1G Copper Bypass Card
-
Hello,
I have searched through the forum and haven't had any luck. Has anyone successfully used any 1G copper bypass with pfSense on a PC? I see Silicom provides such cards, and I haven't found any post which confirms whether it works with pfSense or not, although Silicom states it's supported on FreeBSD. I am open to trying any other copper bypass cards as well.
-
@hkjarral said in 1G Copper Bypass Card:
Has anyone successfully used any 1G copper bypass with pfSense on a PC?
What for? What are you trying to achieve with it?
-
I am trying to set up an edge inline firewall with Snort in bridge mode, and bypass will be useful in case there is a power failure.
-
Bypass always seems like a good idea until you realize if someone knocks out the IDS on purpose, it's worthless.
Sometimes it may be less convenient to fail closed, but it's more secure. Bypass is the wrong answer to that problem.
-
I want to give it a shot and see how it works out. For now I need any information on quad-port NIC cards which support bypass. Here are my two options; I want to know if either of these would work.
https://www.intel.com/content/www/us/en/ethernet-products/gigabit-server-adapters/pro-1000-pt-quad-port-bypass-server-adapter-brief.html
or
https://www.silicom-usa.com/pr/server-adapters/networking-bypass-adapters/gigabit-ethernet-bypass-networking-server-adapters/pe2g4bpi80l-bypass-card/
Appreciate any help on these cards.
-
Sorry, any hardware I have/had that actually has bypass options, I check it's disabled. What use is a firewall/border gateway/filtering device if you could just launch a DoS against its filter to bring it down to bypassing? Never could make a use case stick for bypass, so I'm no help, I'm afraid. Just can add from real-world scenarios that in 99% of all use cases I've seen, you don't want that. But maybe you found a useful scenario, then I'm happy to hear :) Power failures are no useful cases, as your firewall should be on a UPS anyway (and be set up to restart after power loss) and for those 1-2 min, all customers are more happy to be safe than to have a potential security risk opened. :)
-
Appreciate the feedback. I perfectly understand the least use case for bypass, but in our case, since our applications are mission critical and accessed externally, we can't even afford 1-2 min downtime.
Anyhow, I will work on something and see if I can work out something with code to deploy a fully working inline firewall with bypass capability on power failure. Since FreeBSD supports it, there might be some way around it.
Thanks for all the assistance.
-
Thanks! I wouldn't mind your feedback on findings of the watchdog/bypass configuration. One simply doesn't know, when he meets the 1% he needs it for :)