I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a ThinkCentre 720q. The Proxmox host has 3 network interfaces.
- A dual NIC gigabit card where one interface is for WAN and the other for LAN, say eth1 and eth2
- Another interface which came with the PC itself, say eth3
PS: I also have a switch for all my other devices.
After some research, I have understood that
- Passing (pass-through) the NIC to the OPNsense VM is better for performance
- Passing it through removes the interface from the host OS
- If passing is not done correctly, you may lose access to Proxmox.
My questions are
1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for a special purpose (a dedicated management port which will work even if OPNsense is down)?
5. If I use point #4, my switch will have two Ethernet connections from the Proxmox host. Will this cause loops and kill my network?
You can answer this selectively by mentioning the question number.
If you have a better idea regarding how to set up OPNsense on Proxmox, please share.
Edit #1: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions
- I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
- I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
- I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
- I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information.
Edit #2: Thank you for sharing your experience with Proxmox and OPNsense. I’m still reading and re-reading all of your comments to check if I have missed anything.
I have made a small mistake of not ordering the dual NIC + angled riser card before the host arrived, so my host is currently idle. When it arrives, and I manage to set it up, I will make a new post and share what I’ve learnt.
Thank you again!


Did you mean a setting change in Proxmox? If yes, then I understand the risks.
Also, after the reboot does the setup come back online automatically? Or do you need to perform some manual intervention?
It will come back if you set it to start on boot. Make sure you set its priority to start before anything else that requires network connectivity. If you ever move to having a cluster it’ll be a real headache because you won’t have a network for quorum and so you’ll have to physically access the box to force start it. I would highly recommend going out and getting a NUC or some other dedicated hardware as a priority before any other expansion.
Well, at the time, there was no AI. So a lot of this was just me and Stack Overflow. I imagine it’s a lot easier now.
I had 3 Ethernets. 2x 10Gbe. 1x 1Gbe.
My Synology would connect directly to the Proxmox using the 10Gbe since it has Immich on it and the source of truth is on the Synology.
The other 10Gbe went into the 10Gbe switch which had ports for 2.5Gbe and my wifi 7 connects to this.
The main WAN would come in on the 1Gbe.
Any random settings that I updated, I would lose everything and have to plug in a keyboard and redo the .conf.
What I ended up doing was just have one of the 10Gbe as the router WAN and then the 1Gbe became the console/different VLAN and so I don’t count on the router to connect to my pfSense.
I still at the very end just gutted pfSense out and gave it a proper box. Never a problem since.
Start on Boot for the VM should take care of that.
My OPNsense is a VM on some N100 mini PC under Proxmox. Regular reboots haven’t had a need to attach a monitor in years, or manually hit the Proxmox webui for anything like that.
If you skip passing through NICs, virtio can work just fine (1 Gbps NAT throughput on 1G Intel NICs). For me, this is to have the option of adding a 2nd OPNsense or whatever alongside (segmentation or just prepping replacement or stuff like that). I also run small core services (DNS) on the mini PC as additional containers or VMs.
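
Added example, not part of the thread and not Proxmox's own tooling: a pre-reboot check for the bridged (virtio) layout the last comment describes, using the original post's placeholder NIC names. It parses an `/etc/network/interfaces`-style file and fails if the host has an IP address on the WAN side or no address left to manage Proxmox on; the bridge names, addresses and function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Bridge names and addresses are constructed.

# Constructed sample in Proxmox /etc/network/interfaces syntax, using the
# post's placeholder NIC names: eth1 = WAN, eth2 = LAN.
sample_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface eth1 inet manual
iface eth2 inet manual

# WAN bridge: no host address; attached to the OPNsense VM as a virtio NIC
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1

# LAN bridge: OPNsense LAN side plus the Proxmox management address
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports eth2
EOF
}

# stanzas: print "<iface> <ports|-> <address|->" for each iface stanza on stdin
stanzas() {
  awk '
    function emit() { if (name != "") print name, ports, addr }
    $1 == "iface"        { emit(); name = $2; ports = "-"; addr = "-" }
    $1 == "bridge-ports" { ports = $2; for (i = 3; i <= NF; i++) ports = ports "," $i }
    $1 == "address"      { addr = $2 }
    END                  { emit() }'
}

# check_layout WAN_NIC: exit 1 if the host has an address on the WAN side,
# or has no address anywhere else to be managed on.
check_layout() {
  stanzas | awk -v wan="$1" '
    { onwan = ($1 == wan); n = split($2, p, ",")
      for (i = 1; i <= n; i++) if (p[i] == wan) onwan = 1
      if (onwan && $3 != "-") { print "FAIL: host address on WAN side: " $1; bad = 1 }
      if (!onwan && $3 != "-") mgmt = 1 }
    END { if (!mgmt) { print "FAIL: no management address off the WAN side"; bad = 1 }
          exit bad + 0 }'
}

sample_interfaces | check_layout eth1 && echo "layout OK"
```

To check a real host before rebooting, run `check_layout eth1 < /etc/network/interfaces` with the actual WAN NIC name in place of `eth1`.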