I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a Thinkcentre 720q. The proxmox host has 3 network interfaces.

  • A dual NIC gigabit card where one interface is for WAN and the other for LAN, say eth1 and eth2
  • Another interface which came with the PC itself, say eth3

PS: I also have a switch for all my other devices.

After some research, I have understood that

  1. Passing (pass-through) the NIC to the OPNsense VM is better for performance
  2. Passing it through removes the interface from the host OS
  3. If passing is not done correctly, you may lose access to Proxmox.

My questions are

  1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
  2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
  3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
  4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for a special purpose (a dedicated management port which will work even if OPNsense is down)?
  5. If I use point #4, my switch will have two ethernet connections from the proxmox host. Will this cause loops and kill my network?

You can answer this selectively by mentioning the question number.

If you have a better idea regarding how to set up OPNsense on Proxmox, please share.

Edit #1: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions

  1. I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
  2. I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
  3. I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
  4. I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information.

Edit #2: Thank you for sharing your experience with Proxmox and OPNsense. I’m still reading and re-reading all of your comments to check if I have missed anything.

I have made a small mistake of not ordering the dual NIC + angled riser card before the host arrived, so my host is currently idle. When it arrives, and I manage to set it up, I will make a new post and share what I’ve learnt.

Thank you again!

  • HiTekRedNek@lemmy.world · 1 up · 4 minutes ago

    My OPNsense setup is on bare metal. It’s a Sophos SG135 rev 2 with 6GB of RAM and a 64GB NVMe SSD.

    It can be upgraded to 16GB, but isn’t nice for my setup.

    I don’t use Proxmox, but I do make extensive use of ZFS across most of my entire homelab.

    My NAS/Media server has 48T of spinning SAS3 drives, runs FreeBSD 15.1, and has a BhyVE VM running Alpine Linux and docker for the 1 or 2 services I use that simply won’t run easily on FreeBSD.

    I run most of the rest of my services in jails on that host. Jails are what Linux’s entire container subsystem is based on, having been around for 26 years now. Yes, FreeBSD’s jail system was introduced in 2000.

    I have a raspi 5 running Raspbian, with Adguard Home, and audiomuse-ai on it.

    And a Lenovo M700 Tiny running Home Assistant.

    Tying it all together is a managed Brocade/Ruckus switch in layer 3 routing mode, handling all routing, VLANs, subnets, etc…

    I had a Linux box with two 10Mbps NICs in it in the mid to early 2000s doing NAT so I could share the cable modem connection to my wife’s computer back when you were only allowed to have a single machine connected to the Internet at home.

    I say all that to lay out my experience level.

    With all that said, you can virtualize your primary router if you like. Personally, I’d rather that system-critical piece of equipment be fully isolated from any possible virtualization shenanigans.

    Not to mention what happens when you fiddle with your Proxmox setup too much and oops, you have no Internet now.

    What happens when your main network goes down, and the only way you can access that Proxmox machine is over that network?

  • Analog@lemmy.ml · 2 up · 4 hours ago (edited)

    Fully support using opnsense buuut pfsense has a good guide for doing this exact thing. It works really well.

    https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

    People recommending against proxmox don’t understand how good zfs is, but their points are valid for this being a sole point of failure. I virtualize pfsense to gain cluster advantages but tend to leave not too much else on that box.

    If you don’t pass through the card the VM can more easily be restored to dissimilar hardware. But those ports are dedicated to the pfsense/opnsense VM, leaving the single free port for proxmox management and VMs. I would enable VLANs for network segments but if you either don’t have switches that support tags or are new to all of this it’s going to be WAY less headache to just use it all untagged for now. (Spend time on funner things, seriously!)

    • HiTekRedNek@lemmy.world · 1 up · 22 minutes ago

      Or maybe they do understand how good ZFS is, and since OPNsense is FreeBSD based, they use ZFS IN OPNsense.

      OPNsense can make snapshots and restore them native from right inside the UI.

      Which someone who used it should know.

    • xavier666@lemmy.umucat.day (OP) · 1 up · 3 hours ago

      I would enable VLANs for network segments but if you either don’t have switches that support tags or are new to all of this it’s going to be WAY less headache to just use it all untagged for now. (Spend time on funner things, seriously!)

      Setting up VLANs will be my next project :D . Right now, my goal is to get this thing working.

      I have messed up my timings a bit, so the dual NIC card is on the way from Amazon. I’ll post my results up here once it arrives.

  • Uncut_Lemon@lemmy.world · 2 up · 8 hours ago

    Have done something similar, you’ll discover the joy of having no internet while you do server maintenance, upgrades or disaster recovery and worst case, hardware failures.

    Having internet and filesharing on one nic means internet will suffer while the nic is saturated.

    Ensure your other VMs are adequately delayed at initial boot, as that can cause weird things that need DHCP to be available.

    Otherwise I never had an issue running the router as a VM.

    • xavier666@lemmy.umucat.day (OP) · 1 up · 3 hours ago

      Have done something similar, you’ll discover the joy of having no internet while you do server maintenance, upgrades or disaster recovery and worst case, hardware failures.

      I may purchase another lower powered device to prevent a single point of failure, but I want to get this thing working. Sorry, too excited with Proxmox now :D Also, in the worst case scenario, I’ll just use my current router while I manage my OPNsense.

  • Decronym@lemmy.decronym.xyz (bot) · 2 up · 15 minutes ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    • DHCP: Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
    • ISP: Internet Service Provider
    • NAS: Network-Attached Storage
    • NAT: Network Address Translation
    • NUC: Next Unit of Computing, brand of Intel small computers
    • PCIe: Peripheral Component Interconnect Express
    • SSD: Solid State Drive, mass storage
    • VPN: Virtual Private Network
    • ZFS: Solaris/Linux filesystem focusing on data integrity

    [Thread #39 for this comm, first seen 3rd Jul 2026, 11:10]

  • glizzyguzzler@piefed.blahaj.zone · 3 up · 22 hours ago

    I have this setup. Upfront, I would not recommend Proxmox, the update methods are annoying. The better way is straight Debian with Incus installed, then you get straightforward stable Debian updates automatically - they won’t break anything and you’re secure. Sometime I’ll redo it - I haven’t because, of course, it is my router and when it’s down I don’t have internet! So foreboding and on the back burner.

    Also also Proxmox’s GUI leaves a lot to be desired (for me, it looks like ass and is confusing), Incus is nicer for VM control and Cockpit is nicer for host control. After typing all that I realize I’m a hater at this point

    I haven’t really noticed downtime issues cause of Proxmox updates cause I just do it when nothing is happening. And Proxmox hasn’t bricked itself, though I am wary of it because that has happened to others due to their rolling release update style.

    I’ve got a Dell Wyse 5070 Extended with a 2 port Intel NIC in it. I pass both ports through leaving the built-in port for managing Proxmox.

    Here are my notes:

    Set NIC PCIe Passthrough for Network Card

    nano /etc/default/grub

    • Edit this line by adding intel_iommu=on to get

    GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"

    update-grub

    nano /etc/modules

    • Add these lines
    vfio
    vfio_iommu_type1
    vfio_pci
    vfio_virqfd

    update-initramfs -u -k all

    reboot

    Click on 2nd level thing named router on the left side vertical bar hierarchy thing and then click in the top right the blue Create VM button.

    • General tab
      • Name: OPNsense
      • Start at boot: checked
      • Start/Shutdown order: 1
      • Startup delay: 15
    • OS tab
      • Use media: DVD version (usb might work) of OPNsense.iso
    • System tab
      • Machine: q35
      • Bios: OVMF (UEFI)
        • Storage: local-lvm
        • UNCHECK Pre-enroll Keys (HATE)
    • Hard Disk tab
      • Disk size (GiB): 15
      • Discard: checked
      • SSD emulation: checked
    • CPU tab
      • Cores: 4
      • Type: host {makes it not moveable between diff CPU types but will theoretically allow for more speed}
    • Memory tab
      • Memory (MiB): 2048
      • Minimum memory (MiB): 512
    • Network tab
      • No network device: checked
    • Confirm tab
      • Do not start on creation
    • After creation, go to Hardware tab in the 2nd left vertical list on the browser page and click add
    • Click PCI Device
      • Device: ...01:00.0 I350 Gigabit... & ...01:00.1 I350 Gigabit... (1st & 2nd ones)
      • PCI-Express: checked

    Go to the Console tab in the 2nd left vertical list on the browser page and hit enter to get to a command line in the OPNsense VM

    !Add expand storage via command line!

    And lastly, during setup I have these notes

    It will choose wrong (WAN gets igb1 and LAN gets igb0 -> we want WAN gets igb0 and LAN gets igb1)
    Default User: root, PW: opnsense (they don't tell you anywhere, you don't have internet b/c this is your new router, fuck em)
    **Access at 192.168.1.1 via plugging an ethernet cable into the 1st port in a set of forwarded ports**
    *Note that we will move it so the 1st port is the WAN (can't access OPNsense from the WAN port for safety), so after following this you access via 2nd port*

    So watch out for those things. Not sure quite what I mean by the 1st and 2nd port things, may be related to on setup it had the order of the ports I wanted wrong so they’re switched till setup is complete and it reboots.

    I don’t remember doing this at this point, but maybe this info dump will help!
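The recipe in the notes above is easy to get half-right, and the failure mode is the one the OP worries about: the host loses its own NIC and the Proxmox web UI with it. The script below is an added example, not glizzyguzzler's notes or Proxmox's own tooling. It checks the GRUB command line, /etc/modules and, most importantly, whether the card's IOMMU group contains anything else, since vfio claims the whole group. The PCI addresses 0000:01:00.0/0000:01:00.1 and the PASSTHRU_LIVE variable are assumptions; each check takes its input as text so it can be run on constructed data before touching a real host.

```shell
#!/bin/sh
# Pre-reboot checks for the NIC passthrough recipe (added example, not from
# the post). Each check takes its input as a string so it can be run against
# constructed data; run_live() feeds it the real host files. Assumption: the
# card is 0000:01:00.0 / 0000:01:00.1 as in the notes, and the onboard
# management NIC is a different PCI device.

# 0 if the kernel command line enables the IOMMU (Intel or AMD spelling).
cmdline_has_iommu() {
    case " $1 " in
        *" intel_iommu=on "*|*" amd_iommu=on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the /etc/modules content in $1 lists every module vfio-pci needs.
# vfio_virqfd is deliberately not required: newer kernels fold it into vfio.
modules_complete() {
    for m in vfio vfio_iommu_type1 vfio_pci; do
        printf '%s\n' "$1" | grep -qx "$m" || return 1
    done
    return 0
}

# Print the devices that share an IOMMU group with $2, given the output of
#   find /sys/kernel/iommu_groups -type l
# in $1. Prints nothing if $2 is in no group (IOMMU off or wrong address).
iommu_group_siblings() {
    group=$(printf '%s\n' "$1" | grep "/devices/$2\$" | sed 's|.*/iommu_groups/\([^/]*\)/.*|\1|')
    [ -n "$group" ] || return 0
    printf '%s\n' "$1" | grep "/iommu_groups/$group/devices/" | sed 's|.*/devices/||' | grep -v "^$2\$" || true
}

# 0 if every device sharing a group with the devices in $2.. is itself in
# that list. vfio takes a whole group, so an outsider (for instance the
# onboard NIC carrying Proxmox management) would be pulled off the host too,
# which is exactly how this recipe locks you out of the web UI.
passthrough_group_ok() {
    listing=$1; shift
    wanted=" $* "
    for d in "$@"; do
        printf '%s\n' "$listing" | grep -q "/devices/$d\$" \
            || { echo "FAIL: $d is in no IOMMU group (IOMMU off or wrong address?)" >&2; return 1; }
        for s in $(iommu_group_siblings "$listing" "$d"); do
            case "$wanted" in
                *" $s "*) ;;
                *) echo "FAIL: $s shares an IOMMU group with $d" >&2; return 1 ;;
            esac
        done
    done
    return 0
}

# Run all three checks against this host for the given PCI addresses.
run_live() {
    cmdline_has_iommu "$(cat /proc/cmdline)" && echo "ok: IOMMU enabled" \
        || echo "FAIL: add intel_iommu=on to GRUB_CMDLINE_LINUX_DEFAULT and run update-grub"
    modules_complete "$(cat /etc/modules)" && echo "ok: vfio modules listed" \
        || echo "FAIL: /etc/modules lacks vfio, vfio_iommu_type1 or vfio_pci"
    listing=$(find /sys/kernel/iommu_groups -type l 2>/dev/null || true)
    passthrough_group_ok "$listing" "$@" && echo "ok: IOMMU group isolated" \
        || echo "FAIL: do not reboot into this config yet"
}

# Usage on the host: PASSTHRU_LIVE=1 sh check_passthrough.sh 0000:01:00.0 0000:01:00.1
if [ "${PASSTHRU_LIVE:-}" = "1" ]; then run_live "$@"; fi
```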

  • NarrativeBear@lemmy.world · 1 up · 1 day ago

    I have been running PfSense on Proxmox for ages now.

    What I do is the following.

    1. Pass the NIC card through to PfSense.
    2. Your motherboard’s Ethernet port is plugged into your network switch (think of Proxmox as just another PC on your network)
    3. In PfSense your NIC can now be seen and all ports can be assigned as needed. Assign one as WAN and the others as LAN.

    Set your pfSense /OPNsense to start at boot when you power on proxmox.

    FYI, you might occasionally run into issues where the NIC “GUID” changes so your VM won’t be able to start.

    When this happens your pfSense/OPNsense VM won’t start so your network will be in a “down state”. This means DHCP won’t be working either, and any PCs that were not assigned a static IP won’t be able to access the Proxmox GUI to quickly fix the issue.

    You might occasionally need to hook up a temporary router between a PC and your Proxmox host to access the web GUI as a result. At least this is what I do when my outage is longer than an hour.

    • xavier666@lemmy.umucat.day (OP) · 1 up · 1 day ago

      Thanks, I may go this route.

      FYI, you might occasionally run into issues where the NIC “GUID” changes so your VM won’t be able to start.

      I think this is the same issue as a Linux host forgetting where to mount a disk since the UUID was not written in fstab.

      But why does the GUID change? Can’t it be hard-coded?

      • NarrativeBear@lemmy.world · 2 up · 5 hours ago

        Honestly I don’t know enough to answer that question fully.

        From what I understand PCI addresses (01:00.0) are dynamically assigned by the motherboard’s BIOS at boot. Adding or removing PCIe devices, enabling M.2 drives, or adjusting BIOS settings often shifts your device addresses up or down which can prevent a VM from starting up.

        Reading online though, there now seems to be a workaround to this issue. I might need to give it a shot on my Proxmox machine.

        “PCI ID overrides” is the term in this document to search for.

        https://pve.proxmox.com/wiki/PCI(e)_Passthrough

  • Possibly linux@lemmy.zip · 3 up · 2 days ago

    I personally would not recommend this setup as any issue with your proxmox cluster will turn into a network issue.

    Instead, I would purchase a cheapish router that can run OpenWRT. If you are dead set on OPNsense you can find x86 boards from various vendors or you can make a dedicated router out of a network card and a small form factor computer.

    • Dultas@lemmy.world · 1 up · 5 hours ago

      Yeah, I did it briefly to test if I wanted to use it before getting a dedicated Protectli Vault. But gateway and NAS are both things I recommend not running on Proxmox long term.

      Router - for one you can’t form a quorum for a cluster if there is no network so you’d have to physically access the box every restart.

      NAS - You lose access to any backups you’re doing and ability to restore if that node fails.

      • Possibly linux@lemmy.zip · 1 up · 5 hours ago

        To play devil’s advocate, technically you don’t need a router for the network. Your Proxmox hosts should be in the same layer 2 which means they can communicate regardless of the state of the default gateway.

        • Dultas@lemmy.world · 1 up · 1 hour ago

          Networking isn’t my forte but I thought IP addressing required layer 3 switching? Which is going to be dependent on your switch supporting it.

    • dbtng@eviltoast.org · 2 up · 2 days ago

      I own 2 OpenWRT routers. Fun little things. Love em.
      But running a virtual firewall is a perfectly reasonable goal. OpenWRT doesn’t have the feature set that OPNsense has.
      They are not the same sort of product. Lot of common ground, but not the same thing.

      • Possibly linux@lemmy.zip · 1 up · 2 days ago

        OpenWRT has a zone based firewall just like OPNsense does. Sure it isn’t as clean but I don’t really see a use case for OPNsense that OpenWRT couldn’t fulfill.

  • dbtng@eviltoast.org · 1 up · 2 days ago (edited)

    There’s a few things we don’t know here.

    • Are you hosting more VMs on Proxmox that need network via a virtual switch?
    • Are you providing network to other physical devices as well via a switch, so you need to output to that?
    • Do you want OPNsense to be your gateway and assign IPs, or do you have a router?
    • As you have 3 NICs and sound like you want to use them, let’s assume you aren’t doing RoaS, but this could all be done on one (very busy) NIC.

    There’s nothing wrong with your plan, but that’s not how I would do it.
    I don’t pass through NICs. I bond them or I bridge them.
    In a virtual world, this sort of task is done with virtual switches. OVS switches at my job.
    OVS is a lot easier to use than oldskool linux bridges that come installed with Proxmox. There’s already a dropdown in Network where you can build with OVS objects, but you need to add the package.
    apt install openvswitch-switch

    • MGT. For your setup, I might consider (the onboard!) eth3 as my mgt NIC. That might be handy some day if you have to remove that card. Your server will still be online.

    • DMZ WAN. I would run the WAN line straight to eth1. Add eth1 to a ‘dmz’ virtual switch. Add the OPNsense WAN leg to this dmz virtual switch, so the OPNsense (and nothing else) can directly talk to the upstream router.

    • LAN Virtual. Create a ‘protected network’ virtual switch. Add the OPNsense LAN leg to this virtual switch. VMs can be a member of this downstream protected network and access any services provided by the OPNsense.

    • LAN Local. If you need to share the OPNsense protected network back out to other devices, add eth2 to the protected network switch, and ethernet cable out from eth2 to a dumb switch. Plug other external devices into the dumb switch, and they will be downstream from and protected by your OPNsense, accessing its services.

    Feel free to ignore me here. I build a lot of big things, so I use enterprise-scale techniques. There’s nothing wrong with your pass-through plan.
    And … you can do this! I have a somewhat similar setup on my laptop with HyperV, so I can distribute wired (work VPN) and wireless (everything else) internet to guest VMs and the main OS. I made two virtual switches in HyperV.

    • The first switch gets exclusive access to my NIC attached to my VPN device. This is the OPNsense WAN leg.
    • The second switch is the OPNsense LAN leg and VMs are members.

    Good luck!
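The three-bridge layout above has one invariant that matters for safety: the WAN NIC must be alone on the dmz bridge, so nothing but the OPNsense WAN leg ever sits on the upstream side of the firewall; and it answers question #5, since two NICs cabled to the same switch only form a loop if they land in the same bridge. The script below is an added example, not dbtng's or Proxmox's own code: it audits /etc/network/interfaces for both conditions, with a constructed config in the Proxmox OVS format as sample input. The bridge names vmbr_dmz/vmbr_lan/vmbr_mgmt and the 192.0.2.x addresses are assumptions.

```shell
#!/bin/sh
# Audit bridge membership in /etc/network/interfaces for the three-bridge
# layout (added example, not from the post). Linux bridges list members under
# "bridge-ports", OVS bridges under "ovs_ports" on the bridge stanza, the
# format the Proxmox OVS wiki uses. The config below is constructed.

SAMPLE_INTERFACES='# WAN: only eth1 and the OPNsense WAN leg may live here
auto eth1
iface eth1 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr_dmz

auto vmbr_dmz
iface vmbr_dmz inet manual
    ovs_type OVSBridge
    ovs_ports eth1

# Protected LAN: OPNsense LAN leg, other VMs, and eth2 out to the dumb switch
auto eth2
iface eth2 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr_lan

auto vmbr_lan
iface vmbr_lan inet manual
    ovs_type OVSBridge
    ovs_ports eth2

# Management: the onboard eth3 on a plain Linux bridge carrying the host IP
auto vmbr_mgmt
iface vmbr_mgmt inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports eth3
'

# Print the ports listed on bridge $2 in the config text $1, one per line.
bridge_ports() {
    printf '%s\n' "$1" | awk -v b="$2" '
        $1 == "iface" { cur = $2 }
        cur == b && ($1 == "bridge-ports" || $1 == "ovs_ports") {
            for (i = 2; i <= NF; i++) if ($i != "none") print $i
        }'
}

# Print every bridge in $1 that lists port $2 as a member.
bridges_of() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "iface" { cur = $2 }
        $1 == "bridge-ports" || $1 == "ovs_ports" {
            for (i = 2; i <= NF; i++) if ($i == p) print cur
        }'
}

# 0 if the WAN NIC $2 sits in exactly one bridge and is the only port listed
# on it. Any other NIC on that bridge is switched straight to the upstream
# side, bypassing the firewall VM entirely.
audit_wan() {
    brs=$(bridges_of "$1" "$2")
    n=$(printf '%s\n' "$brs" | grep -c .) || true
    [ "$n" -eq 1 ] || { echo "FAIL: $2 is in $n bridges, expected exactly one" >&2; return 1; }
    for p in $(bridge_ports "$1" "$brs"); do
        [ "$p" = "$2" ] || { echo "FAIL: $p shares bridge $brs with WAN port $2" >&2; return 1; }
    done
    return 0
}

# 0 unless ports $2 and $3 (both cabled to the same switch) share a bridge,
# which is the one configuration that actually creates a loop.
audit_loop() {
    for b in $(bridges_of "$1" "$2"); do
        for c in $(bridges_of "$1" "$3"); do
            [ "$b" != "$c" ] || { echo "FAIL: $2 and $3 are both in $b" >&2; return 1; }
        done
    done
    return 0
}
```

On the host, run the same functions on the real file, e.g. audit_wan "$(cat /etc/network/interfaces)" eth1 and audit_loop "$(cat /etc/network/interfaces)" eth2 eth3.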

    • xavier666@lemmy.umucat.day (OP) · 0 up · 2 days ago

      Are you hosting more VMs on Proxmox that need network via a virtual switch?

      Only one more VM which will host some services (to be accessed via a reverse proxy)

      Are you providing network to other physical devices as well via a switch, so you need to output to that?

      The Proxmox is connected to a switch, and all my other devices (other servers/PC/access point) are connected to this switch. Ideally, these services will connect to the OPNsense VM and get IP via DHCP from OPNsense.

      Do you want OPNsense to be your gateway and assign IPs, or do you have a router?

      OPNsense should be my public facing gateway, similar to what my current router (TP-Link) is doing. Currently, my router is connected to an ISP GPON. But it seems the GPON acts only as a fiber to ethernet converter. I use my ISP provided credentials on my ROUTER to authenticate with my ISP (via PPPoE)

      As you have 3 NICs and sound like you want to use them, let’s assume you aren’t doing RoaS, but this could all be done on one (very busy) NIC.

      RoaS? Router as a Service? I have no idea. I want to use the 3rd port, but if you feel like this is a bit complicated, I can leave it for now, provided I don’t incur a heavy penalty for using the LAN port for traffic and Proxmox management.

      And … you can do this!

      Thank you, I needed that! I am just starting out with Proxmox and OPNsense and it seems a bit overwhelming. I am trying to start out small. In case everything blows up, I still have my old TP-Link router.

      PS: Please check the original post as I have added a diagram regarding what I want to do.

      • zarathustrad@lemmy.world · 1 up · 1 day ago (edited)

        I essentially just did this as a total beginner and it worked. (I have built my own gaming PCs and took basic/Pascal programming in HS, but have no real network experience)

        I had some old enterprise mini PCs, added a second NIC to one and put OPNsense and pihole VMs on it. I ended up doing PCI Passthrough for the new NIC for the OPNsense VM so the WAN/modem is isolated from the host. But a simple bridge works. The original management LAN NIC is just in bridge mode (so the host and VMs can share it).

        I’m probably too new to be offering advice, so I’ll just pile on the encouragement. You can do it!

      • dbtng@eviltoast.org · 2 up · 2 days ago

        Cool. Yes, this looks reasonable. It looks logical.

        So, my main recommendation is consider the use of virtual bridges to manage the network instead of passthrough. And I recommend installing and using the OVS style virtual bridge.
        https://pve.proxmox.com/wiki/Open_vSwitch

        This gives you flexibility going forward. Say you want to run something out in the DMZ instead of behind the firewall, well you just attach that VM to the DMZ bridge instead. And it gives you an easy way to provision network for VMs. You just attach them to the LAN bridge.

        (RoaS is a terrible name. Router on a Stick. It means your router is on the same switch as its clients, and all the communications go up and down that one port. It’s a perfectly legit way to manage a network, but sorta ugly and not what you are doing with your fancy 3-port rig. :)

  • jaschen306@sh.itjust.works · 0 up · 1 day ago

    I did the same setup except I used pfsense and a Dell.

    I wouldn’t recommend it at all. Any setting change that requires a reboot from Proxmox would result in a total loss of the network. The weakest link is settings based.

    I can’t begin to tell you the amount of times this happened to me that I went out and bought an Intel NUC and put the pfsense on bare metal.

    • xavier666@lemmy.umucat.day (OP) · 1 up · 1 day ago

      Any setting change that requires a reboot from Proxmox would result in a total loss of the network

      Did you mean a setting change in proxmox? If yes, then I understand the risks.

      Also, after the reboot does the setup come back online automatically? Or do you need to perform some manual intervention?

      • Dultas@lemmy.world · 1 up · 5 hours ago

        It will come back if you set it to start on boot. Make sure you set its priority to start before anything else that requires network connectivity. If you ever move to having a cluster it’ll be a real headache because you won’t have a network for quorum and so you’ll have to physically access the box to force start it. I would highly recommend going out and getting a NUC or some other dedicated hardware as a priority before any other expansion.

      • jaschen306@sh.itjust.works · 1 up · 9 hours ago

        Well, at the time, there was no AI. So a lot of this was just me and stack overflow. I imagine it’s a lot easier now.

        I had 3 Ethernets. 2x 10GbE. 1x 1GbE.

        My Synology would connect directly to the Proxmox using the 10GbE since it has immich on it and the source of truth is on the Synology.

        The other 10GbE went into the 10GbE switch which had ports for 2.5GbE and my wifi 7 connects to this.

        The main WAN would come in on the 1GbE.

        Any random settings that I updated, I would lose everything and have to plug in a keyboard and redo the .conf.

        What I ended up doing was just have one of the 10GbE as the router WAN and then the 1GbE became the console/different VLAN and so I don’t count on the router to connect to my pfsense.

        I still at the very end just gutted pfsense out and gave it a proper box. Never a problem since.

      • m4ylame0wecm@lemmy.zip · 1 up · 11 hours ago

        Start on Boot for the VM should take care of that.

        My OPNsense is a VM on some n100 mini PC under Proxmox. Regular reboots haven’t had a need to attach a monitor in years, or manually hit the Proxmox webui for anything like that.

        If you skip passing through NICs, virtio can work just fine (1 Gbps NAT throughput on 1G Intel NICs). For me, this is to have the option of adding a 2nd OPNsense or whatever alongside (segmentation or just prepping replacement or stuff like that). I also run small core services (dns) on the miniPC as additional containers or VMs.

  • frongt@lemmy.zip · 0 up / 1 down · 2 days ago

    Enable pci passthrough for the card, use the onboard interface for proxmox management. It will only cause a loop if you bridge the interfaces or enable routing in proxmox, which is really hard to do accidentally. Don’t worry about it too much. Even if it happens, just unplug one of the connections and reboot the switch, then go back in and fix it.