Same vlans on both ix0 and ix1
-
@ddvnu pfsense won't let you assign a VLAN to multiple parent interfaces at the same time. I believe the only exception, like mentioned already, is if you bridge multiple interfaces together to make a software switch, then assign the VLANs onto the bridged interface.
This is NOT recommended, since it throws switching onto the router hardware itself. So, since the "hack" is to bridge and make a pseudo-switch, you're better off doing it all on the much faster switching gear that you already have.
If you're looking at failover situations with low cost consumer or SOHO switches, they aren't really built to do this kind of stuff. You could manually do this by hand, simply by swapping out cables from one switch to the other, but you'd have to be onsite when one of the switches failed. I'm not familiar with them, but do the Fortiswitches not have a failover feature when using more than one of them?
-
@akuma1x I'm really new to both pfSense and FortiSwitch as I usually use Ubiquiti gear. The client insisted on FortiSwitch and a speed more than 10 GBit on WAN so I ended up with pfSense by recommendation from a friend.
-
@ddvnu More than 10Gbps on WAN? I hope you've got a good box and network card you're running pfsense on... :)
-
@akuma1x The pfsense 7100 should be able to do it.
-
@ddvnu True, but not "MORE THAN" 10Gbps on WAN. I don't even know if that machine would support a greater than 10Gbps NIC in the add-on card slot - like 40Gbps or 100Gbps, or faster...
-
@akuma1x It says in the spec that the "Netgate 7100 achieves up to 18.55 Gbps routing performance"; that's more than 10.
-
@ddvnu said in Same vlans on both ix0 and ix1:
@akuma1x It says in the spec that the "Netgate 7100 achieves up to 18.55 Gbps routing performance"; that's more than 10.
I think you are going to be rather disappointed if you are expecting more than 10Gbe from the 7100.
With no packages to interact with the traffic (so only pf filtering), you are looking at some 2.5Gbit max throughput/session because of the single core bottleneck with the Atom CPU.
4 cores = about 10Gbe in pf filtering.
If you disable filtering and only do routing, it can go somewhat higher.
But with lots and lots of users and sessions you are not going to hit 10Gbe.
-
@keyser This project is 48 apartments, should it not be sufficient? I expect a maximum of no more than 20 units (phones, computers, tablets etc.) per apartment.
-
@ddvnu Oh boy... you might be running into the mid-to-upper limits of the 7100 for a project like this. But, maybe not... 48 apartments with around 20 devices is almost 1000 hosts on your network. That's a lot, but not unreasonable. I wouldn't overload it with a lot of crazy add-on packages.
What I would be sure to do with a setup like this is to use a lot of VLANs, like 1 VLAN per apartment, at a minimum. That will keep all of the apartment network traffic separated from each other. It will be much faster if you do this on switching hardware vs. on pfsense itself, but I don't know what performance you're expecting here. I would assume it's kinda high, since you started this thread asking about a 10Gbps WAN connection. You can technically use the 7100 switch ports as separate interfaces with VLANs, but you're going to need to know how to program that, and you'll have to run multiple VLANs on each interface. Network traffic might get clogged up pretty quick. I would say you should add on the 4 port expansion card for more ports.
So, what I would recommend before you start - contact Netgate sales and ask them some questions about the 7100 and tell them about the scope of your project. They can make recommendations so you don't buy the wrong hardware.
-
@akuma1x Thanks for your advice, but it is already bought.
The 2 24-port switches are connected to ix0 and ix1 and I have set up 48 VLANs with rules. I hope it will be capable of the task.
-
@ddvnu Just curious how you tackled this... You obviously did the VLANs on the 2x switches right, but how did you get those switches into pfsense? Multiple switch ports, single switch port, how?
-
@akuma1x I put each of them on a vlan, and bridged them with the vlan lan.
-
@ddvnu said in Same vlans on both ix0 and ix1:
@keyser This project is 48 apartments, should it not be sufficient? I expect a maximum of no more than 20 units (phones, computers, tablets etc.) per apartment.
Yes, it will handle a thousand devices with ease - no problems. I was simply referring to you expecting more than 10Gbe throughput. That’s where you’ll meet the limit. But how do you get a “bigger than 10Gbe” WAN link on that thing? A LAGG between two 10Gbe ports?
If your WAN link is a 10Gbe link, then I would expect you will be happy with the 7100. You’ll likely never see actual 10Gbe being used - nor will it handle it unless the circumstances are “just perfect”. But for everyday use with a 1000 devices you can have it hit 5 - 6Gbe throughput “easily” if you do NOT add any packet inspection packages like Suricata, NtopNG and so on.
PfBlockerNG will be fine - it’s not a packet inspection tool.