Transparent bridge with 2 NICs

Started by Jaapaap, July 01, 2026, 06:54:24 PM

@Jaapaap Do you control the router you have and seem to like? Not your ISP? Do you trust it? If the answer to all these is "yes", you won't gain much but an incredible amount of complexity by adding a bridging firewall.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I trust my router (Asus ExpertWiFi business line) and my ISP enough.
I don't use port forwarding and have an OpenVPN connection on the router for when needed.
I am planning on setting up Cloudflare for outdoor Home Assistant use, so I think I am safe enough for a home user.

Given your reply I guess I had a fun ride exploring OPNsense, but I'll probably use the machine for AdGuard (completely new to that too, but it keeps me occupied 😄).
Thanks for the quick course and the adventure in OPNsense.

Quote from: Patrick M. Hausen on July 01, 2026, 10:57:25 PM
- a device making forwarding decisions based on layer 3 addresses is a router

That's technically not correct, she is incorrect. An L3 decision simply decides the next-hop IP (talking strictly TCP/IP), not any forwarding. Forwarding always (always) happens at L2, 100% just a MAC-port thing down to Tx on L1. ;)
ARP sits between L3 and L2. L3 is the IP-MAC table, L2 is the MAC-Port table. There is no frame forwarding on ethernet at L3.

It's a play on words mostly. "Forwarding" is a L1 frame thing. L2 on the receiver is logically processed only after the frame has been forwarded. The IP-MAC and MAC-Port things are just matrix tables stored in device memory.

And to boot - no router is a switch, and no switch is a router, but all routers have a switcher, otherwise the frames could never Tx or Rx.
Mini-pc N150 i226v x520, FREEDOM

Radia Perlman is incorrect. OK. I'm out.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 01, 2026, 10:59:01 PM
@Jaapaap Do you control the router you have and seem to like? Not your ISP? Do you trust it? If the answer to all these is "yes", you won't gain much but an incredible amount of complexity by adding a bridging firewall.
There's also the broadcast MAC issue, DHCP. The initial broadcast to FFFFFF will pass right through the fw, the ISP modem will try and reply, but that reply can be blocked by the fw. But then I wonder if the ISP modem logs a lease? Some ISPs only allow x# of WAN leases.

Not sure of the actual setup OP has, but one could buffer the ISP modem & fw with a router that has no features turned on (except NAT), just a simple dummy L3: WAN for getting DHCP for the router, and LAN on the router for the DFG. Adds a buffer, but make sure the router denies all inbound to its WAN iface, etc. Then bridge between the router and internal subnet(s). Technically not a bad setup, places a little buffer (DMZ) between the ISP modem and the fw.
Mini-pc N150 i226v x520, FREEDOM
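To make the two points above concrete (forwarding as a pure MAC-to-port lookup, and the DHCP broadcast crossing a bridging firewall while the modem's reply is filtered), here is an added simulation that is not part of the thread and not OPNsense code. It models a two-port learning bridge with a stateless filter on the WAN-facing port; port names, MAC addresses and the DHCP frames are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    udp_sport: Optional[int] = None  # None for non-UDP traffic
    udp_dport: Optional[int] = None


class BridgeFirewall:
    """Two-port learning bridge; forwarding is only a MAC -> port lookup.

    The filter never touches the forwarding decision itself: it just drops
    frames entering from the WAN port that match the DHCP-reply signature.
    """

    def __init__(self, wan: str = "wan0", lan: str = "lan0"):
        self.ports = (wan, lan)
        self.wan = wan
        self.mac_table: dict[str, str] = {}  # the L2 MAC-port table
        self.log: list[str] = []

    def _blocked(self, frame: Frame, in_port: str) -> bool:
        # DHCP OFFER/ACK travel UDP 67 -> 68; block them coming from the WAN side.
        return (in_port == self.wan and frame.udp_sport == DHCP_SERVER_PORT
                and frame.udp_dport == DHCP_CLIENT_PORT)

    def receive(self, frame: Frame, in_port: str) -> set:
        """Return the set of ports the frame is transmitted on (empty = dropped)."""
        self.mac_table[frame.src_mac] = in_port  # learn source MAC on ingress port
        if self._blocked(frame, in_port):
            self.log.append(f"drop dhcp-reply from {frame.src_mac} on {in_port}")
            return set()
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:
            return {p for p in self.ports if p != in_port}  # flood unknown/broadcast
        return set() if out == in_port else {out}


def dhcp_exchange():
    """Constructed exchange: LAN client DISCOVER, then the modem's OFFER from WAN."""
    br = BridgeFirewall()
    client, modem = "02:00:00:00:00:aa", "02:00:00:00:00:01"  # constructed MACs
    discover = Frame(client, BROADCAST, DHCP_CLIENT_PORT, DHCP_SERVER_PORT)
    offer = Frame(modem, client, DHCP_SERVER_PORT, DHCP_CLIENT_PORT)
    return br.receive(discover, "lan0"), br.receive(offer, "wan0"), br.mac_table, br.log
```

The DISCOVER is flooded out the WAN port, so the modem still sees it (and may log a lease attempt), while the OFFER is dropped on ingress even though the bridge has already learned the modem's MAC.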