Zotac CI 321 Dual NIC Nano
-
Hi,
I'm looking to set up a dedicated pfsense box, here are my requirements:
1. I want to encrypt all my traffic with OpenVPN and ensure it can handle ~100mbps for a bit of future proofing of my internet speed.
2. I want as small a form factor as possible.
3. I want it as cheap as possible.
4. I want it to have dual NIC, not to mess with somehow getting another NIC into it.I was eye-ing the OEM Production 2550L2D - Dual Broadcomm NIC, Dual Core Atom 1.86Ghz. It fits the bill everything except 1 from what I've read.
http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007Now I see Zotac announced the ZBOX CI 321 which will be dual nic (unfortunately likely Realtek) and a 1.1 GHz Intel Celeron 2961Y dual-core “Haswell” processor.
http://www.anandtech.com/Gallery/Album/4187What are your thoughts about this ZBox handling 100mbps? I can't find any cheap boxes with recent hardware, it's either that old Atom or this new ZBOX from what I can find.
-
I actually found your post just because I was wondering myself about CI321 as a pfSense box. I can't find it for sale at the moment, but I think this would be a great all in one box to get pfSense running. Hopefully it's not too expensive. I see ci320 (1x NIC) is $135 on amazon.
-
Does seem to be available in the US: http://www.newegg.com/Product/Product.aspx?Item=N82E16883218044
interesting, I wonder if it's fanless -
-
Bit late to the party here but it won't do 100Mbps of OpenVPN. I would think 60-70 max.
Steve
-
The Newegg product is the CI320 which does not have Dual Ethernet, while the still interesting but yet unavailable for purchase CI321 does have Dual Ethernet … I think that it would be a great box, will have a lot of power compared to the 2550 series, etc. I have been using the J1900 processors with a lot of success. Zotac has finally posted an official page on their website now for the CI321 ...
http://www.zotac.com/products/mini-pcs/zbox-c-series/product/zbox-c-series/detail/zbox-ci321-nano-zbox-ci321nano.html
-
I found the ci321 on a german webpage (all though with an unknown delivery date) at €180 which is $193. Compared to that I payed the equivalent of $160 for the ci320 half a year ago, today the price of the ci320 seems to have risen to $183 where I'm at. So roughly the same price for the ci320 and ci321. Both the barebone configuration where you need to add ram and a system disk of some sort.
The ci320 is a brilliant little machine, I've fitted an ssd and it runs completely silent, no heat issues at all or anything. Adding a second nic seems to make it even more perfect, but for some odd reason they downgraded the n2930 1.8 GHz quad-core cpu in the ci320 to a 1.1 GHz Celeron 2961Y dual-core cpu in the ci321. Fewer cores, slower clock rate and higher energy consumption, I wonder what that's all about?
A bit unrelated, I'm running pfsense on my ci320 using vlan's on the single nic and paired with a Netgear GS105E switch. The E-version of the GS105 is a little gem, costs very little and is configurable so you can do port cloning for wireshark use, split the 5 ports into different vlan's and other stuff. Only issue is that the configuration software is windows only. If you go for the 8-port GS108E instead you get a web interface for configuring stuff, but it's also in a different price range. Once configured, the GS105E remembers it's settings so no need for windows on a daily basis.
I've rigged my GS105E to act like two separate switches in one. I've got port 1 connected to my ISP and port 2 to my pfsense. The switch tags all traffic to and from port 1 with a vlan tag and only allows it to reach port 2. When pfsense gets traffic with that tag it treats it as WAN traffic.
Local LAN traffic gets a different vlan tag from pfsense and the switch forwards that traffic to port 3, which is connected to my regular LAN switch.
I don't currently use port 4 and 5 for anything, but I could set them up to clone the traffic on port 3 if I wan't to sniff packets with wireshark or something.
