance issues or is it just the indicator that is missing?
The only reason I was going down the rabbit hole is because I was having some intermittent internet/packet drops during Zoom and Teams calls. I thought the issue was a hardware/firmware issue. Not having the AES-NI option visible in the GUI made me suspicious that maybe my hardware is not compatible with the latest OPNsense releases.
Quote from: cavin on February 14, 2021, 09:12:40 AM
The only reason I was going down the rabbit hole is because I was having some intermittent internet/packet drops during Zoom and Teams calls. I thought the issue was a hardware/firmware issue. Not having the AES-NI option visible in the GUI made me suspicious that maybe my hardware is not compatible with the latest OPNsense releases.
Packet drops on connections that should be using AES-NI? Like OpenVPN? On a common WAN IPv4/IPv6 connection there shouldn't be any AES-NI involved. Are those calls routed through a VPN tunnel?
All of my customers experience Zoom or Teams video-call hiccups these days because 1) Zoom and MS are still having trouble handling the massive load at peak times and 2) there is generally more load during weekdays on home internet connections. Cable (coax) lines especially are a shared medium, so if your neighbors are all working from home, you share the bandwidth with them. Those problems range from a freeze frame for a short time to being removed from the call and needing to reconnect. The latter is rare though.