IMPORTANT: Configuration of the Fail-Open Kit requires that you've already set up the WG with bridged network interfaces in transparent bridge mode. This prerequisite is needed for the following steps. You can find information about configuration of the transparent bridge in the product guide. See the "Related Information" section for more information.
Configuring the Fail-Open unit:
- Connect to the Fail-Open 2000 unit using the serial console to set the operational parameters.
All configuration of the unit occurs over the serial console, and it's the serial port's only purpose on the Fail-Open unit. To connect to the console, you must use a laptop or other computer that has a serial connection and a terminal emulator installed, such as PuTTY. The Fail-Open 2000 unit uses a standard DB-9 type serial connection. The serial console settings that you need are as follows:
9600 Baud
8 Data Bits
No Parity
1 stop bit
- To view the options menu, press ? and then press Enter:
?
a = Input Timeouts
b = Input Port Speed, Duplex, LFD
c = Input Heartbeat Packet
d = Display Configuration
e = Display Heartbeat Packet
f = Print revision number
z = Reset to Factory Defaults
This list shows all available options.
- To show the current configuration and status, press the D key:
auto neg ON
1000 Mbs ON
100 Mbs ON
10 Mbs ON
Duplex ON
LFD ON
Bypass Detect ON
Time Out Period 1
Retry Count 3
Not in Bypass Mode
We do not recommend changing the autonegotiation settings on the Fail-Open unit or on the interfaces of the devices it connects to. Leave the Fail-Open unit and the ports it connects to set to autonegotiate. If the Fail-Open unit detects normal WG operation, it shows Not in Bypass Mode. If the Fail-Open unit shows that it's in Bypass Mode, WG is being bypassed and the traffic is passing unfiltered. To verify, browse to sites that are blocked in your WG configuration. Because no WG is connected at this point, it's normal if your unit shows that it's in Bypass Mode. Don't be alarmed.
- Set the Time Out Period and Retry Count values by entering the "a" command. Testing has found that good settings are as follows:
Time Out Period 10
Retry Count 1
The Retry Count is the interval at which heartbeat packets are sent; with the value of 1 above, one heartbeat packet is sent each second. The Time Out Period is the amount of time that the Fail-Open unit must go without successfully receiving a heartbeat packet before it considers WG unresponsive and fails open.
Typically, no other settings need to be changed, and we don't recommend modifying any values other than the timeouts. If needed, you can reset the factory defaults with the "z" command and then enter the timeout values again as indicated above.
Interface layout:
Now that the Fail-Open unit is configured, you can connect the network interfaces. We recommend leaving the serial connection running for troubleshooting, although it's not needed for operation. You can disconnect it after you've verified proper function.
When WG is configured as a transparent bridge, you normally bridge the first two interfaces, eth0 and eth1. These steps assume this configuration.
- Connect a network cable from Port C on the Fail-Open 2000 unit to WG's eth0 interface.
- Connect a network cable from Port D on the Fail-Open 2000 unit to WG's eth1 interface.
- Connect the network cable from the client network to Port A on the Fail-Open 2000 unit. This cable would have been connected to eth0 in a regular transparent bridge with no Fail-Open unit.
- Connect a cable to the Fail-Open Port B and then the device leading to the internet gateway (typically a switch or edge firewall).
During normal operation, traffic flows into Fail-Open's Port A, and out through Port C to the WG's eth0 interface. The traffic passes over WG's bridged interface, out through eth1, and back into the Fail-Open on Port D. The connection to the internet occurs through Port D.
Troubleshooting:
Heartbeat packets travel out through Port C, through the WG, and back in on Port D. This route makes it easy to test a failure by unplugging the connection at Port C. You see the status in the serial console: the "D" command output shows that the device enters Bypass Mode. You can then reconnect the cable to resume normal operation (in about 30 seconds). For more troubleshooting and product information, see the Fail-Open Product Guide attached to this article. All references to the web interface refer to the EWS product and do not apply when using the Fail-Open Kit with WG. With WG, you must configure the device using a direct serial connection and a terminal emulator.
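Because a unit sitting in Bypass Mode means WG is no longer filtering traffic, the "D" check above is worth automating. The following script is an added example, not part of this article or the Fail-Open product: it parses the "d" command output into a status dictionary and flags Bypass Mode or timeouts that differ from the recommended values. The serial device path, the use of pyserial, and the assumption that the unit prints its status after "d" plus a carriage return are assumptions; the status text is a constructed sample based on the output shown above.

```python
import sys
# Constructed sample of the 'd' output, with the recommended timeouts applied.
SAMPLE_STATUS = """auto neg ON
1000 Mbs ON
100 Mbs ON
10 Mbs ON
Duplex ON
LFD ON
Bypass Detect ON
Time Out Period 10
Retry Count 1
Not in Bypass Mode
"""

def parse_status(text):
    """Turn the 'd' command output into a dict: ON/OFF flags -> bool, timers -> int."""
    status = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.rpartition(" ")
        if val in ("ON", "OFF"):
            status[key] = (val == "ON")
        elif key in ("Time Out Period", "Retry Count"):
            status[key] = int(val)
        elif "Bypass Mode" in line:
            # "Not in Bypass Mode" is healthy; anything else means WG is bypassed.
            status["bypass"] = not line.startswith("Not in")
    return status

def check_status(status):
    """Return a list of findings; an empty list means the unit is healthy."""
    findings = []
    if status.get("bypass"):
        findings.append("Bypass Mode active: WG is bypassed and traffic is passing unfiltered")
    if not status.get("auto neg", True):
        findings.append("autonegotiation is OFF; the article recommends leaving it ON")
    if status.get("Time Out Period") != 10 or status.get("Retry Count") != 1:
        findings.append("timeouts differ from the recommended Time Out Period 10 / Retry Count 1")
    return findings

def read_status(port):
    """Send 'd' to the console and return the raw reply (needs pyserial; port is an assumption)."""
    import serial  # third-party package; only needed on the monitoring host
    with serial.Serial(port, 9600, bytesize=8, parity="N", stopbits=1, timeout=2) as console:
        console.write(b"d\r")  # assumption: the unit prints its status after a carriage return
        return console.read(2048).decode("ascii", errors="replace")

if __name__ == "__main__":
    raw = read_status(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS
    for finding in check_status(parse_status(raw)):
        print("ALERT:", finding)
```

Run it with the serial device as the only argument (for example /dev/ttyUSB0) from a cron job or monitoring agent; with no argument it checks the embedded sample.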