Author Topic: Zotac ZBOX CI323 nano  (Read 46046 times)

Offline OK

Zotac ZBOX CI323 nano
« on: December 11, 2015, 07:50:37 am »
Hi all,

being new to pfSense and BSD (but not to firewalling and computers in general), I thought this little box might be a good idea. Well, not so much at the moment.

With the Celeron N3150 being quite new, there is a serious lack of support for the hardware, leading to a situation where most OSes did not install correctly. Adding a BIOS that only has a broken "Legacy Boot" option (blank screen and nothing happens), this leaves me with the following results:

- Windows 10 works flawlessly, but who wants that
- MINT Linux installed, but X does not work. Didn't fiddle around with the settings, but I assume the internal display is not yet supported. Same for CentOS.
- FreeBSD installed only when using the "FreeBSD-10.2-RELEASE-amd64-uefi-memstick.img". All ISOs were reported as unbootable (by Rufus).

With no Legacy Boot and no UEFI image for pfSense I'm kind of stuck at the moment. The hardware itself seems to be very capable of running FreeBSD, so I assume it's worth still chasing that.

Unless Zotac releases a BIOS update that permits Legacy Boot, I wonder what is needed to create a UEFI image for pfSense. It worked for FreeBSD, so in theory it's possible for pfSense as well (correct me if I'm wrong).

If you have any other ideas, please let me know. I strictly refuse to install Win 10 with VirtualBox :D (but tested that and it worked, although the Windows driver for the Realteks seems to strip away the VLAN tags).

Cheers !


EDIT:

Maybe the BSD gurus can help here. When I boot into the EFI shell, I can navigate to "fs0:" then "cd boot" and "ls" gives me two executables, "boot1.efi" and "loader.efi". When starting "loader.efi", I get this (see attachment).

Can someone explain what the issue is ?

« Last Edit: December 11, 2015, 01:03:58 pm by OK »
There is 10 sorts of people...

Offline OK

Re: Zotac ZBOX CI323 nano
« Reply #1 on: December 12, 2015, 05:49:28 am »
Never underestimate the danger of assumptions....

When I said that Legacy Boot is broken, this is true as long as there is an HD TFT display attached, at least the one I used via DisplayPort. Instant blank screen. BUT:

Using a good old analog VGA monitor, everything worked like a charm, using the memstick to run live or install to SSD.

The baby is now up and running, interfaces assigned, the VLANs work great (not like under the Windows I had running, where the Realtek driver looked like a pre-alpha PITA).

So happy !

The base config with 4 VLANs, manual outbound NAT and proxy ARP was set up in no time; I really start enjoying this.

CI321 compared to CI323:
2013 vs 2015
2 cores vs 4
11W vs 6W
16GB vs 8GB (only drawback)
no fans :)


Cheers !

almost the same price, currently
There is 10 sorts of people...

Offline tazmo

Re: Zotac ZBOX CI323 nano
« Reply #2 on: December 17, 2015, 10:27:13 pm »
Hi-

I too am looking at purchasing this box for my first pfsense router... 2 NICs, 4 cores, AES-NI support for OpenVPN, and inexpensive, make it very attractive (at least to me).

What about Wifi?

Have you tested OpenVPN throughput?

Anything more you could provide on the Zotac ZBOX CI323 would be greatly appreciated.

Thanks,
Bob

Offline OK

Re: Zotac ZBOX CI323 nano
« Reply #3 on: December 18, 2015, 01:48:18 am »
I bought the box with something different in mind, so I haven't built and measured VPNs yet. So sorry, no direct answer :)

Wireless does not seem to be supported at the moment, but I honestly didn't try very much and will pull the wireless cards out anyway - in my case I use it cable based only.

What I did though is run a hypervisor on it and then have pfSense in a VM. The reason for this is twofold: first, instant firewall recovery by using a cloned VM; second, utilizing the hardware (8GB, 4 cores) to run a second or third VM as a syslog server or a dedicated separate security box. Just in case something is not available as a package yet or for trying stuff out, like the Sophos UTM for example, while keeping the main firewall running and untouched.

ESXi is a nightmare and soooo picky about hardware; it didn't install, and I spent quite some time on it. That does not say much, but I gave up after trying most tips I found online.

Xen seems to work so far, 2 days uptime with no issues. However, I am unable to pass VLANs into pfSense, as the NICs are seen as xn0 instead of em0. Not a big issue as long as we're talking 7 VLANs or less, as one creates one xn interface per VLAN on the hypervisor, so the pfSense box sees just native, untagged frames.

So yes, running pfSense on this box is very well possible minus the WiFi, but that's from someone who has no interest in fixing the wireless part; there may be ways to get there.
There is 10 sorts of people...
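Whether VLAN segmentation holds up on this box comes down to one thing mentioned twice in the thread: does the 802.1Q tag survive to the firewall, or does a driver (the Windows Realtek driver) or a hypervisor (one untagged xn interface per VLAN) strip it first? The following is an added example, not code from the thread, from pfSense or from Zotac: it builds a few constructed Ethernet frames, parses the optional 802.1Q tag, and audits which frames still carry an expected VLAN ID. MAC addresses, VLAN IDs and payload bytes are constructed sample values.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, payload, vlan_id=None, pcp=0):
    """Assemble an Ethernet II frame carrying IPv4, with an optional 802.1Q tag.

    Constructed test helper so the parser below can be exercised offline;
    a firewall only receives such frames, it does not build them this way.
    """
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        # TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def parse_frame(frame):
    """Decode the Ethernet header; 'vlan' is None when the frame arrived untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        pcp = tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def audit_tags(frames, expected_vlans):
    """Classify frames seen on a trunk: expected VID, unexpected VID, or no tag at all.

    Untagged frames on a trunk port are the symptom of a tag-stripping driver
    (the segmentation silently collapses); unexpected VIDs mean the trunk carries
    VLANs the firewall was never configured for.
    """
    summary = {"expected": 0, "unexpected": [], "untagged": 0}
    for frame in frames:
        info = parse_frame(frame)
        if info["vlan"] is None:
            summary["untagged"] += 1
        elif info["vlan"] in expected_vlans:
            summary["expected"] += 1
        else:
            summary["unexpected"].append(info["vlan"])
    return summary


if __name__ == "__main__":
    # Constructed sample traffic: three tagged frames and one that lost its tag.
    ip_payload = bytes(46)  # placeholder IPv4 bytes; content is irrelevant to the tag check
    samples = [
        build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip_payload, vlan_id=10),
        build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip_payload, vlan_id=20, pcp=5),
        build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip_payload, vlan_id=99),
        build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip_payload),
    ]
    print(audit_tags(samples, expected_vlans={10, 20, 30, 40}))
```

On a real trunk the frames would come from a packet capture on the parent interface rather than from build_frame; the audit logic is the same, and a non-zero "untagged" count on a port that should only carry tagged traffic is the thing to investigate before trusting the VLAN rules.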

Offline tazmo

Re: Zotac ZBOX CI323 nano
« Reply #4 on: December 18, 2015, 11:49:57 am »
Thanks for the response... very interesting. One more question:

I can't seem to find what chipset the Gigabit ethernet cards use. I've looked a lot of places. It *seems* to be a Realtek card but I can't find a model number. I see you mention xn0 but that's a FreeBSD Xen NIC driver if I'm not mistaken...

Do you know what model it is?

Regardless, I just ordered one and of course, it's on backorder  >:(

Regardless, thanks for the response and I hope your Xen install continues to be a solid one...

Bob

Offline OK

Re: Zotac ZBOX CI323 nano
« Reply #5 on: December 19, 2015, 06:38:35 am »
Yes, it's a Realtek; using lspci from the XenServer console I see that they are recognized as

Realtek RTL8111/8168/8411

Xen uses kernel driver r8169 to access these devices.

While we're at it, lspci also finds the wireless card as an Intel Wireless 3160 but doesn't use it as a NIC from a XenServer perspective.

I will double check that from a bare metal pfsense installation and see what BSD makes of the hardware, but that will happen a few days down the road.
There is 10 sorts of people...

Offline securvark

Re: Zotac ZBOX CI323 nano
« Reply #6 on: January 26, 2016, 06:54:08 am »
Hey guys,

I'm about to take the plunge on this little box to build my own router and replace a TP-Link N750.

Any news on the WiFi, USB 3, Bluetooth and card reader?

Thanks!


Offline OK

Re: Zotac ZBOX CI323 nano
« Reply #7 on: January 27, 2016, 04:02:25 am »
To my shame I never continued to work in that direction, as my setup does not use anything but the cable-based NICs.

What I can say is that a config with XenServer as the host OS and pfSense on one of the VMs has run stable for about 4 weeks now, so unless you need WiFi, I'd recommend the box.

There is 10 sorts of people...

Offline interfasys

Re: Zotac ZBOX CI323 nano
« Reply #8 on: February 04, 2016, 06:29:42 pm »
  • The card reader does not work on 10.2 or 11
  • I've installed the OS from a USB3 stick, so that works
  • It's got enough power to compile your packages from ports or a kernel

There is one big caveat though: the NICs give up under load if you're using netmap. So you can't use that box as-is if you want to do IPS with Suricata until Suricata gets fixed to work with drivers which don't support netmap.

Offline rajl

Re: Zotac ZBOX CI323 nano
« Reply #9 on: February 05, 2016, 09:44:52 am »
Quote
  • The card reader does not work on 10.2 or 11
  • I've installed the OS from a USB3 stick, so that works
  • It's got enough power to compile your packages from ports or a kernel

There is one big caveat though: the NICs give up under load if you're using netmap. So you can't use that box as-is if you want to do IPS with Suricata until Suricata gets fixed to work with drivers which don't support netmap.

As an alternative, you can wait until the drivers do support netmap. From the netmap website:

Quote
Netmap-aware device drivers are needed to use netmap at high speed on ethernet ports.  To date, we have support for Intel ixgbe (10G), ixl (10/40G), e1000/e1000e/igb (1G), Realtek 8169 (1G) and Nvidia (1G). FreeBSD has also native netmap support in the Chelsio 10/40G cards.

I'm not sure what all is required for netmap support for Realtek RTL8111/8168/8411 versus Realtek 8169, but this could be a "simple" coding project for someone with the time if there are enough similarities between the 8168 and the 8169 drivers.

Offline rajl

Re: Zotac ZBOX CI323 nano
« Reply #10 on: February 05, 2016, 09:56:50 am »
I may stand corrected. I just browsed the Realtek driver and netmap driver code in the FreeBSD stable branch. It looks like all versions of the Realtek gigabit chipsets are supported by netmap in FreeBSD.

Offline interfasys

Re: Zotac ZBOX CI323 nano
« Reply #11 on: February 05, 2016, 11:00:20 am »
 ;)
That's correct, it's been "supported" from the start. If you read the code, you can see that performance is more akin to a half-gigabit NIC.

The lock-up problem has been reported upstream, and since there is sort of a workaround by using jumbo frames, I have hope it's something which can be fixed.

Offline rajl

Re: Zotac ZBOX CI323 nano
« Reply #12 on: February 05, 2016, 12:01:59 pm »
Quote
;)
That's correct, it's been "supported" from the start. If you read the code, you can see that performance is more akin to a half-gigabit NIC.

The lock-up problem has been reported upstream, and since there is sort of a workaround by using jumbo frames, I have hope it's something which can be fixed.

Unfortunately, my working knowledge of BSD driver code is good enough to tell if a feature is enabled, but not good enough to see that performance with netmap is around ~500 Mb/s instead of 1 Gb/s. Why is there such a performance hit for the Realtek using netmap?

A second question -- why does the Realtek lock up? And what is it about jumbo frames that keeps the Realtek from locking up? And, more importantly, would I have to enable jumbo frames for my entire network, or just on the Realtek interface of this particular device, in order to prevent the lockup from happening?

Offline interfasys

Re: Zotac ZBOX CI323 nano
« Reply #13 on: February 05, 2016, 04:03:29 pm »
Quote
Why is there such a performance hit for the Realtek using netmap?

I don't think it's related to netmap; it's either the chip or the driver, because of badly designed chips, bad documentation, a bad original driver (because of bad documentation), etc.

Quote
A second question -- why does the Realtek lock up? And what is it about jumbo frames that keeps the Realtek from locking up? And, more importantly, would I have to enable jumbo frames for my entire network, or just on the Realtek interface of this particular device, in order to prevent the lockup from happening?

My theory is that netmap overfills the card's buffer and at some point the card can't cope any more and we end up with interrupts piling up.
By turning on jumbo frames, the total number of mbufs is split equally between the 2 types of frames and the card only almost dies (dropping from 350 kpps to less than 100).
Ideally, you'd need your whole network to support 9k frames to be able to see the benefits, but if you just want the fix, you can just turn it on for the LAN interface. There will be side effects, so you should read about what happens when using large frames with equipment which doesn't support it.

Offline interfasys

Re: Zotac ZBOX CI323 nano
« Reply #14 on: February 05, 2016, 06:57:22 pm »
If jumbo frames don't work for you, you can use the emulated mode by setting "dev.netmap.admode" to 2. In my tests, I get the same throughput, but use a lot more CPU.