Zotac ZBOX CI323 nano
-
To my shame I never continued to work in that direction, as my setup does not use anything but the cable-based NICs.
What I can say is that a config with Xenserver as the HostOS and pfsense on one of the VMs runs stable for about 4 weeks now, so unless you need WiFi, I´d recommend the box.
-
-
The card reader does not work on 10.2 or 11
-
I've installed the OS from a USB3 stick, so that works
-
It's got enough power to compile your packages from ports or a kernel
There is one big caveat though: The NICs give up under load if you're using netmap. So you can't use that box as-is if you want to do IPs with Suricata until Suricata gets fixed to work with drivers which don't support netmap.
-
-
-
The card reader does not work on 10.2 or 11
-
I've installed the OS from a USB3 stick, so that works
-
It's got enough power to compile your packages from ports or a kernel
There is one big caveat though: The NICs give up under load if you're using netmap. So you can't use that box as-is if you want to do IPs with Suricata until Suricata gets fixed to work with drivers which don't support netmap.
As an alternative, you can wait until the drivers do support netmap. From the netmap website:
Netmap-aware device drivers are needed to use netmap at high speed on ethernet ports. To date, we have support for Intel ixgbe (10G), ixl (10/40G), e1000/e1000e/igb (1G), Realtek 8169 (1G) and Nvidia (1G). FreeBSD has also native netmap support in the Chelsio 10/40G cards.
I'm not sure what all is required for netmap support for Realtek RTL8111/8168/8411 versus Realtek 8169, but this could be a "simple" coding project for someone with the time if there are enough similarities between the 8168 and the 8169 drivers.
-
-
I may stand corrected. I just browsed the Realtek driver and netmap driver code in the FreeBSD stable branch. It looks like all versions of the Realtek gigabit chipsets are are supported by netmap in FreeBSD.
-
;)
That's correct, it's been "supported" from the start. If you read the code, you can see that performance is more akin to a half-gigabit NIC.The lock up problem has been reported upstream and since there is sort of a workaround by using jumbo frames, I have hope it's something which can be fixed.
-
;)
That's correct, it's been "supported" from the start. If you read the code, you can see that performance is more akin to a half-gigabit NIC.The lock up problem has been reported upstream and since there is sort of a workaround by using jumbo frames, I have hope it's something which can be fixed.
Unfortunately, my working knowledge of BSD driver code is good enough to tell if a feature is enable, but not good enough to see that performance with netmap is around ~500 Mb/s instead of 1Gb/s. Why is there such a performance hit for the Realtek using netmap?
A second question – why does the Realtek lock up? And what is it about jumbo frames the keeps the Realtek from locking up? And, more importantly, would I have to enable jumbo frames for my entire network, or just on the Realtek interface of this particular device in order to prevent the lockup from happening?
-
Why is there such a performance hit for the Realtek using netmap?
I don't think it's related to netmap, it's either the chip or the driver, because of badly designed chips, bad documentation, bad original driver (because of bad documentation), etc.
A second question – why does the Realtek lock up? And what is it about jumbo frames the keeps the Realtek from locking up? And, more importantly, would I have to enable jumbo frames for my entire network, or just on the Realtek interface of this particular device in order to prevent the lockup from happening?
My theory is that netmap overfills the card's buffer and at some point the card can't cope any more and we end up with interrupts piling up.
By turning on jumbo frames, the total number of mbufs is split equally between the 2 types of frames and the card only almost dies (dropping from 350kpps to less than a 100).
Ideally, you'd need all your network to support 9k frames to be able to see the benefits, but if you just want the fix, you can just turn it on for the LAN interface. There will be side effects and so, you should read about what happens when using large frames with equipment which doesn't support it. -
If jumbo frames don't work for you, you can use the emulated mode by setting "dev.netmap.admode" to 2. In my tests, I get the same throughput, but use a lot more CPU.
-
Interesting. Have you tested the same chip with another OS that supports netmap? I know Linux has different drivers and supports netmap. If Linux exhibits the same or similar behavior, then the problem is with the chip itself most likely. If Linux runs better, then the problem is probably with the BSD code (and likely fixable).
