Configuration of Proxmox for OpenWRT behind OPNsense

sodaws

Member
Apr 2, 2021
Hey everyone,
I need some help with a kinda exotic idea I had. I want an OPNsense VM that does all the things that my current consumer router does (routing, firewall, DHCP, etc.) and an OpenWRT container that just does CAKE QoS for me. I made a diagram that explains it a little bit better.
What I'd like to have:
Untitled Diagram(1)(1).png

And this is my Proxmox Host's network configuration:

Screenshot 2021-04-05 003818.png

The problem I'm having is that I don't know how to do the whole interface/bridge configuration in Proxmox and OpenWRT/OPNsense, since I'm pretty much a noob when it comes to networking and Proxmox. Right now, enp3s0 is connected to my current router and vmbr0 was added to my OPNsense/OpenWRT instances, so I can configure and access them via webGUI. I don't know whether I have to assign IP addresses to the bridges or to the network devices of the Containers/VMs. vmbr0 was automatically configured during the Proxmox installation.

Is the approach from the diagram the right one? How should I configure and assign the bridges/network devices in Proxmox? I'm not sure if I understand what a bridge actually is. What is the difference between assigning IP addresses to bridges and assigning IP addresses to network devices of VMs/Containers?
 
Hi,

I don't know whether I have to assign IP addresses to the bridges or to the network devices of the Containers/VMs. vmbr0 was automatically configured during the Proxmox installation.

vmbr0 is recommended to be used only for Proxmox administration via web/browser. If you also want to use it for the virtual NICs of your CT/VM, then a better way will be to use separate VLANs (for admin, and for VM/CT).


I'm not sure if I understand what a bridge actually is

Think that any BRIDGE is like a switch, and any physical interface that is part of this bridge is like a switch port.


What is the difference between assigning IP addresses to bridges and assigning IP addresses to network devices of VMs/Containers?

In most cases, you will not want to have an IP on a bridge, but you will need to have an IP address on any vNIC of your VM/CT. From a security point of view, it is not wise to have an IP on a bridge where you also have some IPs of your CT/VM, because if one of them is compromised, then it is possible to connect from it to the bridge IP => the attack can develop against the Proxmox admin https => very bad!

Good luck / Bafta !
 
... and you have some errors in your concept design!

- vmbr1 does not have any physical NIC port/slave (like a switch without any physical port), so no traffic could be done from OPNsense -> WAN
- also, you have a limited RAM size (8 GB), so I do not think that you can run so many VM/CTs + OpenWRT + OPNsense

Other ideas:
- doing QoS on an ISP link that does not offer guaranteed bandwidth is like gambling on the lottery; much better will be to do some kind of traffic prioritisation (DSCP/ToS)
- if I needed to solve your problem, I would buy a cheap but powerful hardware router (like Mikrotik HEX S), which will do most of the tasks that you need to do with OPNsense+OpenWRT (routing, firewall, DHCP, QoS, and even more) - your setup will be simpler, and the network performance will be much better (speed, latency, and so on)




Good luck / Bafta !
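
A check for the two points raised in the replies above (a host IP on a bridge that guests also use, and a bridge with no physical port), as an added example that is not part of the original thread. The sample interfaces file, the guest NIC lines, the addresses and the finding names are all constructed for illustration.

```python
import re
# Constructed sample of /etc/network/interfaces (addresses are made up).
INTERFACES = """\
iface enp3s0 inet manual
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports enp3s0
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
"""
# Constructed guest NIC lines, in the style of the VM and container config files.
GUEST_NICS = {
    "100-opnsense": ["net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0",
                     "net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1"],
    "101-openwrt": ["net0: name=eth0,bridge=vmbr1,type=veth"],
}

def parse_bridges(text):
    """Return {bridge: {"address", "ports"}} for stanzas that carry bridge-ports."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            cur = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            cur = None  # these keywords end the current iface stanza
        elif cur is not None:
            cur[words[0].replace("_", "-")] = words[1:]
    return {n: {"address": (o.get("address") or [None])[0],
                "ports": [p for p in o["bridge-ports"] if p != "none"]}
            for n, o in stanzas.items() if "bridge-ports" in o}

def audit(interfaces, guest_nics):
    """Flag host-IP bridges that guests share, and bridges with no physical port."""
    users = {}
    for guest, lines in guest_nics.items():
        for m in re.finditer(r"\bbridge=(\w+)", "\n".join(lines)):
            users.setdefault(m.group(1), set()).add(guest)
    findings = []
    for name, b in sorted(parse_bridges(interfaces).items()):
        if b["address"] and users.get(name):
            findings.append((name, "host-ip-shared-with-guests"))
        if not b["ports"]:  # internal-only bridge: cannot reach the WAN by itself
            findings.append((name, "no-physical-port"))
    return findings

if __name__ == "__main__":
    print(audit(INTERFACES, GUEST_NICS))
```

A bridge without a physical port is reported for review only; it is a valid internal link between guests, but it carries no traffic off the host.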