Running OPNsense on Proxmox VE
A practical guide to running OPNsense as a virtual firewall on Proxmox VE, covering VM creation, WAN/LAN configuration, VirtIO networking, plugins, Unbound DNS, and VLAN segmentation.
Why OPNsense on Proxmox?
OPNsense is a FreeBSD-based firewall and routing platform that offers a modern web interface, frequent security updates, and a rich plugin ecosystem. It is a popular alternative to pfSense, with a more open development model and features like Unbound DNS with DNS-over-TLS built in. Running OPNsense as a Proxmox VM lets you consolidate your network infrastructure, take snapshots before configuration changes, and leverage Proxmox's backup system for disaster recovery.
Preparing the Network
OPNsense needs at least two network interfaces: one for WAN (internet-facing) and one for LAN (internal). On your Proxmox host, you should have two bridges — one for each network. If you only have a single physical NIC, you can use VLAN-tagged sub-interfaces, but dedicated NICs are preferred.
Verify your bridges are configured in /etc/network/interfaces:
# WAN bridge - connected to your ISP-facing NIC; no host address, only the
# OPNsense VM talks to the ISP through it
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

# LAN bridge - your internal network. 192.168.1.1 is the address OPNsense
# takes on its LAN interface later in this guide, so the Proxmox host gets
# a different address here to avoid a duplicate-IP conflict on the LAN.
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
Creating the OPNsense VM
Download the OPNsense DVD ISO (amd64) from the official website and upload it to Proxmox. Create the VM with VirtIO devices for best performance:
# Create the OPNsense VM: UEFI (OVMF), VirtIO SCSI disk, two VirtIO NICs
qm create 310 --name opnsense \
  --memory 2048 \
  --cores 2 \
  --cpu host \
  --bios ovmf \
  --machine pc-q35-9.0 \
  --efidisk0 local-lvm:1,efitype=4m \
  --scsihw virtio-scsi-pci \
  --scsi0 local-lvm:16 \
  --net0 virtio,bridge=vmbr1 \
  --net1 virtio,bridge=vmbr0 \
  --cdrom local:iso/OPNsense-24.7-dvd-amd64.iso \
  --ostype other \
  --boot order=ide2
# net0 (vmbr1) becomes vtnet0 = WAN, net1 (vmbr0) becomes vtnet1 = LAN.
# --cdrom attaches the ISO as ide2, which is why the boot order points there;
# once the installer has written to scsi0, put the disk first in the boot
# order with qm set so the VM stops booting the installer ISO.
qm start 310
OPNsense includes VirtIO drivers in its kernel, so no additional driver installation is needed. The VirtIO NICs will be detected as vtnet0 (WAN) and vtnet1 (LAN).
Installation and Initial Configuration
Open the VM console in Proxmox. OPNsense boots into a live environment first. Log in with the default credentials (installer / opnsense) to start the installation wizard. Select your target disk, choose UFS or ZFS filesystem, and let the installer complete.
After reboot, log in as root / opnsense and assign interfaces from the console menu:
## OPNsense Console - Interface Assignment
Enter an option: 1 (Assign interfaces)
Do you want to configure LAGGs? N
Do you want to configure VLANs? N
Enter the WAN interface name: vtnet0
Enter the LAN interface name: vtnet1
## Set LAN IP address
Enter an option: 2 (Set interface IP address)
Select LAN (2)
IPv4 address: 192.168.1.1
Subnet: 24
Enable DHCP: y
DHCP range: 192.168.1.100 - 192.168.1.254
Access the web GUI from a machine on the LAN by browsing to https://192.168.1.1. The default login is root / opnsense. Run through the setup wizard to set your hostname, DNS servers, timezone, and change the default password.
Configuring Unbound DNS
OPNsense ships with Unbound as its built-in DNS resolver. Unlike a simple forwarder, Unbound performs recursive DNS resolution and supports DNS-over-TLS for privacy. Configure it under Services > Unbound DNS > General:
- Enable Unbound and set the listening interfaces to LAN.
- Enable DNSSEC for validated DNS responses.
- Under DNS over TLS, add upstream resolvers for encrypted queries:
## DNS-over-TLS upstream servers (configure in the GUI)
Server: 1.1.1.1 Port: 853 Hostname: cloudflare-dns.com
Server: 9.9.9.9 Port: 853 Hostname: dns.quad9.net
With this setup, LAN clients send their DNS queries to Unbound, which answers from its cache and forwards anything it has to look up to the servers above over TLS on port 853. The Hostname field is the name Unbound verifies the upstream's TLS certificate against, so it must match the name in the resolver operator's certificate. This keeps your ISP from reading the contents of your upstream DNS queries, although it can still see that you connect to those resolvers on port 853.
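To confirm that an upstream answers on port 853 and that its certificate really matches the Hostname entered above, here is an added example, not part of this guide or of OPNsense, of a minimal DNS-over-TLS client. It assumes the 1.1.1.1 / cloudflare-dns.com upstream from the table and uses a constructed reply for the offline parsing check.

```python
# Added example, not from the guide: minimal DNS-over-TLS client (RFC 7858). `hostname`
# plays the role of Unbound's "Hostname" field: the upstream's certificate must match it.
import socket
import ssl
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """A/IN query in wire format, with the 2-byte length prefix TLS transport needs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, off: int) -> int:
    while msg[off] & 0xC0 != 0xC0:          # labels until a zero byte or a pointer
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1
    return off + 2                          # compression pointer is two bytes

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses in the answer section of a reply (length prefix removed)."""
    _qid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if flags & 0x000F:                                            # RCODE != NOERROR
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                            # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query_dot(name, server="1.1.1.1", port=853, hostname="cloudflare-dns.com"):
    """Resolve name over TLS; raises if the chain or the hostname fails to verify."""
    ctx = ssl.create_default_context()                            # CA + hostname checks on
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        tls.sendall(build_query(name))
        rd = tls.makefile("rb")
        (ln,) = struct.unpack("!H", rd.read(2))
        return parse_a_records(rd.read(ln))

# Constructed reply (not captured): id 0x1234 NOERROR, question example.com/A, answer name
# is a pointer (c00c) to the question, type A, class IN, TTL 60, 192.0.2.1 (TEST-NET-1)
SAMPLE_REPLY = (bytes.fromhex("123481800001000100000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
                + bytes.fromhex("c00c000100010000003c0004c0000201"))
```

Calling query_dot("opnsense.org", "1.1.1.1", 853, "cloudflare-dns.com") from a LAN host exercises the same path Unbound uses; swapping in a hostname that is not in the certificate makes the handshake fail, which is the behaviour you want from the Hostname field.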
Installing Plugins
OPNsense has an extensive plugin system accessible from System > Firmware > Plugins. Some essential plugins to consider:
- os-theme-cicada / os-theme-rebellion — Alternative UI themes for a better visual experience.
- os-wireguard — Modern VPN that is faster and simpler than OpenVPN for site-to-site or remote access.
- os-crowdsec — Collaborative intrusion prevention that shares threat intelligence across the community.
- os-haproxy — Reverse proxy and load balancer for exposing internal services safely.
- os-ntopng — Deep network traffic analysis and monitoring.
# You can also install plugins from the OPNsense shell
pkg install os-wireguard
pkg install os-haproxy
VLAN Segmentation
For network segmentation, create VLANs on the LAN interface. In the OPNsense web GUI, navigate to Interfaces > Other Types > VLAN and create your VLANs:
- Parent: vtnet1, Tag: 10, Description: Management
- Parent: vtnet1, Tag: 20, Description: IoT
- Parent: vtnet1, Tag: 30, Description: Guest
Assign each VLAN under Interfaces > Assignments, enable them, set static IPs, configure DHCP, and create firewall rules for each segment. Ensure the Proxmox bridge passes VLAN-tagged traffic by not setting a VLAN tag on the VM's NIC in Proxmox (trunk mode): on a VLAN-aware bridge an untagged VM NIC carries all VLANs as a trunk, and a plain bridge forwards tagged frames unchanged. The physical NIC behind vmbr0 must also be connected to a switch port that trunks the same VLAN IDs.
Monitoring and Maintenance
OPNsense provides built-in monitoring dashboards for traffic, firewall states, and system health. On the Proxmox side, make sure to schedule regular VM backups. Since your firewall is critical infrastructure, consider taking a snapshot before every OPNsense firmware update so you can roll back if an update causes issues.
For keeping tabs on the OPNsense VM's health at the Proxmox level — confirming it is running, checking CPU load, or restarting it in an emergency — ProxmoxR gives you quick mobile access to your Proxmox host without needing to open a laptop. When your firewall is down, every second counts, and being able to restart it from your phone is invaluable.
OPNsense on Proxmox is a powerful combination that gives you enterprise-grade network security with the flexibility of virtualization. Start with the basics, add plugins as needed, and use Proxmox snapshots as your safety net for configuration experiments.