How to Configure Transparent Filtering Bridge on OPNsense?

A transparent firewall filters traffic without requiring the creation of separate subnets. This firewall is referred to as a filtering bridge because it functions as a bridge between two interfaces and applies filtering rules on top of this. In this tutorial, we will explain how to configure your OPNsense firewall as a transparent filtering bridge.


warning

The Transparent Filtering Bridge is incompatible with Traffic Shaping. When utilizing the filtering bridge, do not activate the traffic shaper.

As a starting point for this tutorial, we need a basic installation of OPNsense with 3 interfaces:

  • WAN interface

  • LAN interface

  • LAN Management interface

We will use the LAN management interface to access the OPNsense node for administration purposes. WAN and LAN interfaces will be configured as the members of the bridge interface.

Figure 1. OPNsense Transparent Filtering Bridge Topology

You can configure the Transparent Filtering Bridge on the OPNsense firewall by following the 10 steps below:

  1. Disable Outbound NAT rule generation
  2. Change system tuneables
  3. Create the Bridge
  4. Interface Assignment
  5. Disable Block Private & Bogon Networks
  6. Disable the DHCP Server on LAN
  7. Firewall Rule Configuration To Allow All Traffic
  8. Disable Default Anti Lockout Rule
  9. Set LAN and WAN interface type to none
  10. Adding Firewall Rules

1. Disable Outbound NAT rule generation

To disable outbound NAT, you may follow the steps given below:

  1. Navigate to Firewall → NAT → Outbound on your OPNsense UI.

  2. Select "Disable Outbound NAT rule generation".

  3. Click Save.

  4. Click Apply Changes to activate the configuration.

    Figure 2. Disable Outbound NAT on OPNsense Firewall

2. Change system tuneables

To enable the filtering bridge, you must change net.link.bridge.pfil_bridge from default to 1 and change net.link.bridge.pfil_member from default to 0. To change these system tuneables, you may follow the steps given below:

  1. Navigate to System → Settings → Tuneables on OPNsense UI.

  2. Use CTRL+F on your browser to find the net.link.bridge.pfil_bridge in the list.

    Figure 3. Editing net.link.bridge.pfil_bridge

  3. Click on the Edit button with pen icon to set the net.link.bridge.pfil_bridge tuneable.

  4. Set the Value option to 1 and click Save to enable filtering on the bridge interface.

    Figure 4. Enable filtering on the bridge interface

  5. Use CTRL+F on your browser to find the net.link.bridge.pfil_member in the list.

    Figure 5. Editing net.link.bridge.pfil_member

  6. Click on the Edit button with pen icon to set the net.link.bridge.pfil_member tuneable.

  7. Set the Value option to 0 and click Save to disable filtering on the members of bridge interface.

    Figure 6. Disabling filtering on bridge member interfaces
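
The two tunables decide where filter rules are evaluated, which is why later steps place the rules on the bridge interface. The shell check below is an added example, not part of the original tutorial; the function names `filter_point` and `check_bridge_tunables` and the sample input are constructed for illustration. It reads FreeBSD `sysctl` output ("name: value" lines) and succeeds only when filtering is on for the bridge interface and off for its members.

```shell
#!/bin/sh
# Added example: report where packet filtering is applied on a bridge,
# based on the two tunables changed in this section.

# filter_point PFIL_BRIDGE PFIL_MEMBER -> prints where filter rules are evaluated
filter_point() {
    case "$1/$2" in
        1/0) echo "bridge" ;;    # the state this tutorial sets up
        0/1) echo "members" ;;   # filtering runs on member interfaces only
        1/1) echo "both" ;;      # filtering runs on members and on the bridge
        0/0) echo "none" ;;      # the bridge forwards frames unfiltered
        *)   echo "unknown" ;;   # a tunable is missing or has an unexpected value
    esac
}

# check_bridge_tunables: reads sysctl output on stdin, prints a one-line verdict,
# and returns 0 only when filtering happens on the bridge interface alone.
check_bridge_tunables() {
    pfil_bridge="" pfil_member=""
    while IFS=': ' read -r name value rest; do
        case "$name" in
            net.link.bridge.pfil_bridge) pfil_bridge=$value ;;
            net.link.bridge.pfil_member) pfil_member=$value ;;
        esac
    done
    point=$(filter_point "$pfil_bridge" "$pfil_member")
    echo "pfil_bridge=${pfil_bridge:-unset} pfil_member=${pfil_member:-unset} -> filtering on: $point"
    [ "$point" = "bridge" ]
}

# Constructed sample input in sysctl output format (not captured from a real host).
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0'
printf '%s\n' "$SAMPLE_SYSCTL" | check_bridge_tunables

# On the firewall shell, feed it the live values instead:
#   sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member | check_bridge_tunables
```

A non-zero exit status means rules defined on the bridge interface alone will not give the filtering behaviour this tutorial describes.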

3. Create the Bridge

To create a bridge of LAN and WAN, you may follow the steps given below:

  1. Navigate to Interfaces → Other Types → Bridge on OPNsense UI.

  2. Click on the + Add button to create a new bridge interface.

    Figure 7. Adding a new bridge member interface

  3. Select LAN and WAN in the Member Interfaces drop-down menu.

    Figure 8. Selecting member interfaces for a new bridge

  4. Type a descriptive name, like Bridge in the Description field.

    Figure 9. Saving new bridge interface settings

  5. You may leave other options as default and click Save to add the bridge interface. Then you should see the newly created bridge interface, bridge0, on the Bridge Interfaces page as given below.

    Figure 10. Viewing the bridge interfaces

4. Interface Assignment

To be able to configure and manage the filtering bridge (OPNsense) afterwards, we will need to assign a new interface to the bridge and set up an IP address. You may follow the steps given below for the interface assignment:

  1. Navigate to Interfaces → Assignments on OPNsense UI.

  2. Type a descriptive name like Bridge for the newly created Bridge0 network port and click on the + Add button.

    Figure 11. Interface assignment for the bridge network port

  3. You should see the interface assignments as shown in the figure below. To enable the bridge interface and set its IP configuration, click on the Bridge.

    Figure 12. Editing bridge interface

  4. Select the Enable Interface option in the Basic Configuration pane to enable the bridge interface.

    Figure 13. Enabling bridge interface

  5. You may select Static IPv4 or DHCP in the IPv4 Configuration Type option.

    Figure 14. Selecting IPv4 Configuration Type as Static IPv4

  6. If you select the Static IPv4 option, you must set the IPv4 address and subnet mask in the Static IPv4 configuration pane. Depending on your WAN configuration, you may add a new gateway by selecting the Default gateway option and typing its IP address in the Gateway IPv4 field.

    Figure 15. Setting IPv4 Configuration

  7. Click Save to save the bridge interface configuration.

  8. Click Apply Changes to activate the settings.

    Figure 16. Applying Bridge Configuration

5. Disable Block Private & Bogon Networks

On the WAN interface, we must deactivate the blocking of private and bogon networks. To enable private network and bogon network traffic, you may follow the next steps given below:

  1. Navigate to Interfaces → WAN on OPNsense UI.

  2. Unselect Block private networks and Block bogon networks options in the Generic Configuration pane.

    Figure 17. Enable private network and bogon network traffic on WAN interface

6. Disable the DHCP Server on LAN

To disable the DHCP server on LAN, you may follow the steps given below:

  1. Navigate to Services → DHCPv4 → [LAN] on OPNsense UI.

  2. Unselect Enable DHCP server on LAN interface.

    Figure 18. Disabling DHCP server on LAN interface

7. Firewall Rule Configuration To Allow All Traffic

This step ensures that the bridge is completely transparent, with no filtering occurring. After verifying the bridge's functionality, you may put the appropriate rules in place.

To add a rule per interface for allowing all traffic of any type, you may follow the next steps:

  1. Go to Firewall → Rules on OPNsense UI, select the Bridge interface, and click the + Add button to add a rule.

    Figure 19. Adding Firewall Rule on Bridge interface

  2. Select Pass for Action option.

  3. Select in for Direction option.

  4. Select any for Protocol option.

  5. Select any for Source option.

    Figure 20. Creating Firewall Rule on Bridge interface to Allow All Incoming Traffic-1

  6. Select any for Destination option.

  7. Enable Log packets that are handled by this rule for Log option.

  8. Type Allow All for Description option.

    Figure 21. Creating Firewall Rule on Bridge interface to Allow All Incoming Traffic-2

  9. Click Save and then click Apply Changes to activate the configuration.

  10. Define a firewall rule on LAN interface as explained in steps 7.2-7.9.

    Figure 22. Creating Firewall Rule on LAN interface to Allow All Incoming Traffic

  11. Define a firewall rule on WAN interface as explained in steps 7.2-7.9.

    Figure 23. Creating Firewall Rule on WAN interface to Allow All Incoming Traffic

8. Disable Default Anti Lockout Rule

After configuring the bridge, member interface (WAN/LAN) rules will be disregarded. Therefore, you may skip this step. As each interface now has permit rules in place, we can safely remove the Anti-Lockout rule from the LAN by following the next steps.

  1. Navigate to Firewall → Settings → Advanced on OPNsense UI.

  2. Unselect Disable anti-lockout option.

    Figure 24. Disable anti-lockout rule

9. Set LAN and WAN Interface IPv4 Configuration to none

To remove the IP address in use for LAN and WAN, you may follow the next steps:

  1. Go to Interfaces → [LAN] on OPNsense UI.

  2. Select None for the IPv4 Configuration Type.

  3. Click Save.

    Figure 25. Setting IPv4 Configuration Type to None for LAN

  4. Go to Interfaces → [WAN] on OPNsense UI.

  5. Select None for the IPv4 Configuration Type.

  6. Click Save.

    Figure 26. Setting IPv4 Configuration Type to None for WAN

  7. Click Apply Changes to activate the configuration.

10. Adding Firewall Rules

Now you have a filtering bridge and can configure your firewall rules on the bridge interface.

tip

Rules on member interfaces of the bridge are disregarded. You should define filtering rules on the newly created bridge interface, Bridge0.
