LACP between pfsense and two GS1910-24.
-
Hi,
I don't know if this topic should be in this forum topic or in a hardware design topic but i didn't find any topic that match my question so i give it a try here.Hardware.
1x Pfsense, v2.2.1
6x Network ports2x Zyxel GS1910-24, latest firmware installed.
24 ports each.To my question, i do not know if this is right way to do this config, that why I’m asking. I have configured 2 of my switches switchport 23-24 to a LAGG0 port.
-
what is your question exactly?
what is your goal? how is everything connected (diagram) ?
-
LACP between pfsense and two GS1910-24
Please note there are two different way to set up a Link Aggregation Group between devices
such as a firewall and/or network switches.Dynamic LAGs over the LACP and static LAGs by setting them up manually but with
the same settings on both sides are urgent needed, and both methods can´t be mixed
and must match the exactly same settings on both sides. If VLANs should be transported
over this LAGs we talk normally then about so called trunks.LAGs are able to set up from a minimum of two LAN ports to a maximum of eight
LAN ports for each LAG.A detailed network diagram would be either the best way to tell us what you want to do
and what you has right done or tried out. -
Thanks for the quick answers, my current diagram works for now but it's not optimal it think in a
failover scenario, if possible i would like to get my optimal diagram to work with aggregated ports.I tried to get my optimal diagram to work but i can't seam to get it to work, probably because i'm
doing something wrong somewhere in my configuration and that's why i can't get traffic to go a
cross to the other switch thru the firewall or it's something else :P.Current working diagram.
Optimal diagram if possible.
-
i'm not an expert on LACP, but i don't think your "optimal scenario" is a valid setup.
lacp (like most (non-proprietary) LAG protocols only work between 2 (logical) devices. So you cannot use 1 lacp-group for 3 devices.
what you want todo exists, but not with the switches you are using see: (http://en.wikipedia.org/wiki/Split_multi-link_trunking)
afaik zyxel does not support any of those fancy protocols (yet)anyways … the only way to make your wiring work, it to create a secondary lagg for em2-3 and assigning it a different interface & subnet. if you don't wish to have multiple firewall rules then you could probably put the lagg's in an interfacegroup.
personally i'd just keep your current setup and forget about your 'optimal' setup.
pfSense will generally not push a lot more then 2.5gbit/s across its interfaces (in any direction, no matter what hardware).
so a 4 gbit lagg toward it is probably wasted in any situation/scenario. -
Hello again,
would you please clarify more the pfSense Hardware please?
Hardware.
1x Pfsense, v2.2.1
6x Network ports
Board (Supermicro, Tyan,…)?
CPU (Atom, E3,E5,..)?
RAM (Dimension, ECC,..)?
NICs (Chips)?
PCIe slots free?In your actual network draw it is really not the best situation for you, if SW01 fails
the entire network is cut from the WAN and over the optimal network draw you get
redundancy to solve around this behavior for sure, but it must not be that 4 GBit/s
aggregated throughput are attached to the pfSense I really consider, 2 GBit/s would
be sufficient enough, related to the circumstance that you will only benefit from that
LAGs until there is enough traffic through the lines! And the LAGs are not speeding up
the normal throughput as many peoples will be expect from that constructions, but if
many users or PCs, Servers, SANs or NAS devices are in the game and many users
are pulling packets over this lines, then you will having the benefits from the LAG and
not before!And last but not least the entire pfSense aplliance must also be powerful enough to
handle this traffic smooth and easy otherwise you would be not able to use the entire
2 GBit/s or 4 GBit/s throughput.I don´t know your switches but you could have a look in the manual, if they are
supporting something like VRRP or HRSP you could be enable this at the Switches.All in all it could be also very interesting to set new switches and a new pfSense
platform that is capable for 10 GBit/s of speed and throughput, this will work out
all your problems and serve enough throughput to all sites. -
Hi,
Thanks’ again for the quick replay :)
lacp (like most (non-proprietary) LAG protocols only work between 2 (logical) devices. So you cannot use 1 lacp-group for 3 devices.
what you want todo exists, but not with the switches you are using see: (http://en.wikipedia.org/wiki/Split_multi-link_trunking)
afaik zyxel does not support any of those fancy protocols (yet)I see, then it's no point in that solution and i didn't expect a 80-100$ switch to be capable to new fancy only basic stuff :P
anyways … the only way to make your wiring work, it to create a secondary lagg for em2-3 and assigning it a different
interface & subnet. if you don't wish to have multiple firewall rules then you could probably put the lagg's in an interfacegroup.Naaa, the idea was to use both switches with vlans and the current network in use.
personally i'd just keep your current setup and forget about your 'optimal' setup.
pfSense will generally not push a lot more then 2.5gbit/s across its interfaces (in any direction, no matter what hardware).
so a 4 gbit lagg toward it is probably wasted in any situation/scenario.I probably go for other switches with 10gbe ports, uplinks and stackable functionality.
would you please clarify more the pfSense Hardware please?
