Messages - Strator

#1
I have recently done a POC where I put OPNsense in front of my routing switch and I can confirm what already was said. Outbound NAT rules need to be created manually for VLAN subnets to enable Internet access. I have also made a couple of other changes, because I did not like how OPNsense sets up the default route with its default settings. First I made sure only WAN is marked as upstream and then I marked the LAN gateway as down. I think it is unfortunate that OPNsense uses the word "down" when the gateway is actually active, but it just cannot be selected as a default one.
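The point about outbound NAT applies to every routed VLAN subnet, not just LAN, and it is easy to miss one. The following is an added example (not part of the post and not OPNsense code) that audits a pf-style NAT rule dump against the list of VLAN subnets and reports the ones no rule covers. The rule text, the interface name `em0` and the subnets are constructed for illustration; a real dump from `pfctl -sn` may use tables or brace lists that this simple regex does not parse.

```python
"""Audit outbound NAT coverage for VLAN subnets (added example, not OPNsense code)."""
import ipaddress
import re

# Assumes one plain source network per rule:
#   nat on <wan_if> [inet] from <net> to any ... -> <target>
NAT_RULE = re.compile(r"^\s*nat\s+on\s+(\S+)\s+(?:inet6?\s+)?from\s+(\S+)\s+to\s+any\b")

# Constructed sample, not a real OPNsense rule dump.
SAMPLE_RULES = """
nat on em0 inet from 192.168.1.0/24 to any -> (em0)
nat on em0 inet from 10.20.0.0/16 to any port 500 -> (em0) static-port
pass in on em1 inet all
"""
# Constructed list of subnets the routing switch hands to OPNsense.
VLANS = ["192.168.1.0/24", "10.20.30.0/24", "10.30.0.0/24", "172.16.5.0/24"]


def parse_nat_sources(rules_text, wan_if):
    """Return the source networks of outbound NAT rules on wan_if, in order."""
    nets = []
    for line in rules_text.splitlines():
        m = NAT_RULE.match(line)
        if m and m.group(1) == wan_if:
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets


def uncovered_subnets(vlan_subnets, rules_text, wan_if):
    """Subnets that no NAT rule's source network contains (subnet_of handles supernets)."""
    covered = parse_nat_sources(rules_text, wan_if)
    missing = []
    for s in vlan_subnets:
        net = ipaddress.ip_network(s)
        same_family = [c for c in covered if c.version == net.version]
        if not any(net.subnet_of(c) for c in same_family):
            missing.append(str(net))
    return missing


def nat_rule_for(subnet, wan_if):
    """Suggested pf rule for a subnet without coverage, translating to the WAN address."""
    return f"nat on {wan_if} inet from {subnet} to any -> ({wan_if})"


if __name__ == "__main__":
    for subnet in uncovered_subnets(VLANS, SAMPLE_RULES, "em0"):
        print("no outbound NAT for", subnet, "->", nat_rule_for(subnet, "em0"))
```

Here `10.20.30.0/24` is reported as covered because the `10.20.0.0/16` rule contains it, while `10.30.0.0/24` and `172.16.5.0/24` are flagged; traffic from those would leave WAN with a private source address.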
#2
Quote from: Tibor on October 25, 2024, 10:54:53 PM
Quote from: Strator on October 25, 2024, 04:46:49 PM
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.

Yes, I have NAT on it. Do you mean without NAT it could perhaps work?

Well, there is also a firewall there. mDNS creates a lot of traffic. The repeater makes it even worse. mDNS traffic can be easily taken as a DoS attack by the firewall. Some other unexpected rules may not like it, either. If I were you, I would forget about this idea.
#3
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.
#4
@glen4cindy

OPNsense does work as a transparent firewall. That's how I use it.

The only IP address you should have there is on LAN for management. Set a static IP address for it. You can connect OPNsense LAN directly to some management PC or your switch. The latter is a more flexible setup.

You can put that transparent firewall between your modem and router or between your router and switch.

Forget the instructions found on Dave's Garage. They are inconsistent. Follow instructions from Zenarmor. Just notice that "LAN" (uppercase) means there a local network. They use lowercase for OPNsense interfaces (wan, lan and opt1).

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense
#5
Quote from: viragomann on October 22, 2024, 02:17:42 PM
Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
After everything was configured and working, I moved LAN and WAN so it was between my modem and router.
Which subnet is this?
How is your router accessing the internet?

You said, you assigned an IP to the bridge interface, which? Which subnet?
Which IP has OPT1?

Do not bridge WAN with LAN. LAN is configured for management. Keep it that way. Instead, bridge WAN with OPT1.
#6
I have an OOB network, too, but I don't really use it since I have only 3 devices that can be connected to it. Instead, I use a protected VLAN for the management tasks and that's where my OPNsense management interface is connected to.

OOB means routing disabled and no connection to any other network so, if you connected your OPNsense management interface to it, you would not be able to access Internet from it.
#7
As I said in my first message, you need to treat the OPNsense management interface like any other client device on your internal network. The management interface cannot access Internet through the bridge directly. It can access Internet only through the internal network which, of course, itself needs to have access to Internet.

I have modified one of the diagrams from that article hoping that it will help you. Take a look at the attachment.

#9
I'm not sure why you've provided this information. I was writing about subnets, not physical interfaces. The only thing I can add to my previous message is that you need to use the OPNsense LAN for your management interfaces. If you bridged the OPNsense WAN with LAN and used some OPT for the management interfaces, you need to change it. Bridge WAN with OPT and, again, use LAN for the management interface. Good luck.

#10
The OPNsense management side needs to have access to Internet to receive updates. Your IP configuration doesn't look right.

If you configure OPNsense as a transparent firewall, you should have only one subnet on it. That subnet should be on your internal network and have access to Internet. The OPNsense management side should be treated just like any other endpoint device on that network. The OPNsense management interfaces should have an IP address on the subnet and the OPNsense gateway should be set to the IP address of the gateway in the subnet.
#11
The OPNsense parent interface is your untagged VLAN on the switch, i.e. the native VLAN of the trunk. Child interfaces will be your tagged VLANs.
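The parent/child split is just 802.1Q tagging: frames from the switch's native VLAN arrive without a tag and are delivered to the parent interface, while every other VLAN arrives with a tag carrying its VID and is delivered to the child interface created for that VID. The following is an added example (not from the post and not OPNsense code) that parses the tag and performs that mapping; the interface names `igc1` and `vlan0.10`/`vlan0.20`, and the frames themselves, are constructed for illustration.

```python
"""Map 802.1Q frames onto parent (untagged) and child (tagged) interfaces.

Added example, not OPNsense code. Frame contents and interface names are constructed.
"""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) outer tag; the outer VID is what we read


def parse_vlan(frame):
    """Return (vid, ethertype, payload_offset); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("frame truncated inside VLAN tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, 18  # low 12 bits of the TCI are the VID
    return None, ethertype, 14


def target_interface(frame, parent, children):
    """Untagged -> parent; tagged -> children[vid]; None if that VID is not configured.

    VID 0 (priority-tagged) is not mapped here; how a given OS treats it is out of scope.
    """
    vid, _, _ = parse_vlan(frame)
    if vid is None:
        return parent
    return children.get(vid)


def build_frame(vid=None, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a minimal Ethernet frame, optionally with an 802.1Q tag (priority 0)."""
    dst = b"\xff" * 6
    src = b"\x02\x00\x00\x00\x00\x01"  # locally administered test MAC
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Assumed layout: igc1 is the parent on the trunk, VLANs 10 and 20 are children.
PARENT = "igc1"
CHILDREN = {10: "vlan0.10", 20: "vlan0.20"}

if __name__ == "__main__":
    for vid in (None, 10, 20, 99):
        print(vid, "->", target_interface(build_frame(vid), PARENT, CHILDREN))
```

A frame tagged with a VID that has no child (99 above) maps to nothing, which is the behaviour you want on a firewall: only VLANs you deliberately created as children are reachable, and the native VLAN is whatever the switch sends untagged.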
#12
General Discussion / Re: Transparant Bridge mode
August 07, 2024, 12:08:27 AM
Quote from: ldanna1945 on August 05, 2024, 07:46:07 PM
Trying to access OPNsense web GUI in transparent bridge mode. Connections are as follows.
WAN connection from Modem to WAN connection on OPNSense 1x1. The LAN connection 1x0 on OPNSense to the WAN in on the router. LAN out from router to a switch. My computer connected to the switch. Access to internet works at this point indicating bridge is working.
I connected third NIC on OPNSense 1x2 to the switch and configured the connection in OPNsense via serial CLI to be configured via DHCP.
OPNSense got an address of 192.168.1.168 from the router. My computer has an address of 192.168.1.166. Ping to internet is successful. Ping to 1x2 address 192.168.1.168 failed and I cannot access web GUI.

So what am I doing wrong or is there another configuration I should try.

Thanks

Larry

Use the OPNsense LAN as the management interface, i.e. connect it to the switch. Connect the extra third NIC to the router WAN. Bridge the OPNsense WAN and the third NIC (OPT1). Do it exactly as described here.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

It works.
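Posts #4, #10 and #12 above all state the same layout rules for a transparent filtering bridge: bridge WAN with OPT1 (never with LAN), give the bridge members no address, keep LAN as the management interface with a static address on the internal subnet, and set the gateway to that subnet's router. The following is an added example (not from the posts and not OPNsense code) that checks a described layout against those rules, run once on the layout quoted in the thread (WAN bridged with LAN, a third NIC via DHCP) and once on the recommended one. Interface names are lowercase as OPNsense uses them; the addresses and the gateway `192.168.1.1` are assumptions for illustration.

```python
"""Check a transparent-bridge OPNsense layout against the advice in this thread.

Added example, not OPNsense code. Addresses are constructed; the gateway is assumed.
"""
import ipaddress


def check_bridge_layout(cfg):
    """Return a list of findings; an empty list means the layout follows the advice."""
    findings = []
    members = set(cfg["bridge_members"])
    addresses = cfg["addresses"]

    if "wan" not in members or len(members) != 2:
        findings.append("bridge must contain exactly wan and one opt interface")
    if "lan" in members:
        findings.append("lan is a bridge member; keep lan for management and bridge wan with opt1")
    for name in sorted(members):
        if addresses.get(name):
            findings.append(f"bridge member {name} has an address; bridge members carry none")

    mgmt = cfg["management_if"]
    if mgmt != "lan":
        findings.append(f"management interface is {mgmt}; it should be lan")
    addr = addresses.get(mgmt)
    if addr is None or addr == "dhcp":
        findings.append("management interface needs a static address on the internal subnet")
    else:
        iface = ipaddress.ip_interface(addr)
        gateway = ipaddress.ip_address(cfg["gateway"])
        if gateway not in iface.network:
            findings.append(f"gateway {gateway} is not inside management subnet {iface.network}")
    return findings


# Layout quoted in the thread: wan bridged with lan, third NIC (opt1) configured via DHCP.
BROKEN = {
    "bridge_members": ["wan", "lan"],
    "addresses": {"opt1": "dhcp"},
    "management_if": "opt1",
    "gateway": "192.168.1.1",  # assumed
}

# Layout the reply recommends: wan bridged with opt1, lan static on the internal subnet.
FIXED = {
    "bridge_members": ["wan", "opt1"],
    "addresses": {"lan": "192.168.1.10/24"},  # constructed
    "management_if": "lan",
    "gateway": "192.168.1.1",  # assumed
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_bridge_layout(cfg) or "ok")
```

The gateway check is the one from post #10: the management address and the gateway must be in the same subnet, because the management side reaches the Internet through the internal network like any other client, not through the bridge.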
#13
Do you mean the routing based on a routing table vs PBR (Policy Based Routing)? Note that there are dynamic routing protocols which use routing tables. Anyway, there is always a routing table and I think using PBR should be avoided. PBR is like using "GOTO" in the old days of computer programming.
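To make the contrast concrete, the following is an added example (not from the post and not OPNsense code): a routing table that picks the next hop by longest-prefix match on the destination with the default route as fallback, and a policy layer that matches on source subnet and ingress interface ahead of the table, which is what PBR does. The prefixes, interface names and next-hop labels are constructed for illustration. The interesting case is the same destination being sent to two different next hops depending on where the packet entered, which is exactly the "GOTO" effect described above.

```python
"""Routing-table lookup versus policy-based routing (added example, not OPNsense code)."""
import ipaddress


class RoutingTable:
    """Destination-based forwarding: most specific matching prefix wins, 0.0.0.0/0 last."""

    def __init__(self):
        self._routes = []  # (network, next_hop), kept sorted most specific first

    def add(self, prefix, next_hop):
        self._routes.append((ipaddress.ip_network(prefix), next_hop))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        for net, hop in self._routes:
            if ip in net:
                return hop
        return None  # no default route: the packet is dropped


class PolicyRouter:
    """PBR: ordered rules on (source subnet, ingress interface) consulted before the table."""

    def __init__(self, table):
        self.table = table
        self.rules = []  # (src_network, in_if, next_hop)

    def add_policy(self, src_prefix, in_if, next_hop):
        self.rules.append((ipaddress.ip_network(src_prefix), in_if, next_hop))

    def route(self, src, dst, in_if):
        """Return (next_hop, 'policy' | 'table') for a packet."""
        s = ipaddress.ip_address(src)
        for net, iface, hop in self.rules:
            if s in net and iface == in_if:
                return hop, "policy"
        return self.table.lookup(dst), "table"


def build_example():
    """Constructed topology: default via WAN, 10/8 via core switch, 10.50/16 via DC firewall."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "wan_gw")
    table.add("10.0.0.0/8", "core_sw")
    table.add("10.50.0.0/16", "dc_fw")
    pbr = PolicyRouter(table)
    # A guest VLAN forced out via a VPN gateway regardless of destination.
    pbr.add_policy("192.168.30.0/24", "vlan30", "vpn_gw")
    return pbr


if __name__ == "__main__":
    r = build_example()
    for pkt in (("192.168.10.5", "10.50.1.1", "vlan10"),
                ("192.168.30.7", "10.50.1.1", "vlan30"),
                ("192.168.30.7", "10.50.1.1", "vlan10")):
        print(pkt, "->", r.route(*pkt))
```

Reading the table alone, `10.50.1.1` always goes to `dc_fw`; with the policy in place that is true only for packets that did not come from the guest subnet on `vlan30`. Every such rule is a special case that the routing table cannot show you, which is why the post recommends keeping forwarding decisions in the table.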
#14
That's not the best video. It keeps mixing a mini-pc with 2 NICs with one with 4 NICs. I think he used a 4-NIC mini-pc in the end. You can add another NIC by attaching a RJ45 USB adapter and using it for OPT1.

Follow these instructions instead.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense
#15
Make sure the upstream gateway is set up correctly. My OPNsense interface is on my management VLAN and the VLAN's SVI is the gateway. This gives OPNsense access to my local network and Internet. I have Unbound DNS enabled with some block lists and no other custom DNS setting on OPNsense, so OPNsense uses it for Internet address resolution. For my local devices, I have 2 other DNS servers which use the OPNsense DNS as a forwarder.