So in essence my GS105E currently runs as two switches in one - one that connects port 1 and 2 and another that connects port 2 and 3 and keeps everything nice and separate. The nic in my ci320 functions as two separate nics depending on which vlan tag the packets have. A bit tricky to set up, but works as a charm.
-
That is an interesting idea, I totally forgot about the application of VLAN. I actually have the bigger brother GS108T switch that adds PoE and LACP. I guess I could do something similar if I end up with one port router box, however I am still lurking around for either CI321 or a Chinese dual Intel nic box with Celeron. I am just leery to buy direcly from aliexpress and wait for some local distributor to pick those up here in US.
-
I ordered a sample unit to test, it finally shipped last week and should be in this week. I understand that a May 2015 release date has been promised on the CI321 with a price around $140, still don't see it available anywhere else other than the German site mentioned above.
-
I contacted Zotac twice about the CI321 and they were worthless. They refused to answer when the item would reach distribution channels and kept directing me to contact a distributor. The distributors have no interest in talking to consumers who are buying single quantity products. So I'm getting ready to give up on Zotac and look for something else.
-
Another deficiency (though maybe not very important in case of pfSense) is that despite having two memory slots this box is configured for single channel operation.
Anyway, has anyone tried Zotac CI321 with pfSence yet?
-
Wondering if anyone else has used this box for pfSense yet as well.
-
There is a new ZBOX-CI323NANO from Zotac http://liliputing.com/2015/10/zotac-launches-mini-pcs-with-intel-braswell-chips.html
with Dual LAN and a Quad-Core Intel N3150 http://ark.intel.com/products/87258/Intel-Celeron-Processor-N3150-2M-Cache-up-to-2_08-GHz with AES-NI !! it should have plenty of Power for a Fast OpenVPN connection.
Greetings Auric
-
The ZBOX-CI321NANO-U is now for sale!
Amazon: https://www.amazon.com/gp/product/B00W8XXAJU
Newegg: http://www.newegg.com/Product/Product.aspx?Item=N82E16856173122People should take note of the 1 review currently on Newegg:
… Cons: NICs are realtek but I knew that buying it but one of the NICs will not auto-negotiate with a unmanaged switch defeating the purpose of the second NIC (was using PFSense on it). ...I'm currently buying one w/ 2x2GB memory, and an SSD (nothing lying around that'll work;) for my first pfSense venture anyway. If necessary I'll just manually set the speed on the port and life will be just fine (pretty sure I can do that, it's *nix afterall).
Here's hoping!
-
The ZBOX-CI321NANO-U is now for sale!
Amazon: https://www.amazon.com/gp/product/B00W8XXAJU
Newegg: http://www.newegg.com/Product/Product.aspx?Item=N82E16856173122People should take note of the 1 review currently on Newegg:
… Cons: NICs are realtek but I knew that buying it but one of the NICs will not auto-negotiate with a unmanaged switch defeating the purpose of the second NIC (was using PFSense on it). ...I'm currently buying one w/ 2x2GB memory, and an SSD (nothing lying around that'll work;) for my first pfSense venture anyway. If necessary I'll just manually set the speed on the port and life will be just fine (pretty sure I can do that, it's *nix afterall).
Here's hoping!
Hello, did you finally buy it ? Let me know if Pfsense works please, i want to buy this one
-
Hello, did you finally buy it ? Let me know if Pfsense works please, i want to buy this one
Had some nonsense w/ Amazon, the previously linked system came bare-bones. Had to return it and ordered the bare-bones version (~$70 less) +RAM/SSD (~$70); the Zotac system is taking forever to ship… Not past the estimated delivery date yet though, and Amazon warned me. System should be here Tuesday, but I probably won't get to touch it until the week after that.
I'll definitely update this thread when I know something. :)
-
The new Zotac CI323 previously mentioned is up for sale on Newegg: http://www.newegg.com/Product/Product.aspx?Item=N82E16856173128
Currently at ~$10 over what I paid for the 321 for more than 2x the compute power of the 321 w/ a ~40% reduction in TDP.
