Bridge mode or not?

I am not sure whether my idea of bridge mode is correct or not.
What I want to do is have two subnets (green & red) with a shared IP address range. That is, a PC on green sends a DHCP request through the firewall to my ISP modem.
I have set both red and green to “bridge” in the Zone Configuration screen - is this correct?

Maybe the other option would be to just allow DHCP request through a normal firewall.
Your suggestions will be appreciated.

The basic idea of a firewall is connecting (routing) two networks, with all traffic going through the firewall.
This means the two nets must be distinct. Also, bridging isn’t really what you want, because it lets some (all?) traffic bypass the firewall.
In IPFire terms your config would connect the insecure, untrusted WAN with the secure, trusted LAN directly. To accomplish this a switch would be sufficient.

Why should your LAN get the IPs from the modem (WAN)? IPFire manages the lease of IPs by its own DHCP server.

For further reading I recommend:

Of course all traffic should be going through the firewall, but I envisage a bridge as in the picture on the right -

image
Is this possible with IPfire?

Also - https://theinternetengineers.com/tech/bridging-vs-routing-firewalls/

I don’t know if it’s possible (with ipfire).
I cannot think of a situation where I would want that, so I haven’t tried.
I would just make ipfire handle DHCP requests, and have 2 subnets.

Can you tell me why this is interesting for you?

//Danjel

Hi @decibel

Having read up about bridging firewalls I believe that IPFire cannot provide this functionality. It could be set up to bridge the red and green interfaces and have one single subnet.
However as far as I can tell IPfire would only be acting as a switch between those interfaces and there would be no filtering occurring. Everything coming in on red would go out on green and vice versa which is not what you are looking for.

Either someone more knowledgeable on the details would need to confirm/deny the above or you could set up a system (virtual?) where you could test bridging two interfaces and then see if you can create firewall rules between those two zones. That is not something I have tried out myself as I need to use my IPFire system in routing mode.

It is not mentioned as an option in the wiki so I suspect it is probably not available or would need a lot of command line work which might need to be re-done after every Core Update.

I suspected that this would be a bit much but I had read that Sophos claimed to do it.
The reason I was wanting to do this was that I had an IPfire failure and it was going to take so long to fix that I came under pressure from SWMBO and I had to bypass the firewall and change all my subnet settings. I thought that if a “bridge mode” could have the same pool of subnet addresses on both sides of the FW, then patching it out would be a lot easier.
Thanks, guys.

Not entirely sure what you’re trying to do, but red should never be bridged. If you want to bridge two subnets then use green and blue.

So you are saying that the arrangement shown here on the right should never be used?
image

I believe that’s the message in the above responses from other forum members.

A firewall is a layer 3+ network appliance, its purpose being to accept or reject incoming and outgoing TCP/IP packets based on a set of defined rules.

A bridge is a layer 2 network appliance, its purpose being to pass on frames based on MAC address.

If you simply want to connect (bridge) two network segments then a bridge will do the job. Both sides of the bridge will need to exist in a single subnet.

To connect two subnets you do this with a layer 3+ appliance such as a router or firewall. In this scenario the TCP/IP packets can be inspected and rules applied, due to TCP/IP being a layer 3 protocol.

R
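To make the layer 2 / layer 3 distinction above concrete, here is a small constructed model (added here as an example; it is not IPFire code and the zone names, subnets and rules are made up): a learning bridge forwards purely on MAC addresses and never reads IP headers, while a routing firewall demands non-overlapping subnets per zone and only then applies IP/port rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model, not IPFire code: a layer-2 bridge forwards on MAC addresses
# and never reads IP headers; a layer-3 firewall routes between distinct subnets
# and can accept or drop IP packets by rule. Zone names and rules are made up.

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int

class LearningBridge:
    """Layer 2: learn source MAC -> port, forward by destination MAC, else flood."""
    def __init__(self):
        self.mac_table = {}

    def handle(self, frame, in_port):
        self.mac_table[frame.src_mac] = in_port
        # IP addresses and ports are never consulted: no filtering happens here
        return self.mac_table.get(frame.dst_mac, "flood")

class RoutingFirewall:
    """Layer 3: one distinct subnet per zone; rules match on zone and TCP port."""
    def __init__(self, zones, rules):
        self.zones = {z: ipaddress.ip_network(n) for z, n in zones.items()}
        nets = list(self.zones.values())
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):  # the "same range on both sides" layout cannot be routed
                    raise ValueError(f"zones overlap: {a} and {b}")
        self.rules = rules  # (src_zone, dst_zone, dport or None, "accept"/"drop")

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((z for z, n in self.zones.items() if addr in n), None)

    def handle(self, frame, in_port):
        src, dst = self.zone_of(frame.src_ip), self.zone_of(frame.dst_ip)
        if dst is None or src != in_port:
            return "drop"  # no route, or packet arrived on the wrong zone (anti-spoofing)
        for rs, rd, port, action in self.rules:
            if (rs, rd) == (src, dst) and port in (None, frame.dport):
                return dst if action == "accept" else "drop"
        return "drop"  # default deny between zones
```

Constructing the firewall with the same prefix on two zones raises an error, which is exactly the configuration the thread's original poster was after.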

Apparently you can also have a Bridging Firewall or Transparent Firewall which checks packets against rules but does no routing so no subnet changes.

IPFire is not one of those systems.

A bridging firewall does just sort of a ‘switching job’. This means you do not have to send traffic through it to communicate within the network it is part of.
A firewall of the IPFire class separates different networks. By concept you must use it to communicate with the other network(s).
IMO there is no need to let the WAN access my LAN(s).

That picture is too tiny to read. Do you have a larger copy?

Perhaps these articles explain it better than me -

What Is a Transparent Firewall? | Fortinet.

Now it may be that IPFire cannot support this mode, but if so, why is it in the wiki and settable in the GUI?

Where is it defined in the wiki and how can it be set in the WUI?

Both articles are about bridging interfaces, not networks.

Aaah, yes. The end of that dream.
I have a trial system set up using SophosXG which does do the bridging of networks but it is not as nice as IPfire for most of what I like.
Back to square 1.

Do you need network bridging (the less secure solution)? Why and what for?

I need / want to have a single IP address range which I cannot do without network bridging.
As for security, I presume you are saying that it is less secure because there will be no NATting done by the Firewall - that is true, but my NATting will be done by the ISP’s modem instead.

Then why not just have all your devices behind the firewall in two separate subnets?

IPFire can then filter traffic between the internal subnets based on IP addressing.