The tip about OPNsense needing to use the router as DNS was a big help, man it has been driving me crazy! 😅
Thank you!
I’m glad that was helpful!
@@homenetworkguy Anytime. Glad I found you and your website. The explanation here was well structured, clear, and thorough . Now using your website to troubleshoot other issues! Great stuff
@@karlgimmedatforfreemarx Thanks! I'm working on a written version of this transparent filtering bridge. It just takes time for the topics which have a lot more technical details included.
Thanks for the Gateway MGMT setup. This was very helpful.
You’re welcome!
That Gateway setup is a big help
I’m glad it was helpful!
This guide is so much better than some other guides available and probably the one that most non-network guys need to get up and running. Setting up a MGMT interface is so much better than adding those allow rules. I did get stuck on the MGMT firewall rule but got past it in the end. Good job on this! I have a question: do we need to do anything about the private and bogon IPs, as that was disabled in the WAN settings?
Thanks! My goal was to show an alternate way to set up a dedicated MGMT interface to prevent lockout.
You don’t need to worry about the private IPs and bogons for the transparent bridge because that should be dealt with by the existing router on your network. The transparent bridge is not acting as your primary router but just as a firewall filtering traffic on your network.
If I had to guess, it was Dave's Garage who introduced the feature to a lot of people.
Yes, that's when I noticed a huge increase in requests for this sort of configuration.
Yes, and a lot of people got locked out of their firewall because of it, lol.
@vidge1111 Yeah, if you’re not careful it’s easy to get locked out of the web interface when reconfiguring interfaces.
Great that you made this video. I also requested this. Thanks a lot!!!
I hope you like it! I couldn't ignore the requests any longer and had to do a video on it. haha.
@homenetworkguy I am going to install OPNsense this weekend (in Proxmox) following your explanation. 👍
I purchased a Protectli 4-port device that is sitting on my desk. It was originally purchased as a replacement router with OPNsense. I decided to use the Protectli as an OPNsense transparent filtering bridge. I created a three-port bridge. I found the procedure on Zenarmor. It let me pass traffic, but I was not sure what to do next. Thanks for the video.
You’re welcome! Glad it helped you configure Zenarmor on the bridge!
Hey! Thanks for such an in-depth tutorial. Everything was going well up to the point where we started to place the filtering bridge between devices.
Halfway through the tutorial I realised my desired setup was different to yours, and maybe that's why it's failing. I'm trying to add a filtering bridge between my bridge ISP router and my mesh router. When I add the bridge, the mesh router complains of no connection.
You’re welcome! Once you get the bridge working, you can place it between any 2 devices on the network. I tested it before the router and between 2 PCs (not in the video but when I was learning). Try getting it working with 2 other systems first and then you should be able to use it anywhere else since it should allow all traffic to pass through (assuming it’s not being blocked via firewall rules or other security features).
@homenetworkguy Thanks for responding to my message! It might be a VM issue. In Hyper-V you need to enable MAC address spoofing to allow traffic to pass through the LAN and WAN NICs (bridge). I've also read that firewall rules need to be applied for in and out on all interfaces.
@homenetworkguy So I figured it out! The issue was with Hyper-V and the virtual switch setting: I needed to enable MAC address spoofing! Thanks for the tutorial!
Awesome presentation. You mentioned you may update your OPNsense setup guide. That would be wonderful to review. Thanks for all your efforts.
Thanks! Yeah, I want to use a slightly different network architecture and different hardware than the first guide. I’ve improved video/audio quality enough and have more practice creating videos that it is worth updating it (not to mention new versions of OPNsense, etc.). I also have more devices to use in a lab environment, which helps make it much easier to create guides.
@homenetworkguy Perhaps you could include the proper security blend to use. As in turning on intrusion protection (which may be Suricata) using Suricata, CrowdSec and Zenarmor. Also how Pi-hole fits in to all those choices.
Yeah, I may include some of those topics, but I also need to balance the length of the video and keep it focused on specific things without getting off on too many other topics.
I've just leaped over to OPNsense and your vids have been very helpful indeed. Also your website is awesome. Thank you.
I've been thinking about setting up a 2nd OPNsense unit behind my main production unit, to use for testing in my homelab so I don't mess up my home's access... is this the kinda setup I should use?
Thanks! I'm glad it has been very helpful! I need to get back to updating my website because I've been focused more on building up my YouTube channel this year. I am planning to make a written version of this guide at some point.
