Hello,
Does the network setup with external switching shown below make sense? Or does it introduce unnecessary complexity?
Currently, I run my OPNsense firewall on bare metal, which I prefer. I plan to upgrade my hardware and am willing to virtualize OPNsense under Proxmox VE or XCP-ng to run some VMs on the same machine. I will use PCI passthrough for the WAN port. I had the idea of implementing PCI passthrough for the 10 GBit LAN port, including VLANs as well. This way, all internal traffic would not be affected by the virtualized switch (Linux bridge). Only traffic to the VM and to the management port would go through the virtualized switch. Essentially, the network flow would be as if the OPNsense router and the Proxmox virtualization host were two separate physical machines connected to the same physical switch.
Is this kind of setup used in practice?
Are there any reasons not to do it this way?
My question is generic. I am referring to OPNsense and Proxmox. However, you can replace these with pfSense and XCP-ng or VMware if you are more familiar with those systems.
Edit:
To avoid being misunderstood, I added a second view. On the right side, the external LAN traffic goes through the Linux bridge of the hypervisor. On the left side, the external LAN traffic goes via PCI passthrough directly to the firewall/router. Traffic to WAN and inter-VLAN traffic goes out of and back into the host.
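The left-hand variant of the diagram, written out as host and guest configuration. This is an added example, not configuration from the post or from the Proxmox/OPNsense projects; interface names (enp1s0, enp2s0, enp3s0), PCI addresses, the VM id 100, the MAC address and the 192.0.2.0/24 management subnet are all placeholders you would replace with your own values.

```conf
# /etc/network/interfaces on the Proxmox host (added example, placeholder names).
# Assumed: enp1s0 = WAN NIC, enp2s0 = 10 GBit LAN NIC, enp3s0 = management NIC.
# enp1s0 and enp2s0 are passed through to the OPNsense guest, so the host must
# not bring them up or attach them to any bridge.

auto lo
iface lo inet loopback

auto enp3s0
iface enp3s0 inet manual

# vmbr0 carries host management plus the other guests. It is VLAN-aware so a
# guest can be tagged into any VLAN; routing between VLANs still happens in
# OPNsense, reached over the physical switch via the passed-through 10 GBit port.
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# /etc/pve/qemu-server/100.conf, relevant lines for the OPNsense guest
# (placeholder PCI addresses; list yours with `lspci -nn`).
# pcie=1 requires the q35 machine type.
machine: q35
# WAN NIC, passed through whole
hostpci0: 0000:01:00.0,pcie=1
# 10 GBit LAN NIC, passed through as a trunk; VLAN interfaces live inside OPNsense
hostpci1: 0000:02:00.0,pcie=1
# virtual leg into vmbr0 so OPNsense can reach the host and the guests directly
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
```

Before committing to this layout, confirm that each NIC you intend to pass through sits alone in its IOMMU group (`find /sys/kernel/iommu_groups/ -type l`); a NIC that shares a group with other devices drags them along into the guest or cannot be passed through at all. The design's practical benefit is visible in the host file: management on vmbr0/enp3s0 stays reachable even when the OPNsense guest is down, and no LAN frame between physical VLANs ever touches the Linux bridge.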