I'm trying to figure out the best or easiest way to fix my inter-vlan routing issues.
I am currently using an OPNsense firewall/router (Protectli) in the router-on-a-stick paradigm, connected via a 2x 1GbE LAG to an ICX6450. I'm not trying to do anything crazy for VLANs, just LAN, GUEST, MGMT, and CAMERA.
I am seeing an issue with WAN timeouts when the router is forced to route from CAMERA to LAN (for storage).
I'd like to keep OPNsense for most DHCP, firewall duties, IPv6, multicast, etc. I'm sure that a lot of this is due to the nice GUI and visualizations. Maybe this is wrong, but I fear that the 5-year-old L3 routing code is not always going to be sufficient.
I've looked at a lot of posts in this thread with similar topics, but haven't seen a "good solution" [in my probably flawed opinion]. Re: here or here, etc.
I had hoped that the LAG would give another path for WAN packets, so streaming music and Skype connections would not be interfered with when the CAMERA copy is taking place, but that doesn't seem to be the case. [Un]fortunately my NAS can sustain ~350 MBps writes, so bidirectional traffic will kill the 1 GbE link.
10 GbE is not an option for this firewall box at the moment.
I don't think this issue is CPU bound on the OPNsense box. It gets up to 40-50%, unless it's a single-core issue.
Is there some LAG configuration that I could use to make this connection better?
Would some QoS PCP values make anything better?
I'd probably even consider limiting the bandwidth coming out of the CAMERA VLAN/interface. Is there a good way to do that?
Is there some way that I can add a simple ACL/route for just 192.168.60.10 <=> 192.168.10.12, so this traffic doesn't need to go up to the router?
I tried to do this as per various tutorials, but since the gateway is OPNsense, the traffic goes there to get routed to the other VLAN and doesn't use the VEs that I set up on the 6450.
Or am I forced to give up this OPNsense router-on-a-stick, change the gateways, add a transit VLAN, etc.? Embrace change!
I know if I wanted to route at 10G, then I'd need to go there, but I would think that this setup could handle a 1G link.
Thanks!
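Two of the mechanisms behind the behaviour described in the post above can be shown in a few lines of code. This is an added illustration, not code from the original poster, OPNsense, or the ICX6450. The flow hash below is a generic 5-tuple hash chosen for illustration, not the switch's or firewall's actual LAG algorithm, and it shows why a LAG never lets a single copy stream exceed one member link: all packets of one flow hash to the same link, while many distinct flows spread across links. The route lookup shows why a host whose only route off-subnet is the default to OPNsense sends camera-to-NAS traffic to the firewall, and how a more specific route pointing at a switch VE would change that. The camera and NAS addresses come from the post; the gateway and VE addresses (192.168.60.1, 192.168.60.2) are assumed placeholders.

```python
"""Why a 2-link LAG does not split one flow, and why the default gateway
decides where inter-VLAN traffic goes. Added example; addresses other than
the camera and NAS are assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def lag_member(flow: Flow, n_links: int) -> int:
    """Map a flow onto one member link of an n-link LAG.

    Real switches use a vendor-specific hash over L2/L3/L4 header fields; this
    SHA-256-based stand-in (an assumption) shares the property that matters:
    every packet of a given flow lands on the same member link, so one TCP
    stream can never use more than one link's bandwidth.
    """
    key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.sport}|{flow.dport}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def next_hop(dst: str, routes: list[tuple[str, str]]) -> str:
    """Longest-prefix-match lookup over (prefix, gateway) pairs, as a host
    or switch routing table would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


# Addresses from the post; gateway/VE addresses below are assumed placeholders.
CAMERA = "192.168.60.10"
NAS = "192.168.10.12"
OPNSENSE_VE60 = "192.168.60.1"  # assumed OPNsense address on the CAMERA VLAN
SWITCH_VE60 = "192.168.60.2"    # assumed ICX6450 VE address on the CAMERA VLAN


def camera_routes_default_only() -> list[tuple[str, str]]:
    """Typical host table: connected subnet plus a default route to OPNsense."""
    return [("192.168.60.0/24", "connected"), ("0.0.0.0/0", OPNSENSE_VE60)]


def camera_routes_with_switch_route() -> list[tuple[str, str]]:
    """Same table plus a more specific route for the LAN subnet via the switch VE."""
    return camera_routes_default_only() + [("192.168.10.0/24", SWITCH_VE60)]


def links_used_by_copy(n_links: int = 2) -> set[int]:
    """One camera-to-NAS TCP stream (constructed 5-tuple) always uses one link."""
    copy = Flow(CAMERA, NAS, 6, 40000, 445)
    return {lag_member(copy, n_links) for _ in range(1000)}


def links_used_by_many_flows(n_links: int = 2, n_flows: int = 100) -> set[int]:
    """Many distinct flows (varying source port) spread across the LAG members."""
    return {lag_member(Flow(CAMERA, NAS, 6, 40000 + p, 445), n_links) for p in range(n_flows)}


if __name__ == "__main__":
    print("links used by a single copy stream:", links_used_by_copy())
    print("links used by 100 distinct flows:", links_used_by_many_flows())
    print("NAS traffic with default route only goes to:", next_hop(NAS, camera_routes_default_only()))
    print("NAS traffic with a switch route goes to:", next_hop(NAS, camera_routes_with_switch_route()))
```

The route lookup is the reason the VEs on the switch are bypassed as long as the hosts' only off-subnet path is the default gateway on OPNsense: the switch's VE is never consulted unless something (a more specific route on the host, or moving the gateway) points traffic at it.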