CI321 processor Intel spec. sheet: http://ark.intel.com/products/78943/Intel-Celeron-Processor-2961Y-2M-Cache-1_10-GHz
CI323 processor Intel spec. sheet: http://ark.intel.com/products/87258/Intel-Celeron-Processor-N3150-2M-Cache-up-to-2_08-GHzRather frustrating since the 321 just shipped today. -_-; Ah technology, you cruel cruel mistress.
Return it ("again"), and buy the 323 delaying the project for another week? That'll give me more headroom for doing interesting or different things with the box.
Buuuut it's going on a measly 3Mb DSL connection for traffic shaping & bandwidth monitoring. Guess I'll keep it, any input?
My goals:-
Have a learning experience.
-
Fairly and dynamically split the 3Mb connection into 4 logical groups (I expect only partial success).
-
Be a firewall.
-
Bandwidth usage monitoring (which group, what %). No clue if pfSense has this built in.
-
It'll be freaking cool
-
-
Well this second one seems to be better for the Intel Processor N3150 (Quad Core) keep us posted please, i'm waiting for your review to order mine Thanks !!
http://cpuboss.com/cpus/Intel-Celeron-N3150-vs-Intel-Celeron-2961Y -
Going w/ the Zotac CI321; decided I didn't want to wait any more. :)
Negative: No serial port. All configuration, management, and/or recovery will have to be performed via HDMI/DP connected display & USB connected keyboard, or SSH.
In other words, there is no low-level fall back recovery/configuration option (well, you could pull the drive…?).Booting pfSense on Zotac CI321:
Following pfSense's guide to creating a bootable USB drive: https://doc.pfsense.org/index.php/Writing_Disk_Images- Used pfSense-memstick-2.2.5-RELEASE-amd64.img.gz
-
- sha256 checksum verified
-
- used bs=512 instead of bs=1M due to fdisk reporting that my dive was using 512 chunks
Could not boot from USB. After playing w/ creating the bootable USB drive in different ways, finally found a PS2 to USB adaptor and got to look at the BIOS settings.
You will need to modify the BIOS Boot settings
- used bs=512 instead of bs=1M due to fdisk reporting that my dive was using 512 chunks
- 'Del' gets you into BIOS Settings
-
- Boot > Boot OS Selection: Set to Legacy Only (was set to uEFI Win8 by default IIRC).
-
-
- I made some other changes in there, so it's possible you'll have to poke around some more.
Now I could boot from the USB stick prepared according to pfSense directions linked above.
Notes: Quick boot was disabled by default.
Notes: "Intelligent" keyboards that take a long time to initialize (gaming keyboards) will most likely take too long to become available, and you won't be able to gain access to the BIOS. Have a basic USB keyboard available. There's a setting in the BIOS to increase the wait time for USB devices to initialize, I set mine to an insane 20 secs, could probably get away with 8. I'll worry about that later, the additional delay is worth increased reliability w/ my primary keyboard (assuming it works;).
- I made some other changes in there, so it's possible you'll have to poke around some more.
-
Installing pfSense on Zotac CI321:
See: https://doc.pfsense.org/index.php/Installing_pfSense
USB 2.0 boot drive was in a 3.0 front port.
Chose '1'/'Enter'. Boot Multi User.
Chose 'i' install pfSense when prompted.
(Was unable to change Video Font, Screenmap, nor Keymap.)
Chose Quick/Easy Install.
MUST: Choose Standard Kernal; lack of serial on the box makes the Embedded kernal (no VGA) a bad choice, my opinion.
Removed USB drive and restarted when prompted.1st Boot:
(My Zotac box is not connected to any network.
These are my answers, not a guide. Usefull for seeing what options pfSense makes available to you.