-
Interesting. Have you tested the same chip with another OS that supports netmap? I know Linux has different drivers and supports netmap. If Linux exhibits the same or similar behavior, then the problem is with the chip itself most likely. If Linux runs better, then the problem is probably with the BSD code (and likely fixable).
Not yet. I need to boot into IPFire or something and apply the same pkt-gen test
-
Interesting. Have you tested the same chip with another OS that supports netmap? I know Linux has different drivers and supports netmap. If Linux exhibits the same or similar behavior, then the problem is with the chip itself most likely. If Linux runs better, then the problem is probably with the BSD code (and likely fixable).
Not yet. I need to boot into IPFire or something and apply the same pkt-gen test
Well, if you end up testing it out, let me know. I would be interested in the results. I just bought one of these things to use as my first PFSense box, but am a little concerned after reading this thread. But maybe I shouldn't be since I was planning on using Snort instead of Suratica (unless Snort uses netmap also and I am just unaware).
-
netmap is the future, for IPS or just packet forwarding with netmap-fw. I'm sure the problem will be fixed eventually. It could simply be a problem with the 8111G revision. FreeNAS users had similar issues a few years back and were forced to use the Realtek drivers while waiting for a fix, so I think it will just be a matter of being patient (or paying someone to fix the problem).
-
I've bought the same Zbox (CI323). I would like to do the same thing: Install XenServer and install pfSense or rather Sophos UTM in a VM.
However, I've a probably simple (noob) question: When you install XenServer, you need to specify an IP address etc. But the VM inside this machine is going to be my router, so how is that going to work?
Can anybody help me?
-
Not sure. But this question is probably better answered by the guys who hang out in the Virtualization sub-thread. Those guys use Xen-Server and VMWare all the time.
-
Thanks a lot! I've a look at that!
-
Really following this thread for the updates, I'm about to purchase one of these boxes for the same purpose as most here 'pfsense' guess I'll be using xenserver if exsi 6.0 doesn't work with the hardware yet was hoping it would
Main role will be openvpn client/pia plus a PBX voice server with the use of a vlan switch and exclude the VPN to just a certain IP range
had hopes of using wireless without having to bridge another router
I don't have any issues with replacing the actual WiFi card with one that works I just need advice on which wireless card to use looking to use dual band ac 1200/ I see a lot of people can't get theirs to work either. Are most of the conflicts just driver support not up to date yet.. -
I'm waiting for PFSense 2.3 to hit release before putting this Zotac through it's paces. However, PFSense 2.3 probably won't hit release until FreeBSD 10.3 is released at the end of March. I'll be happy to report my experiences on this thread when I do. However, I would not anticipate any problems. The hardware is well supported and the only potential issue is using netmap with Suricata on this device (I am more of a Snort guy).
-
Hey guys! I bought a Zotac CI-323 and have had the same experience as OP. Need to make this into a wireless router/dns sinkhole. I can boot pfsense daily without issue, I just dont know how to set this up entirely.
-
Hi guys. I just purchased this box as well. How long did you guys wait before it got to your house?
As far as ESXi 6 and realtek driver it seem this has been fixed by injecting net55-r8168 driver into esxi iso image before installing. If you can confirm that this works would be great
.
http://www.v-front.de/2015/03/vsphere-6-is-ga-ultimate-guide-to.htmlRealtek 8168 and VMware 6.0 :
net55-r8168-8.039.01-napi.x86_64.vib
I've also read some threads of some random disconnect in other thread on pfsense forum but that also seem to be fixed. I'm assuing you it's smooth sailing for you guys since it's been a while since you guys posted.
Looking forward to feedback on this box and hoping to get it soon. Hope you guys can assist me if i run into trouble he he.
-
Hi.
So, did anybody done some performance tests on this little thing? (pfsense, FreeBSD, Linux, doesn't matter for me).
I am thinking about getting one, but I would like for it to be able to do IPv4 NAT + IPv6 at full gigabit speed (at ~1KB packets) between two ports. Was somembody able to do this? What was the CPU load?
Thanks!
