Also at a loss only worst

Started by timlab55, October 05, 2025, 02:43:07 PM

I'm a newbie by the word. I'm sorry I don't understand what Layer2 Firewall means. This is what I would like to happen as I didn't pay $400 for an ASUS router (BE-86u). I have an ATT gateway that brings in the 1GP fiber into my house which is currently set up in IP Passthrough to my ASUS router. Today, I get my mini PC and want to solely put OPNsense on it for the firewall only. No router functions, just firewall, as my ASUS router will do all the DHCP. So (as they say on TV) "how do you do that?"
Thanks

You need a transparent filtering bridge or a "layer 2" firewall.

If you consider yourself inexperienced, one might question why you want to set up the most complicated and error-prone type of firewall there is. Getting DHCP alone to work across such a device needs a thorough understanding of DHCP. And then there is every other protocol ...

Anyway, you do you and the documentation is here:
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

What do you think you need OPNsense for if you already paid for that Asus router - which among other things is a firewall?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Why would the fw have to be a bridge?
ASUS router doing DHCP? That's for LAN only, because your ASUS router is not giving your ISP any IP.

Just set up the fw normally and don't use the DHCP server services that are available from the device (but set the WAN port to get its IP from DHCP, etc.), or do use DHCP on the LAN side if the ASUS is already configured to use DHCP on its "wan" port; just be sure not to overlap the IP subnet with any DHCP settings of the ASUS. You would only need a /30 DHCP scope on the fw to support your ASUS router getting its WAN IP from the fw. Use something like 10.50.0.0/30 (/30 is 255.255.255.252), as long as your ASUS does not have a DHCP pool that covers that subnet.

Mini-pc N150 i226v x520, FREEDOM

@Patrick M. Hausen - I thank you for your info and plan to follow the docs that you gave me. However, look at step #6. The title is "Disable the DHCP server on LAN". So what do I do here? Click the box Enable DHCP server on LAN interface or not? Here is what my router currently looks like. My Mini PC is coming today :)

You disable the DHCP server on OPNsense on the LAN interface of OPNsense because you want to use the DHCP server on your Asus router. All steps in that documentation apply to OPNsense only. You are not supposed to change anything about your router's configuration.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I hear and obey your command. Next question. I will only have 2TB of storage on my mini PC. If I stick with just the basic OPNsense (ClamAV), what other one (plugin) would you add? The reason why I bring up the storage is because I would like to have the mini PC become part of my LAN in the sense that I can write files back and forth from my Windows PC to my mini PC and back again, as my NAS has 3TB. Is this possible? If so, how do I do this part now?

A dedicated firewall appliance is a dedicated firewall appliance and nothing else. Not a file server, not a NAS. If you install OPNsense on your mini PC it's a firewall.

You might want to think about virtualisation, because 2 TB is not "only 2TB", it's a factor of 10 more than a firewall ever needs.

OK, I take back my remark about the most complicated setup possible from my first post back. The most complicated backup possible is a virtualised transparent bridge firewall and you will need familiarity with hypervisors, Unix plus advanced networking concepts.

And that PC would need at least 3 network ports to do that.

Good luck.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think you misunderstood me when I was talking about a NAS. The files that OPNsense makes/has, I would like to send to my NAS.

There are plugins for backup to e.g. SFTP. Apart from that what would you want to send?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)