Transparent Bridge - How to get Internet Access On Additional OPT Port?

Started by luxgalactic, December 01, 2024, 09:45:22 PM

Good day. First, I am horrible when it comes to networking. Doesn't matter how hard I try, I just struggle.

Starting Point: https://www.youtube.com/watch?v=Rb4vlN_Hf-U
Appears to be a video of: https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Network Topology
ISP Modem > 4 Port N100 (OPNSense Device) > ASUS Router

OPNSENSE Box
1 Port is connected to the ISP Modem. (Labeled as OUT)
1 Port is connected to the ASUS Router (Labeled as IN)
1 Port is connected to the ASUS Router (Labeled as MGMNT)
1 Port is connected to a work computer (Labeled WORK)

Bridge Interface members: IN and OUT

HOME SIDE (IN OUT BRIDGE MGMNT)
ASUS Subnet 192.168.1.0/24

BRIDGE Firewall Rules: Allow all (IPv4)
MGMNT Firewall Rules: 4 different to allow access to webui, ssh, and a couple of services
OUT Firewall Rules: None
IN Firewall Rules: Default allows

NAT OUTBOUND: Disabled per video / documentation

Gateway (In OPNSense) on MGMNT Interface and 192.168.1.1

All of this side of the setup works as expected. No issues. The ASUS is still doing the majority of the work; the OPNSense is just adding some firewall pieces to my existing network.

WORK SIDE
Interface is active, 192.168.2.0/24 (192.168.2.1)
DHCP is active, range from 100 to 199
Work Computer received 192.168.2.100
Firewall Rules: IPv4, WORK net, ANY / ALL (Allow all)

Problem: No internet access

Goal: I want to be able to get to the internet from my work computer. I simply wanted to get the work computer off my local network and on to its own for separation. I don't know what I need to do in order to get the traffic from the work computer out to the internet.

I have tried searching the forum and the internet in general. Part of the problem I have is not having the necessary knowledge to know what exactly I am searching for. Attempts to use ChatGPT have been unsuccessful, and I am fearful of 'just doing things' which might cause what works now to stop working.

Thanks in advance.


This requires that you assign an IP to the bridge or to OUT and NAT the WORK subnet to it.
I assume that your "ISP modem" is in fact a router, so that you have a private subnet between it and the ASUS router.

So you have to add the ISP router as an upstream gateway. Then assign an IP to OUT and state this as the gateway below.

Sorry, a piece I missed: the cable modem is in bridge mode. It is not performing any routing functions.

I get the first part, get an IP address on one of those interfaces. I think I tried to do that before and ended up having issues where nothing could get out to the internet, and I ended up having to start over and not stray from the video. Maybe I needed the second piece, which I don't understand enough to make it work.

I'll do some more research with the idea that I need to be using outbound NAT rules.

So the ASUS router gets the public IP. I didn't watch the videos, but I don't think they cover this.

So I'd remove the bridge and configure the public IP on the OPNsense WAN. Do you have issues with double NAT behind the ASUS? If so, possibly you can set it into bridge mode.

The transparent filtering bridge model that you've implemented is for one network. You're trying to add a second network ("work"), but your Asus router (which is currently handling all routing) is not set up to route that second network. If you want to keep the transparent filtering bridge model, you'd have to add the second network to the Asus router, somehow deliver it to OPNsense (perhaps VLANs), and then build a second transparent filtering bridge on OPNsense for it.

I suppose you could do some sort of combined approach, where you keep your transparent filtering bridge for LAN but add a routed "work" network. If you do that, you'll have to route to the internet through your management interface, and you'll also have to enable your Asus router to route back to your "work" network. That means either a static route on the Asus router (pointing to your management interface's IP address), or you could do outbound NAT on OPNsense for the "work" network, which means double NAT (because the Asus is doing NAT too). That may be OK in your situation. If you're not doing NAT on OPNsense, the Asus router would need to do it (for the extra routed subnet); I don't know off-hand if it would do that.

What is your motivation for keeping the Asus router, as opposed to having OPNsense handle routing, DHCP, etc?
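As an added illustration of the combined approach described in the reply above (a hand-written pf fragment, not from the thread and not the ruleset OPNsense itself generates from the GUI), this is the shape the resulting policy has to take. The interface device names igc2/igc3, the MGMNT address 192.168.1.2 and the management ports are assumptions; the subnets and the 192.168.1.1 gateway are the poster's.

```pf
# Hand-written pf model of the combined setup (assumed interface names;
# OPNsense builds its own ruleset from the GUI, this only shows what
# that ruleset has to contain). Routing itself is not expressed here:
# OPNsense's default gateway sits on MGMNT and points at 192.168.1.1.
bridge_if = "bridge0"   # transparent bridge, members IN + OUT
work_if   = "igc3"      # WORK, 192.168.2.1/24 (assumed device name)
mgmt_if   = "igc2"      # MGMNT, assumed 192.168.1.2/24
work_net  = "192.168.2.0/24"

# Option A (what the thread settles on): outbound NAT on MGMNT, i.e. double
# NAT. Packets from WORK leave MGMNT carrying its address, so the ASUS sees
# an ordinary 192.168.1.x host and needs no route back to 192.168.2.0/24.
# (pf wants translation rules before filter rules, hence the position.)
nat on $mgmt_if inet from $work_net to any -> ($mgmt_if)

# Option B (no NAT on OPNsense): drop the nat line above and instead give
# the ASUS a static route "192.168.2.0/24 via 192.168.1.2", otherwise
# return traffic for WORK has nowhere to go.

# Transparent bridge: filtering happens on the bridge interface, not on
# its members (net.link.bridge.pfil_bridge=1, net.link.bridge.pfil_member=0),
# and the poster's bridge rule is "allow all".
pass quick on $bridge_if all

# WORK may go anywhere; replies come back through the state entry.
pass in quick on $work_if inet from $work_net to any keep state

# MGMNT: only the management services the poster exposes (web UI, SSH).
pass in quick on $mgmt_if inet proto tcp from 192.168.1.0/24 \
    to ($mgmt_if) port { 443, 22 } keep state
```

The security-relevant point is in the two options: with option A the WORK hosts are hidden behind the MGMNT address and can only originate connections, which is what the poster wants for separation; with option B the ASUS can reach WORK directly, so the WORK interface rules on OPNsense are the only thing separating the two networks.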

Originally, my goal was to use the OPNSense box as the router and put the ASUS into AP mode (acting as a switch and providing Wi-Fi). Every attempt I made just failed, one sort of problem or another. I use a lot of static / manually assigned IPs for devices, so the back and forth in failed attempts was becoming burdensome. I also have a number of devices that need to go through a VPN, and while I found some tutorials on setting up a WireGuard client on OPNSense, they almost all were routing all traffic through the VPN and I didn't want that. So mainly the driver for keeping the ASUS doing what it is doing is because I can actually manage it and have it do what I need. The flexibility of OPNSense makes managing it a challenge for me, and while I love learning, I need a working network.

The ASUS can't do VLANs at this time on the stock firmware. The ASUS does get the public IP. I don't think I've ever been double NAT'd.

I'm not really following, so I think I'll just plug my work computer back into the ASUS and live with it. I did wonder about using an outbound NAT on the OPNSense where I used the existing MGMNT interface, following viragomann's first comment. Sounds like that would not have worked without something more being needed.

OPNsense can do Wireguard with policy-based routing (allowing you to control what goes through the VPN) - https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

It can also do DHCP host reservations - https://docs.opnsense.org/manual/dhcp.html#reservations

I understand you're frustrated right now, though. Maybe revisit it after cooling off a bit? :)

The double-NAT method using your management interface should work, I think, assuming the work hosts only need to connect outbound, but it's a bit convoluted IMO.

dseven, thanks. This transparent filtering bridge was my post-cool-down attempt, so to speak ;) I had given up a couple months ago and was going to give pfSense a try because it looked to be a little less customizable, and my hope was that fewer levers would mean success. As I was getting ready to start, I saw the video and thought I'd give this a try first because it would leave my network largely intact, allowing me to take a baby step.

That WireGuard link looks familiar. I think I referenced that or something at least really similar. I recognize the term "Road Warrior".

My DHCP / static mapping was more of a comment about having to redo them every time. I got to a point where I could just restore my ASUS config, but each time I blew out OPNSense that work needed to be redone, as playing with the config XML wasn't something I was comfortable doing. If I'm being honest, this feels just above me, and I probably should just hire someone to spend time teaching me in a hands-on approach. That way I'm working on my setup and can ask questions, not blindly following a guide that isn't 1:1.

I did add the outbound NAT rule where I used the MGMNT interface for WORK, and everything actually seems to be working without needing to do anything on the ASUS. Not that this makes sense to me; I wasn't expecting it to work given the comments. I might test this out for a while and see what isn't working.