I’ve built a custom pfSense box that includes an Intel X710 4-port 10G card.
I currently have 2 wan connections:
WAN1: 1G up and down
WAN 2: 700 MBps down and 70 MBps
I also have several VLANs:
Staff
Students
Teachers
Guest
I have a Unifi Pro aggregation switch. Is there a benefit of using all 4 ports of the Intel card instead of making a TRUNK with all VLANs/WANs and just using one port?
What would be the best setup if it’s better to use multiple ports?
Thank you for reading this and thank you for your help.
There’s nothing wrong with the way you’re doing it. There are a couple benefits to using multiple ports in the right situation, though.
You could isolate networks physically rather than by VLANs (assuming the NICs are individual rather than using the same switching chip).
More interestingly (from my perspective) you can do link aggregation, making one trunk from multiple ports. That increases the shared bandwidth of the connection. For example, if I have a NAS with a single gigabit link to my switch, all connections to the NAS share that gigabit. If I aggregate two gigabit links, each individual connection will still be topped out at one gigabit, but all connections will share two gigabits of bandwidth to that NAS. The same can be done with a firewall that’s doing VLAN routing on a busy network.
None of these is the one right way, they’re all just options based on the demands of your network.
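As an added illustration (not code from the thread) of the point above: a stand-in layer-3/4 flow hash, not FreeBSD's actual lagg algorithm, shows why one connection never exceeds a single member link while many connections spread across the aggregate. The flows below are constructed sample values.

```python
import hashlib
from collections import Counter

def select_link(src_ip, dst_ip, src_port, dst_port, proto, n_links):
    """Pick the member link for one flow the way an L3/L4 LACP hash policy
    does: hash the 5-tuple and reduce modulo the number of links.
    Deterministic per flow, so a flow's packets never reorder across links,
    which is also why a single flow is capped at one link's speed.
    (Stand-in hash for illustration; the kernel uses its own.)"""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links

def distribute(flows, n_links):
    """Count how many flows land on each member link."""
    return Counter(select_link(*flow, n_links) for flow in flows)

# Constructed sample flows: one client to a NAS, then 200 clients to the NAS.
SINGLE_CLIENT = [("10.0.10.5", "10.0.20.8", 50000, 445, "tcp")]
MANY_CLIENTS = [(f"10.0.10.{i}", "10.0.20.8", 50000 + i, 445, "tcp")
                for i in range(1, 201)]

if __name__ == "__main__":
    # One flow over a 2-link lagg: everything on one link, still 1G max.
    print("single client:", dict(distribute(SINGLE_CLIENT, 2)))
    # 200 flows over the same lagg: both links carry traffic, 2G shared.
    print("200 clients:  ", dict(distribute(MANY_CLIENTS, 2)))
```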
A possible benefit might be that monitoring of traffic on that port would be easier / less resource intensive if required.
However, I prefer a trunk in a LACP setup between the router and switch to use up the ports; in the event of a dodgy cable or port, there is resilience in place.
Additionally, it might be handy to keep a port on the router assigned to the LAN so that you could directly plug into the router if something were to go wrong.
I’m not sure you want to group the WANs and VLANs as one big trunk… If you have 4 ports, are you planning on driving WAN1 and WAN2 using the X710, or is the X710 dedicated to communicating with the aggregation switch? Either way you will end up with 2 or 4 ports that I would link aggregate together and get 20G or 40G bandwidth between router and switch. I would send all VLANs tagged through this aggregated trunk except the management VLAN, which I would send untagged (so you can actually access the switch itself). Isolating the traffic physically would help if you knew the traffic shape and mix between the VLANs and had very specific timing/QoS requirements… but if the student traffic was large and the staff traffic small, isolating them to individual physical links would hinder your throughput…
Nothing really to add, the others have explained it very well.
Just make sure you understand what your requirements for security monitoring are. Changing the interface setup later, especially with a lot of rules in place, can be laborious.
If you really need the bandwidth, a LACP setup is great, but having network security monitoring on LACP is really not a simple approach; then it is simpler to use the Zeek and/or Suricata packages on pfSense. This may not be possible with some tightly packaged solutions such as Security Onion, where you would want to use their sensor image (which also includes Zeek and Suricata). If you want or need to use such a solution, don’t use LACP aggregation of several ports.