Some confusing information

amb7247

New Member
Feb 22, 2023
So, I've been reading and watching a lot of information online and on YouTube. Many YouTube content providers have already established a Proxmox setup, only to start installing OPNsense. I feel like there is some type of gap somewhere.

To explain.

This is what I have. I have a 4 port NIC and a disabled onboard NIC on an Optiplex 9010 SFF computer.

Proxmox is configured with a gateway IP of 192.10.10.1 and an access IP of 192.10.10.2.

I have also installed OPNsense, not yet run. In one video he mentioned to go to devices and go to the OPNsense VM -> Hardware -> Add -> PCI device. So I added the eth3 and eth2 ports from the NIC card to this.

My questions follow in two parts.

1) Do I still need to add a vmbr1 (WAN) and vmbr2 (LAN) to the default vmbr0? This would point to the same two ports that I added as PCI devices above.

2) Second question is: What do you guys typically set your gateway IP for Proxmox to, compared to the gateway IP of OPNsense? Should this be the same gateway, or am I required to make the gateway, for example, 192.10.11.1 instead of 192.10.10.1?

Thank you.
 
1) Do I still need to add a vmbr1 (WAN) and vmbr2 (LAN) to the default vmbr0? This would point to the same two ports that I added as PCI devices above.
When you pass through a NIC, this NIC can't be used any longer by the host, so you don't need to add a bridge for those NICs.

2) Second question is: What do you guys typically set your gateway IP for Proxmox to, compared to the gateway IP of OPNsense? Should this be the same gateway, or am I required to make the gateway, for example, 192.10.11.1 instead of 192.10.10.1?
Depends...
Set the PVE node's gateway to 192.10.10.1 and your PVE management (web UI, API and SSH) is on the WAN side, so not protected by OPNsense. But at least your PVE node is then still administrable and updatable in case your OPNsense VM has a problem and won't work/start.
 
Thank you. If I repeat anything you said, I'm just rolling through the info in my mind so it's clear.

Got it. So with the Proxmox host plugged into its port on the NIC, continue to leave that bridge on (the default one, vmbr0), and if I continue to use the passthrough, then a bridge isn't needed for vmbr1 and vmbr2, but vmbr0 is still needed. If any of this is incorrect, please correct me anytime. Lol, so funny how everybody does it differently in their tutorial videos.


Okay, so you are basically saying if I set the gateway IP for Proxmox to 192.10.10.1 and the gateway of OPNsense to 192.10.11.1, then basically OPNsense cannot protect Proxmox; however, if something bad happens or OPNsense goes down, at least I have a gateway assigned to Proxmox to get back into it. I guess it just depends on risk factor then.

However, it is definitely not out of the question if somebody wanted to set both gateways to the same gateway IP, you could. But if you wanted the protection by OPNsense or not

Correct?
 
Got it. So with the Proxmox host plugged into its port on the NIC, continue to leave that bridge on (the default one, vmbr0), and if I continue to use the passthrough, then a bridge isn't needed for vmbr1 and vmbr2, but vmbr0 is still needed. If any of this is incorrect, please correct me anytime. Lol, so funny how everybody does it differently in their tutorial videos.
That really depends on your setup. With 3 NICs, two of them passed through for LAN + WAN and the third one for LAN access of your host as well as other guests, you just need one bridge.

With 4 NICs, 2 passed through to OPNsense, 1 on the WAN side for the PVE host, and 1 on the LAN side for the other guests, you would need 2 bridges (LAN + WAN side) or 1 bridge (LAN side) + gateway/IP directly assigned to that physical WAN NIC.

With 2 NICs, 1 passed through for WAN and 1 for LAN for your PVE host + OPNsense LAN side + other guests, you only need one bridge.

But it would be good to route between different subnets, for example a dedicated DMZ subnet for your guests for better isolation/security. Such a DMZ subnet would then require an additional bridge, as you need some way to connect the DMZ side of the OPNsense with the guests.


Okay, so you are basically saying if I set the gateway IP for Proxmox to 192.10.10.1 and the gateway of OPNsense to 192.10.11.1, then basically OPNsense cannot protect Proxmox; however, if something bad happens or OPNsense goes down, at least I have a gateway assigned to Proxmox to get back into it. I guess it just depends on risk factor then.
The gateway of OPNsense has to be the IP of your router or whatever you connect to in order to get internet access.
For the PVE host you have two options. Either use the same gateway as OPNsense, then your PVE management is on the WAN side and not protected by OPNsense. Or you set the IP address of your OPNsense's LAN side as the gateway for your PVE host. Then PVE management is on the LAN side, but you won't be able to download/update anything when your OPNsense fails to run.

Not sure what 192.168.10.1 or 192.168.11.2 is. You didn't describe your network layout in detail.


However, it is definitely not out of the question if somebody wanted to set both gateways to the same gateway IP, you could. But if you wanted the protection by OPNsense or not

Correct?
No problem to have different OSs use the same gateway. You just shouldn't use more than one gateway per OS.
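
The checks discussed in the replies above (one gateway per OS, which side PVE management ends up on, and no host bridge on a passed-through NIC), as an added example that is not part of the original thread. It audits an ifupdown-style `/etc/network/interfaces`; the sample file, the `vmbr1` stanza, the NIC name `eth0` and the OPNsense LAN address passed to `audit()` are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample /etc/network/interfaces (ifupdown syntax); the addresses
# reuse the thread's examples, the NIC names and vmbr1 stanza are assumptions.
SAMPLE = """\
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.10.10.2/24
    gateway 192.10.10.1
    bridge-ports eth0

auto vmbr1
iface vmbr1 inet static
    address 192.10.11.2/24
    gateway 192.10.11.1
    bridge-ports eth2
"""

def parse_interfaces(text):
    """Return {iface: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None
        elif current is not None:
            current[words[0].replace("_", "-")] = " ".join(words[1:])
    return stanzas

def audit(text, opnsense_lan_ip, passthrough_nics):
    """Return (code, detail) findings for the checks discussed in the thread."""
    stanzas, findings = parse_interfaces(text), []
    gateways = {n: o["gateway"] for n, o in stanzas.items() if "gateway" in o}
    if len(gateways) > 1:  # the host should have a single default gateway
        findings.append(("MULTIPLE_GATEWAYS", ",".join(sorted(gateways))))
    lan = ipaddress.ip_address(opnsense_lan_ip)
    for name, gw in gateways.items():
        behind = ipaddress.ip_address(gw) == lan
        findings.append(("MGMT_BEHIND_OPNSENSE" if behind else "MGMT_NOT_BEHIND_OPNSENSE", name))
    for name, opts in stanzas.items():  # a passed-through NIC is gone from the host
        for port in opts.get("bridge-ports", "").split():
            if port in passthrough_nics:
                findings.append(("BRIDGE_USES_PASSTHROUGH_NIC", f"{name}:{port}"))
    return findings
```

Calling `audit(SAMPLE, "192.10.11.1", {"eth2", "eth3"})` reports the second gateway, that `vmbr0` routes around OPNsense, and that `vmbr1` is built on a NIC the host no longer owns.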
 
