Lan bypass or no lan bypass

ozlecz

Hi,

Was just trying to figure out if this feature will defeat my real purpose of firewalling. i need 6lan ports all in all but my budget fits on a box which have

4 lan ports=4ports
1 pair of lan bypass=2ports
total is 6 ports.

whats so special about the lan bypass…doest it defeats the very main purpose of firewalling?

thanks

stephenw10

No lan-bypass.
The last thing you want in a firewall is the lan connected to the wan. It can be disabled though if that's the only box available to you. If you tried hard you might be able to come up with some scenario where you could use lan-bypass in pfSense, maybe between two lans for example. Really clutching at straws though.  ::)

Steve

ozlecz

if i got it right, you mean
= lan bypass pair of  lan and wan port is not a good firewalling practice
= lan bypass pair of lan ports is the right aplication

thanks

stephenw10

Yes, except that really there is no right application. If you have choice buy a board without lan-bypass. If your board has lan-bypass then the best thing to do is disable it.

Steve

ozlecz

thanks sir…..

jasonlitka

@stephenw10:

Yes, except that really there is no right application. If you have choice buy a board without lan-bypass. If your board has lan-bypass then the best thing to do is disable it.

Steve

Well…  There is a very specific use case for bypass ports on firewalls, but you should really try and not use it.

<disclaimer>Do NOT do what I've written below.  It's a bad idea in 99% of all cases and you probably won't get it configured correctly in the 1%.  Do NOT blame me when you screw up your network or get unexpected results if you ignore this advice.</disclaimer>

<badadvice>In the event that you do not have multiple public IPs (and therefore can't use CARP) but still want hardware redundancy in the event of a major hardware failure, you can add a Bypass NIC to your primary machine where your WAN drop goes in one port, and a cable from the bypass port goes to the WAN port on the second box.  The failover isn't instant like CARP (because unless you get OS support, the bypass will deactivate when the power is turned on, meaning that there is no bypass for reboots) but it's better than nothing.  You'd use the same WAN IP on each box and use CARP on the LAN interfaces.</badadvice>

stephenw10

Interesting possibility. I guess you could also use that to provide some failover solution at a much lower level than the pfSense box like any existing SOHO router for example. You might need to by-pass the LAN too though. Much cheaper than a CARP setup. Much less capable also.
Thanks.

Steve