Messages - wtiger127

#1
Thank you again @Eric, and others, for your input.

My primary router is a Fortinet device.  I only wanted to place the OPNsense (as a WAN/LAN bridge with SPI and no routing) between this Fortinet and my internet modem to monitor/capture internet traffic.  And I don't see any other way to capture all incoming/outgoing traffic, unless this device sits between the Fortinet and OPNsense, since I use physical network ports (no VLANs).  I keep thinking that plugging the OPNsense as a bridge into a Fortinet port will only capture the traffic on that port and not all the other ports/networks in place.

My obsession with the secondary router (TP-Link WiFi with 4 gig ports) is to be able to look inside the OPNsense device's capture log, which is outside my Fortinet router and before the internet modem.  I don't think it is possible to create a FW rule from my Fortinet (or any other primary router) to traverse outside its WAN port and look into the OPNsense's MGMT port I set up.  I know I have set up port forwarding before for coming IN through my Fortinet to an internal network.  I have just never done an outgoing port forward or static route.

I've been busy the past few days, but I am soon resuming this project again to see if I can make it work.

thank you.
#2
Appreciate the feedback @EricPerl.

My setup at the moment is more..
Internet modem => Primary router => several physical network ports and 2 WiFi SSIDs.
The primary router is a Fortinet with 9 ports assigned to different networks (no VLANs).

If I set up..
Internet modem => Primary router => OPNsense bridge => several physical network ports and 2 WiFi SSIDs.
I won't be able to reach the bridge, I don't think, since no IP is assigned... it's a bridge.
And more importantly, I will not capture all traffic to all the networks inside, since they are all isolated.

Aiming for the setup....
Internet modem => secondary router => OPNsense bridge => Primary router => several physical network ports and 2 WiFi SSIDs.

I figure it's easier to show in the attached drawing.

#3
I am trying to wrap my mind around that... because the primary router is also a firewall with a non-routable network IP of 192.168.7.x.  I don't know how I would have a PC with, say, address 192.168.7.10 be able to traverse through the WAN and connect to the OPNsense device (with no IP) before the modem.
...since there is no IP on the bridge once I finalize the config.  Just WAN/LAN bridged with a new device name of WANLANBridge and no IP to attach to.

So this is why I thought that the way to have a true management port on OPNsense, reachable only by myself, is to set up a 3rd physical port (MGMT port).

My confusion may be that I am trying to set this up with a laptop connected directly to the OPNsense so as to NOT impact my internet connection before I introduce this change.  Also, keeping in mind that I may want to make further changes and not lock out my primary connection and have to unplug this device and go back to a 1-to-1 connection to try to resolve it... again, with no IP it will be difficult to attach to the device.
#4
@EricPerl
The idea of the second router is so I don't need to go up to the OPNsense device and physically plug a laptop into the MGMT port to watch traffic.  Since the OPNsense is on my live network with no IPs (since the ports are bound as a bridge), I need some other way to access the monitor view.  That is where the MGMT port comes in, with an IP that a physical laptop can plug into.  BUT I am just using the second router as a WiFi connection where both the physical OPNsense MGMT cable and the physical primary network come together, and I can remotely access it through WiFi to monitor.

When I first set this up, I lost the way to watch traffic by removing the IP addresses.  And so I started again and set up a physical MGMT port with the same IP as my second router's LAN.  They are both on the same 192.168.8.x network.  The WAN side of the second router is my primary network, 192.168.7.x.

Not sure if my explanation makes sense.

I see the OPNsense documentation shows adding an IP to the bridge setup (instead of a 3rd physical port).  Perhaps that's the way to go???
#5
Ok, hello everyone... so I am new to this forum and OPNsense.

I just got a CWWK device, which includes (2) SFP+ ports (I plugged in 2 1.25Gb SFPs for now) and (2) 2.5Gb Intel 226 ports.

Initially, I set this up with the 2.5Gb ports as a 'transparent device' in bridge mode, only to find out I locked myself out when I deactivated the WAN/LAN ports' IPs.  So I got (2) SFPs and started a new install.

Install went well.  SFPs set up as LAN/WAN interfaces, with LAN as DHCP and the 192.168.1.1 default network.  My laptop received a 192.168.1.100 address as I am connected right into the LAN port.  The GUI comes up and I can continue there.

And before I set up the bridge, I took one of the 2.5Gb ports to be the MGMT port under assignments.  I set it up with its own new static IP of 192.168.8.4.  DHCP is OFF.  This is because I plugged it into a secondary WiFi router (TP-Link) on a LAN port.
The secondary TP-Link router has a LAN IP of 192.168.8.2 and DHCP ON from 192.168.8.100.

The idea is to plug the OPNsense bridge WAN/LAN into my primary router and modem for traffic to go through, and to have a way to connect to the secondary TP-Link router (WiFi or LAN port) with my laptop and watch traffic or modify OPNsense as needed.

At the moment, I can access the OPNsense GUI connected directly to the SFP (LAN) port with my laptop on the same 192.168.1.1 network (I can also type in 192.168.8.4 and it is reachable)....  BUT, when I try to connect directly to the MGMT port with network 192.168.8.1, I cannot ping or open the OPNsense GUI on 192.168.8.4 (MGMT port assignment).   I suspect something on the GUI side needs to be checked On or Off for me to be on the MGMT port and have the GUI load.  OR a static route is missing... not sure.

I also expected my laptop and the MGMT port plugged directly into the secondary TP-Link router's LAN ports to open the OPNsense GUI, but it does not.  Both 8.4 and 1.1 time out.

I welcome any feedback.. thank you
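The management-port question running through #4 and #5 (a bridge whose member ports carry no IP, a separate MGMT interface at 192.168.8.4, and a laptop that cannot reach the GUI on it) can be reasoned about against the firewall's own configuration rather than by trial and error. The script below is an added example, not OPNsense project code and not the poster's own config: it parses a constructed XML fragment laid out like OPNsense's config.xml (interfaces, bridges, filter rules) and reports why a given client address can or cannot open the GUI, checking in order whether the port the client sits on carries an IP at all (bridge members set to none do not), whether the client is inside that port's subnet, and whether a pass rule on that port admits it. The element names, the sample addresses and the treatment of LAN as covered by an anti-lockout rule are assumptions made for the example; the poster's real config.xml may differ.

```python
"""Can a client reach the OPNsense GUI through a dedicated MGMT interface?
Added example, not OPNsense code or the poster's config: the XML is constructed
to mirror config.xml layout; tag names and LAN anti-lockout are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: WAN+LAN bridged with no address (transparent bridge), opt1 as a
# routed MGMT port at 192.168.8.4/24, and a single pass rule on opt1 for the GUI.
CONFIG_XML = """<opnsense>
  <interfaces>
    <wan><if>ix0</if><enable>1</enable><ipaddr>none</ipaddr></wan>
    <lan><if>ix1</if><enable>1</enable><ipaddr>none</ipaddr></lan>
    <opt1><if>igc0</if><enable>1</enable><descr>MGMT</descr>
      <ipaddr>192.168.8.4</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <bridges>
    <bridged><bridgeif>bridge0</bridgeif><members>wan,lan</members>
      <descr>WANLANBridge</descr></bridged>
  </bridges>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><network>opt1</network></source>
      <destination><any/><port>443</port></destination></rule>
  </filter>
</opnsense>
"""

def load_config(xml_text=CONFIG_XML):
    """Parse a config.xml-style document into an ElementTree root."""
    return ET.fromstring(xml_text)

def interfaces(root):
    """Map interface name -> settings; ipaddr 'none' means no IPv4 address."""
    return {
        i.tag: {
            "enabled": i.findtext("enable") == "1",
            "ipaddr": i.findtext("ipaddr") or "none",
            "subnet": i.findtext("subnet"),
            "descr": i.findtext("descr") or i.tag,
        }
        for i in root.find("interfaces")
    }

def bridge_members(root):
    """Names of interfaces that belong to any configured bridge."""
    return {m.strip() for b in root.findall("bridges/bridged")
            for m in (b.findtext("members") or "").split(",") if m.strip()}

def _rule_admits(rule, iface, gui_port):
    """True if rule is an IPv4 pass rule on iface letting on-link clients reach
    the firewall on gui_port. Only the rule shapes used above are modelled."""
    if rule.findtext("type") != "pass" or rule.findtext("interface") != iface:
        return False
    if rule.findtext("ipprotocol", "inet") != "inet":
        return False
    if rule.findtext("protocol") not in (None, "tcp", "tcp/udp"):
        return False
    src, dst = rule.find("source"), rule.find("destination")
    if src is None or dst is None:
        return False
    port = dst.findtext("port")
    src_ok = src.find("any") is not None or src.findtext("network") == iface
    dst_ok = dst.find("any") is not None and (port is None or int(port) == gui_port)
    return src_ok and dst_ok

def gui_reachable(root, client_ip, gui_port=443):
    """Return (ok, reason). Checks the three things the thread tripped over:
    the port the client sits on must carry an IP (bridge members set to 'none'
    do not), the client must be inside that port's subnet, and a pass rule on
    that port must admit it (LAN is treated as covered by anti-lockout)."""
    client = ipaddress.ip_address(client_ip)
    ifaces = interfaces(root)
    for name, cfg in ifaces.items():
        if not cfg["enabled"] or cfg["ipaddr"] == "none" or not cfg["subnet"]:
            continue  # no address here: nothing to connect to
        net = ipaddress.ip_interface(f"{cfg['ipaddr']}/{cfg['subnet']}").network
        if client not in net:
            continue
        if name == "lan":
            return True, f"lan: anti-lockout admits {client}"
        rules = root.findall("filter/rule")
        if any(_rule_admits(r, name, gui_port) for r in rules):
            return True, f"{name} ({cfg['descr']}): pass rule admits {client} to {cfg['ipaddr']}:{gui_port}"
        return False, f"{name} ({cfg['descr']}): {client} is on-link but no pass rule on {name} reaches port {gui_port}"
    addressed = [n for n, c in ifaces.items() if c["ipaddr"] != "none"] or ["none"]
    return False, (f"{client} is outside every addressed subnet ({', '.join(addressed)}); "
                   f"bridge members {sorted(bridge_members(root))} carry no IP")

if __name__ == "__main__":
    for ip in ("192.168.8.100", "192.168.7.10", "192.168.1.100"):
        print(ip, "->", gui_reachable(load_config(), ip)[1])
```

Run as-is, it reports that a client on 192.168.8.0/24 (the TP-Link's LAN side) is admitted by the opt1 rule, that 192.168.7.10 (a PC behind the Fortinet, as in #3) has no addressed subnet to land on, and that 192.168.1.100 (the old LAN address from #5) is stranded once LAN becomes an addressless bridge member. Flip the rule's type from pass to block and the same 192.168.8.x client is still on-link but reported as having no pass rule, which is the check worth making on a newly assigned OPT interface before unplugging the laptop.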