Feature #336
Option to create lagg under assign interfaces
Description
I find it easier on install to assign interfaces and vlans. So an option for lagg would also come in handy, especially if wan or lan will need lagg.
Workflow:
Do you want to set up LAGG now [y|n]?
Do you want to set up VLANs now [y|n]?
Updated by Adam Thompson almost 13 years ago
For clarification: the problem (for me, anyway) is that it's very difficult to create a LAG group spanning all physical ports in the system after the fact, because of the requirement that WAN must always exist.
Updated by Ted Lum over 12 years ago
+1 This is important to me. Although, right now I am about to try and figure out how to do it manually since I need it now, not years from now, and once it's done hopefully will never need to do it again. But, it sure would be helpful for others that will come later.
Updated by Jim Pingle over 12 years ago
This should also, ideally, be able to set up bridges.
Something such as:
- Add new bridge
- Tell it which interfaces should be added to the bridge
May rely on #2386
Really any of the virtual interface types (all of the Tab headings under Interfaces > (assign)) would be good to have here, so they can be done via the console, but bridging is especially hard to do in the GUI if you are managing the firewall from an interface you want to be involved in the bridge, and you want to move the IP to the bridge interface.
Updated by Mathieu Simon about 12 years ago
If it would already be possible to assign a previously created lagg (via Web) on the console that would be helpful, right now it doesn't accept laggs as a valid choice on the console.
Updated by Adam Thompson about 10 years ago
This is still an outstanding problem in 2.2-beta as of 20141201-1400 build... and it's a royal PITA to work around.
Updated by Adam Thompson about 10 years ago
Best procedure I've found so far:
Tools required:
1. A switch with at least two ports configured for 802.1Q-over-LACP. (LACP, FEC and FAILOVER should all work, but you apparently can't do VLANs over ROUNDROBIN or LOADBALANCE type LAGs.)
2. A laptop that you can connect directly to the firewall.
Steps:
1. Connect laptop directly to pfSense (use crossover cable if required for 100mbps interfaces).
2. Install pfSense.
3. Assign WAN interface only during initial config, to that non-VLAN'd physical interface.
4. Log in from laptop, click on pfSense logo to skip wizard.
5. Immediately go to System->Advanced->Firewall/NAT and turn on "Disable Firewall".
6. Ensure the other interface/s is/are connected to switchports configured appropriately for VLAN+LAG (e.g. 802.1q+LACP).
7. Create the LAG: Interfaces->Assign->LAGG, "+" (add), select at least one other physical interface, and choose the appropriate interface(s).
8. Create the appropriate VLANs: Interfaces->Assign->VLANs, "+" (add). Ensure you choose "lagg0" as the parent interface (or whatever's appropriate)!
9. Add the new firewall interfaces appropriately: Interfaces->Assign->Interface Assignments, "+" (add) to add LAN, OPT, OPT2, etc. interfaces as needed. Assign them to the VLANs created in the previous step.
10. Assign IPs to the LAN, OPT, etc. interfaces (Interfaces->XXX).
11. Ensure you can reach the LAN, OPT, etc. interfaces, from elsewhere on the network.
12. Disconnect the WAN port from the laptop.
13. Connect the former WAN interface to the switch. If using LACP, the switch should refuse to bring this interface into the bundle yet.
14. Log in via the LAN interface (or OPT, etc., doesn't really matter which).
15. Move the logical WAN interface: Interfaces->Assign->Interface Assignments, and assign WAN to the appropriate VLAN.
16. Edit the LAGG to include the physical interface the WAN used to be on. (At this point, the switch should include that port in the LACP bundle.)
17. Edit firewall rules as appropriate to ensure you'll still be able to connect after the next step.
18. Clear the "Disable Firewall" checkbox from step 5.
Yeah, I'd say this calls for an option to create LAGs on the console :-).
Updated by Adam Thompson over 9 years ago
2.1, 2.2, 2.2.1, 2.2.2 also affected.
Currently going through this major PITA process on a pair of firewalls that are remote to me, yay, what fun.
Updated by Rob Emery over 8 years ago
Just to chime in, we're in the process of upgrading loads of our pfSense installs to use LAGG from single links; this is an unbelievably painful process at the moment!
Updated by Kilian Ries almost 7 years ago
+1
Absolutely impossible to create a LAGG on the CLI :/
Updated by Stéphane Lapie over 6 years ago
+1
Just bumped into the need to do a fresh install of a LAGG+VLAN setup and could not do it via CLI.
Updated by Stéphane Lapie over 6 years ago
I decided to go the very nasty route, and use PHP Shell :
// LAGG: ix0 + ix1 in failover mode
$config["laggs"] = array();
$config["laggs"]["lagg"][0]["members"] = "ix0,ix1";
$config["laggs"]["lagg"][0]["descr"] = "Lagg interface";
$config["laggs"]["lagg"][0]["laggif"] = "lagg0";
$config["laggs"]["lagg"][0]["proto"] = "failover";
// VLAN 150 on top of lagg0
$config["vlans"] = array();
$config["vlans"]["vlan"][0]["if"] = "lagg0";
$config["vlans"]["vlan"][0]["tag"] = "150";
$config["vlans"]["vlan"][0]["vlanif"] = "lagg0.150";
$config["vlans"]["vlan"][0]["descr"] = "VLAN #150";
// Default gateway on WAN
$config["gateways"] = array();
$config["gateways"]["gateway_item"][0]["interface"] = "wan";
$config["gateways"]["gateway_item"][0]["gateway"] = "10.0.150.1";
$config["gateways"]["gateway_item"][0]["name"] = "GW_WAN";
$config["gateways"]["gateway_item"][0]["weight"] = "1";
$config["gateways"]["gateway_item"][0]["ipprotocol"] = "inet";
$config["gateways"]["gateway_item"][0]["descr"] = "Interface wan Gateway";
// WAN on the VLAN, LAN on the untagged lagg
$config["interfaces"] = array();
$config["interfaces"]["wan"]["enable"] = true;
$config["interfaces"]["wan"]["if"] = "lagg0.150";
$config["interfaces"]["wan"]["descr"] = "WAN";
$config["interfaces"]["wan"]["ipaddr"] = "10.0.150.10";
$config["interfaces"]["wan"]["subnet"] = "24";
$config["interfaces"]["wan"]["blockbogons"] = "";
$config["interfaces"]["wan"]["gateway"] = "GW_WAN";
$config["interfaces"]["lan"]["enable"] = true;
$config["interfaces"]["lan"]["if"] = "lagg0";
$config["interfaces"]["lan"]["descr"] = "LAN";
$config["interfaces"]["lan"]["ipaddr"] = "10.0.0.10";
$config["interfaces"]["lan"]["subnet"] = "24";
// Save, reload the configuration and apply it to both interfaces
write_config();
$config = parse_config(true);
interface_configure("wan");
interface_configure("lan");
// Mark interface assignment as complete, then reboot
touch("/cf/conf/assign_complete");
system_reboot_sync();
exec
If you do not do the last step, your configuration will be overridden every time because of the check in /etc/rc.bootup which will run check_for_alternate_interfaces().
Updated by Stéphane Lapie over 6 years ago
If you only needed the LAGG, VLANs and the interfaces :
// LAGG: ix0 + ix1 in failover mode
$config["laggs"] = array();
$config["laggs"]["lagg"][0]["members"] = "ix0,ix1";
$config["laggs"]["lagg"][0]["descr"] = "Lagg interface";
$config["laggs"]["lagg"][0]["laggif"] = "lagg0";
$config["laggs"]["lagg"][0]["proto"] = "failover";
// VLAN 150 on top of lagg0
$config["vlans"] = array();
$config["vlans"]["vlan"][0]["if"] = "lagg0";
$config["vlans"]["vlan"][0]["tag"] = "150";
$config["vlans"]["vlan"][0]["vlanif"] = "lagg0.150";
$config["vlans"]["vlan"][0]["descr"] = "VLAN #150";
// WAN on the VLAN, LAN on the untagged lagg (no addressing)
$config["interfaces"] = array();
$config["interfaces"]["wan"]["descr"] = "WAN";
$config["interfaces"]["wan"]["enable"] = true;
$config["interfaces"]["wan"]["if"] = "lagg0.150";
$config["interfaces"]["lan"]["descr"] = "LAN";
$config["interfaces"]["lan"]["if"] = "lagg0";
$config["interfaces"]["lan"]["enable"] = true;
// Save, reload the configuration and apply it to both interfaces
write_config();
$config = parse_config(true);
interface_configure("wan");
interface_configure("lan");
// Mark interface assignment as complete, then reboot
touch("/cf/conf/assign_complete");
system_reboot_sync();
exec
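A pre-flight check for hand-built configurations like the two above, as an added example that is not part of the thread or of pfSense: it cross-checks the laggs, vlans and interfaces sections so that a dangling reference is caught before the configuration is saved and the firewall reboots out of reach. The function name check_lagg_vlan_config() is hypothetical, the sample array is constructed, and the array keys are the ones used in the comments above.

```php
<?php
// Added example, not pfSense code. check_lagg_vlan_config() is a hypothetical
// helper; the $config keys are the ones used in the comments above.
function check_lagg_vlan_config(array $config): array
{
    $errors = [];
    $member_of = [];   // physical NIC => lagg that owns it
    $laggifs = [];     // declared lagg interface names
    foreach ($config["laggs"]["lagg"] ?? [] as $lagg) {
        $laggifs[$lagg["laggif"]] = true;
        $nics = array_filter(array_map("trim", explode(",", $lagg["members"] ?? "")));
        foreach ($nics as $nic) {
            if (isset($member_of[$nic])) {
                $errors[] = "$nic: member of {$member_of[$nic]} and {$lagg['laggif']}";
            }
            $member_of[$nic] = $lagg["laggif"];
        }
    }
    $vlanifs = [];     // declared VLAN interface names
    foreach ($config["vlans"]["vlan"] ?? [] as $vlan) {
        $vlanifs[$vlan["vlanif"]] = true;
        $tag = (int) $vlan["tag"];
        if ($tag < 1 || $tag > 4094) {
            $errors[] = "{$vlan['vlanif']}: tag {$vlan['tag']} is outside 1-4094";
        }
        $parent = $vlan["if"];
        if (strpos($parent, "lagg") === 0 && !isset($laggifs[$parent])) {
            $errors[] = "{$vlan['vlanif']}: parent $parent is not a declared lagg";
        }
    }
    foreach ($config["interfaces"] ?? [] as $name => $iface) {
        $if = $iface["if"];
        if (isset($member_of[$if])) {
            $errors[] = "$name: $if is already a member of {$member_of[$if]}";
        } elseif (strpos($if, "lagg") === 0 && !isset($laggifs[$if]) && !isset($vlanifs[$if])) {
            $errors[] = "$name: $if is neither a declared lagg nor a declared VLAN";
        }
    }
    return $errors;
}
// Constructed sample: wan points at a VLAN that was never declared, and
// lan is assigned to ix1, which is already inside lagg0.
$sample = [
    "laggs" => ["lagg" => [["members" => "ix0,ix1", "laggif" => "lagg0", "proto" => "failover"]]],
    "vlans" => ["vlan" => [["if" => "lagg0", "tag" => "150", "vlanif" => "lagg0.150"]]],
    "interfaces" => ["wan" => ["if" => "lagg0.151"], "lan" => ["if" => "ix1"]],
];
echo implode(PHP_EOL, check_lagg_vlan_config($sample)), PHP_EOL;
```

An empty return value means the three sections reference each other consistently; it says nothing about addressing, gateways or what the switch side expects.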
Updated by Jim Pingle over 5 years ago
- Category changed from Interfaces to LAGG Interfaces