diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_1.png b/source/manual/how-tos/images/Filtering_Bridge_Step_1.png deleted file mode 100644 index 9f0f10be..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_1.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_2.png b/source/manual/how-tos/images/Filtering_Bridge_Step_2.png deleted file mode 100644 index ca231d9d..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_2.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_2a.png b/source/manual/how-tos/images/Filtering_Bridge_Step_2a.png deleted file mode 100644 index 6aecd81b..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_2a.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_3a.png b/source/manual/how-tos/images/Filtering_Bridge_Step_3a.png deleted file mode 100644 index 92e02b81..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_3a.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_3b.png b/source/manual/how-tos/images/Filtering_Bridge_Step_3b.png deleted file mode 100644 index 53061fc1..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_3b.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_4.png b/source/manual/how-tos/images/Filtering_Bridge_Step_4.png deleted file mode 100644 index 826255e4..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_4.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_5.png b/source/manual/how-tos/images/Filtering_Bridge_Step_5.png deleted file mode 100644 index 805e6b75..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_5.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_6.png b/source/manual/how-tos/images/Filtering_Bridge_Step_6.png deleted file mode 100644 index 38930617..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_6.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_7.png b/source/manual/how-tos/images/Filtering_Bridge_Step_7.png deleted file mode 100644 index 07355f10..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_7.png and /dev/null differ diff --git a/source/manual/how-tos/images/Filtering_Bridge_Step_9.png b/source/manual/how-tos/images/Filtering_Bridge_Step_9.png deleted file mode 100644 index 424e46d2..00000000 Binary files a/source/manual/how-tos/images/Filtering_Bridge_Step_9.png and /dev/null differ diff --git a/source/manual/how-tos/transparent_bridge.rst b/source/manual/how-tos/transparent_bridge.rst index 2c28a4b8..f5cb49fa 100644 --- a/source/manual/how-tos/transparent_bridge.rst +++ b/source/manual/how-tos/transparent_bridge.rst @@ -1,206 +1,176 @@ - ============================ Transparent Filtering Bridge ============================ -------- -Warning -------- -The Transparent Filtering Bridge is not compatible with Traffic Shaping. -Do not enable the traffic shaper when using the filtering bridge. +.. contents:: Index --------- -Abstract --------- -A transparent firewall can be used to filter traffic without creating -different subnets. This application is called filtering bridge as it -acts as a bridge connection two interfaces and applies filtering rules -on top of this. +Introduction +============================ + +A transparent firewall can be used to filter traffic without creating different subnets. +The firewall bridges the same layer 2 broadcast domain across two or more ports. +If a VLAN trunk is connected, any VLAN tagged frames will be bridged transparently. + +This setup can be used to filter via firewall rules and use IDS/IPS to inspect all packets +via a netmap driver. For more information on Filtering Bridged on FreeBSD, see `filtering-bridges `__ ------------- +.. Attention:: + + The bridge is not compatible with `Traffic Shaping`. + +.. Attention:: + + When vlan tagged frames should be passed through, do not create any vlans on the member ports of the bridge. + Otherwise, vlan tagged frames would be filtered and the bridge would not be transparent anymore. + + Requirements ------------- +---------------------------- -- For this howto we need a basic installation of OPNsense with factory - defaults as a starting point. -- And an appliance with 2 physical interfaces. +For best compatibility and performance, a bare metal appliance with at least 3 physical ports should be used. +A virtualized appliance could also work, but there could be elusive layer 2 issues with bridging or vlans. --------------- -Considerations --------------- +.. Attention:: -To create this howto version OPNsense 15.7.11 has been used. Some screenshots -maybe outdated, but setting should apply up to at least 17.1.6. If you use a -different version some options can be different. - -.. Note:: - - The Menu System of the User Interface has been updated with sub items. - Where tabs are shown in screenshots, these are now likely visible as submenu. - ------------------------------- -Configuration in 10 easy steps ------------------------------- - -.. contents:: - :local: - -.. Warning:: - - During the configuration you will be asked to "Apply" your changes several times, - however this may affect the current connection. So **don't** apply anything until - completely finished! You need to Save your changes for each step. + If a vlan trunk is used, you should always use a bare metal appliance, and preferably Intel network cards. + The native netmap driver used for IDS/IPS in combination with VLANs does not always work correctly with other vendors or + virtualized NICs. Please also ensure that only tagged frames are sent over this trunk. -1. Disable Outbound NAT rule generation +Configuration +============================ + +Our example appliance has 3 available network ports: + +- igc0: LAN (Bridge) +- igc1: WAN (Bridge) +- igc2: Management + +:: + + +-----------------+ +-----------------+ + Internet | | WAN (igc1) | (Bridge) | LAN (igc0) + -------->| ISP Router |---------------->| OPNsense |----------> Switch + | | trunk port | Firewall, IPS | trunk port + +-----------------+ +-----------------+ + | Management (igc2) + |-------------------> Switch + access port + + +.. Tip:: + + The management interface can either be directly connected to the ISP router on a separate port, + or to an internal switch on a VLAN that will circle back through the bridge. + + +1. Assign management interface --------------------------------------- -To disable outbound NAT, go to -:menuselection:`Firewall --> NAT --> Outbound` and select “Disable Outbound NAT rule generation”. +The management interface will be used to access the firewall WebGUI and to enable access +to the internet for firmware updates. + +- Go to :menuselection:`Interfaces --> Assignements` and `Assign a new interface`. + Select one of the free available ports (e.g. igc2) and assign it, set the description to `Management`. + +- Afterwards go to :menuselection:`Interfaces --> Management` and set `IPv4 Configuration Type` to `DHCP` or `Static IPv4` dependant on your usecase. + +Next we add a firewall rule to allow access to the WebGUI on this management interface: + +- Go to :menuselection:`Firewall --> Rules --> Management` and add a new rule that allows `HTTPS` access to destination `This Firewall`. + +After applying all of these settings, connect to your appliance over the management port for the next steps. -|Filtering Bridge Step 1.png| 2. Change system tuneables -------------------------- -Enable filtering bridge by changing **net.link.bridge.pfil\_bridge** -from default to 1 in :menuselection:`System --> Settings --> System Tuneables`. +Here we change that the firewall rules should match on the bridge, instead of the bridge members. -|Filtering Bridge Step 2.png| +- Go to :menuselection:`System --> Settings --> System Tuneables` and set: -And disable filtering on member interfaces by changing -**net.link.bridge.pfil\_member** from default to 0 in -:menuselection:`System --> Settings --> System Tuneables`. + - ``net.link.bridge.pfil_bridge`` - ``1`` + - ``net.link.bridge.pfil_member`` - ``0`` -|Filtering Bridge Step2a.png| 3. Create the bridge -------------------- -Create a bridge of LAN and WAN, go to -:menuselection:`Interfaces --> Devices --> Bridge`. Add Select LAN and WAN. +- Go to :menuselection:`Interfaces --> WAN` and :menuselection:`Interfaces --> LAN`: -|Filtering Bridge Step 3a.png| + - Set `IPv4 Configuration Type` and `IPv6 Configuration Type` to ``None`` + - Disable `Block private networks` and `Block bogon networks` -|Filtering Bridge Step 3b.png| +.. Attention:: -4. Assign a management IP/Interface ------------------------------------ + Disable any DHCP servers that are bound to the LAN interface. -To be able to configure and manage the filtering bridge (OPNsense) -afterwards, we will need to assign a new interface to the bridge and -setup an IP address. +- Go to :menuselection:`Interfaces --> Devices --> Bridge`: -Go to :menuselection:`Interfaces --> Assign --> Available network port`, select -the bridge from the list and hit **+**. + - Add a new bridge and select WAN and LAN as `Member interfaces` -|Filtering Bridge Step 4.png| +.. Attention:: -Now Add an IP address to the interface that you would like to use to -manage the bridge. Go to :menuselection:`Interfaces --> [OPT1]`, enable the interface -and fill-in the ip/netmask. + Do not select `Enable link-local address`, in this configuration the bridge interface + should stay unnumbered (no IP addresses or any vlans assigned to it or its member interfaces) -5. Disable Block private networks & bogon ------------------------------------------ +- Go to :menuselection:`Interfaces --> Assignements`: -For the WAN interface we nee to disable blocking of private networks & bogus IPs. + - Assign the new bridge interface, set the description to `Bridge` -Go to :menuselection:`Interfaces --> [WAN]` and unselect **Block private networks** -and **Block bogon networks**. +- Go to :menuselection:`Interfaces --> Bridge`: -|Filtering Bridge Step 5.png| + - Enable the bridge interface in the interface settings + - Set `IPv4 Configuration Type` and `IPv6 Configuration Type` on ``None`` -6. Disable the DHCP server on LAN ---------------------------------- -To