Lan bypass or no lan bypass



  • Hi,

    Was just trying to figure out if this feature will defeat my real purpose of firewalling. I need 6 LAN ports all in all, but my budget fits a box which has

    4 LAN ports = 4 ports
    1 pair of LAN bypass = 2 ports
    total is 6 ports.

    What's so special about the LAN bypass… Doesn't it defeat the very main purpose of firewalling?

    Thanks


  • Netgate Administrator

    No LAN bypass.
    The last thing you want in a firewall is the LAN connected to the WAN. It can be disabled though, if that's the only box available to you. If you tried hard you might be able to come up with some scenario where you could use LAN bypass in pfSense, maybe between two LANs for example. Really clutching at straws though.  ::)

    Steve



    If I got it right, you mean
    = LAN bypass pair of LAN and WAN port is not a good firewalling practice
    = LAN bypass pair of LAN ports is the right application

    Thanks


  • Netgate Administrator

    Yes, except that really there is no right application. If you have the choice, buy a board without LAN bypass. If your board has LAN bypass then the best thing to do is disable it.

    Steve



    Thanks, sir…



  • @stephenw10:

    Yes, except that really there is no right application. If you have the choice, buy a board without LAN bypass. If your board has LAN bypass then the best thing to do is disable it.

    Steve

    Well… There is a very specific use case for bypass ports on firewalls, but you should really try not to use it.

    <disclaimer>Do NOT do what I've written below. It's a bad idea in 99% of all cases, and you probably won't get it configured correctly in the 1%. Do NOT blame me when you screw up your network or get unexpected results if you ignore this advice.</disclaimer>

    <badadvice>In the event that you do not have multiple public IPs (and therefore can't use CARP) but still want hardware redundancy in the event of a major hardware failure, you can add a bypass NIC to your primary machine where your WAN drop goes in one port, and a cable from the bypass port goes to the WAN port on the second box. The failover isn't instant like CARP (because unless you get OS support, the bypass will deactivate when the power is turned on, meaning that there is no bypass for reboots), but it's better than nothing. You'd use the same WAN IP on each box and use CARP on the LAN interfaces.</badadvice>


  • Netgate Administrator

    Interesting possibility. I guess you could also use that to provide some failover solution at a much lower level than the pfSense box, like any existing SOHO router for example. You might need to bypass the LAN too though. Much cheaper than a CARP setup. Much less capable also.
    Thanks.

    Steve