I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a Thinkcentre 720q. The proxmox host has 3 network interfaces.

  • A dual NIC gigabit card where one interface is for WAN and other for LAN, say eth1 and eth2
  • Another interface which came with the PC itself, say eth3

PS: I also have a switch for all my other devices.

After some research, I have understood that

  1. Passing (pass-through) the NIC to the OPNsense VM is better for performance
  2. Passing it through removes the interface from the host OS
  3. If passing is not done correctly, you may lose access to Proxmox.

My questions are

  1. How do I set eth2 to be the LAN port and also use it connect to proxmox?
  2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
  3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
  4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for special purpose (a dedicated management port which will work even if OPNsense is down)?
  5. If I use point #4, my switch will have two ethernet connections from the proxmox host. Will this cause loops and kill my network?

You can answer this selectively by mentioning the question number.

If you have a better idea regarding how to setup OPNsense on Proxmox, please share.

Edit: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions

  1. I am not managing workloads for a dozen of people with strict SLAs. I’m just doing it for my family and myself.
  2. I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with few VMs on Proxmox. I want to setup Proxmox once and let it be.
  3. I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
  4. I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information

  • xavier666@lemmy.umucat.dayOP
    link
    fedilink
    English
    arrow-up
    3
    ·
    15 hours ago

    Are you hosting more VMs on Proxmox that need network via a virtual switch?

    Only one more VM which will host some services (to be accessed via a reverse proxy)

    Are you providing network to other physical devices as well via a switch, so you need to output to that?

    The Proxmox is connected to a switch, and all my other devices (other servers/PC/access point) are connected to this switch. Ideally, these services will connect to the OPNsense VM and get IP via DHCP from OPNsense.

    Do you want OPNsense to be your gateway and assign IPs, or do you have a router?

    OPNsense should be my public facing gateway, similar to what my current router (TP-Link) is doing. Currently, my router is connected to an ISP GPON. But it seems the GPON acts only as a fiber to ethernet converter. I use my ISP provided credentials on my ROUTER to authenticate with my ISP (via PPPoE)

    As you have 3 NICs and sound like you want to use them, let’s assume you aren’t doing RoaS, but this could all be done on one (very busy) NIC.

    RoaS? Router as a Service? I have no idea. I want to the 3rd port, but if you feel like this is a bit complicated, I can leave it for now, provided I don’t incur a heavy penalty for using the LAN port for traffic and Proxmox management.

    And … you can do this!

    Thank you, I needed that! I am just starting out with Proxmox and OPNsense and it seems a bit overwhelming. I am trying to start out small. In case everything blows up, I still have my old TP-Link router.

    PS: Please check the original post as I have added a diagram regarding what I want to do.

    • zarathustrad@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      4 hours ago

      I essentially just did this as a total beginner and it worked. (I have built my own gaming PCs and took basic/Pascal programming in HS, but have no real network experience)

      I had some old enterprise mini PCs, added a second NIC to one and put Opnscence and pihole VMs on it. I ended up doing PCI Passthrough for the new NIC for the Opnscence VM so the WAN/modem is isolated from the host. Bit a simple bridge works. The original management LAN NIC is just in bridge mode (so the host and VMs can share it).

      I’m probably too new to be offering advice, so I’ll just pile on the encouragement. You can do it!

    • dbtng@eviltoast.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      14 hours ago

      Cool. Yes, this looks reasonable. It looks logical.

      So, my main recommendation is consider the use of virtual bridges to manage the network instead of passthrough. And I recommend installing and using the OVS style virtual bridge.
      https://pve.proxmox.com/wiki/Open_vSwitch

      This gives you flexibility going forward. Say you want to run something out in the DMZ instead of behind the firewall, well you just attach that VM to the DMZ bridge instead. And it gives you an easy way to provision network for VMs. You just attach them to the LAN bridge.

      (RoaS is a terrible name. Router on a Stick. It means your router is on the same switch as its clients, and all the communications go up and down that one port. It’s a perfectly legit way to manage a network, but sorta ugly and not what you are doing with your fancy 3-port rig. :)