  • I have pfSense set up with 3 VLANs, currently all associated with a single physical interface and trunked over 1 ethernet cable to a managed switch, which distributes the VLANs to the various hardware around the network.

    I have 2 extra (i.e. currently unused) physical interfaces in my pfSense box. Would there be any advantage to having each VLAN be associated with its own separate physical interface (i.e. no VLAN trunking) and separately connected to the switch (i.e. I would create a group of ports on the switch for each VLAN)? Is there an advantage in speed or in security or anything else by making this change? Or is there nothing to gain by doing this?

  • I think it would be better to spend the interfaces on a form of LAGG.

    Depending on the hardware you are running on, this could make a difference for inter-VLAN communications.

  • I don't allow any communication between VLANs, so would there still be an advantage to LAGG? If so, how does one accomplish this?

  • Reading more about this and I think I understand what you are recommending, but just to be sure, are you suggesting that instead of having a separate physical interface for each of 3 VLANs separately connected to the switch, I should create a LAGG of the 3 physical interfaces and then trunk all 3 VLANs over the LAGG to the switch (which I have confirmed is able to handle this)?

    I am assuming that in this case, pfSense treats the LAGG as a single physical interface essentially?

  • Unless you are routinely pushing more than about 400 Mbit/s on the trunk I'd just leave it alone.

  • Not generally moving data at that rate, but I do reach those speeds at times for data transfers within my LAN to and from a NAS. So you are saying to just leave the 3 VLANs trunked into one physical interface unless speed becomes a limiting factor. Are there any security differences between trunking the VLANs and having each VLAN on its own physical interface?

  • Not really.
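    To make the trunking point above concrete, here is an added example (not code from the thread or from pfSense) that shows what actually distinguishes the VLANs on a trunk: the 4-byte 802.1Q tag carrying the VLAN ID. The frames are constructed inline; the MAC addresses and the allowed-VLAN set are made up for the demonstration. On a trunk port the only thing separating one VLAN's traffic from another's is this tag, so the firewall rules between VLAN interfaces are what enforce isolation, exactly as they would with separate physical ports.

```python
import struct

# Constructed sample addresses (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_tagged_frame(vid, pcp=0, dei=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an 802.1Q-tagged Ethernet frame as a switch would send it on a trunk.

    TCI layout (16 bits): 3-bit priority (PCP), 1-bit drop-eligible (DEI),
    12-bit VLAN ID.  The tag sits between the source MAC and the real EtherType.
    """
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return DST + SRC + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload


def build_untagged_frame(ethertype=0x0806, payload=b"\x00" * 46):
    """Build a plain frame as seen on an access port (no VLAN tag at all)."""
    return DST + SRC + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    Returns a dict with the MACs, the VLAN ID (None when untagged), the PCP,
    the inner EtherType and the offset at which the payload starts.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan": None,
        "pcp": None,
        "ethertype": struct.unpack_from("!H", frame, 12)[0],
        "payload_offset": 14,
    }
    if info["ethertype"] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack_from("!HH", frame, 14)
        info.update(
            vlan=tci & 0x0FFF,
            pcp=tci >> 13,
            ethertype=inner_type,
            payload_offset=18,
        )
    return info


def trunk_accepts(frame, allowed_vids):
    """Model a trunk port that carries only the listed VLANs and has no native VLAN.

    Returns the VLAN ID the frame is admitted to, or None if it would be dropped:
    untagged frames have no VLAN to belong to, and tags outside the allowed set
    are discarded.  This is the whole of the segregation a trunk provides.
    """
    info = parse_frame(frame)
    if info["vlan"] is None or info["vlan"] not in allowed_vids:
        return None
    return info["vlan"]


if __name__ == "__main__":
    allowed = {10, 20, 30}          # hypothetical VLANs carried on the trunk
    for f in (build_tagged_frame(20, pcp=3), build_tagged_frame(40), build_untagged_frame()):
        print(parse_frame(f), "->", trunk_accepts(f, allowed))
```

    Running it prints the decoded header for a tagged frame on VLAN 20 (admitted), a tagged frame on VLAN 40 (dropped because the trunk does not carry it) and an untagged ARP frame (dropped because a trunk with no native VLAN has nowhere to put it).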

  • Thanks. I will follow your advice then and leave well enough alone for now. At least until I get my gigabit internet one day…

