OpnSense on Proxmox vs bare metal install? - eviltoast

I’m going to set out on installing OpnSense for the first time. I see some people put OpnSense on Proxmox and pass through a PCIe network card. Besides the power of backing up and restoring, are there other advantages to this?

My planned OpnSense box is an old Dell Optiplex. It has the normal ethernet port on the motherboard as well as a 4-port PCIe network card that I added. So I’d probably use the PCIe network ports for OpnSense, and reserve the onboard ethernet port for troubleshooting if I royally mess up.

I’m still a Proxmox newbie, but I think I can manage the PCIe passthrough. I’m just not sure what other complications that will introduce to my OpnSense and networking learning curve. So I thought I’d ask first and see if some of the disadvantages or advantages would push me one way or the other. I’m afraid of locking myself out of OpnSense because of incorrectly configured networking as I’m learning.

  • citizen@sh.itjust.works
    1 year ago

    A separate device for opnsense is better. It’s more secure and you can have proper physical network segmentation. You would want to do that if your budget allows. This also allows you to have a stable network while you’re playing with proxmox. Having a solid network core is important. Everything expands and builds on top of that.

    You can still achieve network segmentation on proxmox but you have to be careful and have enough physical NICs. You can mess things up easily if you start using the proxmox firewall. You still need to do updates on both opnsense and proxmox so reboots will be needed. I would say opnsense needs more reboots than proxmox.

    As for backups, snapshotting is nice to have. Opnsense allows you to back up the configuration. You can set up daily backups to a Git repo. As long as you restore to the same hardware (same number and order of NICs) you will be ok. Restoring to a different device requires changes in the config. The config is an XML file.
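
A pre-restore check for the NIC mismatch described in the comment above, as an added example that is not part of the thread: it lists the device each logical interface in a config backup is bound to, reports the ones missing on the target box, and rewrites them. It assumes each assignment's device name sits in an `<if>` element under `<interfaces>` and covers only those assignments; the sample config and NIC names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the interface-assignment part of a config.xml backup.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2</if><descr>DMZ</descr></opt1>
  </interfaces>
</opnsense>"""


def assigned_interfaces(config_xml):
    """Return {logical interface: device name} from the <interfaces> section."""
    root = ET.fromstring(config_xml)
    result = {}
    for node in root.findall("./interfaces/*"):
        dev = node.findtext("if")
        if dev:
            result[node.tag] = dev.strip()
    return result


def missing_devices(config_xml, target_nics):
    """Logical interfaces whose device does not exist on the restore target."""
    present = set(target_nics)
    assigned = assigned_interfaces(config_xml)
    return {name: dev for name, dev in assigned.items() if dev not in present}


def remap(config_xml, mapping):
    """Return the config with assigned devices renamed per mapping (old -> new)."""
    root = ET.fromstring(config_xml)
    for node in root.findall("./interfaces/*/if"):
        old = (node.text or "").strip()
        if old in mapping:
            node.text = mapping[old]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    target = ["em0", "em1", "em2", "em3"]  # constructed NIC list of the new box
    print("not present on target:", missing_devices(SAMPLE_CONFIG, target))
    fixed = remap(SAMPLE_CONFIG, {"igb0": "em0", "igb1": "em1", "igb2": "em2"})
    print("after remap:", assigned_interfaces(fixed))
```

Running the check before importing a backup shows whether WAN and LAN would land on the ports you expect, which matters when firewall rules are tied to those logical interfaces.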