Setting up VLANs on LAGG DHCP questions and reality check?

I have a DIY pc (S920 Fujitsu) running pfSense. It has an unused onboard realtek NIC and a four port Intel PCIe NIC: Currently em0 is WAN, em1 is LAN and the em2 and em3 are a LAGG to ports 17&18 on a 24 port Zyxel managed switch. The LAGG is set to LACP.

The LAGG is currently unused as I’m still joining some dots with basic principles and planning - which is complicated by the fact that I need to connect the Zyxel 24 port (which doesn’t do PoE) to a 5 port TP Link PoE managed switch to run a Unifi U6 access point, which has its own GUI to configure of course. This PoE switch will also power a couple of security cameras eventually.

So I’ve got GUI’s for pfsense, Zyxel, TP-Link and Unifi to deal with and they all seem to use slightly different terminology, which makes life interesting! /s

My first question is about setting up the LAGG - this is just to serve as the parent interface for VLANs, so I was looking for some advice about what to do with the LAGG’s own IPv4 configuration. Can I just enable the interface and leave IPv4 set to ‘None’ ? I don’t need DHCP on the LAGG itself, just the VLANs it’s a parent to.

Then add the VLANs and relevant DHCP to this as the parent so that everything going over the LAGG is tagged?

I then need a tagged/trunk port to connect from Zyxel to TP-Link - on this switch there is a 5th non-PoE ‘data’ port which I’ll use for this. The port connecting on to the U6 AP should (I think) also be tagged so it can deal with Home wifi and Guest wifi VLANs.

I’ve also read that I’d ideally change the home LAN DHCP range to something other than 192.168.1.0/24 and I was thinking that a way of doing this would be to have a ‘HOME LAN’ VLAN , say on 10.0.100.0/24 with a corresponding 100 VID, with other VLANs, such as those for Guest Wifi, IoT, CAMs etc at 110, 120, 130 etc. for the third octet and the VID respectively.

The switch ports that connect to various family PC’s and unmanaged switches would presumably then need to be set to Untagged on the switch, while any connection to managed switches would be Tagged and also a trunk port.

Does that sound about right?

If so, how do I go about keeping the current LAN with DHCP range of 192.168.1.0/24 active and working on most of the home network devices (i.e. those belonging to my family) while using my own devices, which have assigned ports on the switch, to test and experiment with?

Right now the switch is just using default VLAN 1 - the ports aren’t set to either Untagged or Tagged, just blank. I admit I’m a bit confused by this - but if I take “Untagged” to mean removing VLAN information from the packet then maybe I should be setting all of the devices ports to Untagged, including those to dumb switches? All the wired home devices have assigned static IP’s in the 192.168.1.0/24 range via the LAN DHCP.

Sorry this is so long - my wife is disabled and totally reliant on a working home network and internet access, so I need to try to make sure things are working properly through testing my own gear before making changes that are going to take me a long time to roll back.

Any advice, including links to videos or other forum posts I should read very welcome. Thanks.

I have a video covering LAGG for pfsense here:

And a video covering how VLANs work with pfsense and UniFI but you can apply those concepts to other switches.

Sounds like you are overthinking it but I suppose it’s better than the opposite!

I have a similar star topology to my network too but I have only used Netgear switches but I do have a TP-Link AP. My setup hasn’t given me any grief and I barely look at the GUI’s unless I’m doing an update, perhaps you can adopt some of what I have done.

Firstly, I use the LAN as an emergency port on my router if I mess anything up, the rest of the vlans are split MGMT (with switches, AP’s etc), ISP (traffic exiting via ISP), VPN, CAM, IOT, GUEST.

My router passes all vlan traffic over a 4 port LAGG to my switch, no issues, my reasoning for this was that I have 6 ports on my router that I could use in this way. My main switch passes vlan traffic to other switches in the house over Trunk ports setup with a LAGG. My reasoning for this was that I was running ethernet cable and thought two runs would be better than one if there was ever a failure, I’m glad I did it as running more cable now would be a PITA. As it’s over an LACP then I have additional headroom if I was ever to saturate a link, though that would be rare.

There is also a PoE switch coming off my main switch over a Trunk LAGG which powers an AP and a couple of cameras. No issues with this setup.

You setup your LAGG in pfSense then setup your vlans and assign them to the LAGG (in my case).

When I originally set this all up I found some quirks, though I’m unsure if it was user error or something else, I needed to configure pfSense, then my switches with the vlans, all unconnected, then connect them and it worked. When they were physically connected and I tried to do the configuration I ran into issues, though my knowledge at the time wasn’t much.

With your AP, you ought to be able to configure the SSiDs inline with your vlans, without too much grief over a Trunk port.

All the above is the easy part ! What i would suggest is coming up with a core suite of rules that you use on each interface, then adding exceptions, otherwise it’s likely you’ll end up with so many rules that you have no idea why you can no longer do something that you think ought to work. An example of this is that the GUEST vlan is islolated from the rest of the network, except for the fact that guests have to login to a webpage not hosted on the GUEST vlan so a rule that allows access to the required IP / port is all I need.

