Link aggregation is a way of bundling several individual (Ethernet) links together so they act as a single logical link. Bonding Ethernet links together gives you the following benefits:
- Speed beyond 1 gigabit. Two aggregated Ethernet links can get you pretty close to 2 gigabits.
- Link redundancy. Instead of having only one wire from your switch to the Firewalla, you can have two. If one of them is cut, your network will still be up.
Link Aggregation can be configured on Firewalla's LAN ports with a managed switch or NAS; or on WAN ports with a modem that supports Link Aggregation.
Limitations
There are several limitations you should be aware of:
- Up to three ports can be configured per LAG. Up to two LAGs are supported per box.
- Only LACP (802.3ad) is supported; Static LAG configurations are not supported.
- All ports in a LAG must be assigned to the same network.
- VLANs are not supported on WAN LAGs.
- Link Aggregation Groups (LAG) are only supported on Firewalla Gold, Gold SE, and Gold Plus.
- LAG is not supported in Bridge Mode.
1. Create a LAG for Faster Internet Speed
If your ISP has provided you with more than 1 Gbps Internet speed, you can aggregate 2 or 3 Ethernet ports and assign the LAG to Firewalla's WAN Connection. This way, you'll be able to get a total Internet speed of 2 or 3 Gbps.
Here is an example of how to set it up:
- Create a LAG on Firewalla
- Apply the WAN connection to the LAG on Firewalla
- Enable LAG on your modem
- Connect Devices
Step 1: Create a LAG on Firewalla
On Firewalla App, tap Network on the box main page.
- Tap Link Aggregation under the networks, tap Edit -> Create Link Aggregation Group.
- Select up to three Ethernet ports, tap Done.
- Tap Save.
Step 2: Apply the WAN connection to the LAG on Firewalla
On your WAN connection, select Ethernet ports used in the LAG, then Save the configuration.
Step 3: Enable LAG on your Modem
Follow the instructions provided by your ISP to enable LAG on your modem. This may require rebooting the modem.
Step 4: Connect Devices
Connect the Ethernet ports in the LAG on the Modem with the Ethernet ports in the LAG on Firewalla. Firewalla Gold should be getting a total Internet speed of 2 Gbps.
2. Use VLANs on a LAG
If you have a managed switch and need higher bandwidth to transmit data across VLANs, you can create a Link Aggregation Group (LAG) containing multiple gigabit ports on Firewalla and your switch, and then connect them together.
Here is an example setup:
In this example, before having a Link Aggregation Group, if devices on Office VLAN are downloading data from devices on Server VLAN, the Inter-VLAN connection will be getting a maximum of 1 Gbps throughput.
If you create a LAG containing two Ethernet Ports on both Firewalla and your switch, then connect them together, you should be able to get a maximum of 2 Gbps Inter-VLAN throughput.
Here are the steps on how to set it up:
- Create a LAG on Firewalla
- Apply VLANs to the LAG on Firewalla
- Create a LAG on Switch
- Apply VLANs to the LAG on the Switch
- Connect Devices
Step 1: Create a LAG on Firewalla
On Firewalla App, tap Network on the box main page.
- Tap Link Aggregation under the networks, tap Edit -> Create Link Aggregation Group.
- Select up to three Ethernet ports, tap Done.
- Tap Save.
Step 2: Apply VLANs to the LAG on Firewalla
On your VLANs, Office VLAN and Server VLAN, select Ethernet ports used in the LAG, then Save the configuration.
Step 3: Create a LAG on your Switch
Open the switch's admin page and follow the switch's instructions to create a LAG.
If the device you are connecting to requires you to choose a Link Aggregation Mode, use Dynamic Link Aggregation, LACP (802.3ad).
If you are using a UniFi controller, select the ports you want to aggregate, choose Aggregate, type in Aggregate Ports, then Apply changes.
- Select the ports you want to aggregate.
- Select the VLANs (or profile) included on this LAG.
- Choose Aggregate.
- Apply changes.
UniFi will show the LAG as a single 2GbE connection.
Step 4: Apply VLANs to the LAG on the switch
On the aggregated ports, select VLANs (or profile), then Apply the change.
Pro tip: if you are LAGing the uplink ports to the switch, you are provisioning the switch while connected through the very ports that are changing, so you will likely lose connection to the switch temporarily and provisioning can fail. The method below may prevent that problem.
The solution to this catch-22 is simple. Before you aggregate the connection:
- Move the switch uplink to another port that will not be reconfigured in this operation. For example:
- Set another port to the proper VLAN profile so you can communicate with the switch and allow the switch to be provisioned. (Port 5 in this example).
- Disconnect the ports you wish to LAG. In this case, both ports going from switch ports 15,16 to Firewalla.
- Connect Switch port 5 to Firewalla. Now the ports you want to provision are unused.
- Wait until Port 5 becomes the uplink port.
- Aggregate the ports that will be uplink and provision the switch using the process above.
- Disconnect Port 5 and reconnect ports 15,16 and now you should have the LAG port connecting Firewalla to the switch.
You should always consult the OEM documentation for your specific switch and defer to their advice.
Step 5: Connect Devices
Connect the Ethernet ports in the LAG on the switch with the Ethernet ports in the LAG on Firewalla. Other devices connected to your VLANs may remain unchanged.
Congratulations, you should be getting a maximum of 2 Gbps throughput between the VLANs!
Comments
When you say “All ports in a LAG must be assigned to the same network.”, does this mean that multiple networks configured as VLANs cannot be assigned to the same LAG?
This means if you use port 1 and port 2 as one LAG, then they can't be used by anything else. VLAN over LAG is supported on 1.9731.
I'm still not clear on this. I'm trying to get clarification on whether or not I can assign multiple networks that are set up as tagged VLANs on the Firewalla to the same LACP group like I can on a switch. I route traffic across VLANs internally so I can inspect things between my primary trusted networks and my IoT network for example, and it would be advantageous to not be bottlenecked by a single interface (yes I know a single TCP stream won't span more than 1 physical port).
Yes, you will be able to assign multiple VLANs to the same LAG, but it requires box version 1.9731, which is currently in early access release.
Any ETA to stable release? I set up VLANs last night assuming the Firewalla had LAG currently to be sadly disappointed :(
Or, how do I get access to this build?
VLAN over LAG is now supported in the 1.9731 release. As of the time of this message, 1.9731 is in beta and will hopefully soon be in production.
I am trying to set up a LAG between FWG and SXR80 (Netgear SXK80 pair in bridge mode) and can't seem to get it to work.
I have the LAG group set up on the FWG across port 1 and 2 with VLANs.
I have the SXR80 port 1 and 2 'bound' using the default trunk mode.
If I have one cable plugged in from the FWG to the SXR80 it works.
As soon as I plug in the second uplink cable from the FWG to the second bound port on the SXR80 it drops off.
The SXK80 manual states - '802.3ad link aggregation for static LAGs' so I am thinking it's not compatible. Is the only way to have LAG working to put in a switch between the FWG and SXR80 that supports LACP for the FWG and then Static LAG for SXK80, or am I missing something obvious?
Is there any chance that LAG and Bridge mode could work together? Is there a technical limitation? It would be nice for a bit more speed in inter-vlan routing.
I have an L3 switch and want to LAG all 4 ports on my gold unit together so my WAN can go through the switch isolated to my FW to filter and watch everything, but the app limits me to a maximum of 3 ports to be LAG'ed together. Why is it limited to 3? I want four to work with VLANS to make everything work and get the maximum throughput.
Is there a plan to support Static LAG configurations at some point in the future? Or, at least comment on the feature request.
If I recall correctly, it can detect static and switch to static. I used a switch that only supported static and was able to LAG with the Gold.
Got 2.5 Gbps fiber that requires a PPPoE WAN connection (uses pong fps fiber to 2.5 Gbps single port) and PPPoE connection.
With a dynamic link aggregation supported switch, according to the Firewalla user guide, it should be possible to use two Firewalla Gold ports in LAG mode, aggregated on Firewalla and the switch, linked to the single Ethernet WAN port on the adapter.
The examples given in the article use DHCP mode, and I wanted to verify that this would work with PPPoE connecting my Firewalla Gold box, that would also act as the modem, by "virtualizing" Firewalla 2 Gb ports and linking it to the 2.5 Gbps Ethernet port on the ISP adapter would not only "see" as a single connection, but work through Firewalla PPPoE over LAG, enabling me to take advantage of broadband.
My questions are as follows:
1. Would this setup work with PPPoE in Firewalla link aggregation?
2. Since multi-gigabit switches that support 802.3ad dynamic link aggregation are expensive and mostly redundant, as I only need one 2.5 Gbps Ethernet port and two other 1 Gbps to Firewalla (sort of a "smart splitter"), are there any recommendations for cost-effective solutions for this switch?
3. Another option I was thinking of was an fps (Apple Inc. multi gigabit fiber, downlink gigabit ethernet), but that would need to replace and comply with pong standards on the adapter I was provided with on the Fibo side, which is Nokia G-010G-T with one 2.5 Gb Ethernet port and one for fiber. Since I really need a quote "smart splitter" from a single multi-gigabit to two 1 Gbps ports on Firewalla, a $200 multi-gigabit switch that supports these standards seems like overkill.
If anyone can confirm feasibility, and recommend products either to replace the fiber to ethernet adapter or an appropriate switch, I would be most appreciative.
It can be set up that way, but it is unlikely to work as you expect. Because the box and the switch can't decode the PPPoE payload, the load balancing may not fully work as expected, or traffic may not be well distributed across the two ports. In the worst case, it could actually just use one of the ports to transfer data.
Even though the load balancing works, the performance of the original Gold may not be able to support 2.5 Gbps download speed over PPPoE.
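The two points made in the replies above (a single TCP stream stays on one physical port, and PPPoE traffic may all land on one port) both follow from per-flow hashing on a LAG. The sketch below is an added illustration, not part of the original thread and not Firewalla's or any switch's actual algorithm. The CRC32-based hash, the field names and the sample traffic are assumptions constructed for the demonstration.

```python
import zlib
from collections import Counter

ETH_IPV4 = 0x0800           # EtherType for IPv4
ETH_PPPOE_SESSION = 0x8864  # EtherType for PPPoE session frames

def flow_key(frame):
    """Return the header fields the hashing device can read for this frame."""
    l2 = (frame["src_mac"], frame["dst_mac"], frame["ethertype"])
    if frame["ethertype"] == ETH_IPV4:
        # Plain IPv4: addresses and ports are visible, so flows get distinct keys.
        return l2 + (frame["src_ip"], frame["dst_ip"], frame["sport"], frame["dport"])
    # PPPoE payload is not decoded: only the MAC pair and EtherType remain.
    return l2

def pick_member(frame, n_links):
    """Map a frame to one LAG member; the same key always picks the same link."""
    return zlib.crc32(repr(flow_key(frame)).encode()) % n_links

def distribute(frames, n_links):
    """Count frames sent on each member link."""
    return Counter(pick_member(f, n_links) for f in frames)

def make_flows(count, ethertype):
    """Constructed sample traffic: `count` TCP flows between one MAC pair."""
    return [{
        "src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
        "ethertype": ethertype,
        "src_ip": "192.0.2.10", "dst_ip": f"198.51.100.{i % 250 + 1}",
        "sport": 40000 + i, "dport": 443,
    } for i in range(count)]

def links_used(frames, n_links=2):
    """Number of member links that carried at least one frame."""
    return len(distribute(frames, n_links))

if __name__ == "__main__":
    one_stream = make_flows(1, ETH_IPV4) * 1000  # 1000 frames of one flow
    print("one TCP stream:", dict(distribute(one_stream, 2)))
    print("64 IPv4 flows: ", dict(distribute(make_flows(64, ETH_IPV4), 2)))
    print("64 PPPoE flows:", dict(distribute(make_flows(64, ETH_PPPOE_SESSION), 2)))
```

Because every PPPoE session frame between the box and the ISP side shares one MAC pair and one EtherType, a device that hashes only on those fields has a single key for all traffic, which is the worst case the reply describes.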
I want to LAG ports 2 and 3 of a Gold Plus and connect them to a managed switch (also configured for LAG).
I then want to use port 1 on the Gold Plus to connect another device TO THE SAME NETWORK.
This does not seem possible. Firewalla gives me an error saying the ethernet ports should not be selected in the same network, but I can't see any good reason why not?
Surely LAG is just having a bigger pipe? I can connect port 2 to the switch and port 1 to a device and them both be on the same network. Why can't I do the same using LAG?
You can not do this.
2/3 -> Network A
1 -> Network A
This creates a switch loop. One of them will be automatically turned off.
Can you explain why this will create a switch loop? I already have:
2 -> Network A
1 -> Network A
I'm just looking to join 2 and 3 together for a faster speed.
The switch connected to port 1 is not connected to the switch on port 2, so there should be no loops.
If (1)(2) are both on the same network A, and both connect to the same switch, it will not work.
If (1) connects to one switch and (2) connects to another switch, it will work. If the two switches are connected together, it will not work.
If (1)(2) LAG connects to a switch, it will work.
Sure but I have Switch A and Switch B, and they are not connected.
I have Switch A connected to Firewalla port 1
I have Switch B connected to Firewalla port 2
That's all fine, and no loops.
Now I want to LAG ports 2 and 3, and have Switch B connected to LAG 2+3, but while still having Switch A connected to port 1.
There are still no loops doing that, so why won't it let me?