[HOWTO] Filtered Bridge / Layer 2 L2 Firewall / Transparent firewall

Started by Labber53, November 13, 2025, 12:14:34 AM

TLDR; Along with many others I struggled with the old documentation at https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

EDIT: added note about extracting ISO from the download
EDIT2: fixed typo in gateway name

This is a repeatable simple build for a new OPNsense 25.7 layer 2 firewall.

What: A filtered transparent bridge (layer 2 firewall) is used to segment a network, isolating one or more hosts on a subnet

Why: Useful for observing traffic or for legacy systems that do not have a built-in software firewall

How: Set up a VM environment and an OPNsense firewall with two interfaces, one to your Lab network, and one for traffic "behind" the firewall

Important: A layer 2 firewall is not compatible with traffic shaping. It has a management IP address, but cannot participate in routing, proxy, IPS, etc.

Lab Topology
Update the instructions for your own Lab network
  • Lab network subnet: 192.168.1.0/24
  • Lab router/gateway: 192.168.1.1/24
  • OPNsense management IP: 192.168.1.2/24
  • DNS servers: 9.9.9.9, 1.1.1.1
  • Your Lab workstation for configuring everything: IP in 192.168.1.0/24
  • In my XCP-ng lab, the interfaces are xn0, xn1, xn2; these names will vary across different virtual environments

Download the Installation ISO

Prepare the VM Networks
  • VM host interface to the Lab LAN, no VLANs
  • Private network for the backend network segment, no VLANs

Create the VM
  • vCPU: 4
  • RAM: 4GB (recommended is 8GB, but 4GB works for this Lab)
  • First network: host network (192.168.1.0/24)
  • Second network: back end private network
  • Third network: host network (192.168.1.0/24)
  • Disk: 32GB

Install OPNsense 25.7
  • Boot from the OPNsense 25.7 DVD ISO (https://opnsense.org/download/)
  • Log in as installer/opnsense
  • Select the keymap
  • Install ZFS (best choice for this Lab)
  • Accept the disk to install on (use space bar to check the box)
  • Set the root password
  • Select Reboot now
  • Eject/remove the installation ISO after the reboot starts

Configure OPNsense from Console
  • Log in to Console as user root with the password you selected
  • 1) Assign interfaces
  • LAGGs? No
  • VLANs? No
  • WAN interface name: none (press Enter)
  • LAN interface name: xn0
  • OPT1 interface name: xn1
  • OPT2 interface name: xn2
  • Optional interface: just press enter to stop adding interfaces
  • Proceed
  • 2) Set interface IP addresses
  • LAN
  • Configure IP via DHCP? No
  • IPv4 address: 192.168.1.2
  • Mask bits: 24
  • Upstream gateway: press enter to accept no gateway
  • IPv6 address: No, none (press enter)
  • Enable DHCP server on LAN: No
  • Change to HTTP: No
  • Generate new self-signed web GUI certificate: No
  • Restore web GUI defaults? No
  • WAN and OPT: there is no WAN, no IP addresses on OPT interfaces

Configure OPNsense from Web GUI
  • From your workstation on your Lab network, browse to the OPNsense firewall's management IP
  • https://192.168.1.2
  • Click Next to start the Wizard
  • Enter a hostname, domain and DNS settings
  • Uncheck Override DNS
  • Uncheck Enable Resolver
  • Click Next
  • There is no WAN, but to get past this screen, set type to DHCP and the IP to 4.4.4.4/32
  • Make sure you do not block RFC1918 private networks or bogon networks
  • Click Next
  • LAN: Uncheck Configure DHCP Server
  • Click Next
  • Optionally enter a new password
  • Click Next
  • Interfaces > Assignments
  • Delete WAN interface
  • Click Save
  • Create Bridge Interface
  • Interfaces > Devices > Bridge
  • Add a new bridge, select OPT1 and OPT2
  • Optionally add a description
  • Click Save and then Apply
  • Move management IP address to the bridge
  • Interfaces > Assignments
  • Change LAN to be bridge0 (Bridge)
  • Click Save
  • Add System Tunables
  • System > Settings > Tunables
  • net.link.bridge.pfil_member = 0
  • net.link.bridge.pfil_bridge = 1
  • Click Apply
  • Modify firewall rules
  • Firewall > Rules > LAN
  • Modify the Default allow LAN to any rule
  • Change source to any
  • Enable logging
  • Update description to Allow all traffic on bridge
  • This change allows multicast, broadcasts, and DHCP to work
  • Click Save
  • Edit the IPv6 rule to disable it, and Save
  • Click Apply Changes

Update Firmware and Enable Guest tools
  • Add gateway to the Internet
  • System > Gateways > Configuration
  • Add gateway
  • Name: Lab_gateway
  • Interface: LAN
  • IP address: 192.168.1.1
  • Description: Internet gateway
  • Click Save and then Apply
  • Add gateway to LAN
  • Interfaces > LAN
  • IPv4 gateway rules: Lab_gateway
  • Click Save and then Apply changes
  • Update firmware
  • System > Firmware > Status > Check for Updates
  • Due to a known issue, it will fail the first time, so run again
  • Read the long message, click Close
  • Scroll down to the end, then click Update
  • Click OK to accept the reboot
  • Enable Guest tools
  • Log back in, System > Firmware > Plugins
  • Check Show community plugins
  • find your VM environment's plugin (os-xen, os-qemu-guest-agent, os-vmware, os-virtualbox) and click "+" to install it
  • Reboot
  • Power > Reboot > Yes

Testing
  • Spin up a VM on the backend private network, e.g. Windows 11
  • DHCP should work, Internet access
  • Add firewall rules to the LAN, above the allow any rule, dropping specific traffic from that IP (e.g., https)
  • View the firewall logs
  • Firewall > Log Files > Live View
  • It is recommended to use DHCP reservations or static IPs on the systems behind the L2 firewall so you can write firewall rules for those IP addresses

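Added sanity check for the bridge built above (an added example, not part of the forum post or of OPNsense itself): after the tunables, bridge and firewall rule steps, the script below confirms from the OPNsense shell (console menu option 8) that filtering is on the bridge and not on the members, that both back-end interfaces are bridge members, and that the management IP has actually moved to bridge0. The script name, the check function names and the sample command output are assumptions; the samples are constructed in FreeBSD's `sysctl` and `ifconfig` output format so the checks can be run offline, and `--live` feeds them the real command output instead.

```shell
#!/bin/sh
# check_bridge.sh (assumed name): sanity checks for an OPNsense filtering bridge.
# Live use on the firewall:  sh check_bridge.sh --live xn1 xn2 192.168.1.2
# Each check takes the raw command output as a string, so the same functions
# run against the constructed samples at the bottom when no --live is given.

EXPECTED_PFIL_MEMBER=0   # net.link.bridge.pfil_member: do not filter on members
EXPECTED_PFIL_BRIDGE=1   # net.link.bridge.pfil_bridge: filter on bridge0 (the LAN rules)

# sysctl_value "<sysctl output>" "<key>": print the value of one key.
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2 }'
}

# check_tunables "<output of: sysctl net.link.bridge>"
# Returns 0 only when both tunables match the values set in System > Settings > Tunables.
check_tunables() {
    m=$(sysctl_value "$1" net.link.bridge.pfil_member)
    b=$(sysctl_value "$1" net.link.bridge.pfil_bridge)
    [ "$m" = "$EXPECTED_PFIL_MEMBER" ] && [ "$b" = "$EXPECTED_PFIL_BRIDGE" ]
}

# bridge_members "<output of: ifconfig bridge0>": print member names, one per line.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}

# check_members "<ifconfig output>" <iface1> <iface2>
# Returns 0 when both back-end interfaces (OPT1/OPT2) are members of the bridge.
check_members() {
    members=$(bridge_members "$1")
    for want in "$2" "$3"; do
        printf '%s\n' "$members" | grep -qx "$want" || return 1
    done
    return 0
}

# check_mgmt_ip "<ifconfig output>" <ip>
# Returns 0 when the management address is on bridge0 itself, i.e. the
# "Change LAN to be bridge0" step was saved.
check_mgmt_ip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }' | grep -qx "$2"
}

# run_checks "<sysctl output>" "<ifconfig output>" <iface1> <iface2> <ip>
# Prints one line per check and returns the number of failed checks.
run_checks() {
    fails=0
    check_tunables "$1" && echo "ok   pfil_member=0 pfil_bridge=1" \
        || { echo "FAIL bridge tunables (filtering would hit the members, not LAN rules)"; fails=$((fails + 1)); }
    check_members "$2" "$3" "$4" && echo "ok   bridge members $3 $4" \
        || { echo "FAIL bridge members"; fails=$((fails + 1)); }
    check_mgmt_ip "$2" "$5" && echo "ok   management IP $5 on bridge" \
        || { echo "FAIL management IP not on bridge"; fails=$((fails + 1)); }
    return $fails
}

# Constructed samples (not captured from a real box) in FreeBSD's output format,
# matching the post's lab: members xn1/xn2, management IP 192.168.1.2.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw: 0'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        member: xn2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000
        member: xn1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000
        groups: bridge'
# Same box before the tunables step: FreeBSD's default is to filter on members too.
SAMPLE_SYSCTL_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

if [ "${1:-}" = "--live" ]; then
    run_checks "$(sysctl net.link.bridge)" "$(ifconfig bridge0)" "$2" "$3" "$4"
else
    run_checks "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" xn1 xn2 192.168.1.2
fi
```

A failed tunables check is the one to take seriously: with pfil_member left at 1, pf evaluates traffic on xn1/xn2 (which have no rules) in addition to the bridge, so the LAN rule set you write in the Testing section is not the only thing deciding what passes.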

I have a PR open that updates this part of the documentation:

https://github.com/opnsense/docs/pull/799

It also takes VLANs into account and is aimed at professional setups (where that kind of filtering bridge usually runs).
Hardware:
DEC740

That's awesome Monviech (Cedrik)! I struggled with this a couple of years ago and finally got to come back to it and get it working.

To get the firmware updates working, don't forget to add the gateway :)

Yeah, you are right, I forgot to hint at needing a gateway. If anything else is unclear, feel free to leave review comments on GitHub and I'll evaluate and fix these spots.
Hardware:
DEC740