No internet to clients connected to WIFI AP from opnsense in bridge mode

Started by darkencraft, January 31, 2026, 10:30:19 PM

Hi, I'm trying to configure a wifi AP in the following setup, and the clients of the wifi AP cannot access the internet:

ISP modem/router → opnsense (w/ 6 ports; 1 port WAN, 5 ports bridged as bridge0 assigned to LAN) → Wifi AP (EAP 610)

What I tested so far:

- if I connect the wifi AP directly to the ISP modem/router: clients of the wifi AP have internet access

- opnsense without bridge (1 port WAN, 1 port assigned to LAN, remaining 4 ports unused), and connect the AP directly to the port assigned to LAN: clients of the wifi AP have internet access

- opnsense without bridge (1 port WAN, 1 port assigned to LAN, remaining 4 ports unused), and connect an unmanaged switch to the port assigned to LAN, then connect the wifi AP to the switch: clients of the wifi AP have internet access

So the moment I bridge 5 ports together and assign bridge0 as LAN, wifi clients no longer have internet access.

- When this happens, from the wifi client I cannot ping 1) the opnsense gateway (192.168.1.1), 2) outside (i.e. 8.8.8.8 or 1.1.1.1), but I can ping internal machines that are wired to bridge0 (i.e. my NAS).

- On the other hand, it seems that an internet connection exists on the wifi AP itself, as when I check for a firmware update via the wifi AP's web UI (currently set to 192.168.1.99 static), it checks and comes back with an up-to-date message. (In the case of no internet, it comes back with a "no internet connection" message.)

So, it seems that there are additional configurations that I need to do in opnsense to somehow allow traffic from outside to reach the wifi clients, but I can't seem to figure out what I need to configure. At the moment, I have not made any changes/additions to the firewall rules and it is pretty much a factory default setup, except for the parts that I needed to configure to bridge the ports together (i.e. Interfaces > Assignments).

Would appreciate community help on how I can get internet access from wifi clients!

(Yes, I can remove the bridge and set up the wifi AP underneath the switch, but this means I need to buy a switch with more ports. So before I actually decide on spending more money, I want to try if I can somehow work with the current setup.)


Thank you for the response. But actually, that document was the exact document that I used to configure the bridge. I also changed the configuration in the tunables already. So all the wired devices that are connected to the bridge ports work fine.

The problem is the wifi clients not having access to the internet; I cannot figure out what else I need to tweak in the opnsense configs.

Did you reboot OPN after changing the tunables? It is needed for these.
Otherwise review the steps just in case. Is the AP definitely not running its own DHCP server or any other service?
Next is to look at the firewall live log to see if the traffic is arriving. Are you using IPv6?

Yes, I rebooted OPN after the tunable changes. This is actually my third attempt (each attempt, I factory defaulted OPN) and I am pretty sure all steps in the documentation were followed. Also, I'm not using IPv6.

As for the AP, TP-Link EAP610 to be specific, it's not running any DHCP server. When I compare the network parameter assignment between a wired device (where internet works) and a wifi device (no internet), they are quite identical.

Wi-Fi client (internet not working):

IP: 192.168.1.165
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1

Wired client (internet working):

IP: 192.168.1.103
Subnet: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1

As for the firewall live log, can you advise what I should look for, or how I should test?

Coming back with some additional findings:
When I ping OPN (192.168.1.1) from the wifi device (internet not working), I can see in the OPN packet capture that the ARP who-has request (from the wifi device) and the ARP reply (from OPN) are being sent.
But after this, the OPN packet capture does not see an ICMP echo request from the wifi device.

I compared this behavior with the wifi device pinging another internal device (i.e. my NAS). In the OPN capture, I see the ARP request/reply, followed by the ICMP echo request/reply.

Based on this and "considering that the wifi device works fine when OPN is not bridging ports", could there be circumstances where:
1. Although the ARP reply is seen in the OPN packet capture, it is blocked by firewall rules and never reaches the wifi device
2. Or, the ICMP echo request was sent from the wifi device, but firewall rules block the ICMP request to OPN (while passing any other ICMP request to internal devices), so the OPN capture does not see any ICMP request coming in.

Is there any way to verify 1 and 2? Or any other ideas?

Quote from: darkencraft on Today at 12:08:44 AM
So all the wired devices that are connected to the bridge ports work fine.

The problem is the wifi clients not having access to the internet; I cannot figure out what else I need to tweak in the opnsense configs.
If that is the case then you need to figure out what is going on at your Omada access point ?!

For example: if the WiFi SSID has a tagged VLAN set up instead of just using the native/untagged VLAN, then the clients obviously won't have any internet access in this new setup :)

And just to be sure:
- Did you set up new firewall rules similar to those that the LAN network has by default?
- Are the DHCP settings also adjusted?

Quote from: darkencraft on January 31, 2026, 10:30:19 PM
(Yes, I can remove the bridge and set up the wifi AP underneath the switch, but this means I need to buy a switch with more ports. So before I actually decide on spending more money, I want to try if I can somehow work with the current setup.)
For what it's worth:

I really like having each NIC dedicated to one of my VLANs in OPNsense:
- eth0 = WAN
- eth1 = untagged port for LAN a.k.a. VLAN 1
- eth2 = untagged port for the VLAN 10 network
- eth3 = tagged port for a small guest VLAN network and in the future maybe some other stuff...
(This last one is not recommended by many, but I was curious to see how it would work and what is different (or not) compared to the WAN tagged VLAN setup...)

For a cheap small 8-port switch there are TP-Link and Netgear options, and both have '108E' in their model name.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

I may not be following your precise configuration. Is the AP in bridge mode?

Context: I have a similar setup: multiple bridges on an OPNsense firewall, with a Linksys MX8500 running OpenWRT connected to one bridge. The MX8500 is also in bridge mode; that is, the wireless radios are attached to a bridge which contains the Ethernet interface connected to the firewall. It (the radio bridge on the AP) has no IP address assigned and no DHCP client (or server, of course) running. (For completeness, I have a second bridge on the MX8500 for management which is not accessible from the client/radio bridge; it is a DHCP client, connected to a different bridge on the firewall.)

Quote
I may not be following your precise configuration. Is the AP in bridge mode?

Yes, the AP is in bridge mode. DHCP is handled by OPN.
As in my first post, below is the setup:
ISP modem/router → opnsense (w/ 6 ports; 1 port WAN, 5 ports bridged as bridge0 assigned to LAN) → Wifi AP (EAP 610)

Quote
If that is the case then you need to figure out what is going on at your Omada access point ?!

Yeah, at first I was suspicious of the Omada AP. But the AP and its wifi clients work fine when the AP is directly connected to the ISP modem/router or to OPN without a bridge (i.e. OPN's LAN assigned to the physical port igc1). So the internet inaccessibility only occurs with the bridge, which is why I'm assuming it's an OPN problem.

Quote
For example: if the WiFi SSID has a tagged VLAN set up instead of just using the native/untagged VLAN, then the clients obviously won't have any internet access in this new setup :)

Just double-checked this in the AP's web UI. VLAN is disabled.

Quote
- Did you set up new firewall rules similar to those that the LAN network has by default?

No. I did not add any additional firewall rules.
This is my third attempt, and I factory-reset OPN before each try.
I intentionally kept the firewall rules in their out-of-box state so that any custom rules would not introduce variables or interfere when asking for community support.

Quote
- Are the DHCP settings also adjusted?

When I was setting up OPN, the WAN IPv4 config type was DHCP, and the LAN IPv4 config type was static IPv4 with a DHCP server on the LAN interface. Not sure if this answers the question, or are you referring to something else?

Have you checked the MAC addresses learned from ARP on each device? Actual values, not just presence. Looking for a problem proxy.

Quote
Have you checked the MAC addresses learned from ARP on each device? Actual values, not just presence. Looking for a problem proxy.

From the ARP table, I see:
192.168.1.1 → 58:9c:fc:10:e1:13 (OPN MAC)
192.168.1.134 → 22:b2:b5:e8:db:00 (wifi client)
192.168.1.99 → 3c:78:95:90:de:da (wifi AP)

When I do a packet capture, I see:
22:b2:b5:e8:db:00 ff:ff:ff:ff:ff:ff ARP, length 64: Request who-has 192.168.1.1 tell 192.168.1.134, length 50
58:9c:fc:10:e1:13 22:b2:b5:e8:db:00 ARP, length 46: Reply 192.168.1.1 is-at 58:9c:fc:10:e1:13, length 32 LAN

This is what you are advising me to check, correct?

Quote from: darkencraft on Today at 04:44:10 PM
Quote
- Did you set up new firewall rules similar to those that the LAN network has by default?

No. I did not add any additional firewall rules.

I intentionally kept the firewall rules in their out-of-box state so that any custom rules would not introduce variables or interfere when asking for community support.

I am not sure if the rules that the default LAN interface has after a fresh install are also applied when you create the new "bridged LAN interface", so to speak, since it basically is a NEW interface like any other newly created interface...

You need to have the firewall rules that allow IPv4 and IPv6 communication to other networks + internet access, and of course:
Quote
Quote
- Are the DHCP settings also adjusted?

The LAN IPv4 config type was static IPv4 with a DHCP server on the LAN interface. Not sure if this answers the question, or are you referring to something else?

DHCPv4 at least for that new "bridged LAN interface" in order to get IPv4 addresses.

But you told us already that regular wired LAN clients have a fully working connection on the "bridged LAN interface", so I am guessing you have applied these settings already ?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: darkencraft on Today at 05:40:03 PM
[...] This is what you are advising me to check, correct?

Essentially. Not the capture (at this point), but what was learned on each device. Normally proxies are pretty easy to spot... once you look. They are more of an issue on bridges because of the (potentially) larger L2 domain.
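The two checks the thread converges on (does any ARP reply come from a different MAC than the one it claims, and do the ARP tables on different devices agree; and, from the earlier capture comparison, which targets got an ARP reply but were never followed by an ICMP echo request) can be scripted against a saved capture and a few pasted ARP tables. The following is an added example written for this thread, not code from the thread or from OPNsense. It assumes capture lines in the format the poster pasted (frame source MAC, frame destination MAC, then the tcpdump summary); the NAS address 192.168.1.50, its MAC, and the ICMP lines are constructed, as is the "conflict" ARP table used to show a detection.

```python
"""Cross-check ARP behaviour on a bridged LAN from capture lines and ARP tables."""
import re
from collections import defaultdict

# Line formats follow the capture lines quoted in the thread (assumption).
ARP_REQUEST = re.compile(r"^(\S+) (\S+) ARP, length \d+: Request who-has (\S+) tell (\S+),")
ARP_REPLY = re.compile(r"^(\S+) (\S+) ARP, length \d+: Reply (\S+) is-at (\S+),")
ICMP_ECHO = re.compile(r"^(\S+) (\S+) .*: (\S+) > (\S+): ICMP echo (request|reply)")

# Constructed sample capture: the first two lines are the ones from the thread,
# the remaining four model the "ping the NAS" case with a placeholder NAS
# (192.168.1.50 / aa:bb:cc:dd:ee:50).
SAMPLE_CAPTURE = """\
22:b2:b5:e8:db:00 ff:ff:ff:ff:ff:ff ARP, length 64: Request who-has 192.168.1.1 tell 192.168.1.134, length 50
58:9c:fc:10:e1:13 22:b2:b5:e8:db:00 ARP, length 46: Reply 192.168.1.1 is-at 58:9c:fc:10:e1:13, length 32 LAN
22:b2:b5:e8:db:00 ff:ff:ff:ff:ff:ff ARP, length 64: Request who-has 192.168.1.50 tell 192.168.1.134, length 50
aa:bb:cc:dd:ee:50 22:b2:b5:e8:db:00 ARP, length 46: Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:50, length 32 LAN
22:b2:b5:e8:db:00 aa:bb:cc:dd:ee:50 IPv4, length 98: 192.168.1.134 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 64
aa:bb:cc:dd:ee:50 22:b2:b5:e8:db:00 IPv4, length 98: 192.168.1.50 > 192.168.1.134: ICMP echo reply, id 1, seq 1, length 64
"""

# Constructed ARP tables as they would be pasted from each device (values
# taken from the thread where it gives them).
SAMPLE_ARP_TABLES = {
    "wifi-client": {"192.168.1.1": "58:9c:fc:10:e1:13", "192.168.1.99": "3c:78:95:90:de:da"},
    "opnsense": {"192.168.1.134": "22:b2:b5:e8:db:00", "192.168.1.99": "3c:78:95:90:de:da"},
    "nas": {"192.168.1.1": "58:9c:fc:10:e1:13"},
}
# Constructed conflict: a second device learned a different MAC for the gateway.
CONFLICT_EXAMPLE = {
    "wifi-client": {"192.168.1.1": "58:9c:fc:10:e1:13"},
    "wired-client": {"192.168.1.1": "02:00:00:00:00:01"},  # placeholder MAC
}


def parse_capture(text):
    """Return events as (kind, frame_src_mac, frame_dst_mac, a, b) tuples.

    For arp_request a/b are (sender_ip, target_ip); for arp_reply (ip, mac);
    for icmp_request/icmp_reply (src_ip, dst_ip). Other lines are ignored.
    """
    events = []
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            src, dst, target_ip, sender_ip = m.groups()
            events.append(("arp_request", src, dst, sender_ip, target_ip))
            continue
        m = ARP_REPLY.match(line)
        if m:
            src, dst, ip, mac = m.groups()
            events.append(("arp_reply", src, dst, ip, mac))
            continue
        m = ICMP_ECHO.match(line)
        if m:
            src, dst, src_ip, dst_ip, kind = m.groups()
            events.append(("icmp_" + kind, src, dst, src_ip, dst_ip))
    return events


def proxy_arp_suspects(events):
    """ARP replies whose claimed MAC differs from the frame's source MAC."""
    return [(ip, mac, src) for kind, src, _dst, ip, mac in events
            if kind == "arp_reply" and mac.lower() != src.lower()]


def resolved_but_silent(events):
    """(client_ip, target_ip) pairs that got an ARP reply but no echo request followed."""
    asked = {(sender, target) for kind, _s, _d, sender, target in events if kind == "arp_request"}
    answered = {ip for kind, _s, _d, ip, _mac in events if kind == "arp_reply"}
    pinged = {(a, b) for kind, _s, _d, a, b in events if kind == "icmp_request"}
    return sorted((c, t) for c, t in asked if t in answered and (c, t) not in pinged)


def arp_table_conflicts(tables):
    """IPs that different devices map to different MACs (the per-device check)."""
    seen = defaultdict(dict)
    for device, table in tables.items():
        for ip, mac in table.items():
            seen[ip][device] = mac.lower()
    return {ip: by_dev for ip, by_dev in seen.items() if len(set(by_dev.values())) > 1}


if __name__ == "__main__":
    ev = parse_capture(SAMPLE_CAPTURE)
    print("proxy ARP suspects:", proxy_arp_suspects(ev))
    print("ARP resolved but no echo request seen:", resolved_but_silent(ev))
    print("ARP table conflicts (thread values):", arp_table_conflicts(SAMPLE_ARP_TABLES))
    print("ARP table conflicts (constructed):", arp_table_conflicts(CONFLICT_EXAMPLE))
```

On the thread's own capture lines the script reports no proxy suspect and no table conflict, and it flags 192.168.1.134 → 192.168.1.1 as "resolved but silent", which is exactly the symptom described: the gateway answered ARP, yet no echo request from the wifi client ever reached the capture point. A non-empty `proxy_arp_suspects` or `arp_table_conflicts` result would instead point at a device answering on the gateway's behalf somewhere in the bridged L2 domain.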