LAGGing pfSense… Manually…

Throughput through my KVM-hosted pfSense was abysmal for a 10Gbps link – despite the Intel Core i7 155h host w/128GB 5600MHz RAM doing nothing else but hosting the pfSense VM (replete with VFIO-passthrough)…

I could get ~8-9Gbps iperf3 performance from my PC to the WAN interface, which was “OK”, but iperf3 from pfSense out to various 10Gbps-capable public iperf3 servers was bad, as were the Ookla speedtest.net results (from my PC).

In an attempt to figure out if the virtualisation was part of the issue, I attempted to run pfSense bare metal (via dual-booting – which had a whole storied journey itself)…

If you want the solution, just jump to the second last paragraph…

First boot brought up all the interfaces (thankfully) for selection – but there was no way to set up a LAGG and then choose that for my WAN/LAN interface… So the “quick” work-around was to specify at least a WAN (and optionally LAN), then edit the /conf/config.xml file by hand (using viconfig)…

I copied the various sections from my “working” pfSense – here for reference… Remember that the “outer” XML tags are for reference to know where to inject/replace the various XML snippets, and not to replace the entire XML section!

  • interface definitions:
<pfsense>
    <interfaces>
        <wan>
            <if>lagg1</if>
            <descr><![CDATA[WAN]]></descr>
            <alias-address></alias-address>
            <alias-subnet>32</alias-subnet>
            <spoofmac></spoofmac>
            <enable></enable>
            <ipaddr>dhcp</ipaddr>
            <dhcphostname>router</dhcphostname>
        </wan>
        <lan>
            <if>lagg0</if>
            <enable></enable>
            <descr><![CDATA[LAN]]></descr>
            <spoofmac></spoofmac>
            <mtu>9000</mtu>
            <ipaddr>10.0.0.254</ipaddr>
            <subnet>8</subnet>
        </lan>
    </interfaces>
</pfsense>
  • LAGG:
<pfsense>
    <laggs>
        <lagg>
            <members>ixl0,ixl1</members>
            <descr><![CDATA[LAN]]></descr>
            <laggif>lagg0</laggif>
            <proto>lacp</proto>
            <lacptimeout>fast</lacptimeout>
            <lagghash>l2,l3,l4</lagghash>
        </lagg>
        <lagg>
            <members>ixl2,ixl3</members>
            <descr><![CDATA[WAN]]></descr>
            <laggif>lagg1</laggif>
            <proto>lacp</proto>
            <lacptimeout>fast</lacptimeout>
            <lagghash>l2,l3,l4</lagghash>
        </lagg>
    </laggs>
</pfsense>

Of course, edit the LAGG interface members (<members>), the protocol (<proto>), the LACP hash algorithm (<lagghash>) and the interface IP addresses to suit.
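A cross-reference check for the hand-edited file, added here as an example and not part of the original post: it confirms that every laggN named in <interfaces> is defined in <laggs>, and that no member NIC sits in two LAGGs or is also assigned directly. The function name and the trimmed sample config are constructed from the snippets above; run it against a copy of config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's two snippets merged under one <pfsense> root,
# trimmed to the elements the check reads.
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>lagg1</if><enable></enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>lagg0</if><enable></enable><ipaddr>10.0.0.254</ipaddr></lan>
  </interfaces>
  <laggs>
    <lagg><members>ixl0,ixl1</members><laggif>lagg0</laggif><proto>lacp</proto></lagg>
    <lagg><members>ixl2,ixl3</members><laggif>lagg1</laggif><proto>lacp</proto></lagg>
  </laggs>
</pfsense>"""


def check_laggs(xml_text):
    """Return a list of problems in the lagg/interface cross-references."""
    root = ET.fromstring(xml_text)
    problems = []
    defined = {}  # laggif name -> list of member NICs
    owner = {}    # member NIC -> lagg that claimed it first
    for lagg in root.findall("./laggs/lagg"):
        name = (lagg.findtext("laggif") or "").strip()
        members = [m.strip() for m in (lagg.findtext("members") or "").split(",") if m.strip()]
        if not name:
            problems.append("lagg entry without <laggif>")
            continue
        if name in defined:
            problems.append(f"{name} defined more than once")
        if not members:
            problems.append(f"{name} has no members")
        defined[name] = members
        for nic in members:
            if nic in owner and owner[nic] != name:
                problems.append(f"{nic} is a member of both {owner[nic]} and {name}")
            owner.setdefault(nic, name)
    for iface in root.findall("./interfaces/*"):
        port = (iface.findtext("if") or "").strip()
        if port.startswith("lagg") and port not in defined:
            problems.append(f"{iface.tag} uses {port}, which is not defined in <laggs>")
        if port in owner:
            problems.append(f"{iface.tag} is assigned {port}, already a member of {owner[port]}")
    return problems


if __name__ == "__main__":
    for line in check_laggs(SAMPLE) or ["lagg references are consistent"]:
        print(line)
```

A clean result only means the XML is internally consistent; it says nothing about whether the laggN devices are actually created at boot.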

Unfortunately, that didn’t work either – console showed everything was “spiffy”… but guess what? I couldn’t ping anything (either from or against the pfSense router)…

Running ifconfig from shell showed there were no laggN interfaces… Anywhere! 👿

At this stage, I got fed up and just unplugged one of the LACP’d interfaces, set the LAN up as singular, then got into the UI to set up the LAGG with a single interface, reassigned LAN to the new lagg0 with single interface – at which point I lost the link and had to swap cables, reconnected to the UI, then added the now-unassigned single interface to the LAGG… And rebooted for good measure.

So much for setting up LAGG on initial set up of pfSense 2.7.2!
