Load balance Lagg interfaces

reinvtv

Hi,

I am currently building a new pfSense box with a i340-t4 intel card, and currently have 2 hp 1810-24G switches that are LACP connected.

I would like to run my storage traffic through the firewall (currently i just put storage and server on the same vlan/network).

I know pfSense supports LACP, but can I create 2x a LACP bond and then bridge/failover those LAGG interfaces? the 1810G switches unfortunately do not support RSTP or STP, but do pass BPDU packets.
I only need one LACP link active at all times (2Gbit is enough, the storage i have is only connected with 1Gbit uplinks anyway).

I hope to achieve a failover situation where any of the switches can go down without disconnecting the storage-server vlan communication.

Anyone who can shed some light on this? Is a bridged interface the way to go? with RSTP setup on the LAGGs? Or would a LoadBalanced interface be possible between the 2 LACP-LAGGs?

Quick drawing:

      HP1810G
----------------------
|  |LACP          |  |
|  |              |  +---------|LACP
|  |              +------------|
|  |                           |pfSense box
|  |              +------------|
|  |              |  +---------|LACP
|  |LACP          |  |
----------------------
      HP1810G

stephenw10

No. Bridging will just create a loop.

Do those switches support cross-chassis LACP? They are stackable?
That is the correct way to do this.

How is your storage connected there? What is accessing it?

Steve

reinvtv

@stephenw10

The storage boxes are all connected with bonded interfaces. Balance-slb is the term for most of the boxes.
Unfortunately the switches aren’t stackable.
I know in a perfect scenario stackable switches would solve this, but I’m not upgrading my home lab at the moment :).
What about bridging with rstp activated?

stephenw10

I mean you could try it.... I'm not really sure what you will gain by doing so though.

If one of your switches fails everything connected to it will lose connectivity.

Unless your hosts there are using failover lagg to both switches?

This seems like it's more likely to cause problems that prevent any IMO.

Steve

reinvtv

@stephenw10

An updated schematic, this time including storage and xen nodes

SLB stands for Software Load Balancing it is a linux feature that keeps both links up, but as the name suggests, balances out based on mac address and ip address hash.
This makes it possible to use both links at the same time and (theoretically) fill 2x 1Gbit with data.

I use XCP (Xen fork) as a hypervisor, (using ESXi now, migrating things slowly), and noticed pfSense isnt that happy with Xen as it is on my ESXi. (ESXi i can get line speed, but XCP is only giving me 150-250Mbit on a single link). I read some stuff about the offloading of the TX or RX, but that doesnt seem to help.

All other virtual servers running on any node have no problem getting 800-900Mbit to any other vm, on any other node, which is sufficient for all my needs.
I figured a hardware firewall would be the better choice anyway, and i have the hardware laying around anyway.

So i'm looking for something like Balance-SLB on linux, but for free/openbsd/pfsense ;)

reinvtv

@stephenw10

Maybe my thinking is overcomplicated and i could just create a 4 port LAGG LOADBALANCE interface accross 2 switches?

stephenw10

How much of that is already setup? How is pfSense connected currently?

I assume you're going to add VLANs over those links to separate the storage and servers?

If you bridge the two LAGGs and rely on STP to prevent a loop only one of those links will ever be active.
So I guess you would need the LAGG between the switches since you're load-balancing each host to both.
That also means you have no redundancy here. And if that's the case why not just use LACP from each host to one switch?

This just seems needlessly complex with little to no advantage.

Steve

reinvtv

@stephenw10

Current setup is everything but the pfsense. The current pfsense (ha) is setup on 2 virtual machines which reside on different hosts.

This current setup is fully redundant, any host can go and any switch can go. Vlans are already running (currently 12).

stephenw10

Ah, Ok. So you have an LACP link from each switch to one HA node currently?

And the CARP VIP is only ever on one of them so the switches move the packets accordingly.

If so a failiover LAGG to one firewall should produce similar results. Though only one port can be master AFAIK.

reinvtv

@stephenw10

Ok that confirms my theory.

Can you confirm the LAGG LOADBALANCE connected with 2 uplinks to the same switch would be able to get a total of 2 Gbit bandwidth (split over multiple streams ofc, i know one stream will always be limited to 1 Gbit)

stephenw10

Yes, you can so that if the switch supports it. Better to use LACP if you can though.

Steve