disable the DHCP server on LAN go to :menuselection:`Services --> DHCPv4 --> [LAN]` and -unselect enable. +4. Add Firewall rules +---------------------------- -|Filtering Bridge Step 6.png| +- Go to :menuselection:`Firewall --> Rules --> Bridge`: -7. Add Allow rules -------------------- -After configuring the bridge the rules on member interfaces (WAN/LAN) will be -ignored. So you can skip this step. + - Add firewall rules on the bridge interface to allow all traffic (direction in and out) -Add the allow rules for all traffic on each of the three interfaces (WAN/LAN/OPT1). +.. Tip:: -This step is to ensure we have a full transparent bridge without any filtering -taking place. You can setup the correct rules when you have confirmed the bridge -to work properly. + You can create more restrictive rules if required. If only IDS/IPS should be used, + rules that allow any traffic are sufficient. Since the bridge is fully transparent and unnumbered, + no client can communicate with the firewall directly. -Go to :menuselection:`Firewall --> Rules` and add a rule per interface to allow all traffic -of any type. -|Filtering Bridge Step 7.png| +5. Enable IDS/IPS +---------------------------- -8. Disable Default Anti Lockout Rule ------------------------------------- -After configuring the bridge the rules on member interfaces (WAN/LAN) will be -ignored. So you can skip this step. +To inspect all bridge traffic, we can enable the `Intrusion Detection` service. -As we now have setup allow rules for each interface we can safely remove -the Anti Lockout rule on LAN +Go to :menuselection:`Services --> Intrusion Detection --> Administration --> General Settings` -Go to :menuselection:`Firewall --> Settings --> Admin Access`: Anti-lockout and select -this option to disable +================================ ======================================================================================== +Option Description +================================ ======================================================================================== +Enabled ``X`` +IPS mode ``X`` +Promiscuous mode ``X`` (if vlan tagged frames are received on bridge members) +Interfaces ``WAN`` +================================ ======================================================================================== -9. Set LAN and WAN interface type to 'none' -------------------------------------------- +Afterwards download and activate the rules that you need and apply the configuration. -Now remove the IP subnets in use for LAN and WAN by changing the -interface type to none. Go to :menuselection:`Interfaces --> [LAN]` and :menuselection:`Interfaces --> [WAN]` -to do so. +.. Attention:: -|Filtering Bridge Step 9.png| + Do not choose the bridge interface, always choose the WAN interface. The emulated netmap driver cannot process vlans on the bridge, + it must attach in native mode to the physical interface. -10. Now apply the changes -------------------------- -If you followed each step, then you can now apply the changes. The -Firewall is now converted to a filtering bridge. +6. Connect interfaces to existing infrastructure +-------------------------------------------------------- -.. rubric:: Done.. ready to set your own filtering rules - :name: done..-ready-to-set-your-own-filtering-rules +Now you can connect the bridge member interfaces to their respective switch or router. -Now you can create the correct firewall/filter rules and apply them. To -acces the firewall you need to use the IP adress you configured for the -OPT1 Interface. +WAN should be connected to a trunk port on the WAN facing side, and LAN to a trunk port on the internal protected side. -.. WARNING:: - - Rules need to be configured on the bridge. Rules on member interfaces will - be ignored! - -.. TIP:: - - Don't forget to make sure your PC/Laptop is configured with an IP adress that - falls within the IP range of the OPT1 subnet! - -.. |Filtering Bridge Step 1.png| image:: images/Filtering_Bridge_Step_1.png - :width: 700px -.. |Filtering Bridge Step 2.png| image:: images/Filtering_Bridge_Step_2.png - :class: thumbimage - :width: 700px -.. |Filtering Bridge Step2a.png| image:: images/Filtering_Bridge_Step_2a.png - :class: thumbimage - :width: 700px -.. |Filtering Bridge Step 3a.png| image:: images/Filtering_Bridge_Step_3a.png - :width: 700px -.. |Filtering Bridge Step 3b.png| image:: images/Filtering_Bridge_Step_3b.png - :width: 700px -.. |Filtering Bridge Step 4.png| image:: images/Filtering_Bridge_Step_4.png - :width: 700px -.. |Filtering Bridge Step 5.png| image:: images/Filtering_Bridge_Step_5.png - :width: 700px -.. |Filtering Bridge Step 6.png| image:: images/Filtering_Bridge_Step_6.png - :width: 619px -.. |Filtering Bridge Step 7.png| image:: images/Filtering_Bridge_Step_7.png - :width: 700px - :height: 69px -.. |Filtering Bridge Step 9.png| image:: images/Filtering_Bridge_Step_9.png - :width: 700px +The firewall will be able to connect to the internet to fetch the latest updates via the management port.