OPNsense Forum

English Forums => 25.7 Series => Topic started by: dionhoustonsr on September 08, 2025, 09:05:53 PM

Title: EAP670 strangeness with OPNsense
Post by: dionhoustonsr on September 08, 2025, 09:05:53 PM
Good morning everyone,

Current Environment

Glovary N150 firewall with 32 GB of RAM, 4x 2.5GbE ports (igc0-igc3) running OPNsense 25.7.2-amd64
TP-Link EAP670

Current network configuration

WAN on igc0 (XFinity - DHCP)
EAP670 on igc3 (192.168.150.1/24)
ASUS RT-AX88U and a TrueNAS server on igc1 and igc2 respectively (bridged - 192.168.140.2/24 and .10)

I am in the process of future-proofing my home networking by retiring a consumer grade RT-AX88U in favor of a Glovary N150 firewall appliance to handle the networking piece, and an EAP670 to handle the wireless component. The idea is to keep the Glovary in place, but to update the AP as wireless standards evolve. The bulk of my devices are wireless, including a Tablo TV device and smart home devices, but some services are provided from a TrueNAS box as well (besides file services, JellyFin, NextCloud, etc.)

Ideally, I would like everything on the same subnet (192.168.150.0/24), but I'm running into challenges that I'm not sure if they are user issues (I'm a hobbyist), configuration issues, or hardware, although I'm leaning on hardware.

Originally, I set up the router (Glovary) as near as I could tell like the RT-AX88U. The three LAN ethernet ports (igc1-igc3) I put into a bridge and assigned it to 192.168.150.1/24. That "worked" in a sense, in that every device had access to the internet - it was LAN services that were a problem. In particular, with the EAP670 inside the bridge, it seemed like the access point itself was in the bridge, but the wireless clients were not. That is, devices on the AP could not see the TrueNAS (ethernet connected), and devices outside the AP could not see e.g. the Tablo device.

Naturally, I checked firewall settings, bridge settings, etc.  I tried a VLAN as well.  That exhibited similar behavior.  I assigned an IP to igc2 (the TrueNAS), no IP but same VLAN for the igc3 (the EAP670), and DHCP did not go through to the access point or clients, as if igc2 and igc3 were isolated from each other, even though they're in the same VLAN. 

I ended up getting everything talking to each other by putting the TrueNAS (and my old router) into a subnet themselves (by bridging igc1 and igc2) and routing between the wireless clients, and the TrueNAS.  This works, but ideally, I'd like everything on one subnet though, and to understand better what is going on. Is some kind of isolation happening? Can it be undone? User issue?

I did search the forums here, and noted a thread on this device, where it was not recommended primarily for IPv6 (which isn't a big concern for me). I was going to respond there, but since the thread is older, the recommendation was to make a new one.

Thanks in advance for your help!
Title: Re: EAP670 strangeness with OPNsense
Post by: psharkauburn on September 10, 2025, 12:30:33 AM
I'm definitely a noob here too, so take my info in stride. What I'm hearing is you want a single subnet for simplicity. So you'd be looking for igc0 to be the WAN network, and igc1 + igc2 + igc3 to be members of a bridge (bridge0), and that bridge0 be assigned to the LAN interface. You'd give that bridge an IP like 192.168.150.1/24. You'd have DHCP running against the LAN interface, serving out a range like 192.168.150.50 - 192.168.150.200 (or however many you want); and that leaves you plenty of IPs outside the DHCP range for servers or static-y devices.

Your existing ASUS router and the TP-Link would need to be running in just AP mode (both of them), serving as access points. You could give them static IPs like 192.168.150.2 + 192.168.150.3 (what I'd do) or let them pull from DHCP. You don't want them offering services like DNS or DHCP; that's the OPNsense router's job, since you really just want one network. With just one subnet/network, routing doesn't really come into play (except to the outside world), and everything is in the same L2 broadcast domain: everything is going to see each other at the layer 2 level, and being in the same network, packets don't have to be routed.

Your original description mentioned multiple networks 192.168.140.X/24 + 192.168.150.X/24 which naturally makes things isolated unless you setup routing between those 2 separate networks (and that's regardless of bringing VLANs into the picture). It sounded like you put ports of both networks (igc2 + igc3) into the same VLAN which doesn't make them automatically talk to each other - different IP networks (layer 3) means they need layer 3 routing to communicate and routes setup between them. OPNsense is obviously a router, but you'd need to be setting up firewall rules allowing inter-vlan / or interface-interface communication if you have a different network on each physical interface.
Title: Re: EAP670 strangeness with OPNsense
Post by: dionhoustonsr on September 10, 2025, 03:38:45 AM
Thank you very much for your reply!  You are clearly more knowledgeable on these things than I am.  For the VLAN stuff in particular, I depended on AI for the setup, so perhaps no surprise it didn't work.

I added some extraneous details, so I apologize for that. My goal is simply to have one subnet, 192.168.150.0/24, where my wireless clients are able to access wired and VPN (WireGuard) services. The only way -I- know to make igc1-igc3 act as one subnet is to bridge them. Bridging the EAP670, however, isolates the wireless clients. They can be routed out to the internet, but cannot access internal resources.

I'm pretty sure it's not a firewall issue.  Internal LAN rules are quite permissive. To be honest, I'm not even sure how you could separate the wireless clients specifically - they are on the same subnet, after all.  However, I am willing to try anything :)

For information only - not terribly relevant to the problem - my old router I currently have connected simply to ensure a smooth transition to the new one.  I am considering essentially turning it into a switch.
Title: Re: EAP670 strangeness with OPNsense
Post by: dionhoustonsr on September 10, 2025, 09:13:08 AM
Well... Short answer - everything works. :). All my devices are now on 192.168.150.0/24 bridging igc1-igc3. 

In case anyone else comes up on this problem, in my case, the issue was that I needed to explicitly allow traffic on each interface in the bridge.  I just created an "in" rule for ipv4 and ipv6 that allowed traffic from anywhere.

Thanks @psharkauburn for getting me to re-look things!
Title: Re: EAP670 strangeness with OPNsense
Post by: Patrick M. Hausen on September 10, 2025, 09:26:53 AM
Quote from: dionhoustonsr on September 10, 2025, 09:13:08 AM:
> In case anyone else comes up on this problem, in my case, the issue was that I needed to explicitly allow traffic on each interface in the bridge.  I just created an "in" rule for ipv4 and ipv6 that allowed traffic from anywhere.

That looks suspiciously like you did not apply the mandatory tunables from step #6 of the docs.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html
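The bridge setup psharkauburn describes and the tunables Patrick points to fit together like this: the LAN-bridge how-to has you set net.link.bridge.pfil_member = 0 and net.link.bridge.pfil_bridge = 1 so that pf filters traffic once, on bridge0, rather than separately on each member port (igc1, igc2, igc3). If pfil_member stays at 1, each member port is filtered on its own, and rules written only against the bridge interface do not cover it, which is exactly the "I had to add an allow-any rule on every member" symptom from the thread. The POSIX sh script below is an added example (not from the thread, the docs, or the OPNsense project) that parses the output of `sysctl net.link.bridge` and reports whether both tunables match the how-to. The two sample outputs are constructed to show a failing and a passing box and make no claim about what any OPNsense or FreeBSD release uses as defaults.

```shell
#!/bin/sh
# Added example: verify the bridge filtering tunables from the OPNsense
# LAN-bridge how-to (docs.opnsense.org/manual/how-tos/lan_bridge.html):
#   net.link.bridge.pfil_member = 0  -> do not filter on igc1/igc2/igc3
#   net.link.bridge.pfil_bridge = 1  -> filter once, on bridge0
# With pfil_member=1 every member port is filtered individually, so rules on
# the bridge interface alone leave member traffic (e.g. the AP port) blocked.

# tunable_value NAME: print the value for NAME from "name: value" lines on stdin.
tunable_value() {
    awk -v key="$1" -F': *' '$1 == key { print $2; exit }'
}

# check_bridge_tunables SYSCTL_OUTPUT
# Prints OK/WRONG per tunable; returns 0 only when both match the how-to.
check_bridge_tunables() {
    member=$(printf '%s\n' "$1" | tunable_value net.link.bridge.pfil_member)
    bridge=$(printf '%s\n' "$1" | tunable_value net.link.bridge.pfil_bridge)
    rc=0
    if [ "$member" = "0" ]; then
        echo "net.link.bridge.pfil_member=$member OK"
    else
        echo "net.link.bridge.pfil_member=${member:-unset} WRONG (expected 0: members are filtered one by one, bridge rules do not cover them)"
        rc=1
    fi
    if [ "$bridge" = "1" ]; then
        echo "net.link.bridge.pfil_bridge=$bridge OK"
    else
        echo "net.link.bridge.pfil_bridge=${bridge:-unset} WRONG (expected 1: nothing is filtered on bridge0)"
        rc=1
    fi
    return $rc
}

# Constructed sample (not captured from a real box): tunables not applied.
SAMPLE_UNSET='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'

# Constructed sample: the values the how-to asks for.
SAMPLE_FIXED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'

# On a real OPNsense box, run instead:
#   check_bridge_tunables "$(sysctl net.link.bridge)"
check_bridge_tunables "$SAMPLE_UNSET" \
    || echo "-> set both under System > Settings > Tunables and reboot"
check_bridge_tunables "$SAMPLE_FIXED"
```

Run it from the OPNsense shell (option 8 in the console menu) with the live `sysctl` output; if it reports WRONG, the per-member allow-any rules are working around a misconfiguration rather than fixing it, and once the tunables are applied those rules can be removed so the LAN rule set on bridge0 is the only one that matters.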
Title: Re: EAP670 strangeness with OPNsense
Post by: psharkauburn on September 10, 2025, 05:22:53 PM
Good deal! You mentioned client isolation a couple of times, just a ping that this is a setting on the wireless APs at the SSID level. If you enable it, those wireless clients will not be able to see each other or anything else inside your network except the OPNsense as the default gateway. Even with everything in the same network, those wireless clients become blind to everything (normally). This would be HEAVILY recommended to enable for something like a Guest WiFi network.

Its funny, the guide Patrick posted kinda opens up with 'bridging the lan devices is kind of a pain, it's easier if you just buy a switch for downstream' which is spot on. I think you get errors like 'can't add a device to itself' or 'device is already part of the interface' when you're configuring from the LAN interface and need to add that port to the bridge, to takeover the LAN interface. Feels like trying to call customer support about phone issues, on the phone having the issues... and step one from them is reboot the phone, and you never hear step 2 because you followed step 1.

When I was messing with my OPNsense router (with it sitting behind another router) I found it easier to fiddle by disabling the packet filter (firewall) with 'pfctl -d' from the OPNsense shell, and then come into the OPNsense web GUI from the WAN side (just another computer on the home network) so that mucking around with LAN interfaces doesn't cut the cord you're calling from.
Title: Re: EAP670 strangeness with OPNsense
Post by: dionhoustonsr on September 11, 2025, 12:48:22 AM
Yeah, I hear you. I've done the shuffling things in and out of bridges, switching to my old router to make changes, and other fun things. Today I worked on IPv6, and I found out it wasn't broadcasting because I didn't set link local on my bridge. Anyway, I've got everything stable now, so I'm happy.

OPNsense is every way a massive step up from ASUSWRT but some things about it are not terribly intuitive. I imagine everyone new goes through this cycle, though.  Enjoy!