Tutorial: pfsense LAGG & LACP & Setup

Captions
Tom here from Lawrence Systems. I want to talk about link aggregation with pfSense. It's actually relatively easy to set up. I'm going to walk through a couple of scenarios, and we're going to use a switch that supports LACP. If you don't have a switch that supports LACP, there are other modes of operation to still give you a little bit more bandwidth, essentially by tying the ports together, or redundancy, depending on what you're looking for, but it is obviously going to work the best if you have a switch that does support LACP. Check the documentation for the switch you have to see if that's supported, and let's get started.

If you can, click the like button, and first, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a hire us button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

We'll start here with the manual: what is link aggregation? Link aggregation is where you're going to essentially tie some ports together to act as one logical interface inside of pfSense. This can be for redundancy; this can be for aggregating bandwidth together. But as a warning, they do have this right down here: using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single flow will not exceed the throughput of a LAGG member interface. So in this video we're going to tie two ports together, but that does not mean the two one gig ports we tie together are going to automatically give us two gigs of bandwidth. There are factors involved. What that does mean is a connection from my computer that may loop through this and go to another system, and my computer is connected at one gig (we're going to do the demo in the video for that), that's no problem, I can get the one gig. What's the other one doing? Well, we can have another session that also uses one gig. So cumulatively, individual flows can use the bandwidth of the ports, but if we have a 10 gig connection and we're trying to squeeze it over down to the 2 gig, well, no, that's still a single flow. So even though, let's say, because we have a 10 gig switch here, we started at 10 gig, we go across the two, it cannot automatically, depending on the type of traffic, if each flow of the traffic can't exceed the single link. This is where the confusion comes in a lot with how LAGG works. So it's not an automatic "you're just going to get the full power" because it's assuming that it's one logical interface, but it will put the data across there.

Now the main reason for doing this, of course, is you have multiple flows that are going across and you want them spread across. The other common reason for doing this doesn't make sense when you're doing it with one switch, but doing a LAGG interface between multiple switches for redundancy, where you have pfSense connected with multiple redundancies and you have the other devices behind it, other servers perhaps, connected to multiple switches with LAGG for redundancy: that prevents a switch failure. I've had some people say, well, shouldn't I use it because I have the extra ports and I need it because what if a cable fails? Cable failures are not unheard of but are uncommon; switch failures are way more common than a failure of a cable. So if you want to do this in your home lab and you're saying I just want to do it because I have the ports and I don't like seeing them empty, awesome. You're not really gaining too much redundancy, because the likelihood of a little cable failing is less likely, but hey, it is there. But I'm going to walk you through how to create the interface and how to set this up.

So let's go back over here to pfSense. We have an SG-5100 with a pretty basic load here and a LAN. Now the first question I've had a few people ask me is, can I just convert my LAN to be LAGG? Not exactly. So we're going to go over to Interfaces, Assignments, LAGGs, and when we try to add one here, I have ix0 all the way through ix3 available, but if we look at the interface assignments we see that LAN is assigned to igb1, and I can't include it in there. This is actually by design: you can't add anything to a LAGG that already is assigned. So you can't just flip a switch and convert your LAN over to LAGG; you have to actually create a new interface. Now I could just delete this right here, because I'm actually logged in externally from this, I'm logged into the WAN side, so I can delete the LAN and just rebuild it. That's absolutely a possibility. We're going to go ahead and just create another interface altogether and just walk you through the process.

The first thing we need to do is pick out what ports we want to use. We're going to use the last two ports. Now the nice thing is, when you get an SG-5100, you're going to have these labeled. You have to figure out what ports they are if you built this yourself, but the SG-5100 has all the port labels down below each individual port, which makes this really easy to figure out. So we're going to use the ports right here on the end, the two on the end, which are labeled ix3 and ix2. So we're just going to go ahead and choose those like we have here, and then we have to choose the LAGG protocol type. Now the LAGG protocol types are explained, they have a nice explainer right here, and they're also explained in the manual, where you can do failover, load balance, or round robin. Warning: if you do round robin specifically, it will try to just keep sending the data back and forth on there, and you actually seem to get a little bit less bandwidth when I was doing some testing with it, because it's going "I'm going to be helpful and just keep sending these packets, some over here and some over there." This round robin actually seemed to cut some of the performance I got when I was doing this. Load balance might be a little bit more intuitive for that, and failover of course is just failover. Now the other options down here, failover, load balance and round robin, don't require any special configuration of the switch, because you're telling pfSense to handle it at the interface and look for the edit interfaces. But this can create confusion. So if you set up a failover and you have two switches and then the switches talk to each other, if the link where the switches talk to each other becomes broken but the link stays up between pfSense and the switches, now you have a problem where it goes "I don't think I've seen a fail," because the switch didn't turn off, but it'll be confused as to how to communicate. So the best way to do this is going to be LACP for the aggregation of bandwidth, not in a failover situation. LACP is going to be specifically to aggregate the bandwidth, and that does require switch support. So that's the one we're going to choose. But like I said, in the failover situation, you know, you can do that for redundancy for the switches, and that works really well for that redundancy, and maybe if someone asks I'll do a video on that. But it's really just putting two switches together, having them talk to each other, and putting one link in each side of the failover. Let me build on a bigger lab scenario for a failover demo with storage servers, which is actually an even more common scenario for this. But I have set these up in data centers where they have one leg of each of these going to each switch; that way, if they have a switch failure in a data center, their pfSense can talk. And yes, this does work with the whole HA setup. You can bond together multiple ones across HA, across this; it gets very complex very quickly, but yes, it is capable of doing it, and I'll leave a link to this. This is also part of the Netgate docs; they walk you through an entire layer two redundancy setup. So like I said, you can get pretty advanced with this and it works really well, but I'll at least cover the basics on how to get this interface set up and configured.

We'll go here, we're going to choose those two interfaces, ix2, ix3, LACP, and "laggy" interface. Pretty simple. Then we're going to go over here to interface assignments, because we've now grouped them together; now we have to assign the interface. So let's go here and we'll call it the laggy interface. Then we click on it here just like any other interface, because now they're bonded together, and we'll call this "laggy LAN." This will be our new LAN when we're done. We're going to go static; let's give it a static IP address of 192.168.99.1, and from here it's pretty much the same standard interface setup. So it's going to be LAN, static, 99.1, it's going to be a /24, save, apply. Firewall rules: there's our laggy LAN, and we're not going to dive deep into rules, I have plenty of videos on that; we're just going to do any/any, open it all up, let it fly, let all the data pass through, so no restrictions on this. Then we're going to go to DHCP server on our laggy LAN here and we'll go from 50 to 250, plenty of range, plenty of addresses on here. We've enabled it, we've got rules, save.

But now here's the important aspect that has to be done: we have to go in and configure the switch to work. Right now we've got these ports doing nothing, and if they're doing nothing that's fine, except they're not set up for LAGG. So if you plug in LACP configured ports to these, it's going to confuse the switch; it's going to say "I'm not speaking the same language," and it will break. So we're going to go in here and we're going to convert these over. So currently this is plugged into LAN; this is port 4 on this right here. So we're actually going to move it over, but before we do so I've got to push the programming changes to this UniFi switch. I say that because UniFi switches don't have an interface; they use the UniFi software for the control plane. So we're going to push the configuration. But if you have a switch where you have a web interface on it, it's kind of the same answer: before you break it, while you still have access to it, you want to make sure you push these changes to it.

We're going to go over here and configure port 1, and we're going to say "laggy pfSense," so we're plugging in here, and then we're going to go for the profile overrides and we're going to choose aggregate. What are we going to aggregate to? Ports 1 and 2. That means ports 1 and 2 are going to get assigned the LACP protocol. Now if we were using all four of the ports, we could just change that to a four, or even a three if there's three of the ports, and so on, and it's going to grab all the ones next to it. We only need ports one and two because we set up only a two port setup. We're going to hit apply and we watch it provision right here, and it says done provisioning. Then we can plug it in and get this set up on the other side. So it provisioned, the settings have been changed, and now if we look at this one, we look at profile for port two, it's aggregating from there.

Now comes a pretty simple part: we're going to move this over to the other side. So we're going to grab a little cable here and plug them in like this. So we did port one, we did port two, and we have them down here. Actually, we'll slide the switch down. There we go. So now those two end ports are plugged into port one and two. Now the order itself doesn't matter; this is LACP, this is going to communicate LACP to this. This is going to have to take a second to get a new IP address, because, well, we changed IPs, we're not using the LAN anymore. Matter of fact, while we're waiting for that to think and get connected, well, I'm going to speed up the process by power cycling it. So pull the power out, power it back on. While that's doing that, we're going to go back over here to pfSense, and remember I'm connected to the LAN, so none of this really matters that this part happened at all. And you can see that currently LAN is down, and if we wanted to, we can just go over here to Interfaces, LAN; I could just disable this interface. I don't even need it anymore; we're not going to use it, and the other one can become everything I do for LAN.

Jump ahead a couple of minutes while this booted, because I realized, and for those closely looking at the detail familiar with this switch, that first port's the console port; this is port one. I was actually troubleshooting something that I plugged in this way. So yes, I did plug it in accidentally to the console port. Didn't hurt anything, but it certainly didn't allow the two interfaces to work. So now that we have plugged into a proper interface and the switch is booted up and we have our LAGG interface configured, we can look right here and we see LAGG interface ports one and two, and this is just the aggregate port interface. So now we've got the two redundant interfaces. Let's go back over here, we look at the status, and we have it set right here, so we have laggy LAN, autoselect, and we see that it's up, and our LAN is down.

A couple of side notes over here: we're going to go Status, System Logs. Now one thing I want to show is we're going to drop an interface. We're just going to take this, we're going to "accidentally" lose an interface, unplug one, and kind of show what pfSense does and how that handles it. So we go back over here after we unplug it, refresh the page, we do get a link status down. So with the link status down, as I mentioned though, laggy LAN here still shows up, because still one of them is up, just not both of them are up. So technically we do have a connection. So plug that back in, then go back over here to Status, System Logs: system state change back to up. So pretty straightforward there.

Next we're going to take this network cable here and plug my laptop in. So my laptop's going to get plugged in with the extra ports here, not into the console port; won't make that mistake again. So now my laptop should get an IP address handed out by the pfSense through the switch, through the LACP LAGG interface, or LAGG LACP; so technically LACP is a sub protocol of LAGG, for those that are probably going to call me out on that little detail. Let's see if I get an IP address on this. Move this over, and there's the IP address, I got 99.101, and let's go ahead and ping the pfSense, which is that 99.1. Pretty straightforward, it pings. So while it's pinging, and so you see what I'm doing right here, I'm going to drop one of the connections and watch the pings, and it's going to pause for a second while it figures out "oh, you need to go across the other path." This is how the redundancy works. It's pretty seamless, except this was a packet flow coming from one system. So because LACP would be figuring out the flows from different systems and putting them across the connections, which cable that goes across is going to be a little bit, not the word random, isn't there, but now that this one's coming up and down it's going to go over here. Once it decides which cable it's going over, it goes over there unless there's a change in topology. So now that we know it's going probably across the black cable, we'll go ahead and do this: unplug it, it went back across this one. But now that it's going across the other cable, now we're going to plug this back in, so listen for the click. It doesn't pause to start the flow back on the other side. This is how LACP works with the LAGG and the protocols together: once it decides which cable it's going over, that flow will continue to go over that cable, and it's dynamically figuring it out. That's the advantage of the way this protocol works.

Now a couple of side notes inside of pfSense of how this works in terms of, how about VLANs or everything else? Actually, no change there. So even though the interfaces are bonded together, because they're bonded together at the physical layer to work as a single interface, as we're calling it laggy LAN, we go to Interfaces, Assignments, and we do something like a VLAN, and we add and we say we want, uh, VLAN tag, I don't know, 88, just so we have something. 888, sure, why not. You choose the parent interface, and the parent interface is going to be lagg0, so all the other rules apply. So by doing that, there's the parent interface, and we go back to the assignments; we can then assign VLAN 888 to here. And then there's no change inside the UniFi software when you assign a VLAN; it still just works the same. It's not going to be any different just because you're lagging these together. So you can still, and we can edit these ports for example, and I have a VLAN test 123 in here; I'd have to define it in here if I wanted to use VLAN 88 like I did in there, but you get the idea: you can even assign the VLAN to LAGG interfaces. Now it's going to be varied how this works with different model switches, but it's not a big deal in terms of how it works, including when you're building out a storage network. Maybe you want a dedicated VLAN just for all your storage devices; you can LAGG those interfaces together. You know, obviously LACP and that dependency still is required in the switches if you want to use full LACP, but it's that easy to set up in pfSense. It's pretty straightforward; it works just as another interface. So any other videos I've done where I'm talking about assigning some interface, once you build the LAGG interface, away you go, it just works.

Now one last thing: what if you wanted to add one more? Well, you can do that. So we're going to go here, and first, as I said, you have to always make sure we have the switch on there, so we have one, two, three now. So we're going to apply this, and we're going to let this configuration push. While we're doing that, where's that third interface going to come from? Well, go over here to LAGGs; you can edit these. Because we still haven't assigned anything to ix1, it's still just an empty port, and hit save. So now it's going to apply this here, we're provisioning the switch, we'll give the switch a second to catch up. But while we're doing that, we go over here, snap, and they're crisscrossing the cables here, but you get the idea. Now I've got all three of these ports, and all three assigned to this. Same rules apply, and now it's just LACP is going to talk to all three ports. Let's see if the switch provisioned. Yep, it pushed the provision on there, so now it says port 2, port 3, and that easy. Now you didn't have to do this, now this would disrupt users, but you didn't have to do anything else in pfSense to add more to this aggregation group. We've just added one more; we could just as easily drop one from it. Now when you do this there is a disruption in the network, so if you're routing a bunch of traffic over it and you change these assignments, when it does configure the switches there's a disruption to rebuild them into the link. But hey, that's not that big of a deal; the disruption is pretty minor and happens pretty much fast. We do this essentially in real time, so if there's someone on a VoIP call they're going to be angry at you because it may drop the call, but for the most part it's a pause in the internet and everything keeps working.

So I'll leave links to the pages and the documentation from Netgate on this to dive deeper into this, and leave comments below or head over to the forums and, you know, talk about maybe suggestions you have for having me lab out a larger setup or install. But I am going to do another video on this topic related to doing this with storage servers. All right, thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
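Two points in the video deserve a worked example from the monitoring side: first, that pfSense still shows the LAGG as up when only one member has link (the unplug test), so the interface status alone will not tell you the aggregate is degraded; second, that LACP pins each flow to one member, so a single flow never exceeds one link. The script below is an added example, not code from the video, from Lawrence Systems, or from the pfSense/Netgate project. It parses the FreeBSD `ifconfig lagg0` output format that pfSense uses (the sample text is constructed, with ix3 deliberately shown with no link) and classifies the aggregate as healthy, degraded or down; it also models the per-flow member selection with a stand-in hash (SHA-256 of the 5-tuple, assumed for illustration; the kernel's l2,l3,l4 hash is a different function) to show that one flow always lands on one member while many flows spread out.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of `ifconfig lagg0` on pfSense/FreeBSD. The LAGG reports
# "status: active" even though member ix3 (flags=0<>) has dropped out of the
# LACP aggregate; only ix2 is ACTIVE, COLLECTING and DISTRIBUTING.
SAMPLE_IFCONFIG = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tinet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255
\tlaggproto lacp lagghash l2,l3,l4
\tlaggport: ix2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: ix3 flags=0<>
\tgroups: lagg
\tmedia: Ethernet autoselect
\tstatus: active
"""

NAME_RE = re.compile(r"^(\S+):")
PROTO_RE = re.compile(r"laggproto\s+(\S+)")
PORT_RE = re.compile(r"laggport:\s+(\S+)\s+flags=[0-9a-fA-F]+<([^>]*)>")
STATUS_RE = re.compile(r"^\s*status:\s+(\S+)", re.MULTILINE)

# A member only carries traffic for the aggregate when all three are set.
CARRYING = {"ACTIVE", "COLLECTING", "DISTRIBUTING"}


def parse_lagg(text):
    """Extract LAGG name, protocol, link status and per-member LACP flags."""
    members = {}
    for ifname, flags in PORT_RE.findall(text):
        # "flags=0<>" yields an empty string; keep the set empty in that case.
        members[ifname] = set(f for f in flags.split(",") if f)
    return {
        "name": NAME_RE.match(text).group(1),
        "proto": PROTO_RE.search(text).group(1),
        "status": STATUS_RE.search(text).group(1),
        "members": members,
    }


def lagg_health(info):
    """healthy: every member forwards; degraded: LAGG up but a member is not
    forwarding (what the unplug test in the video produces); down: none do."""
    carrying = [m for m, flags in info["members"].items() if CARRYING <= flags]
    if not carrying:
        return "down"
    if len(carrying) < len(info["members"]):
        return "degraded"
    return "healthy"


def member_for_flow(flow, members):
    """Stand-in for the kernel's l2,l3,l4 hash (assumption, not the real
    algorithm): the same 5-tuple always maps to the same member."""
    key = "|".join(str(part) for part in flow).encode()
    digest = hashlib.sha256(key).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def flow_distribution(flows, members):
    """Count how many flows each member would carry."""
    return Counter(member_for_flow(f, members) for f in flows)


if __name__ == "__main__":
    info = parse_lagg(SAMPLE_IFCONFIG)
    print(info["name"], info["proto"], info["status"], "->", lagg_health(info))
    for ifname, flags in info["members"].items():
        print(f"  {ifname}: {sorted(flags) or 'no link'}")

    active = [m for m, f in info["members"].items() if CARRYING <= f] or ["ix2"]
    one_flow = ("192.168.99.101", "192.168.99.1", 51000, 443, "tcp")
    print("single flow always on:", member_for_flow(one_flow, ["ix2", "ix3"]))
    many = [("192.168.99.101", "10.0.0.1", 40000 + i, 445, "tcp") for i in range(200)]
    print("200 flows spread:", dict(flow_distribution(many, ["ix2", "ix3"])))
```

Run it on a real box by piping `ifconfig lagg0` into `parse_lagg`; alerting on a "degraded" result catches the case the video demonstrates, where the interface dashboard still shows the LAGG as up.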
Info
Channel: Lawrence Systems
Views: 43,602
Keywords: lawrencesystems, pfsense firewall, load balance, pfsense lagg setup, pfsense, pfsense setup, pfsense router, pfsense (software), router, pfsense lacp setup, firewall, pfsense install, pfsense tutorial, pfsense firewall setup
Id: VULKulpXBYU
Length: 20min 24sec (1224 seconds)
Published: Wed Sep 23 2020