Hi,
So I am looking into a solution with my current hardware for my OPNsense firewall.
I would like to be able to do things like snapshot before upgrade of OPNsense and run a few virtual servers like Home Assistant. ProxMox seem to fit that simple spec. However what I am trying to figure out is well at least two challenges:
I think I'm stumbling over the fact that with ProxMox installed bare metal, ProxMox will not be safe to connect direct to say WAN. And it does not seem to provide support for WAN-FailOver, DNS block lists, Country IP list block and well some other more complexed firewall stuff. Yes I know there is a IP-filter firewall built into ProxMox - How about Unbound? DNS-Block? Country-Block? I guess one could run pi-Hole virtual and that way achieve some of this. Unbound should be able to run in a virtual server anyway and that would handle alot I guess - but it is not packed like in OPNsense? Nor does I seem to be able to have more advanced firewall rules? Or am I missing out on something?
Anyway, it will be a chicken and egg thing in the end: OPNsense will be dependent on that ProxMox is running, and ProxMox will be dependent on OPNsense to be running - otherwise nothing will work at all - since both control network, but from different layers...?
Am I thinking in the wrong way here? The only thing I would like to achive is snapshot of OPNsense - but I might be doing this the wrong way all together...?
So I am looking into a solution with my current hardware for my OPNsense firewall.
I would like to be able to do things like snapshot before upgrade of OPNsense and run a few virtual servers like Home Assistant. ProxMox seem to fit that simple spec. However what I am trying to figure out is well at least two challenges:
- How do I distribute the 8 Ethernet ports, where a few are needed to, the first 6 are dedicated for OPNsense so to speak:
- WAN (of course)
- LTE (WAN-FailOver to mobile network)
- Media (This is connected to an external switch that handles all media connected over cable, like KEF LSX2 speakers and Chromecast Ultras)
- Server (This is also an external switch to handle things like Home Assistant, Ubuntu and a few other minors - if would be nice to move some into Virtal Servers)
- Unifi AP (WiFi is good to have, right?)
- LAN (this is a local attached PC, which is used for OPNsense and sell a bunch of other things - it's a heritage from installing OPNsense we could say)
- ProxMox Intranet/Internet connection somehow?
- ProxMox Management
- What about the needs for ProxMox connection: I separated them into TWO since I well seems like a good thing. But on the other hand, are they not bridged? Static IP maybe, should need to be dynamic to be able to be connected to OPNsense. From one point it seems that I would need an Ethernet cable from the Ethernet port where the ProxMox bridge is, into one of the ports on the OPNsense side - otherwise I would need to go up (well it is mounted high up on a wall) and move an Ethernet cable from say LAN to ProxMox Management - however how do I upgrade ProxMox then? Or well you see where I stumble I guess....
I think I'm stumbling over the fact that with ProxMox installed bare metal, ProxMox will not be safe to connect direct to say WAN. And it does not seem to provide support for WAN-FailOver, DNS block lists, Country IP list block and well some other more complexed firewall stuff. Yes I know there is a IP-filter firewall built into ProxMox - How about Unbound? DNS-Block? Country-Block? I guess one could run pi-Hole virtual and that way achieve some of this. Unbound should be able to run in a virtual server anyway and that would handle alot I guess - but it is not packed like in OPNsense? Nor does I seem to be able to have more advanced firewall rules? Or am I missing out on something?
Anyway, it will be a chicken and egg thing in the end: OPNsense will be dependent on that ProxMox is running, and ProxMox will be dependent on OPNsense to be running - otherwise nothing will work at all - since both control network, but from different layers...?
Am I thinking in the wrong way here? The only thing I would like to achive is snapshot of OPNsense - but I might be doing this the wrong way all together...?
Last edited: