OPNsense placement in VMware ESXi

[deodion]

If I put OPNsense in a VM,

what is the best practice for OPNsense placement in VMware ESXi related to other VMs being protected?

I have seen:
https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi

Assuming the above link is analogous to OPNsense,

Can I make
dSwitch A (port group: WAN) with uplink
dSwitch B (port group: LAN) NO uplink

Make the OPNsense VM has 2 vNICs (LAN and WAN)
and let other VMs in dSwitch B (LAN),

Question:

• Is above topology doable and correct?
• If someone can answer: is there any VMware features affecting VM in dSwitch B? like vMotion perhaps
• If I have standard switch, with VMkernel Adapter inside, can I move that to dSwitch B (separate port group says: MgmtPG)?

Thank you very much,

[fabian]

I would recommend the following setup:

OPNsense VM with at least 3 interfaces: Management, LAN and WAN.  DMZ-Interfaces as needed.

Management: Gives Access to the Webgui of OPNsense and ESXi and unfiltered Internet Access.
WAN: As you may think how this should be used
LAN: The computers which should have filtered network access (no access to management interfaces)

Management can reach anything
LAN -> DMZ, Internet (Filtered by Port)
DMZ -> Internet (maybe limited to a list of IPs, Ports)
WAN -> DMZ (if allowed)

[deodion]

You seem reffering management to vcenter as one of it?

Thanks for the answer btw..

[fabian]

Management is a VLAN in which includes
* the Management interface of the ESXi (Web and/or API endpoint for the client)
* the Management interface of OPNsense (GUI, SSH)
* your management computer (laptop or pc), which is usually not connected to this VLAN