Disclamer: This is the first time I'm touching pfSense; I'm probably going to break something;)
Setup VLANs now [y|n]: N
WAN interface name a=auto-detect (re0 re1 or a): re0
LAN interface name (re1 a or nothing if finished): re1
Optional 1 interface name ( a or nothing if finished): [Return]
Confirm above config.CLI Config:
pfSense finished booting (LOL it plays happy music!) and then gives you some options. I did the following:
3) Reset webConfigurator password- Reset password to default. admin/pfsense
- Enable sshd
8 ) Shell
- Changed root account's password
- Shell's available: sh, csh, tcsh, others?
-
- No bash
-
- passwd lists /bin/sh as default for root acount
-
- passwd lists /etc/rc.initial as default for admin account
-
-
- runs /bin/tcsh if in recovery console mode
-
-
-
- is what creates that initial menu used above
-
- exit takes you back to numeric menu created by /etc/rc.initial
-
- Deduction: After boot you start as 'admin' account and choosing '8 ) Shell' is similar to typing su on a nomal *nix CLI.
-
- Choosing 8 ) Shell bypasses root password even after being set?
- Set interface(s) IP address
-
- Note: Configuring pfSense for shoving on my existing network for inital configuration.
- Set my LAN interface to a safe IP (not in use, outside of DHCP range) valid for my LAN.
- Subnet mask is set by CIDR notation, CIDR exaples for standard classful ranges are provided.
- Disabled DHCP for LAN
- Did not revert webConfigurator to HTTP (left as HTTPS)
- Reboot system
- Confirm (Plays shutdown music;)
- Config changes seem to be retained. Was never asked to save the above changes; all changes seem to be written to disk instantly. There isn't a 'backup' option in this menu, though there is a '15) Restore recent configuration' option; unsure of how this works.
webConfigurator initial setup:
Plugged pfSense box into (one of) my routers, and pulled up the webConfigurator.- Guessed that Ethernet port closest to antenna was re1; it was.
Logged in w/ default admin/pfsense, was greated by an initial configuration wizard. - hostname: bridgekeeper ;)
- Set DNS Servers (8.8.8.8, 8.8.4.4 for now)
- Set timeserver & timezone
- WAN Config
-
- DHCP
-
- All other fields left blank/default
- LAN Config
-
- Pre-filled w/ settings from earlier CLI config.
- Set Admin WebGUI Password (also for SSH)
- pfSense will 'reload' at this point.
System resource usage at this point:
MBUF Usage: 5% (1270/26584)
Temperature: 27.8°C
Load average: 0.01, 0.01, 0.00
CPU usage: 0%
Memory usage: 4% of 3984 MB
SWAP usage: 0% of 8191 MB
Disk usage: / (ufs): 1% of 50G
Disk usage: /var/run (ufs in RAM): 3% of 3.4MSystem Specs:
System: Zotac CI321: Intel 2961Y: 2 Thread, 2 Core, 1.1GHz: https://www.amazon.com/gp/product/B00W8XXAJU (http://ark.intel.com/products/78943/Intel-Celeron-Processor-2961Y-2M-Cache-1_10-GHz)
RAM: 2x Kingston KVR16LS11S6/2: 2GB, 204-SODIMM, DDR3L-1600, CL11: https://www.amazon.com/gp/product/B00HVTHQ4Q
SSD: ADATA SP600 ASP600S3-64GM-C: 64GB, SATA III, Synchronous NAND: https://www.amazon.com/gp/product/B009SX8WEQ
Total cost to me: $196.42Output from 'sysctl -a': https://bpaste.net/show/978ef8d843d6
Output from 'pciconf -lv': https://bpaste.net/show/11dd1f703c04More to follow…
-
Of course, while I was writing this post my connection to the internet flaked out again; and I clicked preview and lost everything. :/ Looks like an IP address change is the culprit:
Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: IP has changed, killing states on former IP 172.78.111.78. Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: ROUTING: setting default route to 74.42.148.214 Nov 14 06:18:46 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): PAYLOAD: ERROR: Invalid update URL (2) Nov 14 06:18:46 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): (Unknown Response) Nov 14 06:18:48 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): PAYLOAD: ERROR: Invalid update URL (2) Nov 14 06:18:48 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): (Unknown Response) Nov 14 06:18:49 php-fpm[71380]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN. Nov 14 06:18:49 php-fpm[71380]: /rc.newwanip: Creating rrd update script Nov 14 06:18:51 php-fpm[71380]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 172.78.1xx.xx -> 172.78.1yy.yy - Restarting packages. Nov 14 06:18:51 check_reload_status: Starting packages Nov 14 06:18:52 php-fpm[98867]: /rc.start_packages: Restarting/Starting all packagesI'll have to look into how to make pfSense handle this better, if that's possible.
