How to configure networking for OPNsense guest?

[gstrong]

Hello, I'd like to run OPNsense as a guest in my proxmox box. I have several dedicated NICs for this purpose, but the relevant ones being the WAN port and the LAN port. I assumed that I would create a linux bridge in proxmox for the wan, and another for the lan, and create devices for each port and associate them with the physical nics. The WAN port should get its IP using DHCP, but when I create the bridge it wants a specific IP address in proxmox.

Could someone point me in the right direction here for how to set up my proxmox network to achieve what I'm trying to do?

 

[Dunuin]

You can create linux bridges without an IP. And you shouldn't set DHCP or static IPs there...at least not for the WAN. IPs set there are only for the host and not the guests.

Some people also prefer to PCI passthrough the NICs, especially the WAN so you don't got unsecure traffic over the host OS.

 

[donhwyo]

For the wan is there a best practice for pass threw vs virtio?
Thanks

 

[gstrong]

You can create linux bridges without an IP. And you shouldn't set DHCP or static IPs there...at least not for the WAN. IPs set there are only for the host and not the guests.

Some people also prefer to PCI passthrough the NICs, especially the WAN so you don't got unsecure traffic over the host OS.

Would a material performance benefit be achieved with PCI passthrough over the VirtIO?

 

[Dunuin]

Would a material performance benefit be achieved with PCI passthrough over the VirtIO?

The VM could directly process the packages without the PVE in between slowing porcessing down. And the VM could make use of some hardware offloading features of the NIC.
So yes, if you got a fast NIC that could drastically improve performance. But when using slow Gbit NICs you shouldn't see a big difference.
Might still be useful to passthrough the Gbit WAN NIC if you are paranoid so the unsecure unfiltered internet traffic doesn't need to be handled the the host OS.