OPNSense - Bridging LAN ports

By default, for every interface/port added into OPNSense, they will be isolated from each other, hence, each port has it's own subnet. For example, eth1 has a gateway @ 192.168.18.1 while eth2 has a gateway @ 192.168.19.1

So in this post, we will bridge all the LAN ports together and shared a single gateway 192.168.18.1 just like a typical consumer router off the shelf.

OPNSense machine with 6 ethernet ports labelled

Before we begin, it will be helpful to visit one of the earlier post whereby the OPNSense was installed from scratch.

So we will assumed the following state:

OPNSense installed
- eth0 as WAN
- eth1 as LAN @ 192.168.1.1 (default)
Add the remaining interfaces (eth2, eth3, eth4 and eth5) are added and ENABLED without any further configuration as shown below

Click Interfaces -> Other Types -> Bridge -> + icon

Select eth2, eth3, eth4 and eth5 and click Save
Skip eth1 (for now) as we need the interface to continue configuring the OPNSense @ 192.168.1.1

Click Interfaces -> Assignment -> Add -> click Save

Click Interfaces -> OPT5 -> check "Enable Interface" box -> rename description -> Select "Static IPv4" -> set IPv4 address @ 192.168.18.1/24 -> Click Save
Finally click Apply changes @ top right hand corner (not shown below)

Click Services -> ISC DHCPv4 -> BridgeLAN
- Check "Enable DHCP server on the BridgeLAN interface"
- Key in the IP range from 192.168.18.10 - 192.168.18.254
  - Start from 10 to reserve some IPs for static purposes (e.g. 192.168.18.9)
- Click Save
- Click restart DHCP at top right hand corner

Click Firewall -> Rules -> BridgeLAN -> + icon

Leave all settings @ default and click Save
Click Apply changes @ top right hand corner (not shown below)

A single firewall rule has been created for BridgeLAN (for internet purposes)
Click + icon to create another rule

Select "BridgeLAN" for interface
Select "BridgeLAN net" for both source and destination
Click Save and Apply changes (not shown below)

Finally, 2 firewall rules (internet & intranet) have been created for BridgeLAN

Click System -> Settings -> Tunables
Using your browser "Ctrl+F" to search for "bridge"

Type a value "1" (default: 0) and click Save

OPNSense tunables enable filtering on bridge interface

Type a value "0" (default: 1) and click Save
Click Apply changes @ top right hand corner (not shown below)

OPNSense tunables disable filtering on bridge members interface

We have now setup a bridge with eth2, eth3, eth4 and eth5 included and configuration (interface enabled, DHCP, firewall & tunables) have been configured.

Now is the time to include the last eth1 which we are using to access the OPNSense WebGUI to perform the earlier configuration. Do note that, you will lose assess to the WebGUI due to a change in gateway from 192.168.1.1 to 192.168.18.1.

Click Services -> ISC DHCPv4 -> eth1 -> Uncheck "Enable DHCP" box
Click Save (not shown below)

Click Interfaces -> eth1 -> Select "None" @ IPv4 configuration type
Click Save and Apply changes at top-right hand corner (not shown below)

OPNSense disable static IPv4 at interface

Right at this moment, you will lose connection to the OPNSense WebGUI since DHCP and gateway IP have been removed for eth1.

You can plug into eth2 and access the OPNSense WebGUI via your browser @ 192.168.18.1 to finish up the remaining configuration.

Click Interfaces -> Other Types -> Bridge -> Edit icon

Select "eth1" to select (ensure there's a black tick beside it)
Click Save

Finally, all (except eth0 for WAN) interfaces/ports have been added into the BridgeLAN family

OPNSense summary of all interfaces at bridge

Testing the bridge interface

Below is a recommended testing matrix with a single connection:

Using the same ethernet port @ notebook (thus, same MAC address), you should get the same IP address (192.168.18.10) issued from the Bridge DHCP regardless which port you plug into the OPNSense machine