Network setup for OpenWRT router VM

strongbad

May 10, 2023
I am totally new to Proxmox, but have experience with Linux and KVM based VMs. For my home install, I want to virtualize an OpenWRT (or maybe OPNsense) router. The Proxmox host has 2 wired controllers and a WiFi controller. One wired controller will be connected directly to my cable modem and the other to a managed switch. The router will be configured with a handful of VLANs (e.g., home, work, guest, IoT) and will be in charge of managing the WiFi controller. I would like the other Proxmox VMs' network data to be VLAN tagged.

Once I get the correct interfaces into the router VM, I think I will be good to go. What I am struggling with is how to set up the bridges on the host. I am hoping this is not that crazy and that someone has done this before and has a nice writeup, but if that is the case, I can't find it.
 
Enable the "vlan aware" checkbox for your bridges. You then can edit your virtio NICs and set a VLAN Tag there (so the NIC will be part of that single VLAN) or keep that VLAN tag field empty, in which case the virtio NIC will let all tagged packets through (no matter what VLAN they are tagged with) and you then have to manage VLANs inside the VM. See here for an example: https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_vlan
 
Do you recommend a bridge for both the wan and the lan interfaces? The wan interface will only be used by the router VM, so I think I could just use the interface without a bridge. I think I could also use passthrough to provide both the physical lan and/or wan devices to the router VM and then create a bridge on the host that is not associated with a physical device (I think).
 
@Dunuin is mostly correct. Assuming you know about trunk ports, what I have seen in Proxmox (behavior wise) is that if the trunk port has a native vlan specified then the nics of whatever is connected to that trunk port (via its bridge) inherit that native vlan when no vlan is set.

For example, vmbr1 carries vlans 1, 2 and 3 (just example). If the trunk port that vmbr1 is connected to has a native vlan of 3, then any nic attached to vmbr1 that doesn't specify a vlan tag is automatically in vlan 3.
 
The wan interface will only be used by the router VM, so I think I could just use the interface without a bridge.
Yes, but only when using PCI passthrough. Otherwise you always need a bridge.

I think I could also use passthrough to provide both the physical lan and/or wan devices to the router VM and then create a bridge on the host that is not associated with a physical device (I think).
Yes, would work. But then you got the problem that PVE's webUI/SSH isn't working without OPNsense running, which would be bad. So you probably either want a third NIC for management or not passthrough the LAN NIC and only passthrough the WAN NIC.
 
@Dunuin is mostly correct. Assuming you know about trunk ports, what I have seen in Proxmox (behavior wise) is that if the trunk port has a native vlan specified then the nics of whatever is connected to that trunk port (via its bridge) inherit that native vlan when no vlan is set.

For example, vmbr1 carries vlans 1, 2 and 3 (just example). If the trunk port that vmbr1 is connected to has a native vlan of 3, then any nic attached to vmbr1 that doesn't specify a vlan tag is automatically in vlan 3.
I mean, for example, only assigning an OPNsense VM a single virtual NIC and not setting a VLAN Tag there while using a VLAN aware bridge. Then PVE shouldn't filter out any VLANs and OPNsense should be able to access vlan 1+2+3 on that single virtual NIC.
 
There is nothing wrong with having multiple interfaces, one per VLAN, unless you have hundreds or thousands of VLANs, of course.
This gives you an easier network setup inside the VM.
Here I have a similar setup with a PFSense VM:
Interface net0 is LAN interface within PFSense
Interface net1 is WAN interface within PFSense, used as primary WAN
Interface net2 is OPT1 interface within PFSense, used as second WAN
Interface net4 is OPT2 interface within PFSense, used as third WAN
Other interfaces are internal networks.
All tagged interfaces have corresponding tagged VLANs on switches.
 
But then you got the problem that PVE's webUI/SSH isn't working without OPNsense running, which would be bad. So you probably either want a third NIC for management or not passthrough the LAN NIC and only passthrough the WAN NIC
I am realizing this now. When the router VM is not running, I won't have a home network, so I will not be able to access the PVE's webUI/SSH no matter what. This is the same issue I would run into if my physical router went down. I am not sure if troubleshooting the router VM from the PVE terminal is all that different than troubleshooting the physical router.

How do people get around this?
 
I like to have an IP and NIC on the LAN subnet for the PVE so you can access it without any routing required. As long as the switch isn't failing I can always access the PVE to fix the OPNsense VM.
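
An added example, not part of any post in this thread: one way the host's /etc/network/interfaces could look for the setup discussed above (WAN bridge used only by the router VM, a VLAN-aware LAN trunk bridge, and a host management address that stays reachable from the LAN when the router VM is down). The NIC names enp1s0/enp2s0, VLAN 10 and the 192.168.10.0/24 addresses are assumptions; here the management IP sits on a VLAN sub-interface of the LAN bridge rather than on a separate NIC.

```conf
# /etc/network/interfaces on the PVE host (constructed example)
# Assumed: enp1s0 = NIC to the cable modem, enp2s0 = NIC to the managed switch,
#          VLAN 10 = "home" network, 192.168.10.0/24. Adjust to your own plan.

auto lo
iface lo inet loopback

iface enp1s0 inet manual
iface enp2s0 inet manual

# WAN bridge: attach only the router VM's WAN NIC here.
# No address is configured on the host side, so the PVE web UI and SSH
# are not bound to an address on the modem-facing segment.
auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

# LAN trunk bridge: VLAN aware, carries all tags to the managed switch.
# Router VM: virtual NIC on vmbr1 with the VLAN tag field left empty (sees all tags).
# Other VMs: virtual NIC on vmbr1 with a VLAN tag set (member of that one VLAN only).
auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

# Host management address directly in the home VLAN. Clients on that VLAN
# reach PVE through the switch without routing, so the host stays reachable
# while the router VM is stopped. The gateway is the router VM's address.
auto vmbr1.10
iface vmbr1.10 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1
```

While the router VM is down there is no DHCP on the LAN, so the client used for recovery needs a static address in the same subnet.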
 