pfSense WAN lagg group


I am setting up an new xcp-ng cluster in a quarter rack.
The datacenter is providing only 1 cat5 drop to my unit.
What I would like to do is minimise the risk of downtime and have everything in HA with the single cat5 drop as the single point of failure.
I have
1x PowerEdge C6220 with 4x node
2x Dell PowerConnect 5548
2x pfSense (6 ports each)
1x Dell Powervault MD3200i

The plan was to create 1x vlan99 of 7 port on each switch.
port1 - cat5 feed in
port2 - pfSense1
port3 - pfSense2
port4 - pfSense1
port5 - pfSense2
port6 - conection to vlan99 to switch2
port7 - conection to vlan99 to switch2

port1 - conection to vlan99 to switch1
port2 - conection to vlan99 to switch1
port3 - pfSense1
port4 - pfSense2
port5 - pfSense1
port6 - pfSense2

The idea here is if a port on the switch fails, the wan remain online via the second port.
Both PowerConnect are stack via HDMI.

My question is:

  1. Is this feasible/possible
  2. is there a better way to do it?

In pfSense I when I set 2 ports has lagg group with LACP and set it to be the wan.
In the switch, I set all the port connected to the pfSense lagg to be lagg lacp.
But then I lose the gateway and access to the internet.

Does anyone know why I lose the connection to the gateway? Do I need to tell pfSense that it needs to be looking for vlan99?

Thank you in advance

I have never attempted a setup like this, I would say build it and test it.

In testing process…
Thank you

I was debating on doing this myself but havent tried beyond the planning phase. My plan for a single WAN connection to a primary pfSense with a second as backup in case the primary were to fail. To do this I was going to essentially duplicate the WAN into a switch.
Port 1 - WAN trunk
Port 2 - WAN 1 out to Primary pfSense (to a 2nd switch)
Port 3 - WAN 2 backup pfSense (to a 3rd switch).
Not sure if you should combine switches but for redundancy and failover sake, I think this would be the safer option.

Switch 2 (WAN 1 to primary pfSense) would then be cabled like any other pfSense you have setup. You mirror the exact setup with your backup pfSense with Switch 3. I use WAN and LAN ports as usual out of the 4 available ports I have.

The key is to then take port 3 or 4 and create your HA setup via direct connect. Just plug port 3 directly from your primary pfSense to port 3 on your secondary pfSense. You can use Toms guide on this to create your failover properly.

Let me know if your setup works or if you had to modify any to get everything up and running (and failing over properly).


It took me the whole day to figure it out but as @LTS_Tom said, the best way is to build it and test it.

I have 2x Dell PowerConnect 5548 switch and the two switches are stacked and configured as stacked stack using the HDMI connection. I created a vlan99 in both switch1 and switch2 and because they are stack, anything plug to vlan99 will have access to the upstream provider.

Our single point of failure will be that uplink ethernet in the rack. If you lose the switch it’s plugged into then your rack is cut off from the outside world but it is quick to plug the upstream to the other switch.

Both my pfSense has 6 NICs and are identical
NIC 1-2: WAN (I created a lag group using roundrobin protocol)
NIC 3-5: LAN (I created a lag group using LACP protocol and configure switch accordingly)
NIC 6: pfSync

Port1 - cat5 upstream provider
port2 - pfSense1
port3 - pfSense2
Port4 - pfSense1-LAN
Port5 - pfSense1-LAN
Port6 - pfSense2-LAN

port1 - pfSense1
port2 - pfSense2
Port3 - pfSense2-LAN
Port4 - pfSense2-LAN
Port5 - pfSense1-LAN

I tested by unplugging WAN and LAN and so far it working.
I now need to workout pfSense HA part

Hope this help :slight_smile:

My current configuration is two 10Gb bonded in a LAGG interface.
All other interfaces WANs and LANs are VLANS over this LAGG.


On the switch side (CISCO) it’s configured as port-channel.

We did it this way, because in the beginning, we had an intel quad port card (4 1 Gb ports) Two for WAN, One for LAN and one for Server LAN.

The problem was that people were monitoring CCTV cameras from the user network, to the server network, and they were maxing two of the 1 Gb ports.

We bonded the four ports and it was working fine, but we were detecting collisions in two of the interfaces.

It turned out that when I asked for a set of cables, the person in charge of the cables, instead of using new ones, he reused some that he found laying around. And two were defective.

My boss overrated and order us to go fiber, which is overkill in our case.

The original plan after the fibers, was to connect to a Virtual Portchannel (CISCO terminology)

1 Like