Messages

1

Hardware and Performance / Re: Will AES-NI support be a CPU requirement for future OPNsense releases?

« on: May 08, 2017, 03:28:05 pm »

I just signed up to the forums and I'm considering switching to OPNSense due in small part to the AES-NI situation with pfSense 2.5 but mainly due to the way they conduct themselves on HN and Reddit regarding the change.

I noticed also that they're not longer supporting 32-bit in 2.4 but made an exception for their own ARM SG1000 (32-bit ARM CPU) it also doesn't feature AES-NI (it has its own cryptographic hardware that implements AES in hardware) but it too will get release 2.5.

But of course if we (the community) wish to use 2.4 on 32-bit we're not allowed, nor can we use cryptographic accelerators or architectures that have their own crypto hardware which isn't AES-NI.

So I have to agree that this whole situation feels like planned obsolescence to get community members to purchase branded hardware.

And that is why I'm here really, I don't like the way things are going there and I've woken up to the realities that they're moving away from openness to make money.

Regardless though I'm happy to be here and learning about OPNSense.

Me too. I'm using a Supermicro j1900 motherboard for mine. No AES-NI. No plan to toss it out either since the home router cost nearly $400 at the time I built it. Supermicro isn't cheap but it's supposed to be ultra reliable.

Going to try to convert first on a spare laptop and use a usb lan cable for the 2nd lan outlet. After I get it to work as I like, I'll install on the Supermicro and load the config from the laptop experiment.
 
If the laptop experiment fizzles I'll do the same but on Hyper-V.

2

General Discussion / Re: Switching from pfSense - features

« on: May 08, 2017, 01:03:14 pm »

fabian, franco,

Thank you. I think I read that both Opnsense and sophos work with a usb lan attachment.  I have a couple lying about and also a spare laptop that has a gigabit port. I plan to replace the hard drive in it temporarily and try both softwares. Sophos is only an indulgence as I have always wanted to see it. I suspect the learning curve will be far too steep, but I'm curious.

Then I will install Opnsense on it and configure it to my needs. After it works I'll reformat my Supermicro, install Opnsense and update the configuration. I'll decide about the wifi later as It would only be for fun; I have a R6400 as a wireless access point on the 1st floor; the main router is in the basement where the wires enter the house - I wired the 1st floor with cat6.

edit: Decided to go straight to Opnsense and ignore Sophos. Sophos has a 3 year free license renewal period. It's free but I don't want to have to worry about a router not working 3 years down the road because of a failure to replace it with a new free 3 year license.

BTW, you might want to add to the improvement list an auto-update capability for new versions of Opnsense as they are pumped out. Perhaps give it a delay so it's not installed until a month or so after release so it can be pulled if there's a problem before auto-update.

3

General Discussion / Re: Switching from pfSense - features

« on: May 07, 2017, 04:43:06 pm »

I'm going to switch over too. Here's my concerns. I assume the conversion will work well, however.

1) I have a supermicro j1900 based motherboard with 8gb ram and 120GB SSD. two i210-at intel gigabit lan ports ... OK? No AES-NI.

2) As an aside, i noticed opnsense will support wifi. I have a spare intel 6205 dual band card. My motherboard will support it. Will I need an external antenna ... if so, pointers on how to install it. Thanks.

3) I'm assuming openVPN still support multiple servers like pfSense? I want to install a tun, possibly a tap, and a site to site. Can openvpn be locked to specific users and the certs must match the user? Is there a client export capability?

4) Geoblocking and IPS/IDS are needed and appear to be offered. Any big differences? It took a while but I eliminated most snort false positives in pfSense. Are specific false positives easy to override in opnsense?

5) No-IP dynamic DDNS is used by me. Is it supported?

6) I need to afix a few permanent ip addresses on a couple of devices. I assume it's pretty easy?

7) Any big differences you have to deal with? The above pretty well described my complete needs. My preference is that the forum here doesn't have as many snotty contributors as pfSense has.

Thanks, much. Glad opnsense is available. My other option was sophos, and I was not looking forward to the learning curve. I don't like being forced to buy new hardware just to continue with pfSense. It's good but not the only product out there. Apparently, other products support AES-NI if it's detected, otherwise it's ignored.

edit: jut did some research. Looks good. I plan to test it out soon. Still wondering about the wifi - mostly how to deal with antennas on a motherboard - in general.