Transparent Filtering Bridge
Warning
The Transparent Filtering Bridge is not compatible with Traffic Shaping. Do not enable the traffic shaper when using the filtering bridge.
Abstract
A transparent firewall can be used to filter traffic without creating different subnets. This setup is called a filtering bridge because the firewall acts as a bridge connecting two interfaces and applies filtering rules on top of that bridge.
For more information on filtering bridges on FreeBSD, see filtering-bridges
Requirements
For this how-to we need a basic installation of OPNsense with factory defaults as a starting point, and an appliance with 2 physical interfaces.
Considerations
To create this how-to, OPNsense 15.7.11 was used. Some screenshots may be outdated, but the settings should apply up to at least 17.1.6. If you use a different version, some options may differ.
Note
The menu system of the user interface has been updated with sub items. Where tabs are shown in screenshots, these are now likely visible as submenu entries.
Configuration in 10 easy steps
Warning
During the configuration you will be asked to “Apply” your changes several times; however, applying may affect the current connection. So don’t apply anything until completely finished! You do need to Save your changes after each step.
1. Disable Outbound NAT rule generation
To disable outbound NAT, go to
and select “Disable Outbound NAT rule generation”.
2. Change system tunables
Enable filtering on the bridge by changing net.link.bridge.pfil_bridge from its default to 1 in
.
Then disable filtering on the member interfaces by changing net.link.bridge.pfil_member from its default to 0 in
.
4. Assign a management IP/Interface
To be able to configure and manage the filtering bridge (OPNsense) afterwards, we need to assign a new interface to the bridge and set up an IP address on it.
Go to
, select the bridge from the list and hit +.
Now add an IP address to the interface that you will use to manage the bridge. Go to
, enable the interface and fill in the IP address and netmask.
5. Disable Block private networks & bogon
For the WAN interface we need to disable the blocking of private networks and bogon networks. A transparent bridge normally sits inside an existing network, so traffic arriving on its WAN side may well come from private (RFC 1918) addresses, and these two rules would drop it.
Go to
and unselect Block private networks and Block bogon networks.
7. Add Allow rules
After configuring the bridge, rules on the member interfaces (WAN/LAN) are ignored (pfil_member is 0 since step 2), so the WAN and LAN rules in this step can be skipped; only the rule on the bridge interface (OPT1) takes effect.
Add allow rules for all traffic on each of the three interfaces (WAN/LAN/OPT1).
This step ensures we have a fully transparent bridge without any filtering taking place. You can set up the proper rules once you have confirmed that the bridge works.
Go to
and add a rule per interface to allow all traffic of any type.
8. Disable Default Anti Lockout Rule
After configuring the bridge, rules on the member interfaces (WAN/LAN) are ignored, so this step can be skipped.
As we have now set up allow rules for each interface, we can safely remove the Anti-Lockout rule on LAN.
Go to
: Anti-lockout and tick this option to disable the rule.
9. Set LAN and WAN interface type to ‘none’
Now remove the IP subnets in use for LAN and WAN by changing the interface type to none. Go to
and to do so.
10. Now apply the changes
If you followed each step, you can now apply the changes. The firewall is now converted to a filtering bridge.
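To confirm the result of step 2 and the bridge membership once everything has been applied, the following shell script is an added example; it is not part of this how-to or of OPNsense itself. Run it with --live from the console shell of the firewall to query sysctl and ifconfig directly. The sysctl and ifconfig output embedded in it is constructed sample data, and the bridge interface name bridge0 is an assumption (override it with the BRIDGE_IF variable).

```shell
#!/bin/sh
# Added example, not from the OPNsense docs: post-configuration sanity checks for
# a transparent filtering bridge. Sample outputs below are constructed, not captured.

# Reads "name: value" lines as printed by FreeBSD sysctl(8) on stdin.
# Returns 0 only if filtering happens on the bridge (pfil_bridge=1) and not on
# the member interfaces (pfil_member=0); any other combination returns 1.
check_bridge_filtering() {
    awk -F': ' '
        $1 == "net.link.bridge.pfil_bridge" { b = $2 }
        $1 == "net.link.bridge.pfil_member" { m = $2 }
        END {
            if (b == "" || m == "") {
                print "ERROR: bridge tunables not found in input"; exit 1
            }
            if (b == "1" && m == "0") {
                print "OK: filtering on the bridge, member interfaces unfiltered"; exit 0
            }
            print "WRONG: pfil_bridge=" b " pfil_member=" m \
                  " (expected pfil_bridge=1, pfil_member=0)"
            exit 1
        }'
}

# Reads ifconfig(8) output for a bridge interface on stdin and prints the
# number of "member:" lines, i.e. how many interfaces are attached to it.
bridge_member_count() {
    awk '$1 == "member:" { n++ } END { print n + 0 }'
}

# Live checks for a FreeBSD/OPNsense console shell. bridge0 is an assumed name.
BRIDGE_IF=${BRIDGE_IF:-bridge0}
live_check() {
    sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member | check_bridge_filtering
    members=$(ifconfig "$BRIDGE_IF" | bridge_member_count)
    echo "$BRIDGE_IF has $members member interface(s); expected 2 (WAN and LAN)"
    [ "$members" -eq 2 ]
}

# Constructed sample inputs in FreeBSD output format (not real captures).
SAMPLE_TUNABLES_OK='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0'
# FreeBSD defaults: filter on the members, not on the bridge.
SAMPLE_TUNABLES_DEFAULT='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# `sh bridge_check.sh --live` on the firewall; without the flag the constructed
# samples are checked so the script can be tried anywhere.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_TUNABLES_OK" | check_bridge_filtering
    printf '%s\n' "$SAMPLE_TUNABLES_DEFAULT" | check_bridge_filtering \
        || echo "(expected: the FreeBSD defaults filter on the members, not the bridge)"
    printf 'sample bridge0 has %s member interface(s)\n' \
        "$(printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_member_count)"
fi
```

If the tunables check reports the FreeBSD defaults on a live system, step 2 was saved but not applied, or a reboot has reverted it; if the member count is not 2, revisit the bridge assignment before trusting any rule on OPT1.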
Done, ready to set your own filtering rules
Now you can create the correct firewall/filter rules and apply them. To access the firewall you need to use the IP address you configured for the OPT1 (bridge) interface.
Warning
Rules need to be configured on the bridge. Rules on member interfaces will be ignored!
Tip
Don’t forget to make sure your PC/laptop is configured with an IP address that falls within the IP range of the OPT1 subnet!