What is the best approach to have the same iprange on different interfaces including LAGG
-
I have a pfsense box with 6 ports on the ground floor and my planned setup would be:
igb0 - WAN
igb1 - LAN - Unifi AP
igb2 - TV
igb3 - Soundbar
igb4-5: LAGG to unifi switch
And a unifi 16 port switch on the 1st floor as my main switch:
I'd like to connect the pfsense box and the 16 port switch with LAGG and my unifi controller (Cloud key gen2 plus) is also connected to this switch as well as other APs and POE cameras. As far as I know it's good to have the controller and the APs in the same network but I don't know what is the best way to achieve this.
So far I realized that I can't attach the same VLAN to the LAN and LAGG interfaces simultaneously, and while bridging the LAGG and LAN is possible, it is not recommended and puts the switching on the pfSense box.
-
@fhegedus bridging is not a good choice that is for sure.
So if you want the ability to put any network/vlan on any port, send your vlans/networks to your switch. How you then get your vlans/networks to pfsense for routing can be done a few ways, via uplink specific like say your lan or over a lagg sure - but you can not have multiple uplinks for the same network/vlan..
What vlans were you planning on running on this lagg? Seems like you're going to plug igb2 and igb3 directly into devices? They would be on their own network/vlans?
Easy solution is just to run lagg to your switch, however many ports you want and then just run your vlans on the lagg, limit here is control - you have no idea if intervlan routing would hairpin or not (over the same physical interface). And you can only have 1 untagged network.
But you can if you want just uplink any specific network or vlans over different interfaces.. You just cannot run multiple untagged networks over the same physical interface or lagg.
Do you need/want a drawing as example?
edit: here quick and dirty
you have multiple different uplinks for different networks and/or some with untagged (net) and vlans on them.. Now you can put any port on your switch on any network/vlan you want. And/or trunk all the networks or some of them to some other switch or AP..
Just for clarity when I say network this means native untagged, vlan is tagged.
What exactly are you wanting to get out of using the lagg? Other than redundancy for failed port, or cable it doesn't really get you much to be honest other than lack of control over what physical interface traffic would be flowing.
Lagg is more useful when you connect say switches together and you have lots of different clients all talking to other clients on some other switch and you need more total bandwidth between the switches than 1 physical interface can provide.
Say for example you had a lot of clients on network Z, and your internet was say 2gig vs just 1 gig - then lagging network Z into pfsense might make sense.. Or if say you had 500 or gig internet and your interfaces to your switches were only 100mbps..
-
@johnpoz First I'd like to thank you for your effort! :)
This would be my target state:
The answers to your questions:
igb1 and igb2 are connected to end devices
igb3 connected to the AP U6LR
LAGG would provide the new "LAN interface", I call it home VLAN, and carries untagged and tagged traffic (except CAM vlan) and this would be the only uplink between the two devices. I only have these two cables between the two locations and I'd like to add redundancy, and also there are cases when many wifi 6 clients communicate with services running on my esxi which is also connected to the switch with LAGG.
And what I still don't understand: When I create the HOME vlan the parent interface should be the LAGG, and then how do I add this VLAN to other ports on the pfsense box?
-
And this doesn't work
The ports on pfsense are not switch ports.. As I went over do that on your switch.. Create uplinks from your switch into pfsense for each network/vlan - either on same physical interface, or different ones for each vlan/network or throw them on a lagg..
But that setup isn't going to work without some bridge to bork up everything you have to configure on pfsense. A bridge is not a switch..
Get a 40$ smart switch for your ground floor, and then run from that switch up to your 1st floor.
What you're wanting to do is done on the switch, not on discrete interfaces of a L3 firewall/router.
edit: Also your unifi controller doesn't need legs in more than 1 vlan/network.. So not sure why you're showing iot/cam/home on it.. It only needs the network you're going to use for management of your AP/Unifi switches.
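The two rules johnpoz gives above (a physical interface or lagg carries at most one untagged network; a network/vlan reaches pfSense over only one uplink) as a small plan checker, run against the plan from fhegedus's reply (HOME on the lagg and again on a discrete port) and against the "everything on the lagg, one untagged" layout. This is an added example, not code from the thread or from pfSense, and the interface and network names are assumptions constructed from the thread's description.

```python
from collections import defaultdict


def check_plan(plan):
    """plan: list of (uplink, network, tagged) tuples describing which
    networks/vlans enter pfSense over which physical interface or lagg.
    Returns a sorted list of rule violations; an empty list means the plan
    respects both rules stated in the thread."""
    untagged = defaultdict(list)   # uplink -> untagged (native) networks on it
    uplinks = defaultdict(set)     # network -> set of uplinks carrying it
    for uplink, network, tagged in plan:
        if not tagged:
            untagged[uplink].append(network)
        uplinks[network].add(uplink)

    problems = []
    # Rule 1: only one untagged network per physical interface or lagg.
    for uplink, nets in untagged.items():
        if len(nets) > 1:
            problems.append(f"{uplink}: more than one untagged network {sorted(nets)}")
    # Rule 2: a given network/vlan cannot have multiple uplinks into pfSense.
    for network, ups in uplinks.items():
        if len(ups) > 1:
            problems.append(f"{network}: multiple uplinks {sorted(ups)}")
    return sorted(problems)


# Constructed: HOME untagged (IOT tagged) on lagg0, and HOME/IOT again on igb3
# for the AP, plus two end devices on their own untagged networks.
ORIGINAL_PLAN = [
    ("lagg0", "HOME", False), ("lagg0", "IOT", True),
    ("igb3", "HOME", False), ("igb3", "IOT", True),
    ("igb1", "TV", False), ("igb2", "SOUNDBAR", False),
]

# Constructed: every shared network goes up the lagg once (one untagged, rest
# tagged); the AP is then patched into the switch, not into pfSense.
FIXED_PLAN = [
    ("lagg0", "HOME", False), ("lagg0", "IOT", True), ("lagg0", "CAM", True),
    ("igb1", "TV", False), ("igb2", "SOUNDBAR", False),
]

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("fixed", FIXED_PLAN)):
        print(name, check_plan(plan) or "OK")
```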
-
@johnpoz OK :( But it would have been so clean :). I have a spare 8 port managed unifi switch that I can use but it's plus one device with wiring and power cable.
I have unifi cameras and the controller is the nvr, plus the unifi controller is a cornerstone of my home automation, that's why it needs to have legs in every vlan. Thanks for the guidance!
-
@fhegedus said in What is the best approach to have the same iprange on different interfaces including LAGG:
why it needs to have legs in every vlan
Defeats the whole purpose of segmentation to be honest.. Why do you think it needs a leg in every network? If you're going to put devices in all networks - just run 1 flat network.