Transparent bridge with 2 NICs

Started by Jaapaap, July 01, 2026, 06:54:24 PM

@Jaapaap Do you control the router you have and seem to like? Not your ISP? Do you trust it? If the answer to all these is "yes", you won't gain much but an incredible amount of complexity by adding a bridging firewall.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I trust my router (Asus ExpertWiFi business line) and my ISP enough.
I don't use port forwarding and have an OpenVPN connection on the router for when it's needed.
I am planning on setting up Cloudflare for outdoor Home Assistant use, so I think I am safe enough for a home user.

Given your reply I guess I had a fun ride exploring OPNsense, but I will probably use the machine for AdGuard (completely new to that too, but it keeps me occupied 😄).
Thanks for the quick course and the adventure in opnsense.

Quote from: Patrick M. Hausen on July 01, 2026, 10:57:25 PM
- a device making forwarding decisions based on layer 3 addresses is a router

That's technically not correct; she is incorrect. An L3 decision simply decides the next-hop IP (talking strictly TCP/IP), not any forwarding. Forwarding always (always) happens at L2, 100% just a MAC-Port thing down to Tx on L1. ;)
ARP sits between L3 and L2. L3 is the IP-MAC table, L2 is the MAC-Port table. There is no frame forwarding on Ethernet at L3.

It's a play on words mostly. "Forwarding" is a L1 frame thing. L2 on the receiver is logically processed only after the frame has been forwarded. The IP-MAC and MAC-Port things are just matrix tables stored in device memory.

And to boot - no router is a switch, and no switch is a router, but all routers have a switcher, otherwise the frames could never Tx or Rx.
Mini-pc N150 i226v x520, FREEDOM

Radia Perlman is incorrect. OK. I'm out.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 01, 2026, 10:59:01 PM
@Jaapaap Do you control the router you have and seem to like? Not your ISP? Do you trust it? If the answer to all these is "yes", you won't gain much but an incredible amount of complexity by adding a bridging firewall.

There's also the broadcast MAC issue, DHCP. The initial broadcast FFFFFF will pass right through the fw, the ISP modem will try and reply, but that reply can be blocked by the fw. But then I wonder if the ISP modem logs a lease? Some ISPs only allow x# of WAN leases.

Not sure of the actual setup OP has; one could buffer ISP & fw with a router that has no features turned on (except NAT), just a simple dummy L3, WAN for getting DHCP for the router, and LAN on the router for the DFG. Adds a buffer, but make sure the router denies all inbound to its WAN iface, etc. Then bridge between router and internal subnet(s). Technically not a bad setup, places a little buffer (DMZ) between ISP modem and fw.
Mini-pc N150 i226v x520, FREEDOM

Today at 12:50:56 AM #20 Last Edit: Today at 12:57:12 AM by BrandyWine
Quote from: Patrick M. Hausen on Today at 12:31:33 AM
Radia Perlman is incorrect. OK. I'm out.

I know what she meant, but in technical terms she stated it incorrectly.

If I use the literal definition of forwarding Ethernet frames, yes, she is wrong. There are no "forwarding" decisions being done at L3. There's only a next-hop decision at L3, which is not "forwarding".

"Forwarding" literally originates at L1 Tx. This is the only way a frame can move.

Take for example a router with two ifaces: a packet comes in on A and the routing table says the next hop is an IP on the B side. However, that next hop has no ARP entry, and a search for the next-hop IP's MAC (ARP) is negative: no such next-hop IP exists. The router made a next-hop decision and handed that off to L2, yet no forwarding was done, no positive forwarding decision made, etc.

A device (the logical process) that makes L3 next-hop decisions is a router.
L3 decides the next hop, L2 decides how to forward.


L3 --> L2 (arp/cam) --> L1
                        ^
                     fwd'ing
Mini-pc N150 i226v x520, FREEDOM
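As an added illustration (not code from the thread), the two-interface router case described above, written as two separate steps: a longest-prefix-match routing lookup that yields only a next-hop IP and egress interface, and an ARP/CAM lookup that has to succeed before any frame can actually be transmitted. The routing, ARP and MAC-port tables are constructed sample data; the default gateway 192.168.1.254 deliberately has no ARP entry.

```python
"""Constructed example: L3 next-hop decision vs. L2 forwarding on a two-iface router."""
import ipaddress

# Constructed routing table: (prefix, next-hop IP or None if directly connected, egress iface)
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), None, "A"),
    (ipaddress.ip_network("192.168.1.0/24"), None, "B"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.254"), "B"),
]
# Constructed IP-MAC table (ARP); the default gateway 192.168.1.254 is intentionally absent.
ARP = {
    ipaddress.ip_address("192.168.1.20"): "02:00:00:00:00:20",
}
# Constructed MAC-Port table (CAM), the L2 side of the decision.
CAM = {
    "02:00:00:00:00:20": "B",
}


def l3_next_hop(dst):
    """Layer 3: longest-prefix match picks a next-hop IP and an egress interface.
    Nothing here touches a MAC or a port; returns None if no route matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    # Directly connected destinations are their own next hop.
    return (gw if gw is not None else dst, iface)


def l2_forward(dst):
    """Layer 2: resolve the next hop to a MAC (ARP) and a port (CAM).
    Returns (next_hop, mac, port); mac and port are None when ARP resolution
    fails, i.e. a routing decision was made but no frame can be sent."""
    hop = l3_next_hop(dst)
    if hop is None:
        return None
    next_hop, _iface = hop
    mac = ARP.get(next_hop)
    port = CAM.get(mac) if mac else None
    return (str(next_hop), mac, port)


if __name__ == "__main__":
    print(l2_forward("192.168.1.20"))  # resolves: MAC and port found
    print(l2_forward("8.8.8.8"))       # next hop chosen, but no ARP entry: nothing to Tx
```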

Quote from: BrandyWine on July 01, 2026, 10:44:02 PM
[...]I believe in OPNsense we can do 2+ ports for a single bridge.[...]

I have... 6 physical interfaces on my (current) firewall, with another 9 via a 10-port switch (acting as a port expander, where ports 1-9 are assigned unique port VLANs and 10 is a tagged uplink plugged into the firewall). So 14 available interfaces, each assigned to one of four (non-transparent) bridges. Works great. Most folks here think it would give their network the plague. (Who knows? They might be right.)

Quote from: Jaapaap on July 01, 2026, 10:55:34 PM
[...]It's pure hobby, but it does have to be functional. So please just tell me to drop the stupid project if that is you pros' opinion[...]

Nah, try it out. You can have a good old time trying different stuff. Never can tell. Could fix your back in short order.

Quote from: BrandyWine on Today at 12:50:56 AM
I know what she meant, but in technical terms she stated it incorrectly.[...]

Heh. Heck, grab her book - it's not bad. Or Rich Seifert's.

Quote from: BrandyWine on Today at 12:50:56 AM
If I use the literal definition of forwarding Ethernet frames, yes, she is wrong. There are no "forwarding" decisions being done at L3. There's only a next-hop decision at L3, which is not "forwarding".

The action of an intermediate system receiving a frame for which it is not the final destination and passing it on based on some next-hop decision has been called forwarding for decades. That's the definition of forwarding. I don't know where you get your "literal definition of forwarding Ethernet frames" from. I suggest you read the definitive textbook on the topic.

BTW: the sysctl variables that enable or disable routing (layer 3) in FreeBSD are called:

net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)