Bringing back my ZBOX CI323



  • It's almost a year since I abandoned this box (with pfSense). It had some trouble before because of the Realtek driver. So I turned this box into a Kodi machine, but the SSD failed after several months of usage. Now, I need a dependable firewall to manage my kids' net access. I currently have no SSD on hand, so I put in a 32Gig USB thumb drive and installed the latest version, 2.4.4. The machine is already running and I need to observe if the Realtek ethernets will behave well this time.

    I went back to the former postings regarding this box, and the solution that they found was the recompilation of the realtek driver v1.94 in freebsd 11.1. Now that the latest freebsd version on the machine is 11.2 and the latest realtek driver is v1.95, I don't have any idea if I need a recompilation of the driver.

    My questions are:

    1. Is there a way to find out if this latest pfSense 2.4.4 is using the latest Realtek driver?
    2. How do I diagnose my ethernets? Are they behaving well this time? What command(s) should I use?

    I have to wait and see if this machine is now stable with the current version.
    For those who are still using this box, kindly share some info.
    Any suggestions are very much appreciated.
    Thanks!


  • Netgate Administrator

    https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_4/sys/dev/re/if_re.c

    The Realtek driver is different to the one included in FreeBSD/pfSense.

    If it's misbehaving you will usually see watchdog timeout messages or complete loss of connectivity.

    See: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release

    Steve



  • Is your box working now?



  • @syserr_01

    So far it's behaving well. Currently, it is connected (inserted) to my existing LAN and two wired PCs are connected to it through a switch.



  • I was always able to force the watchdog timeouts with the built-in driver using iperf. You can set up the pfSense machine as either the client or the server; I usually set it up as the server (Diagnostics > iperf Server). Then you need another machine on your LAN to be the client. There are Windows binaries if you don't have any Linux hosts:
    https://iperf.fr/iperf-download.php
    You want original iperf, not iperf3. If you run the server with default options, then on a client machine you should just need to run:
    iperf -v <PFSENSE_IP>
    (where <PFSENSE_IP> is the IP address of the pfSense machine). Again, based on my historical experience, if you can get through several rounds of that, you should be good. Also there's a lot of evidence from other people running the official Realtek drivers on this machine that it's stable (I run two CI323s and they've been perfectly stable for years).


  • Netgate Administrator

    Interesting, does iperf3 not trigger it then?



  • I'd bet it would; I was just under the impression that FreeBSD only had iperf, and that iperf3 was not backwards compatible, but my information may be wrong. In other words, I was just trying to match versions between the client and server, rather than imply that the issue can only be reproduced using a specific version of iperf.


  • Netgate Administrator

    Ah, iperf3 is in our repo and is superior in a number of ways. There's a GUI package for it but it's pretty self-explanatory at the CLI:
    pkg install iperf3
    rehash

    Steve



  • @thenarc said in Bringing back my ZBOX CI323:

    I was always able to force the watchdog timeouts with the built-in driver using iperf. You can set up the pfSense machine as either the client or the server; I usually set it up as the server (Diagnostics > iperf Server). Then you need another machine on your LAN to be the client. There are Windows binaries if you don't have any Linux hosts:
    https://iperf.fr/iperf-download.php
    You want original iperf, not iperf3. If you run the server with default options, then on a client machine you should just need to run:
    iperf -v <PFSENSE_IP>
    (where <PFSENSE_IP> is the IP address of the pfSense machine). Again, based on my historical experience, if you can get through several rounds of that, you should be good. Also there's a lot of evidence from other people running the official Realtek drivers on this machine that it's stable (I run two CI323s and they've been perfectly stable for years).

    Windows 10 is currently installed on the two PCs. I am currently using iperf2 (I have some problems with iperf3). iperf -v <pf_Sense IP> returns only the version of the iperf being used. So I just use a simple command: iperf --port 5201 -c <pf_sense IP>. The bandwidth that I am getting is just 234 MBits/s (at most); the pfSense machine is the server.

    If I make the Windows 10 PC the server and the pfSense machine the client, the bandwidth that I can get is 634Mbits/s.

    Any idea about it?



  • What is the bandwidth setting for your upload limiter? I hadn't thought of that, but if you have a catch-all rule to place all inbound traffic (from the perspective of your LAN interface) into a limiter, then that's going to include the iperf traffic when your host is the client. When the pfsense machine is the client, then it originates the flow, and firewall rules aren't applied to traffic originating from the firewall itself, so it won't be placed into a limiter.



  • @thenarc said in Bringing back my ZBOX CI323:

    What is the bandwidth setting for your upload limiter? I hadn't thought of that, but if you have a catch-all rule to place all inbound traffic (from the perspective of your LAN interface) into a limiter, then that's going to include the iperf traffic when your host is the client. When the pfsense machine is the client, then it originates the flow, and firewall rules aren't applied to traffic originating from the firewall itself, so it won't be placed into a limiter.

    Where can I see the upload limiter? The pfSense in my box was newly installed, so there are no rules on the WAN, only on the LAN side (basic rule only). I created some In and Out limiters and tested them, but I just removed the rules associated with them.

    One more thing, where can I see the watchdog....?


  • Netgate Administrator

    The watchdog errors will be in the main system log if you see them.

    Steve
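
Added example, not part of the original thread or any poster's code: a small POSIX sh/awk filter that counts the watchdog timeout messages mentioned above, per re(4) interface, in syslog text read from stdin. The sample log lines, host name and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the style of FreeBSD kernel syslog output
# (illustrative only; not taken from the thread).
sample_log() {
cat <<'EOF'
Oct  3 21:14:02 pfSense kernel: re0: watchdog timeout
Oct  3 21:14:02 pfSense kernel: re0: link state changed to DOWN
Oct  3 21:14:06 pfSense kernel: re0: link state changed to UP
Oct  3 22:40:51 pfSense kernel: re1: watchdog timeout
Oct  3 22:41:10 pfSense kernel: re0: watchdog timeout
Oct  3 22:41:30 pfSense php-fpm[338]: /index.php: Successful login for user 'admin'
EOF
}

# Reads syslog text on stdin and prints one line per Realtek interface that
# logged a watchdog timeout or a link-down event:
#   <iface> watchdog=<count> link_down=<count>
# Interfaces handled by other drivers (em0, igb0, ...) are ignored.
re_health() {
    awk '
        match($0, /kernel: re[0-9]+: /) {
            # "kernel: " is 8 characters, the trailing ": " is 2.
            iface = substr($0, RSTART + 8, RLENGTH - 10)
            msg   = substr($0, RSTART + RLENGTH)
            if (msg ~ /^watchdog timeout/)           { wd[iface]++;   seen[iface] = 1 }
            if (msg ~ /^link state changed to DOWN/) { down[iface]++; seen[iface] = 1 }
        }
        END {
            for (i in seen)
                printf "%s watchdog=%d link_down=%d\n", i, wd[i], down[i]
        }
    ' | sort
}

# Stand-alone demo on the constructed sample.
sample_log | re_health
```

On a live firewall, feed the main system log into `re_health` instead of the sample. On pfSense 2.4.x that log is a circular file normally read with `clog /var/log/system.log`, which is an assumption about the installation and is not stated in the thread.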



  • @love-it-again Sorry, been in a lot of traffic shaping threads recently and didn't realize you weren't doing shaping. If you have no limiters set up, I'm not sure what would account for the dramatically different results you see when the pfSense machine acts as the iperf server versus client. You've run the tests enough times both ways to know that this is a consistent difference? If you had set up limiters before, it's probably worth double checking to make sure you really got rid of them. Firewall > Traffic Shaper > Limiters



  • @thenarc

    No limiters at all.

    As I said before, I am getting a bandwidth of 220 to 234 MBits/s using my Windows 10 PC as the client (192.168.2.100) and the pfSense box as the server (192.168.2.1). But when I used "iperf -c 192.168.2.1 -P 20" (20 parallel client connections) the total bandwidth is 630 to 660 Mbits/s, which is somewhat near the results when I make the PC the server and the pfSense box the client. Increasing the number on -P will not increase the bandwidth anymore. It seems I cannot get a gigabit connection.



  • It may be worth trying with UDP mode too. I just did that and got a little above 700Mbps. I wouldn't be shocked if it's just not possible to do much better than that with these Realtek NICs.