Transparent Filtering Bridge
Warning
The Transparent Filtering Bridge is not compatible with Traffic Shaping. Do not enable the traffic shaper when using the filtering bridge.
Abstract
A transparent firewall can be used to filter traffic without creating different subnets. This application is called a filtering bridge, as it acts as a bridge connecting two interfaces and applies filtering rules on top of this.
For more information on Filtering Bridges on FreeBSD, see filtering-bridges
Requirements
- For this howto we need a basic installation of OPNsense with factory defaults as a starting point.
- And an appliance with 2 physical interfaces.
Considerations
To create this howto, OPNsense version 15.7.11 has been used. Some screenshots may be outdated, but the settings should apply up to at least 17.1.6. If you use a different version, some options can be different.
Note
The menu system of the user interface has been updated with sub items. Where tabs are shown in screenshots, these are now likely visible as submenu items.
Configuration in 10 easy steps
- 1. Disable Outbound NAT rule generation
- 2. Change system tuneables
- 3. Create the bridge
- 4. Assign a management IP/Interface
- 5. Disable Block private networks & bogon
- 6. Disable the DHCP server on LAN
- 7. Add Allow rules
- 8. Disable Default Anti Lockout Rule
- 9. Set LAN and WAN interface type to ‘none’
- 10. Now apply the changes
Warning
During the configuration you will be asked to “Apply” your changes several times, however this may affect the current connection. So don’t apply anything until completely finished! You need to Save your changes for each step.
1. Disable Outbound NAT rule generation
To disable outbound NAT, go to Firewall -> NAT -> Outbound: Disable Outbound NAT rule generation
2. Change system tuneables
Enable the filtering bridge by changing net.link.bridge.pfil_bridge from default to 1 in System -> Settings -> System Tuneables.
Then disable filtering on the member interfaces by changing net.link.bridge.pfil_member from default to 0 in System -> Settings -> System Tuneables.
3. Create the bridge
Create a bridge of LAN and WAN: go to Interfaces -> Other Types -> Bridge: Add, then select LAN and WAN.
4. Assign a management IP/Interface
To be able to configure and manage the filtering bridge (OPNsense) afterwards, we need to assign a new interface to the bridge and set up an IP address on it.
Go to Interfaces -> Assign -> Available network ports, select the bridge from the list and hit +.
Now add the IP address you would like to use to manage the bridge: go to Interfaces -> OPT1, enable the interface and fill in the IP address/netmask.
5. Disable Block private networks & bogon
For the WAN interface we need to disable the blocking of private networks and bogon IPs.
Go to Interfaces -> WAN and unselect Block private networks and Block bogon networks.
6. Disable the DHCP server on LAN
To disable the DHCP server on LAN, go to Services -> DHCP Server -> LAN and unselect Enable.
7. Add Allow rules
Note: once the bridge is configured, the rules on the member interfaces (WAN/LAN) are ignored, so you can skip this step.
Add allow rules for all traffic on each of the three interfaces (WAN/LAN/OPT1).
This step ensures we have a fully transparent bridge without any filtering taking place. You can set up the correct rules once you have confirmed that the bridge works properly.
Go to Firewall -> Rules and add a rule per interface that allows all traffic of any type.
8. Disable Default Anti Lockout Rule
Note: once the bridge is configured, the rules on the member interfaces (WAN/LAN) are ignored, so you can skip this step.
As we have now set up allow rules for each interface, we can safely remove the Anti Lockout rule on LAN.
Go to System -> Settings -> Admin Access: Anti-lockout and select the option to disable it.
9. Set LAN and WAN interface type to ‘none’
Now remove the IP subnets in use for LAN and WAN by changing the interface type to none. Go to Interfaces -> LAN and Interfaces -> WAN to do so.
10. Now apply the changes
If you followed each step, you can now apply the changes. The firewall is now converted to a filtering bridge.
Done, ready to set your own filtering rules
Now you can create the correct firewall/filter rules and apply them. To access the firewall you need to use the IP address you configured for the OPT1 interface.
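Before switching to real filter rules it is worth confirming from the firewall's shell that steps 2 and 3 actually took effect, since with pfil_bridge left at 0 no bridge rule is enforced at all. The following script is an added example, not part of the OPNsense documentation; the interface names em0/em1 and the bridge0 name are assumptions, and the sample output is constructed to mimic FreeBSD sysctl and ifconfig formatting.

```shell
#!/bin/sh
# Added verification helper, not part of the OPNsense docs. It checks the two
# tunables from step 2 and the bridge membership from step 3 on the firewall.
# Parsing reads text from stdin so the same functions can be exercised
# against the constructed sample output below.

# Pass sysctl output in "name: value" form (FreeBSD default format). Succeeds
# only when pfil_bridge=1 (rules enforced on the bridge) and pfil_member=0
# (rules on the WAN/LAN members skipped); prints a line per deviation.
check_pfil_tunables() {
    awk -F': *' '
        $1 == "net.link.bridge.pfil_bridge" { bridge = $2 }
        $1 == "net.link.bridge.pfil_member" { member = $2 }
        END {
            ok = 1
            if (bridge != "1") { ok = 0; print "pfil_bridge=" bridge ", expected 1" }
            if (member != "0") { ok = 0; print "pfil_member=" member ", expected 0" }
            if (!ok) exit 1
        }'
}

# Extract the "member: <ifname>" lines from "ifconfig bridge0" output, sorted
# and space-separated, so the result can be compared with the expected pair.
bridge_members() {
    awk '$1 == "member:" { print $2 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample output (interface names are assumptions) mimicking a
# FreeBSD box with the tunables set and LAN/WAN bridged.
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_onlyip: 0'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# Query the live system only when asked (./check_bridge.sh --live); otherwise
# run against the sample so the script also works away from the firewall.
if [ "${1-}" = "--live" ]; then
    sysctl net.link.bridge | check_pfil_tunables && echo "tunables ok"
    echo "bridge0 members: $(ifconfig bridge0 | bridge_members)"
else
    printf '%s\n' "$SAMPLE_SYSCTL" | check_pfil_tunables && echo "tunables ok"
    echo "bridge0 members: $(printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_members)"
fi
```

Run it with --live on the OPNsense box after step 10; a non-zero exit from the tunables check means the bridge would pass traffic without the bridge rules being applied.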
Warning
Rules need to be configured on the bridge. Rules on member interfaces will be ignored!
Tip
Don’t forget to make sure your PC/laptop is configured with an IP address that falls within the IP range of the OPT1 subnet!