Use VM as router (OPNSense) - Pull Proxmox IP from VM's DHCP

nic.aslett

Jul 30, 2022
Hello all, I am trying to set up OPNSense on my Proxmox server and disallow Proxmox from accessing the internet directly, as it's plugged directly into the modem.
I am still learning - excuse me if this is a simple request.

Expectations:
-----------------------------------------------------------------------------------------------------------
Server boots into Proxmox - No IP configurations, no connection to WAN
Proxmox loads OPNSense VM
OPNSense DHCP distributes IP to Proxmox
I can access Proxmox on my network
-----------------------------------------------------------------------------------------------------------

Any thoughts?
 
1.) I wouldn't use DHCP and use a static IP for the PVE host. That way you can access the webUI from LAN even if the OPNsense VM fails to boot. Otherwise you are locked out.
2.) If you don't want the PVE to use the WAN NIC, just don't assign an IP to that WAN NIC/bridge.
 
Thanks for your response Dunuin!

1.) I can set it to static - good call.
2.) I am unsure how this would work. If the WAN doesn't have an address, how will it determine an IP from the modem?
 
I set the static IP for the network device that is plugged into my network for Proxmox.
I have set up the manual connections for the WAN.
All is good to go. Thank you for the fast resolve.
 
I've done the configuration you're talking about in the past.
While it's possible, I would advise against it, since it's error-prone and would block your entire hypervisor.

If you really want, here's what I would do:
  1. Install Proxmox
  2. Create a new bridge. The server should have 2 (or more) bridges, one for connecting the physical port to the firewall, and one for connecting the VMs and the Proxmox hypervisor. I will assume the names vmbr0 for the "WAN Bridge" and vmbr1 for the "LAN Bridge"
  3. Create a router/firewall VM and connect it (with 2 vNICs) to both the vmbr0 and vmbr1
  4. Configure the VM with the public IP in the NIC connected to the WAN
  5. Remove the IP from the WAN bridge and assign it to the LAN bridge. This is a do or die situation: if you do something wrong here, you're locked out and need to restore the file via physical console
I hope I've been clear.

I would advise towards making a test in a VM first.
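
One way to check the end state of steps 2 to 5 before restarting networking, as an added example that is not part of the original posts: it parses a Proxmox `/etc/network/interfaces` and reports when the host still has an IP configuration on the WAN bridge or lacks a static address on the LAN bridge. The bridge names vmbr0/vmbr1 come from the post above; the NIC names and the addresses in the sample are constructed.

```python
# Added example: audit the bridge layout described in the steps above.
# Assumed: vmbr0 = WAN bridge, vmbr1 = LAN bridge; SAMPLE is constructed.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0

auto vmbr1
iface vmbr1 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports enp2s0
"""

def parse_interfaces(text):
    """Split ifupdown-style text into a list of iface stanzas."""
    stanzas, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment line
        if words[0] == "iface" and len(words) >= 4:
            current = {"name": words[1], "family": words[2],
                       "method": words[3], "options": {}}
            stanzas.append(current)
        elif words[0] in ("auto", "source", "source-directory", "mapping") \
                or words[0].startswith("allow-"):
            current = None  # these keywords end the current stanza
        elif current is not None:
            current["options"][words[0]] = " ".join(words[1:])
    return stanzas

def audit(text, wan="vmbr0", lan="vmbr1"):
    """Return a list of findings; an empty list means the layout matches."""
    stanzas = parse_interfaces(text)
    findings = []
    for s in stanzas:  # covers both inet and inet6 stanzas of the WAN bridge
        if s["name"] == wan and (s["method"] != "manual" or "address" in s["options"]):
            findings.append(f"{wan}: host has an IP config on the WAN bridge "
                            f"({s['family']} {s['method']})")
    if not any(s["name"] == lan and s["method"] == "static"
               and "address" in s["options"] for s in stanzas):
        findings.append(f"{lan}: no static address; the web UI is unreachable "
                        "from LAN when the router VM is down")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["OK: WAN bridge unaddressed, LAN bridge static"]:
        print(line)
```

To audit a real host, pass the contents of its `/etc/network/interfaces` to `audit()` instead of `SAMPLE`.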
 
I'm trying the same thing but I am a bit lost.

I have an ISP router (gateway 10.0.0.138) sending a LAN cable to my Proxmox PC (WAN?). Proxmox has Opnsense VM with a gateway address of 192.168.1.1. I have a LAN cable from Proxmox PC to a wireless bridge set to AP mode.

I can connect to my wireless network and get internet connection. However, I am still able to access my ISP router (10.0.0.138) as well as Opnsense from 2 different IPs, 192.168.1.1, and 10.0.0.112 (the one provided by ISP and active in its network list). I also noticed my TrueNAS VM was also reachable via an IP provided by Opnsense (192.168.1.40) and ISP Router (10.0.0.113).

I fixed TrueNAS by removing the WAN vmbr from its Network page. But, how do I fix this? Or should I leave it as is?
