I am in the process of setting up a virtualized OPNsense firewall on Proxmox on a ThinkCentre 720q. The Proxmox host has 3 network interfaces.
- A dual NIC gigabit card where one interface is for WAN and other for LAN, say eth1 and eth2
- Another interface which came with the PC itself, say eth3
PS: I also have a switch for all my other devices.
After some research, I have understood that
- Passing (pass-through) the NIC to the OPNsense VM is better for performance
- Passing it through removes the interface from the host OS
- If passing is not done correctly, you may lose access to Proxmox.
My questions are
1. How do I set eth2 to be the LAN port and also use it to connect to Proxmox?
2. If I use point #1 (eth2 for LAN), how much will the throughput of eth2 be affected? (My ISP provides me symmetrical 320 Mbps link speed)
3. If I use point #1, will local traffic (traffic handled by my switch) be affected?
4. (Optional/Experimental) Since I have a spare port (eth3), can I use it for a special purpose (a dedicated management port which will work even if OPNsense is down)?
5. If I use point #4, my switch will have two ethernet connections from the Proxmox host. Will this cause loops and kill my network?
You can answer this selectively by mentioning the question number.
If you have a better idea regarding how to set up OPNsense on Proxmox, please share.
Edit: Thank you for all your responses! It seems I have to study a lot. Let me answer a few questions
- I am not managing workloads for a dozen people with strict SLAs. I’m just doing it for my family and myself.
- I understand the point that something as critical as a firewall should have its own hardware. However, I just want to experiment with a few VMs on Proxmox. I want to set up Proxmox once and let it be.
- I eventually want to get into VLANs but that is not a priority right now. My future plan is to integrate this with some Omada access points.
- I’ve added a diagram of what I want to do. Please forgive my crude drawing as it’s the best I can do for now.

Please let me know if you want some more information.


You cannot pass the NIC through and still use it in Proxmox - it loses all access to the NIC. So if you want to go that route I recommend you use eth3 as a dedicated port for Proxmox.
For (2) - affected in which way? Compared to which baseline? Are you concerned that your machine cannot keep up with 320Mbps? I doubt that.
For (3) - depends on your local network setup. Do you use VLANs that need routing? Then it goes via OPNsense. Otherwise if all devices are in the same subnet, it likely will not.
For (5) - no loops. You’re not routing traffic between eth3 and eth2.
I need a clarification here.
If you have any resources regarding this setup, please share.
Thank you for your response.
Edit: Changed WLAN to WAN
I think you have a typo here, eth1 is WAN not WLAN? You can configure eth3 to have a hardcoded IP, e.g. 192.168.1.2 - OPNsense must be aware that this IP has been assigned to a device so that the DHCP server doesn’t assign it to a different device. When the VM goes down you can still configure the network manually on your PC and access Proxmox directly. Regarding routing tables, devices on the same subnet are routed directly, all other destinations usually go via the router. So 192.168.1.0/24 (assuming a /24 subnet) will work fine even if the router goes down as long as the connected devices have a valid IP address in this segment. This is why the hardcoded IP will still work.
I use this setup myself, with the complication that I am using VLANs. So for this to work I need to connect to the correct physical port on my switch, but you do not have this additional complexity.
I saw that you added the detail that you’re also running another VM - AFAIR you could route that via the management port as well via Proxmox without added complexity.
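
The dedicated management port discussed in this thread, written out as a Proxmox host network configuration. This is an added example, not something posted by anyone in the thread. It assumes `eth3` is the onboard NIC (the placeholder name from the question), uses the 192.168.1.2/24 address from the reply above, and assumes a hypothetical OPNsense LAN address of 192.168.1.1 and a hypothetical bridge name `vmbr0`.

```conf
# /etc/network/interfaces on the Proxmox host (added example; names are assumptions)

auto lo
iface lo inet loopback

# eth1 (WAN) and eth2 (LAN) are passed through to the OPNsense VM via PCI
# passthrough, so the host no longer sees them and they get no stanza here.

# Onboard NIC: carries no address itself, it is only a member of the bridge.
iface eth3 inet manual

# Management bridge. The static address means the Proxmox web UI and SSH stay
# reachable from any device in 192.168.1.0/24 even when the OPNsense VM is
# stopped, because same-subnet traffic is delivered directly by the switch and
# never goes through the router.
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    # Assumed OPNsense LAN address. Only used for traffic leaving the subnet
    # (for example package updates), so the host loses internet access, but
    # not management access, while the firewall VM is down.
    gateway 192.168.1.1
    bridge-ports eth3
    # The host does not bridge eth3 with the passed-through eth2, so it adds
    # no second path between switch ports and STP is not needed here.
    bridge-stp off
    bridge-fd 0
```

Keep 192.168.1.2 outside the OPNsense DHCP pool or add a static mapping for it, as the reply above notes. Other VMs can be attached to `vmbr0` to reach the LAN through the same port.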