I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a Thinkcentre 720q. The Proxmox host has 3 network interfaces.

  • A dual NIC gigabit card where one interface is for WAN and the other for LAN, say eth1 and eth2
  • Another interface which came with the PC itself, say eth3

PS: I also have a switch for all my other devices.

After some research, I have understood that

  1. Passing (pass-through) the NIC to the OPNsense VM is better for performance
  2. Passing it through removes the interface from the host OS
  3. If passing is not done correctly, you may lose access to Proxmox.

My questions are

  1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
  2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
  3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
  4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for special purpose (a dedicated management port which will work even if OPNsense is down)?
  5. If I use point #4, my switch will have two ethernet connections from the proxmox host. Will this cause loops and kill my network?

You can answer this selectively by mentioning the question number.

If you have a better idea regarding how to set up OPNsense on Proxmox, please share.

Edit #1: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions

  1. I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
  2. I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
  3. I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
  4. I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information

Edit #2: Thank you for sharing your experience with Proxmox and OPNsense. I’m still reading and re-reading all of your comments to check if I have missed anything.

I have made a small mistake of not ordering the dual NIC + angled riser card before the host arrived, so my host is currently idle. When it arrives, and I manage to set it up, I will make a new post and share what I’ve learnt.

Thank you again!

  • glizzyguzzler@piefed.blahaj.zone · 4 upvotes · 23 hours ago

    I have this setup. Upfront, I would not recommend Proxmox, the update methods are annoying. The better way is straight Debian with Incus installed, then you get straightforward stable Debian updates automatically - they won’t break anything and you’re secure. Sometime I’ll redo it - I haven’t because, of course, it is my router and when it’s down I don’t have internet! So foreboding and on the back burner.

    Also, Proxmox’s GUI leaves a lot to be desired (for me, it looks like ass and is confusing), Incus is nicer for VM control and Cockpit is nicer for host control. After typing all that I realize I’m a hater at this point.

    I haven’t really noticed downtime issues cause of Proxmox updates cause I just do it when nothing is happening. And Proxmox hasn’t bricked itself, though I am wary of it because that has happened to others due to their rolling release update style.

    I’ve got a Dell Wyse 5070 Extended with a 2 port Intel NIC in it. I pass both ports through leaving the built-in port for managing Proxmox.

    Here are my notes:

    Set NIC PCIe Passthrough for Network Card

    nano /etc/default/grub

    • Edit this line by adding intel_iommu=on to get

    GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"

    update-grub

    nano /etc/modules

    • Add these lines
    vfio
    vfio_iommu_type1
    vfio_pci
    vfio_virqfd

    update-initramfs -u -k all

    reboot

    Click on 2nd level thing named router on the left side vertical bar hierarchy thing and then click in the top right the blue Create VM button.

    • General tab
      • Name: OPNsense
      • Start at boot: checked
      • Start/Shutdown order: 1
      • Startup delay: 15
    • OS tab
      • Use media: DVD version (usb might work) of OPNsense.iso
    • System tab
      • Machine: q35
      • Bios: OVMF (UEFI)
        • Storage: local-lvm
        • UNCHECK Pre-enroll Keys (HATE)
    • Hard Disk tab
      • Disk size (GiB): 15
      • Discard: checked
      • SSD emulation: checked
    • CPU tab
      • Cores: 4
      • Type: host {makes it not moveable between diff CPU types but will theoretically allow for more speed}
    • Memory tab
      • Memory (MiB): 2048
      • Minimum memory (MiB): 512
    • Network tab
      • No network device: checked
    • Confirm tab
      • Do not start on creation
    • After creation, go to Hardware tab in the 2nd left vertical list on the browser page and click add
    • Click PCI Device
      • Device: ...01:00.0 I350 Gigabit... & ...01:00.1 I350 Gigabit... (1st & 2nd ones)
      • PCI-Express: checked

    Go to the Console tab in the 2nd left vertical list on the browser page and hit enter to get to a command line in the OPNsense VM

    !Add expand storage via command line!

    And lastly, during setup I have these notes

    It will choose wrong (WAN gets igb1 and LAN gets igb0 -> we want WAN gets igb0 and LAN gets igb1)
    Default User: root, PW: opnsense (they don't tell you anywhere, you don't have internet b/c this is your new router, fuck em)
    **Access at 192.168.1.1 via plugging an ethernet cable into the 1st port in a set of forwarded ports**
    *Note that we will move it so the 1st port is the WAN (can't access OPNsense from the WAN port for safety), so after following this you access via 2nd port*

    So watch out for those things. Not sure quite what I mean by the 1st and 2nd port things, may be related to on setup it had the order of the ports I wanted wrong so they’re switched till setup is complete and it reboots.

    I don’t remember doing this at this point, but maybe this info dump will help!
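The host-side steps from the notes above (IOMMU on the kernel command line, vfio modules, leaving the built-in port to the host for management, passing the two ports of one card to the VM), written up as an added shell example that is not from the post or from Proxmox itself. Every function takes a root path, so the script exercises itself against a constructed fake filesystem tree and never touches a live host; the interface name eth3, the 192.168.1.2/24 management address, and the PCI addresses and IOMMU group numbers in the fixture are all assumptions. Two things it adds to the notes: it checks that the IOMMU group of the card you are passing through holds nothing but that card (the VM gets DMA reach over the whole group, so a group shared with host devices is not safe to hand over), and the management bridge it writes contains only the built-in port, so the host never bridges the two links that reach the switch, which is what a loop would require. vfio_virqfd is left out because on the 6.x kernels that Proxmox 8 uses it has been folded into vfio; add it back on older kernels.

```shell
#!/bin/sh
# Added example, not code from the post above. Prepares a Proxmox host for
# passing a dual-port NIC to an OPNsense VM and keeps the built-in port as a
# host-only management bridge. Every function takes a root path so it can run
# against the constructed fixture built by make_fixture instead of the live
# host; on a real host use "/" and then run update-grub,
# update-initramfs -u -k all and reboot, as in the notes above.
set -eu

# Put intel_iommu=on (and iommu=pt) on the kernel command line, exactly once.
# Prints the resulting GRUB_CMDLINE_LINUX_DEFAULT line.
ensure_iommu_cmdline() {
    f="$1/etc/default/grub"
    if ! grep -q 'intel_iommu=on' "$f"; then
        sed 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 intel_iommu=on iommu=pt"/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f"
}

# Load the vfio modules at boot without duplicating lines already present.
# vfio_virqfd is omitted: it is part of vfio on the 6.x kernels Proxmox 8 ships.
# Prints how many vfio* lines the file ends up with.
ensure_vfio_modules() {
    f="$1/etc/modules"
    for m in vfio vfio_iommu_type1 vfio_pci; do
        grep -qx "$m" "$f" || echo "$m" >> "$f"
    done
    grep -c '^vfio' "$f"
}

# Management bridge on the built-in NIC only (the OP's eth3). The two ports that
# will be passed through are deliberately absent: a passed-through device must
# not be a bridge member on the host. Address and NIC name are assumptions.
# Prints the number of "auto" stanzas written.
write_mgmt_bridge() {
    cat > "$1/etc/network/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports eth3
    bridge-stp off
    bridge-fd 0
EOF
    grep -c '^auto ' "$1/etc/network/interfaces"
}

# Every device sharing an IOMMU group with $2 (a PCI address like 0000:01:00.0),
# read the way the kernel exposes it under sysfs.
iommu_group_members() {
    grp=$(basename "$(readlink -f "$1/sys/bus/pci/devices/$2/iommu_group")")
    ls "$1/sys/kernel/iommu_groups/$grp/devices"
}

# Succeeds only if the group of the first listed device contains exactly the
# devices listed, i.e. nothing but the functions you intend to hand to the VM.
group_is_isolated() {
    root=$1; shift
    members=$(iommu_group_members "$root" "$1" | sort | tr '\n' ' ')
    wanted=$(printf '%s\n' "$@" | sort | tr '\n' ' ')
    [ "$members" = "$wanted" ]
}

# Constructed fixture: an I350 dual-port card alone in group 12, and a built-in
# NIC sharing group 13 with the audio controller (a common desktop layout).
make_fixture() {
    root=$1
    mkdir -p "$root/etc/default" "$root/etc/network" "$root/sys/bus/pci/devices"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$root/etc/default/grub"
    printf '# /etc/modules\nvfio\n' > "$root/etc/modules"
    for pair in 12:0000:01:00.0 12:0000:01:00.1 13:0000:00:1f.6 13:0000:00:1f.3; do
        grp=${pair%%:*}; dev=${pair#*:}
        mkdir -p "$root/sys/kernel/iommu_groups/$grp/devices/$dev" \
                 "$root/sys/bus/pci/devices/$dev"
        ln -s "../../../../kernel/iommu_groups/$grp" \
              "$root/sys/bus/pci/devices/$dev/iommu_group"
    done
}

# Stand-alone demo against the fixture.
demo=$(mktemp -d)
make_fixture "$demo"
ensure_iommu_cmdline "$demo"
ensure_vfio_modules "$demo" >/dev/null
write_mgmt_bridge "$demo" >/dev/null
if group_is_isolated "$demo" 0000:01:00.0 0000:01:00.1; then
    echo "I350 pair: isolated group, safe to pass through"
fi
if ! group_is_isolated "$demo" 0000:00:1f.6; then
    echo "built-in NIC shares its group with: $(iommu_group_members "$demo" 0000:00:1f.6 | tr '\n' ' ')"
fi
rm -rf "$demo"
```

On a real host, `group_is_isolated / 0000:01:00.0 0000:01:00.1` is the check to run before adding the two PCI devices to the VM; if it fails, the card sits behind a bridge or root port that shares its group, and moving it to another slot is the fix rather than forcing the matter.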