ANYWAY
The experience so far: (fun)
I'm using the Zotac CI321 running pfSense. It seems to be working just fine, sans above flakyness. I had that earlier today after the new setup had replaced the ISP's provided modem/router/AP solution. It was bad enough I switched back to the ISP's device for a few hours (someone needed the internet:). I don't know if that was IP changes, or me poking around in pfSense's settings. I actually managed to lock myself out of the web GUI; even though I left the safety rules enabled. Still had SSH access though so I got it fixed. When I've had this new setup in place for some more time I'll give you a more definitive go ahead; if applicable.As to the review I quoted earlier, that said the Zotac CI321 running pfSense would only do 100Mbps. I can't say if this is true or not. Both of my interfaces have auto negotiated 100Mbps links, but the switch on the router/AP is only a 100Mbps link, and the other device is an ADSL 2+ modem where a 100Mbps link seems likely to be correct (why would it be higher?). Maybe tomorrow when I'm not thinking about climbing into bed I'll plug the Zotac box into something capable of gigabit speeds and see what happens. I guess I should have paid attention when I was preconfiguring it. : ) I can tell you that the pfSense web GUI will allow me to force 1000Mbps speeds on the interfaces. I don't know if that menu is adaptive to the hardware/drivers or not though. See: https://doc.pfsense.org/index.php/Forcing_Interface_Speed_or_Duplex_Settings
My Setup:
Frontier ADSL 2+ 3Mbit/~800bps D/U -> TP-LINK TD-8616 -> (re0 PPPoE) Zotac CI321, pfSense 2.2.5-RELEASE (re1) -> Linksys E2500, Bridged Mode, everything disabled -
From the previously linked sysctl -a output:
re0: <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet=""> port 0xe000-0xe0ff mem 0xf0104000-0xf0104fff,0xf0100000-0xf0103fff irq 19 at device 0.0 on pci3 re0: Using 1 MSI-X message re0: Chip rev. 0x2c800000 re0: MAC rev. 0x00100000 miibus0: <mii bus=""> on re0 rgephy0: <rtl8169s 8211="" 8110s="" 1000base-t="" media="" interface=""> PHY 1 on miibus0 rgephy0: none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow re0: Ethernet address: 00:01:2e:64:ee:d3 pcib4: <acpi pci-pci="" bridge=""> irq 16 at device 28.4 on pci0 pci4: <acpi pci="" bus=""> on pcib4 re1: <realtek 8111="" 8168="" b="" c="" cp="" d="" dp="" e="" f="" g="" pcie="" gigabit="" ethernet=""> port 0xd000-0xd0ff mem 0xf0004000-0xf0004fff,0xf0000000-0xf0003fff irq 16 at device 0.0 on pci4 re1: Using 1 MSI-X message re1: Chip rev. 0x2c800000 re1: MAC rev. 0x00100000 miibus1: <mii bus=""> on re1 rgephy1: <rtl8169s 8211="" 8110s="" 1000base-t="" media="" interface=""> PHY 1 on miibus1 rgephy1: none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow</rtl8169s></mii></realtek></acpi></acpi></rtl8169s></mii></realtek>This last line seems to match what the menu for forcing the interface speeds offered. So I'd bet that gigabit works just fine.