LAGG (Link Aggregation)
Link aggregation is handled by
lagg(4) type interfaces (LAGG) on pfSense®
software. LAGG combines multiple physical interfaces together as one logical
interface. There are several ways this can work, either for gaining extra
bandwidth, redundancy, or some combination of the two.
LACP will only work across multiple switches if the switches are
LAGG Interface Settings
When creating or editing a LAGG interface, the following settings are available:
- Parent Interfaces
This list contains all currently unassigned interfaces, plus members of the
current LAGG interface when editing an existing instance.
To add interfaces to this LAGG, select one or more interfaces in this list.
An interface may only be added to a LAGG group if it is not
assigned. If an interface is not present in the list, it is likely
already assigned as an interface.
- LAGG Protocol
The operating modes for LAGG interfaces are: LACP, Failover, Load Balance,
Round Robin, and None.
- LACP
The most commonly used LAGG protocol. This mode supports IEEE 802.3ad Link
Aggregation Control Protocol (LACP) and the Marker Protocol. In LACP mode,
negotiation is performed with the switch – which must also support LACP –
to form a group of ports that are all active at the same time. This is
known as a Link Aggregation Group, or LAG. The speed and MTU of each port
in a LAG must be identical and the ports must also run at full-duplex. If
link is lost to a port on the LAG, the LAG continues to function but at
reduced capacity. In this way, an LACP LAGG bundle can gain both redundancy
and increased bandwidth.
Traffic is balanced between all ports on the LAG. However, communication
between two single hosts will only use a single port at a time because
the client will only talk to one MAC address at a time. For multiple
connections through multiple devices, this limitation effectively becomes
irrelevant. The limitation is also not relevant for failover.
In addition to configuring this option on the firewall, the switch must
enable LACP on these ports or have the ports bundled into a LAG group. Both
sides must agree on the configuration in order for it to work properly.
LACP Timeout Mode controls how often the firewall sends LACP PDUs. An
LACP timeout occurs when three consecutive PDUs are missed.
Default. LACP PDUs are sent every
30 seconds. A timeout occurs after
LACP PDUs are sent every second. A timeout occurs after
- Failover
When using the Failover LAGG protocol, traffic will only be sent
on the primary interface of the group. If the primary interface fails,
then traffic will use the next available interface.
By default, traffic may only be received by the active interface.
Create a system tunable for net.link.lagg.failover_rx_all with a value of
1 to allow traffic to be received on every member interface.
Failover mode has one additional option:
- Failover Primary Interface
This option sets the primary interface for failover mode, or auto to
allow the firewall to select the primary interface automatically. In
auto mode, the first selected interface in the list is primary.
Each non-primary interface is eligible for use in failover if the primary
- Load Balance
Load Balance mode accepts inbound traffic on any port of the LAGG group and
balances outgoing traffic on any active ports in the LAGG group. It is a
static setup that does not monitor the link state nor does it negotiate with
the switch. Outbound traffic is load balanced based on all active ports in
the LAGG using a hash computed using several factors, such as the source and
destination IP address, MAC address, and VLAN tag.
- Round Robin
This mode accepts inbound traffic on any port of the LAGG group and sends
outbound traffic using a round robin scheduling algorithm. Typically this
means that traffic will be sent out in sequence, using each interface in the
group in turn.
- None
This mode disables traffic on the LAGG interface without disabling the
interface itself. The OS will still believe the interface is up and usable,
but no traffic will be sent or received on the group.
A short note about the purpose of this LAGG instance.
LAGG Interface Configuration
To create or manage LAGG interfaces:
- Navigate to Interfaces > Assignments, LAGGs tab
- Click Add to create a new LAGG, or click to edit an existing instance.
- Complete the settings as described in LAGG Interface Settings
After creating a LAGG interface, it works like any other physical interface.
Assign the lagg interface under Interfaces > Assignments and give it an IP
address, or build other things on top of it such as VLANs.
If the only purpose of the LAGG interface is to carry VLANs, it does
not need to be assigned.
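Once an LACP LAGG exists, both sides must have negotiated each member before it carries traffic. The following added example (not part of the original documentation) parses `ifconfig` output for a lagg interface and reports which members are missing the ACTIVE, COLLECTING or DISTRIBUTING flags. The sample output is constructed, and the interface names `lagg0`, `igb0` and `igb1` are assumptions.

```python
import re

# Flags a member port shows once LACP negotiation with the switch succeeded.
REQUIRED = {"ACTIVE", "COLLECTING", "DISTRIBUTING"}
PROTO_RE = re.compile(r"^\s*laggproto\s+(\S+)", re.M)
PORT_RE = re.compile(r"^\s*laggport:\s+(\S+)\s+flags=[0-9a-f]+<([^>]*)>", re.M)

def lacp_port_status(ifconfig_text):
    """Map each member port to the sorted list of LACP flags it is missing."""
    proto = PROTO_RE.search(ifconfig_text)
    if proto is None or proto.group(1) != "lacp":
        raise ValueError("interface is not running the LACP protocol")
    status = {}
    for port, flags in PORT_RE.findall(ifconfig_text):
        present = {f for f in flags.split(",") if f}
        status[port] = sorted(REQUIRED - present)
    return status

def degraded_ports(ifconfig_text):
    """Return the member ports that are not fully participating in the LAG."""
    return sorted(p for p, missing in lacp_port_status(ifconfig_text).items()
                  if missing)

# Constructed sample: igb0 negotiated, igb1 is cabled to a switch port
# that is not configured for LACP.
SAMPLE = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tlaggproto lacp lagghash l2,l3,l4
\tlaggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: igb1 flags=0<>
\tstatus: active
"""

if __name__ == "__main__":
    for port, missing in lacp_port_status(SAMPLE).items():
        state = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{port}: {state}")
```

Note that the interface-level `status: active` line stays healthy with one degraded member, so the per-port flags are what to monitor.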
LAGG and Traffic Shaping
Due to limitations in FreeBSD,
lagg(4) does not support
altq(4) so it is
not possible to use the traffic shaper on LAGG interfaces directly.
altq(4) and VLANs can be used on top of LAGG interfaces,
so using VLANs can work around the problem. As an alternate workaround, Limiters
can control bandwidth usage on LAGG interfaces.
Using a LAGG does not necessarily guarantee full throughput equal to the sum of
all interfaces. In particular, a single flow will not exceed the throughput of a
LAGG member interface. Traffic on a LAGG is hashed in such a way that flows
between two hosts, such as this firewall and an upstream gateway, would only use
a single link since the flow is between a single MAC address on each side.
In networks where many hosts communicate with different MAC addresses, the usage
can approach the sum of all interfaces in the LAGG.
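The throughput behaviour described here and in the LACP section can be seen in a small simulation. This is an added example, not pfSense or FreeBSD code: SHA-256 stands in for the real lagg(4) hash, and the member names, addresses and packet counts are constructed.

```python
import hashlib
from collections import Counter

PORTS = ["igb0", "igb1", "igb2", "igb3"]  # hypothetical member interfaces

def pick_port(flow, ports):
    """Choose the egress member for (src MAC, dst MAC, src IP, dst IP, VLAN).

    SHA-256 is a stand-in for the real hash; the property that matters is
    that an identical tuple always maps to the same member port.
    """
    key = "|".join(map(str, flow)).encode()
    index = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return ports[index % len(ports)]

def distribute(flows, ports):
    """Return packets sent per member port for (flow, packet_count) pairs."""
    load = Counter({p: 0 for p in ports})
    for flow, packets in flows:
        load[pick_port(flow, ports)] += packets
    return dict(load)

def ports_in_use(load):
    """Member ports that carried at least one packet."""
    return sorted(p for p, n in load.items() if n > 0)

# Constructed traffic, case 1: a single flow between this firewall and an
# upstream gateway (one MAC and one IP address on each side).
single_flow = [(("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                 "192.0.2.1", "192.0.2.254", 10), 10000)]

# Constructed traffic, case 2: 200 hosts, each with its own MAC and IP
# address, sending 50 packets each to one server.
many_hosts = [((f"00:00:5e:00:53:{i:02x}", "00:00:5e:00:53:ff",
                f"198.51.100.{i}", "203.0.113.10", 10), 50)
              for i in range(1, 201)]

if __name__ == "__main__":
    print("single flow :", distribute(single_flow, PORTS))
    print("many hosts  :", distribute(many_hosts, PORTS))
    # One member loses link: the LAG keeps working on the remaining ports.
    print("3 ports left:", distribute(many_hosts, PORTS[:3]))
```

The single flow lands entirely on one member no matter how many ports are in the group, while the 200-host case spreads across all of them and still delivers every packet after a member is removed.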