Hello, I'm really sorry if this was asked previously, but I have some specific questions regarding a typical Transparent Filtering Bridge configuration.
I have been using OPNsense for several years without any issues so far; however, I've recently switched from a standard setup to the Transparent Filtering Bridge mode because I switched from DSL to a CGNAT/ISP, so I have some questions regarding some settings which differ from the OPNsense TFB how-to documentation (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html).
This is my current TFB setup (IPv6 is disabled):
Interfaces: [WAN] -> igb0
IPv4 Configuration Type: DHCP (It was: NONE)
IPv6 Configuration Type: NONE (It was: DHCPv6)
Interfaces: [LAN] -> igb1
IPv4 Configuration Type: NONE
IPv6 Configuration Type: NONE (It was: Track Interface)
Interfaces: [TFB] -> igb0 + igb1
IPv4 Configuration Type: NONE
IPv6 Configuration Type: NONE
Interfaces: [ADM] -> vtnet0
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: NONE
My question is whether the above TFB configuration looks acceptable, since I had to set IPv4 to DHCP on the [WAN] interface; otherwise OPNsense is unable to be upgraded as expected since there's no route to host.
The OPNsense and zenarmor how-tos both specify setting IPv4 to NONE, but in my case I had to set it. The TFB rules seem to work as intended; however, is there any security implication in always leaving the [WAN] IPv4 set to DHCP, plus the required "Allow All" rule on that IF?
I could disable and set it back to NONE after OPNsense upgrades and reboot but that is a bit of a hassle.
PS: the [ADM] interface is only for local administration. Also, sorry, as I pushed Post instead of Preview while writing.
Regards
What are your specific questions? Just go ahead and ask them ;-)
You have read the documentation (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html) on transparent filtering bridge?
Quote from: Patrick M. Hausen on November 15, 2025, 07:03:51 PM
What are your specific questions? Just go ahead and ask them ;-)
You have read the documentation (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html) on transparent filtering bridge?
Hi Patrick, I pushed the wrong buttons while writing, but I have posted them already.
Regards
Apologies for asking such dumb questions; it seems there are not many users with transparent filtering bridges with alternate configurations, nor much around the web except for a few YT videos just telling how to install it.
By the way, I've just set the IPv4/IPv6 Configuration Type to NONE on all interfaces except for the [ADM] (admin) interface.
One of the reasons for asking was that my ISP struck again and broke IPv6, and OPNsense was unable to be upgraded unless IPv4 was set to DHCP on the [WAN] interface:
OPNsense_Update_Fail_No_Route_Small.png
I will try to update/upgrade the OPNsense host thru the admin interface; otherwise maybe I should stop being a bit too paranoid and leave IPv4 set to DHCP on the [WAN] interface and add some rules there, even if this is disregarded by the recommended setup from the docs.
Regards
Hello, I will post my rather clunky TFB setup and my own answer, in case someone is asking for a similar config on a Transparent Filtering Bridge with a slightly different config from the How-Tos, just for the non-networking guys like me. IPv6 is completely disabled in this example*.
This requires 3 interfaces as expected, in my case two physical IFs (passthrough) for the [TFB] and one virtual admin IF (vtnet0, virtio).
Scenario: you followed the How-To to set up a TFB, but added a 3rd interface to administer OPNsense. Now updates and/or plugin downloads do not work because you've set the Transparent Filtering Bridge related interfaces to NONE as recommended in the How-To:
Set Interfaces [WAN] + [LAN] + [BRIDGE] to:
IPv4 Configuration Type: NONE
IPv6 Configuration Type: NONE*
However since we added a 3rd interface for admin, all we have to do is to set the Gateway for it under [System: Gateways: Configuration], my admin interface is called [ADM]:
00-Gateway_IF_Change.png
Now under [System: Settings: General] I've set the preferred DNS to use that Gateway (192.168.0.1):
01-DNS_To_Gateway.png
After reboot OPNsense is now able to update and install plugins again thru the admin interface while leaving its pure Transparent Filtering Bridge operation intact:
TFB_1.png
However, in my case this was a bit different, as OPNsense is a VM guest and the admin virtual interface (vtnet0) is connected to the host (Bhyve) on the public switch, so the admin interface's internet connection will be thru the hypervisor, which in contrast loops back to the TFB access-point.
Regards
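A way to confirm the end state described in the last post (bridge member interfaces carry no address, and the default route leaves through the admin interface), added here as an example that is not part of the original thread. The device name bridge0, all addresses, and the sample ifconfig/netstat text are constructed assumptions; igb0, igb1 and vtnet0 come from the posts.

```shell
#!/bin/sh
# Assumed names: bridge device "bridge0"; igb0, igb1 and vtnet0 are from the posts.
BRIDGE_IFS="igb0 igb1 bridge0"   # must stay unaddressed in a pure filtering bridge
ADMIN_IF="vtnet0"                # only interface that should carry the default route

# Print "iface address" for each inet/inet6 address in FreeBSD ifconfig text on stdin.
addressed_ifaces() {
    awk '/^[a-z][a-z0-9_.]*: flags=/ { ifc = $1; sub(/:$/, "", ifc); next }
         $1 == "inet" || $1 == "inet6" { print ifc, $2 }'
}

# Print the Netif column of the IPv4 default route ("netstat -rn -f inet" on stdin).
default_route_if() {
    awk '$1 == "default" { print $4; exit }'
}

# audit_tfb IFCONFIG_TEXT NETSTAT_TEXT: prints findings, returns 0 only if clean.
audit_tfb() {
    rc=0
    addrs=$(printf '%s\n' "$1" | addressed_ifaces)
    for ifc in $BRIDGE_IFS; do
        hit=$(printf '%s\n' "$addrs" | awk -v i="$ifc" '$1 == i { print $2 }')
        [ -z "$hit" ] || { echo "FAIL: $ifc has address(es): $hit"; rc=1; }
    done
    gwif=$(printf '%s\n' "$2" | default_route_if)
    [ "$gwif" = "$ADMIN_IF" ] || { echo "FAIL: default route via '${gwif:-none}', expected $ADMIN_IF"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: bridge members unaddressed, default route via $ADMIN_IF"
    return "$rc"
}

# Constructed sample: the first post's state, with [WAN] igb0 left on DHCP.
SAMPLE_IFCONFIG='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:01
	inet 100.64.10.23 netmask 0xfffffc00 broadcast 100.64.11.255
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:02
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:03
	member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255'
SAMPLE_NETSTAT='Destination        Gateway            Flags     Netif Expire
default            100.64.8.1         UGS        igb0
192.168.0.0/24     link#4             U        vtnet0'

# On the firewall itself: audit_tfb "$(ifconfig)" "$(netstat -rn -f inet)"
audit_tfb "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT" || true
```

Run against the constructed sample it reports igb0 as addressed and the default route as leaving via igb0; with the gateway moved to the admin interface as in the last post, both findings clear.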