How to add the gui admin LAN to LAGG (possible?)

[wotcha]

Is it possible to add the admin lan, and therefore the gui access to the router (https://192.168.1.1) to a lag (e.g. lagg0)?

Because when Lagg is being setup, most of us are looking at the gui right? So how can I add the LAN that I am literally accessing now to use the GUI as it cannot be deleted? The firewall admin GUI LAN interface is already assigned... it cannot be re-assigned to lagg0 unless deleted, if I delete then the GUI I'm on disappears... is there a way?

Also when I used the CLI on initial startup to create a lagg I assigned:
eth0 --> WAN
eth1, eth2 --> lagg0
eth3 --> OPT1
lagg0 --> LAN

but when I connected my cable to the eth1 port, I could not reach the LAN via https://192.168.1.1 at all. I wonder if this is because I cannot connect BOTH 2 cables to eth1 & eth2 ?

I thought if I can just connect one cable to eth1 it should be fine, I can still access the firewall

[meyergru]

You can connect with just eth1, but the connection has to be configured as a LAGG member on the other side as well. Ethernet packets have to be encapsuled within LACP frames in order to be recognized - on both sides of the LAGG.

[wotcha]

You can connect with just eth1, but the connection has to be configured as a LAGG member on the other side as well. Ethernet packets have to be encapsuled within LACP frames in order to be recognized - on both sides of the LAGG.

Okay, got it, thanks. So basically I can't connect eth1 to my computer directly.

[wotcha]

also in the Lagg interface, do I have to set a Static IPv4 DHCP range, Or can I not set it at all?

what would adding a static ipv4 DHCP range here (in lagg0) do?

[meyergru]

You can do almost anything identical on a LAGG than with a normal interface, it is only an additional layer on top of the physical enthernet interfaces, like a VLAN or a bridge.

There are few exceptions, like traffic shaping does not work for LAGGs. Maybe you have to tweak some tuneables in order to have pf filter at the correct level (don't remember that, I think that was only for bridges), but that should be about it.

[wotcha]

You can do almost anything identical on a LAGG than with a normal interface

okay thanks, but still confused on 2 points...

- So just to make doubl-y sure... I can't connect eth1 (one of the lagg0 ports) to my computer directly, right?

- I'll be adding VLANs (4 of them) to the lagg0 interface. Why do I have to set a Static IPv4 DHCP range on the lagg0 interface?

A few tutorial videos do this (like they add 192.168.99.1/24), but they don't explain why.

[meyergru]

You can connect eth1 if the link partner does LACP (either a capable switch or maybe a driver on your client), otherwise no.

You do not need to assign a subnet on the parent interface of your VLANs, unless you want to have a subnet on the untagged part of that interface. That depends if you only want VLANs or also an untagged LAN, which is often the case (like with Unifi, where the main LAN is usually untagged, whereas guest and IoT networks have a VLAN).

What you do need is to enable the VLAN parent interface (i.e. the LAGG) on OpnSense, but it does not technically need an IP address.

[wotcha]

Okay, I see. I think I would like to have untagged traffic.

Currently, I bridge the LAN (basically the Administration interface) between eth3 & eth1 (but eth1 is lagged with eth2 = custom name eth1x2)

So basically right now, there is Static ipv4 on the LAN Bridge with DHCP enabled, giving out 10.0.1.1/24 address.
But none, no ipv4 on eth3, or eth1x2, which make up the bridge.
But I can access the LAN from eth3 physical port right now without any problems.

Does that mean that untagged bridged LAN traffic is also entering the LAGG?

[Patrick M. Hausen]

Yes, of course. That is the point of a bridge.

[wotcha]

Yes, of course. That is the point of a bridge.

Great thanks. this worked out perfectly.