Hello.
I am trying to set up an OPNsense box running as a VM in proxmox. This OPNsense box needs to be my gateway/firewall for all of the VLANs on the LAN. I am however a little confused on a couple of things.
Up until now I have tried to set this up with a single vlan aware linux bridge. I have not had success on getting this up an running. The problem here lies in the network configuration on the virtual machine. I want to trunk all of my VLANs through to the firewall, therefor I leave the 'VLAN tag' field empty in the network configuration of the VM. I just cannot seem to get this right, when I create the VLANs on the firewall itself. The connection sometimes work, and sometimes just drops.
Because of this problem, I have been searching the internet for a solution to this. Here some are suggesting that you create a subinterface for every vlan on the host itself. This should harden the security, since the VLAN segregation will happen on the host itself. I do not know if this is true however. Please correct me if this is wrong.
I guess that boils it down to my original questions:
1. Is it smarter/easier to create a sub-bridge for every VLAN, and then just assign those interfaces to the virtual firewall?
2. Or should I go with a single bridge, and try to get that working?
3. Will separate bridges be more secure?
4. I know that the theoretical internal switching speed is 10Gb when using the same bridge between VMs/containers. Will it go down to 1Gb if using separate bridges?
Just some short info on my setup:
WAN network interface is a PCIe card, that has been assigned directly to the VM.
The firewall hardware, has been assigned according to the requirements found on OPNsense wiki.
I am trying to set up an OPNsense box running as a VM in proxmox. This OPNsense box needs to be my gateway/firewall for all of the VLANs on the LAN. I am however a little confused on a couple of things.
Up until now I have tried to set this up with a single vlan aware linux bridge. I have not had success on getting this up an running. The problem here lies in the network configuration on the virtual machine. I want to trunk all of my VLANs through to the firewall, therefor I leave the 'VLAN tag' field empty in the network configuration of the VM. I just cannot seem to get this right, when I create the VLANs on the firewall itself. The connection sometimes work, and sometimes just drops.
Because of this problem, I have been searching the internet for a solution to this. Here some are suggesting that you create a subinterface for every vlan on the host itself. This should harden the security, since the VLAN segregation will happen on the host itself. I do not know if this is true however. Please correct me if this is wrong.
I guess that boils it down to my original questions:
1. Is it smarter/easier to create a sub-bridge for every VLAN, and then just assign those interfaces to the virtual firewall?
2. Or should I go with a single bridge, and try to get that working?
3. Will separate bridges be more secure?
4. I know that the theoretical internal switching speed is 10Gb when using the same bridge between VMs/containers. Will it go down to 1Gb if using separate bridges?
Just some short info on my setup:
WAN network interface is a PCIe card, that has been assigned directly to the VM.
The firewall hardware, has been assigned according to the requirements found on OPNsense wiki.
