AES-NI Firewall vs Computer CPU AES-NI Question

Jul 14, 2017
So since most people at my company are working from home, one question was what, if anything, could be done to improve VPN performance.

About 2 years ago I built a pfSense firewall, which does have AES-NI support.

From what I can tell, AES-NI should be getting used without there needing to be some sort of explicit setting on the computer end of things. I know there's a setting in pfSense to turn on AES-NI support, and that's done.

So what I'm trying to figure out, and not having any luck, is: if the CPU in a computer has AES-NI (as most currently do), then is AES-NI unnecessary on the firewall (the CPU in the PC takes advantage of it), or is there some advantage to having it in the firewall?

I've checked around with some of my co-workers, and my VPN throughput seems to be significantly higher than almost any of them are reporting, relative to their internet connection. However, a friend who doesn't have a firewall/router with AES-NI support (at least as far as I could tell for a Verizon FiOS Quantum router) was reporting numbers similar to mine. So it's unclear exactly what effect, if any, there is.

To a certain extent it's probably academic; most users aren't going to either shell out for a dedicated firewall PC or be able to get pfSense up and running, but it seems like something worth looking into.

One last question: from what I've read and some limited results, it looks like the max throughput for the VPNs is about 75 Mbps. Is that correct?

BlueFox

The two VPN endpoints, irrespective of what devices they are, could benefit from having AES-NI. If you have a site-to-site tunnel between two pfSense boxes, then it won't matter if your desktop has it since it's not encrypting/decrypting traffic.

It's also worth noting that if the CPU on the VPN endpoints isn't being bogged down by encryption, then you won't see any difference in performance by having AES-NI or not.

There is no hard limit as to VPN throughput. 1Gbit+ IPsec is easily done with inexpensive hardware. 10Gbit+ will require some modestly powerful hardware.
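Both points in the reply above (only the two tunnel endpoints benefit from AES-NI, and only if encryption is actually what loads their CPU) can be checked on the endpoint itself. The script below is an added example, not code from anyone in this thread or from the pfSense project: it reports whether the host advertises AES-NI and then runs OpenSSL's AES-GCM benchmark twice, once normally and once with the AES-NI capability bit masked off via `OPENSSL_ia32cap`, so the two throughput figures show how much the instructions are worth on that box. The sysctl name used for the FreeBSD/pfSense path and the `OPENSSL_ia32cap` mask value are assumptions about the host; the `openssl speed` output format is parsed from its final summary table.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): detect AES-NI on a VPN
# endpoint and measure the AES-GCM throughput difference with and without it.
# Assumptions: Linux exposes the "aes" flag in /proc/cpuinfo; FreeBSD/pfSense
# exposes the aesni(4) device as sysctl dev.aesni.0.%desc; OpenSSL's
# OPENSSL_ia32cap bit 57 (0x200000000000000) is the AES-NI capability bit.

# True when Linux-style "flags :" lines on stdin contain the "aes" CPU flag.
cpu_flags_have_aes() {
    grep -qw 'aes'
}

# True when this host advertises AES-NI (Linux via /proc/cpuinfo, FreeBSD via
# the assumed aesni(4) sysctl). Used only when the script is run with --run.
cpu_has_aesni() {
    if [ -r /proc/cpuinfo ]; then
        cpu_flags_have_aes < /proc/cpuinfo
    else
        sysctl -n 'dev.aesni.0.%desc' 2>/dev/null | grep -q 'AES'
    fi
}

# From `openssl speed -evp <cipher>` output on stdin, print the 16384-byte-block
# figure (last column, thousands of bytes per second) for the cipher named in $1.
speed_kbytes_per_sec() {
    awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); print v }'
}

# Convert openssl's kB/s figure (1 k = 1000 bytes) to whole megabits per second.
kbytes_to_mbit() {
    awk -v v="$1" 'BEGIN { printf "%d\n", v * 8 / 1000 }'
}

# Benchmark one cipher with AES-NI available and with it masked off, print both.
# Each openssl speed run takes roughly 18 seconds (six block sizes, 3 s each).
compare_aesni() {
    cipher="${1:-aes-128-gcm}"
    with=$(openssl speed -evp "$cipher" 2>/dev/null | speed_kbytes_per_sec "$cipher")
    without=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp "$cipher" 2>/dev/null \
              | speed_kbytes_per_sec "$cipher")
    echo "$cipher with AES-NI:    $(kbytes_to_mbit "$with") Mbit/s"
    echo "$cipher without AES-NI: $(kbytes_to_mbit "$without") Mbit/s"
}

# Only touch the real hardware when explicitly asked: sh aesni-check.sh --run
case "${1:-}" in
    --run)
        if cpu_has_aesni; then echo "CPU advertises AES-NI"; else echo "No AES-NI found"; fi
        compare_aesni aes-128-gcm
        ;;
esac
```

Run it on each endpoint with `--run`. If the "without AES-NI" figure is already far above the link speed, the CPU is not the bottleneck and, as the reply says, AES-NI will not change the observed VPN throughput; if the "with" figure is close to what the tunnel actually delivers, encryption is the limit and only the endpoints (not the client PCs behind a site-to-site tunnel) need the instructions.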