
I am looking at using a computer with a dual-NIC card (one with two NIC ports) as an in-line traffic shaper / URL filter / traffic analyzer, etc. (probably using pfSense), but I am concerned that if this computer for whatever reason goes down, no traffic can pass.

Is there anything that can be done to let traffic pass freely between the two NIC ports in the event of a power loss or machine crash?

Laban
  • Not that I'm aware of. You're describing a fail-open active network tap, which means that when the machine is powered off network traffic flow ceases. What you need is a fail-closed network tap (whether active or passive). – joeqwerty Nov 14 '12 at 20:57
  • There are dual-port network adapters you can buy that will bridge by default when an OS is not doing something else. It won't help if there is a power outage or hardware failure though. – Zoredache Nov 15 '12 at 00:39

2 Answers

The best way to set this up is to set up pfSense in a cluster. There is a good guide on the pfSense website: Configuring pfSense Hardware Redundancy (CARP).

Sc0rian
  • That setup makes sense, but for many of the smaller offices where I intend to deploy this, there are space issues with having two computers. Any way to accomplish my goal without two machines? – Laban Nov 14 '12 at 22:15
  • Not that I know of. I cannot think of another way to mirror traffic shaping, URL filtering etc. without another pfSense box. It doesn't have to be a big pfSense box; you can use a fanless Intel Atom board. I just set up my home connection on an [Intel D2500CC board](http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-d2500cc.html). Awesome piece of kit :). – Sc0rian Nov 14 '12 at 22:27
  • @Laban Unfortunately if you want redundancy you need redundant equipment - that means two machines (or one machine, no redundancy, and your clients accept the risk and downtime) – voretaq7 Nov 14 '12 at 22:39
  • How about using a dual-port bypass NIC (with a heartbeat for non-power loss issues, such as a hung or crashed pfSense process)? In other words, in case pfSense no longer passes traffic, the NIC goes into pass-all-traffic mode between the two ports. – Laban Nov 14 '12 at 22:42
  • @Laban That might be viable if you can find a supported NIC, and if you're not doing NAT in the firewall (a bypass NIC wouldn't do the address translations, so your inside systems would still lose access if they need NAT) – voretaq7 Nov 14 '12 at 22:48
  • Where can I find what NICs are supported? Would this one work for this (quad, but that does not hurt): www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-qp.html – Laban Nov 14 '12 at 23:02
  • The only NIC that I know of that will do this is the [PEG2BPi6](http://www.silicom-usa.com/Networking_Bypass_Adapters/PEG2BPi6-Dual_Port_Copper_Gigabit_Ethernet_PCI_Express_Bypass_Server_Adapter_Intel_based_58), and it's a $350 adapter. – David Schwartz Nov 15 '12 at 00:55
  • @David: Maybe worth it. Is there any data on how the bypass abilities of this adapter integrates with pfSense (e.g. how does the NIC know that pfSense is no longer passing traffic, so that the NIC can go into bypass mode)? – Laban Nov 15 '12 at 01:28
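To make the CARP answer above concrete, here is a small Python model of CARP master election, added as an illustration and not taken from the thread or from pfSense itself. It assumes the standard CARP timing (advertisements every advbase + advskew/256 seconds, a backup promoting itself after three missed advertisements) and the skew values a two-box pfSense setup typically uses (0 on the primary, 100 on the secondary); the node names and the `simulate` helper are my own.

```python
from dataclasses import dataclass


@dataclass
class CarpNode:
    """One firewall in a CARP group. Lower advskew wins the election."""
    name: str
    advskew: int              # 0..254; assumed values: 0 primary, 100 secondary
    advbase: int = 1          # base seconds between master advertisements
    state: str = "BACKUP"     # every node boots as BACKUP
    alive: bool = True
    last_adv_heard: float = 0.0
    next_adv_due: float = 0.0

    def interval(self) -> float:
        # CARP advertisement interval: advbase + advskew/256 seconds
        return self.advbase + self.advskew / 256.0


def pfsense_pair():
    # Constructed two-node cluster: primary preferred, secondary standby.
    return [CarpNode("primary", advskew=0), CarpNode("secondary", advskew=100)]


def simulate(nodes, duration, outages, step=1 / 256):
    """Tick a shared clock; return [(t, node, new_state)] transitions.
    outages maps a node name to the time its box dies (power loss or crash)."""
    transitions = []
    for i in range(int(duration / step) + 1):
        t = i * step
        # 1. A box that dies stops advertising; a dead MASTER leaves the VIP unowned.
        for n in nodes:
            if n.alive and t >= outages.get(n.name, float("inf")):
                n.alive = False
                if n.state == "MASTER":
                    n.state = "DOWN"
                    transitions.append((round(t, 3), n.name, "DOWN"))
        # 2. The master advertises on its schedule; every live node hears it.
        heard = []
        for n in nodes:
            if n.alive and n.state == "MASTER" and t >= n.next_adv_due:
                heard.append(n.advskew)
                n.next_adv_due = t + n.interval()
        for n in nodes:
            if heard and n.alive:
                n.last_adv_heard = t
                # Preemption: a master that hears a better (lower-skew) master steps down.
                if n.state == "MASTER" and min(heard) < n.advskew:
                    n.state = "BACKUP"
                    transitions.append((round(t, 3), n.name, "BACKUP"))
        # 3. A backup that misses three advertisements promotes itself.
        for n in nodes:
            if n.alive and n.state == "BACKUP" and t - n.last_adv_heard >= 3 * n.interval():
                n.state, n.next_adv_due = "MASTER", t
                transitions.append((round(t, 3), n.name, "MASTER"))
    return transitions


if __name__ == "__main__":
    for event in simulate(pfsense_pair(), duration=20, outages={"primary": 10.0}):
        print(event)
```

Running it shows the primary claiming the VIP 3 s after boot and the secondary taking over about 4.2 s (3 × (1 + 100/256) s) after the primary's last advertisement; run the same simulation with a single node and nothing ever takes over, which is exactly the single-box exposure the question describes.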

You can with hardware that supports bypass mode in its NICs. That's uncommon in general, but many appliance platforms focused on firewall/other network security roles (from Lanner and others) support bypass. There may be some PCI/PCI-X/PCI-e NICs you can buy that offer the same capability. Can't say I've heard of any offhand, but I've never looked. That's strictly dependent on the hardware and doesn't have any relation to the software. It's controlled in the BIOS setup in all the systems I've seen that have it.

Chris Buechler
  • I believe there must be some connection to the software as well (via heartbeat or similar), since the bypass should kick in if the routing processes (or whatever) hangs -- not only on power loss. But it sounds more and more like this is too uncharted a territory with pfSense and I should probably go back to the drawing board and look for another approach... – Laban Nov 15 '12 at 07:11
  • In general, bypass mode fallback for firewalls is always the wrong answer. HA firewalls w/pfSense is the best option. – Chris Buechler Nov 17 '12 at 16:56