Netgate Logo Netgate Docs
  • Appliances
  • Platforms
  • Support
  • Training
latest
  • Preface
  • Introduction
  • Releases
  • Product Manuals
  • Networking Concepts
  • IPv6
  • Hardware
  • Installing and Upgrading
  • Configuration
  • Netgate® Nexus
  • Backup and Recovery
  • Interface Types and Configuration
    • WAN vs LAN Interfaces
    • Interface Configuration
    • IPv4 Configuration Types
    • IPv6 Configuration Types
    • Interface Groups
    • PPPs
    • GRE (Generic Routing Encapsulation)
    • GIF (Generic tunnel InterFace)
    • LAGG (Link Aggregation)
      • LAGG Interface Settings
      • LAGG Interface Configuration
      • LAGG and Traffic Shaping
      • LAGG Throughput
    • QinQ Configuration
    • Integrated Switches
    • Physical and Virtual Interfaces
    • Switches
    • Limitations
  • User Management and Authentication
  • Certificate Management
  • Firewall
  • Network Address Translation
  • Routing
  • Bridging
  • Virtual LANs (VLANs)
  • Multiple WAN Connections
  • Virtual Private Networks
  • IPsec
  • L2TP VPN
  • OpenVPN
  • WireGuard
  • Services
  • DHCP
  • DNS
  • Dynamic DNS
  • NTPD
  • Traffic Shaper
  • Captive Portal
  • High Availability
  • System Monitoring
  • Monitoring Graphs
  • System Logs
  • Diagnostics
  • Packages
  • Virtualization
  • Wireless
  • Cellular Wireless
  • Troubleshooting
  • pfSense® software Configuration Recipes

References

  • Menu Guide
  • Glossary of Terms
  • Development
  • References
  • Licensing

Recipes

  • pfSense® software Configuration Recipes
The pfSense Documentation
  • Docs »
  • pfSense® software »
  • Interface Types and Configuration
  • Give Feedback
Next
QinQ Configuration
Previous
GIF (Generic tunnel InterFace)

On This Page

  • LAGG (Link Aggregation)
    • LAGG Interface Settings
    • LAGG Interface Configuration
    • LAGG and Traffic Shaping
    • LAGG Throughput

LAGG (Link Aggregation)¶

Link aggregation is handled by lagg(4) type interfaces (LAGG) on pfSense® software. LAGG combines multiple physical interfaces together as one logical interface. There are several ways this can work, either for gaining extra bandwidth, redundancy, or some combination of the two.

Note

LACP will only work across multiple switches if the switches are Stackable.

LAGG Interface Settings¶

When creating or editing a LAGG interface, the following settings are available:

Parent Interfaces:

This list contains all currently unassigned interfaces, plus members of the current LAGG interface when editing an existing instance.

To add interfaces to this LAGG, select one or more interfaces in this list.

Note

An interface may only be added to a LAGG group if it is not assigned. If an interface is not present in the list, it is likely already assigned as an interface.

LAGG Protocol:

The operating modes for LAGG interfaces are: LACP, Failover, Load Balance, Round Robin, and None.

LACP:

The most commonly used LAGG protocol. This mode supports IEEE 802.3ad Link Aggregation Control Protocol (LACP) and the Marker Protocol. In LACP mode, negotiation is performed with the switch – which must also support LACP – to form a group of ports that are all active at the same time. This is known as a Link Aggregation Group, or LAG. The speed and MTU of each port in a LAG must be identical and the ports must also run at full- duplex. If link is lost to a port on the LAG, the LAG continues to function but at reduced capacity. In this way, an LACP LAGG bundle can gain both redundancy and increased bandwidth.

Traffic is balanced between all ports using the selected Hash Algorithm.

In addition to configuring this option on the firewall, the switch must enable LACP on these ports or have the ports bundled into a LAG group. Both sides must agree on the configuration in order for it to work properly.

LACP Timeout Mode controls how often the firewall sends LACP PDUs. An LACP timeout occurs when three consecutive PDUs are missed.

Slow:

Default. LACP PDUs are sent every 30 seconds. A timeout occurs after 90 seconds.

Fast:

LACP PDUs are sent every second. A timeout occurs after 3 seconds.

Failover:

When using the Failover LAGG protocol traffic will only be sent on the primary interface of the group. If the primary interface fails, then traffic will use the next available interface.

Note

By default, traffic may only be received by the active interface. Create a system tunable for net.link.lagg.failover_rx_all with a value of 1 to allow traffic to be received on every member interface.

