I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a ThinkCentre 720q. The Proxmox host has 3 network interfaces:
- A dual NIC gigabit card where one interface is for WAN and the other for LAN, say eth1 and eth2
- Another interface which came with the PC itself, say eth3
PS: I also have a switch for all my other devices.
After some research, I have understood that:
- Passing (pass-through) the NIC to the OPNsense VM is better for performance
- Passing it through removes the interface from the host OS
- If passing is not done correctly, you may lose access to Proxmox.
My questions are:
1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for a special purpose (a dedicated management port which will work even if OPNsense is down)?
5. If I use point #4, my switch will have two Ethernet connections from the Proxmox host. Will this cause loops and kill my network?
You can answer this selectively by mentioning the question number.
If you have a better idea regarding how to set up OPNsense on Proxmox, please share.
Edit: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions:
- I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
- I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
- I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
- I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information.


I personally would not recommend this setup as any issue with your Proxmox cluster will turn into a network issue.
Instead, I would purchase a cheapish router that can run OpenWRT. If you are dead set on OPNsense, you can find x86 boards from various vendors or you can make a dedicated router out of a network card and a small form factor computer.
I own 2 OpenWRT routers. Fun little things. Love em.
But running a virtual firewall is a perfectly reasonable goal. OpenWRT doesn’t have the feature set that OPNsense has.
They are not the same sort of product. Lot of common ground, but not the same thing.
OpenWRT has a zone-based firewall just like OPNsense does. Sure, it isn’t as clean, but I don’t really see a use case for OPNsense that OpenWRT couldn’t fulfill.
I understand completely. But I will try my best to keep the Proxmox setup as stable as possible (no unnecessary fiddling/power backup). This is mostly an experiment. I have my old router as backup as well. I just wish I had the foresight to buy a router which had OpenWRT support :(
I’ve been doing exactly this for the past 5 years or so.
It’s been pretty stable and reliable.
I went with the PCI passthrough method.
Agree - critical infrastructure should have as few dependencies as possible.