Hi all, been racking my brain for a few days now and feel like I've hit a brick wall trying to get Opnsense to act as my router/firewall for Proxmox VMs.
SETUP
Bare metal server from OVHcloud with Proxmox 8.3 installed and a few Unix VMs as well as an Opnsense VM.
Single Ethernet cable from OVH (The ISP) to the physical server into eth0.
Single public IPv4 address set up against a static MAC (i.e. my public IP has to be set on this MAC for the ISP to accept my traffic).
vmbr0 is set up and has only eth0 as a bridge port.
vmbr100 is set up and fully working as the LAN port for Opnsense and VMs (I can reach the Opnsense GUI from my other Unix VM).
ISSUE
ARP requests for the default gateway MAC are going to the ISP and the response is coming back; I see the traffic in tcpdump against vmbr0.
ARP responses from the ISP are not showing up in tcpdump against the tap interface (the WAN port of opnsense) but the ARP requests are showing up.
So ARP replies are not being 'switched' back to the Opnsense WAN port in vmbr0.
The destination for the ARP response in the vmbr0 tcpdump output is the MAC address the ISP assigned me - this is the MAC I have configured on the WAN interface in Opnsense AND on the network adapter I configured for the VM in Proxmox. When I look at ifconfig on the Opnsense VM I see this MAC listed under vtnet0 (the WAN port), but I do not see this MAC on the tap interface when I inspect the MACs on vmbr0 - I see some other random MACs which I honestly can't find anywhere in the Opnsense or Proxmox configs.
The only place the MAC address which was assigned to me is visible in the vmbr0 MACs is from eth0. So I am confused how I am meant to re-use this MAC address on Opnsense using Linux bridges.
I only have access to an IPMI interface of my server, hence why I haven't included any configs or tcpdump outputs. Hopefully I explained the problem in enough detail, but if not, I can try to grab screenshots from the console to illustrate the issue.
One idea I have is to simply pass the full eth0 port to Opnsense and remove vmbr0 - but I don't know if this is even possible. Opnsense is the only VM I want with a link into the Internet, as I want to control VM access via NAT/ACLs on Opnsense.
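The symptom in the post (ARP replies visible on vmbr0 but never on the tap, and the ISP-assigned MAC showing up only under eth0) is exactly what the bridge's forwarding database decides. The script below is an added example, not code from the post or from Proxmox/OPNsense: it parses the text output of `bridge fdb show br vmbr0` and reports where the bridge will deliver a frame addressed to a given MAC. The interface names (eth0 as the OVH uplink, tap100i0 as the OPNsense WAN vNIC) and every MAC in the sample are constructed placeholders.

```python
"""Where does a Linux bridge deliver a frame for a given MAC? Decided from the text
output of `bridge fdb show br vmbr0` (added example; all sample data is constructed)."""
import re
from typing import List, Optional, Tuple

# Constructed sample, not a real capture. Assumed names: eth0 = OVH uplink,
# tap100i0 = OPNsense WAN vNIC on vmbr0. 02:00:00:aa:bb:cc stands in for the
# ISP-assigned MAC and is owned by eth0 itself; fe:24:... is the tap device's own
# address (the "random" MAC shown for a tap); bc:24:... was learned on the tap.
SAMPLE_FDB = """\
02:00:00:aa:bb:cc dev eth0 vlan 1 master vmbr0 permanent
02:00:00:aa:bb:cc dev eth0 master vmbr0 permanent
33:33:00:00:00:01 dev eth0 self permanent
fe:24:11:11:22:33 dev tap100i0 vlan 1 master vmbr0 permanent
bc:24:11:11:22:33 dev tap100i0 master vmbr0
"""
FDB_LINE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+dev\s+(\S+)(.*)$")
# (mac, dev, local, vlan); local = "permanent" entry, i.e. the port's own address
FdbEntry = Tuple[str, str, bool, Optional[int]]

def parse_fdb(text: str) -> List[FdbEntry]:
    """Parse `bridge fdb show` lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FDB_LINE.match(line.strip().lower())
        if not m:
            continue
        rest = m.group(3).split()
        vlan = int(rest[rest.index("vlan") + 1]) if "vlan" in rest else None
        entries.append((m.group(1), m.group(2), "permanent" in rest, vlan))
    return entries

def diagnose(entries: List[FdbEntry], mac: str, wan_port: str) -> str:
    """Return where vmbr0 sends a frame addressed to `mac`.

    A permanent entry marks a local address: the bridge passes such frames up to
    the host's own stack and forwards them to no port, so an ARP reply for an
    ISP-assigned MAC that eth0 still owns is never switched to the VM's tap.
    """
    hits = [e for e in entries if e[0] == mac.lower()]
    if not hits:
        return "unknown"  # not in the FDB yet: frames are flooded to every port
    local_on = sorted({dev for _, dev, local, _ in hits if local})
    if local_on:
        return "local-on-" + ",".join(local_on)
    learned_on = sorted({dev for _, dev, _, _ in hits})
    if learned_on == [wan_port]:
        return "forwarded-to-" + wan_port
    return "learned-on-" + ",".join(learned_on)
```

Run `bridge fdb show br vmbr0` on the Proxmox host and feed the real output to `parse_fdb`; if the ISP-assigned MAC comes back as `local-on-eth0`, the host itself still owns that address and the bridge will keep the ARP replies rather than forwarding them to the tap.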