Transparent bridge with 2 NICs

Started by Jaapaap, July 01, 2026, 06:54:24 PM

Hello everyone,
First of all thanks for having me at the forum.

I am new to OPNsense and building my first device based on an Intel j3455 with 4 GB and 2 Intel n211 NICs.

I want to use it in transparent bridge mode, but the model has only two NICs.

Before I put a lot of time into it I want to know: is it possible to build this and still use the web UI in this situation (and have a safe system of course ;))

Thanks everyone!!

Perfectly possible but the devil is in the details. You need to assign an IP address to the bridge interface for management and create appropriate firewall rules.

May I ask why you intend to use a filtering bridge? In my experience in almost all situations routing is far superior to bridging.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the reply!
The reason I am bridging is because I am perfectly happy with my EBM68 and mesh nodes, but I want to dive into some more serious firewall concepts.
Besides that I am down with a back injury and I hate being bored 😅

I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?

Quote from: Jaapaap on July 01, 2026, 07:23:11 PM
I assume the firewall rules are something like only allowing local IPs to access the UI and applying bogon filtering?

Sort of, yes. Unfortunately there is no ready-made recipe for a transparent bridge. Even the official documentation just suggests enabling IDS/IPS. If you want to really filter transparently with default deny (!) you obviously need to take DHCP from/to your uplink router, neighbour discovery in case of IPv6 etc. etc. into account. Even ARP? I don't know. Probably pf on the bridge only deals with IPv4/6. That would mean there is no firewall rule but maybe a global sysctl to pass non-IP traffic like ARP transparently.

Unknown terrain - there be dragons! But you probably won't be bored. 🙂

That's why I prefer routing.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
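The pieces listed above (management reachable from one side only, DHCP and IPv6 neighbour discovery allowed across, ARP left to the bridge) as a pf.conf sketch added here; it is not from the thread or the OPNsense docs. The interface names igb0/igb1, the management address 192.168.1.2/24 and the chosen tunable values are assumptions; the tunable names themselves are the real if_bridge(4) sysctls, and pfil_onlyip is what lets non-IP frames such as ARP bypass pf.

```pf
# Added sketch, not the thread's or OPNsense's own config. Assumed: igb0 = uplink
# side, igb1 = LAN side, bridge0 carries management address 192.168.1.2/24
# (constructed values).
#
# Bridge tunables (if_bridge(4); in OPNsense under System > Settings > Tunables),
# chosen here so that every packet is filtered once, on the member NIC it arrives on:
#   net.link.bridge.pfil_member = 1   # filter on each member NIC
#   net.link.bridge.pfil_bridge = 0   # do not filter a second time on bridge0
#   net.link.bridge.pfil_onlyip = 1   # ARP and other non-IP frames bypass pf entirely
ext_if  = "igb0"
int_if  = "igb1"
lan_net = "192.168.1.0/24"
mgmt    = "192.168.1.2"

set skip on lo0

# default deny, logged, so anything not listed below shows up in the firewall log
block log all

# management UI: only from the LAN-side member, never from the uplink side
block in quick on $ext_if to $mgmt
pass  in quick on $int_if proto tcp from $lan_net to $mgmt port { 22 443 } keep state
block in quick on $int_if to $mgmt

# DHCP must cross the bridge in both directions (client port 68, server port 67)
pass quick on { $ext_if $int_if } proto udp from port { 67 68 } to port { 67 68 }

# IPv6 neighbour and router discovery, otherwise nothing works on the v6 side
pass quick on { $ext_if $int_if } inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routersol routeradv }

# LAN-originated traffic is allowed out statefully; replies match the state on
# the uplink member (pf's default state-policy is floating, so the state is not
# bound to igb1 alone)
pass in quick on $int_if from $lan_net keep state
```

Anything not matched by the pass rules, including unsolicited traffic arriving on the uplink side, is dropped and logged by the first rule.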

Ok, the rabbit hole is deeper than I thought... :)
I only wanted to use the box for CrowdSec, GeoIP and WireGuard.

So my thoughts were:
igb0 - no IP
igb1 - no IP
Bridge - local management IP

Sounded quite straightforward, but the key is securing the bridge (if not sufficiently guarded by the standard firewall rules).
But since a Hero Member is warning me about dragons ;) I'm getting second thoughts. Did I perhaps bite off more than I can chew??

What I always wondered about that transparent bridge setup: if you have only two sides between which to filter traffic, then what would be so difficult about using different subnets (aka routing)? And if you don't, like if you have separate VLANs, then how do you even get the traffic to pass your firewall?

Once you get to understand routing, it seems natural to choose that, which is possibly why < 1% of people here would be able to help if you don't.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

July 01, 2026, 09:34:16 PM #6 Last Edit: July 01, 2026, 10:19:26 PM by BrandyWine
There's also good docs for answering the question, https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Can the device support wifi?
You can use wifi in AP mode, for just mgmt.
https://docs.opnsense.org/manual/how-tos/interface_wireless_internal.html


Quote from: Patrick M. Hausen on July 01, 2026, 07:00:16 PM
May I ask why you intend to use a filtering bridge? In my experience in almost all situations routing is far superior to bridging.

I am curious about this. In many of my Palo Alto setups I use virtual-wire (bridge), which removes L3 and increases performance (no routing time on hardware). Albeit each side of my bridge is a logical router in the same subnet where each has its own WAN, so basically wedging a FW between two WANs w/o adding L3.

Is the OPNsense bridge using two (dedicated) NICs different?

Quote from: meyergru on July 01, 2026, 09:27:19 PM
What I always wondered about that transparent bridge setup: if you have only two sides between which to filter traffic, then what would be so difficult about using different subnets (aka routing)? And if you don't, like if you have separate VLANs, then how do you even get the traffic to pass your firewall?

I don't think we can bridge two different VLANs (subnets); it has to be the same VLAN (subnet). Albeit we can make vlanID-1 and vlanID-2 using hosts that are all in the same /24, as an example. This means all host IPs are local, the bridge needs to learn MACs and then proxy-arp what it knows about, so that L2 can function normally.
Mini-pc N150 i226v x520, FREEDOM

A bridge does not proxy-arp, it simply passes ARP packets transparently. Any switch is a bridge. So two bridged networks are really just one.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: BrandyWine on July 01, 2026, 09:34:16 PM
[...]I don't think we can bridge two different VLANs, it has to be the same VLAN. This means all host IPs are local, the bridge needs to learn MACs and then proxy-arp what it knows about, so that L2 can function normally.

Not sure what you're describing there. FreeBSD bridging seems to be pretty straightforward. ARP is... well, bridged. No proxy, unless you configure one (and FreeBSD's default proxy ARP is cheesy).

To the original poster: Bridging works for me. My Internet link is bridged, and managing several internal networks on the firewall (I have a few more than two interfaces, and everything runs through the firewall) is quite easy with bridges. The only downside I've seen is FreeBSD's susceptibility to ARP proxies (my Internet ONT is one, so I have static ARP entries for everything on that bridge except for the ONT). (A "layer"-agnostic filter would be nice, but hey.) Not much more to it. It may work for you, or not.

Quote from: meyergru on July 01, 2026, 09:27:19 PM
What I always wondered about that transparent bridge setup: if you have only two sides between which to filter traffic, then what would be so difficult about using different subnets (aka routing)? And if you don't, like if you have separate VLANs, then how do you even get the traffic to pass your firewall?

Like I said, I like my EBM68, so it would just be serving for CrowdSec, GeoIP and WireGuard.
I do not use VLANs besides an SDN on my EBM68 for a guest network.
I always thought router behind router = hell, so I started out with bridge mode.

@BrandyWine
It does not have wifi, but I do have a USB-to-Ethernet dongle lying around. Realtek chip though, so I don't know if that is a smart move.

But my main question is: is the bridge safe from the WAN side when given a local IP address?

My remarks were not really meant to be questions, but purely rhetorical, which is to say:

If you only have two sides (or interfaces), doing a routed setup is no more complex than a transparent bridge - if you have more than two, a transparent bridge cannot be used at all (or at least I fail to see how). So, why use a transparent bridge in the first place?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

Quote from: Jaapaap on July 01, 2026, 10:26:17 PM
But my main question is: is the bridge safe from the WAN side when given a local IP address?

If your firewall rules block that access, you are safe. If they don't, you are not. Or then again... if the router in front of your bridged OPNsense does NAT and firewalling, as is the case for the majority of setups, how would anyone on the Internet access your OPNsense's private RFC 1918 address?

What do you hope to add? Your router which you seem to like already blocks everything from the Internet inbound to your network.

You might consider setting up a Pi-hole or AdGuard Home for DNS filtering for outbound blocking. I do not see anything you are gaining with that bridge. CrowdSec is worthless for free tier users (my opinion!).

Can your current router add static routes for internal networks? If yes, you can use router behind router without double NAT and you can run DHCP and DNS for the double private network on OPNsense and then we're in business. Bridging is a measure of last resort if the router cannot be replaced for policy reasons and it does not support static routes and/or you do not have access because it's all ISP managed and you do not trust your ISP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

July 01, 2026, 10:44:02 PM #12 Last Edit: July 01, 2026, 10:47:56 PM by BrandyWine
Quote from: Patrick M. Hausen on July 01, 2026, 09:53:07 PM
A bridge does not proxy-arp, it simply passes ARP packets transparently. Any switch is a bridge. So two bridged networks are really just one.

Yeah, bad choice of words I used.
I had this debate years ago. Since there's a forwarding device between the two hosts (an L2 switch), where neither bridge port is ever a host, it's technically doing "proxy" to be able to move across the bridge (it accepts frames on behalf of the destination, then forwards). It's not the L3 proxy-arp, so my bad for that missing clarity.

I believe in OPNsense we can do 2+ ports for a single bridge. This makes it easy to create 4 segments where all hosts are IP'd as /22 but each segment is kept in contiguous /24 blocks, and each is firewalled from the others. LAN/WAN/WIFI/NAS, etc, all using one switch (one vlanID per segment).

So when short on L3 interfaces, use bridge and managed switch to facilitate segmentation, even when everything is in the same L3 subnet.

One minor pitfall with a bridge: as host counts go up on each side of the bridge, more wasted CPU cycles come with it. Any/all ARP broadcasts (who-has) get copied to the other side of the bridge (all ports), which means the FW has to process packets even when the two hosts involved are on the same side of the bridge.
Mini-pc N150 i226v x520, FREEDOM

Ok, let's start with how I got here 😉
I am/was down with a back injury. I got me a cheap mini PC with 2 NICs and was looking to give it a purpose.
Since I have got a NAS and a HASS server running I 'thought' that the best use case was setting it up as a firewall.
If the conclusion is that it's overkill/unnecessary I can easily drop the project and perhaps set it up for AdGuard or something.

It's pure hobby, but it does have to be functional. So please just tell me to drop the stupid project if that is you pros' opinion 😆
Extra points of failure with no benefits is not worth the hobby.

@BrandyWine Let's stick with terminology established by Radia Perlman (the lady who invented spanning tree and now presents at conferences stating layer 2 bridging was a big mistake):

- a device making forwarding decisions based on layer 2 addresses is a bridge
- a device making forwarding decisions based on layer 3 addresses is a router
- "switch" is a marketing term that can mean anything but is intended to say "faster/cheaper/somehow-better than our competitors"

Essentially any layer 2 switch is a multiport bridge and nothing else and a layer 3 switch is a router.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)