<Interface> address in transparent filtering bridge mode

Started by EricPerl, October 09, 2024, 02:42:16 AM

Still experimenting with OPNsense until I get more memory and storage.
I set it (virtualized) between my router and my main bridge.
LAN and "WAN" are bridged (correct tunables set) and since I use a third interface for management, neither LAN nor WAN has an IP address.
If I screw up, I just bypass the bridge and everything falls back in place...

At this point, I'd like to move my existing rules from my router (TP-link) to OPNsense.
At least I'd get some logging (TP-link ACLs produce none!).
Am I correct assuming that 'LAN address' (and similar) is undefined since the interface has no IP?

In a more standard setup, with OPNsense acting as the router and gateway for the LANs, then 'LAN address' would be the IP of the OPNsense LAN interface (the gateway IP). Correct?

Quote from: EricPerl on October 09, 2024, 02:42:16 AM
At this point, I'd like to move my existing rules from my router (TP-link) to OPNsense.
You cannot use it as a router in bridge mode, however.

Quote from: EricPerl on October 09, 2024, 02:42:16 AM
Am I correct assuming that 'LAN address' (and similar) is undefined since the interface has no IP?
Yes.
When you want to give it an IP, you should rather assign it to the bridge, not to the member interface, however.

Quote from: EricPerl on October 09, 2024, 02:42:16 AM
In a more standard setup, with OPNsense acting as the router and gateway for the LANs, then 'LAN address' would be the IP of the OPNsense LAN interface (the gateway IP). Correct?

Yes, the LAN IP acts as the gateway for your LAN devices.
The router has configured an upstream gateway as well on its part.

Quote from: viragomann on October 09, 2024, 01:55:44 PM
Quote from: EricPerl on October 09, 2024, 02:42:16 AM
At this point, I'd like to move my existing rules from my router (TP-link) to OPNsense.
You cannot use it as a router in bridge mode, however.
Of course. For now, I'm converting my existing gateway ACLs (TP-link speak for firewall rules) to OPNsense firewall rules on the bridge interface.
The idea is to check how my hardware (2x N100 cores, 4GB (soon 8GB) RAM, 2x passthrough i225 NIC) handles the load. I might reconfigure the bridge as a router and ditch my existing router later, if everything looks good.

Quote from: viragomann on October 09, 2024, 01:55:44 PM
Quote from: EricPerl on October 09, 2024, 02:42:16 AM
Am I correct assuming that 'LAN address' (and similar) is undefined since the interface has no IP?
Yes.
When you want to give it an IP, you should rather assign it to the bridge, not to the member interface, however.
I gathered as much based on docs and some experimentation on Windows. I'm not sure why I'd need or want one though.

Quote from: viragomann on October 09, 2024, 01:55:44 PM
Quote from: EricPerl on October 09, 2024, 02:42:16 AM
In a more standard setup, with OPNsense acting as the router and gateway for the LANs, then 'LAN address' would be the IP of the OPNsense LAN interface (the gateway IP). Correct?

Yes, the LAN IP acts as the gateway for your LAN devices.
The router has configured an upstream gateway as well on its part.
Thanks!
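The two points settled in this thread (interface-address macros such as 'LAN address' resolve to nothing when the member interface has no IP, and the bridge tunables must be set for transparent filtering) can be checked offline before rules are moved onto the bridge. The script below is an added example and not part of the thread or of OPNsense itself; it parses a constructed, simplified config.xml fragment whose tag layout (`sysctl/item`, `interfaces/<key>/ipaddr`, `filter/rule`, and the `<key>ip` network token for '<interface> address') is an assumption modelled on the config format, not a specification. The tunable values themselves (`net.link.bridge.pfil_member=0`, `net.link.bridge.pfil_bridge=1`) are the ones the OPNsense transparent bridge documentation prescribes.

```python
"""Added example (not from the forum thread): an offline sanity check for an
OPNsense-style config.xml before firewall rules are moved onto a transparent
filtering bridge.  It flags:
  1. rules that use the '<interface> address' macro (assumed to be stored as
     the network token '<key>ip', e.g. 'lanip') on an interface that has no
     IP configured, so the macro would be undefined;
  2. bridge filtering tunables that are missing or set to the wrong value.
The XML layout is a constructed, simplified approximation; tag names are
assumptions."""
import xml.etree.ElementTree as ET

# Tunables required for a transparent filtering bridge (OPNsense docs).
REQUIRED_TUNABLES = {
    "net.link.bridge.pfil_member": "0",  # do not filter on member interfaces
    "net.link.bridge.pfil_bridge": "1",  # filter on the bridge interface itself
}

# Constructed sample: lan/wan are bridge members without IPs, opt1 is the
# management interface with an IP, opt2 is the bridge itself.  The second
# tunable is deliberately wrong and one rule deliberately uses 'LAN address'.
SAMPLE_CONFIG = """<opnsense>
  <sysctl>
    <item><tunable>net.link.bridge.pfil_member</tunable><value>0</value></item>
    <item><tunable>net.link.bridge.pfil_bridge</tunable><value>0</value></item>
  </sysctl>
  <interfaces>
    <lan><if>vtnet0</if></lan>
    <wan><if>vtnet1</if></wan>
    <opt1><if>vtnet2</if><ipaddr>192.0.2.10</ipaddr></opt1>
    <opt2><if>bridge0</if></opt2>
  </interfaces>
  <filter>
    <rule><interface>opt2</interface><source><network>lanip</network></source>
          <destination><any/></destination><descr>bad: LAN address on bridge</descr></rule>
    <rule><interface>opt2</interface><source><network>192.0.2.0/24</network></source>
          <destination><any/></destination><descr>ok: explicit subnet</descr></rule>
    <rule><interface>opt1</interface><source><any/></source>
          <destination><network>opt1ip</network></destination><descr>ok: mgmt has IP</descr></rule>
  </filter>
</opnsense>"""


def interface_addresses(root):
    """Map interface key (lan, wan, opt1, ...) to its configured IP, or None."""
    addrs = {}
    for iface in root.find("interfaces"):
        ip = iface.findtext("ipaddr")
        addrs[iface.tag] = ip if ip and ip != "none" else None
    return addrs


def unresolvable_address_rules(root):
    """Describe rules whose source or destination uses '<key>ip' (the
    '<interface> address' macro) while that interface has no IP configured."""
    addrs = interface_addresses(root)
    findings = []
    for rule in root.find("filter").findall("rule"):
        for side in ("source", "destination"):
            net = rule.findtext(f"{side}/network")
            if not net or not net.endswith("ip"):
                continue  # explicit subnet, 'any', or not a macro
            key = net[:-2]
            if key in addrs and addrs[key] is None:
                findings.append(
                    f"{rule.findtext('descr')}: {side} '{net}' on interface '{key}' without IP"
                )
    return findings


def missing_tunables(root):
    """Return required tunables that are absent or hold the wrong value."""
    present = {item.findtext("tunable"): item.findtext("value")
               for item in root.find("sysctl").findall("item")}
    return {k: v for k, v in REQUIRED_TUNABLES.items() if present.get(k) != v}


def check_config(xml_text):
    """Run both checks over a config document; empty lists/dicts mean clean."""
    root = ET.fromstring(xml_text)
    return {"rules": unresolvable_address_rules(root), "tunables": missing_tunables(root)}


if __name__ == "__main__":
    for section, result in check_config(SAMPLE_CONFIG).items():
        print(section, result)
```

On the sample, only the rule that references 'LAN address' on the bridge is reported, and the pfil_bridge tunable is listed with its expected value; rules using explicit subnets or a macro for the management interface (which does have an IP) pass.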