Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see for further information on our EoS policy.

How to Configure Layer 3 Bridging

  • Last updated on

Layer 3 bridging is best used for client and server groups that include just a few clients that usually communicate with machines in their group. The bridge consists of two proxy ARPs and a firewall rule to pass traffic back and forth. If you want to bridge multiple clients, use a routed transparent Layer 2 bridge instead.

  • All network traffic is delivered using Layer 3 (routing) lookups.
  • All bridged network nodes must be entered into the configuration.
  • Bridging is NOT Layer 2 transparent; the source MAC is not propagated in connection requests.
  • Traffic between routed and bridged destinations is forwarded.
  • Bridged network nodes may (if allowed) locally communicate with the interface. 

Layer 3 bridging is appropriate, for example, when one PC in the network must be separated from the other clients and protected by the firewall. The PC that is to be singled out is placed in its own small network (e.g., and the firewall acts as a non-transparent translational bridge between the and the networks. The Barracuda NG Firewall will answer all ARP requests that are transmitted between the networks.



Before you Begin

Assign an IP address to each network interface of the Barracuda NG Firewall that you want to use for the bridge (Config > Full Config > Box > Virtual Servers > your virtual server > Server Properties).

Step 1. Create a Network Object for the client PC

Create a network object for the clients that should be bridged:

  1. Open the Forwarding Rules page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Firewall).
  2. Click Lock.
  3. Create a network object for the clients that must be bridged.
  4. In the IP/Ref table, add the IP address of the client:
  5. In the Bridging Parameters window, edit the following settings:
    • Interface Addresses Reside - Enter the network interface that points to the bridged clients. For example, enter eth1.
    • Parent Network - Enter the parent network address. E.g.,
    • Select the Introduce Routes and Restrict PARP to Parent Network check boxes. 
  6. Click OK.
  7. Click Send Changes and Activate.

You now have a network object for the client that you can use when creating the layer 3 bridge.

Step 2. Create Proxy ARP Objects

To make sure that ARP requests are answered on the interface for the new network, create a proxy ARP object for the bridging parent network and bridged clients.

  1. Open the Forwarding Rules page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Firewall).
  2. Click Lock.
  3. Create a proxy ARP object for the bridging parent network. E.g.,


  4. Create a proxy ARP object for the bridged client. E.g., (optional) Restrict the source IP addresses of the proxy ARP object to the bridging parent network.


  5. Click Send Changes and Activate.

You can now use the separated PC as if it were on the same network, except that the MAC address of the PC is replaced by the MAC address of the Barracuda NG Firewall when traffic traverses the bridge.
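
To verify the bridge from a Linux host on the parent network, the following added example (not part of the Barracuda documentation) parses `ip neigh show` output and checks that each bridged client resolves to the firewall's MAC address, as the proxy ARP objects should ensure. The addresses, the MAC values and the function names are constructed for illustration, and the check assumes the bridged client's IP address lies inside the parent network.

```python
import ipaddress

# Constructed sample of `ip neigh show` output from a host on the parent network.
# All addresses are made-up documentation values, not taken from the article.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.0.2.50 dev eth0 lladdr 02:00:00:00:00:01 STALE
192.0.2.51 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
192.0.2.52 dev eth0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac or None} from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        mac = None  # FAILED/INCOMPLETE entries carry no lladdr
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
        table[fields[0]] = mac
    return table

def check_bridge(neigh_text, firewall_mac, parent_net, bridged_clients):
    """Classify each bridged client as seen from the parent network."""
    table = parse_neigh(neigh_text)
    net = ipaddress.ip_network(parent_net)
    results = {}
    for ip in bridged_clients:
        if ipaddress.ip_address(ip) not in net:
            # Hosts only ARP for on-link addresses, so proxy ARP cannot apply.
            results[ip] = "outside-parent-network"
        elif table.get(ip) is None:
            results[ip] = "no-arp-reply"    # proxy ARP object missing or inactive
        elif table[ip] == firewall_mac.lower():
            results[ip] = "ok"              # firewall answers on behalf of the client
        else:
            results[ip] = "unexpected-mac"  # another device answers for this IP
    return results

if __name__ == "__main__":
    clients = ["192.0.2.50", "192.0.2.51", "192.0.2.52", "198.51.100.7"]
    report = check_bridge(SAMPLE_NEIGH, "02:00:00:00:00:01", "192.0.2.0/24", clients)
    for ip, status in report.items():
        print(ip, status)
```

An `unexpected-mac` result means something other than the firewall is answering ARP for a bridged address, which points to a wiring or configuration error, or to ARP spoofing on the segment.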
