Transparent Filter Bridge setup - no internet

Started by tdukes, October 13, 2025, 10:04:50 PM

Hello,

I'm having some issues setting the TFB up. I did the default install on a Protectli 4 port.

I am following the OPNsense docs. When I get to #6 - Disable DHCP Server on LAN, there is no LAN under ISC DHCPv4, only the MGMT interface I setup following the guide.

Also, I can connect to the MGMT interface but when I try to update the packages, I am not connected to the internet.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7 (amd64) at Mon Oct 13 15:32:08 EDT 2025
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/sets/changelog.txz: Network is unreachable
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Network is unreachable
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Network is unreachable
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Network is unreachable
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I can ssh in but cannot ping anything on the internet.

I also tried connecting the LAN interface to my switch to see if that had access. No go there. Now I can't login to my modem/router.

I think I'm hosed!

Any help would be grateful!



The TFB (what's the "F" stand for again...?) concept is a bit wonky - a completely transparent bridge would be inaccessible via IP. Since you do have a management IP, in order for the firewall itself to reach other networks, it needs at least a default route (gateway). How you would obtain the gateway depends on how you assigned the address - static or dynamic. Given this, the now not-so-transparent bridge can be used as a gateway for devices connected to the bridge (assuming it has appropriate routes); devices connected to the bridge may also reach gateways also connected to the bridge directly. And all of this assumes appropriate rules.

Your bridge can be mostly transparent if its management address is inaccessible from the bridge (using a dedicated interface) and, to be at all useful, from the Internet, but it does complicate updates, URL aliases, NTP, etc., and is therefore not recommended for most users. There's little point to it in any case.

What rules do you have? You can observe their behavior in the live log ("Firewall: Log Files: Live View"), so long as you have logging enabled (in the rule definition for your rules, and under "Firewall: Settings: Advanced" -> "Logging" for the automatic rules).

I have a bit of fun with my initial Internet edge bridge ruleset, a minimal set of rules which would handle both Internet and local traffic. It wasn't quite practical - I still have some of the rules, but I added more network-specific ones (specific source and/or destination), diluting the concept somewhat.

Hi!

Thanks!!

I started over (at least 6 times) since I posted. I am now getting the error on #9 when I try to change the LAN type to 'none'.

The following input errors were detected:

    The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.

I was able to get back into my modem/router by unplugging OPNsense from the switch.

Here's what's in the firewall log:



I did add 'Allow All' rules to WAN, LAN and the MGMT interfaces. Not sure why the FW logs says 'Default deny'. I didn't see where to add a gateway except under System > Settings > General. Next to the DNS server, there's a drop down box that only contains 'none'.

Quote from: tdukes on October 14, 2025, 12:26:55 AM
I started over (at least 6 times) since I posted. I am now getting the error on #9 when I try to change the LAN type to 'none'.

Huh! Did you have a DHCP server set up at one point? I guess it may be the default... Check "Services: ISC DHCPv4: [LAN]" (and any other interfaces), "Services: Kea DHCP: Kea DHCPv4" and "Services: Dnsmasq DNS & DHCP".

Hmm. I guess you have a separate management interface... Not a bridge, not a member of a bridge?

Quote:
I did add 'Allow All' rules to WAN, LAN and the MGMT interfaces. Not sure why the FW logs says 'Default deny'. I didn't see where to add a gateway except under System > Settings > General. Next to the DNS server, there's a drop down box that only contains 'none'.

The pass rule would have to be applied to the bridge interface, whichever that is. LAN? Rules applied to bridge member interfaces will not function. I'd recommend a good old "pass in quick any" - you do want the "Quick" option checked under the rule (in most cases).

For a gateway, try "System: Gateways: Configuration". Make it an "Upstream Gateway" (checkbox). See here.

I'm locked out again even with the management interface. I'll start over again in the morning.

Has something changed since version 17.1.6 regarding this setup? I have this running as a vm but not as a TFB. Installed it a couple weeks ago just to get familiar with it. The server only has 2 NICs and I got locked out of the vm multiple times as well.

Do I need it to act as a bridge? I have to use my modem/router because it's on cable. Is there anywhere or any way to use it and give it a different IP and still route traffic through it?

Thanks again!!

What operation are you performing that locks you out? You might consider creating a file system snapshot under "System: Snapshots" before you lock yourself out, so you can reboot and switch to the saved snapshot (see here). Be sure to clean up afterward...

As far as topology, I'm actually partial to bridges. I use four on my firewall and I break down my wi-fi APs to simple bridges. So I can only give you bad advice. You might consider simply applying an address to the bridge interface rather than using a separate management interface. And don't disable the anti-lockout rule until you have your own in place.

Guess I should have put the mgmt interface on a different subnet.

I re-installed this morning and followed a different set of instructions and now have it working. Everything is being routed thru OPNsense.

The only issue is I cannot do a package update. I get the following error: No address record found for the selected mirror.

When I google that, it appears to be a DNS issue. I found some suggestions but they didn't work for me.

I ran a DNS Lookup in the diagnostics for pkg.opnsense.org but it didn't return anything. Been trying different things for the last few hours but I can't seem to figure it out.

To communicate with any host on the internet, OPNsense either needs an IP and a gateway in the WAN subnet or a gateway in any other subnet (management), which routes the traffic accordingly.
I guess you're missing this currently.
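A small triage script for the point made above: before pkg can reach the mirror, the firewall itself needs a default route (the "Network is unreachable" output earlier in the thread) and a working resolver (the "No address record found" error). This is an added example, not code from the thread or from the OPNsense project; it assumes FreeBSD's `netstat -rn -f inet` output format and the `drill` tool from the base system, and the GUI paths it prints are the ones already named in this thread.

```shell
#!/bin/sh
# Connectivity triage for the firewall itself, meant to run in the OPNsense shell.
# Added example for this thread; not from the original posts or the OPNsense project.
# Assumes FreeBSD `netstat -rn -f inet` output and `drill` (both in the base system).

# Read `netstat -rn -f inet` output on stdin; print "<gateway> <interface>" for the
# default route and succeed, or print nothing and fail when no default route exists.
default_gateway() {
    awk '$1 == "default" { print $2, $4; found = 1 } END { exit !found }'
}

# Read a resolv.conf on stdin; succeed only if at least one nameserver is configured.
has_nameserver() {
    awk '$1 == "nameserver" { found = 1 } END { exit !found }'
}

# Map the pkg error text seen in this thread onto the missing piece of configuration.
classify_pkg_error() {
    case "$1" in
        *"Network is unreachable"*)  echo routing ;;  # no default route (gateway)
        *"No address record found"*) echo dns ;;      # no working resolver
        *)                           echo unknown ;;
    esac
}

# Live run: gather the real data and print a plain-language verdict.
triage() {
    if gw=$(netstat -rn -f inet | default_gateway); then
        echo "default route: $gw"
    else
        echo "no default route: add an Upstream Gateway (System: Gateways: Configuration)"
    fi
    if has_nameserver < /etc/resolv.conf; then
        echo "resolver configured; verify with: drill pkg.opnsense.org"
    else
        echo "no nameserver: set DNS servers (System: Settings: General)"
    fi
}

# Only run the live checks when invoked as `sh triage.sh run`; sourcing just defines the functions.
if [ "${1:-}" = "run" ]; then
    triage
fi
```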