10Gig connection through 1Gig NIC firewall rules

You don’t/can’t. If you want more than 1Gb you should put the PC and NAS in the same VLAN/subnet.

If you had a managed 10Gb switch, port aggregation might let you have 2+ Gbps with multiple clients, but each client would still be 1Gb.


Not sure of your hardware, but I think it is unlikely that the pfSense would manage to do more than 1Gb throughput in the first place. Best option is to put both devices on the same vlan even if it is a secondary one.

So as long as I keep them on the same VLAN, it doesn't matter if the firewall has a 1 gig connection?

Assuming they are also in the same subnet, which is normally what you do with a VLAN, then yes.

As long as it's the same VLAN and subnet, you would get a 10 gig link since they are talking via layer 2 across the switch. If it has to be routed (layer 3) to another VLAN or subnet, the interface on the router bottlenecks you.

A VLAN or multiple VLANs will not have any effect on how much data you can send down the pipe. It would be like trying to connect three garden hoses to a fire hydrant. Sure, you can bind your NICs, but there are cons to doing that. Is your pfSense a Netgate appliance or did you build your own? While I do not have the specifics for your project or the reason for using a 10g switch, unless it's something you had lying around or got for free, you would be better off using Netgate's TNSR. Its purpose is high performance routing. You can get their TNSR Home+Lab Evaluation for free. Also, I would recommend checking out this post from last year, specifically what Tom wrote: Seeking 10Gbps pfSense Router Hardware Recommendation - #4 by LTS_Tom, but I also recommend reading the whole post. It sounds like it's something you are trying to do.

Hey, so if I get a layer 3 switch, then the firewall won't be a bottleneck!! I am a noob, so I'm just trying to understand, as I am going to buy a new PoE switch and want to make the right decision!!

I bought a Protectli! I am not even in the tech world, but I wanted my homelab to be connected to 10gig for data transfer between the hypervisor, the NAS and my main PC. When I bought 10gig, an unmanaged RJ45 switch was the cheapest, so I bought it. So my pfSense's 1 NIC is connected to the 10gig unmanaged switch, which gets the .11 and .70 addresses that I define in whichever OS I use, because those ports can't define which DHCP lease to hand over (if I am making any sense to you, I am a noob).

Well, that's one way you could go about it; it would solve the issue, and if you're not opposed to the price of entry it could be done. However, this might be a more cost effective solution and is close to what I am doing. Put the NAS, hypervisor, and your PC on the 10gig switch on a separate subnet; this would only be used for storage traffic. Then connect your devices to a separate gigabit managed switch and route the production traffic from there. The other solution would be to upgrade your firewall to handle 10 gig.

Yeah, I was thinking this as well. I wasn't sure if it would route 10gig between devices if the uplink is only 1 gig.

The way that traffic is routed to the 10 gig side is that when you map your SMB share, NFS share, or iSCSI target, you specify the address on the 10 gig network on the NAS; this will route traffic over the 10 gig connection. One word of advice: when you set up the 10gig interface, DO NOT set a default gateway on that interface, things will not be happy. The only interface that should have a default gateway is your 1 gig interface that can get to the internet. Any device that is not on the 10 gig connection will use its LAN IP address to access the machine.

Here is kinda what it would look like, sorry for the rough diagram.

I'm still a bit confused, so I'm trying to understand how you set this up. You said you bought a Protectli. So, I assume you installed pfSense on it or another supported OS? The Protectli products only support Gigabit connections. But in your original post you said you have a pfSense that's connected to a 10gb unmanaged switch. Then your devices, the hypervisor, Main PC, and NAS, are connected to the 10gb unmanaged. But since all Protectli products only have Gigabit connections, what product are you using for the 10g unmanaged?

If you want a 10gb network, you will need more hardware than what you have, unless you have already installed 10g NICs in your hypervisor, Main PC, and NAS. Assuming you have, they would be connected to the 10g unmanaged. That 10g unmanaged would be connected back to pfSense. Then you would need a 1g managed switch connected from your pfSense to the 1g NICs on your devices, similar to the diagram @Night_Rider0 has provided. Actually, you can leave the 10g unmanaged unplugged from pfSense, but it becomes a bit more complex if you're not familiar with networking.

I would recommend connecting the 10g unmanaged back to the pfSense. You could plug it into the OPT1 interface if your pfSense is a Netgate appliance. You haven’t mentioned if it is or not so I’m just going to assume that it is.

But again, you stated you bought a Protectli and all of their products are Gigabit only. So I'm not sure where that fits into the picture, because at the moment, based on your descriptions, you only have a 1g network. I'm guessing your Protectli is your pfSense, with another product for your 10g unmanaged. But I don't know what that is, so it's a little difficult to see the whole picture.

Hey sorry for late reply. Here is my current network situation!!

Unrelated to the main topic, but with 6 ports on the Protectli device one could configure link aggregation between the Protectli router and the 10 Gb switch, if that switch supports it.

Nope.
Standards and Protocols: IEEE 802.3, 802.3u, 802.3ab, 802.3x, 802.1p, 802.3an, 802.3bz

Not even going to research the Protectli 6 port for 802.3ad support (or lack of it).

In a year you will thank yourself if you skip the unmanaged device and drink the Unifi kool-aid instead.

It's in stock in the ui.com store for $269. You're scared of the additional expense of SFP+ adapters? They can be found for under $20/port, or use DACs instead.

Is this a designed or an already implemented/functioning network? Because the TL-SX1008 is an unmanaged switch. It doesn't support VLANs, which confuses me on how you're doing two networks on a flat network. Your 1G switch, is it managed or unmanaged as well? What product/model is it?

What you’re trying to do won’t work and you’d be much better off going the Ubiquiti route with their 10G switches. But also keep in mind the 10G switch will only work at 1G when connected back to the Protectli.

Looks like you've got your Main PC and the NAS on the same network, and if they are both connected to 10G ports you should be good. You'll need to re-IP the hypervisor to the same subnet as the NAS if you want to be able to access it on that switch.

I assigned the VLAN tag in the OS, as it does pass packets with the tag, I guess. If I go the Ubiquiti route, it will be the same issue, as my firewall is still 1G.

I think I will have to do that. I really wanted to keep the hypervisor on a different subnet. If I create a rule which doesn't allow them to talk to each other in the same subnet, is it going to interfere with 10G speed with the rest of the devices in the same subnet?

The rule won’t matter because it is layer 2 traffic so it never has to go through the firewall to get to the other devices.
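The two points the thread keeps coming back to (same-subnet traffic is switched at layer 2 and never reaches the firewall, while traffic between subnets is capped by the router's 1 GbE port, and only the LAN NIC should carry a default gateway) modelled as an added Python example. This is not code from any poster; the hosts, addresses and link speeds are constructed to mirror the setup described above.

```python
import ipaddress
from typing import NamedTuple, Optional


class Iface(NamedTuple):
    cidr: str               # address with prefix length, e.g. "10.10.10.11/24"
    gbps: int               # link speed of this NIC
    gateway: Optional[str]  # default gateway, or None (the storage NIC must have none)


# Constructed topology modelled on the thread (addresses and speeds are assumptions):
# every host has a 1 GbE NIC on a subnet pfSense routes; NAS, hypervisor and PC also
# have a 10 GbE NIC on a storage subnet that the firewall never routes.
ROUTER_PORT_GBPS = 1  # pfSense's only link to the switch

HOSTS = {
    "nas":        [Iface("192.168.1.11/24", 1, "192.168.1.1"), Iface("10.10.10.11/24", 10, None)],
    "pc":         [Iface("192.168.1.50/24", 1, "192.168.1.1"), Iface("10.10.10.50/24", 10, None)],
    # the hypervisor keeps its own LAN subnet, as the poster wanted, but joins the storage subnet
    "hypervisor": [Iface("192.168.2.70/24", 1, "192.168.2.1"), Iface("10.10.10.70/24", 10, None)],
    "laptop":     [Iface("192.168.1.80/24", 1, "192.168.1.1")],  # 1 GbE only, no storage NIC
}


def gateway_ok(ifaces: list) -> bool:
    """Thread advice: exactly one default gateway per host, and it sits on the routed 1 GbE NIC."""
    gws = [i for i in ifaces if i.gateway is not None]
    return len(gws) == 1 and gws[0].gbps == ROUTER_PORT_GBPS


def _owner(ip: str) -> Iface:
    """Return the NIC that holds the given address."""
    for ifaces in HOSTS.values():
        for i in ifaces:
            if ipaddress.ip_interface(i.cidr).ip == ipaddress.ip_address(ip):
                return i
    raise LookupError(f"no host owns {ip}")


def path(src: str, dst_ip: str) -> dict:
    """How src reaches dst_ip: on-link (switched at layer 2) or via its gateway (layer 3)."""
    dst_if, dst = _owner(dst_ip), ipaddress.ip_address(dst_ip)
    for i in HOSTS[src]:
        if dst in ipaddress.ip_interface(i.cidr).network:
            # Same subnet: the switch forwards the frame directly, so firewall rules
            # never see it and only the two NICs limit the speed.
            return {"layer": 2, "gbps": min(i.gbps, dst_if.gbps), "firewalled": False}
    # Different subnet: the packet goes to the default gateway (pfSense), so the
    # router's 1 GbE port is the ceiling and firewall rules apply.
    src_if = next(i for i in HOSTS[src] if i.gateway is not None)
    return {"layer": 3, "gbps": min(src_if.gbps, ROUTER_PORT_GBPS, dst_if.gbps), "firewalled": True}
```

Mapping the NAS share by its 10.10.10.x address yields a 10 Gbps layer 2 path, while the same PC reaching the hypervisor's LAN address is routed and capped at 1 Gbps.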