opnsense transparent filtering bridge no WAN

Started by wickedllama, September 04, 2024, 12:11:07 PM

Hey everyone,

I have been trying to set up a transparent filtering bridge, but when I get it all set up the firewall seems to not be getting internet. I have added my layout below.

Internet->opnsense->router->

When I have it set up like this I have no internet within the opnsense firewall and then my router never works. I have followed these tutorials and videos below.

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.youtube.com/watch?v=dTUvlFfThPw
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Please let me know if there are any screen shots I should post to better help.

Thanks!

I've not actually done this myself, but I believe all of those guides expect you to place the bridge on the LAN side of your existing (ISP) router - i.e. the WAN port of the opnsense box would be connected to the LAN port of the existing router, and the LAN port of the opnsense box would be connected to a LAN switch - so like Internet<->Router<->Bridge<->LAN.

Quote from: dseven on September 04, 2024, 01:03:54 PM
I've not actually done this myself, but I believe all of those guides expect you to place the bridge on the LAN side of your existing (ISP) router - i.e. the WAN port of the opnsense box would be connected to the LAN port of the existing router, and the LAN port of the opnsense box would be connected to a LAN switch - so like Internet<->Router<->Bridge<->LAN.

dseven, yes you are correct, but I wanted to know if there is a way to get it to go from WAN->opnsense->router->LAN. I am trying to protect my wifi network as well; that is why I am trying to get this done.

I do notice that the router does get an IP from the opnsense firewall but again no internet.

How does your router connect to your ISP? If it is PPPoE a transparent bridge in that position does not make sense. If it's DHCP or static, it can work, but you will have to give your OPNsense a separate management interface and connect that to your internal LAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 04, 2024, 02:51:27 PM
How does your router connect to your ISP? If it is PPPoE a transparent bridge in that position does not make sense. If it's DHCP or static, it can work, but you will have to give your OPNsense a separate management interface and connect that to your internal LAN.

Patrick, thanks for the reply!

So my router is NOT using PPPoE and it is set to Auto "DHCP". I also configured a separate management port to be able to get into the firewall, and that works fine.

Right now I have the LANWAN bridge set to DHCP, and when I connect the router it looks to grab an IP from the opnsense firewall, but I get no internet traffic. Even with just the WAN connected to it I get no internet.

The transparent bridge won't have an IP address. It just bridges from your ISP to your router and the latter will continue to get its IP address from your ISP via DHCP just like before. No DHCP server on OPNsense anywhere!

Make sure you disable the firewall in OPNsense for initial deployment.

When that works, connect the management interface to your internal network and set it to use DHCP for configuration. It will get an IP address, gateway, DNS ... from your router and can be used to manage OPNsense from your PC and to pull updates, sync the time, etc.

Then you can investigate how to set up the transparent bridge to actually perform some filtering.
HTH, good luck,
Patrick

Quote from: Patrick M. Hausen on September 04, 2024, 04:09:57 PM
The transparent bridge won't have an IP address. It just bridges from your ISP to your router and the latter will continue to get its IP address from your ISP via DHCP just like before. No DHCP server on OPNsense anywhere!

Make sure you disable the firewall in OPNsense for initial deployment.

When that works, connect the management interface to your internal network and set it to use DHCP for configuration. It will get an IP address, gateway, DNS ... from your router and can be used to manage OPNsense from your PC and to pull updates, sync the time, etc.

Then you can investigate how to set up the transparent bridge to actually perform some filtering.
HTH, good luck,
Patrick

Patrick,

Thank you for the help, that has worked!!

I now have it set up as WAN->OPNsense->Router->LAN

Now just a quick question, Patrick: with this setup can I set up AdGuard DNS to filter all the traffic, or do I need to dedicate a port to be able to do it so that devices on my network can get an IP from it?

I don't know what you can and cannot do with this transparent bridge setup. I have never used it and probably never will. I always connect OPNsense to the Internet as a router and have strictly internal access points for WiFi. Sorry.

Quote from: Patrick M. Hausen on September 04, 2024, 08:43:20 PM
I don't know what you can and cannot do with this transparent bridge setup. I have never used it and probably never will. I always connect OPNsense to the Internet as a router and have strictly internal access points for WiFi. Sorry.

No worries, you have already helped a bunch!! I will keep messing around with it to see what I can do. I would love to have opnsense as my full router, but I would have to invest in different APs unless I am able to use the current devices I have in an AP mode with it.

Don't your current device(s) have an AP mode?

Quote from: Patrick M. Hausen on September 04, 2024, 08:55:02 PM
Don't your current device(s) have an AP mode?

Patrick, I am currently using 2 RT6600ax, one being a router, the other in AP mode. But I was not sure if this AP mode is only for their own mesh wifi or if I could use these in AP mode and use opnsense as my firewall.

I know some users have used Ubiquiti with the controller installed, but I just recently moved away from Ubiquiti and was not sure what options are out there to use for APs.

Quote from: wickedllama on September 04, 2024, 08:36:57 PM
with this setup can I set up AdGuard DNS to filter all the traffic, or do I need to dedicate a port to be able to do it so that devices on my network can get an IP from it?

AdGuardHome is just a DNS server. If you can get the DHCP server on your existing router to specify a DNS server of your choosing, you could use that to point to your AGH instance.

If you want to run AGH on opnsense, it would need to be reachable from your clients (LAN), and it would need to have access to an upstream DNS resolver (could be your existing router, perhaps - or something on the internet). It may be possible to use the admin interface on your opnsense box for those purposes....

Quote from: wickedllama on September 04, 2024, 02:45:36 PM
Quote from: dseven on September 04, 2024, 01:03:54 PM
I've not actually done this myself, but I believe all of those guides expect you to place the bridge on the LAN side of your existing (ISP) router - i.e. the WAN port of the opnsense box would be connected to the LAN port of the existing router, and the LAN port of the opnsense box would be connected to a LAN switch - so like Internet<->Router<->Bridge<->LAN.

I'm stuck getting mine working, but everything I've read says the OPNsense box needs to go between the ISP modem and my router.

I have Google WiFi, so if I put the OPNsense box AFTER the router it will only bridge wired traffic. Am I understanding that right?

My setup appears to work. I do not lose any access to the internet but I lose access to the management even though I have a static IP set and a 3rd NIC.

I ran that transparent filtering bridge setup for a few days (I just tore it down to rebuild as a router).
I believe both guides I had read clearly recommended inserting the bridge between the router and a switch.
The rationale was that if it was installed on the WAN side of the existing router, then it would only see NATed traffic, making it nearly impossible to find where traffic was initiated from...

I just connected the management port in that same switch and connectivity was not an issue.
IIRC, the OPT1 interface doesn't get default rules accessing from the LAN so I had to add one.
And check the source in that rule. There was another post a few days ago where the OP had used the wrong interface network...
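As an added illustration of the last two points in this post (OPT1 needs its own pass rule, and that rule's source network has to be the right one), here is a small Python check. It is example code, not part of this thread or of OPNsense; it models the layout discussed above (WAN and LAN are bridge members with no address, OPT1 is the management port on the internal switch), and the interface addresses, rule dictionaries and admin PC address are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed model of the box in this thread (assumed values, not real config):
# WAN and LAN are bridge members and carry no IP address; OPT1 is the
# management port plugged into the same switch as the internal LAN.
INTERFACES = {
    "WAN": None,
    "LAN": None,
    "OPT1": ipaddress.ip_interface("192.168.1.23/24"),
}


def resolve_source(source: str, interfaces: dict) -> Optional[ipaddress.IPv4Network]:
    """Resolve a rule source ('any', '<iface> net', or a literal CIDR) to a network.
    Returns None when '<iface> net' names an interface that has no address,
    which is the situation of a bridge member in this layout."""
    if source == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if source.endswith(" net"):
        iface = interfaces.get(source[: -len(" net")])
        return iface.network if iface is not None else None
    return ipaddress.ip_network(source, strict=False)


def check_mgmt_rule(rule: dict, interfaces: dict, admin_pc: str) -> list:
    """Findings for a pass rule meant to let the admin PC reach the management
    interface. An empty list means the rule would actually match that PC."""
    findings = []
    if interfaces.get(rule["interface"]) is None:
        findings.append(
            f"rule is bound to {rule['interface']}, which has no address (bridge member)")
    net = resolve_source(rule["source"], interfaces)
    if net is None:
        findings.append(
            f"source '{rule['source']}' resolves to no network: that interface has no address")
    elif ipaddress.ip_address(admin_pc) not in net:
        findings.append(f"admin PC {admin_pc} is outside the rule source {net}")
    return findings


if __name__ == "__main__":
    # Constructed rules: the mistaken one uses 'LAN net' although LAN is a bridge member.
    wrong = {"interface": "OPT1", "source": "LAN net"}
    right = {"interface": "OPT1", "source": "OPT1 net"}
    for r in (wrong, right):
        print(r, "->", check_mgmt_rule(r, INTERFACES, "192.168.1.50") or "ok")
```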