There are many great devices that can be converted to run OpenWrt, including some that were originally designed for enterprise use. Many of those devices, however, have features that may stand in the way of OpenWrt operation. One of those features is bypasses.

First, what actually is a bypass? Speaking colloquially, a bypass is a device that allows a pair of ports to pretend that they don't exist; data coming into one port of the pair goes straight out of the other port with no changes. This can be helpful in some scenarios in the event of failure.

Currently, two generations of bypasses are used. Generation 2 (or Gen2) bypasses are controlled from the BIOS. Generation 3 (Gen3) bypasses are controlled by software running on the system.

We recently spent some quality time with Lanner NCA-1515 and NCA-1513 devices:

These are great high-performance desktop Gigabit boxes. They run on Intel Atom C3xxx processors with ECC memory (8-16 GB stock depending on the model and version, expandable to 32 GB on most versions and to 64 on some), m.2 SATA SSDs, and Intel network controllers. Some versions, however, contain Gen3 bypasses, which may be turned on by default. So our task is to devise a strategy to disable bypasses. Luckily, recent releases of OpenWrt have all the tools we need for that.

If we already have OpenWrt installed, we can install the necessary packages as add-ons:

opkg update && opkg install kmod-i2c-i801 kmod-i2c-smbus kmod-itco-wdt

If we do not, we can go to OpenWrt Firmware Selector and bake a custom firmware with those packages already included.

Next, we need to actually disable the bypasses. To do that, we need to edit the bootloader configuration file, /boot/grub/grub.cfg. Add one line (set nmi_watchdog=0) as shown below:

serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 --rtscts=off
terminal_input console serial; terminal_output console serial

set default="0"
set timeout="5"
set root='(hd0,msdos1)'
set nmi_watchdog=0        # <-- This is the added line

menuentry "OpenWrt" {
        linux /boot/vmlinuz root=[Remainder of the line redacted]
}
menuentry "OpenWrt (failsafe)" {
        linux /boot/vmlinuz failsafe=true root=[Remainder of the line redacted]
}

If we reboot now, the bypasses should be disabled. However, the changes we made to /boot/grub/grub.cfg may be lost at the next sysupgrade. To prevent that from happening, we need to add /boot/grub/grub.cfg to the list of files that are preserved during sysupgrades. That list is located in /etc/sysupgrade.conf. To add a file to it, simply put its full name and path (in our case, /boot/grub/grub.cfg) on a new line at the end of the file. Save the list, exit the editor, and reboot the device.