I have two hardware setups that i can use for my firewall/pfsense solution, the first one is the one i use now the other bord
is planned for the use of 10gbe nics when i have $$$ to buy it :)The pfsense hardware
ASROCK C2750D4I (http://www.asrockrack.com/general/productdetail.asp?Model=C2750D4I#Specifications)
0. Chipset:- C2750D4I?
1. CPU:
- 1x Intel Avoton C2750 Octa-Core Processor
2. Memmory modules:
- 4x Kingston, 8GB 1600MHz DDR3 ECC CL11 UDIMM (KVR16E11K4/32) or 2x8GB
3. Network entegrated and expantion cards:
-
1x HP NC364T PCI Express Quad Port Gigabit Server Adapter
-
1x Dual Intel i210 Gigabit LAN ports
4. Expansion slot:
- 1x PCI-E x8 slot.
SUPERMICRO H8SCM-F (http://www.supermicro.com/Aplus/motherboard/Opteron4000/SR56x0/H8SCM-F.cfm)
0. Chipset:- 1x AMD SR5650 / SP5100 Chipset
1. CPU:
- 1x Single AMD Opteron
4000 series (4162EE)
2. Memmory modules:
- 2x Crucial 16GB 1600MHz DDR3L ECC LRDIMM (CT2K16G3ELSLQ8160B) or 1x16GB
3. Network entegrated and expantion cards:
-
2x Intel
82574L controllers, Two single-port Gigabit Ethernet -
1x HP NC364T PCI Express Quad Port Gigabit Server Adapter
4. Expansion slot:
-
1x PCI-E 2.0 x8 (in x16 slot)
-
1x PCI-E 2.0 x8
-
1x PCI-E 2.0 x4 (in x8 slot)
-
1x PCI
In your actual network draw it is really not the best situation for you, if SW01 fails
the entire network is cut from the WAN and over the optimal network draw you get
redundancy to solve around this behavior for sure, but it must not be that 4 GBit/s
aggregated throughput are attached to the pfSense I really consider, 2 GBit/s would
be sufficient enough, related to the circumstance that you will only benefit from that
LAGs until there is enough traffic through the lines! And the LAGs are not speeding up
the normal throughput as many peoples will be expect from that constructions, but if
many users or PCs, Servers, SANs or NAS devices are in the game and many users
are pulling packets over this lines, then you will having the benefits from the LAG and
not before!I know :(, i also loss connectivity to all my networks since pfsense lagg0 is my DG for all the networks, the good part about
this is that's it's only a home/lab environment so it's an easy fix if something would happened.For the throughput part with 2 Gbe/s or 240MB/s (Optimal :/) is sufficient for now because my current maximum R/W throughput from one
of my ZFS dev is 150MB/s~ in FREENAS from cli, but it would be nice to not get an bottleneck problem due network bandwidth problem and also see
if i can achieve better bandwidth throughput with LACP.I don´t know your switches but you could have a look in the manual, if they are
supporting something like VRRP or HRSP you could be enable this at the Switches.All in all it could be also very interesting to set new switches and a new pfSense
platform that is capable for 10 GBit/s of speed and throughput, this will work out
all your problems and serve enough throughput to all sites.These cheap switches for 80-100$ have no fancy pancy stuff like VRRP or HRSP :P but the plan is to buy 10gbe switches when i have $$$ to spend on it.
-
i love the zyxel switches
1900 series … they are stable as a rock and cheap as hell. good for connecting clients.if you need a little more features then you can pick up the 2200 series for double $$ (and thats still cheap compared to other brands with same spec).
-
I see, then it's no point in that solution and i didn't expect a 80-100$ switch to be capable to new fancy only basic stuff
For sure they do but not in way you where trying it.
As I wrote at first only between two devices you will be able to set up one the LAG!I probably go for other switches with 10gbe ports, uplinks and stackable functionality.
It is not a must be, but one other try out to safe ports and gaining the real throughput on top.
The Switches from Zyxel you are using are great, and if you set up only 2 LAGs from the pfSense
to each switch would be really sufficient enough I think. Stackable would be good if the entire network
is growing up. The D-Link DGS1510-24 is offering 10 GBit/s for a smaller budget. But all this is also
pending on what you have also inside of your network! I mean the whole network topology.To connect the FreeNAS to the switches you could also go by static LAGs by setting them up then
manually and not over the LACP and then choosing something like weighted round robin if you are
using iSCSI. Would also help a little bit more to saturate the LAG links.1x HP NC364T PCI Express Quad Port Gigabit Server Adapter
This would be powerful enough in my eyes to set up a LAG with two lines.