Messages - Nitish P

#1
Hi all,

I'm working on a custom OPNsense appliance that we got manufactured for a high-throughput site-to-site encryption setup, and I'm stuck trying to verify how the hardware bypass actually works.

Hardware details

Motherboard: Intel Xeon E3 platform

LAN ports: 8 × Intel I226-V (RJ-45)

SFP+ ports: 2 × Intel 82599ES (10 GbE)

Use case: VXLAN over IPsec (L2-over-L3 encryption)

Target throughput: ~5 Gbps+ with encryption

The manufacturer claims they have enabled hardware bypass — but only on the first two RJ-45 LAN ports, not on the SFP+ ports.
My goal is to have the SFP+ pair function as the inline data ports with fail-open behavior (i.e., if the appliance loses power, traffic should still pass unencrypted).

What I'm seeing

In BIOS, there's a "Bypass Enable" option.

When I enable bypass, the LEDs for the first two LAN ports (the "bypass ports") go completely dark — no link lights, no activity.

When I disable bypass, the ports come back to life and behave normally.

I tried testing by connecting:

Port 1 ↔ Port 1 between two identical appliances, and

Port 2 ↔ a laptop on each side.

I expected traffic to pass through when bypass was enabled, but I can't get any pings or link light activity.

So right now I'm unsure whether:

The board really has hardware bypass relays,

The BIOS "Bypass" toggle just disables the NICs in firmware, or

I'm testing it incorrectly.

What I need help with

How can I properly test whether these ports have a physical bypass relay or just a software setting?

Is there any way to check from OPNsense (e.g., sysctl, ifconfig, dmesg) whether the bypass mechanism is detected by the OS?

Has anyone managed to get SFP/SFP+ (Intel 82599ES) ports working with hardware bypass? Or is it truly limited to copper/RJ-45 interfaces only?

Any suggestions for external optical or PCIe-based bypass modules that work well with OPNsense?

Ultimately, I want the setup to behave as a transparent inline encryptor for VXLAN-over-IPsec — if OPNsense is up, it encrypts; if it's down, packets flow in clear through the bypass.

Any guidance, reference designs, or testing steps would be greatly appreciated.