First, I have been a pfSense user and am setting up to move to OPNsense. I purchased a used Optiplex 5050 (i5-6500, 32GB RAM, Intel I350 4-port 1GbE NIC, Intel I219-V 1-port 1GbE NIC, 256GB M.2 SATA drive). I have successfully loaded OPNsense 23.7.8_1 on it and am beginning configuration.
I have set up 1 of the I350 ports as the WAN interface and another as the LAN interface. So I have two free ports on this NIC and then the 1 built-in port on the other NIC.
I have two Netgear managed L2 switches that are both 802.1Q VLAN capable and LAGG capable. I have set up VLANs but never set up LAGG. I will have (7) VLANs including the default, plus WireGuard.
My thought is to move the WAN interface to the I219-V port, then LAGG (2) of the I350 ports together for LAN, using LAN only for OPNsense and the switches (default VLAN 1), then bond the other two I350 ports together for the other 6 VLANs. I have plenty of room (ports) on my switches for this configuration.
Is this feasible? What might the pitfalls be? Any and all opinions/guidance would be greatly appreciated.
Chuck
To run a LAGG with the physical connections to two different switches, the switches MUST be multi-chassis LACP capable, sometimes called "stacking". If they are not, you are limited to running two (or more) physical connections to a single switch.
HTH,
Patrick
As Patrick said,
If you want to do a LAGG between OPN and connect one port of the LAGG to SW1 and the other to SW2, you need switches capable of MEC.
LAGGs work very well on OPNsense; I am using them: a LAGG with LACP between OPN and the core switch. The LAGG is L2; on it run VLANs and VLAN interfaces for each VLAN to act as GW.
Basically, create the LAGG first, then the VLANs; attach them to the LAGG and create VLAN interfaces with the proper IP/mask to act as GW.
Just be careful not to lock yourself out. During migration from single port to LAGG I did create a wide inbound any/any allow rule on the VLAN interfaces.
You can also create the LAGG + VLANs + VLAN interfaces first and give them IPs, and keep the LAN as well. During migration you can use and keep the LAN in native VLAN 1.
Once you have created VLANs over the LAGG, access OPN via the new GW interfaces; once you have access you can migrate off your old LAN. Also, I don't advise keeping tagged and untagged VLANs as a permanent solution; even if it works it's not "supported" and you could hit random problems. But for migration purposes it's okay.
Regards,
S.
First, thank you both for responding. After reading your responses and reading some more about LAGG and LACP, I think this may work. What do you (anyone) think?
Optiplex 5050 with OPNsense
  Static Lagg - Lagg0: inc0, inc01
  Static Lagg - Lagg1: inc02, inc03
  Interface em1 --> WAN ISP 1GbE
Netgear GS724T V2
  Static Lagg - Lagg0: Port 22, Port 24
  Static Lagg - Lagg1: Port 18, Port 20
  Static Lagg - Lagg2: Port 21, Port 23
Netgear JGS516PE
  Static Lagg - Lagg0: Port 15, Port 16
Connections
  Optiplex Lagg0 --> GS724T Lagg0 - VLAN 1 (default)
  Optiplex Lagg1 --> GS724T Lagg1 - VLANs (1,10,20,30,40,50,60)
  GS724T Lagg2 --> JGS516 Lagg0 - VLANs (1,10,40,60)
In regards to cabling, each LAGG member port would be cabled 1:1 to its corresponding LAGG port.
The GS724T is LACP capable but the JGS516PE is not.
Appreciate any feedback.
Chuck
> GS724T Lagg2 --> JGS516 Lagg0 - VLANs (1,10,40,60)
Why not call it LAGG2 on the JGS516 as well?
So per what you write, the GS724T will be like your "core" switch and only this one will be connected towards OPN. If it's LACP capable, configure LACP on the LAGGs between OPN and the switch, and use static downstream from the GS724T towards the JGS516.
(https://forum.opnsense.org/index.php?action=dlattach;topic=37157.0;attach=31257)
Also, on LAGG0 only VLAN1 (default): by this you probably mean a non-tagged VLAN during migration, right? So basically you will use the interface for L3, not an SVI L3 VLAN interface.
Regards,
S.
A couple of things:
- The native VLAN is untagged and hence will not work here... Everything should be tagged on LACP/LAGG interfaces.
- I would not recommend using VLAN 1. Create it and send it nowhere...
- I would create a LAGG with four ports (if it works) to your managed switch GS724T, and a LAGG from the GS724T to the other switch, with no VLAN 1 on any of the switches.
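The rules raised across the thread (S.'s build order of LAGG first, then VLANs, then VLAN interfaces as gateways; Patrick's point that a LAGG split across two switches needs multi-chassis LACP; LACP only where both ends support it; no tagged/untagged mix on a LAGG; downstream VLANs must have a trunk back to the router) can be checked before touching a cable. The script below is an added example and not code from the thread or from OPNsense: it models Chuck's plan as data and validates it against those rules, then emits the plain FreeBSD `ifconfig` sequence that S.'s build order amounts to underneath (OPNsense itself does this from the GUI). The OPNsense port names `igb0`..`igb3` are an assumption (how I350 ports appear on FreeBSD), and the gateway address is a constructed sample.

```python
# Added example, not code from the thread: a consistency checker for a
# LAGG + VLAN plan like Chuck's, encoding the rules raised in the replies.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Switch:
    name: str
    lacp: bool            # supports 802.3ad LACP
    mc_lag: bool = False  # multi-chassis LACP ("stacking"), needed to split one lagg across switches


@dataclass
class Lagg:
    name: str             # lagg name on its owner, e.g. "lagg0"
    host: str             # owner: "opnsense" or a switch name
    members: tuple        # member ports, e.g. ("igb0", "igb1") or (22, 24)
    proto: str            # "lacp" or "static"
    tagged: frozenset     # VLAN IDs carried tagged on the trunk
    untagged: Optional[int] = None   # native (untagged) VLAN, if any


@dataclass
class Link:
    a: Lagg               # two laggs cabled member-for-member to each other
    b: Lagg


def check_plan(switches: dict, links: list) -> list:
    """Return the list of rule violations; an empty list means the plan passes."""
    problems = []
    router_vlans = set()  # VLANs that reach OPNsense on some trunk
    peers = {}            # (host, lagg name) -> set of peer hosts it is cabled to
    for link in links:
        a, b = link.a, link.b
        for end, peer in ((a, b), (b, a)):
            peers.setdefault((end.host, end.name), set()).add(peer.host)
            if end.proto == "lacp" and end.host in switches and not switches[end.host].lacp:
                problems.append(f"{end.host} {end.name}: LACP requested but {end.host} is not LACP capable, "
                                "use a static lagg on both ends")
            if end.untagged is not None and end.tagged:
                problems.append(f"{end.host} {end.name}: mixes untagged VLAN {end.untagged} with tagged VLANs, "
                                "tag everything on the lagg")
            if end.host == "opnsense":
                router_vlans |= end.tagged
        pair = f"{a.host} {a.name} <-> {b.host} {b.name}"
        if len(a.members) != len(b.members):
            problems.append(f"{pair}: member counts differ ({len(a.members)} vs {len(b.members)}), cabling cannot be 1:1")
        if a.proto != b.proto:
            problems.append(f"{pair}: lagg protocol mismatch ({a.proto} vs {b.proto})")
        if a.tagged != b.tagged:
            problems.append(f"{pair}: tagged VLAN sets differ on {sorted(a.tagged ^ b.tagged)}")
    for link in links:  # VLANs on a switch-to-switch trunk must reach the router somewhere
        if "opnsense" not in (link.a.host, link.b.host):
            orphan = (link.a.tagged | link.b.tagged) - router_vlans
            if orphan:
                problems.append(f"{link.a.host} {link.a.name} <-> {link.b.host} {link.b.name}: "
                                f"VLANs {sorted(orphan)} have no trunk to OPNsense")
    for (host, name), hosts in peers.items():  # Patrick's point: one lagg across two switches needs MC-LAG
        if host == "opnsense" and len(hosts) > 1 and not all(switches[h].mc_lag for h in hosts):
            problems.append(f"opnsense {name}: spans switches {sorted(hosts)} that are not multi-chassis LACP capable")
    return problems


SWITCHES = {"GS724T": Switch("GS724T", lacp=True), "JGS516": Switch("JGS516", lacp=False)}
ALL_VLANS = frozenset({1, 10, 20, 30, 40, 50, 60})
DOWNSTREAM = frozenset({1, 10, 40, 60})


def chucks_plan() -> list:
    """Chuck's layout with S.'s advice applied: LACP toward OPNsense, static toward the JGS516.
    OPNsense port names are an assumption (I350 ports appear as igb0..igb3 on FreeBSD)."""
    return [
        Link(Lagg("lagg0", "opnsense", ("igb0", "igb1"), "lacp", frozenset(), untagged=1),
             Lagg("lagg0", "GS724T", (22, 24), "lacp", frozenset(), untagged=1)),
        Link(Lagg("lagg1", "opnsense", ("igb2", "igb3"), "lacp", ALL_VLANS),
             Lagg("lagg1", "GS724T", (18, 20), "lacp", ALL_VLANS)),
        Link(Lagg("lagg2", "GS724T", (21, 23), "static", DOWNSTREAM),
             Lagg("lagg2", "JGS516", (15, 16), "static", DOWNSTREAM)),
    ]


FREEBSD_PROTO = {"lacp": "lacp", "static": "loadbalance"}  # a Netgear "static LAG" is FreeBSD's loadbalance


def freebsd_equivalent(lagg: Lagg, gateways: dict) -> list:
    """The ifconfig sequence behind S.'s order: lagg, then VLANs on it, then gateway addresses.
    On OPNsense this is done in the GUI; the commands only show what that amounts to underneath."""
    ports = " ".join(f"laggport {m}" for m in lagg.members)
    cmds = [f"ifconfig {lagg.name} create",
            f"ifconfig {lagg.name} laggproto {FREEBSD_PROTO[lagg.proto]} {ports} up"]
    for vid in sorted(lagg.tagged):
        cmds.append(f"ifconfig vlan{vid} create vlandev {lagg.name} vlan {vid}")
        if vid in gateways:  # the VLAN interface that acts as that VLAN's gateway
            cmds.append(f"ifconfig vlan{vid} inet {gateways[vid]} up")
    return cmds


if __name__ == "__main__":
    for p in check_plan(SWITCHES, chucks_plan()) or ["plan passes"]:
        print(p)
    print("\n".join(freebsd_equivalent(chucks_plan()[1].a, {10: "192.0.2.1/24"})))  # sample address
```

Run as-is it reports that Chuck's plan passes; changing the JGS516 end to `"lacp"`, giving `lagg1` an untagged VLAN next to its tagged ones, or cabling OPNsense `lagg0` to both switches each produces the corresponding violation, which is the point of checking the plan as data before the migration rather than discovering the mismatch on a trunk that has already cut off management access.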