LAN Traffic & Bandwidth to Opnsense

[drakensoul]

Hey All:

I don't (currently) use any VLANs.

Does the LAN NIC bandwidth in the Opnsense box need to be high to optimize LAN speed?  Stated differently -- does a slower NIC bottleneck LAN speeds?

I have 1200mbps internet going to my Opnsense box via 2.5G NIC -- WAN.
The Opnsense box connects to a switch via 10G SFP+ cable -- LAN.
This switch then branches out to other switches, devices, AP's, etc.

But the main switch only has two 10G ports, and I was thinking it might make more sense for the NAS to use the 10G interface instead, and the Opnsense box just have two 2.5G cards.

Would decreasing the Opnsense LAN interface to 2.5G do anything to bottleneck LAN performance given I don't use VLANs and all LAN devices are on the same subnet?

[yourfriendarmando]

Interesting question,  especially as 2.5Gbps becomes more mainstream. I think my coax plan is the same, but doesn't phase me much since the upload speed is still atrocious anyway.

That being said, the speed management functions of the underlying OS, can be managed at the IP layer 3, which doesn't care about the physical link layer under it.

I think the best question for you is, no it doesn't matter, until you DO implement VLAN and allowing traffic to traverse VLANs via your firewall. If you create, say a guest network, why not let that run over a slower 1Gbps link. When a cross VLAN device needs something,  it can happen at 2.5 or 10. Put your NAS on 10G if its disk array can respond closer to 10G. If you don't plan to use VLANs, it should be fine where it is, in case your other 10G uplink is needed to trunk to your next switch.

[TheAutomationGuy]

If you don't use VLANs, then all of your "routing" is handled at the switch level.  This means the only traffic that should be crossing through the firewall is data going to/from the internet connection.  Since your internet connection is slower than a 2.5gb connection, the difference between using a 10gb and 2.5gb between the firewall and switch is really not going to make a difference.

If you decide to switch to using VLANs (managed by OPNsense), traffic on the same VLAN will continue to be routed at the switch level.  Only traffic that needs to cross over from one VLAN to another will have to traverse to the firewall.  So even if you decide to add VLANs in the future, if you just take some time to ensure that data will travel on the same VLAN as much as possible and only cross over to another VLAN in rare occasions, you will likely still be fine using the 2.5gb connection between switch and firewall.

That being said, you don't mention the speeds of the normal ports on your network switch, but I suspect they are 10/100/1000.  This means that the real speed limitation on your network is currently with your switch, not the connection between the firewall and switch.  My recommendations above are assuming that all of your network devices are connected to the switch and nothing else is connected to the firewall (other than WAN and switch connections).

If you do have devices that can connect at faster speeds, you might want to connect those devices directly to the firewall's 2.5gb ports and then connect the firewall to the switch using the 10gb connection to ensure the fastest possible speeds should there be max throughput on several firewall ports at the same time.  In that case, using the 10gb connection between the firewall and switch could make a difference in overall network speed.

Hopefully that makes sense!