How I can assign same vlan to multiple interfaces

KpuCko

Hello,
In the past I had the same issue, with routers it is very hard to achieve this task, assigning same vlan interface/tag to multiple physical interfaces. I remember I've to create bridges, read tons of manuals how to do it with Mikrotik, afterwords vlan support for bridge was invented and Mikrotik implemented it in their products, so nowadays achieving the task with Mikrotik is trivial, but what about the rest?

In the Cisco world is much easier,

switchport mode access vlan5 - done
switchport mode trunk, allow vlan 5,6, - done

The question is, how I can do it in pfSense.
I have router with 6 ports, I've already used two of them to make LACP group between the switch and the router, and because the switch doesn't have enough ports, I want to be able to use those left from the pfSense.

From my point of view, this cannot be done at the moment from technical perspective.
Or if this can be done, there a huge amount of work have to be done as preparation, for example, create bridge, create another way to access the firewall, transfer vlan interfaces to the bridge and so on, and you may understood this will be very disruptive action.

So ignore my last stanza and let's discuss.

NogBadTheBad

You can't span the same vlan over multiple router ports, vlan X on your LACP trunk wouldn't be the same vlan X on another router port.

You could bridge in pfSense but buying a switch with more LAN ports or adding an additional switch would be easier and you'd not get the performance hit associated with a bridge.

KpuCko

@NogBadTheBad said in How I can assign same vlan to multiple interfaces:

vlan X on your LACP trunk wouldn't be the same vlan X on another router port.

Hm why not? The vlan tag is what all are interested in, so using same vlan tag, will carry same data. Or I have misunderstanding.

NogBadTheBad

@KpuCko said in How I can assign same vlan to multiple interfaces:

@NogBadTheBad said in How I can assign same vlan to multiple interfaces:

vlan X on your LACP trunk wouldn't be the same vlan X on another router port.

Hm why not? The vlan tag is what all are interested in, so using same vlan tag, will carry same data. Or I have misunderstanding.

pfSense is a router not a switch that's why, same with a Cisco router if you created a subinterface on g0/0.101 and g0/1.101 it would tag the packets as vlan 101 but they are two independent interfaces.

The packets may contain the same vlan tag but they are on a different broadcast domain.

KpuCko

@NogBadTheBad said in How I can assign same vlan to multiple interfaces:

@KpuCko said in How I can assign same vlan to multiple interfaces:

@NogBadTheBad said in How I can assign same vlan to multiple interfaces:

vlan X on your LACP trunk wouldn't be the same vlan X on another router port.

Hm why not? The vlan tag is what all are interested in, so using same vlan tag, will carry same data. Or I have misunderstanding.

pfSense is a router not a switch that's why, same with a Cisco router if you created a subinterface on g0/0.101 and g0/1.101 it would tag the packets as vlan 101 but they are two independent interfaces.

The packets may contain the same vlan tag but they are on a different broadcast domain.

Good. Many thanks for the clarification.
I really needed to understand how this works.

stephenw10

@KpuCko said in How I can assign same vlan to multiple interfaces:

In the Cisco world is much easier,

Yup, that's only true in the world of Cisco switches.

Steve

OGsadpanda

I'm looking for basically the same thing.

Best I found was simple bridge vs assigned bridge
https://www.netgate.com/resources/videos/wireless-access-points-with-pfsense.html
around 38min mark

but I'm not having much luck with it

stephenw10

Yeah, as discussed, you need to bridge them but don't if you have any other option!

OGsadpanda

@stephenw10 from what I'm getting here, it's worse than not being ideal... Bridging is broken/not even an option

stephenw10

Between VLANs it may be. I don't ever seen one in reality.

KpuCko

Just shooting in the dark, but I'm wondering how hard can be to implement Open vSwitch in pfSense?

mackjone

This post is deleted!

KpuCko

@mackjone said in How I can assign same vlan to multiple interfaces:

You can't traverse the equivalent vlan over different switch ports, vlan X on your LACP trunk wouldn't be the equivalent vlan X on another switch port.

Sure I've got it, so how they do it?
For example:

In Mikrotik you can create a bridge, then create all the vlans you need to work with, and set it as follow:

vlans: 1,2,3 should be tagged on port 2,4,5
vlan: 4, should be untagged on port 1,3,5

We already discussed Cisco, and how they do it.
The question is what they use under the hood?

NogBadTheBad

@KpuCko

You can bridge in pfSense, I’d advise against it.

FYI Open vSwitch isn’t a pfSense thing.

https://docs.netgate.com/pfsense/en/latest/bridges/index.html

johnpoz

@KpuCko said in How I can assign same vlan to multiple interfaces:

afterwords vlan support for bridge was invented and Mikrotik implemented

What specific mikrotik are you talking about? For example many of their devices have built in switch. Not discrete interfaces.

I fail to understand why users continue to insist on forcing the square block into the round hole.. If you want a switch in your router, then get hardware that does that. There are few models of netgate boxes that have switches built in.

While bridging has its uses sure.. But your desire to use a interface port as a switch port via bridging is not one of them..

If you want a switch, use a switch.. If unused ports on your router are driving your OCD into overdrive. Use them in a lagg, or use them as intended, and actual interface for network(s) you want to route.

If you want all your ports to be used for all your vlans to quiet your OCD of seeing a port with nothing in it.. Then put them all in a lagg, and throw your vlans on the lagg..

OGsadpanda

@johnpoz

again total n00b here but I thought the whole point of these intel dual/quad port NICs was that they ARE switches... Are they not?

(check out schematic layout):

82580 REFERENCE DESIGN

options list according to ifconfig:
RXCSUM, TXCSUM, VLAN_MTU, VLAN_HWTAGGING, JUMBO_MTU, VLAN_HWCSUM, TSO4, TSO6, LRO, VLAN_HWFILTER, VLAN_HWTSO, RXSUM_IPV6, TXSUM_IPV6

I'm not trying to be difficult... Just trying to learn.

johnpoz

@OGsadpanda said in How I can assign same vlan to multiple interfaces:

ntel dual/quad port NICs was that they ARE switches... Are they not?

No they are not switches... They are 2 or 4 discrete interfaces on the same card.. Not switches..

KpuCko

I know some of the models has a switch built in, but not all of them.

So some of the processing power is handled by the main processor, but the other one by the switch processor and so on. But nevermind.

My thoughts are I expect to be able to do switching and routing with one device, but it seems this doesn't apply here.

johnpoz

@KpuCko said in How I can assign same vlan to multiple interfaces:

My thoughts are I expect to be able to do switching and routing with one device

You can - just get a box that has switch ports in it, that does routing.. SG3100 has switch ports, the new sg2100 has switch ports. The 5100 for example does not..

My sg4860 does not.. I didn't want switch ports on it, because switching should be done on your "switch" ;) Not your router..

Keep in mind that with routers with switches, the uplink into the routing is going to be limited.. Look at the above block diagrams for example.. Notice the 1gbps and 2.5gbps uplinks from the switches..

The proper tool for the job.. Do you go buy the hammer at the store, when you need to hammer in a nail? Or do you pound on nails with your screwdriver?

Switches are not expensive these days... You could pick up a 8 port gig smart switch for like $40.. Or get a 16.. Or 24 if what you are after are switch ports. I would always suggest if you think you need a 5 port switch, get an 8 or 16.. That way when your needing another port - you don't start eyeing your router interfaces thinking you can use them as switch port ;)