OPNSense Passthrough Ethernet or WAN - Having disconnections

A

andrema2

Member
Dec 7, 2020
28
5
8
53
Hi all

I set up a OPNSense VM in a NUC machine. It has only one ethernet, so I added an USB-C dongle with another ethernet. This USB-C is passed through to the OPNsense as the WAN port.

It looks ok, but I'm getting a lot of disconnections or at least the gateway is unable to ping 8.8.8.8 and all device at the network can't access anything on the internet.

At the OPNsense all hardware offloading is checked.

The LAN is set as virtio and is recognized as 10G (it's not, it's a phisycal 1G), the WAN is recognized as 1G as it should.

Is I stop the bypassing and leave it all as virtio NICs I don't have any problem, but I understand it is less secure because the WAN is then available for Proxmox.

I know I'm missing logs to help here. Where and how can I get these information ?

My VM is set processor is set as host and as follows:
Screen Shot 2020-12-14 at 12.54.01.jpg

Thanks for your help
 
Last edited:
andrema2 said:
I set up a OPNSense VM in a NUC machine. It has only one ethernet, so I added an USB-C dongle with another ethernet. This USB-C is passed through to the OPNsense as the WAN port.
Click to expand...
If you use USB-passthrough, it most likely won't work reliably, as all data must then go through user space which severely limits performance (personal experience: 24 bit stereo audio is already too much, even on a high-end machine, so gigabit ethernet is clearly a no-go).

You could try PCIe passthrough of a USB controller, or just leave it be with the virtio NIC, since at gigabit speeds it really shouldn't matter that much (only maybe a bit for latency, but with a USB-to-ethernet adapter that ship has sailed anyway).

andrema2 said:
The LAN is set as virtio and is recognized as 10G (it's not, it's a phisycal 1G), the WAN is recognized as 1G as it should.
Click to expand...
virtio NIC always reports 10G, and it technically *is* a faster-than-gigabit interface, as long as you use it only to talk to the host (PVE). Network performance is always limited by the weakest link in the chain, and the virtio developers just wanted to make sure that their driver isn't it ;)

andrema2 said:
Is I stop the bypassing and leave it all as virtio NICs I don't have any problem, but I understand it is less secure because the WAN is then available for Proxmox.
Click to expand...
That threat-model makes little sense, a compromised hypervisor will always have access to all connected hardware...
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom