Great tutorial! I am at 13:40. How in the world did you manage to put an asterisk in that box?
Spacebar
I have a Proxmox machine with only one network port, which is connected to an Asus AP. I would appreciate advice on the connection for an OPNsense VM for that. Should I create an additional VLAN for OPNsense only? Thank you!
You could create a vlan yes and assign a linux bridge to it
Great tutorial, the only thing I would add is if you are going to run this in a production environment, you may want to go into options for the opnsense VM and change "Start at boot" to Yes.
Quite correct, I forgot to mention this 👍
Also, disabling the USB tablet as pointer under "Options", it makes CPU relax a while.
Also, not related to but... do you notice degraded performance under OPNSense using VirtIO?
Got tired of that and finally opted for doing PCI Passthrough as I have one of those mini PCs with 4 NICs, performance improved A LOT and iperf3 shows no lost packages anymore, which was the main issue for me.
Disabling the USB tablet as pointer under "Options", it makes CPU relax too and it's not needed for the OS.
Also, not related to but... do you notice degraded performance under OPNSense using VirtIO?
Got tired of that and finally opted for doing PCI Passthrough as I have one of those mini PCs with 4 NICs, performance improved A LOT and iperf3 shows no lost packages anymore, which was the main issue for me.
Hello Sir, I am struggling to get this setup you showed in the video running on my local,
I followed same everything from scratch
My WAN has a DHCP
And i configured LAN same
Dns also
Still my machine can't reach internet
I can ping my other devices connected to LAN but I cannot ping anything on the other interface, the WAN one
What will be the issue here
I am not getting it
Please do help
Can you ping internet by IP to rule out dns?
@@sheridans No nothing was working, so i tried pfsense so i installed it
And boom it worked without anything to do
Out of the box it worked. So for now i am sticking to pfsense
Will learn how things work in firewall
And then will switch to OPNsense and fix the issue
Thanks a lot for the reply
Hi Sam, why not do a PCI passthrough of the NICs instead of creating the bridges (vmbr). What's the benefit? Also Why did you set the multiqueue? Why the value of 8? Cheers
You certainly can do PCI pass through and recommend it for the wan if you can. Comes down to your use case, I wasn't in a position to pass through the nic due to my physical network setup (i believe i mentioned).
Increasing the multiqueue for freebsd enables multi core cpu network packets, 8 is maximum iirc.
It's usually recommended to set the Multiqueue to the same number as CPU cores, but no more than 8. I usually set it to 8 all the time; it has been said that it can cause high CPU on the VM if you set it higher than the number of CPU cores; I haven't seen this being an issue.
Thanks for your tutorial, however wouldn't it be better to set the CPU type to HOST instead of x86-64-v2-AES? Otherwise my OPNsense VM is running perfectly, and I am able to get my full 2.5gb line speed.
Yes, use the host setting to get full features, my bad.
Thanks for sharing, what happens if you only have one physical NIC on your Proxmox host machine? Can you assign one NIC for both bridges, the WAN and LAN?
You can assign vlans for each
Thank you for this guide! I now have it working on my miniPC with 2 ethernet ports using your tutorial. Now I need to check some tutorials how to properly set up firewall settings :)
Glad you have it working 💪
Thank you a lot Sheridan ! Your video helped me a lot.
Take care
Glad it helped, thanks for taking the time to leave your feedback, highly appreciated.
My ISP needs to use PPPOE with a VLAN ID. I am using OPNsense via Proxmox but I am unable to get my WAN to connect, I believe as I am misconfiguring the VLAN between PM and OPN.
Can you help me shed any light on this?
have you passed the nic directly to opnsense or part of a bridge? if it's part of a bridge have you made it vlan aware when passing adding it to VM?
@@sheridans thanks! This helped a lot, I have made the bridge vlan aware and added the ID into proxmox rather than OPNsense and I now can connect to my wan!
Awesome 👌
Great! But what is not clear to me is how to access Proxmox from the new net. I understand the initial Proxmox is accessed from another net (a point-to-point xlink connection?). Am I right? How could I migrate the Proxmox address to the new net? How do I add a new bridge after the OPNsense initial configuration (where LAN and WAN are chosen)? Thanks
Proxmox should be accessible from your LAN. You can add bridges via proxmox, to add a new interface to OPNsense, power it off, go to the hardware tab, add a new nic and assigning it to the bridge created in proxmox
@@sheridans Thanks, this part is clear. The problem for me is how to configure additional br/ports (I have a 6-port appliance). Must I configure a DHCP server on every port? I want a single LAN, not a LAN for each port/bridge: I don't have a managed switch to add, and my net is small so I don't need to configure VLANs.