If your wife needs a working network, then I’d recommend just using a spare router, it might take you longer to set everything up than you think, you don’t need internet access to complete the full configuration.

Hi thanks neogrid for the reply and detailed explanation. I’ve been ‘over thinking’ this for months now because the last time I thought I’d joined all the dots chaos ensued that only got resolved by a pfsense reinstall from scratch that I finally got working at about 4 a.m. I am very, very keen not to repeat that experience!

Thanks also to Tom for the links to those videos, though I have already watched them, more than once

The first video demonstrates setting up DHCP on the LAGG itself - which prompted my question about whether it’s OK to choose ‘none’ for IPv4 configuration on the LAGG interface as I just want to use it as the parent interface for the subsequent VLANs I create?

Then as I add those VLANs in pfsense, I’d add the appropriate IPv4 subnets and ranges on a per VLAN basis, DHCP and firewall rules. I’m worried that doing what I’m proposing reveals a fundamental misunderstanding?

Re the second video: unfortunately the language and GUI that Ubiquiti uses makes it very difficult (for me) to translate into ‘Zyxel-ese’ and ‘TP-Link-ese’. I have learned to just RTFM for each of those devices, rather than even attempting to ‘translate’ from Ubiquiti-ese! Also unfortunately, I find the Zyxel manuals especially to be poorly written - I know you get what you pay for!

At least in the UK Ubiquiti gear (even secondhand) is 2x or even 3x the price, which maybe justifiable in business - but not for a home network built on a shoestring budget.

Disconnecting the physical cables - especially the LAGG between pfsense and the Zyxel switch - until it’s all set up on both devices, sounds like an excellent idea!

Many thanks

I’m not getting the “DHCP on the LAGG” thing, maybe I need to re-watch the video. As far as I can see you create the LAGG using those ports on your router in pfsense. When you create the vlans, you then assign them to the newly created LAGG under interfaces. DHCP doesn’t come into regarding LAGG, you configure it for your vlan as you like.

One other thing I noticed with my Negear switches was that if I wanted to say add another vlan, I could do this easily in pfSense and my main switch without any issue. However, some of the other switches I could not add them without doing a factory reset and configuring the switch as required. You might find once you have your first vlan working the way you want then add all the others at the same time. One thing for sure, if you later add a vlan and haven’t kept notes then it will take you ages to remember what you did, in spite of looking at your current vlans, obviously I know this from experience !!

Unless you deal with pfSense / firewalls for a living, it’s a steep learning curve. I would take screenshots of of your configurations, it will take mere seconds to forget what you have done let alone why, keeping good notes is vital. I had to do a complete rebuild of pfSense to get it to work when I switched ISP, so it’s a poor bet to assume you’ll only need to do a fresh rebuild only once.

No one loves Netgear switches in this forum, but, on certain models they have a lifetime guarantee, meaning they will swap it out if it fails at no additional cost, I’ve tested it and it works. I’m in the UK too so I know the costs have virtually doubled since pre-covid.

Again, many thanks for the thoughtful reply neogrid - much appreciated!

Re the DHCP on LAGG thing - here’s a screen shot:

Where I have the IPv4 Configuration Type set to ‘None’ - in the video Tom chooses ‘Static IPv4’ from the drop down. In my case this just creates a subnet and DHCP range I have no intention of using, since I’ll just be using it as a parent interface for VLANs that’ll have their own subnet matched to the VLAN ID. eg. 10.0.10.0/24 for VLAN ID 10 and so on.

I just wanted to confirm that doing this won’t create problems further down the road. I don’t think it should, but obviously if I was really confident I wouldn’t be asking the question

Re Netgear - yes I bought one and returned it to Amazon when I realised it didn’t do LACP on LAGGs. It just seemed a cheapskate move by Netgear (probably trying to flog off hardware based on an ancient chipset) when every man and his dog use LACP on every single LAGG related video I’ve ever watched. And that’s now FAR more than I want to think about !

I’ve learned to be fairly meticulous with note taking the hard way. I tend to use spreadsheets and diagrams over screenshots, but now I realise I can upload images to this forum without having to host them independently I might upload some for some feedback.

Thanks again.

Oh ok I see what you mean, I suppose you do say you’ve created the LAGG.

When you configure your fist vlan you will need to assign it to the LAGG interface:

Then you configure the interface (I forget the order, however, both need to be done)

Now when you configure your vlans, you can assign all of them to the LAGG interface.

It looks like what you’ve done is to configure the LAGG and stop. I doubt there is a problem with that, but it’s a 5 min task if done correctly Then you need to do the bulk of the work on the vlans et al.

It feels like, you have your LAN running and now you are going step by step. However, the LAGG and vlan config is one step, albeit big.

Before I buy I RTFM, hence I deduced the Netgear Pro had LACP but the Plus didn’t, though it’s not immediately obvious unless you compare.

Thanks again - yes I know the next step is to add the vlans, which I will do with more confidence that things won’t go to hell on me (again) now I’ve disconnected the cables to the switch!

The process over quite a few weeks has been trying to get through the setting up of the VLANs on all the devices only for things to break when I’m part of the way through - then doing ‘headless chicken’ impressions trying to revert everything back to what was working.

Cheers