[SOLVED] Can't connect to Web GUI after trying to implement Transparent Bridge

Started by bsfema, April 17, 2024, 05:07:22 AM

My network:
ISP Modem---Router---Switch:
                           +--(misc other devices)
                           +--OPNSense---Laptop

I don't have a very complicated network, just a bunch of devices connected to a switch and the switch to a router.  I wanted to setup a transparent filtering bridge on an old Protectli FW4B and stick it between my router and the switch.  Since I didn't want to disrupt my network while testing this, I decided to connect OPNSense to my switch via the WAN and then use a laptop to the LAN for testing.  I have tried following these various instructions:

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

When I finish, I'm getting the internet on my laptop, with the DHCP provided by my router, but I cannot access the OPNSense web GUI anymore.

My Steps:
Install OPNSense 24.1 on a Protectli FW4B
    Boot into USB with 24.1 on it
    Login as installer/opnsense
    Run through install options and rebooted
On the console:
    Login at root/opnsense
    Chose (1 Assign Interfaces):
        LAGGs & VLANs = N
        WAN = igb0
        LAN = igb1
        OPT1 = igb2
        OPT2 = igb3
    Plugged cables into WAN and LAN

Result:
    LAN (igb1)  -> v4: 192.168.1.1/24
    OPT1 (igb2) ->
    OPT2 (igb2) ->
    WAN (igb0)  -> v4/DHCP4: 192.168.50.39/24
    Laptop (plugged into LAN):  Has internet and IP = 192.168.1.100

Login to the Web UI (http://192.168.1.1/)
Firewall -> NAT -> Outbound -> set "Disable Outbound NAT rule generation" -> Save
System -> Settings -> Tunables -> set 'net.link.bridge.pfil_bridge' = 1, 'net.link.bridge.pfil_member' = 0 -> Save
Interfaces -> Other Types -> Bridge -> add:  Description = 'Bridge', select LAN+WAN -> Save
Interfaces -> Assignments -> add:  Device = bridge0, Description = 'Bridge' -> Save
Interfaces -> [Bridge] -> select 'Enable Interface', IPv4 Configuration Type = Static IPv4, IPV4 address = 192.168.50.200/32 -> Save
Interfaces -> [OPT1] -> select 'Enable Interface', IPv4 Configuration Type = Static IPv4, 192.168.50.201/32 -> Save
Interfaces -> [OPT2] -> select 'Enable Interface', IPv4 Configuration Type = Static IPv4, 192.168.50.202/32 -> Save
Apply Changes

Result:
        Bridge (bridge0)  -> v4: v4/DHCP4: 192.168.50.200/32
        LAN (igb1)  -> v4: 192.168.1.1/24
        OPT1 (igb2) -> v4: 192.168.50.201/32
        OPT2 (igb3) -> v4: 192.168.50.202/32
        WAN (igb0)  -> v4/DHCP4: 192.168.50.39/24

Interfaces -> WAN -> un-select 'Block private networks' & 'Block bogon networks' -> Save
Services -> DHCPv4 -> [LAN] -> un-select 'Enable DHCP server on LAN interface' -> Save
Firewall -> Rules -> select [Bridge]/[LAN]/[WAN]/[OPT1]/[OPT2] -> Add -> Save
Firewall -> Settings -> Advanced -> un-select 'Disable administration anti-lockout rule' -> Save
System -> Configuration -> Backups -> click 'Download Configuration' -> Save
Interfaces -> [LAN]/[WAN] -> set 'IPv4 Configuration Type' = None -> Save
Apply Changes

Result:
        Bridge (bridge0)  -> v4: v4/DHCP4: 192.168.50.200/32
        LAN (igb1)  ->
        OPT1 (igb2) -> v4: 192.168.50.201/32
        OPT2 (igb3) -> v4: 192.168.50.202/32
        WAN (igb0)  ->

Plug Laptop into LAN:  Has internet and IP = 192.168.50.12, can't access 192.168.50.200 (error: The connection has timed out) or 192.168.50.201/202 (error: Unable to connect)
Plug Laptop into OPT1:  No internet and doesn't get IP
Plug Laptop into OPT2:  No internet and doesn't get IP
Plug Laptop into switch:  Has internet and IP = 192.168.50.12, can't access 192.168.50.200 (error: The connection has timed out), 192.168.50.201/202 (error: Unable to connect)

I tried the same steps as above but using /24 instead of /32 for the Static IPv4s.  The results were the exact same.
I tried the same steps as above but setting the following, but the results were the exact same:  Interfaces -> [Bridge] -> select 'Enable Interface', IPv4 Configuration Type = DHCP

I don't know networking/firewalls virtually at all, so I'm probably missing something very simple/basic, but I can't figure out what it is.  Any help would be greatly appreciated.

Does anyone have thoughts on how I can resolve this?  Any help would be greatly appreciated.

I'm very puzzled about this as well. Surely a truly transparent filter bridge has no addresses as such and simply passes raw packets back and forward. So, like yourself, I'd like to use another physical interface as a client to my internal subnet getting its address via DHCP like everything else. Then I have a way to get to the OPNsense GUI and configure the filtering live.

BUT, I've only ever been able to see the WebGUI on the LAN interface, and activating bridge kills that ability. I also notice an unremovable anti-lockout rule which seems to port-forward 80 and 443 to LAN which is perhaps why the WebGUI disappears forever resulting in a console reset being required.

Any expert help gratefully appreciated...

It works fine for me. I've bridged WAN with OPT1 and use LAN for management. It also lets OPNsense install new plugins and receive updates, which wasn't the case with pfSense. Only LAN has an IP address. The bridge is between my Internet gateway and core switch. Inter-VLAN routing is done on the switch. It's OPNsense 24.1.6-amd64.

BRG (bridge0)   ->
LAN (vmx1)      -> v4: 192.168.10.17/24
OPT1 (vmx2)     ->
WAN (vmx0)      ->

I tried your suggestion Strator and bridged WAN to OPT1.  The result was what I was looking for.  When the laptop was plugged into OPT1 it had internet access, when plugged into LAN I could access the WebGUI.

The only problem was that the WebGUI didn't have internet access.  I received a "no address record found for the selected mirror" when trying to update.  I could ping my local DNS server (pihole), but nothing else (e.g. 1.1.1.1 8.8.8.8).

I tried System->Settings->General->
Have/NotHave DNS entries listed there (with no gateway specified)
Have/NotHave "Allow DNS providers to be overwritten by DHCP" enabled
Have/NotHave "Do not use the local DNS service as a nameserver for this system" enabled

Nothing seemed to help.  I'm not sure what else to do to troubleshoot this, so I'll wipe it and start from scratch again to see if I just messed up somewhere.

BSFEMA,

I resolved this by adding a Management interface. I used a fixed IP for that interface. Then I removed IPs from every other interface in the transparent bridge. I can now access the WebGUI via the Management interface. Hope this helps.

Burley

Make sure the upstream gateway is set up correctly. My OPNsense interface is on my management VLAN and the VLAN's SVI is the gateway. This gives OPNsense access to my local network and Internet. I have Unbound DNS enabled with some block lists and no other custom DNS setting on OPNsense, so OPNsense uses it for Internet address resolution. For my local devices, I have 2 other DNS servers which use the OPNsense DNS as a forwarder.

I got it working.  I think running the initial setup wizard after the install helped as I don't think I really did anything different.

Recap:  Instead of bridging LAN+WAN, bridge OPT1+WAN.  Also run the initial setup wizard.
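A small lint for the layout this thread converges on (bridge members carry no IPv4, one interface outside the bridge is the management interface with a usable mask and an on-subnet gateway, and the two bridge tunables are set as in the OPNsense how-to). This is an added example, not code from the thread or from OPNsense; the status listing, bridge membership, tunable values and gateway address are constructed sample values in the format of the console "Result" listings above.

```python
import ipaddress
import re

# Constructed sample: the layout that finally worked (WAN+OPT1 bridged, LAN kept
# as management), written the way the OPNsense console status lines look.
STATUS = """\
BRG (bridge0)   ->
LAN (igb1)      -> v4: 192.168.50.17/24
OPT1 (igb2)     ->
WAN (igb0)      ->
"""
BRIDGE_MEMBERS = {"bridge0": {"igb0", "igb2"}}   # assumed membership of bridge0
TUNABLES = {"net.link.bridge.pfil_bridge": 1, "net.link.bridge.pfil_member": 0}
GATEWAY = "192.168.50.1"                           # assumed upstream gateway

# "<name> (<device>) -> [anything] <ip/prefix>" ; the address part is optional.
LINE = re.compile(r"^(\S+)\s+\((\S+)\)\s+->(?:.*?(\d+(?:\.\d+){3}/\d+))?\s*$")

def parse_status(text):
    """Return {device: (name, IPv4Interface or None)} from a console listing."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, dev, addr = m.groups()
            out[dev] = (name, ipaddress.ip_interface(addr) if addr else None)
    return out

def check_bridge_layout(status, members, tunables, gateway):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    member_set = set().union(*members.values())
    mgmt = []   # addressed interfaces that are neither members nor bridges
    for dev, (name, addr) in status.items():
        if dev in member_set and addr is not None:
            problems.append(f"{name} ({dev}) is a bridge member but still has {addr}")
        elif dev not in member_set and dev not in members and addr is not None:
            mgmt.append((name, dev, addr))
    if not mgmt:
        problems.append("no management interface outside the bridge has an IPv4 address")
    gw = ipaddress.ip_address(gateway)
    for name, dev, addr in mgmt:
        if addr.network.prefixlen == 32:   # /32 has no on-link subnet to answer from
            problems.append(f"{name} ({dev}) uses /32: no on-link subnet, nothing can reach it")
        elif gw not in addr.network:
            problems.append(f"gateway {gw} is not on {name}'s subnet {addr.network}")
    if tunables.get("net.link.bridge.pfil_bridge") != 1 or tunables.get("net.link.bridge.pfil_member") != 0:
        problems.append("expected pfil_bridge=1 and pfil_member=0 so rules apply on the bridge")
    return problems
```

Feeding it the first post's LAN+WAN layout (addresses only on the bridge and on /32 OPT interfaces) reports the /32 interfaces and nothing else, which matches where that attempt was unreachable.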

I have been trying to setup a transparent bridge by following the instructions in this video (Dave's Garage)

https://www.youtube.com/watch?v=dTUvlFfThPw

The Network is configured as follows:

ISP Router / Box  --> OPNSense Bridge --> Netgear ORBI (also doing DHCP for LAN/WIFI)

The mini-pc I am using has 2 physical network ports, the output from the ISP Box (WAN) goes into the OPNSense box and the output (LAN) from the OPNSense box goes into the WAN input of the ORBI.

If I go ahead and disable IPv4 for the WAN & LAN, there is no way to access the web GUI or SSH onto the box, even though I believe I have assigned a static IP address to the Bridge.

What am I missing? Does the setup from Dave's Garage video require 3 physical ports?
That's not the best video. It keeps mixing a mini-pc with 2 NICs with one with 4 NICs. I think he used a 4-NIC mini-pc in the end. You can add another NIC by attaching a RJ45 USB adapter and using it for OPT1.

Follow these instructions instead.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Quote from: Strator on May 13, 2024, 12:36:24 AM
That's not the best video. It keeps mixing a mini-pc with 2 NICs with one with 4 NICs. I think he used a 4-NIC mini-pc in the end. You can add another NIC by attaching a RJ45 USB adapter and using it for OPT1.

Follow these instructions instead.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Thanks I will get an RJ45 USB adapter and give it a try

Hi,

I also followed the Daves Garage video on YouTube and after can't login to the web portal unless on the command window I enable IP address access, which enables the GUI though DHCP gets enabled as well. I could even see its IP address registered on my network but could not login without enabling access at the command line. What's the proper way to get web access?

Thanks

I appear to have it all up and working using a USB/RJ45 connector as follows:

re0 - LAN   (WebGui via IPv4)
re1 - WAN
ue0 - OPT1 (USB/RJ45)
I set the bridge up between WAN and OPT1 (with the bridge between WAN & LAN I couldn't access the WebGui on OPT1 even though I gave it a static IPv4 address).

I had to add a gateway to allow the device itself access to the WAN so that ClamAV / FreshClam could update, i.e.

    Name: LAN-GW
    interface: LAN
    Protocol: IPv4
    Priority: 255
    Gateway 192.168.2.1

Is this the correct thing to do?

Now that I have the system up and running, can someone point me to a beginners guide for things I should configure to protect my network?

I have also enabled Intrusion Detection with IPS (as per Dave's video) - is there anything else I should do to properly configure this? I noticed that in the WebGUI there are currently no Rules configured and there are options for downloading Rulesets.