Feature #336

Option to create lagg under assign interfaces

Added by Perry Mason over 9 years ago. Updated 26 days ago.

Status: New
Priority: Normal
Assignee: -
Category: LAGG Interfaces
Target version: -
Start date: 02/06/2010
Due date:
% Done: 0%
Estimated time:

Description

I find it easier on install to assign interfaces and vlans. So an option for lagg would also come in handy, especially if wan or lan will need lagg.

Workflow:
Do you want to set up LAGG now [y|n]?
Do you want to set up VLANs now [y|n]?

History

#1 Updated by Jim Pingle over 7 years ago

Somewhat related to #813

#2 Updated by Adam Thompson over 7 years ago

For clarification: the problem (for me, anyway) is that it's very difficult to create a LAG group spanning all physical ports in the system after the fact, because of the requirement that WAN must always exist.

#3 Updated by Ted Lum over 7 years ago

+1 This is important to me. Although, right now I am about to try and figure out how to do it manually since I need it now, not years from now, and once it's done hopefully will never need to do it again. But, it sure would be helpful for others that will come later.

#4 Updated by Jim Pingle over 7 years ago

This should also, ideally, be able to set up bridges.

Something such as:

  • Add new bridge
  • Tell it which interfaces should be added to the bridge

May rely on #2386

Really any of the virtual interface types (all of the Tab headings under Interfaces > (assign)) would be good to have here, so they can be done via the console, but bridging is especially hard to do in the GUI if you are managing the firewall from an interface you want to be involved in the bridge, and you want to move the IP to the bridge interface.

#5 Updated by JayD - about 7 years ago

+1

#6 Updated by Mathieu Simon almost 7 years ago

If it would already be possible to assign a previously created lagg (via Web) on the console that would be helpful, right now it doesn't accept laggs as a valid choice on the console.

#7 Updated by Adam Thompson almost 5 years ago

This is still an outstanding problem in 2.2-beta as of 20141201-1400 build... and it's a royal PITA to work around.

#8 Updated by Adam Thompson almost 5 years ago

Best procedure I've found so far:

Tools required:
1. A switch with at least two ports configured for 802.1Q-over-LACP. (LACP, FEC and FAILOVER should all work, but you apparently can't do VLANs over ROUNDROBIN or LOADBALANCE type LAGs.)
2. A laptop that you can connect directly to the firewall.

Steps:
1. Connect laptop directly to pfSense (use crossover cable if required for 100mbps interfaces).
2. Install pfSense.
3. Assign WAN interface only during initial config, to that non-VLAN'd physical interface.
4. Log in from laptop, click on pfSense logo to skip wizard.
5. Immediately go to System->Advanced->Firewall/NAT and turn on "Disable Firewall".
6. Ensure the other interface/s is/are connected to switchports configured appropriately for VLAN+LAG (e.g. 802.1q+LACP).
7. Create the LAG: Interfaces->Assign->LAGG, "+" (add), select at least one other physical interface, and choose the appropriate interface(s).
8. Create the appropriate VLANs: Interfaces->Assign->VLANs, "+" (add). Ensure you choose "lagg0" as the parent interface (or whatever's appropriate)!
9. Add the new firewall interfaces appropriately: Interfaces->Assign->Interface Assignments, "+" (add) to add LAN, OPT, OPT2, etc. interfaces as needed. Assign them to the VLANs created in the previous step.
10. Assign IPs to the LAN, OPT, etc. interfaces (Interfaces->XXX).
11. Ensure you can reach the LAN, OPT, etc. interfaces, from elsewhere on the network.
12. Disconnect the WAN port from the laptop.
13. Connect the former WAN interface to the switch. If using LACP, the switch should refuse to bring this interface into the bundle yet.
14. Log in via the LAN interface (or OPT, etc., doesn't really matter which).
15. Move the logical WAN interface: Interfaces->Assign->Interface Assignments, and assign WAN to the appropriate VLAN.
16. Edit the LAGG to include the physical interface the WAN used to be on. (At this point, the switch should include that port in the LACP bundle.)
17. Edit firewall rules as appropriate to ensure you'll still be able to connect after the next step.
18. Clear the "Disable Firewall" checkbox from step 5.

Yeah, I'd say this calls for an option to create LAGs on the console :-).

#9 Updated by Adam Thompson over 4 years ago

2.1, 2.2, 2.2.1, 2.2.2 also affected.
Currently going through this major PITA process on a pair of firewalls that are remote to me, yay, what fun.

#10 Updated by Rob Emery about 3 years ago

Just to chime in, we're in the process of upgrading loads of our pfSense installs to use LAGG from single links; this is an unbelievably painful process at the moment!

#11 Updated by Kilian Ries over 1 year ago

+1

Absolutely impossible to create a LAGG on the CLI :/

#12 Updated by Stéphane Lapie over 1 year ago

+1

Just bumped into the need to do a fresh install of a LAGG+VLAN setup and could not do it via CLI.

#13 Updated by Stéphane Lapie over 1 year ago

I decided to go the very nasty route, and use PHP Shell:

/* Define lagg0 as a failover LAGG over ix0 and ix1 (discards any existing LAGGs). */
$config["laggs"] = array();
$config["laggs"]["lagg"][0]["members"] = "ix0,ix1";
$config["laggs"]["lagg"][0]["descr"] = "Lagg interface";
$config["laggs"]["lagg"][0]["laggif"] = "lagg0";
$config["laggs"]["lagg"][0]["proto"] = "failover";

/* VLAN 150 on top of lagg0 (discards any existing VLANs). */
$config["vlans"] = array();
$config["vlans"]["vlan"][0]["if"] = "lagg0";
$config["vlans"]["vlan"][0]["tag"] = "150";
$config["vlans"]["vlan"][0]["vlanif"] = "lagg0.150";
$config["vlans"]["vlan"][0]["descr"] = "VLAN #150";

/* Static IPv4 gateway for WAN (discards any existing gateways). */
$config["gateways"] = array();
$config["gateways"]["gateway_item"][0]["interface"] = "wan";
$config["gateways"]["gateway_item"][0]["gateway"] = "10.0.150.1";
$config["gateways"]["gateway_item"][0]["name"] = "GW_WAN";
$config["gateways"]["gateway_item"][0]["weight"] = "1";
$config["gateways"]["gateway_item"][0]["ipprotocol"] = "inet";
$config["gateways"]["gateway_item"][0]["descr"] = "Interface wan Gateway";

/* Replace all interface assignments: WAN on lagg0.150, LAN on untagged lagg0. */
$config["interfaces"] = array();
$config["interfaces"]["wan"]["enable"] = true;
$config["interfaces"]["wan"]["if"] = "lagg0.150";
$config["interfaces"]["wan"]["descr"] = "WAN";
$config["interfaces"]["wan"]["ipaddr"] = "10.0.150.10";
$config["interfaces"]["wan"]["subnet"] = "24";
$config["interfaces"]["wan"]["blockbogons"] = "";
$config["interfaces"]["wan"]["gateway"] = "GW_WAN";

$config["interfaces"]["lan"]["enable"] = true;
$config["interfaces"]["lan"]["if"] = "lagg0";
$config["interfaces"]["lan"]["descr"] = "LAN";
$config["interfaces"]["lan"]["ipaddr"] = "10.0.0.10";
$config["interfaces"]["lan"]["subnet"] = "24";

/* Save and reload the config, apply both interfaces, mark assignment as complete, reboot. */
write_config();
$config = parse_config(true);
interface_configure("wan");
interface_configure("lan");
touch("/cf/conf/assign_complete");
system_reboot_sync();
exec

If you do not do the last step, your configuration will be overridden every time because of the check in /etc/rc.bootup which will run check_for_alternate_interfaces().

#14 Updated by Stéphane Lapie over 1 year ago

If you only needed the LAGG, VLANs and the interfaces:

/* Define lagg0 as a failover LAGG over ix0 and ix1 (discards any existing LAGGs). */
$config["laggs"] = array();
$config["laggs"]["lagg"][0]["members"] = "ix0,ix1";
$config["laggs"]["lagg"][0]["descr"] = "Lagg interface";
$config["laggs"]["lagg"][0]["laggif"] = "lagg0";
$config["laggs"]["lagg"][0]["proto"] = "failover";

/* VLAN 150 on top of lagg0 (discards any existing VLANs). */
$config["vlans"] = array();
$config["vlans"]["vlan"][0]["if"] = "lagg0";
$config["vlans"]["vlan"][0]["tag"] = "150";
$config["vlans"]["vlan"][0]["vlanif"] = "lagg0.150";
$config["vlans"]["vlan"][0]["descr"] = "VLAN #150";

/* Replace all interface assignments, with no addressing: WAN on lagg0.150, LAN on lagg0. */
$config["interfaces"] = array();
$config["interfaces"]["wan"]["descr"] = "WAN";
$config["interfaces"]["wan"]["enable"] = true;
$config["interfaces"]["wan"]["if"] = "lagg0.150";

$config["interfaces"]["lan"]["descr"] = "LAN";
$config["interfaces"]["lan"]["if"] = "lagg0";
$config["interfaces"]["lan"]["enable"] = true;

/* Save and reload the config, apply both interfaces, mark assignment as complete, reboot. */
write_config();
$config = parse_config(true);
interface_configure("wan");
interface_configure("lan");
touch("/cf/conf/assign_complete");
system_reboot_sync();
exec
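
A hand-built layout like the ones in #13 and #14 can be sanity-checked before write_config() and the reboot, since a wrong assignment on a remote firewall means losing access to it. The following is an added example, not part of this thread and not pfSense code: check_assignments() and the $physical NIC list are hypothetical, it reads only the config keys shown in the posts above, and the rule that a LAGG member may not also be assigned or carry a VLAN directly is an assumption about pfSense behaviour.

```php
<?php
// Hypothetical pre-flight helper (not a pfSense function); it reads only the
// config keys shown in the posts above. $physical is the list of real NICs.
function check_assignments(array $config, array $physical): array {
    $errors = [];
    $members = [];                              // NIC => lagg that owns it
    $known = array_fill_keys($physical, true);  // names that may be referenced
    foreach ($config['laggs']['lagg'] ?? [] as $lagg) {
        foreach (array_filter(explode(',', $lagg['members'] ?? '')) as $nic) {
            if (!in_array($nic, $physical, true)) {
                $errors[] = "{$lagg['laggif']}: member $nic is not a physical NIC";
            } elseif (isset($members[$nic])) {
                $errors[] = "$nic is in both {$members[$nic]} and {$lagg['laggif']}";
            }
            $members[$nic] = $lagg['laggif'];
        }
        $known[$lagg['laggif']] = true;
    }
    foreach ($config['vlans']['vlan'] ?? [] as $vlan) {
        $tag = (int)$vlan['tag'];
        if ($tag < 1 || $tag > 4094) {
            $errors[] = "{$vlan['vlanif']}: tag {$vlan['tag']} is outside 1-4094";
        }
        if (!isset($known[$vlan['if']])) {
            $errors[] = "{$vlan['vlanif']}: parent {$vlan['if']} is not defined";
        } elseif (isset($members[$vlan['if']])) {
            $errors[] = "{$vlan['vlanif']}: parent {$vlan['if']} is a lagg member";
        }
        $known[$vlan['vlanif']] = true;
    }
    foreach ($config['interfaces'] ?? [] as $name => $iface) {
        $if = $iface['if'] ?? '';
        if (!isset($known[$if])) {
            $errors[] = "$name: assigned to undefined interface '$if'";
        } elseif (isset($members[$if])) {
            $errors[] = "$name: $if is already a member of {$members[$if]}";
        }
    }
    return $errors;
}
// Constructed sample: the layout from the post plus one deliberate mistake
// (opt1 on ix1, which lagg0 already owns).
$sample = [
    'laggs' => ['lagg' => [['members' => 'ix0,ix1', 'laggif' => 'lagg0']]],
    'vlans' => ['vlan' => [['if' => 'lagg0', 'tag' => '150', 'vlanif' => 'lagg0.150']]],
    'interfaces' => ['wan' => ['if' => 'lagg0.150'], 'lan' => ['if' => 'lagg0'],
                     'opt1' => ['if' => 'ix1']],
];
echo implode("\n", check_assignments($sample, ['ix0', 'ix1'])), "\n";
```

An empty result means every assigned interface resolves to a defined LAGG, VLAN or free physical NIC; the constructed sample reports the opt1 conflict.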

#15 Updated by Alessandro Pessanha 8 months ago

+1 Very important feature!

#16 Updated by Jim Pingle 26 days ago

  • Category changed from Interfaces to LAGG Interfaces
