Opensense/Firewall on Proxmox VE vs dedicated device
from Gibberish9031@lemmy.ml to homelab@lemmy.ml on 22 Jan 2025 03:16
https://lemmy.ml/post/25059098

Hi everyone, basically what the title says. I am just starting my homelab and I am somewhat conflicted on whether I should run OPNsense in Proxmox or should I buy an N100 device dedicated for it. What are some of the pros and cons of doing either? So far in my research I have only come across articles/forum posts explaining how to run OPNsense in Proxmox.

#homelab


bruhbeans@lemmy.ml on 22 Jan 2025 03:20

Pros: less physical hardware to deal with. If you can set up to where your VM can move across proxmox nudes, that improves resilience.

Cons: if you can’t fail over, you could get to where you need to fuss with the box where the Opnsense VM lives and have to also take down Opnsense.

Gibberish9031@lemmy.ml on 22 Jan 2025 03:55

Thank you for your response, I’ll keep your pointers in mind when ultimately making my decision.

qjkxbmwvz@startrek.website on 22 Jan 2025 04:21

proxmox nudes

No judgement here, you just keep doing what makes you happy.

ikidd@lemmy.world on 22 Jan 2025 03:44

I’ve run OPNsense as a VM for a few years now. I have it set up on HA and have gone into PVE and noticed that it failed over and failed back without me noticing at all a week earlier. I like being able to snapshot it before updates, though updates are always flawless.

I have the 2 ethernet ports on each node named the same and that seems to work fine. I can also live migrate it without it dropping a ping in order to update the host node’s OS, then migrate back.

I wouldn’t do it any other way, but it might take some time to figure out how to set up so it fails over properly.

Gibberish9031@lemmy.ml on 22 Jan 2025 03:57

Interesting point, definitely something to keep in mind.
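ikidd's setup above only live-migrates cleanly because the bridges the OPNsense VM attaches to are named identically on every node. The following pre-flight check is an added example (not from anyone in this thread): it parses a VM config in `qm config` style and each node's `/etc/network/interfaces` and reports any node that lacks a bridge the VM needs. All configs below are constructed samples; `node2` is deliberately missing `vmbr1`.

```python
"""Pre-flight check before enabling HA/live migration for a firewall VM:
every bridge referenced by the VM must exist on every cluster node.
Added example; the VM and node configs are constructed samples."""
import re

# Constructed sample: firewall VM config (qm config style) with WAN + LAN NICs
VM_CONFIG = """\
name: opnsense
net0: virtio=BC:24:11:AA:BB:01,bridge=vmbr0
net1: virtio=BC:24:11:AA:BB:02,bridge=vmbr1
"""

# Constructed samples of /etc/network/interfaces on two nodes.
# node2 names its second bridge vmbr2, so the VM's net1 has nowhere to land.
NODE_INTERFACES = {
    "node1": """\
auto lo
iface lo inet loopback
auto vmbr0
iface vmbr0 inet static
    bridge-ports eno1
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno2
""",
    "node2": """\
auto lo
iface lo inet loopback
auto vmbr0
iface vmbr0 inet static
    bridge-ports eno1
auto vmbr2
iface vmbr2 inet manual
    bridge-ports eno2
""",
}

NET_RE = re.compile(r"^net\d+:.*?\bbridge=([^,\s]+)", re.M)   # bridge= on netN lines
IFACE_RE = re.compile(r"^iface\s+(\S+)\s+inet\b", re.M)      # interface definitions


def vm_bridges(vm_config: str) -> set[str]:
    """Bridge names the VM's netN lines attach to."""
    return set(NET_RE.findall(vm_config))


def node_bridges(interfaces: str) -> set[str]:
    """Interface/bridge names a node defines in /etc/network/interfaces."""
    return set(IFACE_RE.findall(interfaces))


def missing_bridges(vm_config: str, nodes: dict[str, str]) -> dict[str, set[str]]:
    """Map node -> bridges the VM needs but that node does not define."""
    needed = vm_bridges(vm_config)
    gaps = {name: needed - node_bridges(cfg) for name, cfg in nodes.items()}
    return {name: gap for name, gap in gaps.items() if gap}


if __name__ == "__main__":
    for node, gap in missing_bridges(VM_CONFIG, NODE_INTERFACES).items():
        print(f"{node}: missing {sorted(gap)} -- migration to this node would fail")
```

Run it against real files by reading `/etc/pve/qemu-server/<vmid>.conf` and each node's `/etc/network/interfaces` into the same two structures; an empty result means every node can host the VM.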

catloaf@lemm.ee on 22 Jan 2025 04:37

A problem in proxmox means no router. Are you comfortable resolving issues without Internet access?

Gibberish9031@lemmy.ml on 22 Jan 2025 04:59

I have been thinking about this as well, but then I see so many people running OPNsense in Proxmox and think maybe it’s not that big of an issue.

BlueEther@no.lastname.nz on 22 Jan 2025 09:06

I run opnsense in proxmox, and have done for what must be coming up to 5 years.

Yes, I have fucked up proxmox occasionally, but I use my ‘router’ as my wifi AP. If I have fucked up, I can bring internet back up with a single cable swap and a quick config change on the router.

gray@pawb.social on 22 Jan 2025 13:45

I ran opnsense in a VM for years with no issue, just recently went to dedicated hardware. Every now and then I’d want to replace a drive or swap the GPU in the host for jellyfin and taking the internet out with it sucks a lot.

Being able to snapshot opnsense is cool, but opnsense also has a very robust backup and restore system so idk.

thejevans@lemmy.ml on 22 Jan 2025 06:37

I ran pfSense on proxmox for a few years. It was fine, but unnecessarily complicated. I switched to an Intel n6005 mini PC and I’ll never go back. Having a second device meant I was able to get rid of my Dell R720xd and switch to consumer hardware with no internet downtime. It means if something happens and I have to hard reboot my server, I don’t have to worry about my partner getting booted from a video call. Etc. Etc. The mini PC was under $200. It sips power. It’s silent. It’s a no-brainer.

AlternateRoute@lemmy.ca on 22 Jan 2025 06:46

In my home lab I have them separate: the OPNsense box has full performance on its own HW, only needs to be patched once in a while, and is super stable.

I have managed to crash / lock up one of my proxmox hosts at least once while messing around with HW passthrough, or by giving a guest enough cores to slow the whole box down.

Family never gets interrupted playing games or streaming Netflix with my lab separate from the critical internet service.

New versions of OPNsense installed with ZFS support snapshots before upgrading natively, sort of taking one of the Proxmox VM tricks out of the pro list and making it neutral.

aseriesoftubes@lemmy.world on 22 Jan 2025 06:52

I followed this guide and have had zero issues. I had to do it this way because Opnsense didn’t natively support my 10g NIC. I have Proxmox handle the hardware side of things and pass through a virtualized card to Opnsense (albeit with slightly reduced performance).

Cyber@feddit.uk on 22 Jan 2025 07:14

Go baremetal

You want it to be as simple as possible, to be as secure as possible.

Adding proxmox - or any abstraction layer - is now adding more layers that have potential security issues.

And everyone is scanning your IP for vulnerabilities 24/7.

Plus, in my case, I want a completely separate network for Guest Wifi, IoT, etc and only some stuff hitting the LAN / homelab.

Smash@lemmy.self-hosted.site on 22 Jan 2025 09:04

I have 2 OPNsense, one on each Proxmox cluster node, no problems (full 1Gbit/s throughput).

trewq@lemm.ee on 22 Jan 2025 10:03

One big advantage with proxmox is that you can restore from your backup and have opnsense up again in a few minutes.

tofuwabohu@slrpnk.net on 22 Jan 2025 10:44

I currently have the exact same question in my head. I think I’ll go the following route: install OPNsense in a VM on my Proxmox host (it has 2 NICs) and just put my lab stuff behind it in its own LAN. Everything connects to the router via the firewall.

Benefits:

  • The rest of the LAN (e.g. partner’s devices) does not rely on my firewall working
  • I don’t need to buy anything, I can switch to bare metal later if I need to and have figured out what exactly I need

Skydancer@pawb.social on 22 Jan 2025 13:08

My solution: Both

Opnsense should support HA. If you’re using a VLAN-capable switch, you can plug your ISP device into the switch and connect it to just these two machines.

By having a physical device, you get the stability advantages of a dedicated device. You can also test upgrades on the virtual router and roll back to the physical if needed. When something eventually goes wrong with the physical device (all hardware fails eventually), you fail over to the proxmox instance until you replace it and don’t have to rebuild the config from scratch.

MangoPenguin@lemmy.blahaj.zone on 22 Jan 2025 23:41

I used to, but I like having my internet stay up when I reboot Proxmox for updates, or shut it down for hardware changes and what not.

krolden@lemmy.ml on 23 Jan 2025 00:45

True, but that’s why you run a cluster with HA.

But it adds a lot of complications. Simplicity is usually best.

MangoPenguin@lemmy.blahaj.zone on 23 Jan 2025 01:35

Yeah, I used to do a proxmox cluster, but it’s just so much more that can go wrong.