Using OPNsense Firewall by assigning two interfaces on the same LAN network.

Subject: Using the open source OPNsense firewall with two LAN switches by configuring two firewall interfaces to serve the same LAN network.

Version: v001

Author: BUGRA GUMUS (bgumus@silvercloudsts.com)

Topology:

My customer was using a FortiGate 30D with two switches and 4 access points. The FortiGate interfaces were configured as switch ports, with each pair of interfaces serving the same VLAN. One pair of interfaces was on the LAN network (called the administration LAN) and the other pair was on the USER network (called the USER LAN).

The diagram is below.

Topology

Why we did it:

The customer was paying $600 per year for the licenses and needed a bigger firewall, because they have 40 end users and a lot of IoT devices, the number of end-user devices is growing, and the existing firewall was not able to handle the traffic; they had disabled all security features just to handle the traffic of 40 end users.

Having a bigger FortiGate would cause extra cost for them. I like Fortinet and Palo Alto firewalls for enterprise customers, but for these kinds of price-oriented customers these firewalls become costly. So we decided to install OPNsense here. We found out that OPNsense has a Next Generation Firewall module for web site control and Application Control. In addition, DHCP Server, FreeRADIUS, Suricata IPS, OpenVPN and Netflow are other nice features I plan to use for this project.

But the challenge was that OPNsense does not directly support putting two interfaces under the same VLAN the way we do on Layer 3 switches and FortiGate firewalls. I searched the Internet and found a useful article for that; it is almost exactly the way I had in mind: https://github.com/opnsense/docs/blob/77fd7b8b7a844092fbff832f28a1f26574a23d65/source/manual/how-tos/lan_bridge.rst . There are 6 steps there and you should follow each of them to make the bridged interface work as described above.

Configuration Steps:

By following these steps I configured the OPNsense firewall and it worked fine. First I created the bridge interfaces; you can do it under the menu Interfaces -> Other Types -> Bridge and press the +ADD button in the top right corner.

But first create the bridge on the interface you don't manage from. After it works and you have assigned an IP address, enable management on that new bridge interface, then access the firewall from the new bridged interface and do the same configuration on the Admin LAN. This is because OPNsense doesn't carry firewall rules from the member interface over to its bridge interface automatically.


To assign an IP address, follow Interfaces -> LAN (bridged interface name) and configure the interface by selecting the Static IP option in the IPv4 configuration field.


Don't forget to set the tunable settings.


Then configure and apply the rules as you wish in the Firewall section of the menu.


I have been investigating this config for a while to see whether it causes any security gap on the network. So far I haven't found any issue. With nmap and other tools on Kali Linux I am scanning ports and testing Suricata IPS to check whether the member interfaces miss anything behind them, because I want to be sure that when I apply the rules to the bridge interface, the rules work as expected for all member interfaces.

But I found out that the automatic anti-lockout rules under the first assigned LAN member interface (the physical interface) weren't moved to its bridged interface. Can it be an issue here? I don't know yet. https://forum.opnsense.org/index.php?topic=6593.0 I think it will not be an issue. Maybe I should disable the anti-lockout rule after I have created the firewall access rules. If you have any idea please share with me. I couldn't be sure about that.
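The how-to linked above has the filtering decision made on the bridge interface rather than on its members by setting the FreeBSD sysctls net.link.bridge.pfil_member to 0 and net.link.bridge.pfil_bridge to 1 (the article itself does not name the tunables). The following check is an added example, not part of the original article: it parses sysctl output and flags a bridge whose rules would not be enforced for all member ports; the sample outputs are constructed.

```sh
#!/bin/sh
# Added example (not from the article): verify that the OPNsense/FreeBSD bridge
# tunables make pf filter on the bridge interface, not on each member NIC.
# Expected values per the OPNsense LAN-bridge how-to: pfil_member=0, pfil_bridge=1.

# check_bridge_tunables MEMBER BRIDGE
# Prints a verdict and returns 0 only when both values are as expected.
check_bridge_tunables() {
    member="$1"
    bridge="$2"
    status=0
    if [ "$member" != "0" ]; then
        echo "WARN: net.link.bridge.pfil_member=$member (expected 0): rules are also evaluated per member NIC"
        status=1
    fi
    if [ "$bridge" != "1" ]; then
        echo "WARN: net.link.bridge.pfil_bridge=$bridge (expected 1): rules on the bridge interface are not enforced"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: filtering happens on the bridge interface for all member ports"
    fi
    return "$status"
}

# check_sysctl_output "TEXT"
# TEXT is "key: value" lines as printed by `sysctl net.link.bridge`; a missing
# key is reported as "missing" so it fails the check instead of passing silently.
check_sysctl_output() {
    out="$1"
    m=$(printf '%s\n' "$out" | awk -F': ' '$1=="net.link.bridge.pfil_member"{print $2}')
    b=$(printf '%s\n' "$out" | awk -F': ' '$1=="net.link.bridge.pfil_bridge"{print $2}')
    check_bridge_tunables "${m:-missing}" "${b:-missing}"
}

# Live use in a root shell on the firewall:
#   check_sysctl_output "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)"

# Constructed samples so the check can be exercised offline.
GOOD_SAMPLE='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'
BAD_SAMPLE='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
```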

Result:

For VPN I use OpenVPN, but IPsec and WireGuard are other options, and for security there are IDS modules, Suricata IPS, the Next Generation Firewall module and more. The customer doesn't pay a few thousand dollars per year for brand new firewalls, and they invested the budget saved on the firewall in the end-user devices: backup agents, AI-based anti-virus software, SIEM agents, Application Control and deployment agents, and e-mail security per end user. So the customer has powerful end-user protection plus acceptable network security with IPS, IDS, the Next Generation Firewall module, DNS filtering, VPN and other modules provided by OPNsense.

I will update the article if I see any issue with this topology on OPNSense.

These are not step-by-step configuration notes; this is just to inform you open source firewall admins that this topology has been working fine for weeks.

Bugra, thanks for sharing!
