Netgate Discussion Forum
    Migrating from Bridge to VLAN on Netgate 7100-1U: Questions & Advice Needed

    Nariolato

      Hello everyone, I'm reaching out for some advice and clarification regarding network configuration changes on my pfSense setup.

      Background:

      Currently, my environment has very few (or no) VLANs, but I'm planning to implement them soon. The hardware in use is a Netgate 7100-1U appliance. I'm picking up where someone else left off, and upon reviewing the existing configuration, I noticed that there are two interfaces (ix0 and ix1) bridged together on a /16 subnet.

      My intention is to remove this bridge (which seems physically unnecessary) and instead use a single interface configured with VLANs.

      Current Setup:

      • All devices behind the bridge are untagged.
      • Both interfaces (ix0 and ix1) are assigned in pfSense to physical ports, without any VLANs.

      My Questions:

      If I disable the bridge, create a VLAN, then create an interface and assign this VLAN to the appropriate port (assuming ix0 and ix1 correspond to eth9 and eth10, which I don't have physically since my unit only has 8 Ethernet ports; if someone can confirm that too):

      1. If I keep the same subnet on the new VLAN interface (after reconfiguring DHCP accordingly), will all the devices connected to this new interface correctly retain or acquire their IP addresses without issues, especially regarding MAC addresses and connectivity?

      2. Is there anything specific I need to watch out for when transitioning from a bridge to a VLAN setup on the Netgate 7100-1U? Thank you in advance for your help!

    SteveITS @Nariolato

        @Nariolato It has an 8 port switch and two opt ports:
        https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/io-ports.html

        If you reassign the interface then as long as the PCs have connectivity (are in the VLAN) I’d expect things to work. Logically it’s just moving wires.

        Bridging two ports means there are two physical networks so presumably there should be a change there.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

    Nariolato @SteveITS

          @SteveITS Thanks for the reply.

          I think I’ve understood something: I have three options for creating VLANs. I can either create them on LAGG0 as the parent interface (which should correspond to the 8 base-T ports), or directly on ix0 and ix1 (the SFP ports).

          Let’s say I want to set up VLAN 100 for management. Does that mean I need to create it twice if I have a connection on both ix0 and eth1? Can devices on those interfaces communicate with each other?

          Finally, I assume the best approach is either to use the switch ports or just the SFP ports connected to a switch (since I have a 10-gig switch)—but not both at the same time.

          Sorry for changing the topic a bit!

    stephenw10 (Netgate Administrator)

            Yes, a common misunderstanding with the 7100 is that people try to use it as they might with a switch where a configured VLAN could be available on any or all ports including the 10G ports. But the 7100 is a firewall/router with separate interfaces, it's just that one of those interfaces, lagg0, is connected to the internal switch as you say.

            So when I see a bridge configured on the 7100 I have to suspect that it might be to add the ix ports to the switch. Be aware that might have been the intention.

            But if the bridge only contained ix0 and ix1 then it could have been added to filter traffic between those interfaces while having them connected at layer 2. In which case using VLANs there is not going to fulfill the same function.

            If you want to add VLAN100 and have it available on both the Eth switch ports and ix0/ix1 you would need to bridge it.
            lagg0.100 is a different interface to ix0.100 and pfSense sees them completely separately otherwise.

    Nariolato @stephenw10

              @stephenw10 Thank you very much for your response; I really appreciate it.

              The bridge I’m referring to is a bridge between an interface I’ll call A, which is assigned to ix0, and an interface B, which is assigned to ix1. The subnet is set on an interface named BRIDGE, assigned to bridge0. I think there’s not much advantage to having this bridge, apart from historical reasons. Physically, if I simply reconnect ix0 and ix1 from both my pfSense devices to a switch stack below, it’s basically the same result.

              I don’t really see the point of this bridge, since all traffic is allowed on both interfaces. My idea is instead to use LACP from a VLT switch stack to provide redundancy to my two pfSense devices. I would create a VLAN, say VLAN 10, with the same subnet as the old bridge. However, I’m having trouble estimating the impact because I have a lot of equipment. The problem is that I can’t create a VLAN for both (ix0 and ix1); so I think I’ll need to create a new LAGG1 using ix0 and ix1.

              Is there a best practice for choosing between using the SFP ports to connect to a switch stack, or just using the switch on the 7100 directly? Or is it simply a matter of preference?

              I hope I’ve been clear enough in my explanation. Please feel free to correct me if anything is unclear.

    SteveITS @Nariolato

                @Nariolato The SFP ports are 10 Gbps.

                Why not put a switch in front of those ports and use only one port, to simplify things? Then traffic between devices (that would go through the router) is handled in the switch hardware, not software. Or does each half need its 10 Gbps? (to where, since the other ports are not that fast...)

                I'd suggest a wiring diagram so you have the layout, and then figure out what speeds are needed, then determine which ports to use.

    Nariolato

                      However, I’m concerned about losing redundancy with that approach. Wouldn’t configuring a LAGG (LACP) using both ix0 and ix1 interfaces to connect to the VLT stack switch be better? If I understand correctly, VLANs would be configured as lagg1.100, lagg1.101, and so on.

                      My plan is to convert the current bridge (bridge0, which includes ix0 and ix1 and uses the subnet 10.17.0.0/16) into a LAGG. Here’s how I’m thinking of proceeding:

                      • Disable the bridge.
                      • Create the LAGG interface (ix0 + ix1).
                      • Create a VLAN (e.g., lagg1.10).
                      • Assign a new LAN interface to lagg1.10 with the same subnet (10.17.0.0/16).
                      • Reconfigure DHCP on the new interface.

                      All future VLANs would then pass through this LAGG link to my VLT stack of two 10Gb switches. On the switch side, I’d create a trunk port-channel for these links.

                      Is this the right approach for ensuring redundancy? Or is there a better process I should follow? Redundancy is important to me.
                      And I won't use the ETH 1-8. Or vice versa, if I don't want 10 gigabits, I can only use ports eth1-8?
                      But since my WAN is already on ETH, do I understand correctly?

                      My only concern is that all computers / servers will reconnect, and especially the DHCP as will happen when their leases expire (computers).

    stephenw10 (Netgate Administrator)
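A consistency check for the five-step plan in the post above (bridge removed, LAGG of ix0+ix1, VLAN on the LAGG, the /16 moved to lagg1.10). This is an added example, not code from the thread or from Netgate; the element names follow pfSense's config.xml layout as I understand it (<laggs>, <vlans>, <bridges>, <interfaces>) and the sample config is constructed, so compare against a real backup before relying on it.

```python
"""Sanity-check a pfSense-style config.xml against the bridge -> LAGG/VLAN migration plan.

Assumption: element names (<laggs>/<lagg>, <vlans>/<vlan>, <bridges>/<bridged>,
<interfaces>) match pfSense's config.xml; verify against your own backup.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what the config should look like after the migration.
MIGRATED_CFG = """<pfsense>
  <laggs><lagg><members>ix0,ix1</members><laggif>lagg1</laggif><proto>lacp</proto></lagg></laggs>
  <vlans><vlan><if>lagg1</if><tag>10</tag><vlanif>lagg1.10</vlanif></vlan></vlans>
  <bridges></bridges>
  <interfaces>
    <wan><if>lagg0.4090</if><enable></enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>lagg1.10</if><enable></enable><ipaddr>10.17.0.1</ipaddr><subnet>16</subnet></lan>
  </interfaces>
</pfsense>"""


def check_migration(xml_text, lagg="lagg1", members=("ix0", "ix1"), tag="10",
                    subnet="10.17.0.0/16"):
    """Return a list of findings; an empty list means the plan is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    net = ipaddress.ip_network(subnet)
    # 1. The old bridge must be gone; a leftover bridge would still join ix0/ix1 at layer 2.
    if root.find("bridges/bridged") is not None:
        findings.append("bridge still defined")
    # 2. The LAGG must exist, use LACP and contain exactly the two SFP+ ports.
    l = next((x for x in root.findall("laggs/lagg") if x.findtext("laggif") == lagg), None)
    if l is None:
        findings.append(f"{lagg} not defined")
    else:
        if l.findtext("proto") != "lacp":
            findings.append(f"{lagg} is not LACP")
        if set(l.findtext("members", "").split(",")) != set(members):
            findings.append(f"{lagg} members are not {members}")
    # 3. The VLAN must hang off the LAGG, not off a single ix port (pfSense treats ix0.10 separately).
    vlanif = f"{lagg}.{tag}"
    v = next((x for x in root.findall("vlans/vlan") if x.findtext("vlanif") == vlanif), None)
    if v is None or v.findtext("if") != lagg or v.findtext("tag") != tag:
        findings.append(f"{vlanif} missing or not parented on {lagg}")
    # 4. Exactly one enabled interface may carry the /16, and it must be the new VLAN interface.
    carriers = [i for i in root.find("interfaces") if i.find("enable") is not None
                and i.findtext("ipaddr", "") not in ("", "dhcp")
                and ipaddress.ip_interface(f"{i.findtext('ipaddr')}/{i.findtext('subnet', '32')}").network == net]
    if len(carriers) != 1 or carriers[0].findtext("if") != vlanif:
        findings.append(f"{subnet} is not assigned solely to {vlanif}")
    return findings
```

Run it against a backup taken after the GUI changes; any finding means one of the steps was skipped or the subnet still lives on the old bridge interface.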

                        Yup, it'd probably be fine then. If it was bridged just to make connections easier then almost any other setup would be better. 😉

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.