Netgate Discussion Forum
    Question re vlans and physical interfaces

    General pfSense Questions
    8 Posts 3 Posters 1.4k Views

    • pfsensory

      I have pfsense set up with 3 vlans, currently all associated with a single physical interface and trunked over 1 ethernet cable to a managed switch, which distributes the vlans to the various hardware around the network.

      I have 2 extra (i.e. currently unused) physical interfaces in my pfsense box.  Would there be any advantage to having each vlan be associated with its own separate physical interface  (i.e. no vlan trunking) and separately connected to the switch (i.e. I would create a group of ports on the switch for each vlan)?  Is there an advantage in speed or in security or anything else by making this change? Or is there nothing to gain by doing this?

      • heper

        I think it would be better to spend the interfaces on a form of LAGG.

        depending on the hardware you are running on, this could make a difference for inter-vlan communications.

        • pfsensory

          I don't allow any communication between vlans, so would there still be an advantage to LAGG?  If so, how does one accomplish this?

          • pfsensory

            Reading more about this and I think I understand what you are recommending, but just to be sure, are you suggesting that instead of having a separate physical interface for each of 3 vlans separately connected to the switch, I should create a LAGG of the 3 physical interfaces and then trunk all 3 vlans over the LAGG to the switch (which I have confirmed is able to handle this)?

            I am assuming that in this case, pfsense treats the LAGG as a single physical interface essentially?

            • Derelict (LAYER 8, Netgate)
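What the LAGG-plus-trunk layout described in this post looks like underneath on pfSense's FreeBSD base, as an added example (not code from the thread, from pfSense, or from Netgate): an LACP lagg is built from the spare ports and the tagged VLAN sub-interfaces are created on top of it. The port names igb1..igb3, the VLAN IDs 10/20/30 and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the FreeBSD ifconfig sequence
# that bonds the spare NICs into an LACP lagg and trunks the VLANs over it.
# Port names igb1..igb3 and VLAN IDs 10/20/30 are assumed placeholders.
# Default is a dry run that only prints the plan; APPLY=1 as root executes it.
# On pfSense, manual ifconfig changes do not survive a reboot; the persistent
# way is Interfaces > Assignments > LAGGs and > VLANs, which does the same thing.

LAGG_IF="${LAGG_IF:-lagg0}"
LAGG_PORTS="${LAGG_PORTS:-igb1 igb2 igb3}"   # spare physical interfaces
VLAN_IDS="${VLAN_IDS:-10 20 30}"             # the existing VLAN tags

# Print each command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# Build the LACP lagg, then hang the tagged VLAN sub-interfaces off it.
# The switch side must be an LACP port-channel carrying the same tags,
# otherwise the members never aggregate and traffic is dropped.
lagg_config() {
    ports=""
    for p in $LAGG_PORTS; do
        run ifconfig "$p" up
        ports="$ports laggport $p"
    done
    run ifconfig "$LAGG_IF" create
    # $ports is intentionally unquoted: it expands to repeated "laggport X" pairs.
    run ifconfig "$LAGG_IF" laggproto lacp $ports up
    for id in $VLAN_IDS; do
        run ifconfig "vlan$id" create vlan "$id" vlandev "$LAGG_IF" up
    done
}

# Number of ifconfig commands in the plan: one per port, two for the lagg
# itself, one per VLAN. Useful for checking a generated plan before applying.
plan_size() {
    lagg_config | grep -c .
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -ne 0 ]; then
    echo "APPLY=1 requires root" >&2
    exit 1
fi
lagg_config
```

One caveat for the NAS transfers mentioned later in the thread: LACP hashes each flow onto a single member link, so one file copy still tops out at one port's speed; the gain is aggregate throughput across many concurrent flows.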

              Unless you are routinely pushing more than about 400Mbit/s on the trunk I'd just leave it alone.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • pfsensory

                Not generally moving data at that rate, but I do reach those speeds at times for data transfers within my LAN to and from a NAS. So you are saying to just leave the 3 vlans trunked into one physical interface unless speed becomes a limiting factor.  Are there any security differences between trunking the vlans and having each vlan on its own physical interface?

                • Derelict (LAYER 8, Netgate)

                  Not really.

                  • pfsensory

                    Thanks. I will follow your advice then and leave well enough alone for now. At least until I get my gigabit internet one day…
