Netgate/lanner 7541 with network bypass



  • Hello,

    I just received two netgate fw7541D's.  However, I had not read the fine print regarding the network bypass port, and these models do not have it.  When I talked to Jamie at Netgate, she told me it was because the bypass wasn't supported by pfsense.  However, she couldn't tell me what that meant.  I thought I would post the question here.

    What do they mean by "pfsense won't support it"?  Does this mean "pfsense can't turn this on or off", or "pfsense will not work/melt down/explode if it sees that part"?

    Here's my goal: if I can control the bypass in the bios (bypass w/o power, no bypass with power), does it really matter if pfsense knows anything about it?  If not, I will ship these back and order a set of model C's, AND I will let the netgate folks know.

    –jason



  • I don't have that particular system, but I do have Lanner boxes (FW-8865) with Bypass NICs (4x i350 onboard + 8x i350 expansion).  They can be controlled in the BIOS though I can't say I ever looked at the options in there.  I just set them to Disabled and went on my way.  I only ordered them because the price was basically the same for the i350 with/without bypass and the lead time was shorter.

    EDIT:  It's also worth mentioning that my system has Gen 3 ports, not Gen 2, so I've no idea how the ones in the Atom box will work, though I'd suspect they'd be fine.  I think they can still operate entirely at the BIOS level with power-on/off settings.


  • Netgate Administrator

    Usually the LAN-Bypass ports have several operating modes. They can be configured either in the bios or using jumpers on the board (or both). You can disable the bypass completely (using the jumpers) or control what triggers the bypass to come into effect (often in the bios setup). If you want to have the box fail into bypass mode if it loses power, that doesn't require any OS support, so you can always use that mode; however, most boxes that use LAN bypass will fail over if the OS crashes. In order to do this the LAN-bypass relays are triggered by one of the on-board watchdog timers; you can often set the time limit etc. The OS has to 'pat the watchdog', resetting the timer, every 30s or so, otherwise the box will fail over. This obviously does require some OS support. There's nothing to do this built into pfSense, but it's very basic stuff; Lanner gives some example code along with details of which registers on what devices need poking. You would have to write a simple program and arrange to have it run every 10 secs or so.

    http://www.lannerinc.com/applications/product-features/lan-bypass

    Steve



  • @jason0:

    Hello,

    I just received two netgate fw7541D's.  However, I had not read the fine print regarding the network bypass port, and these models do not have it.  When I talked to Jamie at Netgate, she told me it was because the bypass wasn't supported by pfsense.  However, she couldn't tell me what that meant.  I thought I would post the question here.

    What do they mean by "pfsense won't support it"?  Does this mean "pfsense can't turn this on or off", or "pfsense will not work/melt down/explode if it sees that part"?

    Here's my goal: if I can control the bypass in the bios (bypass w/o power, no bypass with power), does it really matter if pfsense knows anything about it?  If not, I will ship these back and order a set of model C's, AND I will let the netgate folks know.

    –jason

    The Netgate folks already know.

    We simply can't see a lot of reason for the bypass feature, so we've never ordered hardware with it (other than samples, and then we just turn it off.)

    Not even Chris Buechler can see a reason for LAN bypass in a pfSense application.


  • Netgate Administrator

    Yep, I have to agree with that. In most firewall applications it's better to have no traffic at all than completely unfiltered traffic.

    Steve



  • Hello,

    Not even Chris Buechler can see a reason for LAN bypass in a pfSense application.

    Hmm.  Well here's why I want this, perhaps you-all can shoot holes in my idea as needed…Please!

    My co-location company has provided me with two network uplinks.  They connect to two cisco routers using virtual router protocol (VRP).  However they will not switch from one to the other if my hardware fails: I specifically asked if it would.  Thus I have come up with a wiring diagram that would allow me to work with it, while using carp myself.

    Thus if you look at the drawing, I (would) have two firewalls defined using carp'ed, bridged interfaces.  With the bypass in place, if one firewall goes into bypass, the ethernet uplink will be passed onto the other firewall's wan bridge.

    What do you think?

    ![failover copy.png](/public/imported_attachments/1/failover copy.png)


  • Netgate Administrator

    There is no need to use lan-bypass in that scenario, simply connect both uplinks to both firewalls.

    In fact it's worse than that. Your scenario above does not allow for an upstream failure. Suppose uplink1 fails whilst fwa is the active box in the carp pair. The only way to fail over to uplink2 would be to switch the carp members or to power off fwb. Neither of those would normally happen.

    Course I could be wrong, this is outside what I usually do.

    Steve



  • Yeah, that's strange.  When I get two uplinks into a rack I typically just drop the uplinks into two separate switches and then run a link from each to each of my firewalls.



  • Hi,

    I will look deeper into it, but this design is in response to my colo provider telling me that if my end of the primary link goes down, their end will not automatically failover.  Thus, I need to be able to bring the link from the failed firewall into the good one so the upstream ip address will function correctly.

    My thought was to set up a script in cron that would check the uplink and/or ip state of the links and switch to the secondary as needed.  Being that I might need to configure a wan bridge with carp, I would need something like this anyway.  Hmm.  Having said this, let me write back to the colo provider: I learned a bit about VRRP, and some questions come to mind…

    --jason



  • These two links have the same IPs?  They've only given you a single gateway IP to enter into your devices?



  • Hello,

    Each link has a different ip address but in the same subnet.  They are using cisco's VRRP and there is a third address in that subnet.  I just submitted a question to them also to clarify some things/assumptions of mine…

    I should clarify: I have a 16-block of ip addresses for my use at the colo: three are taken up by VRRP by the provider (two router, and one floating gateway.)  I intend to use another three in a carp failover setup.

    --jason



  • You won't even need three with pfSense 2.2 (FreeBSD 10).

