pfSense with LAGG and VLAN Trunk

Hi, Everyone.

I have purchased a Protectli box (hasn't arrived yet) and am planning to install pfSense on it. I currently have an EdgeSwitch Lite (24-port). Is it possible to set up a LAGG on 2 ports on pfSense and then configure a VLAN trunk on those ports to allow certain VLANs to pass through them?

Well, I have a LAGG over four ports on my Chinese box; it's pretty easy to set up under Interfaces > LAGG, just select your interfaces. Though I do now see your switch needs to support IEEE 802.3ad if you want to use LACP.
Not sure what you mean regarding the VLAN; all traffic will go through the LAGG to the WAN.

Thank you for the reply

My network is configured with VLANs (these separate my network, guest, IoT devices and security devices). I want to allow that traffic to pass through the LAGG. I believe the EdgeSwitch Lite supports LACP.

Ah ok, yes I have a couple of VLANs and they all pass through the LAGG … though I have to admit I only set this up as I had several ports on the box. I don't have massive amounts of traffic on my network so can't vouch as to how well it works; it just works and hasn't given me any gyp in the last year.

Did you configure any of the ports that are members of the LAGG to have VLANs, or did you configure the VLANs on the LAGG itself?

The LAGG is based on the physical interfaces on the device; VLANs are configured independently of the LAGG. Though you must have a parent interface for a VLAN, and mine is my LAGG. If you look under LAGG you'll see there are other protocol options offering different features.

Hi, Everyone.

Just a follow-up on this: I have received my Protectli device and installed pfSense. As expected, I have problems making LAGG with VLANs work with pfSense going to the EdgeSwitch Lite.

Here is my configuration in pfSense:

- Under Interfaces > LAGGs: created LAGG0 with members igb2 and igb3
- Under Interfaces > VLANs: created VLANs 10 to 50 bound to interface lagg0
- Under Interfaces > Interface Assignments: added VLANs 10 to 50
- Under Firewall > Rules > (name of each VLAN): added a rule with action: pass, source: (name of VLAN) net, port: any, destination: any
- Under System > Advanced > System Tunables: added net.link.lagg.0.lacp.lacp_strict_mode with a value of 0

Here is my configuration in the EdgeSwitch Lite:

- Under Switching > Port Channel > Summary: made sure 0/23 and 0/24 are members of interface 3/1
- Under Switching > Port Channel > Summary: configured 3/1 with Static Mode set to disable
- Under VLAN > Port Configuration: interfaces 0/23, 0/24 and 3/1 (LAGG) are configured as Tagged on VLAN IDs 10, 20, 30, 40 and 50

Please help me identify why it hasn't worked for me. Please let me know if you need more information.

Have a LAGG on my spare ports; your first two steps look the same as mine.

I’ve not added the above point in my setup.

Presumably you have the same bond type on pfSense and your switch; I've used LACP. I don't recall that I had any particular issues with getting the LAGG working.

Under System > Advanced > System Tunables: added net.link.lagg.0.lacp.lacp_strict_mode with a value of 0

I only added those entries because the LAGG was not working. I found this forum post "https://community.ui.com/questions/need-some-help-for-vlan-on-pfsense-with-lagg/05687ac3-85fd-4e22-a321-eda22df61ea5" and, although it was years ago, I thought I'd give it a shot. Unfortunately for me it still did not work.

This is what Netgate says; it's fairly straightforward. Perhaps double check that you have set an LACP bond on your switch and that this corresponds to the LACP bond in pfSense.
I have a Netgear switch; setting an LACP bond was again fairly straightforward.

I have checked the EdgeSwitch again and found under Switching > VLAN > Switch Port Summary that 3/1 is set to General under Switchport mode. It should be set to Trunk. I have not changed this yet because I need to have my network up during the morning. I'll configure it tonight and see if it addresses my issue.

The bond type on pfSense and the switch must be the same; it may operate if it isn't, but it seems logical that they are the same.

I think setting interface 3/1 to Trunk under Switching > VLAN > Switch Port Summary may have resolved the issue. It allowed DHCP from the firewall to traverse to the VLANs. I will test this further when I get more time.
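As an added example (not from this thread, and not code from pfSense or Ubiquiti), here is a small Python checker that compares a pfSense LAGG/VLAN definition with an EdgeSwitch port-channel definition and reports the mismatches raised in this thread: bond type, member count, switchport mode and the tagged VLAN set. The data classes, field names and sample values are constructed for the illustration; neither device exports its config in this shape.

```python
from dataclasses import dataclass


@dataclass
class PfSenseLagg:
    name: str       # e.g. "lagg0"
    protocol: str   # pfSense LAGG protocol: "lacp", "failover", "loadbalance", ...
    members: list   # physical NICs, e.g. ["igb2", "igb3"]
    vlans: set      # VLAN IDs whose parent interface is this LAGG


@dataclass
class SwitchPortChannel:
    name: str             # e.g. "3/1"
    static_mode: bool     # EdgeSwitch "Static Mode"; False means LACP negotiates the bond
    members: list         # physical ports, e.g. ["0/23", "0/24"]
    switchport_mode: str  # "Trunk", "General" or "Access"
    tagged_vlans: set     # VLAN IDs tagged on the port-channel


def check_trunk(fw: PfSenseLagg, sw: SwitchPortChannel) -> list:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings = []
    # 1. Bond type must agree: LACP on pfSense needs a negotiated (non-static) port-channel.
    if fw.protocol == "lacp" and sw.static_mode:
        findings.append(f"{fw.name} uses LACP but {sw.name} is in static mode")
    if fw.protocol != "lacp" and not sw.static_mode:
        findings.append(f"{fw.name} uses {fw.protocol} but {sw.name} expects LACP")
    # 2. Each cable needs a member on both sides.
    if len(fw.members) != len(sw.members):
        findings.append(f"member count differs: {len(fw.members)} vs {len(sw.members)}")
    # 3. The fix reported in the thread: port-channel left in General mode rather than Trunk.
    if sw.switchport_mode != "Trunk":
        findings.append(f"{sw.name} switchport mode is {sw.switchport_mode}, expected Trunk")
    # 4. Every VLAN parented on the LAGG must be tagged on the switch side, and vice versa.
    missing = fw.vlans - sw.tagged_vlans
    extra = sw.tagged_vlans - fw.vlans
    if missing:
        findings.append(f"VLANs on {fw.name} not tagged on {sw.name}: {sorted(missing)}")
    if extra:
        findings.append(f"VLANs tagged on {sw.name} with no pfSense interface: {sorted(extra)}")
    return findings


# Constructed sample mirroring the thread: VLANs 10-50 on lagg0 (igb2, igb3) against
# EdgeSwitch port-channel 3/1 (0/23, 0/24) with Static Mode disabled.
PF = PfSenseLagg("lagg0", "lacp", ["igb2", "igb3"], {10, 20, 30, 40, 50})
SW_BEFORE = SwitchPortChannel("3/1", False, ["0/23", "0/24"], "General", {10, 20, 30, 40, 50})
SW_AFTER = SwitchPortChannel("3/1", False, ["0/23", "0/24"], "Trunk", {10, 20, 30, 40, 50})

if __name__ == "__main__":
    for label, sw in (("before", SW_BEFORE), ("after", SW_AFTER)):
        print(label, check_trunk(PF, sw) or ["OK"])
```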

I need to look at this myself as I've run out of ports on my 24-port switch, so I'm planning on using the 2 x SFP ports on the Sophos XG unit in a LAG config and dropping 3 x RJ45 connections.