I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a Thinkcentre 720q. The Proxmox host has 3 network interfaces.

  • A dual NIC gigabit card where one interface is for WAN and the other for LAN, say eth1 and eth2
  • Another interface which came with the PC itself, say eth3

PS: I also have a switch for all my other devices.

After some research, I have understood that

  1. Passing (pass-through) the NIC to the OPNsense VM is better for performance
  2. Passing it through removes the interface from the host OS
  3. If passing is not done correctly, you may lose access to Proxmox.

My questions are

  1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
  2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me a symmetrical 320 Mbps link speed.)
  3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
  4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for a special purpose (a dedicated management port which will work even if OPNsense is down)?
  5. If I use point #4, my switch will have two Ethernet connections from the Proxmox host. Will this cause loops and kill my network?

You can answer this selectively by mentioning the question number.

If you have a better idea regarding how to set up OPNsense on Proxmox, please share.

Edit #1: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions

  1. I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
  2. I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
  3. I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
  4. I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information.

Edit #2: Thank you for sharing your experience with Proxmox and OPNsense. I’m still reading and re-reading all of your comments to check if I have missed anything.

I have made a small mistake of not ordering the dual NIC + angled riser card before the host arrived, so my host is currently idle. When it arrives, and I manage to set it up, I will make a new post and share what I’ve learnt.

Thank you again!
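The layout the questions describe, written as a Proxmox /etc/network/interfaces fragment. This is an added example, not something from the thread or from the Proxmox or OPNsense projects. It takes the non-pass-through route (each NIC is a bridge port, so the host keeps the interfaces), which is what lets eth2 serve as both the OPNsense LAN port and the host's management path; the interface names eth1/eth2/eth3 are the post's placeholders, and the addresses are assumed (OPNsense LAN at 192.168.1.1, a separate subnet for the out-of-band port).

```conf
# /etc/network/interfaces on the Proxmox host (added example; names and addresses are assumptions)

auto lo
iface lo inet loopback

# Physical NICs carry no host address; they are only bridge members.
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual

# WAN bridge: eth1 faces the ISP. Deliberately no host IP here, so the
# Proxmox host itself is never reachable from the WAN side; only the
# OPNsense VM (net0 -> vmbr0) is attached to it.
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0

# LAN bridge: eth2 goes to the switch. The OPNsense VM's LAN NIC
# (net1 -> vmbr1) and the host's management address share this bridge,
# which is how eth2 is "the LAN port" and the Proxmox login at once.
# The gateway is the OPNsense LAN address, so the host reaches the
# internet only while the firewall VM is running.
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports eth2
    bridge-stp off
    bridge-fd 0

# Out-of-band management: eth3 on its own bridge with no gateway, on a
# different subnet from vmbr1. No VM is attached to it, so nothing on
# the host forwards frames between vmbr1 and vmbr2 and the two cables
# to the same switch do not form a loop. Keeping the management IP on
# an interface that stays with the host is also the safeguard against
# losing the Proxmox UI if a later PCI pass-through takes eth2 away.
auto vmbr2
iface vmbr2 inet static
    address 10.10.10.2/24
    bridge-ports eth3
    bridge-stp off
    bridge-fd 0
```

A workstation plugged into the switch with a second address in 10.10.10.0/24 can reach the Proxmox UI on 10.10.10.2:8006 even while OPNsense is down; if eth3 should instead be completely isolated from the LAN, put it on a separate switch or an untagged port in its own VLAN rather than sharing the flat segment.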

  • Analog@lemmy.ml · 5 hours ago

    Fully support using opnsense buuut pfsense has a good guide for doing this exact thing. It works really well.

    https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

    People recommending against proxmox don’t understand how good zfs is, but their points are valid for this being a sole point of failure. I virtualize pfsense to gain cluster advantages but tend to leave not too much else on that box.

    If you don’t pass through the card the VM can more easily be restored to dissimilar hardware. But those ports are dedicated to the pfsense/opnsense VM, leaving the single free port for proxmox management and VMs. I would enable VLANs for network segments but if you either don’t have switches that support tags or are new to all of this it’s going to be WAY less headache to just use it all untagged for now. (Spend time on funner things, seriously!)

    • HiTekRedNek@lemmy.world · 1 hour ago

      Or maybe they do understand how good ZFS is, and since OPNsense is FreeBSD based, they use ZFS IN OPNsense.

      OPNsense can make snapshots and restore them native from right inside the UI.

      Which someone who used it should know.

    • xavier666@lemmy.umucat.day (OP) · 4 hours ago

      > I would enable VLANs for network segments but if you either don’t have switches that support tags or are new to all of this it’s going to be WAY less headache to just use it all untagged for now. (Spend time on funner things, seriously!)

      Setting up VLANs will be my next project :D. Right now, my goal is to get this thing working.

      I have messed up my timings a bit, so the dual NIC card is on the way from Amazon. I’ll post my results up here once it arrives.