OPNsense Transparent Filtering Bridge

Views: 7,661

Home Network Guy

1 day ago

Comments: 74
@jaimev8304 1 month ago
Thanks for the Gateway MGMT setup. This was very helpful.
@homenetworkguy 1 month ago
You’re welcome!
@seanball2002 28 days ago
That Gateway setup is a big help.
@homenetworkguy 28 days ago
I’m glad it was helpful!
@karlgimmedatforfreemarx 26 days ago
The tip about OPNsense needing to use the router as DNS was a big help, man, it has been driving me crazy! 😅
@karlgimmedatforfreemarx 26 days ago
Thank you!
@homenetworkguy 26 days ago
I’m glad that was helpful!
@karlgimmedatforfreemarx 26 days ago
@@homenetworkguy Anytime. Glad I found you and your website. The explanation here was well structured, clear, and thorough. Now using your website to troubleshoot other issues! Great stuff.
@homenetworkguy 26 days ago
@@karlgimmedatforfreemarx Thanks! I'm working on a written version of this transparent filtering bridge. It just takes time for the topics which have a lot more technical details included.
@drbyte2009 1 month ago
Great that you made this video. I also requested this. Thanks a lot!!!
@homenetworkguy 1 month ago
I hope you like it! I couldn't ignore the requests any longer and had to do a video on it. Haha.
@drbyte2009 1 month ago
@@homenetworkguy I am going to install OPNsense this weekend (in Proxmox) following your explanation. 👍
@Glasairmell 1 month ago
Awesome presentation. You mentioned you may update your OPNsense setup guide. That would be wonderful to review. Thanks for all your efforts.
@homenetworkguy 1 month ago
Thanks! Yeah, I want to use a slightly different network architecture and different hardware than the first guide. I’ve improved video/audio quality enough and have more practice creating videos that it is worth updating it (not to mention new versions of OPNsense, etc.). I also have more devices to use in a lab environment, which helps make it much easier to create guides.
@Glasairmell 1 month ago
@@homenetworkguy Perhaps you could include the proper security blend to use. As in turning on intrusion protection (which may be Suricata) using Suricata, CrowdSec and Zenarmor. Also how Pi-hole fits in to all those choices.
@homenetworkguy 1 month ago
Yeah, I may include some of those topics, but I also need to balance the length of the video and keep it focused on specific things without getting off on too many other topics.
@colinsrin4533 27 days ago
This guide is so much better than some other guides available and probably the one that most non-network guys need to get up and running. Setting up a MGMT interface is so much better than adding those allow rules. I did get stuck on the MGMT firewall rule but got past it in the end. Good job on this! I have a question. Do we need to do anything about the private and bogon IPs, as it was disabled in the WAN settings?
@homenetworkguy 27 days ago
Thanks! My goal was to show an alternate way to set up a dedicated MGMT interface to prevent lockout. You don’t need to worry about the private IPs and bogons for the transparent bridge because that should be dealt with by the existing router on your network. The transparent bridge is not acting as your primary router but just as a firewall filtering traffic on your network.
@PocketRocket-u2r 1 month ago
I've just leaped over to OPNsense and your vids have been very helpful indeed. Also your website is awesome. Thank you. I've been thinking about setting up a 2nd OPNsense unit behind my main production unit, to use for testing in my homelab so I don't mess up my home's access... is this the kind of setup I should use?
@homenetworkguy 1 month ago
Thanks! I'm glad it has been very helpful! I need to get back to updating my website because I've been focused more on building up my YouTube channel this year. I am planning to make a written version of this guide at some point. As for your lab, it depends on what you would like to do. If you set up OPNsense like in this guide, you'd basically just have a 2nd firewall on your lab network (assuming you have all of your security protections enabled on the primary router). The setup in this guide is recommended if you want to keep your UniFi gateway device or your ISP router, etc., but have additional firewall/security on your network. Personally, for experimentation, I think it would be better to have a standard OPNsense installation so that you can build an entire network behind the second router as a playground. I do something similar to this. I have a LAB VLAN where I can put a second router for demos/guides such as this one. I basically use the LAB VLAN as my "WAN" network where I connect the WAN interface of the devices I'm testing. It has a different IP address than the default 192.168.1.0/24 network that many routers default to, so it doesn't interfere with testing out devices on my internal network. I also turn off my security protections such as Zenarmor on the LAB VLAN so I can test out running Zenarmor and other services on my LAB network. It is definitely great to have a dedicated area to play around in because it keeps the main network stable for the family and working from home, etc.
@PocketRocket-u2r 1 month ago
@@homenetworkguy Ok, thank you... Seems like I need to do some more research/reading.
@caedis_ 1 month ago
If I had to guess, it was Dave's Garage who introduced the feature to a lot of people.
@homenetworkguy 1 month ago
Yes, that's when I noticed a huge increase in requests for this sort of configuration.
@vidge1111 26 days ago
Yes, and a lot of people got locked out of their FW because of it, lol.
@homenetworkguy 26 days ago
@@vidge1111 Yeah, if you’re not careful it’s easy to get locked out of the web interface when reconfiguring interfaces.
@rdottwordottwo2286 1 month ago
I purchased a Protectli 4 port device sitting on my desk. It was originally purchased as a replacement router with OPNsense. I decided to use the Protectli as an OPNsense transparent filtering bridge. I created a three port bridge. I found the procedure on Zenarmor. It let me pass traffic, but I was not sure what to do next. Thanks for the video.
@homenetworkguy 1 month ago
You’re welcome! Glad it helped you configure Zenarmor on the bridge!
@clydebryant2665 6 hours ago
This is an excellent video on configuring a transparent bridge with an admin port. However, I’m curious about how I would access the internet for updates when the bridge is situated between the ISP modem and my router. Your insights would be invaluable.
@homenetworkguy 5 hours ago
It would be the same as configured in the video because I placed the MGMT interface on the LAN network of the existing network. The configured gateway/DNS in OPNsense uses the interface IP of the LAN interface of the main router on your network, so OPNsense can access the Internet. In fact, once the MGMT interface is configured and accessible from the LAN network of your existing network, you can put your transparent filtering bridge between any 2 devices on your network!
@thomasbarratt5333 1 month ago
Hey! Thanks for such an in-depth tutorial. Everything was going well up to the point we started to place the filtering bridge between devices. Halfway through the tutorial I realised my desired setup was different to yours, and maybe that's why it's failing. I'm trying to add a filtering bridge between my bridged ISP router and my mesh router. When I add the bridge, the mesh router complains of no connection.
@homenetworkguy 1 month ago
You’re welcome! Once you get the bridge working, you can place it between any 2 devices on the network. I tested it before the router and between 2 PCs (not in the video, but when I was learning). Try getting it working with 2 other systems first, and then you should be able to use it anywhere else since it should allow all traffic to pass through (assuming it’s not being blocked via firewall rules or other security features).
@thomasbarratt5333 23 days ago
@@homenetworkguy Thanks for responding to my message! It might be a VM issue. In Hyper-V you need to enable MAC address spoofing to allow traffic to pass through the LAN and WAN NICs (bridge). I've also read that firewall rules need to be applied for in and out on all interfaces.
@thomasbarratt5333 17 days ago
@@homenetworkguy So I figured it out! The issue was with Hyper-V and the virtual switch setting: I needed to enable MAC address spoofing! Thanks for the tutorial!
@drbyte2009 1 month ago
Can you also make a video about this, but with OPNsense running in Proxmox?
@homenetworkguy 1 month ago
I have done a video on setting up OPNsense on Proxmox, but not in a transparent bridge, of course. I could consider it for a future idea. The concept should be the same, but it would be a matter of setting up the network interfaces in Proxmox as bridged interfaces or PCIe passthrough. Once you understand how networking in Proxmox works and how OPNsense works, it helps when combining the two concepts.
@drbyte2009 1 month ago
@@homenetworkguy I will take a look at your Proxmox video and see if I get it working 🙂
@drbyte2009 1 month ago
@@homenetworkguy I managed to get this setup working in Proxmox 🙂🙂 Thanks a lot!!!!
@homenetworkguy 1 month ago
Glad you got it working!
@eijisawakita 1 month ago
Will you be able to do this on a trunk port with multiple VLANs?
@homenetworkguy 1 month ago
Yes. That’s basically what I did in the video: connected the transparent filtering bridge between the router and switch with VLANs configured. I showed connecting my phone that was on a different VLAN, and you can see that ads were being blocked in the live logs of Zenarmor.
@eijisawakita 1 month ago
@@homenetworkguy Thanks, I didn't notice that. I was trying this setup using Sophos UTM as a transparent bridge inside a VM, but I couldn't. My next question is, with this setup, can Zenarmor do different profiles for different subnets inside the trunk port?
@homenetworkguy 1 month ago
Since the VLANs aren’t configured in OPNsense in a transparent bridge configuration, you won’t be able to select the VLANs in the Zenarmor policies, but you should be able to specify IP address and network IP address ranges in the policies. I haven’t tested that out but I don’t foresee any issues doing that since Zenarmor can see all of the traffic flowing through the bridge.
@EmperorTerran 1 month ago
Was there some configuration done on the Grandstream router to let through remote IP addresses or something? Cuz I remember I failed to deploy OPNsense with geoblocking where the WAN side was my main MikroTik router's LAN side, because source IPs were my MikroTik router IP. Or maybe I misremember it, but I think that was the problem.. so no geoblocking.
@homenetworkguy 1 month ago
A transparent bridge should allow all traffic through (with the appropriate configuration) as though it wasn’t even there, and then you can apply rules/services on the bridge to do any necessary filtering. I didn’t do any special configuration on the Grandstream router, and I could access the Internet fine until I did the example block rule, which prevented access until I removed it. I didn’t try geo blocking, but I wouldn’t foresee issues there with how I configured the transparent filtering bridge.
@e7bk 1 month ago
Did you test any WiFi 7 or 6 PCIe on Proxmox?
@homenetworkguy 1 month ago
Are you referring to using a PCIe card for Proxmox? I typically stick to wired connections within my server rack. I suppose I could try it on one of my systems. As long as it has driver support in Debian (the underlying OS of Proxmox), I imagine it should work fine.
@jeffreyooi1971 29 days ago
Can Zenarmor block YouTube advertisements?
@homenetworkguy 29 days ago
I’m not sure that it blocks them, because YouTube makes that challenging to do with simple DNS blocks. However, DNS blocks work for many other ads. Many users like to use the Brave web browser or a web browser plugin for blocking YouTube ads. I sympathize with the desire to block ads, but as a content creator, it helps me if you don’t block them. 😉
@flatlandhilljack9244 20 days ago
What do I do if after following your directions I cannot log in via the mgmt port?
@homenetworkguy 20 days ago
Hmm, you should be able to log in once you create a second interface (assuming the IPs don’t overlap with the default LAN interface in OPNsense, a static IP is set that doesn’t conflict with any device on your primary network, and the appropriate default firewall rules are created on the MGMT interface). You would have to disconnect/reconnect your PC/laptop to get a new IP address, etc.
@flatlandhilljack9244 20 days ago
I’ll triple check the settings tomorrow, but I know IPs don’t overlap. I can see the device from my router’s GUI but I can’t get to the IP address. I must have missed something in my settings.
@flatlandhilljack9244 20 days ago
I went back and double checked everything. It’s exactly like yours except the last digits of the IP are different to avoid conflict with something else that already had .99. The device shows up on my main router, but I can’t even connect to that port if I connect directly to it with the laptop. What am I missing?
@homenetworkguy 20 days ago
Hmm, with the static IP configuration of the MGMT interface, you won’t be able to plug directly into it to manage it because DHCP is not enabled on that interface (intentionally, because the idea is to plug the MGMT interface into your existing network, so you don’t want 2 DHCP servers enabled). I’m not sure what could be the problem if you have both the MGMT interface (configured as a static IP) and your PC connected to your existing network (both being on the same network). Also, I’m assuming you have the firewall rules set up on the MGMT interface as well, because by default it will deny all traffic, which will prevent you from accessing the interface.
@flatlandhilljack9244 20 days ago
I followed your instructions to the letter, even doing a fresh install, going through creating all of the rules for the firewall and then plugging it into my existing network. It shows up in the list of clients on my network, but I can’t get to the IP I assigned with two different laptops and an iPad that are connected to that same network.
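A pre-flight check for the MGMT interface conditions the author lists in the exchange above (no overlap with OPNsense's default LAN, a static address on the existing network that nothing else uses, gateway/DNS pointing at the existing router, and pass rules on the otherwise default-deny MGMT interface), added here as an example that is not code from the video or from any commenter. The addresses, the in-use list and the rule dictionaries are constructed sample data, and the function names and rule field names are assumptions of this example.

```python
import ipaddress

# A fresh OPNsense install puts its LAN interface on 192.168.1.0/24; the thread
# says the MGMT address must not overlap it (assumes the default is unchanged).
OPNSENSE_DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")


def check_mgmt_config(mgmt_cidr, router_ip, dns_ip, in_use, rules):
    """Return a list of problems; an empty list means no lockout cause was found.

    mgmt_cidr : static MGMT address with prefix, e.g. "192.168.10.98/24"
    router_ip : LAN IP of the existing router, used as the OPNsense gateway
    dns_ip    : DNS server configured in OPNsense
    in_use    : addresses already taken on the existing LAN (constructed list)
    rules     : MGMT firewall rules as dicts (constructed field names)
    """
    problems = []
    mgmt = ipaddress.ip_interface(mgmt_cidr)
    router = ipaddress.ip_address(router_ip)

    if mgmt.network.overlaps(OPNSENSE_DEFAULT_LAN):
        problems.append("MGMT subnet overlaps the default OPNsense LAN 192.168.1.0/24")
    if router not in mgmt.network:
        problems.append("gateway %s is not on the MGMT subnet %s" % (router, mgmt.network))
    if ipaddress.ip_address(dns_ip) != router:
        problems.append("DNS is not the existing router's LAN IP, which the working setup uses")
    if mgmt.ip in (ipaddress.ip_address(a) for a in in_use):
        problems.append("MGMT address %s is already used by another device" % mgmt.ip)

    # The MGMT interface denies everything by default, so at least one pass
    # rule on MGMT that lets clients reach the firewall itself is required.
    allows_ui = any(
        r["interface"] == "MGMT" and r["action"] == "pass"
        and r["destination"] in ("This Firewall", "any")
        for r in rules
    )
    if not allows_ui:
        problems.append("no pass rule on MGMT: the default deny blocks the web UI")
    return problems


def working_setup():
    """Constructed configuration in the shape the thread describes as working."""
    rules = [{"interface": "MGMT", "action": "pass", "destination": "This Firewall"},
             {"interface": "MGMT", "action": "pass", "destination": "any"}]
    return check_mgmt_config("192.168.10.98/24", "192.168.10.1", "192.168.10.1",
                             ["192.168.10.1", "192.168.10.99"], rules)


def locked_out_setup():
    """Constructed configuration that trips three of the lockout checks."""
    rules = [{"interface": "LAN", "action": "pass", "destination": "any"}]
    return check_mgmt_config("192.168.1.50/24", "192.168.1.1", "192.168.1.1",
                             ["192.168.1.1", "192.168.1.50"], rules)


if __name__ == "__main__":
    for name, fn in (("working", working_setup), ("locked out", locked_out_setup)):
        print(name, fn() or "OK")
```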
@IndyCotton 1 month ago
Make a video about only using 2 network ports.
@homenetworkguy 1 month ago
I could, but every other guide I’ve seen shows how to do it only with 2 ports. That’s another reason why I wanted to show it with 3 if you have a 3+ port device (besides the fact it’s nice to have a physical dedicated interface to manage devices).
@PeterPain 1 month ago
Great, but how to do it on Proxmox? With Suricata on in and Zenarmor on out? Plus what other VMs do I need for DNS / Bitwarden / recommended? Plus connecting to a 4 port NAS server running home automation, how to secure. + security cams, guest, VLANs. Diagram pls)
@homenetworkguy 1 month ago
That’s quite a wish list! Sounds like you want someone to build your entire network for you, haha. You can do the same process for installing OPNsense in a VM: you would need to assign the appropriate network interfaces in Proxmox (either using bridges or passing through the network interfaces). I don’t think you can set up Suricata on one interface and Zenarmor on the other because the bridge acts like a single interface. I’d have to see if that is possible, because Suricata could see the bridge interface while Zenarmor could not. There’s lots of software one could recommend running, but not all software fits everyone’s use cases the best.
@PeterPain 1 month ago
@homenetworkguy Thanks, yeah, I get the point about a bridge. Just you mentioned you can't have both due to the fight over who owns the driver. Just both together seem ideal. Other software, I guess there are typical things 80% would want. I'll have a play and try to work out some kind of Zenarmor + Suricata alternative. Excellent vids and site BTW. Thx
@homenetworkguy 1 month ago
Thanks! Glad you like the videos and website! It might be possible to put Suricata on one of the 2 bridge interfaces and Zenarmor on the other. I just didn't test that scenario to see if it would work since I was thinking about the single bridged interface (not knowing how the bridge could impact other services running on the physical interfaces that are part of the bridge. The OPNsense documentation states the firewall rules are ignored on the underlying interfaces, so I am curious what other things may not work as you might expect when you have set up a bridge). I just know you definitely can't do both services on the same bridge interface (just like any other physical interface) because the bridge acts like a single interface. However, it could possibly work if you do it on the underlying physical interfaces of the bridge. If you want to run both services, you might be better off using OPNsense in a standard WAN/LAN configuration rather than a transparent filtering bridge, assuming running both services doesn't work using the underlying interfaces of the transparent bridge. When using both Suricata and Zenarmor, it takes a tremendous amount of CPU resources depending on the amount of throughput you want to have (partially due to how netmap is implemented in OPNsense, since it doesn't take advantage of all of the CPU cores). I personally don't find as much value in Suricata because I don't have a lot of time to spend tweaking the rulesets (you can blindly enable everything, but that increases CPU processing and lowers throughput). Also, there's not a good built-in way to view all of the alerts, so you have to dig through a bunch of logs or export the data into a tool to attempt to view the data aggregated in a useful way (which may not necessarily be trivial unless you can find some good pre-built solutions). The free rules are 30 days out of date, so it doesn't help with new threats/vulnerabilities.
@yalexca51 1 month ago
Great and useful video. If I need to place OPNsense between the modem and router, will the MGMT interface configuration be the same?
@homenetworkguy 1 month ago
Thanks! Yes, but if you put it between the modem and router, everything will appear to originate from or be destined for the public WAN IP. This is not an issue per se, but you won’t have visibility on which device on your network the traffic is originating from. Also, you won’t be able to block access between anything within your network. It would only be able to block/protect traffic on the edge of your network. If you are ok with those caveats, the configuration in this video should work! I actually tested this bridge between 2 computers so I could do speed tests. The Intel N5105 CPU is capable of 1.6-2 Gbps with Zenarmor running, for example.