[SOLVED] AES-NI doesn't give any performance gains in pfSense VM on PVE8

Jun 27, 2024
Hi all,

I recently reinstalled an ESXi 7 server with PVE8 and then restored all VMs on it.
The VMs on this server are all pfSense firewalls used in the various labs we have in our company.

All pfSense VMs are working perfectly fine on PVE8, except for one. This particular pfSense VM handles around 250Mbps of continuous IPsec traffic. I have pfSense configured to use the AES-NI instruction set, and this always worked fine when the VM was running on ESXi 7. On PVE8 however, the presence of AES-NI doesn't give any performance gains, which means the pfSense VM cannot handle the decryption of packets anymore. With regards to performance there is no difference with AES-NI enabled and AES-NI disabled on the pfSense VM.

I think I did all the right things and I also have the CPU set to 'host' to make sure all CPU features are exposed to the VM. I also tried setting the AES flag explicitly, but this didn't do anything at all. pfSense also has the AESNI module loaded, and it shows as active in the web GUI.

Does anyone have any idea what I'm missing here? I obviously already googled this issue for days, and I couldn't find a single solution to this problem.

Just to illustrate, here's the CPU load on ESXi vs the CPU load on PVE8. You can clearly see where I went from ESXi to PVE ;-)

ESXi does not protect against CPU vulnerabilities (please search the forum or Linux documentation for this). You can turn those all off and go fast but you won't be protected.
I already did that too. Like I said, I've already researched this topic like crazy :)

However, I think I have finally found the solution. I've always used the Intel E1000 interface under ESXi and I just kept that with PVE. I just finished switching all the interfaces to virtio and performance is great again.

I'm marking this as resolved and hope someone can get some benefit from this when facing the same issue.
However, I think I have finally found the solution. I've always used the Intel E1000 interface under ESXi and I just kept that with PVE. I just finished switching all the interfaces to virtio and performance is great again.
VirtIO uses para-virtualization and has less overhead than emulating actual devices. Good idea!
I'm marking this as resolved and hope someone can get some benefit from this when facing the same issue.
Thank you.
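As an added illustration (not code from this thread or from Proxmox), a small POSIX sh check that flags the two settings the thread turned on in a Proxmox VE VM config: a CPU model that may hide AES-NI from the guest (anything other than host without an explicit +aes flag) and emulated Intel e1000 NICs that should be virtio. The config text, MAC addresses and bridge names below are constructed samples; the real files live under /etc/pve/qemu-server/<vmid>.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Flags the two settings discussed above in a
# Proxmox VE VM config (/etc/pve/qemu-server/<vmid>.conf): a CPU model that may hide
# AES-NI from the guest, and emulated Intel e1000 NICs that should be virtio.

# Constructed sample config (MACs and bridges are made up): cpu is already 'host',
# net0 is still e1000, net1 was already switched to virtio.
SAMPLE_CONF='cores: 4
cpu: host
memory: 4096
net0: e1000=BC:24:11:00:00:01,bridge=vmbr0
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
ostype: other'

# Constructed config with both problems: a named CPU model without +aes and an e1000 NIC.
WORST_CONF='cores: 2
cpu: kvm64
net0: e1000=BC:24:11:00:00:03,bridge=vmbr0'

# check_vm_conf CONFIG_TEXT : print one line per finding (prints nothing when the config is fine)
check_vm_conf() {
  conf=$1
  cpu_line=$(printf '%s\n' "$conf" | sed -n 's/^cpu: *//p')
  case "$cpu_line" in
    host|host,*|*flags=*+aes*) ;;  # 'host' passes every host flag through; +aes exposes AES-NI explicitly
    *) echo "cpu: model '${cpu_line%%,*}' (empty = PVE default) may not expose AES-NI; use 'host' or add flags=+aes" ;;
  esac
  # net<N>: e1000... lines are full device emulation; virtio is paravirtualised and far cheaper per packet
  for nic in $(printf '%s\n' "$conf" | sed -n 's/^\(net[0-9][0-9]*\): *e1000.*/\1/p'); do
    echo "$nic: emulated e1000 NIC; switch the model to virtio (pfSense ships the FreeBSD vtnet driver)"
  done
}

# finding_count CONFIG_TEXT : number of findings, for scripting and assertions
finding_count() {
  check_vm_conf "$1" | wc -l | tr -d ' '
}

# Usage on a live PVE host: check_vm_conf "$(cat /etc/pve/qemu-server/100.conf)"
check_vm_conf "$SAMPLE_CONF"
```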