Missing something
-
So I started with the community edition on a virtual box to test things out. Got everything working: LAGG, Bridge and a Backdoor (different IP range) for configuring the LAGG and Bridge without loss of connectivity on the LAN. All good. Working on the one device connected to it.
OK, ordered the real device (a 2100).
First step was to make the 4 LAN ports discrete on the switch (I think I did this correctly): LAN 1 with (1, 5), LAN 2 with (2, 5), etc. The community edition does not act as a switch on the virtual, so they are discrete ports.
set IP range on LAN 4
the status on the dashboard shows WAN / LAN UP and I can connect on the 1.1 IP
LAN 2, LAN 3, LAN 4 all show as down (correct at this point)
LAN 4 the backdoor is showing with the 10.1 range (seems correct)
Plug in another system LAN 4 port (IP'd in the 10.x range)
LAN 4 now shows UP (again seems correct)
I created a firewall rule on the Backdoor, to allow any traffic for now (same as I did on the test virtual box). But I can't connect to the dashboard, as I could in the community edition on the virtual.
Thoughts on what I might be missing..
thanks
-
-
@jarhead said in Missing something:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
Thanks for taking a look.
I did, but will check everything again. (the switch portion didn't exist at all in the community edition on the virtual box, just the virtual ports I created)
this could be what I did wrong,
what I ended up with was VLAN
Group 0 tag 1 Members 1,5
Group 1 tag 4000 Mem 4,5
Group 2 tag 2000 Mem 2,5
Group 3 tag 3000 Mem 3,5
but the result was that I ended up with 4 LANS showing on the dashboard, but the only one I can connect to is LAN (the one with 1, 5) and browse the internet here etc.
as I connect another system on LAN 4 the status changes to up (and the IP range is there)
-
@jrey said in Missing something:
but the result was that I ended up with 4 LANS
that's the correct result from what you described.
What do you WANT to do? And we can help you get it configured correctly.
-
again thanks for looking at this,
first I'd just like to be able to just connect to the dashboard on the lan 4 IP range (it really doesn't need to go anywhere else except access the dashboard)
When I did this on the test virtual (again just ports, no internal switch) it worked fine and I could connect to LAN on the standard IP and LAN 4 from a different machine on a second subnet.
This then on the virtual box. Let me put LAN and LAN 1 in a LAGG, and finally adding LAN 3 as a Bridge with the LAN -- it all just worked as expected (and as documented)
So in test ports 1,2 are a LAGG and port 3 is bridged with that (all forming the LAN connection), port 4 is the backdoor used to set it up.
In test I've been able to simulate everything and it works fine.
LAN to LAGG
https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html
LAN to BRIDGE
https://protectli.com/kb/how-to-enable-lan-bridge-with-pfsense/
Because the process in either of those disconnects the LAN during the setup, the backdoor is required to do the configuration. If only I could put the test box into production. (but that's why I purchased the 2100, the only difference I can see is the ports needed to be discrete for this to work)
currently can't connect to the dashboard backdoor IP so that's where I'm stuck, once solved the rest should likely go as expected. (I hope)
-
@jrey said in Missing something:
LAN to LAGG
https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html
LAN to BRIDGE
https://protectli.com/kb/how-to-enable-lan-bridge-with-pfsense/
No need for any of these things. Your 2100 has a switch on LAN1-4.
If you're using LAGGs and Bridges... remove them.
I highly recommend you do one of two things:
- Factory default and start over from scratch importing only sections of your old config that are absolutely necessary or
- Remove those things and re-configure the switch as 802.1Q. All that is covered in the switch-config link earlier in the thread.
-
-
It looks like you may not have set the PVID on ports 2,3 and 4 to match the untagged VLANs on them. That is required for inbound traffic. There is a separate tab for that in the switch config.
Yes, you don't need to bridge anything, the switch does a better job of acting as a switch. Unless you need to filter between network segments in the same subnet.
You cannot use the switched LAN ports as LAGG members. The switch does not pass the required layer 2 packets to connect to an external LAG device.
Steve
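
The PVID requirement described in the post above, as an added example that is not part of the original thread and not pfSense or Netgate code: a small check that every access port's PVID matches the VLAN it is an untagged member of. The VLAN table is the one posted in the thread; that port 5 is the tagged uplink, that the PVIDs were all still 1, and the function names are assumptions made for the illustration.

```python
"""Check that each access port's PVID matches the VLAN it carries untagged.

Added illustration, not pfSense code. Assumptions: port 5 is the tagged
uplink to the internal NIC, and every PVID was left at 1.
"""

UPLINK_PORTS = frozenset({5})  # assumption: tagged uplink

# VLAN tag -> member ports, as posted in the thread
VLAN_GROUPS = {1: {1, 5}, 4000: {4, 5}, 2000: {2, 5}, 3000: {3, 5}}

# port -> PVID; "before" is the assumed untouched state, "after" the matching one
PVIDS_BEFORE = {1: 1, 2: 1, 3: 1, 4: 1, 5: 1}
PVIDS_AFTER = {1: 1, 2: 2000, 3: 3000, 4: 4000, 5: 1}


def untagged_membership(groups, tagged_ports=UPLINK_PORTS):
    """Return {port: sorted list of VLANs the port carries untagged}."""
    result = {}
    for vlan, members in groups.items():
        for port in members - tagged_ports:
            result.setdefault(port, []).append(vlan)
    return {port: sorted(vlans) for port, vlans in result.items()}


def pvid_findings(groups, pvids, tagged_ports=UPLINK_PORTS):
    """List (port, pvid, untagged_vlans, reason) for every misconfigured port.

    An untagged frame arriving on a port is classified into the port's PVID.
    If that VLAN is not the one the port is an untagged member of, the frame
    is dropped or lands in another segment.
    """
    findings = []
    for port, vlans in sorted(untagged_membership(groups, tagged_ports).items()):
        pvid = pvids.get(port)
        if len(vlans) > 1:
            findings.append((port, pvid, vlans, "untagged in more than one VLAN"))
        elif pvid != vlans[0]:
            findings.append((port, pvid, vlans, "PVID does not match untagged VLAN"))
    return findings


if __name__ == "__main__":
    for label, pvids in (("before", PVIDS_BEFORE), ("after", PVIDS_AFTER)):
        print(label, pvid_findings(VLAN_GROUPS, pvids) or "all access ports consistent")
```

With the assumed default PVIDs, ports 2, 3 and 4 are flagged; with each PVID set to the port's own VLAN tag the list is empty.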
-
-
Ryan
Thanks
I assumed I had to have discrete ports to build the LAGG group, initially when I looked at (LAGG) there was nothing listed to build it with.
There is also nothing currently on the device for LAGG or Bridge.
So what you are saying is the LAGG does not need to be built on the device? Just plug in the 2 wires from the switch down the hall. Guess I'm not clear on how it would know they are a LAGG if you can't build it (or then would act as the LAN interface)
Is there another document on that (because the one I provided above seems to be the only discussion on LAN to LAGG I could find)?
Do I still need to make them discrete ports? (I'm not that far in that I can't factory reset and start fresh)
Much appreciated.
-
The switch ports (LAN 1-4 on the 2100) do not support LACP LAGG. The switch can only do a load-balance LAGG to something external. If your external switch supports that you could use it but there is little point since a single link provides all the bandwidth the 2100 will pass and there is no redundancy in a load-balance LAGG.
Steve
-
Thanks Steve
That's rather unfortunate, the previous wifi router supported LAGG, and when it was the first point after the modem, wired stations through the switch the modem was LAGG'd with enjoyed roughly double the speed to the internet (speedtest). Now that the NetGate has replaced the Wifi router with LAGG, and only a single wire to the NetGate (now the first step after the modem), those same wired clients enjoy roughly half the throughput they did previously. I'm considering going back to the wifi with LAGG as the first point after the modem, and/or trying to determine if the 2100 is the issue. (I did restore to factory defaults, and take a basic approach to connecting, wan/lan (single port connected at this time to the switch), internet works, just slower IMHO. Also did remove the LAGG group at the switch end, because it was showing only one wire connected; that had no impact, other than the switch is no longer complaining that the lagg is only half there.)
Much appreciate the feedback. Thanks
-
What bandwidth is your WAN?
Each link in the LAGG will pass 1G which is more than the 2100 will pass for most traffic. If your external switch supports load-balanced static lagg you can use it there though. That will increase available bandwidth between the external switch and the 2100 internal switch but it won't affect bandwidth to/from the internet.
Steve
-
Thanks again for the reply.
The WAN is nowhere near the cap. (evidenced by their attainable speed through the old router/switch) The devices on the switch are not even getting close to cap and still they are not even close to what they could achieve before.
Now that the 2100 is running, I'm hesitant to try and make changes, but what would be the general strategy for placing the LAN in a LAGG, which is what I was trying to accomplish when I started breaking the ports apart as noted earlier following the documents that had been linked. (I get it, don't need the Bridge part, because this is a switch.) When I look now, as before, nothing shows up under LAGGS to even try and build it on (i.e. when you click on ADD LAGG, the Parent Interfaces list is empty). Can you give me a couple of bullet point steps to follow? (I currently have two empty LAN ports, having plugged a small hub into one of the others, for testing), so 2/4 LAN ports are used at this time, and everything is still connected.
Much appreciate the feedback, Thank you
-
You have to configure the 2100 switch ports as a lagg. It's independent of the Interfaces > Lagg setup in pfSense.
There is still a single 1G link between the internal NIC (mvneta1) and the switch in the 2100. And the WAN side can only be 1G at most so I really would not expect this to make any difference.
What available WAN bandwidth is your ISP providing?
What speed differences were you seeing with and without the LAGG using the previous router?
Steve
-
@jrey said in Missing something:
nothing shows up under LAGGS to even try and build it on (i.e. when you click on ADD LAGG, the Parent Interfaces list is empty)
Because these ports do not exist in the pfSense software -- they are a single in-bound port of mvneta1.
The Marvell (the M of mvneta, the rest being Virtual NETwork Adapter, I believe -- if not it works so ¯\_(ツ)_/¯ ) are all handled by the SoC and not by the pfSense base.
-
Thanks Steve and Ryan for your assistance. As it turns out, after connecting and testing on a second port at the netgate (not through the switch) the slowness to internet was also observed.
Cable tester to the rescue -- turns out the cable Wan port to Modem must have been damaged in the move. it was still working, just not well. Replaced that cable and presto.
looking into installing a "speedtest" on the netgate. I saw something about that somewhere, would have been handy to have there a couple of days ago.
Also what is the correct forum (please) for apcupsd questions?
Thanks again
-
@jrey said in Missing something:
looking into installing a "speedtest" on the netgate.
At the command line:
```
[22.05-RELEASE][admin@cedev-3.stevew.lan]/root: pkg search speedtest
py38-speedtest-cli-2.1.3 Command line interface for testing internet bandwidth
[22.05-RELEASE][admin@cedev-3.stevew.lan]/root: pkg install py38-speedtest-cli
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
py38-speedtest-cli: 2.1.3 [pfSense]
Number of packages to be installed: 1
38 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching py38-speedtest-cli-2.1.3.pkg: 100% 38 KiB 39.0kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing py38-speedtest-cli-2.1.3...
[1/1] Extracting py38-speedtest-cli-2.1.3: 100%
[22.05-RELEASE][admin@cedev-3.stevew.lan]/root: rehash
[22.05-RELEASE][admin@cedev-3.stevew.lan]/root: speedtest-cli --secure
Retrieving speedtest.net configuration...
Testing from Plusnet (x.x.x.x)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by 1Ago (Sint-Niklaas) [303.34 km]: 17.173 ms
Testing download speed................................................................................
Download: 61.46 Mbit/s
Testing upload speed......................................................................................................
Upload: 18.56 Mbit/s
```
Questions about apcupsd should be in the Packages sub-forum.
Steve