Hello everyone,
First of all thanks for having me at the forum.
I am new to OPNsense and building my first device based on an Intel J3455 with 4 GB and 2 Intel n211 NICs.
I want to use it in transparent bridge mode, but the model has only two NICs.
Before I put a lot of time into it I want to know: is it possible to build this and still use the web UI in this situation (and have a safe system of course ;))
Thanks everyone!!
Perfectly possible but the devil is in the details. You need to assign an IP address to the bridge interface for management and create appropriate firewall rules.
May I ask why you intend to use a filtering bridge? In my experience in almost all situations routing is far superior to bridging.
Thanks for the reply!
The reason I am bridging is because I am perfectly happy with my EBM68 and mesh nodes, but I want to dive into some more serious firewall concepts.
Besides that I am down with a back injury and I hate being bored 😅
I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?
Quote from: Jaapaap on Today at 07:23:11 PM
I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?
Sort of, yes. Unfortunately there is no ready-made recipe for a transparent bridge. Even the official documentation just suggests enabling IDS/IPS. If you want to really filter transparently with default deny (!) you obviously need to take DHCP from/to your uplink router, neighbour discovery in case of IPv6 etc. etc. into account. Even ARP? I don't know. Probably pf on the bridge only deals with IPv4/6. That would mean there is no firewall rule but maybe a global sysctl to pass non-IP traffic like ARP transparently.
Unknown terrain - there be dragons! But you probably won't be bored. 🙂
That's why I prefer routing.
Ok, the rabbit hole is deeper than I thought... :)
I only wanted to use the box for CrowdSec, GeoIP and WireGuard.
So my thoughts were:
igb0 - no IP
igb1 - no IP
Bridge - local management IP
Sounded quite straightforward, but the key is securing the bridge (if not sufficiently guarded by the standard firewall rules).
But since a Hero Member is warning me about dragons ;) I'm getting second thoughts. Did I perhaps bite off more than I can chew??
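The layout sketched in this post (both members without addresses, a management IP on the bridge, UI reachable only from the local subnet) written out as an added example, not code from the thread or from the OPNsense project. Interface names igb0/igb1, the 192.168.1.0/24 subnet, the .250 address and the ports are assumed; on OPNsense the sysctls would go under System: Settings: Tunables and the rules into the GUI, so the raw pf syntax here is for reading the intent, and it also passes the DHCP and IPv6 neighbour discovery traffic mentioned in the reply above.

```shell
# Added example: FreeBSD-style transparent bridge with a management address on
# bridge0 and a pf ruleset that only lets the local subnet reach the web UI.
# igb0/igb1, the subnet, the address and the ports are assumed values.
MGMT_IF="bridge0"
MGMT_NET="192.168.1.0/24"   # assumed LAN behind the bridge
MGMT_IP="192.168.1.250/24"  # assumed management address on the bridge
UI_PORTS="{ 443, 22 }"      # web UI and ssh

# Interface commands are printed, not run, so they can be reviewed first.
bridge_setup_cmds() {
  cat <<EOF
ifconfig igb0 up
ifconfig igb1 up
ifconfig $MGMT_IF create
ifconfig $MGMT_IF addm igb0 addm igb1 up
ifconfig $MGMT_IF inet $MGMT_IP
EOF
}

# Filter once, on the bridge itself, instead of on each member. ARP is handed
# through by if_bridge at default settings; pfil_onlyip=0 also lets other
# non-IP frames through instead of dropping them.
bridge_sysctls() {
  cat <<EOF
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_onlyip=0
EOF
}

# Default deny on the bridge. The UI is reachable only from MGMT_NET; the
# quick block that follows keeps later "pass" rules for forwarded traffic
# from accidentally exposing it. DHCP and IPv6 neighbour discovery between
# the two sides are passed explicitly because a default deny breaks them.
pf_rules() {
  cat <<EOF
set skip on lo0
block in log on $MGMT_IF all
pass in quick on $MGMT_IF proto tcp from $MGMT_NET to ($MGMT_IF) port $UI_PORTS keep state
block in quick on $MGMT_IF proto tcp from any to ($MGMT_IF) port $UI_PORTS
pass in quick on $MGMT_IF proto udp from any port { 67, 68 } to any port { 67, 68 }
pass in quick on $MGMT_IF inet6 proto icmp6 icmp6-type { routersol, routeradv, neighbrsol, neighbradv }
EOF
}

# True when the generated ruleset admits the UI only from the local subnet.
check_ui_locked_to_lan() {
  pf_rules | grep -qF "pass in quick on $MGMT_IF proto tcp from $MGMT_NET to ($MGMT_IF) port" &&
  pf_rules | grep -qF "block in quick on $MGMT_IF proto tcp from any to ($MGMT_IF) port"
}
```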
What I always wondered about that transparent bridge setup: If you have only two sides between which to filter traffic, then what would be so difficult as to use different subnets (aka routing)? And if you don't, like if you have separate VLANs, then how do you even get the traffic to pass your firewall?
Once you get to understand routing, it seems natural to choose that, which is possibly why < 1% of people here would be able to help if you don't.