Zotac CI 321 Dual NIC Nano
-
Another deficiency (though maybe not very important in case of pfSense) is that despite having two memory slots this box is configured for single channel operation.
Anyway, has anyone tried Zotac CI321 with pfSense yet?
-
Wondering if anyone else has used this box for pfSense yet as well.
-
There is a new ZBOX-CI323NANO from Zotac http://liliputing.com/2015/10/zotac-launches-mini-pcs-with-intel-braswell-chips.html
with Dual LAN and a Quad-Core Intel N3150 http://ark.intel.com/products/87258/Intel-Celeron-Processor-N3150-2M-Cache-up-to-2_08-GHz with AES-NI !! it should have plenty of Power for a Fast OpenVPN connection.
Greetings Auric
-
The ZBOX-CI321NANO-U is now for sale!
Amazon: https://www.amazon.com/gp/product/B00W8XXAJU
Newegg: http://www.newegg.com/Product/Product.aspx?Item=N82E16856173122
People should take note of the 1 review currently on Newegg:
… Cons: NICs are realtek but I knew that buying it but one of the NICs will not auto-negotiate with a unmanaged switch defeating the purpose of the second NIC (was using PFSense on it). ...
I'm currently buying one w/ 2x2GB memory, and an SSD (nothing lying around that'll work;) for my first pfSense venture anyway. If necessary I'll just manually set the speed on the port and life will be just fine (pretty sure I can do that, it's *nix after all).
Here's hoping!
-
Hello, did you finally buy it? Let me know if pfSense works please, I want to buy this one.
-
Had some nonsense w/ Amazon, the previously linked system came bare-bones. Had to return it and ordered the bare-bones version (~$70 less) +RAM/SSD (~$70); the Zotac system is taking forever to ship… Not past the estimated delivery date yet though, and Amazon warned me. System should be here Tuesday, but I probably won't get to touch it until the week after that.
I'll definitely update this thread when I know something. :)
-
The new Zotac CI323 previously mentioned is up for sale on Newegg: http://www.newegg.com/Product/Product.aspx?Item=N82E16856173128
Currently at ~$10 over what I paid for the 321 for more than 2x the compute power of the 321 w/ a ~40% reduction in TDP.
CI321 processor Intel spec. sheet: http://ark.intel.com/products/78943/Intel-Celeron-Processor-2961Y-2M-Cache-1_10-GHz
CI323 processor Intel spec. sheet: http://ark.intel.com/products/87258/Intel-Celeron-Processor-N3150-2M-Cache-up-to-2_08-GHz
Rather frustrating since the 321 just shipped today. -_-; Ah technology, you cruel cruel mistress.
Return it ("again"), and buy the 323 delaying the project for another week? That'll give me more headroom for doing interesting or different things with the box.
Buuuut it's going on a measly 3Mb DSL connection for traffic shaping & bandwidth monitoring. Guess I'll keep it, any input?
My goals:
- Have a learning experience.
- Fairly and dynamically split the 3Mb connection into 4 logical groups (I expect only partial success).
- Be a firewall.
- Bandwidth usage monitoring (which group, what %). No clue if pfSense has this built in.
- It'll be freaking cool
-
Well, this second one seems to be better for the Intel Processor N3150 (Quad Core). Keep us posted please, I'm waiting for your review to order mine. Thanks!!
http://cpuboss.com/cpus/Intel-Celeron-N3150-vs-Intel-Celeron-2961Y
-
Going w/ the Zotac CI321; decided I didn't want to wait any more. :)
Negative: No serial port. All configuration, management, and/or recovery will have to be performed via HDMI/DP connected display & USB connected keyboard, or SSH.
In other words, there is no low-level fall back recovery/configuration option (well, you could pull the drive…?).
Booting pfSense on Zotac CI321:
Following pfSense's guide to creating a bootable USB drive: https://doc.pfsense.org/index.php/Writing_Disk_Images
- Used pfSense-memstick-2.2.5-RELEASE-amd64.img.gz
  - sha256 checksum verified
  - used bs=512 instead of bs=1M due to fdisk reporting that my drive was using 512 chunks
Could not boot from USB. After playing w/ creating the bootable USB drive in different ways, finally found a PS2 to USB adaptor and got to look at the BIOS settings.
You will need to modify the BIOS Boot settings
- 'Del' gets you into BIOS Settings
  - Boot > Boot OS Selection: Set to Legacy Only (was set to uEFI Win8 by default IIRC).
  - I made some other changes in there, so it's possible you'll have to poke around some more.
Now I could boot from the USB stick prepared according to pfSense directions linked above.
Notes: Quick boot was disabled by default.
Notes: "Intelligent" keyboards that take a long time to initialize (gaming keyboards) will most likely take too long to become available, and you won't be able to gain access to the BIOS. Have a basic USB keyboard available. There's a setting in the BIOS to increase the wait time for USB devices to initialize, I set mine to an insane 20 secs, could probably get away with 8. I'll worry about that later, the additional delay is worth increased reliability w/ my primary keyboard (assuming it works;).
-
Installing pfSense on Zotac CI321:
See: https://doc.pfsense.org/index.php/Installing_pfSense
USB 2.0 boot drive was in a 3.0 front port.
Chose '1'/'Enter'. Boot Multi User.
Chose 'i' install pfSense when prompted.
(Was unable to change Video Font, Screenmap, nor Keymap.)
Chose Quick/Easy Install.
MUST: Choose Standard Kernel; lack of serial on the box makes the Embedded kernel (no VGA) a bad choice, my opinion.
Removed USB drive and restarted when prompted.
1st Boot:
(My Zotac box is not connected to any network.
These are my answers, not a guide. Useful for seeing what options pfSense makes available to you.
Disclaimer: This is the first time I'm touching pfSense; I'm probably going to break something;)
Setup VLANs now [y|n]: N
WAN interface name a=auto-detect (re0 re1 or a): re0
LAN interface name (re1 a or nothing if finished): re1
Optional 1 interface name ( a or nothing if finished): [Return]
Confirm above config.
CLI Config:
pfSense finished booting (LOL it plays happy music!) and then gives you some options. I did the following:
3) Reset webConfigurator password
  - Reset password to default. admin/pfsense
- Enable sshd
8 ) Shell
  - Changed root account's password
  - Shells available: sh, csh, tcsh, others?
    - No bash
  - passwd lists /bin/sh as default for root account
  - passwd lists /etc/rc.initial as default for admin account
    - runs /bin/tcsh if in recovery console mode
    - is what creates that initial menu used above
  - exit takes you back to numeric menu created by /etc/rc.initial
  - Deduction: After boot you start as 'admin' account and choosing '8 ) Shell' is similar to typing su on a normal *nix CLI.
    - Choosing 8 ) Shell bypasses root password even after being set?
- Set interface(s) IP address
  - Note: Configuring pfSense for shoving on my existing network for initial configuration.
  - Set my LAN interface to a safe IP (not in use, outside of DHCP range) valid for my LAN.
  - Subnet mask is set by CIDR notation, CIDR examples for standard classful ranges are provided.
  - Disabled DHCP for LAN
  - Did not revert webConfigurator to HTTP (left as HTTPS)
- Reboot system
  - Confirm (Plays shutdown music;)
  - Config changes seem to be retained. Was never asked to save the above changes; all changes seem to be written to disk instantly. There isn't a 'backup' option in this menu, though there is a '15) Restore recent configuration' option; unsure of how this works.
webConfigurator initial setup:
Plugged pfSense box into (one of) my routers, and pulled up the webConfigurator.
- Guessed that Ethernet port closest to antenna was re1; it was.
Logged in w/ default admin/pfsense, was greeted by an initial configuration wizard.
- hostname: bridgekeeper ;)
- Set DNS Servers (8.8.8.8, 8.8.4.4 for now)
- Set timeserver & timezone
- WAN Config
  - DHCP
  - All other fields left blank/default
- LAN Config
  - Pre-filled w/ settings from earlier CLI config.
- Set Admin WebGUI Password (also for SSH)
- pfSense will 'reload' at this point.
System resource usage at this point:
MBUF Usage: 5% (1270/26584)
Temperature: 27.8°C
Load average: 0.01, 0.01, 0.00
CPU usage: 0%
Memory usage: 4% of 3984 MB
SWAP usage: 0% of 8191 MB
Disk usage: / (ufs): 1% of 50G
Disk usage: /var/run (ufs in RAM): 3% of 3.4M
System Specs:
System: Zotac CI321: Intel 2961Y: 2 Thread, 2 Core, 1.1GHz: https://www.amazon.com/gp/product/B00W8XXAJU (http://ark.intel.com/products/78943/Intel-Celeron-Processor-2961Y-2M-Cache-1_10-GHz)
RAM: 2x Kingston KVR16LS11S6/2: 2GB, 204-SODIMM, DDR3L-1600, CL11: https://www.amazon.com/gp/product/B00HVTHQ4Q
SSD: ADATA SP600 ASP600S3-64GM-C: 64GB, SATA III, Synchronous NAND: https://www.amazon.com/gp/product/B009SX8WEQ
Total cost to me: $196.42
Output from 'sysctl -a': https://bpaste.net/show/978ef8d843d6
Output from 'pciconf -lv': https://bpaste.net/show/11dd1f703c04
More to follow…
-
Of course, while I was writing this post my connection to the internet flaked out again; and I clicked preview and lost everything. :/ Looks like an IP address change is the culprit:
Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: IP has changed, killing states on former IP 172.78.111.78.
Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: ROUTING: setting default route to 74.42.148.214
Nov 14 06:18:46 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): PAYLOAD: ERROR: Invalid update URL (2)
Nov 14 06:18:46 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): (Unknown Response)
Nov 14 06:18:48 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): PAYLOAD: ERROR: Invalid update URL (2)
Nov 14 06:18:48 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): (Unknown Response)
Nov 14 06:18:49 php-fpm[71380]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Nov 14 06:18:49 php-fpm[71380]: /rc.newwanip: Creating rrd update script
Nov 14 06:18:51 php-fpm[71380]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 172.78.1xx.xx -> 172.78.1yy.yy - Restarting packages.
Nov 14 06:18:51 check_reload_status: Starting packages
Nov 14 06:18:52 php-fpm[98867]: /rc.start_packages: Restarting/Starting all packages
I'll have to look into how to make pfSense handle this better, if that's possible.
ANYWAY
The experience so far: (fun)
I'm using the Zotac CI321 running pfSense. It seems to be working just fine, sans above flakiness. I had that earlier today after the new setup had replaced the ISP's provided modem/router/AP solution. It was bad enough I switched back to the ISP's device for a few hours (someone needed the internet:). I don't know if that was IP changes, or me poking around in pfSense's settings. I actually managed to lock myself out of the web GUI; even though I left the safety rules enabled. Still had SSH access though so I got it fixed. When I've had this new setup in place for some more time I'll give you a more definitive go ahead; if applicable.
As to the review I quoted earlier, that said the Zotac CI321 running pfSense would only do 100Mbps. I can't say if this is true or not. Both of my interfaces have auto negotiated 100Mbps links, but the switch on the router/AP is only a 100Mbps link, and the other device is an ADSL 2+ modem where a 100Mbps link seems likely to be correct (why would it be higher?). Maybe tomorrow when I'm not thinking about climbing into bed I'll plug the Zotac box into something capable of gigabit speeds and see what happens. I guess I should have paid attention when I was preconfiguring it. : ) I can tell you that the pfSense web GUI will allow me to force 1000Mbps speeds on the interfaces. I don't know if that menu is adaptive to the hardware/drivers or not though. See: https://doc.pfsense.org/index.php/Forcing_Interface_Speed_or_Duplex_Settings
My Setup:
Frontier ADSL 2+ 3Mbit/~800bps D/U -> TP-LINK TD-8616 -> (re0 PPPoE) Zotac CI321, pfSense 2.2.5-RELEASE (re1) -> Linksys E2500, Bridged Mode, everything disabled
-
From the previously linked sysctl -a output:
re0: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xe000-0xe0ff mem 0xf0104000-0xf0104fff,0xf0100000-0xf0103fff irq 19 at device 0.0 on pci3
re0: Using 1 MSI-X message
re0: Chip rev. 0x2c800000
re0: MAC rev. 0x00100000
miibus0: <MII bus> on re0
rgephy0: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 1 on miibus0
rgephy0: none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
re0: Ethernet address: 00:01:2e:64:ee:d3
pcib4: <ACPI PCI-PCI bridge> irq 16 at device 28.4 on pci0
pci4: <ACPI PCI bus> on pcib4
re1: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xd000-0xd0ff mem 0xf0004000-0xf0004fff,0xf0000000-0xf0003fff irq 16 at device 0.0 on pci4
re1: Using 1 MSI-X message
re1: Chip rev. 0x2c800000
re1: MAC rev. 0x00100000
miibus1: <MII bus> on re1
rgephy1: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 1 on miibus1
rgephy1: none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
This last line seems to match what the menu for forcing the interface speeds offered. So I'd bet that gigabit works just fine.
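Added example, not part of the original posts: a way to summarise the /rc.newwanip log lines quoted earlier in this thread, reporting each WAN IP change and whether a phpDynDNS error followed it (which leaves the dynamic DNS name pointing at the old address). The sample log is constructed; its message formats follow the excerpt and its addresses are documentation ranges.

```shell
#!/bin/sh
# Added example: summarise WAN IP changes from pfSense system log lines on stdin.
# For each "/rc.newwanip: IP has changed" event, report whether a phpDynDNS
# error was logged before the next event.
wan_change_report() {
    awk '
        function emit() {
            if (ts != "") {
                printf "%s former=%s dyndns=%s\n", ts, former, (failed ? "FAILED" : "no_error_logged")
            }
        }
        /\/rc\.newwanip: IP has changed/ {
            emit()
            ts = $1 " " $2 " " $3      # syslog timestamp (no year)
            former = $NF
            sub(/\.$/, "", former)     # drop the sentence-ending dot
            failed = 0
            next
        }
        /phpDynDNS/ && /ERROR/ { if (ts != "") failed = 1 }
        END { emit() }
    '
}

# Constructed sample input (not the poster's log).
sample_log() {
    cat <<'EOF'
Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: IP has changed, killing states on former IP 203.0.113.10.
Nov 14 06:18:41 php-fpm[71380]: /rc.newwanip: ROUTING: setting default route to 198.51.100.1
Nov 14 06:18:46 php-fpm[71380]: /rc.newwanip: phpDynDNS (Redacted): PAYLOAD: ERROR: Invalid update URL (2)
Nov 14 06:18:49 php-fpm[71380]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Nov 14 09:02:10 php-fpm[71380]: /rc.newwanip: IP has changed, killing states on former IP 203.0.113.77.
Nov 14 09:02:15 php-fpm[71380]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
EOF
}

# Number of IP-change events that were followed by a DynDNS error.
failed_updates() {
    wan_change_report | grep -c 'dyndns=FAILED$' || true
}

# Stand-alone use: ./wanreport.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_log | wan_change_report
fi
```

On a real box, feed it the system log instead of `sample_log`; a non-zero `failed_updates` count means the DynDNS record went stale at least once.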
-
Conclusion
I believe I can say without hesitation, that the Zotac CI321 is entirely capable of being a basic pfSense appliance. The below graphs, taken directly from pfSense, should make that fairly obvious. The load average seems to (almost) always be below .1 for 1, 5, and 15 minute averages. The temperature seems to stay between 50 & 55 degrees C. (As reported by pfSense's System Information.)
I cannot say what the limitations of this fanless system will be, or how many additional features/applications/packages can be implemented on it w/out causing issue.
While I have had some issues with WAN disconnections since implementing my new network solution; I do not believe that the Zotac CI321 is responsible. I believe the issue is either that my ISP is irritated with me removing their solution (to which they seemed to have root access), or something in how I've configured the modem or pfSense box. (Example: disconnections have decreased since disabling gateway monitoring, which had been pinging the gateway once every second.)
With that said, I would not buy the CI321 again. As previously mentioned, Zotac has since released the CI323. That system, spec wise, is significantly better for an extremely minor increase in cost (at the time). Considering the success of this system, I would feel reasonably comfortable assuming the CI323 will also be compatible.
Caveats:
- I have not attempted to use the included WiFi or Bluetooth. In pfSense, under Interfaces > (assign) > Wireless the Parent Interface drop-down is not populated. I have made absolutely no attempt to get the wireless NIC to work; I have no interest in it. See the sysctl or pciconf output in one of my earlier posts to determine if this interface is compatible with pfSense/FreeBSD.
- You have to change the Boot Mode option in the UEFI BIOS before the CI321 will boot something other than Windows. See random YouTube video of the BIOS I found: https://www.youtube.com/watch?v=Cznx10PqoR0
Hope this helps! Feel free to ask me questions about this device, or for some specific output (provide instructions, just in case).
[RRD graphs, 8 hour period, 1 minute average: Throughput, States, Processor, Memory, Mbuf Clusters]
[RRD graphs, 1 week period, 1 hour average: Throughput, States, Processor, Memory, Mbuf Clusters]
-
can you try with the ac wifi?
just want to know if it works & the performance of 1T1R
thanks
-
Well, this is a very interesting topic to read. This is also the main reason I bought a CI323, so I can install pfSense on it.
When I receive my order I will start a topic with my findings; it will be a setup with an OpenWRT router and several VLANs.
Somebody that has this kind of setup?
-
I have this kind of setup. While waiting for a suitable box, which now is looking like the ci323, I've been running pfsense very comfortably in a VM. I have an Asus n66u running Tomato/shibby that acts as an access point and backup router.
The cable modem is vlan'd onto a switch and serves one public IP to the AP and one public IP to pfsense on the VM, soon to be a box like the 323.
The router runs a heartbeat script against pfsense such that if the VM goes down, within one minute the router will create a virtual interface matching the IP of pfsense so that devices continue to function transparently. When the VM comes back up, the router will tear down the interface and all is well again. Dhcp is not a problem because the ap is responsible for that, not pfsense. The heartbeat is on an aliased IP of pfsense.
I needed vlans to achieve this. I also experimented with vlans in case I had to settle on a box with one nic. This works perfectly also.
To tell you the truth, the VM setup is working so well, I'm questioning getting a box, especially with this redundancy in place.
-
Well that sounds interesting, did you make the heartbeat script?
Sounds like a homebrew way to provide a FHRP.
-
That's right, it's a bash script that executes as a cron job on the router. It simply sets up or tears down that virtual interface depending on the result of a ping every minute.
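The heartbeat failover described in the posts above, written out as an added example; this is not the poster's script, and the addresses, interface name and cron path are placeholder assumptions. It pings the aliased heartbeat IP rather than the service IP, because once the router holds the service IP a ping to it would be answered by the router itself.

```shell
#!/bin/sh
# Added example: heartbeat failover for a backup router (not the poster's script).
# All addresses and the interface name below are placeholders (assumptions).
: "${HEARTBEAT_IP:=192.0.2.2}"   # aliased IP on pfSense, only ever pinged
: "${SERVICE_IP:=192.0.2.1}"     # pfSense IP that clients use as their gateway
: "${PREFIX_LEN:=24}"
: "${IFACE:=br0}"                # LAN bridge on the backup router

# pfSense counts as up if any of three pings to the heartbeat alias is answered.
pfsense_alive() {
    ping -c 3 -W 2 "$HEARTBEAT_IP" >/dev/null 2>&1
}

# True when this router currently holds the service IP.
alias_present() {
    ip -4 addr show dev "$IFACE" 2>/dev/null | grep -qF "inet $SERVICE_IP/"
}

# One cron tick. Sets HB_ACTION to ok, takeover, holding or released.
heartbeat_once() {
    if pfsense_alive; then
        if alias_present; then
            # pfSense is back: release the address so two hosts never answer for it.
            ip addr del "$SERVICE_IP/$PREFIX_LEN" dev "$IFACE"
            HB_ACTION=released
        else
            HB_ACTION=ok
        fi
    elif alias_present; then
        HB_ACTION=holding
    else
        # Clients may keep the old MAC cached until their ARP entry expires.
        ip addr add "$SERVICE_IP/$PREFIX_LEN" dev "$IFACE"
        HB_ACTION=takeover
    fi
    # Log state changes only, so every takeover and release leaves a trace.
    case "$HB_ACTION" in
        takeover|released)
            logger -t pf-heartbeat "$HB_ACTION $SERVICE_IP on $IFACE" 2>/dev/null || true ;;
    esac
    return 0
}

# Example cron entry (path is an assumption): * * * * * /jffs/heartbeat.sh --run
if [ "${1:-}" = "--run" ]; then
    heartbeat_once
fi
```

While the router holds the address, traffic is filtered by the router's own rules rather than pfSense's, so the router's firewall configuration is the fallback policy.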
-
How are you guys doing with the CI323, I was about to order one on Amazon for 149 barebones, but I am just doing one last round of research. The processor should be great, just wondering about the NICs. I have tried to find an N3150 with Intel NICs, but it was not very fruitful.