Messages - Labber53

#1
There is no longer Services > Web Proxy > Administration in the OPNsense menu.

At least not in community edition 24.1.10_3

https://docs.opnsense.org/manual/how-tos/proxytransparent.html refers to "Go to Services ‣ Web Proxy ‣ Administration"

Is there a way to enable the transparent proxy in 24.1.10_3?
#2
You got this!

Tip: you can't turn 172.20.1.0/24 into a 172.20.1.0/20
Instead you turn it into 172.20.0.0/20
172.20.0.0/20 = 172.20.0.0 - 172.20.15.255 = 4096 IP addresses subnet mask 255.255.240.0
#3
Sorry I don't have good news for you.

I tried reproducing the Tutorial instructions https://docs.opnsense.org/manual/how-tos/transparent_bridge.html without success.

DHCP didn't work. Not even using static IP address (matching what I would have got over the bridge) worked.

There are some oddities in that document. I compared it to: https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might try that second How-To.

I will try to revisit this tomorrow. You can follow my steps to reproduce the issue at this repo: https://github.com/doritoes/NUC-Labs/blob/XCP-ng/XCP-ng/Appendix-L2_Firewall.md

EDIT See also https://community.spiceworks.com/t/opnsense-transparent-bridge-between-isp-and-fortigate/946090/8
#4
General Discussion / Re: Just want to say Hello.
July 14, 2024, 08:43:13 PM
Hello! Nice to meet you!

How are you using OPNsense?
#5
Hey I can help. Here is what I understand:

[Modem]
[Layer2 Firewall] ("bridge mode")   ==> additional Management interface on LAN subnet
[Router] (might be wireless router)
[LAN]

The router is set to DHCP.
You are able to manage the firewall from the LAN
You are able to manage the router from the LAN

Issue: router fails to get WAN IP via DHCP from the ISP

Troubleshooting 1: set the Router WAN IP with the static IP address to take DHCP out of play. Does it work?
Troubleshooting 2: make sure NAT rules disabled, DHCP service, allow firewall rule added on OPNsense (see docs for the full list)

I have not deployed OPNsense as a L2 firewall ("transparent bridge") yet. I have reviewed https://docs.opnsense.org/manual/how-tos/transparent_bridge.html and will try it in my Lab today
#6
I can help with that. How seamless it is comes down to what your LAN subnet is today.

192.168.0.0 addresses were designed to be /24 or smaller (Class C)
172.16.0.0-172.31.255.255 can be down to /12
10.0.0.0 addresses can be down to /8

But good news! OPNsense lets you use "supernets", that is, use smaller masks for 192.168.0.0 addresses

https://mxtoolbox.com/subnetcalculator.aspx

192.168.0.0/20 = 192.168.0.0 - 192.168.15.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.16.0/20 = 192.168.16.0 - 192.168.31.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.32.0/20 = 192.168.32.0 - 192.168.47.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.48.0/20 = 192.168.48.0 - 192.168.63.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.64.0/20 = 192.168.64.0 - 192.168.79.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.80.0/20 = 192.168.80.0 - 192.168.95.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.96.0/20 = 192.168.96.0 - 192.168.111.255 = 4096 IPs in range = subnet mask 255.255.240.0
192.168.112.0/20 = 192.168.112.0 - 192.168.127.255 = 4096 IPs in range = subnet mask 255.255.240.0
[and so on]

If you are using 192.168.0.0/24 today and OPNsense is 192.168.0.1 with DHCP (using leases for any fixed IPs) then it's almost seamless.
1. change the mask
2. update DHCP range/scopes to take advantage of the additional space
3. reboot everything

If you are using static IPs on your devices instead of DHCP, it's not seamless. Static IP devices need the updated subnet mask and a reboot.

@Koloa is spot on. When I set up a firewall at a site, I choose my subnets so I can increase the size (/24 to /23 to /22) without impacting the other subnets. Subnets have a "shape" and once you master that, it gets easier.
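An added example (not code from the thread) that does the supernet arithmetic from posts #2 and #6 with Python's ipaddress module: it finds the aligned /20 that contains an existing /24, rejects a misaligned CIDR such as 172.20.1.0/20, reproduces the range/mask/count columns of the table above, and checks which neighbouring subnets a growing block would collide with. The list of "other subnets" is a constructed sample site plan.

```python
import ipaddress


def grow(existing_cidr, new_prefix):
    """Aligned supernet of size /new_prefix that contains existing_cidr.

    172.20.1.0/24 grows into 172.20.0.0/20; "172.20.1.0/20" is not a valid
    network because it has host bits set (the tip in post #2).
    """
    net = ipaddress.ip_network(existing_cidr, strict=True)
    if new_prefix >= net.prefixlen:
        raise ValueError("new prefix must be shorter than the current one")
    return net.supernet(new_prefix=new_prefix)


def is_aligned(cidr):
    """True if the CIDR sits on a network boundary (no host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def summary(net):
    """(first address, last address, dotted netmask, address count), as in the table."""
    return (str(net.network_address), str(net.broadcast_address),
            str(net.netmask), net.num_addresses)


def growth_path(cidr, prefixes=(23, 22, 21, 20)):
    """The 'shape' of a subnet: which block it lands in as the mask shrinks."""
    return [str(grow(cidr, p)) for p in prefixes]


def swallowed(existing_cidr, new_prefix, other_subnets):
    """Other subnets the grown block would overlap; renumber those first."""
    grown = grow(existing_cidr, new_prefix)
    return [s for s in other_subnets
            if grown.overlaps(ipaddress.ip_network(s, strict=False))]


if __name__ == "__main__":
    # Constructed site plan: the LAN plus two other networks (not from the thread).
    others = ["192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/24"]
    print(summary(grow("192.168.0.0/24", 20)))
    print(growth_path("192.168.1.0/24"))
    print(swallowed("192.168.0.0/24", 22, others))
```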
#7
BLUF: can't get Tor and transparent proxy working again

Some time ago I had OPNsense working with transparent proxy and Tor to isolate my Lab.

I just rebuilt everything on XCP-ng instead of ESXi. I lost the password to my OPNsense VM, so I am re-creating from scratch and writing a Tutorial on how I did it. My intention is to post it in the Tutorials section.

I'm stuck. Anyone have a link or a tutorial for the latest version of OPNsense?

Here is what I have so far if you want to play along and help fix it. Simple firewall: WAN, LAN. Configure/test from a PC on the LAN.

1. Log in to firewall via https
2. System > Firmware > Plugins
  - os-tor - click "+" to install
3. Refresh the page
4. Click Services > Tor > Configuration
  - General Tab
    - Enable: Yes
    - Listen Interfaces: LAN
    - Enable Advanced Mode
      - Check Enable Transparent Proxy
      - Confirm SOCKS port number: 9050
      - Confirm Control Port: 9051
      - Confirm Transparent port: 9040
      - Confirm Transparent DNS port: 9053
  - Click Save
5. Firewall > Rules > LAN
  - Add rule to top of policy
    - Action: Pass
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: This Firewall
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Allow DNS to firewall
    - Click Save
    - Move the new rule to the top if necessary
      - Put a Check next to new rule Allow DNS to Firewall
      - Click the arrow icon to the right of the first rule to move it to the top
    - Allow LAN net to This Firewall IP for TCP/IP DNS
  - Add a second rule just below it
    - Action: Block
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: any
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Deny unsanctioned DNS
    - Click Save
    - Move the new rule below the first rule if necessary
      - Put a Check next to new rule Deny unsanctioned DNS
      - Click the arrow icon to the right of the second rule to move it to the second position
    - Allow LAN net to This Firewall IP for TCP/IP DNS
  - Click Apply Changes
6. Firewall > NAT > Port Forward
  - Add rule
    - Click the "+" to add a rule
    - Interface: LAN (be sure you ONLY select LAN)
    - TCP/IP Version: IPv4
    - Protocol: TCP (TOR rejects UDP packets except for DNS requests)
    - Source: LAN net
    - Source port range: any
    - Destination: ANY
    - Destination Port: ANY
    - Redirect Target IP: Single Host or Network: 127.0.0.1
    - Redirect Target Port: (other) 9040 (this is the Transparent TOR port)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Port forward to Tor
    - Filter rule association:
      - (default) add associated filter rule
    - Click Save
    - Click Apply changes
7. Reboot the firewall
  - Power > Reboot > confirm
8. Using your browser connect to https://check.torproject.org
  - You should see "Congratulations. This browser is configured to use Tor."