As for your lab, it depends on what you would like to do. If you set up OPNsense like in this guide, you'd basically just have a 2nd firewall on your lab network (assuming you have all of your security protections enabled on the primary router). The setup in this guide is recommended if you want to keep your UniFi gateway device or your ISP router, etc., but have additional firewall/security on your network.
Personally, for experimentation, I think it would be better to have a standard OPNsense installation so that you can build an entire network behind the second router as a playground. I do something similar to this. I have a LAB VLAN where I can put a second router for demos/guides such as this one. I basically use the LAB VLAN as my "WAN" network where I connect the WAN interface of the devices I'm testing. It has a different IP address than the default 192.168.1.0/24 network that many routers default to, so it doesn't interfere with testing out devices on my internal network. I also turn off my security protections such as Zenarmor on the LAB VLAN so I can test out running Zenarmor and other services on my LAB network.
It is definitely great to have a dedicated area to play around in because it keeps the main network stable for the family and working from home, etc.
@homenetworkguy Ok, thank you... Seems like I need to do some more research/reading.
Can you also make a video about this, but then with OPNsense running in Proxmox?
I have done a video with setting up OPNsense on Proxmox but not in a transparent bridge, of course. I could consider it for a future idea. The concept should be the same but it would be a matter of setting up the network interfaces in Proxmox as bridged interfaces or PCIe passthrough. Once you understand how networking in Proxmox works and how OPNsense works, it helps when combining the two concepts.
@homenetworkguy I will take a look at your Proxmox video and see if I get it working 🙂
@homenetworkguy I managed to get this setup working in Proxmox 🙂🙂 Thanks a lot!!!!
Glad you got it working!
Will you be able to do this on a trunk port with multiple VLANs?
Yes. That’s basically what I did in the video: I connected the transparent filtering bridge between the router and switch with VLANs configured. I showed connecting my phone that was on a different VLAN, and you can see that ads were being blocked in the live logs of Zenarmor.
@homenetworkguy Thanks, I didn't notice that. I was trying this setup using Sophos UTM as a transparent bridge inside a VM, but I couldn't. My next question is, with this setup, can Zenarmor do different profiles for different subnets inside the trunk port?
Since the VLANs aren’t configured in OPNsense in a transparent bridge configuration, you won’t be able to select the VLANs in the Zenarmor policies, but you should be able to specify IP address and network IP address ranges in the policies. I haven’t tested that out but I don’t foresee any issues doing that since Zenarmor can see all of the traffic flowing through the bridge.
Was there some configuration done on the Grandstream router to let through remote IP addresses or something? Cuz I remember I failed to deploy OPNsense with geoblocking where the WAN side was my main MikroTik router's LAN side, because the source IPs were my MikroTik router IP. Or maybe I misremember it, but I think that was the problem.. so no geoblocking.
A transparent bridge should allow all traffic through (with the appropriate configuration) as though it wasn’t even there, and then you can apply rules/services on the bridge to do any necessary filtering. I didn’t do any special configuration on the Grandstream router, and I could access the Internet fine until I did the example block rule, which prevented access until I removed it. I didn’t try geoblocking, but I wouldn’t foresee issues there with how I configured the transparent filtering bridge.
Can Zenarmor block YouTube advertisements?
I’m not sure that it blocks them because YouTube makes that challenging to do with simple DNS blocks. However, DNS blocks do work for many other ads.
Many users like to use the Brave web browser or a web browser plugin for blocking YouTube ads.
I sympathize with the desire to block ads, but as a content creator, it helps me if you don’t block them. 😉
What do I do if, after following your directions, I cannot log in via the MGMT port?
Hmm, you should be able to log in once you create a second interface (assuming the IPs don’t overlap with the default LAN interface in OPNsense, a static IP is set that doesn’t conflict with any device on your primary network, and the appropriate default firewall rules are created on the MGMT interface). You would have to disconnect/reconnect your PC/laptop to get a new IP address, etc.
I’ll triple check the settings tomorrow, but I know the IPs don’t overlap. I can see the device from my router’s GUI, but I can’t get to the IP address. I must have missed something in my settings.
I went back and double checked everything. It’s exactly like yours except the last digits of the IP are different to avoid a conflict with something else that already had .99. The device shows up on my main router, but I can’t even connect to that port if I connect directly to it with the laptop. What am I missing?
