We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure Layer 2 Bridging

  • Last updated on

When performing layer 2 bridging the Barracuda NG Firewall will be completely transparent to the user. The interface is not assigned an IP address and can not be directly contacted by the user in the bridged networks. Traffic passing through the layer 2 bridge will retain it's original MAC address with the bridge acting as a proxy ARP in the middle. Since the bridged network interface do not have an IP address you will need to use a separate interface to locally administer the Barracuda NG Firewall. You can define multiple bridging groups on one interface. Traffic between the interface groups is forwarded on layer 3. Define a pass and a broad-multicast firewall rule for each bridge interface group.

The bridge can only be used for IP based protocols.


In this article:

Step 1. Configure Transparent Layer 2 Bridging

To configure transparent Layer 2 bridging, complete the following steps:

  1. Open the Firewall Forwarding Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Firewall).
  2. In the left navigation pane, select Layer 2 Bridging.
  3. Click Lock.

  4. In the Bridged Interface Group table, click + to add an entry. For each interface group, you can edit the following settings:

    • Bridged Interfaces – Add all interfaces to be bridged together in this group. For each interface enter the following settings:
      • Name –The exact network interface label, as listed in the network configuration. E.g., eth1
      • Allowed Networks (ACL) – Always add to allow ARP requests and other networks that are allowed to communicate over the bridged interface. You can enter complete networks, individual client/server IP addresses, or network ranges.
      • Unrestricted MACs – List of MAC address for which the Allowed Networks (ACL) does not apply.
      • MAC Change Policy – Select Allow–MAC–Change to permit the MAC address of the interface to be changed, otherwise select Deny-MAC-Change.
    • Use IP BARP Entries –  Select yes if the Barracuda NG Firewall must learn the MAC addresses from IP and ARP traffic and record IP addresses that are assigned to a specific MAC address in a separate table. If there are a very large number of IP addresses in a specific network segment, select no to keep the ARP table from being overrun


  5. Click OK.
  6. Click Send Changes and Activate.

Step 2. Create Firewall Rules for Layer 2 Bridging

To allow network traffic to pass between the bridged interfaces, create Pass and Broad-Multicast firewall rule for every bridged interface group.

  1. Open the Forwarding Rules page (Config > Full Config > Box > Virtual Servers >  your virtual server>Assigned Services > Firewall).
  2. Click Lock.
  3. Create a Pass firewall rule with the following settings:
    • Bi–Directional – Yes
    • Source – Select Any (
    • Service – Select Any.
    • Destination – Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., and
    • Connection Method – Select No SNAT.
  4. Create a Broad–Multicast firewall rule with the following settings:
    • Source – Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., and
    • Service Select Any.
    • Connection Method – Select No SNAT.
    • Destination –Enter the destination networks/IP addresses. E.g.,

      To use a DHCP server over the layer 2 bridge, also add to the source and to the destination IP addresses.

  5. Rearrange the order of the firewall rules so the new rules can match incoming traffic.
  6. Click Send Changes and Activate.

Last updated on