Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Migrating from Bridge to VLAN on Netgate 7100-1U: Questions & Advice Needed

    Scheduled Pinned Locked Moved General pfSense Questions
    12 Posts 3 Posters 6.1k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      Nariolato @SteveITS
      last edited by

      @SteveITS Thanks for the reply.

      I think I’ve understood something: I have three options for creating VLANs. I can either create them on LAGG0 as the parent interface (which should correspond to the 8 base-T ports), or directly on ix0 and ix1 (the SFP ports).

      Let’s say I want to set up VLAN 100 for management. Does that mean I need to create it twice if I have a connection on both ix0 and eth1? Can devices on those interfaces communicate with each other?

      Finally, I assume the best approach is either to use the switch ports or just the SFP ports connected to a switch (since I have a 10-gig switch)—but not both at the same time.

      Sorry for changing the topic a bit!

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by stephenw10

        Yes, a common misunderstanding with the 7100 is that people try to use it as they might with a switch where a configured VLAN could be available on any or all ports including the 10G ports. But the 7100 is a firewall/router with separate interfaces, it's just that one of those interfaces, lagg0, is connected to the internal switch as you say.

        So when I see a bridge configured on the 7100 I have to suspect that it might be to add the ix ports to the switch. Be aware that might have been the intention.

        But if the bridge only contained ix0 and ix1 then it could have been added the filter traffic between those interfaces while having them connected at layer2. In which case using VLANs there is not going to fulfill the same function.

        If you want to add VLAN100 and have it available on both the Eth switch ports and ix0/ix1 you would need to bridge it.
        lagg0.100 is a different interface to ix0.100 and pfSense sees them completely separately otherwise.

        N 1 Reply Last reply Reply Quote 0
        • N Offline
          Nariolato @stephenw10
          last edited by

          @stephenw10 Thank you very much for your response; I really appreciate it.

          The bridge I’m referring to is a bridge between an interface I’ll call A, which is assigned to ix0, and an interface B, which is assigned to ix1. The subnet is set on an interface named BRIDGE, assigned to bridge0. I think there’s not much advantage to having this bridge, apart from historical reasons physically, if I simply reconnect ix0 and ix1 from both my pfSense devices to a switch stack below, it’s basically the same result.

          I don’t really see the point of this bridge, since all traffic is allowed on both interfaces. My idea is instead to use LACP from a VLT switch stack to provide redundancy to my two pfSense devices. I would create a VLAN, say VLAN 10, with the same subnet as the old bridge. However, I’m having trouble estimating the impact because I have a lot of equipment. The problem is that I can’t create a VLAN for both (ix0 and ix1); so I think I’ll need to create a new LAGG1 using ix0 and ix1.

          Is there a best practice for choosing between using the SFP ports to connect to a switch stack, or just using the switch on the 7100 directly? Or is it simply a matter of preference?

          I hope I’ve been clear enough in my explanation. Please feel free to correct me if anything is unclear.

          S 1 Reply Last reply Reply Quote 0
          • S Offline
            SteveITS Galactic Empire @Nariolato
            last edited by

            @Nariolato The SPF ports are 10 Gbps.

            Why not put a switch in front of those ports and use only one port, to simplify things? Then traffic between devices (that would go through the router) is handled in the switch hardware, not software. Or does each half need its 10 Gbps? (to where, since the other ports are not that fast...)

            I'd suggest a wiring diagram so you have the layout, and then figure out what speeds are needed, then determine which ports to use.

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
            Upvote 👍 helpful posts!

            N 1 Reply Last reply Reply Quote 0
            • N Offline
              Nariolato @SteveITS
              last edited by

              This post is deleted!
              N 1 Reply Last reply Reply Quote 0
              • N Offline
                Nariolato @Nariolato
                last edited by

                This post is deleted!
                1 Reply Last reply Reply Quote 0
                • N Offline
                  Nariolato
                  last edited by Nariolato

                  However, I’m concerned about losing redundancy with that approach. Wouldn’t configuring a LAGG (LACP) using both ix0 and ix1 interfaces to connect to the VLT stack switch be better? If I understand correctly, VLANs would be configured as lagg1.100, lagg1.101, and so on.

                  My plan is to convert the current bridge (bridge0, which includes ix0 and ix1 and uses the subnet 10.17.0.0/16) into a LAGG. Here’s how I’m thinking of proceeding:

                  • Disable the bridge.
                  • Create the LAGG interface. (ix0 + ix1)
                  • Create a VLAN (e.g., lagg1.10).
                  • Assign a new LAN interface to lagg1.10 with the same subnet (10.17.0.0/16).
                  • Reconfigure DHCP on the new interface.

                  All future VLANs would then pass through this LAGG link to my VLT stack of two 10Gb switches. On the switch side, I’d create a trunk port-channel for these links.

                  Is this the right approach for ensuring redundancy? Or is there a better process I should follow? Redundancy is important to me.
                  And I won't use the ETH 1-8. Or vice versa, if I don't want 10 gigabits, I can only use ports eth1-8?
                  But since my WAN is already on ETH, do I understand correctly?

                  My only concern is that all computers / servers will reconnect, and especially the DHCP as will happen when their leases expire (computers).

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Yup, probably be fine then. If it was bridged just to make connections easier then almost any other setup would be better. 😉

                    N 1 Reply Last reply Reply Quote 0
                    • N Offline
                      Nariolato @stephenw10
                      last edited by Nariolato

                      @stephenw10 Thank you very much for all your help!

                      I have two last questions (I'm going to try to do a lab first because it's a pretty risky operation)

                      • As I said, I want to do a lagg1 of ix0 and ix1, but how do you configure the VLAN assignments? Because in interfaces->switch->VLANs, you only see eth1-8. Do I just configure ports 9 and 10, which correspond to ix2 and ix3? I'm talking about creating a trunk on this LAGG and passing all VLANs to a switch stack below. Usually for ports eth1-8, you just select the right port in the VLAN. Or when you use ix0 and ix1, since they are discrete ports, you don't use interfaces->switch, and all tags are done on the switch below and not on pfsense? And it accepts all TAGS by nature?

                      • Is it good practice to use only the 10 Gbps ports and not the Ethernet ports (except for the WAN, since our connection is 1 Gbps anyway)?

                      I'm a little worried about how breaking the bridge and setting up new DHCP on all the PCs/servers will go, but we have to move forward.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        The lagg on ports ix0 and ix1 will be completely separate to the switch so you don't create any thing the switch setup.

                        Instead add it as you would on any other pfSense device. So create the lagg in Interfaces > Assignments > LAGGs. Then create the VLAN(s) on that in Interfaces > Assignments > VLANs.
                        Then assign those VLANs as interfaces and apply rules etc.

                        But as I previously noted be aware that a VLAN in the switch on LAGG0 (ix2/ix3) is a completely separate interface to the same VLAN ID on the new LAGG (ix0/ix1). Traffic will not pass between them unless it's routed.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.