Hmm, with the static IP configuration of the MGMT interface, you won’t be able to plug directly into it to manage it because DHCP is not enabled on that interface (intentionally, because the idea is to plug the MGMT interface into your existing network, so you don’t want 2 DHCP servers enabled).
I’m not sure what the problem could be if you have both the MGMT interface (configured with a static IP) and your PC connected to your existing network (both being on the same network). Also, I’m assuming you have the firewall rules set up on the MGMT interface as well, because by default it will deny all traffic, which will prevent you from accessing the interface.
I followed your instructions to the letter, even doing a fresh install, going through creating all of the rules for the firewall and then plugging it into my existing network. It shows up in the list of clients on my network, but I can’t get to the IP I assigned with two different laptops and an iPad that are connected to that same network.
Great, but
How to do it on Proxmox?
With Suricata on in and Zenarmor on out?
Plus what other VMs do I need for DNS / Bitwarden / recommended?
Plus connecting to a 4-port NAS server running home automation, how to secure it.
+ security cams, guest, VLANs
Diagram pls)
That’s quite a wish list! Sounds like you want someone to build your entire network for you, haha.
You can do the same process for installing OPNsense in a VM: you would need to assign the appropriate network interfaces in Proxmox (either using bridges or passing through the network interfaces).
I don’t think you can set up Suricata on one interface and Zenarmor on the other because the bridge acts like a single interface. I’d have to see if that is possible, because Suricata could see the bridge interface while Zenarmor could not.
There’s lots of software one could recommend running but not all software fits everyone’s use cases the best.
@homenetworkguy Thanks, yeah, I get the point about a bridge. Just you mentioned you can't have both due to the fight over who owns the driver.
Just both together seem ideal.
Other software, I guess there are typical things 80% would want.
I'll have a play and try to work out some kind of Zenarmor + Suricata alternative.
Excellent vids and site BTW. Thx
Thanks! Glad you like the videos and website!
It might be possible to put Suricata on one of the 2 bridge interfaces and Zenarmor on the other. I just didn't test that scenario to see if it would work since I was thinking about the single bridged interface (not knowing how the bridge could impact other services running on the physical interfaces that are part of the bridge; the OPNsense documentation states the firewall rules are ignored on the underlying interfaces, so I am curious what other things may not work as you might expect when you have set up a bridge).
I just know you definitely can't do both services on the same bridge interface (just like any other physical interface) because the bridge acts like a single interface. However, it could possibly work if you do it on the underlying physical interfaces of the bridge. If you want to run both services, you might be better off using OPNsense in a standard WAN/LAN configuration rather than a transparent filtering bridge, assuming running both services doesn't work using the underlying interfaces of the transparent bridge.
When using both Suricata and Zenarmor, it takes a tremendous amount of CPU resources depending on the amount of throughput you want to have (partially due to how netmap is implemented in OPNsense since it doesn't take advantage of all of the CPU cores).
I personally don't find as much value in Suricata because I don't have a lot of time to spend tweaking the rulesets (you can blindly enable everything, but that increases CPU processing and lowers throughput). Also, there's not a good built-in way to view all of the alerts, so you have to dig through a bunch of logs or export the data into a tool to attempt to view the data aggregated in a useful way (which may not necessarily be trivial unless you can find some good pre-built solutions). The free rules are 30 days out of date, so they don't help with new threats/vulnerabilities.
Great and useful video. If I need to place OPNsense between the modem and router, will the MGMT interface configuration be the same?
Thanks! Yes, but if you put it between the modem and router, everything will appear to originate from or be destined for the public WAN IP. This is not an issue per se, but you don’t have visibility into which device on your network the traffic is originating from. Also, you won’t be able to block access between anything within your network. It would only be able to block/protect traffic on the edge of your network. If you are ok with those caveats, the configuration in this video should work! I actually tested this bridge between 2 computers so I could do speed tests. The Intel N5105 CPU is capable of 1.6-2 Gbps with Zenarmor running, for example.
Did you test any Wi-Fi 7 or 6 PCIe on Proxmox?
Are you referring to using a PCIe card for Proxmox? I typically stick to wired connections within my server rack. I suppose I could try it on one of my systems. As long as it has driver support in Debian (the underlying OS of Proxmox), I imagine it should work fine.
Make a video about only using 2 network ports.
I could, but every other guide I’ve seen shows how to do it only with 2 ports. That’s another reason why I wanted to show it with 3 if you have a 3+ port device (besides the fact that it’s nice to have a physical dedicated interface to manage devices).