Transparent Filtering Bridge config question

Started by Jose, November 15, 2025, 06:48:32 PM

November 15, 2025, 06:48:32 PM Last Edit: November 15, 2025, 07:15:10 PM by Jose
Hello, I'm really sorry if this was asked previously, but I have some specific questions regarding a typical Transparent Filtering Bridge configuration.

I was using OPNsense for several years without any issues so far; however, I've recently switched from a standard setup to the Transparent Filtering Bridge mode because I switched from DSL to a CGNAT/ISP, so I have some questions regarding some settings which typically differ from the OPNsense TFB how-to documentation.

This is my current TFB setup (IPv6 is disabled):

Interfaces: [WAN] -> igb0
  IPv4 Configuration Type: DHCP (It was: NONE)
  IPv6 Configuration Type: NONE (It was: DHCPv6)

Interfaces: [LAN] -> igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE (It was: Track Interface)

Interfaces: [TFB] -> igb0 + igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE

Interfaces: [ADM] -> vtnet0
  IPv4 Configuration Type: Static IPv4
  IPv6 Configuration Type: NONE

My question is whether the above TFB configuration looks acceptable, since I had set IPv4 to DHCP on the [WAN] interface; otherwise OPNsense is unable to be upgraded as expected since there's no route to host.

The OPNsense and Zenarmor how-tos both specify setting IPv4 to NONE, but in my case I had to set it. The TFB rules seem to work as intended; however, is there any security implication in leaving the [WAN] IPv4 set to DHCP always, plus the required rule to "Allow All" on that interface?

I could disable it and set it back to NONE after OPNsense upgrades and reboots, but that is a bit of a hassle.

PS: the [ADM] interface is only for local administration. Also sorry, as I pushed Post instead of Preview while writing.

Regards
OPNSense on Bhyve VM set with 2vCPU, 4GB-RAM, 120GB-ZFS, Transparent Filtering Bridge(TFB).
Intel i5-2390T with 32GB-RAM and Intel I350-T4(2-Ports Passthrough for OPNsense + VirtIO).
System running Jails, MEDIA/SMB/NFS/SSH servers etc.., ZFS-Mirrors for boot and storage.

What are your specific questions? Just go ahead and ask them ;-)

You have read the documentation on transparent filtering bridge?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on November 15, 2025, 07:03:51 PM
What are your specific questions? Just go ahead and ask them ;-)

You have read the documentation on transparent filtering bridge?

Hi Patrick, I pushed the wrong buttons while writing, but posted them already.

Regards

Apologies for asking such dumb questions; it seems there are not many users with transparent filtering bridges with alternate configurations, nor much around the web except for a few YT videos just telling how to install it.

By the way, I've just set the IPv4/IPv6 Configuration Type to NONE on all interfaces except for the [ADM] (admin) interface.

One of the reasons for asking was that my ISP struck again and broke IPv6, and OPNsense was unable to be upgraded unless IPv4 was set to DHCP on the [WAN] interface.

I will try to update/upgrade the OPNsense host through the admin interface; otherwise maybe I should stop being a bit too paranoid and leave IPv4 set to DHCP on the [WAN] interface and add some rules there, even if this is disregarded by the recommended setup from the docs.

Regards

Hello, I will post my rather clunky TFB setup and my own answer, in case someone is asking for a similar config on a Transparent Filtering Bridge with a slightly different config from the How-Tos. This is just for the non-networking guys like me. IPv6 is completely disabled in this example*.

This requires 3 interfaces as expected; in my case two physical IFs (passthrough) for the [TFB] and one virtual admin IF (vtnet0, virtio).

Scenario: you followed the How-To to set up a TFB, but added a 3rd interface to administer OPNsense. Now Updates and/or Plugin downloads do not work because you've set the Transparent Filtering Bridge related interfaces to NONE as recommended in the How-To:

Set Interfaces [WAN] + [LAN] + [BRIDGE] to:
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE*

However, since we added a 3rd interface for admin, all we have to do is set the Gateway for it under [System: Gateways: Configuration]. My admin interface is called [ADM].

Now under [System: Settings: General] I've set the preferred DNS to use that Gateway (192.168.0.1).

After a reboot OPNsense is now able to update and install plugins again through the admin interface while leaving its pure Transparent Filtering Bridge operation intact.

However, in my case this was a bit different, as OPNsense is a VM guest and the admin virtual interface (vtnet0) is connected to the host (Bhyve) on the public switch, so the admin interface's internet connection goes through the hypervisor, which in turn loops back to the TFB access point.

Regards
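
A way to check the end state described in the last post (no addresses on the bridge ports, the firewall's own traffic leaving via the admin interface), as an added example that is not part of the thread. The device name bridge0, the column layout of `netstat -rn -f inet`, and the sample addresses 192.168.0.10 and 100.64.0.x are assumptions; igb0, igb1, vtnet0 and the gateway 192.168.0.1 come from the posts.

```shell
#!/bin/sh
# Audit a transparent filtering bridge from saved `ifconfig` and
# `netstat -rn -f inet` text (FreeBSD format).

# Print each interface named in $2 that carries an inet/inet6 address in $1.
addressed_ifaces() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) chk[w[i]] = 1 }
        /^[a-z0-9_.]+: flags=/ { cur = $1; sub(/:$/, "", cur); next }  # "igb0: flags=..."
        ($1 == "inet" || $1 == "inet6") && (cur in chk) && !(cur in seen) {
            seen[cur] = 1; print cur
        }'
}

# Print the interface (Netif column, assumed 4th) of the IPv4 default route in $1.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# $1 ifconfig text, $2 routing table text, $3 admin interface, $4 bridge interfaces.
# Prints one line per finding; returns 1 if there is any finding.
tfb_audit() {
    rc=0
    for i in $(addressed_ifaces "$1" "$4"); do
        echo "FINDING: $i has an IP address; bridge ports are expected to have none"
        rc=1
    done
    via=$(default_route_iface "$2")
    if [ "$via" != "$3" ]; then
        echo "FINDING: default route leaves via '${via:-none}', expected $3"
        rc=1
    fi
    return "$rc"
}

# Constructed samples (not real output). bridge0 and all host addresses are assumed.
GOOD_IF='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC> mtu 1500
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC> mtu 1500
vtnet0: flags=8843<UP,BROADCAST,RUNNING> mtu 1500
    inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
bridge0: flags=8843<UP,BROADCAST,RUNNING> mtu 1500
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
GOOD_RT='Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS      vtnet0'
# Same host modelled on the first post: [WAN] (igb0) set to DHCP behind CGNAT.
BAD_IF=$(printf '%s\n' "$GOOD_IF" | awk '{ print } NR == 1 { print "    inet 100.64.0.23 netmask 0xfffffc00" }')
BAD_RT='Destination        Gateway            Flags     Netif Expire
default            100.64.0.1         UGS        igb0'
tfb_audit "$BAD_IF" "$BAD_RT" vtnet0 "igb0 igb1 bridge0" || true
```

On a live system the same function can be fed `"$(ifconfig)"` and `"$(netstat -rn -f inet)"` instead of the constructed samples.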