Failover mode has one additional option:

Failover Primary Interface:

This option sets the primary interface for failover mode, or auto to allow the firewall to select the primary interface automatically. In auto mode, the first selected interface in the list is primary.

Each non-primary interface is eligible for use in failover if the primary fails.

Load Balance:

Load Balance mode accepts inbound traffic on any port of the LAGG group and balances outgoing traffic on any active ports in the LAGG group. It is a static setup that does not monitor the link state nor does it negotiate with the switch. Outbound traffic is load balanced based on all active ports in the LAGG using the chosen Hash Algorithm.

Round Robin:

This mode accepts inbound traffic on any port of the LAGG group and sends outbound traffic using a round robin scheduling algorithm. Typically this means that traffic will be sent out in sequence, using each interface in the group in turn.

None:

This mode disables traffic on the LAGG interface without disabling the interface itself. The OS will still believe the interface is up and usable, but no traffic will be sent or received on the group.

Hash Algorithm:

The LACP and Load Balance protocols choose how to balance traffic between their interfaces when transmitting data using details from packets checked against the chosen Hash Algorithm.

Note

This can only affect traffic transmitted from this system, it has no influence over how the peer sends data or how data received from the peer is processed by the LAGG. That behavior must be configured on the peer.

For a packet to egress via a different interface, it must differ in some way from other packets. This option allows the user to choose which packet properties are checked when differentiating between packets for determining the egress interface.

The options are based on combinations of properties on different Layers of the OSI model:

Layer 2:

Source/Destination MAC Address and optional VLAN number.

Layer 3:

Source/Destination IPv4/IPv6 Address.

Layer 4:

Source/Destination port.

When the selected Hash Algorithm includes a given layer, packets are checked for any difference in values at that layer.

The default Layer 2/3/4 selection means that any difference in the VLAN, MAC address, source or destination IP address, or source/destination port on a packet is eligible to flow out a different interface.

Note

In some equipment the default is Layer 2 only meaning that any traffic for a single MAC address would only utilize one interface, which primarily affects links between routers, essentially turning them into failover only LAGGs. If possible, choose additional layers for the hash algorithm to better balance the load.

Description:

A short note about the purpose of this LAGG instance.

LAGG Interface Configuration¶

To create or manage LAGG interfaces:

  • Navigate to Interfaces > Assignments, LAGGs tab

  • Click fa-plus Add to create a new LAGG, or click fa-pencil to edit an existing instance.

  • Complete the settings as described in LAGG Interface Settings

  • Click Save

After creating a LAGG interface, it works like any other physical interface. Assign the lagg interface under Interfaces > Assignments and give it an IP address, or build other things on top of it such as VLANs.

Note

If the only purpose of the LAGG interface is to carry VLANs, it does not need to be assigned.

LAGG and Traffic Shaping¶

Due to limitations in FreeBSD, lagg(4) does not support altq(4) so it is not possible to use the traffic shaper on LAGG interfaces directly. vlan(4) interfaces support altq(4) and VLANs can be used on top of LAGG interfaces, so using VLANs can work around the problem. As an alternate workaround, Limiters can control bandwidth usage on LAGG interfaces.

LAGG Throughput¶

Using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single flow will not exceed the throughput of a LAGG member interface. Traffic on a LAGG is hashed in such a way that flows between two hosts, such as this firewall and an upstream gateway, would only use a single link since the flow is between a single MAC address on each side.

In networks where many hosts communicate with different MAC addresses, the usage can approach the sum of all interfaces in the LAGG.

Next
QinQ Configuration
Previous
GIF (Generic tunnel InterFace)
Was this page helpful?

Documentation Feedback

For assistance in solving software problems, please post your question on the Netgate Forum. If you see anything that's wrong or missing with the documentation, please suggest an edit by using the feedback button in the upper right corner so it can be improved.

© 2025 Electric Sheep Fencing LLC and Rubicon Communications LLC. All Rights Reserved. | Privacy Policy | Legal

This page was last updated on Sep 05 2023.

    Other Resources
  • Platforms Overview
  • TNSR Solutions
  • pfSense Solutions
  • Appliances
  • Find a Partner
  • Support Plans
  • Training
  • Professional Services
  • Blog
  • Resource Library
  • Security Information
  • About Us
  • Careers
  • Contact Us
Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

Additional Resources v: latest
Languages
en
Versions
latest
Software Documentation
pfSense
TNSR
Product Manuals