OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Noctur on January 07, 2017, 06:22:01 pm

Title: Transparent Firewall
Post by: Noctur on January 07, 2017, 06:22:01 pm
Has anyone been successful in getting a transparent firewall setup on 17.1 beta using the instructions here: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html? Or any other instructions?

I tried a few months ago using 16.x and was unsuccessful using em NICs.
Title: Re: Transparent Firewall
Post by: Noctur on March 05, 2017, 09:12:01 pm
I've seen several other people asking for help with a transparent / filtering bridge, but no replies.

Anyone have this working on 17.1.x?

It would be great if the 'How-To' were revised to 17.1.x with working instructions.
Title: Re: Transparent Firewall
Post by: djGrrr on March 07, 2017, 04:32:08 am
Hi, what issue did you have exactly when trying this? Did you get any traffic flowing at all? I'm not seeing anything particularly wrong with what the guide says to do.

How many interfaces did you have in your setup? I imagine the setup would work better with a dedicated management interface.
Title: Re: Transparent Firewall
Post by: Noctur on March 07, 2017, 05:09:51 am
Thanks for the reply.

I have 3 em NICs in use for wan, lan and mgt. I could get the system to connect with the lan and communicate with anything else connected to the lan, but couldn't get anything to pass through the wan. I could get Suricata rules to update, so I know something was working. At the time I must have run through the instructions following them to a 'T' a dozen times with a fresh install each time. I just spent too much time on it and decided not to try again without some additional information.

I should probably try this again. I have a setup with 17.1.2 as router working with Suricata and GeoIP Aliases working fine. But I had originally set out to run it as a transparent bridge and still prefer that.

My goal is to have it running Suricata Inline IPS with GeoIP Alias in transparent bridge mode and have another system serve as router.
Title: Re: Transparent Firewall
Post by: Noctur on March 07, 2017, 06:50:57 pm
I spent the morning going back through the How-To with 17.1.2. The system is running in transparent bridge mode now while I'm writing, with em0-WAN, em1-LAN, em2-MGT, all 3 interfaces on a single bridge Br0, and em2 assigned a static IP on the LAN. I can get out to the internet and browse and can get to the MGT interface of OPNsense. However, OPNsense does not update.

I have basic "allow-all" firewall rules per the How-To and have Suricata IPS running. However, Suricata cannot download updates and when checking for system firmware updates I get a "Could not find the repository on the selected mirror." message. It looks like the system cannot access external addresses.

Suricata has rules downloaded from 3/6/17, but is unable to update today. Looking at the Suricata Alerts, I see some alerts being generated from the GeoIP portion set up in the User-Defined section, but no Alerts generated from Suricata rules - although there hasn't been enough diverse traffic through to likely generate hits.

This is further than I've gotten in the past, and still not quite right. Any recommendations on how to allow the OPNsense system access externally? TIA
Title: Re: Transparent Firewall
Post by: djGrrr on March 08, 2017, 12:05:42 am
The management interface should not be part of the bridge, and there should be no IPs on the LAN, WAN or bridge; only the management interface should have an IP and gateway, which needs to be set as the default gateway.

After that you should be able to do transparent filtering.
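A shell check for the layout described in the reply above, added here as an example (it is not part of the thread or of OPNsense): it parses FreeBSD-style ifconfig output and flags the problems from this thread, a management interface that is a bridge member, an IP on a bridge member or on the bridge, or a management interface with no IP. The ifconfig text and the interface names em0/em1/em2 are constructed to mirror the poster's setup.

```shell
#!/bin/sh
# Constructed sample of FreeBSD ifconfig output (not captured from a real box):
# em0 = WAN and em1 = LAN are bridge members with no address, em2 = MGT is
# the only interface with an IP, bridge0 carries no address itself.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:00
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:01
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:02
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:aa:bb:cc:dd:ee
	member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# check_bridge_config MGMT_IF  (reads ifconfig output on stdin)
# Prints one FAIL line per violation of the transparent-bridge rules from the
# thread; prints nothing when the layout matches.
check_bridge_config() {
    awk -v mgmt="$1" '
        /^[a-z0-9]+:/             { iface = $1; sub(":", "", iface) }  # new interface block
        /^[[:space:]]+member:/    { members[$2] = iface }               # member -> its bridge
        /^[[:space:]]+inet6? /    { addrs[iface] = addrs[iface] " " $2 } # any v4/v6 address
        END {
            if (mgmt in members)
                print "FAIL: management interface " mgmt " is a bridge member"
            if (!(mgmt in addrs))
                print "FAIL: management interface " mgmt " has no IP address"
            for (i in addrs)          # covers LAN, WAN and the bridge itself
                if (i != mgmt)
                    print "FAIL: " i " has an address (" addrs[i] ") but only " mgmt " should"
            n = 0
            for (m in members) n++
            if (n < 2)
                print "FAIL: bridge needs at least two members (WAN and LAN)"
        }'
}

# config_ok MGMT_IF: exit status 0 when check_bridge_config reports nothing
config_ok() { [ -z "$(check_bridge_config "$1")" ]; }

printf '%s\n' "$SAMPLE_IFCONFIG" | config_ok em2 \
    && echo "bridge layout matches the recommendations in the thread"
```

On a live box the same check runs as `ifconfig | check_bridge_config em2` (substitute the interface assigned as MGT).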
Title: Re: Transparent Firewall
Post by: Noctur on March 08, 2017, 01:25:09 am
Thank you for the comments. I removed Mgt from the Br0, set gateway to main router and rebooted. When it came up, several services had to be manually started. It still could not update firmware or download updated rules.

I tweaked a bit and had to turn off the DNS Forwarding service and reboot - it came up as expected. So now I'm getting internet pass-through, can check for firmware updates, and rules are updated. Will run for a while to see if Suricata generates hits.

Thank you for your help.

It was unclear to me that the Mgt interface (on a 3rd eth) should not be part of the Br0, since the How-To indicates the Bridge itself should be assigned as the Mgt interface with a static IP. It was also unclear that DNS Services should be OFF. What's also interesting is that I checked "Turn Off Anti-Lockout Rule" as part of the How-To, and after a reboot it comes back up unchecked with the rule showing up 1st in the LAN rules list - can't keep it turned off.

And, your recommendations above indicate that Br0 should not have an IP. In my working setup, the Br0 isn't assigned to a network port, so it doesn't have an input to assign an IP. In the Interface.Assignments list, there's only LAN, WAN and MGT(OPT1), with the capability to add OPT2 to Br0. Make sense?

Thank you again - it seems to be working.

Title: Re: Transparent Firewall
Post by: djGrrr on March 08, 2017, 05:09:34 am
Technically the management interface can be the bridge, but when you have a 3 interface system, it makes more sense to have a dedicated management interface, and simplifies the setup.

Are you putting a check-mark in the "Disable web GUI anti-lockout rule" setting under System > Settings > Administration? I am using this setting myself and it definitely stays disabled on reboot. Also, you should not have to disable the DNS forwarding service; you may have to change its interface setting, but in this setup the DNS forwarder is likely not needed in any way anyway.

In regards to the bridge not having an IP address, that was more a "just in case". You may however want to assign an interface to the bridge with IPv4 and IPv6 set to none, just like WAN and LAN. This would allow you to do firewall rules that apply to both interfaces without using a floating rule.
Title: Re: Transparent Firewall
Post by: Noctur on March 11, 2017, 12:56:23 am
Thank you again for the follow-up. The GUI anti-lockout rule is now 'sticking'. I must have not saved properly, going to other options before a save/apply. Understood about the bridge 'just in case'; it works fine for me as is.