Transparent bridge with 2 NICs

Started by Jaapaap, Today at 06:54:24 PM

Hello everyone,
First of all thanks for having me at the forum.

I am new to OPNsense and building my first device based on an Intel J3455 with 4 GB and 2 Intel n211 NICs.

I want to use it in transparent bridge mode, but the model has only two NICs.

Before I put a lot of time into it I want to know: is it possible to build this and still use the web UI in this situation (and have a safe system of course ;))?

Thanks everyone!!

Perfectly possible but the devil is in the details. You need to assign an IP address to the bridge interface for management and create appropriate firewall rules.

May I ask why you intend to use a filtering bridge? In my experience in almost all situations routing is far superior to bridging.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the reply!
The reason I am bridging is because I am perfectly happy with my EBM68 and mesh nodes, but I want to dive into some more serious firewall concepts.
Besides that I am down with a back injury and I hate being bored 😅

I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?

Quote from: Jaapaap on Today at 07:23:11 PM
> I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?

Sort of, yes. Unfortunately there is no ready-made recipe for a transparent bridge. Even the official documentation just suggests enabling IDS/IPS. If you want to really filter transparently with default deny (!) you obviously need to take DHCP from/to your uplink router, neighbour discovery in the case of IPv6, etc. into account. Even ARP? I don't know. Probably pf on the bridge only deals with IPv4/IPv6. That would mean there is no firewall rule, but maybe a global sysctl to pass non-IP traffic like ARP transparently.

Unknown terrain - there be dragons! But you probably won't be bored. 🙂

That's why I prefer routing.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
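To make the "default deny plus the exceptions the bridge needs" idea concrete, here is an added example in pf.conf syntax (the rule language OPNsense generates into; not from this thread or from the OPNsense project). It assumes two constructed bridge members, igb0 toward the existing router and igb1 toward the home LAN, a management address 192.0.2.10/24 on bridge0, and member-interface filtering (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=0) so the two sides can be told apart by interface; confirm the tunables against the current OPNsense how-to before relying on them.

```pf
# Added example: pf ruleset for a two-NIC filtering bridge, default deny.
# Assumed names (constructed for this example):
#   igb0 = uplink member toward the router, igb1 = LAN member,
#   192.0.2.10 = address on bridge0 used only for the web UI.
# Tunables assumed alongside this ruleset:
#   net.link.bridge.pfil_member=1   # filter on each member interface
#   net.link.bridge.pfil_bridge=0   # do not filter a second time on bridge0
# Non-IP frames such as ARP never reach these rules; they are governed by
# net.link.bridge.pfil_onlyip, which is the sysctl the post is wondering about.

ext_if = "igb0"
int_if = "igb1"
mgmt   = "192.0.2.10"
lan    = "192.0.2.0/24"
nd_types = "{ routersol, routeradv, neighbrsol, neighbradv }"

set skip on lo0

# Default deny on every interface, logged so the live log shows what breaks.
block log all

# Web UI only from the LAN-side member. The same request arriving on the
# uplink member matches nothing below and falls through to the block.
pass in quick on $int_if proto tcp from $lan to $mgmt port 443 keep state

# IPv4 DHCP: discover/request from LAN clients out toward the router, and
# the router's offer/ack (unicast or broadcast) back in on the uplink member.
pass in quick on $int_if proto udp from any port 68 to any port 67
pass in quick on $ext_if proto udp from any port 67 to any port 68

# IPv6 router and neighbour discovery must cross in both directions.
pass in quick inet6 proto icmp6 all icmp6-type $nd_types

# Everything else: the LAN side may initiate and replies return via state;
# the uplink side cannot initiate toward the LAN.
pass in quick on $int_if inet  from $lan to any keep state
pass in quick on $int_if inet6 from any  to any keep state
```

Because pf keeps floating state by default, a flow admitted "in" on igb1 is matched again when it leaves "out" on igb0 without a second rule; anything the uplink side originates, including a connection attempt to the management address, hits the default block.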