Opensense/Firewall on Proxmox VE vs dedicated device
Hi everone, basically what the title says. I am just starting my homelab and I am somewhat conflicted on whether I should run Opensense in Proxmox or should I buy a n100 device dedicated for it. What are some of the pros and cons of doind either or. So far in my research I have only come across articles/forum posts explaining how to run Opensense in Proxmox.
I ran pfSense on proxmox for a few years. It was fine, but unnecessarily complicated. I switched to an Intel n6005 mini PC and I'll never go back. Having a second device meant I was able to get rid of my Dell R720xd and switch to consumer hardware with no internet downtime. It means if something happens and I have to hard reboot my server, I don't have to worry about my partner getting booted from a video call. Etc. Etc. The mini PC was under $200. It sips power. It's silent. It's a no-brainer.
I used to, but I like having my internet stay up when I reboot Proxmox for updates, or shut it down for hardware changes and what not.
True but thats why you run a cluster with HA.
But it adds a lot of complications. Simplicity is usually best
Yeah I used to do a proxmox cluster but it's just so much more that can go wrong.
A problem in proxmox means no router. Are you comfortable resolving issues without Internet access?
I have been thinking about this as well, but then I see so many people running Opensense in Proxmox and think maybe it's not that big of an issue.
I ran opnsense in a VM for years with no issue, just recently went to dedicated hardware. Every now and then I’d want to replace a drive or swap the GPU in the host for jellyfin and taking the internet out with it sucks a lot.
Being able to snapshot opnsense is cool, but opnsense also has a very robust backup and restore system so idk.
I run opnsense in proxmox, and have done for what must be coming up to 5 years.
Yes I have fucked up proxmox occasionally, but I use my 'router' as my wifi AP. If I have fucked up I can bring internet back up with a single cable swap and a quick config change on the router
Pros: less physical hardware to deal with. If you can set up to where your VM can move across proxmox nudes, that improves resilience.
Cons: if you can't fail over, you could get to where you need to fuss with the box where the Opnsense VM lives and have to also take down Opnsense.
proxmox nudes
No judgement here, you just keep doing what makes you happy.
Thank you for your response, I'll keep your poniters in mind when ultimately making my decision.
My solution: Both
Opnsense should support HA. If you're using a vlan-capable switch, you can plug your ISP device into the switch and connext it to just these two machines.
By having a physical device, you get the stability advantages of a dedicated device. You can also test upgrades on the virtual router and roll back to the physical if needed. When something eventually goes wrong with the physical device (all hardware fails eventually), you fail over to the proxmox instance until you replace it and don't have to rebuild the config from scratch.
Go baremetal
You want it to be as simple as possible, to be as secure as possible.
Adding proxmox - or any abstraction layer - is now adding more layers that have potential security issues.
And everyone is scanning your IP for vulnerabilities 24/7.
Plus, in my case, I want a completely separate network for Guest Wifi, IoT, etc and only some stuff hitting the LAN / homelab.
I currently have the exact same question in my head. I think I'll go the following route: Install opensense in a VM on my Proxmox host (it has 2 NICs) and just put my lab stuff behind it in it's own lan. Everything connects to the router via firewall.
Benefits:
One big advantage with proxmox is that you can restore from your backup and have opnsense up again in few minutes.
I have 2 OPNsense, one on each Proxmox cluster Node, no problems (full 1Gbit/s throughput)
I followed this guide and have had zero issues. I had to do it this way because Opnsense didn’t natively support my 10g NIC. I have Proxmox handle the hardware side of things and pass through a virtualized card to Opnsense (albeit with slightly reduced performance).
In my home lab I have them separate the OPNSense box has full performance on its own HW, only needs to be patched once in a while and is super stable.
I have managed to crash / lockup one of my proxmox hosts at least once while messing around with HW past though or by giving a guest enough cores to slow the whole box down.
Family never gets interrupted playing games or streaming Netflix with my lab separate from the critical internet service.
New versions of OPNsense installed with ZFS support snapshots before upgrading natively sort of taking one of the promox vm tricks out of the pro list making it neutral.
I've run OPNsense as a VM for a few years now. I have it set up on HA and have gone into PVE and noticed that it failed over and failed back without me noticing at all a week earlier. I like being able to snapshot it before updates, though updates are always flawless.
I have the 2 ethernet ports on each node named the same and that seems to work fine. I can also live migrate it without it dropping a ping in order to update the host node's OS, then migrate back.
I wouldn't do it any other way, but it might take some time to figure out how to set up so it fails over properly.