Hi everyone, basically what the title says. I am just starting my homelab and I am somewhat conflicted on whether I should run OPNsense in Proxmox or whether I should buy an N100 device dedicated to it. What are some of the pros and cons of doing either? So far in my research I have only come across articles/forum posts explaining how to run OPNsense in Proxmox.

  • jevans ⁂@lemmy.ml (5 upvotes, 3 hours ago)

    I ran pfSense on proxmox for a few years. It was fine, but unnecessarily complicated. I switched to an Intel n6005 mini PC and I’ll never go back. Having a second device meant I was able to get rid of my Dell R720xd and switch to consumer hardware with no internet downtime. It means if something happens and I have to hard reboot my server, I don’t have to worry about my partner getting booted from a video call. Etc. Etc. The mini PC was under $200. It sips power. It’s silent. It’s a no-brainer.

  • SayCyberOnceMore@feddit.uk (1 upvote, 3 hours ago)

    Go bare metal.

    You want it to be as simple as possible, to be as secure as possible.

    Adding proxmox - or any abstraction layer - is now adding more layers that have potential security issues.

    And everyone is scanning your IP for vulnerabilities 24/7.

    Plus, in my case, I want a completely separate network for Guest Wifi, IoT, etc and only some stuff hitting the LAN / homelab.

  • aseriesoftubes@lemmy.world (1 upvote, 3 hours ago)

    I followed this guide and have had zero issues. I had to do it this way because Opnsense didn’t natively support my 10g NIC. I have Proxmox handle the hardware side of things and pass through a virtualized card to Opnsense (albeit with slightly reduced performance).

  • AlternateRoute@lemmy.ca (1 upvote, 3 hours ago, edited)

    In my home lab I have them separate: the OPNsense box has full performance on its own HW, only needs to be patched once in a while and is super stable.

    I have managed to crash / lock up one of my Proxmox hosts at least once while messing around with HW passthrough or by giving a guest enough cores to slow the whole box down.

    Family never gets interrupted playing games or streaming Netflix with my lab separate from the critical internet service.

    New versions of OPNsense installed with ZFS natively support snapshots before upgrading, sort of taking one of the Proxmox VM tricks out of the pro list and making it neutral.

  • bruhbeans@lemmy.ml (7 upvotes, 7 hours ago)

    Pros: less physical hardware to deal with. If you can set it up so that your VM can move across Proxmox nodes, that improves resilience.

    Cons: if you can’t fail over, you could get to where you need to fuss with the box where the Opnsense VM lives and have to also take down Opnsense.

  • catloaf@lemm.ee (3 upvotes, 5 hours ago)

    A problem in proxmox means no router. Are you comfortable resolving issues without Internet access?

    • Gibberish9031@lemmy.ml (OP) (2 upvotes, 5 hours ago)

      I have been thinking about this as well, but then I see so many people running OPNsense in Proxmox and think maybe it’s not that big of an issue.

      • BlueÆther@no.lastname.nz (1 upvote, 45 minutes ago)

        I run opnsense in proxmox, and have done for what must be coming up to 5 years.

        Yes, I have fucked up Proxmox occasionally, but I use my ‘router’ as my wifi AP. If I have fucked up, I can bring the internet back up with a single cable swap and a quick config change on the router.

  • ikidd@lemmy.world (5 upvotes, 6 hours ago)

    I’ve run OPNsense as a VM for a few years now. I have it set up on HA and have gone into PVE and noticed that it failed over and failed back without me noticing at all a week earlier. I like being able to snapshot it before updates, though updates are always flawless.

    I have the 2 ethernet ports on each node named the same and that seems to work fine. I can also live migrate it without it dropping a ping in order to update the host node’s OS, then migrate back.

    I wouldn’t do it any other way, but it might take some time to figure out how to set up so it fails over properly.