Bypass on custom OPNsense appliance (I226 + 82599ES) for VXLAN/IPsec setup

Started by Nitish P, November 11, 2025, 09:42:53 AM

Hi all,

I'm working on a custom OPNsense appliance that we got manufactured for a high-throughput site-to-site encryption setup, and I'm stuck trying to verify how the hardware bypass actually works.

Hardware details

Motherboard: Intel Xeon E3 platform

LAN ports: 8 × Intel I226-V (RJ-45)

SFP+ ports: 2 × Intel 82599ES (10 GbE)

Use case: VXLAN over IPsec (L2-over-L3 encryption)

Target throughput: ~5 Gbps+ with encryption

The manufacturer claims they have enabled hardware bypass — but only on the first two RJ-45 LAN ports, not on the SFP+ ports.
My goal is to have the SFP+ pair function as the inline data ports with fail-open behavior (i.e., if the appliance loses power, traffic should still pass unencrypted).

What I'm seeing

In BIOS, there's a "Bypass Enable" option.

When I enable bypass, the LEDs for the first two LAN ports (the "bypass ports") go completely dark — no link lights, no activity.

When I disable bypass, the ports come back to life and behave normally.

I tried testing by connecting:

Port 1 ↔ Port 1 between two identical appliances, and

Port 2 ↔ a laptop on each side.

I expected traffic to pass through when bypass was enabled, but I can't get any pings or link light activity.

So right now I'm unsure whether:

The board really has hardware bypass relays,

The BIOS "Bypass" toggle just disables the NICs in firmware, or

I'm testing it incorrectly.

What I need help with

How can I properly test whether these ports have a physical bypass relay or just a software setting?

Is there any way to check from OPNsense (e.g., sysctl, ifconfig, dmesg) whether the bypass mechanism is detected by the OS?

Has anyone managed to get SFP/SFP+ (Intel 82599ES) ports working with hardware bypass? Or is it truly limited to copper/RJ-45 interfaces only?

Any suggestions for external optical or PCIe-based bypass modules that work well with OPNsense?

Ultimately, I want the setup to behave as a transparent inline encryptor for VXLAN-over-IPsec — if OPNsense is up, it encrypts; if it's down, packets flow in clear through the bypass.

Any guidance, reference designs, or testing steps would be greatly appreciated.
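A fail-open check that runs from the laptops on either side of the bypass pair rather than from the appliance, as an added example that is not part of the original post: it logs a timestamped ping every second while you cut power to the appliance with bypass enabled, then reports the longest reachability gap and whether traffic came back. The far-side address is a placeholder; the script assumes both laptops share one L2 segment through the bypass ports and that `ping` accepts `-c`/`-W` (iputils-style).

```shell
#!/bin/sh
# Fail-open test for an inline bypass pair, run on a host on one side of the
# appliance against a host on the other side (added example, not from the post).
# Assumptions: PEER is the far-side host (placeholder address), both hosts sit
# on one L2 segment through the bypass ports, and ping accepts -c/-W (iputils).

PEER="${PEER:-192.0.2.20}"      # placeholder: far-side laptop
INTERVAL="${INTERVAL:-1}"       # seconds between probes

# Probe the peer COUNT times, appending "<epoch> ok|fail" lines to LOG.
# Start it, then cut power to the appliance with bypass enabled.
probe_loop() {
  log="$1"; count="$2"; i=0
  while [ "$i" -lt "$count" ]; do
    if ping -c 1 -W 1 "$PEER" >/dev/null 2>&1; then state=ok; else state=fail; fi
    printf '%s %s\n' "$(date +%s)" "$state" >> "$log"
    i=$((i + 1)); sleep "$INTERVAL"
  done
}

# Longest run of consecutive failures in LOG, in seconds (0 if none).
longest_outage() {
  awk 'BEGIN { max = 0; start = "" }
       $2 == "fail" { if (start == "") start = $1; next }
       $2 == "ok"   { if (start != "") { if ($1 - start > max) max = $1 - start; start = "" } }
       END { if (start != "" && $1 - start > max) max = $1 - start; print max }' "$1"
}

# Whether the last probe in LOG succeeded.
recovered() { [ "$(tail -n 1 "$1" | awk '{print $2}')" = "ok" ]; }

# Interpret LOG: "fail-open" if traffic never stopped or resumed after a short
# relay switchover, "fail-closed" if it never came back.
verdict() {
  log="$1"; gap="$(longest_outage "$log")"
  if ! recovered "$log"; then
    printf 'fail-closed: no reachability at end of test (gap %ss)\n' "$gap"
  elif [ "$gap" -eq 0 ]; then
    printf 'fail-open: no probe lost\n'
  else
    printf 'fail-open: longest gap %ss (relay switchover or reboot window)\n' "$gap"
  fi
}

# Usage: probe_loop /tmp/bypass.log 120   (cut power during the run)
#        verdict /tmp/bypass.log
```

Run it once with bypass enabled and the appliance powered off, and once with bypass disabled; if both runs end fail-closed, the BIOS toggle is not putting a relay between the two ports.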