TLDR; Along with many others I struggled with the old documentation at https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
EDIT: added note about extracting ISO from the download
EDIT2: fixed typo in gateway name
This is a repeatable simple build for a new OPNsense 25.7 layer 2 firewall.
What: A filtered transparent bridge (layer 2 firewall) is used to segment a network, isolating one or more hosts on a subnet
Why: Useful for observing traffic or for legacy systems that do not have a built-in software firewall
How: Set up a VM environment and an OPNsense firewall with two interfaces, one to your Lab network, and one for traffic "behind" the firewall
Important: A layer 2 firewall is not compatible with traffic shaping. It has a management IP address, but cannot participate in routing, proxy, IPS, etc.
Lab Topology
Update the instructions for your own Lab network
- Lab network subnet: 192.168.1.0/24
- Lab router/gateway: 192.168.1.1/24
- OPNsense management IP: 192.168.1.2/24
- DNS servers: 9.9.9.9, 1.1.1.1
- Your Lab workstation for configuring everything: IP in 192.168.1.0/24
- In my XCP-ng lab, the interfaces are xn0, xn1, xn2; these names will vary across different virtual environments
Download the Installation ISO
- https://opnsense.org/download/
- select image type: dvd and click Download OPNsense
- Use a tool like 7-Zip to extract the ISO file from the bz2 archive
Prepare the VM Networks
- VM host interface to the Lab LAN, no VLANs
- Private network for the backend network segment, no VLANs
Create the VM
- vCPU: 4
- RAM: 4GB (recommended is 8GB, but 4GB works for this Lab)
- First network: host network (192.168.1.0/24)
- Second network: back end private network
- Third network: host network (192.168.1.0/24)
- Disk: 32GB
Install OPNsense 25.7
- Boot from the OPNsense 25.7 ISO (DVD image from https://opnsense.org/download/)
- Log in as installer/opnsense
- Select the keymap
- Install ZFS (best choice for this Lab)
- Accept the disk to install on (use space bar to check the box)
- Set the root password
- Select Reboot now
- Eject/remove the installation ISO after the reboot starts
Configure OPNsense from Console
- Log in to Console as user root with the password you selected
- 1) Assign interfaces
  - LAGGs? No
  - VLANs? No
  - WAN interface name: none (press Enter)
  - LAN interface name: xn0
  - OPT1 interface name: xn1
  - OPT2 interface name: xn2
  - Optional interface: just press Enter to stop adding interfaces
  - Proceed
- 2) Set interface IP addresses
  - LAN
    - Configure IP via DHCP? No
    - IPv4 address: 192.168.1.2
    - Mask bits: 24
    - Upstream gateway: press Enter to accept no gateway
    - IPv6 address: No, none (press Enter)
    - Enable DHCP server on LAN: No
    - Change to HTTP: No
    - Generate new self-signed web GUI certificate: No
    - Restore web GUI defaults? No
  - WAN and OPT: there is no WAN, and no IP addresses on the OPT interfaces
Configure OPNsense from Web GUI
- From your workstation on your Lab network, browse to the OPNsense firewall's management IP
  - https://192.168.1.2
- Click Next to start the Wizard
- Enter a hostname, domain and DNS settings
  - Uncheck Override DNS
  - Uncheck Enable Resolver
  - Click Next
- There is no WAN, but to get past this screen, set type to DHCP and the IP to 4.4.4.4/32
  - Make sure you do not block RFC1918 private networks or bogon networks
  - Click Next
- LAN: Uncheck Configure DHCP Server
  - Click Next
- Optionally enter a new password
  - Click Next
- Interfaces > Assignments
  - Delete WAN interface
  - Click Save
- Create Bridge Interface
  - Interfaces > Devices > Bridge
  - Add a new bridge, select OPT1 and OPT2
  - Optionally add a description
  - Click Save and then Apply
- Move management IP address to the bridge
  - Interfaces > Assignments
  - Change LAN to be bridge0 (Bridge)
  - Click Save
- Add System Tunables
  - System > Settings > Tunables
  - net.link.bridge.pfil_member = 0
  - net.link.bridge.pfil_bridge = 1
  - Click Apply
- Modify firewall rules
  - Firewall > Rules > LAN
  - Modify the Default allow LAN to any rule
    - Change source to any
    - Enable logging
    - Update description to Allow all traffic on bridge
    - This change allows multicast, broadcasts, and DHCP to work
    - Click Save
  - Edit the IPv6 rule to disable it, and Save
  - Click Apply Changes
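As an added sanity check (my own script, not part of the original post or of OPNsense), the POSIX shell functions below verify the three settings the bridge build depends on: the two tunables, the bridge0 membership (xn1 and xn2 in this Lab) and the management address sitting on bridge0 rather than on a member. The sample sysctl/ifconfig text is constructed in FreeBSD's output format; on the firewall console, feed the live output as shown in the comment.

```shell
#!/bin/sh
# Added check for the transparent-bridge build above (not from the original post).
# Verifies, from sysctl and ifconfig output, that:
#   1) net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1 are in effect
#   2) bridge0 has exactly the backend members xn1 and xn2
#   3) the management address 192.168.1.2 is on bridge0, not on a member
# On the firewall:
#   run_checks "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)" "$(ifconfig bridge0)"

# Constructed sample output in FreeBSD sysctl/ifconfig format (not captured from a real box).
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        member: xn2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000
        member: xn1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000
        groups: bridge'

# check_tunables SYSCTL_TEXT: succeeds only if filtering happens on the bridge, not on members
check_tunables() {
  printf '%s\n' "$1" | grep -q '^net\.link\.bridge\.pfil_member: 0$' &&
  printf '%s\n' "$1" | grep -q '^net\.link\.bridge\.pfil_bridge: 1$'
}

# bridge_members IFCONFIG_TEXT: prints the sorted member names, space separated
bridge_members() {
  printf '%s\n' "$1" | awk '/^[ \t]*member: /{print $2}' | sort | tr '\n' ' ' | sed 's/ $//'
}

# bridge_mgmt_ip IFCONFIG_TEXT: prints the first inet address under bridge0 (empty if none)
bridge_mgmt_ip() {
  printf '%s\n' "$1" | awk '/^bridge0:/{b=1; next} /^[^ \t]/{b=0} b && $1=="inet"{print $2; exit}'
}

# run_checks SYSCTL_TEXT IFCONFIG_TEXT: reports each check; exit status 0 only if all pass
run_checks() {
  rc=0
  if check_tunables "$1"; then echo "OK   tunables"; else echo "FAIL tunables"; rc=1; fi
  m=$(bridge_members "$2")
  if [ "$m" = "xn1 xn2" ]; then echo "OK   members: $m"; else echo "FAIL members: '$m'"; rc=1; fi
  ip=$(bridge_mgmt_ip "$2")
  if [ "$ip" = "192.168.1.2" ]; then echo "OK   mgmt ip $ip"; else echo "FAIL mgmt ip '$ip'"; rc=1; fi
  return $rc
}
```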
Update Firmware and Enable Guest tools
- Add gateway to the Internet
  - System > Gateways > Configuration
  - Add gateway
    - Name: Lab_gateway
    - Interface: LAN
    - IP address: 192.168.1.1
    - Description: Internet gateway
  - Click Save and then Apply
- Add gateway to LAN
  - Interfaces > LAN
  - IPv4 gateway rules: Lab_gateway
  - Click Save and then Apply changes
- Update firmware
  - System > Firmware > Status > Check for Updates
  - Due to a known issue, it will fail the first time, so run it again
  - Read the long message, click Close
  - Scroll down to the end, then click Update
  - Click OK to accept the reboot
- Enable Guest tools
  - Log back in, System > Firmware > Plugins
  - Check Show community plugins
  - Find your VM environment's plugin (os-xen, os-qemu-guest-agent, os-vmware, os-virtualbox) and click "+" to install it
- Reboot
  - Power > Reboot > Yes
Testing
- Spin up a VM on the backend private network, e.g. Windows 11
  - DHCP should work, and the VM should have Internet access
- Add firewall rules to the LAN, above the allow any rule, dropping specific traffic from that IP (e.g., https)
- View the firewall logs
  - Firewall > Log Files > Live View
- It is recommended to use DHCP reservations or static IPs on the systems behind the L2 firewall so you can write firewall rules for those IP addresses
That's awesome Monviech (Cedrik)! I struggled with this a couple of years ago and finally got to come back to it and get it working.
To get the firmware updates working, don't forget to add the gateway :)
Yeah, you are right, I forgot about hinting at needing a gateway. If anything else is unclear, feel free to leave review comments on GitHub and I'll evaluate and fix these spots.