with the demise of ESXi, I am looking for alternatives. Currently I have PfSense virtualized on four physical NICs, a bunch of virtual ones, and it works great. Does Proxmox do this with anything like the ease of ESXi? Any other ideas?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters ESXi VMWare virtual machine hypervisor HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol LTS Long Term Support software version LXC Linux Containers SSH Secure Shell for remote terminal access SSO Single Sign-On VPN Virtual Private Network ZFS Solaris/Linux filesystem focusing on data integrity nginx Popular HTTP server
10 acronyms in this thread; the most compressed thread commented on today has 28 acronyms.
[Thread #508 for this sub, first seen 13th Feb 2024, 06:05] [FAQ] [Full list] [Contact] [Source code]
No problem using multiple physical and virtual ports for a pfsense in proxmox
Admittedly I have not dug too deeply into Proxmox but its learning curve appears kinda steep.
its not too bad. i switched from esxi to proxmox about 2 years ago.
i run a virtualized opnsense with 2 nic’s passed through and another 2 virt, so it can be done
And in about 2 years you’ll switch to LXD/Incus. :P
Incus looks cool. Have you virtualised a firewall on it? Is it as flexible as proxmox in terms of hardware passthrough options?
I find zero mentions online of opnsense on incus. 🤔
Yes it does run, but BSD-based VMs running on Linux have their details as usual. This might be what you’re looking for: https://discuss.linuxcontainers.org/t/run-freebsd-13-1-opnsense-22-7-pfsense-2-7-0-and-newer-under-lxd-vm/15799
Since you want to run a firewall/router you can ignore LXD’s networking configuration and use your opnsense to assign addresses and whatnot to your other containers. You can created whatever bridges / vlan-based interface on your base system and them assign them to profiles/containers/VMs. For eg. create a
cbr0
network bridge usingsystemd-network
and then runlxc profile device add default eth0 nic nictype=bridged parent=cbr0 name=eth0
this will usecbr0
as the default bridge for all machines and LXD won’t provide any addressing or touch the network, it will just create aneth0
interface on those machines attached to the bridge. Then your opnsense can be on the same bridge and do DHCP, routing etc. Obviously you can passthrough entire PCI devices to VMs and containers if required as well.When you’re searching around for help, instead of “Incus” you can search for “LXD” as it tend to give you better results. Not sure if you’re aware but LXD was the original project run by Canonical, recently it was forked into Incus (and maintained by the same people who created LXD at Canonical) to keep the project open under the Linux Containers initiative.
I have another question, if you don’t mind: I have a debian/incus+opnsense setup now, created bridges for my NICs with systemd-networkd and attached the bridges to the VM like you described. I have the host configured with DHCP on the LAN bridge and ideally (correct me if I’m wrong, please), I’d like the host to not touch the WAN bridge at all (other than creating it and hooking it up to the NIC).
Here’s the problem: if I don’t configure the bridge on the host with either dhcp or a static IP, the opnsense VM also doesn’t receive an IP on that interface. I have a
br0.netdev
to set up the bridge, abr0.network
to connect the bridge to the NIC, and awan.network
to assign a static IP on br0, otherwise nothing works. (While I’m working on this, I have the WAN port connected to my old LAN, if it makes a difference.)My question is: Is my expectation wrong or my setup? Am I mistaken that the host shouldn’t be configured on the WAN interface? Can I solve this by passing the pci device to the VM, and what’s the best practice here?
Thank you for taking a look! 😊
Am I mistaken that the host shouldn’t be configured on the WAN interface? Can I solve this by passing the pci device to the VM, and what’s the best practice here?
Passing the PCI network card / device to the VM would make things more secure as the host won’t be configured / touching the network card exposed to the WAN. Nevertheless passing the card to the VM would make things less flexible and it isn’t required.
I think there’s something wrong with your setup. One of my machines has a
br0
and a setup like yours.10-enp5s0.network
is the physical “WAN” interface:root@host10:/etc/systemd/network# cat 10-enp5s0.network [Match] Name=enp5s0 [Network] Bridge=br0 # -> note that we're just saying that enp5s0 belongs to the bridge, no IPs are assigned here.
root@host10:/etc/systemd/network# cat 11-br0.netdev [NetDev] Name=br0 Kind=bridge
root@host10:/etc/systemd/network# cat 11-br0.network [Match] Name=br0 [Network] DHCP=ipv4 # -> In my case I'm also requesting an IP for my host but this isn't required. If I set it to "no" it will also work.
Now, I have a profile for “bridged” containers:
root@host10:/etc/systemd/network# lxc profile show bridged config: (...) description: Bridged Networking Profile devices: eth0: name: eth0 nictype: bridged parent: br0 type: nic (...)
And one of my VMs with this profile:
root@host10:/etc/systemd/network# lxc config show havm architecture: x86_64 config: image.description: HAVM image.os: Debian (...) profiles: - bridged (...)
Inside the VM the network is configured like this:
root@havm:~# cat /etc/systemd/network/10-eth0.network [Match] Name=eth0 [Link] RequiredForOnline=yes [Network] DHCP=ipv4
Can you check if your config is done like this? If so it should work.
Tossing in my vote for Proxmox. I’m running OPNsense as a VM without any issues. I did originally try pfSense, but didn’t like it for some reason (I genuinely can’t recall what it was).
Either way, Proxmox virtual networking has been relatively easy to learn.
pfSense, but didn’t like it for some reason
Probably the shitbirds at Netgate put you off it, understandably.