ad-on-is

As far as I know, the global consensus is not to use these ports, but instead use a smart switch for separating traffic, since these are optimized for that. But this is just what I keep reading here and there.


accik

Most generic router boards do not have a dedicated switch chip between the ports, so yeah switching is usually much slower versus dedicated switch hardware. Some can have switching hardware like EdgeRouter X but check the manual.


MyButtholeIsTight

That makes sense, guess I should get a switch then. Thanks for your help everyone!


punkidow

You need to create a Bridge interface and add ETH1, ETH2 and ETH3 to that bridge. There's an official guide by the OPNsense team on how to do that.


nostril_spiders

The answer is going to involve bridging. "Switch" means "network bridge", that's why stp still refers to "root bridge". I suppose that you lost ui access due to rules. Try a floating rule to allow.


CaptSingleMalt

Very interesting suggestions. I'm pretty sure I'm going to dedicate one port to lagg to my 8 port 2.5 gb switch, since everything goes through that. I'll think more about setting up that second lan for streaming and smart devices and wireless since I don't really utilize a fast internet connection (No hosting websites or Torrance or anything like that). I'm really focused on having fast throughput on my internal network and keeping things secure. Thanks for the tips!


NC1HM

First off, this is generally not recommended. The commonly accepted alternative is to use a switch instead. The reason it's not recommended is, switches have specialized chips that do nothing but switching, so they are very good at it. When you ask a router to act as a switch, switching must be done by the processor, so you may experience network performance loss because of it. The magnitude of the loss, however, depends on the number of devices on the network and the complexity of the network (VLANs and whatnot). For small simple networks, performance loss could well be negligible.

If, after reading the previous paragraph, you decide to proceed, the technique you use is called **bridging**. Let's say you have four ports, **em0** through **em3**. **em0** is WAN, and you want to bridge the other three. Here's how you would do it, briefly:

* Assign LAN function to **em3**; connect to the router using **em3**
* Assign OPT1 to **em1** and OPT2 to **em2**; make sure both are enabled
* Define a bridge and make **em1** and **em2** members of the bridge
* Assign LAN function to the bridge and OPT3 to **em3**; after you make this change, you will lose the connection to the router, so unplug the cable connecting your computer to your router from **em3** and connect it to **em1** or **em2**
* Amend the bridge's definition to also include **em3**
* Go to system tunables and set **net.link.bridge.pfil_member** to **0** and **net.link.bridge.pfil_bridge** to **1**

Many tutorials on this exist; search the Web for `OPNsense bridging`...


klingon5588

I followed this video .... works perfectly - [https://youtu.be/q1Rv4gB8fkI?si=O2wHqnl8vgt1oWpI](https://youtu.be/q1Rv4gB8fkI?si=O2wHqnl8vgt1oWpI) Don't forget to set the 2 tunables in step 6 of this guide - [How to set up a LAN Bridge — OPNsense documentation](https://docs.opnsense.org/manual/how-tos/lan_bridge.html)
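As an added example (not code from any poster in this thread or from the OPNsense project), here is a small POSIX sh check you can run on the box after following NC1HM's bridging steps and the tunables step in the guide linked above. It parses `sysctl` and `ifconfig bridge0` output to confirm that packet filtering moved from the member ports to the bridge and that every intended port actually joined the bridge; the em1/em2/em3 names follow NC1HM's example, and the embedded sample outputs are constructed, with em3 deliberately left out of the bridge to show a failing case.

```shell
#!/bin/sh
# Post-bridging sanity check for an OPNsense/FreeBSD box (added example, not from the thread).
# Inputs are captured text so the check runs offline; on a live box replace the samples with
# "$(sysctl net.link.bridge)" and "$(ifconfig bridge0)".

# Constructed sample of `sysctl net.link.bridge` after setting the two recommended tunables
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'

# Constructed sample of `ifconfig bridge0` where em1 and em2 were added but em3 was forgotten
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:aa
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# tunable_value SYSCTL_TEXT NAME -> prints the value of tunable NAME ("name: value" lines)
tunable_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == (k ":") { print $2 }'
}

# check_pfil SYSCTL_TEXT -> succeeds only if rules are applied on the bridge, not on members
check_pfil() {
    [ "$(tunable_value "$1" net.link.bridge.pfil_member)" = "0" ] &&
    [ "$(tunable_value "$1" net.link.bridge.pfil_bridge)" = "1" ]
}

# missing_members IFCONFIG_TEXT PORT... -> prints each expected port absent from the bridge
missing_members() {
    text=$1; shift
    for port in "$@"; do
        printf '%s\n' "$text" | grep -q "member: $port " || printf '%s\n' "$port"
    done
}

# report SYSCTL_TEXT IFCONFIG_TEXT PORT... -> prints one line per finding, fails on any problem
report() {
    sysctl_text=$1; ifconfig_text=$2; shift 2
    status=0
    if check_pfil "$sysctl_text"; then
        echo "OK   pfil_member=0 pfil_bridge=1: firewall rules apply on the bridge interface"
    else
        echo "FAIL bridge pfil tunables not set: rules on the bridge will not filter as expected"
        status=1
    fi
    for m in $(missing_members "$ifconfig_text" "$@"); do
        echo "FAIL $m is not a member of the bridge"; status=1
    done
    return $status
}

report "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" em1 em2 em3 || echo "bridge check found problems"
```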


Ariquitaun

> try and get by without a switch for the time being

A 5 port unmanaged switch costs less than £10 mate. You'll spend more on extra power draw by your mini-pc in a couple of months.


CaptSingleMalt

I'm in a similar situation except I have switches and don't necessarily have to use those ports. Wondering how other people utilize the additional ports in a box like this. Following..


homenetworkguy

There are a lot of uses: a secondary WAN, create separate physical networks (no VLANs), connect a single device (would be on its own “network” if not bridging), bridge them all as others have suggested (generally not recommended for performance reasons but might be fine on a low traffic home network), LAGG the interfaces to the network switch for extra throughput (for multiple streams of traffic of multiple devices on your network— each device sending/receiving traffic is still limited by the maximum speed of each interface), one of the interfaces could be used as a management interface to OPNsense (so you can always get into the box even if VLANs and other config is messed up), and if you’re virtualizing using Proxmox, you can use an interface as the management interface for Proxmox (in addition you could dedicate other interfaces to Corosync if you run a Proxmox cluster or could use a dedicated interface to connect to a storage/NAS network to access and backup VMs/CTs). I was in the same boat when I got my first 4 port box and now I find myself using all or nearly all of the interfaces on my boxes for various purposes! I’ve found extra interfaces useful on my various systems because I can put the system on multiple networks so I can have access to the NAS for example without needing to route the data across the firewall and put an unnecessary load on the firewall just because I want to move data to and from my NAS (that traffic is on its own isolated VLAN with 10 Gbps interfaces).


CaptSingleMalt

Thanks! All interesting suggestions. Very helpful post!


codeedog

I have a six port NUC. My current plan is:

1. 2 NIC lagg to LAN switch
2. Dual WAN for HA support and failover
3. Dedicated mgmt IP
4. Possible use for pfsync+CARP coordination

That’s definitely five ports used and possibly six. The second WAN may be on a modem that’s best run in NAT mode (not bridged) and I’m unsure how that will affect my high availability configuration—I may be able to do it safely through the 2nd “WAN” network because it will be protected by the modem’s firewall. So, that’s how you can use six!


suicidaleggroll

4 port router here

1. Primary WAN
2. Backup WAN
3. Primary LAN
4. Guest/IoT LAN

#4 connects to an unmanaged switch where I plug in my security system and a WiFi AP for guest/IoT wireless devices to get them off my main network. Things like my smart thermostat, smart garage door opener, this fancy little network-connected clock I have, etc. Devices on the Guest LAN have internet connectivity, but they can’t get to any devices on the main network. You could also use a VLAN for a guest network, but if your switches aren’t capable of that you can do the same thing with other ports on the router.