Configuration help needed

Started by glen4cindy, October 14, 2024, 04:39:48 AM

I have configured OPNsense as a transparent filtering bridge and have 3 interfaces assigned.
LAN, WAN, OPT1.

I used these instructions:

To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and setup an IP address.

Go to Interfaces ‣ Assign ‣ Available network port, select the bridge from the list and hit +.

Now Add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces ‣ [OPT1], enable the interface and fill-in the ip/netmask.


While I was configuring everything, I had LAN and WAN connected between my router and my switch. Everything was working and I was seeing LAN traffic being filtered as expected. I could manage OPNsense using the IP address I configured for the OPT1 interface.

After everything was configured and working, I moved LAN and WAN so it was between my modem and router. This way it can filter all of my traffic. That's the intended purpose. I am still able to access the internet on all of my devices but I am not able to access the management page at the IP address I configured for OPT1.

So at this point I have no way to manage OPNsense. It's working but I can't access it unless I move it back to its previous position between the router and the switch. This will only filter wired traffic.

I must be missing something. Help is appreciated.


Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
I moved LAN and WAN so it was between my modem and router.
Presumably this involved a change of subnet. Connect to the console and set the IP of the LAN interface to be in that subnet perhaps?



According to the instructions I followed: "A transparent firewall filters traffic without requiring the creation of separate subnets."

The video I followed by Dave from Dave's Garage also described being able to plug this in or unplug it without making any changes to the network configuration.

Apparently that's where the "transparent" part comes in.

It makes it a bit more difficult that it's "headless" at this point. My next step is to reconnect a monitor and keyboard to the device and see what I can figure out from there.

Quote from: glen4cindy on October 14, 2024, 11:48:37 PM
My next step is to reconnect a monitor and keyboard to the device and see what I can figure out from there.

Check out the small KVM options. You can build PiKVM on a Zero 2 to connect over WiFi. https://docs.pikvm.org/v2/

Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
I am still able to access the internet on all of my devices but I am not able to access the management page at the IP address I configured for OPT1.

Did you connect your Desktop/Laptop to the OPT1 interface for management?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 15, 2024, 08:44:45 AM
Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
I am still able to access the internet on all of my devices but I am not able to access the management page at the IP address I configured for OPT1.

Did you connect your Desktop/Laptop to the OPT1 interface for management?

Up until today I have been connecting OPT1 to my network switch.

Today I tried as you suggested and connected a network cable from OPT1 to my laptop.

There was still no access.

I even tried adding an allow rule at the top of the firewall for OPT1:

Protocol any, ip4+ip6
Interface "bridge0"
Source "bridge0 net"
Destination "bridge0 net"

This did not produce any different results.

Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
After everything was configured and working, I moved LAN and WAN so it was between my modem and router.
Which subnet is this?
How is your router accessing the internet?

You said, you assigned an IP to the bridge interface, which? Which subnet?
Which IP has OPT1?


Quote from: viragomann on October 22, 2024, 02:17:42 PM
Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
After everything was configured and working, I moved LAN and WAN so it was between my modem and router.
Which subnet is this?
How is your router accessing the internet?

You said, you assigned an IP to the bridge interface, which? Which subnet?
Which IP has OPT1?

Do not bridge WAN with LAN. LAN is configured for management. Keep it that way. Instead, bridge WAN with OPT1.

Quote from: viragomann on October 22, 2024, 02:17:42 PM
Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
After everything was configured and working, I moved LAN and WAN so it was between my modem and router.
Which subnet is this?
How is your router accessing the internet?

You said, you assigned an IP to the bridge interface, which? Which subnet?
Which IP has OPT1?

I assigned OPT1 an IP address within the same scope as my home network. The directions are not specific, but they say "to be able to configure and manage the filtering bridge (OPNsense) afterwards...." I assumed this IP would have to be one within my network.

192.168.86.x/24

/24 = 255.255.255.0 Correct?

Quote from: Strator on October 22, 2024, 07:22:14 PM

Do not bridge WAN with LAN. LAN is configured for management. Keep it that way. Instead, bridge WAN with OPT1.

I've followed these directions:

Create a bridge of LAN and WAN, go to Interfaces ‣ Other Types ‣ Bridge. Add Select LAN and WAN.

I've seen these same directions on multiple sites and after having all the problems I've been having I've started to wonder if either the directions are wrong or if OPNSense really can't be used in this way anymore.

This explanation makes perfect sense and it completely explains what is happening right now.

I've pulled the NUC and I did a factory reset and configured from the start again. I didn't bother with any firewall rules other than the OPT1 rules like I had read and then I tried again and failed again.

So I tried only connecting the OPT1 interface to my switch. Nothing. I rebooted it and tried again. Nothing. Even though the status screen showed for certain I had an IP on OPT1.

As soon as I connected LAN I was able to connect to management again.

I'm going to reconfigure it like this and give it a try. Thank you.

Quote from: glen4cindy on October 23, 2024, 03:52:56 AM
I assigned OPT1 an IP address within the same scope as my home network. The directions are not specific, but they say "to be able to configure and manage the filtering bridge (OPNsense) afterwards...." I assumed this IP would have to be one within my network.

192.168.86.x/24

/24 = 255.255.255.0 Correct?

Since you didn't state your network ranges before, I don't know.
If it's the LAN subnet behind the router, it's wrong. This would put the whole OPNsense bridge inside your LAN, which isn't what you want.

You might have a transit network between the router and the modem, where you put the firewall in between. I asked for it, but you didn't mention. OPNsense should have an IP inside this subnet, it should be defined on the bridge.

AND your bridge should only have two member interfaces. The OPT1 is useless for your purpose.

Quote from: viragomann on October 23, 2024, 09:49:07 AM
Quote from: glen4cindy on October 23, 2024, 03:52:56 AM
I assigned OPT1 an IP address within the same scope as my home network. The directions are not specific, but they say "to be able to configure and manage the filtering bridge (OPNsense) afterwards...." I assumed this IP would have to be one within my network.

192.168.86.x/24

/24 = 255.255.255.0 Correct?

Since you didn't state your network ranges before, I don't know.
If it's the LAN subnet behind the router, it's wrong. This would put the whole OPNsense bridge inside your LAN, which isn't what you want.

You might have a transit network between the router and the modem, where you put the firewall in between. I asked for it, but you didn't mention. OPNsense should have an IP inside this subnet, it should be defined on the bridge.

AND your bridge should only have two member interfaces. The OPT1 is useless for your purpose.

I'm a bit more confused now.

You mention "a transit network between the router and the modem" but the only thing between my router (which is Google Home WiFi) and my modem is an ethernet cable. My ISP has locked access to my modem once it is in operation. If I catch it during boot it has an IP address of 192.168.100.1 or 1.100 I can't remember which. Are you saying this is the IP range where the bridge needs to be?

The bridge does only have 2 member interfaces.

I have OPT1 because I followed step 4:

4. Assign a management IP/Interface
To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and setup an IP address.

Go to Interfaces ‣ Assign ‣ Available network port, select the bridge from the list and hit +.

[Image: Filtering Bridge Step 4.png]

Now Add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces ‣ [OPT1], enable the interface and fill-in the ip/netmask.


When I followed a later suggestion here and used LAN for management and bridged WAN and OPT1 the bridge appeared to work and my wired network worked as well but the Google Home WiFi router lost connection and never locked again until I removed the NUC and put the cable directly into the cable modem. Rebooting each, and all 3 didn't resolve.

@glen4cindy

OPNsense does work as a transparent firewall. That's how I use it.

The only IP address you should have there is on LAN for management. Set a static IP address for it. You can connect OPNsense LAN directly to some management PC or your switch. The latter is a more flexible setup.

You can put that transparent firewall between your modem and router or between your router and switch.

Forget the instructions found on Dave's Garage. They are inconsistent. Follow instructions from Zenarmor. Just notice that "LAN" (uppercase) there means a local network. They use lowercase for OPNsense interfaces (wan, lan and opt1).

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Quote from: glen4cindy on October 24, 2024, 02:18:58 AM
You mention "a transit network between the router and the modem" but the only thing between my router (which is Google Home WiFi) and my modem is an ethernet cable.
I tried to find out, if there is a local subnet between your modem and router or if your router gets the public IP address from your ISP.

Quote from: glen4cindy on October 24, 2024, 02:18:58 AM
I have OPT1 because I followed step 4:

4. Assign a management IP/Interface
To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and setup an IP address.

Go to Interfaces ‣ Assign ‣ Available network port, select the bridge from the list and hit +.

[Image: Filtering Bridge Step 4.png]

Now Add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces ‣ [OPT1], enable the interface and fill-in the ip/netmask.

You can do this though, but you would have to connect your computer directly to OPNsense OPT1 interface to access it. You cannot access it from behind the router, because it doesn't know this IP and directs all traffic to unknown destinations to the default gateway, which is either the modem or somewhere at the ISPs network.
Seems a bit inconvenient to me.

@glen4cindy please take one step back and check fundamental requirements first.

How does your ISP (?) router connect to the Internet via the ISP modem? If it's via DHCP - fine. If it is PPPoE, you need to redesign your setup, anyway. A transparent bridge firewall cannot inspect a PPPoE data stream.

Apart from that - what @viragomann wrote: you need one interface connected to your internal network with an IP from your internal network. This is not part of the bridge! It's just for management purposes. And it needs a patch cable to your switch or one of the internal ports of your router if you do not have a dedicated switch.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
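The reachability reasoning in viragomann's and Patrick's replies above (a host behind the router only reaches a management IP that is both in its subnet and on its own L2 segment; anything else goes to the router's default gateway) can be written down as a small model. This is an added example, not code from the thread or from OPNsense; the 192.168.86.50 management PC, the 192.168.100.2 transit address and the segment names are constructed assumptions.

```python
from ipaddress import ip_interface

# Constructed model of the topology discussed in the thread.
# L2 segments: "home_lan" is the switch plus the router's LAN side;
# "modem_link" is the cable between the cable modem and the router.
# A bridge forwards frames between its member ports, so an address put on
# the bridge lands on whichever segment the bridge is inserted into.

MGMT_PC = ip_interface("192.168.86.50/24")  # constructed host behind the router


def management_reachable(iface, pc=MGMT_PC, pc_segment="home_lan"):
    """Decide whether the PC can reach an OPNsense management address.

    iface: {"ip": "a.b.c.d/n", "segment": <segment the port is cabled to>}
    Returns (reachable, reason).
    """
    mgmt = ip_interface(iface["ip"])
    if mgmt.ip not in pc.network:
        # Off-subnet: the PC hands the packet to the router, which has no route
        # for that subnet and forwards it to its default gateway (modem/ISP).
        return False, "off-subnet: router forwards it to its default gateway"
    if iface["segment"] != pc_segment:
        # On-subnet: the PC ARPs on its own segment, but the OPNsense port is
        # cabled somewhere else, so no reply ever comes back.
        return False, "same subnet but different L2 segment: ARP gets no reply"
    return True, "same subnet and same L2 segment"


SCENARIOS = {
    # OP's first attempt: address on the bridge (OPT1), bridge between modem and router.
    "bridge_ip_between_modem_and_router": {"ip": "192.168.86.2/24", "segment": "modem_link"},
    # Same address, but the bridge sits between router and switch (OP's test setup).
    "bridge_ip_between_router_and_switch": {"ip": "192.168.86.2/24", "segment": "home_lan"},
    # Advice in the thread: static IP on the non-member LAN port, patched to the switch.
    "lan_port_on_switch": {"ip": "192.168.86.2/24", "segment": "home_lan"},
    # Address on the bridge in a transit subnet the home router knows nothing about.
    "bridge_ip_in_transit_subnet": {"ip": "192.168.100.2/24", "segment": "modem_link"},
}


def evaluate_all():
    """Map each scenario name to its (reachable, reason) verdict."""
    return {name: management_reachable(cfg) for name, cfg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:40s} {'reachable' if ok else 'unreachable':12s} {why}")
```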