IPFire and AES-NI

Hello everybody

I picked up two old Jetway ITX motherboards with built-in CPUs, for next to nothing at a charity fundraiser. The pair would make ideal HA IPFire firewalls, since they each have four Gigabit NICs. Unfortunately, they have two flaws that may make or break my dream of building an HA “cluster” of IPFire firewalls.
Firstly, they have old Intel Atom D525 64-bit CPUs - dual core and no AES/AES-NI.
Secondly, the motherboard only supports a maximum of 4GB RAM.

Which brings me to my obvious question: Will my new motherboards be good enough for IPFire for at least the next three years?

Thanx in advance.

Edwin

I would guess with HA you mean High Availability? In that case this might be helpful.

The hardware requirements for IPFire, specifically in relation to RAM, can vary depending on individual needs. In most cases, 4 GB of RAM should be sufficient for normal firewall usage. This is what I have and it has worked well for me. However, if you plan on using Suricata with a large number of intensive rules, it could potentially strain the system’s resources. I do not have enough experience to issue a recommendation, but I am confident stating that Suricata consumes RAM.

Another factor to consider is the performance of VPN connections. Without the AES-NI support, the CPU may experience limitations in handling encryption/decryption tasks efficiently. Additionally, if you anticipate high network traffic situations, the performance of the four network cards may become a bottleneck due to the CPU having only two cores.

In general, for typical firewall usage and moderate throughput requirements, the provided hardware configuration should be adequate. However, it’s important to assess your specific needs and adjust the hardware accordingly if you anticipate heavier usage, such as using a VPN, or a large number of Suricata rules or high traffic scenarios.

5 Likes

Hi @cfusco
Thank you very much for your informative and helpful response. I think they will just have to wait until I find a use for them as they would likely not be able to handle the load / traffic.
Thanx again.
Edwin

The D525 seems like a fairly slow processor. See this:
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+D525+%40+1.80GHz&id=611


Just so you have a comparison, this is what I used 6 years ago...

https://www.cpubenchmark.net/cpu.php?cpu=Intel+Celeron+J1900+%40+1.99GHz&id=2131

For what it is worth, the D525 might be a good device to experiment with. Then you know what can be enabled and cannot be enabled with the D525.

It should outperform a Pi.

1 Like

For the RPi4B:

https://www.cpubenchmark.net/cpu.php?cpu=BCM2711&id=4297

Pi 4
https://www.cpubenchmark.net/cpu.php?cpu=ARM+Cortex-A72+4+Core+1500+MHz&id=3917