Messages - Bear

#1
Quote from: AdSchellevis on November 25, 2019, 12:40:30 PM
both docs are likely trying to solve different scenarios, in your case. When using the same sysctl settings on pfSense and OPNsense the result should also be similar in this case. But remember, the sysctl tunables are really important here, different choices can indeed result in traffic drops (default policy is drop).

You can always use sysctl -a | grep bridge to check which settings are active.

The sysctl parameters are only a part of it.  pfsense says that one of the bridge member interfaces needs an IP.  opnsense says the bridge interface itself needs an IP and that neither member interface should have an IP.

I've previously been told that filtering on the member devices is preferable so my tunables are:

I've set the tunables above:

net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

Though I've read on the netgate forums that if you set both tunables to 0 and place all firewall rules on the bridge interface, that just works without having to mess with tunables.

So, bottom line:
1) Do I need to give either member interface an IP, or is it the bridge interface that needs an IP? pfsense and opnsense disagree here.  I only want my management interface accessible from the LAN side of the network.
2) What tunables should I set if my firewall rules are on WAN and my OPT1 LAN port with static IPs?


Thanks
#2
I had to revert to my pfsense install because in spite of a firewall rule on my WAN at the top of my list explicitly stating no access to my firewall device (and having applied it), I could still access my opnsense config page from the Internet.

I looked over pfsense's guides for a filtered/transparent bridge and opnsense's and they conflict.  opnsense says to give the bridge interface an IP.  PFSense doesn't add another firewall-exposed interface for the filtered bridge but states to only assign an IP to one of the member interfaces.

I've set the tunable to filter on the member interfaces only and not on the bridge interface. However while I can connect out, in that setting, none of my servers can be connected to at all. All with the same rules I have in Pfsense.

So I need to understand how this actually should work, otherwise by using a filtered bridge with static IPs between myself and the 'net, following the guide, I've actually got zero Firewall and with the tunables set to only filter on member interfaces, nothing gets in.

Changing my tunables to match my PFSense install blocks everything.  I'm pretty much at a loss at this point with OPNSense.

Help. :(
#3
I found the problem for accessing the management interface.  The IP was assigned to the WAN device, not the bridge device, so that was creating some weirdness.  I've got that resolved in my OPNsense setup.  Now I need to fix an issue with OpenVPN...
#4
One more problem.  I followed the OpenVPN Road Warrior instructions, except I omitted the OTP stuff.

I'm getting an error of "mbed TLS: SSL read error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" - Any ideas as to where I should look?  I'm using login names and passwords on OVPN Connect on my iPhone and this error is given after I attempt to connect. 

Finally, updates from the command line time out, I can't fetch suricata lists, and updates from the web seem to time out.  Internet connectivity is there, and I can ping from the web-based ping utility.  Nothing I've found via searches is yielding anything concrete.  Any suggestions there are also appreciated.

This is the last hump I need to get over and then I'm fully on OPNsense. :)

Thanks again!
#5
Quote from: AdSchellevis on November 24, 2019, 07:29:49 PM

You could always check on the console if the bridge actually has an address at the moment (ifconfig), the new overview (Interfaces -> Overview) should also show the current addresses.

Good call.  Even though the UI showed the IP, I evidently didn't apply it, so the Bridged interface had no IP. Sorted!

On to moving over more of my firewall rules and seeing if this actually works.  Sadly, it looks like OPNsense won't import my firewall rules. :(

#6
Quote from: AdSchellevis on November 24, 2019, 07:12:00 PM
For the openvpn you probably need to share some more details (screenshots / steps to reproduce).
I expect it should be possible to set an address to the bridge and use it, but to be honest, it's a scenario we see even less often.

The steps to reproduce are simple.  After configuring the filtered bridge, try to set up an OpenVPN server instance.  It will want an interface to bind to.  The instructions for setting up a filtered bridge state that only the bridge interface should have an IP, and I've made sure that's the case.  However, when configuring the OpenVPN server, selecting the bridge interface to bind to (or any interface for that matter), I get the error that the assigned interface has no IP address.  Even when the bridged interface does.  So...I'm somewhat confused here.  If you want screenshots, please let me know of which pages and I'll post ASAP.  Thanks!
#7
Quote from: AdSchellevis on November 24, 2019, 06:48:27 PM
Hi Bear,

I'm not using bridging very often, it tends to get complicated for various reasons. From my most recent experience, when sitting in between the traffic (LAN/WAN), I expect you best use the rules on both interfaces instead of the bridge device itself, direction gets misinterpreted pretty easily (since both members are considered equally by default). When tying two equal networks (LAN+WLAN for example) filtering on the bridge usually works fine, which is also the scenario described in our docs.

As with pfSense you need to take care of the sysctl parameters (keep net.link.bridge.pfil_bridge on 0 when not filtering the bridge).
A full list of parameters can be found in the freebsd man page:

https://www.freebsd.org/cgi/man.cgi?bridge(4)


Best regards,

Ad

I followed the instructions and set the sysctl parameters as required.  Hopefully that'll do.  I'll migrate my rules over from pfsense manually on the appropriate interfaces.

My other question still stands - When trying to get OpenVPN to work, it gives me the error stating that my interface has no IP, however the instructions for a filtered bridge state that only the bridge should have an IP...how do I get around this?

Thanks!
#8
Donated $25 for starters, since I'm just getting spun up on OPNSense - More to come once I get some questions answered and I can get the system online in my home. :)
#9
Previously, with PFSense, when I made a filtering bridge, all of my rules for what could or couldn't come in from the WAN side were on the WAN device, and rules for what could go out from the network were on the LAN device.  I'm rethinking my ways.

Would it work/be better to place all rules on the filtered bridge interface in Opnsense alone, using the "source" and "destination" options instead, while leaving both members of the bridge unconfigured?  I have a feeling that my PFSense config wasn't optimal, though the docs on using a filtered bridge weren't very helpful from the PFsense side.

Also, unrelated - When setting up an OpenVPN server, my bridge interface has an IP.  However, when in VPN:OpenVPN:Servers, whenever I select my bridged network as the interface, I get an error that says "An IPV4 protocol was selected, but the selected interface has no IPV4 address", when my bridged network interface is the ONLY interface that I've assigned an IP address to.  Does anyone have any thoughts on this as well?

I'm running a transparent bridge due to having a bunch of public IPs that I'd prefer not to 1:1 NAT with.

Any help/thoughts would be appreciated. :)

-Bear
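The thread keeps circling two checks: which of net.link.bridge.pfil_member / pfil_bridge is set (so where pf rules actually take effect), and whether the IPv4 address sits on the bridge interface rather than on a member (the mistake found in post #3, and the unapplied address in post #5). The script below is an added example, not code from this thread or from the OPNsense or pfSense projects. It parses the output of `sysctl net.link.bridge` and FreeBSD-style `ifconfig` and reports where filtering applies and which interfaces carry addresses; the interface names igb0/igb1/bridge0 and all sample output are constructed. The "none" finding (both tunables at 0, so forwarded frames are never offered to pf) reflects my reading of bridge(4), not a statement from the thread.

```shell
#!/bin/sh
# Added example (not from this thread or from OPNsense/pfSense): audit where pf
# filtering applies on a FreeBSD bridge and where the IPv4 addresses sit.
# Interface names igb0/igb1/bridge0 and all sample output below are constructed.

# Constructed `sysctl net.link.bridge` output with the tunables from post #1.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_local_phys: 0
net.link.bridge.ipfw: 0'

# Constructed FreeBSD-style `ifconfig` output: only bridge0 carries an address.
SAMPLE_IFCONFIG='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:56
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:01
    inet 203.0.113.2 netmask 0xffffffc0 broadcast 203.0.113.63
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed variant of the mistake from post #3: the address ended up on the
# WAN member (igb0) instead of on bridge0.
MISPLACED_IFCONFIG='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffffc0 broadcast 203.0.113.63
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Print the value of one tunable from sysctl output (empty if it is absent).
sysctl_value() {  # $1 = sysctl output, $2 = tunable name
    printf '%s\n' "$1" | awk -v k="$2" '$1 == (k ":") { print $2; exit }'
}

# Where pf rules take effect for bridged traffic: member, bridge, both or none.
# With both tunables at 0 the bridge code skips pfil(9), so forwarded frames
# are never offered to pf (my reading of bridge(4); verify on your own box).
pfil_placement() {  # $1 = sysctl output
    m=$(sysctl_value "$1" net.link.bridge.pfil_member)
    b=$(sysctl_value "$1" net.link.bridge.pfil_bridge)
    case "${m:-0}${b:-0}" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# List interfaces that have at least one IPv4 (inet, not inet6) address.
ipv4_ifaces() {  # $1 = ifconfig output
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(":", "", iface) }
        $1 == "inet"              { print iface }'
}

# List the member interfaces of one bridge, sorted.
bridge_members() {  # $1 = ifconfig output, $2 = bridge name
    printf '%s\n' "$1" | awk -v br="$2" '
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(":", "", iface) }
        iface == br && $1 == "member:" { print $2 }' | sort
}

# Audit one bridge. Prints OK:/WARN: findings; returns 0 only if nothing is a WARN.
audit_bridge() {  # $1 = sysctl output, $2 = ifconfig output, $3 = bridge name
    rc=0
    placement=$(pfil_placement "$1")
    if [ "$placement" = none ]; then
        echo "WARN: pfil_member=0 and pfil_bridge=0: forwarded frames are not passed to pf"
        rc=1
    else
        echo "OK: pf rules apply on: $placement"
    fi
    addressed=$(ipv4_ifaces "$2")
    if printf '%s\n' "$addressed" | grep -qx "$3"; then
        echo "OK: $3 carries an IPv4 address"
    else
        echo "WARN: $3 has no IPv4 address (pending change not applied?)"
        rc=1
    fi
    for member in $(bridge_members "$2" "$3"); do
        if printf '%s\n' "$addressed" | grep -qx "$member"; then
            echo "WARN: member $member also carries an IPv4 address; expected it on $3 only"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo over the constructed samples. On a real box replace the
# samples with "$(sysctl net.link.bridge)" and "$(ifconfig)".
echo "--- address on the bridge, filtering on members"
audit_bridge "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" bridge0
echo "--- address on a member (the post #3 mistake)"
audit_bridge "$SAMPLE_SYSCTL" "$MISPLACED_IFCONFIG" bridge0 || echo "audit failed with status $?"
```

Run it as-is to see both outcomes on the constructed samples; on an OPNsense console, feed it the real `sysctl net.link.bridge` and `ifconfig` output and the bridge name you assigned. A WARN on the member address is exactly the condition that produced the management-page exposure described in post #2, so it is worth checking before the box goes in front of public addresses.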
#10
My current problem is, the management interface is accessible one minute, inaccessible the next from the LAN port.  The only way I can typically guarantee access is by using another opt port with DHCP configured on it to configure the firewall, which is a bit annoying.  I'll have to see if that carries on to opnsense or not...
#11
I guess this'll be my introductory post. :)

I'm a longtime user of m0n0wall who later moved to pfsense on a Dell system, and most recently, I purchased a Qotom i3-7130u-based system to move to opnsense.

I had a couple of issues with pfsense that I'm hoping the community here can help me sort out before I try to move my opnsense box into "production."

1) I'm running pfsense (and soon opnsense) as a filtering bridge.  Randomly, my administration page will be accessible or inaccessible from the internal part of the bridge (It's expressly prohibited from the outside part) - Will I have a similar issue with pfsense?  Is there any rhyme or reason why this would occur?

Is there a better mode (rather than resorting to 1:1 NAT which has its own issues I'd prefer to avoid) for using OpnSense with a /26 of Public IPs?

2) OpenVPN has always been weird under pfsense.  For example, only one user actually works.  No other users will authenticate.  If I delete the user that works, the next user who is at the top of the config screen suddenly works without any change of credentials, certificate, account, etc.  Has anyone had this issue on opnsense?

Thanks for any help - This looks to be a great community.

-Bear