Messages - Labber53

#1
That's awesome Monviech (Cedrik)! I struggled with this a couple of years ago and finally got to come back to it and get it working.

To get the firmware updates working, don't forget to add the gateway :)
#2
TLDR; Along with many others I struggled with the old documentation at https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

EDIT: added note about extracting ISO from the download
EDIT2: fixed typo in gateway name

This is a repeatable simple build for a new OPNsense 25.7 layer 2 firewall.

What: A filtered transparent bridge (layer 2 firewall) is used to segment a network, isolating one or more hosts on a subnet

Why: Useful for observing traffic or for legacy systems that do not have a built-in software firewall

How: Set up a VM environment and an OPNsense firewall with two interfaces, one to your Lab network, and one for traffic "behind" the firewall

Important: A layer 2 firewall is not compatible with traffic shaping. It has a management IP address, but cannot participate in routing, proxy, IPS, etc.

Lab Topology
Update the instructions for your own Lab network
  • Lab network subnet: 192.168.1.0/24
  • Lab router/gateway: 192.168.1.1/24
  • OPNsense management IP: 192.168.1.2/24
  • DNS servers: 9.9.9.9, 1.1.1.1
  • Your Lab workstation for configuring everything: IP in 192.168.1.0/24
  • In my XCP-ng lab, the interfaces are xn0, xn1, xn2; these names will vary across different virtual environments

Download the Installation ISO

Prepare the VM Networks
  • VM host interface to the Lab LAN, no VLANs
  • Private network for the backend network segment, no VLANs

Create the VM
  • vCPU: 4
  • RAM: 4GB (recommended is 8GB, but 4GB works for this Lab)
  • First network: host network (192.168.1.0/24)
  • Second network: back end private network
  • Third network: host network (192.168.1.0/24)
  • Disk: 32GB

Install OPNsense 25.7
  • Boot from OPNsense 25.7 ISO (https://opnsense.org/download/ DVD)
  • Log in as installer/opnsense
  • Select the keymap
  • Install ZFS (best choice for this Lab)
  • Accept the disk to install on (use space bar to check the box)
  • Set the root password
  • Select Reboot now
  • Eject/remove the installation ISO after the reboot starts

Configure OPNsense from Console
  • Log in to Console as user root with the password you selected
  • 1) Assign interfaces
  • LAGGs? No
  • VLANs? No
  • WAN interface name: none (press Enter)
  • LAN interface name: xn0
  • OPT1 interface name: xn1
  • OPT2 interface name: xn2
  • Optional interface: just press enter to stop adding interfaces
  • Proceed
  • 2) Set interface IP addresses
  • LAN
  • Configure IP via DHCP? No
  • IPv4 address: 192.168.1.2
  • Mask bits: 24
  • Upstream gateway: press enter to accept no gateway
  • IPv6 address: No, none (press enter)
  • Enable DHCP server on LAN: No
  • Change to HTTP: No
  • Generate new self-signed web GUI certificate: No
  • Restore web GUI defaults? No
  • WAN and OPT: there is no WAN, no IP addresses on OPT interfaces

Configure OPNsense from Web GUI
  • From your workstation on your Lab network, browse to the OPNsense firewall's management IP
  • https://192.168.1.2
  • Click Next to start the Wizard
  • Enter a hostname, domain and DNS settings
  • Uncheck Override DNS
  • Uncheck Enable Resolver
  • Click Next
  • There is no WAN, but to get past this screen, set type to DHCP and the IP to 4.4.4.4/32
  • Make sure you do not block RFC1918 private networks or bogon networks
  • Click Next
  • LAN: Uncheck Configure DHCP Server
  • Click Next
  • Optionally enter a new password
  • Click Next
  • Interfaces > Assignments
  • Delete WAN interface
  • Click Save
  • Create Bridge Interface
  • Interfaces > Devices > Bridge
  • Add a new bridge, select OPT1 and OPT2
  • Optionally add a description
  • Click Save and then Apply
  • Move management IP address to the bridge
  • Interfaces > Assignments
  • Change LAN to be bridge0 (Bridge)
  • Click Save
  • Add System Tunables
  • System > Settings > Tunables
  • net.link.bridge.pfil_member = 0
  • net.link.bridge.pfil_bridge = 1
  • Click Apply
  • Modify firewall rules
  • Firewall > Rules > LAN
  • Modify the Default allow LAN to any rule
  • Change source to any
  • Enable logging
  • Update description to Allow all traffic on bridge
  • This change allows multicast, broadcasts, and DHCP to work
  • Click Save
  • Edit the IPv6 rule to disable it, and Save
  • Click Apply Changes

Update Firmware and Enable Guest tools
  • Add gateway to the Internet
  • System > Gateways > Configuration
  • Add gateway
  • Name: Lab_gateway
  • Interface: LAN
  • IP address: 192.168.1.1
  • Description: Internet gateway
  • Click Save and then Apply
  • Add gateway to LAN
  • Interfaces > LAN
  • IPv4 gateway rules: Lab_gateway
  • Click Save and then Apply changes
  • Update firmware
  • System > Firmware > Status > Check for Updates
  • Due to a known issue, it will fail the first time, so run again
  • Read the long message, click Close
  • Scroll down to the end, then click Update
  • Click OK to accept the reboot
  • Enable Guest tools
  • Log back in, System > Firmware > Plugins
  • Check Show community plugins
  • find your VM environment's plugin (os-xen, os-qemu-guest-agent, os-vmware, os-virtualbox) and click "+" to install it
  • Reboot
  • Power > Reboot > Yes

Testing
  • Spin up a VM on the backend private network, e.g. Windows 11
  • DHCP should work, Internet access
  • Add firewall rules to the LAN, above the allow any rule, dropping specific traffic from that IP (e.g., https)
  • View the firewall logs
  • Firewall > Log Files > Live View
  • It is recommended to use DHCP reservations or static IPs on the systems behind the L2 firewall so you can write firewall rules for those IP addresses
#3
This is the build for OPNsense 25.7.5. This successfully creates an isolated test lab behind a firewall where traffic can only egress via Tor.

Setup:
1. Simple firewall WAN, LAN. configure/test from a PC on the LAN. All in proxmox 9.
2. proxmox vbr0 (dhcp) for the WAN, which connects to a lab network for access to the Internet
3. proxmox vbr1 (192.168.101.254/24) for the LAN, which is the secured network
4. Put a VM with a web browser on vbr1

Configuration:
0. WAN interface is vtnet0, LAN is vtnet1
1. Initial setup wizard https://192.168.101.254
- Hostname: isolationfw
- Domain: proxmox.lab
- DNS: 8.8.8.8 and 8.8.4.4 (unfiltered DNS)
- _Uncheck_ override DNS
- WAN DHCP, _uncheck_ block RFC1918 private networks since the lab is also private address space
- LAN review and click next
- update root password or leave the same and click next
2. Update: System > Firmware > Status > Check for Updates, apply and reboot (optionally install the plugin os-qemu-guest-agent for Proxmox and enable the QEMU agent in Proxmox)
3. Test normal Internet access from the VM behind the firewall (web pages, nslookup, etc.)
4. Disable Internet and DNS
- Firewall > Rules > LAN
- Change the IPv4 rule to be a Block action
- Change the IPv6 rule to be a Block action
- Click Apply changes
5. Confirm that Internet browsing fails and that nslookup from the command line also fails (i.e., 'nslookup google.com' times out)
6. Configure Tor
This provides some anonymity, if done correctly
- Configure the firewall to transparently proxy Internet traffic over Tor
- Be careful to configure DNS correctly to forward over Tor so your DNS traffic is not leaked
- You may choose to configure the firewall to instead use a VPN service; be mindful of the terms and conditions, and that in some cases they will surrender details of your activity under court order
- System > Firmware > Plugins
- Check Show community plugins, install os-tor
- Refresh the page
- Services > Tor > Configuration
- General tab: Enable : yes, listen on LAN (only)
- Enable advanced mode, check Enable Transparent Proxy
- Click Save
- SOCKS Proxy ACL tab: Add acl IPv4, network 192.168.101.0/24, accept, save, reload service
7. Configure firewall
- Firewall > NAT > Port Forward
- Add rule Allow interface LAN IPv4 TCP/IP LAN Net to destination any port DNS, redirect target IP 127.0.0.1 redirect target port other 9053 description Tor for DNS
- Add rule below (at end) Allow interface LAN IPv4 TCP LAN Net to destination any port any, redirect target IP 127.0.0.1 redirect target port other 9040 description Tor for tcp traffic
- Firewall > Rules > LAN
- Move the automatic rules to the TOP
- First port 9053 rule
- Next port 9040 rule
- Followed by the block rules
- Click Save
- Click Apply changes
- Reboot the firewall
8. Test from the test VM
- Internet browser works
- nslookup works
- Using your browser connect to https://check.torproject.org
- You should see "Congratulations. This browser is configured to use Tor."

Checking for leaks. Log in to the OPNsense firewall.
WAN interface is vtnet0, LAN is vtnet1

DNS leak test
- tcpdump -nni vtnet0 port 53
Test nslookup and web browsing from the test VM; both succeed. There should be nothing in the packet capture: the traffic is on vtnet1 but never leaks onto vtnet0.

ICMP leak test
- tcpdump -nni vtnet0 icmp
Test ping to the Internet; it fails. There should be nothing in the packet capture.

UDP leak test (Tor only does TCP, with UDP 53 for DNS; remember to use a VPN if you need UDP)
- tcpdump -nni vtnet0 proto 17 and port 443
Install Chrome browser, use chrome://flags to Enable Experimental QUIC protocol, relaunch Chrome and visit google.com
The firewall will log drops but nothing will show in the packet capture.
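To see why the three leak tests above come back empty, here is an added example (my own code, not part of the forum post or of OPNsense) that replays the LAN policy from steps 4 and 7 as a first-match rule list over constructed sample packets. It assumes LAN net 192.168.101.0/24, Tor on 127.0.0.1 with DNSPort 9053 and TransPort 9040, and ignores the GUI anti-lockout rule.

```python
# Added example, not from the post: first-match simulation of the LAN policy.
# Assumed: LAN net 192.168.101.0/24, Tor DNSPort 9053 / TransPort 9040.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAN_NET = ip_network("192.168.101.0/24")
TOR_DNS = ("127.0.0.1", 9053)    # "Tor for DNS" port forward
TOR_TRANS = ("127.0.0.1", 9040)  # "Tor for tcp traffic" port forward


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports


def evaluate(pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Rules in the order step 7 puts them: the two port forwards first,
    then the IPv4 and IPv6 block rules. Returns (verdict, redirect target)."""
    src = ip_address(pkt.src)
    if src.version == 6:                # step 4: IPv6 rule set to Block
        return ("block-ipv6", None)
    if src not in LAN_NET:              # port forwards only match LAN net
        return ("block-ipv4", None)
    if pkt.proto in ("tcp", "udp") and pkt.dport == 53:
        return ("redirect", TOR_DNS)    # rule 1: all DNS to Tor's DNSPort
    if pkt.proto == "tcp":
        return ("redirect", TOR_TRANS)  # rule 2: all other TCP to TransPort
    return ("block-ipv4", None)         # ICMP, QUIC (UDP 443), etc. dropped


def audit(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts: 'redirect' never reaches vtnet0 as client traffic,
    'block-*' is a drop you would see in Firewall > Log Files > Live View."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        verdict, _ = evaluate(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed traffic mirroring the post's leak tests (RFC 5737 addresses).
SAMPLE_TRAFFIC = [
    Packet("192.168.101.10", "8.8.8.8", "udp", 53),        # nslookup
    Packet("192.168.101.10", "203.0.113.5", "tcp", 443),   # https browsing
    Packet("192.168.101.10", "203.0.113.5", "icmp"),       # ping
    Packet("192.168.101.10", "203.0.113.5", "udp", 443),   # Chrome QUIC
    Packet("fd00::10", "2001:db8::1", "tcp", 80),          # IPv6 http
]
```

Run `audit(SAMPLE_TRAFFIC)` to get the breakdown: two packets redirected into Tor, two IPv4 drops (ping and QUIC) and one IPv6 drop, which matches what the captures on vtnet0 show.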
#4
There is no longer Services > Web Proxy > Administration in the OPNsense menu.

At least not in community edition 24.1.10_3

https://docs.opnsense.org/manual/how-tos/proxytransparent.html refers to Go to Services ‣ Web Proxy ‣ Administration

Is there a way to enable the transparent proxy in 24.1.10_3?
#5
You got this!

Tip: you can't turn 172.20.1.0/24 into a 172.20.1.0/20
Instead you turn it into 172.20.0.0/20
172.20.0.0/20 = 172.20.0.0 - 172.20.15.255 = 4096 IP addresses subnet mask 255.255.240.0
#6
Sorry I don't have good news for you.

I tried reproducing the Tutorial instructions https://docs.opnsense.org/manual/how-tos/transparent_bridge.html without success.

DHCP didn't work. Not even using static IP address (matching what I would have got over the bridge) worked.

There are some oddities in that document. I compared it to: https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might try that second How-To.

I will try to revisit this tomorrow. You can follow the my steps to reproduce the issue at this repo: https://github.com/doritoes/NUC-Labs/blob/XCP-ng/XCP-ng/Appendix-L2_Firewall.md

EDIT See also https://community.spiceworks.com/t/opnsense-transparent-bridge-between-isp-and-fortigate/946090/8
#7
General Discussion / Re: Just want to say Hello.
July 14, 2024, 08:43:13 PM
Hello! Nice to meet you!

How are you using OPNsense?
#8
Hey I can help. Here is what I understand:

[ Modem]
[Layer2 Firewall] ("bridge mode")   ==> additional Management interface on LAN subnet
[Router] (might be wireless router)
[LAN]

The router is set to DHCP.
You are able to manage the firewall from the LAN
You are able to manage the router from the LAN

Issue: router fails to get WAN IP via DHCP from the ISP

Troubleshooting 1: set the Router WAN IP with the static IP address to take DHCP out of play. Does it work?
Troubleshooting 2: make sure NAT rules disabled, DHCP service, allow firewall rule added on OPNsense (see docs for the full list)

I have not deployed OPNsense as a L2 firewall ("transparent bridge") yet. I have reviewed https://docs.opnsense.org/manual/how-tos/transparent_bridge.html and will try it in my Lab today
#9
I can help with that. How seamless it is comes down to what your LAN subnet is today.

192.168.0.0 addresses were designed to be /24 or smaller (Class C)
172.16.0.0-172.31.255.255 can be down to /12
10.0.0.0 addresses can be down to /8

But good news! OPNsense lets you use "supernets", that is, use smaller masks for 192.168.0.0 addresses

https://mxtoolbox.com/subnetcalculator.aspx

192.168.0.0/20 = 192.168.0.0 - 192.168.15.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.16.0/20 = 192.168.16.0 - 192.168.31.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.32.0/20 = 192.168.32.0 - 192.168.47.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.48.0/20 = 192.168.48.0 - 192.168.63.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.64.0/20 = 192.168.64.0 - 192.168.79.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.80.0/20 = 192.168.80.0 - 192.168.95.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.96.0/20 = 192.168.96.0 - 192.168.111.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.112.0/20 = 192.168.112.0 - 192.168.127.255 = 4096 IPs in range = subnet mask 255.255.240.0
[and so on]

If you are using 192.168.0.0/24 today and OPNsense is 192.168.0.1 with DHCP (using leases for any fixed IPs) then it's almost seamless.
1. change the mask
2. update DHCP range/scopes to take advantage of the additional space
3. reboot everything

If you are using static IPs on your devices instead of DHCP, it's not seamless. Static IP devices need the updated subnet mask and a reboot.

@Koloa is spot on. When I set up a firewall at a site, I choose my subnets so I can increase the size (/24 to /23 to /22) without impacting the other subnets. Subnets have a "shape" and once you master that, it gets easier.
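An added example (my own code, not from these posts) that does the arithmetic behind the /24 to /20 tip in the earlier reply and the /20 table above: it finds the aligned block a subnet lands in when the mask is widened, prints the same range/count/mask columns, and flags other in-use subnets the bigger block would swallow. Standard library only; all subnets are sample inputs.

```python
# Added example, not from the posts: aligned supernets and overlap checks.
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


def widen(current: str, new_prefix: int) -> IPv4Network:
    """Aligned supernet containing `current` at `new_prefix` bits, e.g.
    172.20.1.0/24 widened to /20 is 172.20.0.0/20, not 172.20.1.0/20."""
    net = IPv4Network(current)
    if new_prefix >= net.prefixlen:
        raise ValueError("new prefix must be shorter than the current one")
    return net.supernet(new_prefix=new_prefix)


def describe(net: IPv4Network) -> Tuple[str, str, int, str]:
    """(first address, last address, address count, dotted mask): the same
    columns as the /20 table above."""
    return (str(net.network_address), str(net.broadcast_address),
            net.num_addresses, str(net.netmask))


def plan_blocks(base: str, new_prefix: int, count: int) -> List[IPv4Network]:
    """`count` consecutive aligned blocks, starting at the one containing base."""
    first = widen(base, new_prefix)
    size = first.num_addresses
    start = int(first.network_address)
    return [IPv4Network(f"{IPv4Address(start + i * size)}/{new_prefix}")
            for i in range(count)]


def conflicts(widened: IPv4Network, in_use: List[str]) -> List[IPv4Network]:
    """Subnets already in use that the widened block would overlap; those
    need renumbering before you change the mask."""
    return [IPv4Network(s) for s in in_use if widened.overlaps(IPv4Network(s))]


if __name__ == "__main__":
    print(widen("172.20.1.0/24", 20))            # 172.20.0.0/20
    for block in plan_blocks("192.168.0.0/24", 20, 4):
        print(block, describe(block))
    # Sample in-use subnets (constructed): one of them sits inside the new /20
    print(conflicts(widen("192.168.0.0/24", 20), ["192.168.10.0/24", "192.168.20.0/24"]))
```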
#10
BLUF: can't get Tor and transparent proxy working again

Some time ago I had OPNsense working with transparent proxy and Tor to isolate my Lab.

I just rebuilt everything on XCP-ng instead of ESXi. I lost the password to my OPNsense VM, so I am re-creating from scratch and writing a Tutorial on how I did it. My intention is to post it in the Tutorials section.

I'm stuck. Anyone have a link or a tutorial for the latest version of OPNsense?

Here is what I have so far if you want to play along and help fix it. Simple firewall WAN, LAN. configure/test from a PC on the LAN.

1. Log in to firewall via https
2. System > Firmware > Plugins
  -  os-tor - click "+" to install
3. Refresh the page
4. Click Services > Tor > Configuration
  - General Tab
    - Enable: Yes
    - Listen Interfaces: LAN
    - Enable Advanced Mode
      - Check Enable Transparent Proxy
      - Confirm SOCKS port number: 9050
      - Confirm Control Port: 9051
      - Confirm Transparent port: 9040
      - Confirm Transparent DNS port: 9053
  - Click Save
5. Firewall > Rules > LAN
  - Add rule to top of policy
    - Action: Pass
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: This Firewall
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Allow DNS to firewall
    - Click Save
    - Move the new rule to the top if necessary
      - Put a Check next to new rule Allow DNS to Firewall
      - Click the arrow icon to the right of the first rule to move it to the top
    -  Allow LAN net to This Firewall IP for TCP/IP DNS
  -  Add a second rule just below it
    - Action: Block
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: any
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Deny unsanctioned DNS
    - Click Save
    - Move the new rule below the first rule if necessary
      - Put a Check next to new rule Deny unsanctioned DNS
      - Click the arrow icon to the right of the second rule to move it to the second position
    -  Allow LAN net to This Firewall IP for TCP/IP DNS
  - Click Apply Changes
6. Firewall > NAT > Port Forward
  - Add rule
    - Click the "+" to add a rule
    - Interface: LAN (be sure you ONLY select LAN)
    - TCP/IP Version: IPv4
    - Protocol: TCP (TOR rejects UDP packets except for DNS requests)
    - Source: LAN net
    - Source port range: any
    - Destination: ANY
    - Destination Port: ANY
    - Redirect Target IP: Single Host or Network: 127.0.0.1
    - Redirect Target Port: (other) 9040 (this is the Transparent TOR port)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Port forward to Tor
    - Filter rule association:
      - (default) add associated filter rule
    - Click Save
    - Click Apply changes
- Reboot the firewall
  - Power > Reboot > confirm
- Using your browser connect to https://check.torproject.org
  - You should see "Congratulations. This browser is configured to use Tor."