Edit the proxmox bridge and add all the ports you want to include
Hi, thank you for your video. I’ve tried to do this. Got to the web UI of OPNsense. But my WAN isn’t getting an IP from my modem. I currently run bare metal OPNsense. But want to virtualise to get the benefits of snapshots. Just can’t figure out what I’ve done wrong
Thank you Sheridan Computing. There is gold in this tutorial. 🎉
FYI, for those of you who are building a firewall appliance, with a Proxmox hypervisor, be careful if you choose a mini pc from Ali-Express.
I found mine came loaded with OPNsense, with UEFI malware for a backdoor to the Ethernet driver. This was a normal machine working well. Except it was being C2ed from China.
I approached the assembler about this and they sent me another installer of their Ethernet drivers with their back door and controlled malware drivers.
Be aware of the provenance of your firewall device and mini pcs!!
You're very welcome! Thank you for taking the time to leave feedback
look like solution for me :) TY
❤
Hope it helps
I want to set this up virtualized so I can learn before moving onto a bare Metal install. would this setup be the one you recommend that wouldn't affect my main network in other words only isolated to vms that connect to the Open sense WAN and nothing else?
This is similar to how I do, using a different IP range and then blocking anything from that IP range to main network (blocking on main network switch)
I would like to know what the diagram of this tutorial is so I can understand.
Lots of glossing over settings makes this unusable. Such as the queue settings on WAN
Multiqueue is related to multiple cpu threads handling packets. It's a recommended setting to pass them through to FreeBSD. Not sure what about this is unusable?
thank you very much! Greatly helped, especially with that qemu-agent remark. Hope, you're doing well, sir!
Glad it helped, brings purpose and encouragement for the videos, much appreciated 🙏
Thank you!
Welcome, thanks for commenting. I did a live stream on these yesterday 😀
You lost me at 8:25. Good video overall. What were you doing with the 3rd port and why did you remove another we just made?
Hi, just watched it back and started waffling a bit; sorry about that. I added the additional interface trying to explain that in most cases you'd want to pass an interface directly through to OPNsense for your WAN. I was unable as my LAN and WAN were on the same switch port (VLAN) due to the configuration of my network.
I can ping the ip inside opnsense with ping host but it doesn’t open on browser
You could try resetting the gui via console
Thanks for the tutorial, my lab ip4 didn’t open on the browser after installation, please what can I do?
that's kind of hard to diagnose from youtube comments, can you ping the ip?
Thanks for your response I can ping it inside opnsense but didn’t open webgui on browser
Thanks!!
And yourself for saying so 👍
what is the default password for opnsense installer?
one is not defined when VM is created.
To install: installer with pass opnsense, normal login, root with pass opnsense
@@sheridans cheers.
I only have one interface, how do i go about it? i'm stuck. i can't access the interface.
Your device only has 1 physical interface? Ideally you need more for a firewall
@@sheridans thanks for this. Found one of my old Dell DA-300 hubs that happens to have a network port. So I just basically plugged it there to get a second interface.
Once I am done with setting all this up do i just unplug my old router and plug the wan into the configured wan port in OPNsense?
I don't know what your current setup is or how your current router connects to the internet
@@sheridans currently I have an Asus router but I would like to see if I could replace it with a proxmox setup and have OPNsense running on a virtual machine. Currently I have IP passthrough enabled from my modem to go to the router with DHCP enabled. How would I go about replacing the router altogether and just use the OPNsense on Proxmox?
@@orion4502 Depends on your internet connection and whether you'd need a modem attached.
i've followed your steps but somehow opnsense has no access to the internet, i don't know why my isp router is blocking it since it's connected to a lan port and should be just another device for it to route traffic to
Usually, you'd set your ISP router in bridge mode; though it should work either way. Is the opnsense picking up a dhcp address from your isp router? can you ping the router from opnsense?
@@sheridans the isp router has no bridge mode; opnsense gets an IP and i can see the device from the isp gui but opnsense can only reach the isp router.
i was able to setup an AP with no effort, i can't understand why opnsense is not being routed
So you can ping the ISP router's local address?
@@sheridans yes