    Lan bypass or no lan bypass

    Hardware
    ozlecz:

      Hi,

      Was just trying to figure out if this feature will defeat my real purpose of firewalling. I need 6 LAN ports all in all, but my budget fits a box which has

      4 LAN ports = 4 ports
      1 pair of LAN bypass = 2 ports
      total is 6 ports.

      What's so special about the LAN bypass... doesn't it defeat the very main purpose of firewalling?

      Thanks

      stephenw10 (Netgate Administrator):

        No lan-bypass.
        The last thing you want in a firewall is the LAN connected to the WAN. It can be disabled though, if that's the only box available to you. If you tried hard you might be able to come up with some scenario where you could use lan-bypass in pfSense, maybe between two LANs for example. Really clutching at straws though. ::)

        Steve

        ozlecz:

          If I got it right, you mean
          = a LAN bypass pair of a LAN and a WAN port is not good firewalling practice
          = a LAN bypass pair of LAN ports is the right application

          Thanks

          stephenw10 (Netgate Administrator):

            Yes, except that really there is no right application. If you have a choice, buy a board without lan-bypass. If your board has lan-bypass, then the best thing to do is disable it.

            Steve

            ozlecz:

              Thanks sir...

              jasonlitka:

                @stephenw10:

                Yes, except that really there is no right application. If you have choice buy a board without lan-bypass. If your board has lan-bypass then the best thing to do is disable it.

                Steve

                Well... There is a very specific use case for bypass ports on firewalls, but you should really try and not use it.

                <disclaimer>Do NOT do what I've written below. It's a bad idea in 99% of all cases and you probably won't get it configured correctly in the 1%. Do NOT blame me when you screw up your network or get unexpected results if you ignore this advice.</disclaimer>

                <badadvice>In the event that you do not have multiple public IPs (and therefore can't use CARP) but still want hardware redundancy in the event of a major hardware failure, you can add a bypass NIC to your primary machine where your WAN drop goes in one port, and a cable from the bypass port goes to the WAN port on the second box. The failover isn't instant like CARP (because unless you get OS support, the bypass will deactivate when the power is turned on, meaning that there is no bypass for reboots), but it's better than nothing. You'd use the same WAN IP on each box and use CARP on the LAN interfaces.</badadvice>

                I can break anything.

                stephenw10 (Netgate Administrator):

                  Interesting possibility. I guess you could also use that to provide some failover solution at a much lower level than the pfSense box, like any existing SOHO router for example. You might need to bypass the LAN too though. Much cheaper than a CARP setup. Much less capable also.
                  Thanks.

                  Steve
