LAGG (Link Aggregation)
Link aggregation is handled by
lagg(4) type interfaces (LAGG) on pfSense®
software. LAGG combines multiple physical interfaces together as one logical
interface. There are several ways this can work, either for gaining extra
bandwidth, redundancy, or some combination of the two.
LACP will only work across multiple switches if the switches are
LAGG Interface Settings
When creating or editing a LAGG interface, the following settings are available:
- Parent Interfaces
This list contains all currently unassigned interfaces, plus members of the
current LAGG interface when editing an existing instance.
To add interfaces to this LAGG, select one or more interfaces in this list.
An interface may only be added to a LAGG group if it is not assigned. If an
interface is not present in the list, it is likely already assigned as an
- LAGG Protocol
The operating modes for LAGG interfaces are: LACP, Failover, Load Balance,
Round Robin, and None.
The most commonly used LAGG protocol. This mode supports IEEE 802.3ad Link
Aggregation Control Protocol (LACP) and the Marker Protocol. In LACP mode,
negotiation is performed with the switch – which must also support LACP –
to form a group of ports that are all active at the same time. This is
known as a Link Aggregation Group, or LAG. The speed and MTU of each port
in a LAG must be identical and the ports must also run at full- duplex. If
link is lost to a port on the LAG, the LAG continues to function but at
reduced capacity. In this way, an LACP LAGG bundle can gain both redundancy
and increased bandwidth.
Traffic is balanced between all ports using the selected Hash Algorithm.
In addition to configuring this option on the firewall, the switch must
enable LACP on these ports or have the ports bundled into a LAG group. Both
sides must agree on the configuration in order for it to work properly.
LACP Timeout Mode controls how often the firewall sends LACP PDUs. An
LACP timeout occurs when three consecutive PDUs are missed.
Default. LACP PDUs are sent every
30 seconds. A timeout occurs after
LACP PDUs are sent every second. A timeout occurs after
When using the Failover LAGG protocol traffic will only be sent
on the primary interface of the group. If the primary interface fails,
then traffic will use the next available interface.
By default, traffic may only be received by the active interface. Create
a system tunable for
net.link.lagg.failover_rx_all with a value of
1 to allow traffic to be received on every member interface.
Failover mode has one additional option:
- Failover Primary Interface
This option sets the primary interface for failover mode, or auto to
allow the firewall to select the primary interface automatically. In
auto mode, the first selected interface in the list is primary.
Each non-primary interface is eligible for use in failover if the primary
- Load Balance
Load Balance mode accepts inbound traffic on any port of the LAGG group and
balances outgoing traffic on any active ports in the LAGG group. It is a
static setup that does not monitor the link state nor does it negotiate with
the switch. Outbound traffic is load balanced based on all active ports in
the LAGG using the chosen Hash Algorithm.
- Round Robin
This mode accepts inbound traffic on any port of the LAGG group and sends
outbound traffic using a round robin scheduling algorithm. Typically this
means that traffic will be sent out in sequence, using each interface in the
group in turn.
This mode disables traffic on the LAGG interface without disabling the
interface itself. The OS will still believe the interface is up and usable,
but no traffic will be sent or received on the group.
- Hash Algorithm
The LACP and Load Balance protocols choose how to balance traffic between
their interfaces when transmitting data using details from packets checked
against the chosen Hash Algorithm.
This can only affect traffic transmitted from this system, it has no
influence over how the peer sends data or how data received from the peer
is processed by the LAGG. That behavior must be configured on the peer.
For a packet to egress via a different interface, it must differ in some way
from other packets. This option allows the user to choose which packet
properties are checked when differentiating between packets for determining
the egress interface.
The options are based on combinations of properties on different Layers
of the OSI model:
- Layer 2
Source/Destination MAC Address and optional VLAN number.
- Layer 3
Source/Destination IPv4/IPv6 Address.
- Layer 4
When the selected Hash Algorithm includes a given layer, packets are
checked for any difference in values at that layer.
Layer 2/3/4 selection means that any difference in the VLAN,
MAC address, source or destination IP address, or source/destination port on
a packet is eligible to flow out a different interface.
In some equipment the default is Layer 2 only meaning that any traffic for
a single MAC address would only utilize one interface, which primarily
affects links between routers, essentially turning them into failover only
LAGGs. If possible, choose additional layers for the hash algorithm to
better balance the load.
A short note about the purpose of this LAGG instance.
LAGG Interface Configuration
To create or manage LAGG interfaces:
Navigate to Interfaces > Assignments, LAGGs tab
Click Add to create a new LAGG, or click to
edit an existing instance.
Complete the settings as described in LAGG Interface Settings
After creating a LAGG interface, it works like any other physical interface.
Assign the lagg interface under Interfaces > Assignments and give it an IP
address, or build other things on top of it such as VLANs.
If the only purpose of the LAGG interface is to carry VLANs, it does not need
to be assigned.
LAGG and Traffic Shaping
Due to limitations in FreeBSD,
lagg(4) does not support
altq(4) so it is
not possible to use the traffic shaper on LAGG interfaces directly.
altq(4) and VLANs can be used on top of LAGG interfaces,
so using VLANs can work around the problem. As an alternate workaround, Limiters
can control bandwidth usage on LAGG interfaces.
Using a LAGG does not necessarily guarantee full throughput equal to the sum of
all interfaces. In particular, a single flow will not exceed the throughput of a
LAGG member interface. Traffic on a LAGG is hashed in such a way that flows
between two hosts, such as this firewall and an upstream gateway, would only use
a single link since the flow is between a single MAC address on each side.
In networks where many hosts communicate with different MAC addresses, the usage
can approach the sum of all interfaces in the LAGG.