LAGG + Bridge + VLANs

[astranova]

How do I do a LAGG + Bridge + VLANs? I am running on Proxmox and want to passthrough my 4 port NIC (assuming I can get IOMMU to cooperate and put it in its own group) but I am not sure how to transition from my current setup to handling the above things inside OPNsense.

Currently, I have the LAGG setup as bond0 in Proxmox to an external switch that trunks about 5 VLANs including the WAN. The bond0 in the Proxmox setup is part of vmbr1 which is an OVS Bridge that is also used by several other VMs, they have their virtual NIC as an access port to a specific VLAN on vmbr1. Finally, my OPNsense VM has 2 NICs on vmbr1 - one is on an access port to the WAN VLAN, and the other trunks all the LAN ones - so from the OPNsense point of view, it just sees 2 NICs, one WAN, and one LAN and I separate out the VLANs in there.

If I passthrough the whole NIC, I want to use one port as WAN directly not going through the switch, and 2 ports as LAGG to the switch, like it currently is trunking the LAN VLANs, but also setup a bridge with a virtual NIC on vmbr1 to communicate with the other VMs. My thought is this will improve performance a little since devices on the switch won't have to also go through the vmbr1.

I'm not sure how to set it up - once I passthrough the 4 port NIC, I'll be able to remove the WAN virtual NIC from OPNsense and I'll have 5 total NICs showing up. I would first setup the LAGG on 2 of them that connect to the switch, and assign one to WAN. Then how do I do the VLAN assignment with the bridge - do I create the bridge and add the LAGG and the virtual NIC to it, and then split out the VLANs on the bridge device?

I'm concerned about doing something in the wrong order and losing access to the GUI. I have the built-in eth port on Proxmox that I can connect to and use another VM to access it through vmbr1 or I can use the serial terminal on the Proxmox host to configure it via CLI if I have to, but it would be nice to know the best way to accomplish this.

[Patrick M. Hausen]

You need to create the VLANs on the lagg interface, then create a bridge for each VLAN where you need one. You cannot run VLAN subinterfaces on a bridge interface in FreeBSD.

[astranova]

OK - so for example,

• first I would create the LAGG
• then under INTERFACES: OTHER TYPES: VLAN add the VLANS with the LAGG as the parent interface - the vtnet1 VLANs are already there.
• next it looks like I would need to do assignments, since if I try to create a bridge right now, it only shows interfaces from the assignments screen, so create new interfaces for the VLANs that are coming from the LAGG. at this point each VLAN has 2 interfaces, one with the LAGG as parent and one with vtnet1 as parent
• then create a bridge and add the pair of interfaces that are the same VLAN
• but then where does the IP for that VLAN subnet get set - in each interface or the bridge? maybe I've confused a step above

Without actually creating a bridge I'm not sure how it will end up. And then would I have to redo all the firewall settings since they're specified for the current interface assignments?
Thanks for the help

[Patrick M. Hausen]

IP addresses must be set on the bridge interface. See the documentation