This has been problematic for me. I have a transparent bridge running IPv4 and IPv6. The bridge is on OPT1 and WAN. The IPv4 address space is on the OPT1 interface, 192.168.1.0/24. Traffic passes fine between OPT1 and the WAN. I cannot get a connection outbound from the bridge0 device to the outside world. This means I cannot get updates or add packages. I have been managing the bridge via the LAN interface on 192.168.10.1/24. I suspect this .10 address space is the problem. I have tried a few things and ended up locking myself out a couple of times, so I am kind of hesitant to play around with settings until I know what is going on. How can I configure the device so it can communicate out the WAN and get updates?
Have you done this: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html#change-system-tuneables ?
And are you aware of the fact that the Management Interface is used for Internet Connectivity: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html#connect-interfaces-to-existing-infrastructure
Quote from: mantissa on April 29, 2026, 02:36:05 AM
I cannot get a connection outbound from the bridge0 device to the outside world.
This requires that the OPNsense has an IP in the same subnet as the other devices, which are able to get out to WAN across the bridge, and that the gateway is configured correctly.
The bridge tutorial linked above is more about transparent filtering bridges with VLANs that should stay unnumbered. A normal LAN bridge should work as @viragomann mentions.
@Monviech, for OPNsense to get out to the Internet in a transparent bridge setup, it needs an IP address matching the other router and a properly configured default gateway.
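The two posts above boil the problem down to three things to verify on the firewall itself: the bridge filter tunables from the linked how-to, an IP address on the bridge interface, and a default gateway that lies inside that bridge subnet (a gateway on the 192.168.1.0/24 side is unreachable from a host whose only address is 192.168.10.1/24). The script below is an added example, not code from OPNsense or from anyone in this thread. It parses constructed text in the shape of FreeBSD `sysctl`, `ifconfig bridge0` and `netstat -rn` output and reports which of those three conditions fails; the tunable values it expects (`net.link.bridge.pfil_member=0`, `net.link.bridge.pfil_bridge=1`) are quoted from memory of the how-to and should be confirmed against it.

```python
"""Offline sanity check for an OPNsense transparent-bridge host that passes
bridged traffic but cannot reach the Internet itself (updates, DNS, NTP).

Added example; not OPNsense code and not posted by anyone in the thread.
Inputs are constructed strings in the shape of `sysctl`, `ifconfig <bridge>`
and `netstat -rn` output on a FreeBSD-based OPNsense box; no real capture.
"""
import ipaddress
import re

# Tunables for a filtering bridge as given in the linked how-to
# (assumed values quoted from memory; confirm against the documentation).
REQUIRED_TUNABLES = {
    "net.link.bridge.pfil_member": "0",
    "net.link.bridge.pfil_bridge": "1",
}

# --- constructed sample data (not captured from a real system) ---
SYSCTL_OK = "net.link.bridge.pfil_member: 0\nnet.link.bridge.pfil_bridge: 1\n"
SYSCTL_DEFAULT = "net.link.bridge.pfil_member: 1\nnet.link.bridge.pfil_bridge: 0\n"
BRIDGE_NOADDR = "bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
BRIDGE_OK = BRIDGE_NOADDR + "\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255\n"
BRIDGE_WRONG_SUBNET = BRIDGE_NOADDR + "\tinet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255\n"
ROUTES_OK = "Destination        Gateway            Flags     Netif\ndefault            192.168.1.1        UGS       bridge0\n"
ROUTES_NONE = "Destination        Gateway            Flags     Netif\n192.168.1.0/24     link#7             U         bridge0\n"


def parse_sysctl(text):
    """'key: value' lines -> dict of str -> str."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, val = line.partition(":")
            out[key.strip()] = val.strip()
    return out


def parse_inet(ifconfig_text):
    """FreeBSD 'inet A.B.C.D netmask 0xHHHHHHHH' lines -> list of IPv4Interface."""
    found = []
    for m in re.finditer(r"inet (\S+) netmask (0x[0-9a-fA-F]{8})", ifconfig_text):
        prefix = bin(int(m.group(2), 16)).count("1")  # hex mask -> prefix length
        found.append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
    return found


def parse_default_gateway(netstat_text):
    """Gateway column of the 'default' row in `netstat -rn`, or None if absent."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == "default":
            try:
                return ipaddress.ip_address(cols[1])
            except ValueError:
                return None
    return None


def check_bridge_host(sysctl_text, bridge_ifconfig, netstat_text):
    """Return a list of problems; empty means the host itself should be able to get out."""
    problems = []
    tunables = parse_sysctl(sysctl_text)
    for key, want in REQUIRED_TUNABLES.items():
        got = tunables.get(key)
        if got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    addrs = parse_inet(bridge_ifconfig)
    if not addrs:
        problems.append("bridge interface has no IPv4 address")
    gw = parse_default_gateway(netstat_text)
    if gw is None:
        problems.append("no default route")
    elif addrs and not any(gw in a.network for a in addrs):
        subnets = ", ".join(str(a.network) for a in addrs)
        problems.append(f"default gateway {gw} is not inside the bridge subnet(s) {subnets}")
    return problems


if __name__ == "__main__":
    for label, args in [
        ("thread scenario (no IP on bridge0)", (SYSCTL_OK, BRIDGE_NOADDR, ROUTES_OK)),
        ("management IP from the wrong subnet", (SYSCTL_OK, BRIDGE_WRONG_SUBNET, ROUTES_OK)),
        ("fixed", (SYSCTL_OK, BRIDGE_OK, ROUTES_OK)),
    ]:
        print(label, "->", check_bridge_host(*args) or "OK")
```

On a live box the three inputs would come from `sysctl net.link.bridge`, `ifconfig bridge0` and `netstat -rn` run from the console or SSH; the check is deliberately read-only so it can be run before touching any setting that might lock you out again.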
...which makes it a bit less transparent. Of course, the utility of transparency in a bridging firewall is questionable, particularly in a private address scheme.
Quote from: pfry on April 29, 2026, 06:23:51 PM
...which makes it a bit less transparent. Of course, the utility of transparency in a bridging firewall is questionable, particularly in a private address scheme.
In which way? The devices connecting through the firewall to the other default gateway don't notice the FW. It's just an address to connect to the UI and for the FW to perform DNS lookups, NTP, download updates ...
You can block access to that address for all but your single management PC.
Quote from: Patrick M. Hausen on April 29, 2026, 06:28:23 PM
In which way? The devices connecting through the firewall to the other default gateway don't notice the FW. [...]
Just being pedantic. I suppose if well-filtered and on a switched network, it's effectively transparent. ARP requests don't count as discovery, and replies can be filtered if so desired.