Backhaul Bypass

Set up backhaul bypass to allow any v3.0 or later Airwall Gateway to reach bypass destinations by tunneling traffic using designated bypass egress Airwall Gateways.

Supported Roles
  • System Administrators
  • Network Administrators with the “Can view and edit bypass destinations” permission
Supported Versions
Airwall Gateways and Conductor v3.0 and later. The Airwall Gateways for both ends of the backhaul bypass and your Conductor must all be on v3.0.
Supported Airwall Gateways
All v3.0 and later Airwall Gateways

Only the bypass egress gateways need to enable bypass on an underlay port group and ensure the bypass destination is reachable from this port group.

You can designate any bypass-enabled v3.0 or later Airwall Gateway as a bypass egress Airwall Gateway, and then can assigned it to other Airwall Gateways to use when tunneling bypass traffic. You can also assign a default backhaul Airwall Gateway to use if you have not designated a specific one.

The Conductor determines the bypass gateway to use in this order:

  1. Use a local bypass if the Airwall Gateway has a local bypass-enabled port group.
  2. Use an assigned bypass Airwall Gateway, if set.
  3. Use the Conductor default gateway, if set. The default is used for all v3.0 Airwall Gateways without a local bypass port and with trust set up to the bypass destination on an overlay.
Note:
  • Backhaul bypass can be used for any bypass destination including destinations using hostnames.
  • Backhaul bypass can use relays just like normal overlay traffic. There is no special configuration needed on the Airwall Relay.
  • You can set up backhaul Airwall Gateways with multiple bypass-enabled underlay port groups and use link manager to fail over between them.
  • If you have both local bypass and a backhaul bypass set for an Airwall Gateway, it uses the local bypass for egress.

Requirements and Considerations

  • You must configure at least one underlay port group with bypass enabled on all backhaul bypass Airwall Gateways.
  • As a best practice, enable source NAT (SNAT) and routed-only mode on the bypass port group.
  • When using hostname bypass destinations, you must meet these requirements:
    • The DNS server used by the overlay device must be on the Conductor-configured allow-list for bypass DNS.
    • The traffic path to resolve hosts must follow the same path on the overlay as the traffic to the actual bypass destination. This means that the DNS server must itself be a bypass destination and the overlay devices using it must have policy to it.

Set up Backhaul Bypass

  1. Set up one or more Airwall Gateways with Seamless bypass, including creating bypass destinations, creating an overlay with devices and the bypass destination, and adding trust. For details, see Seamless Bypass.
    Note: Bypass destinations are not assigned to individual Airwall Gateways. Any bypass gateway can bypass to any bypass destination, assuming underlay routing and trust is set up.
  2. Configure any Seamless bypass Airwall Gateways to be used as bypass Airwall Gateways.
  3. (Optional) Set up a bypass Airwall Gateway to be the default for your Airwall secure network. The default is used for all v3.0 Airwall Gateways that do not have a local bypass set up and do have trust set up to the bypass destination on an overlay. (See the Add trust step that follows)
  4. Set up other v3.0 Airwall Gateways to use a bypass Airwall Gateways, selecting a specific one to use, or allowing it to use the default. Note that you can assign a bypass gateway using Bulk Configuration of Airwall Edge Services.
    Note: If you didn’t set a default in Conductor Settings, you need to select one to use.
  5. Add trust between devices and the bypass destination. For details, see Add and remove device trust.
  6. (Optional) Set up allowed DNS servers to enable hostname bypass destination. This step should already be done when you set up Seamless Bypass. (For instructions, see Enable DNS lookup for bypass destinations.)
See the following sections for details on steps 2 through 4.

Configure an Airwall Gateway as a Bypass gateway

Configuring an Airwall Gateway as a bypass gateway allows other Airwall Gateways to use it to access bypass destinations.

  1. Go to Airwalls and open an Airwall Gateway.
  2. Go to the Ports tab and select Edit Settings.
  3. Open any Underlay port group, and check Enable bypass.
    Note: Using routed-only mode and source-NAT is recommended but not required.

    Enable backhaul bypass on an Airwall Ports page Underlay

  4. Go to the Airwall gateway tab and select Edit Settings.
  5. Under Advanced settings, check Allow Airwall to act as a bypass gateway, and select Update Settings.

    Check "Allow Airwall to act as a bypass gateway"

Note: If you want to use FQDNs for your DNS servers, check that the DNS resolver has access through the same tunnel as backhaul bypass. For example, backhaul to your corporate office and use the DNS resolver there. This access allows the egress gateway to learn the DNS FQDNs. Also, note that some common DNS over HTTPs (DoH) or DNS over TLS (DoT) settings (for example, on Google Chrome) can prevent hostname based policies from working.

(Optional) Select a default Bypass Airwall Gateway

Select a default Bypass Airwall Gateway for other Airwall Gateways to use so you don’t need to specify it for each Airwall Gateway.

Note: The default is used for all v3.0 Airwall Gateways without a local bypass port and with trust set up to the bypass destination on an overlay.
  1. In the Conductor, go to Settings > Advanced > Bypass Settings and select Edit Settings.
  2. Under Default bypass egress gateway, select the bypass Airwall Gateway you want to use as the default for your Airwall secure network:

    Set the default Bypass egress gateway in Conductor Settings
  3. Select Update.
All v3.0 Airwall Edge Services now will automatically use the default as needed, unless you've set them to use a specific one.

Select a Specific Bypass Airwall Gateway

Once you've got a bypass Airwall Gateway set up, you can set up other Airwall Gateways to use it for bypass.

If you set up a bypass Airwall Gateway and set it as the default in the Conductor (see (Optional) Select a default Bypass Airwall Gateway), all v3.0 Airwall Gateways automatically use the default as needed. If you want an Airwall Gateway to use a specific one instead of the default, or if you have not selected a default, here's how.

  1. Go to Airwalls and open an Airwall Gateway that you want to use a bypass Airwall Gateway.
  2. Set a bypass gateway to use:
    1. Go to the Airwall gateway tab and select Edit Settings.
    2. Under Advanced settings, next to Use bypass gateway, select a specific bypass Airwall Gateway to use.

      Selecting a default bypass egress gateway in Conductor Settings

    3. Select Update.
    Note: You can also set this option in bulk. See Bulk Configuration of Airwall Edge Services, and choose the Bypass gateway option:

    Bulk configuration options showing Bypass gateway selected

  3. In an Overlay, add trust from this Airwall Gateway's local devices to the bypass destination.