OPNsense Forum

English Forums => General Discussion => Topic started by: MaxG on September 04, 2025, 05:57:32 AM

Title: [Solved] New set-up of OPNsense on Proxmox: host cannot access Internet
Post by: MaxG on September 04, 2025, 05:57:32 AM
I am new to OPNsense. I have installed Proxmox v9 on a Lenovo M82, which has one NIC and a USB Ethernet adapter. It was connected to my existing LAN 192.168.1.0/24, and it was able to ping, nslookup and download its updates. I added two additional VMBRs to the VM config and named these (WAN, LAN, DMZ).

Then I installed OPNsense 25.7.2 (maybe it was .1, and when I updated it, it became .2). During the CLI install part I assigned vtnet to the valid interfaces. WAN: vtnet1; LAN: vtnet0; optional: DMZ = vtnet2. I reassigned the LAN network to 192.168.2.0/24, WAN to 192.168.1.0/24, DMZ to 192.168.3.0/24. OPNsense added its auto-generated rules to all three networks.

The WAN is on the private network 192.168.1.0/24 going via .1 through a FRITZbox

The DMZ is not configured and indicates that: no rules have been defined.
I can access the LAN on 192.168.2.100, an address that has been assigned by dnsmasq, where I did add a DHCP range (100-200).

root@pve1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
      valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP group default qlen 1000
    link/ether 00:23:24:a0:3c:3c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    altname enx002324a03c3c
3: enx00e04c896ad5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr1 state UP group default qlen 1000
    link/ether 00:e0:4c:89:6a:d5 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:23:24:a0:3c:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 scope global vmbr0
      valid_lft forever preferred_lft forever
    inet6 fe80::223:24ff:fea0:3c3c/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:4c:89:6a:d5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e0:4cff:fe89:6ad5/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
6: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f052:9aff:feb1:66c3/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
7: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i0 state UNKNOWN group default qlen 1000
    link/ether 36:e5:d3:e9:a7:76 brd ff:ff:ff:ff:ff:ff
8: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c2:b0:4a:94:c3:0f brd ff:ff:ff:ff:ff:ff
9: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether a6:5b:2c:2c:a0:a3 brd ff:ff:ff:ff:ff:ff
10: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether c2:b0:4a:94:c3:0f brd ff:ff:ff:ff:ff:ff
11: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i1 state UNKNOWN group default qlen 1000
    link/ether 72:06:d2:90:5b:06 brd ff:ff:ff:ff:ff:ff
12: fwbr100i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 12:f4:74:8e:01:27 brd ff:ff:ff:ff:ff:ff
13: fwpr100p1@fwln100i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
    link/ether 22:c8:5e:1c:12:fc brd ff:ff:ff:ff:ff:ff
14: fwln100i1@fwpr100p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i1 state UP group default qlen 1000
    link/ether 12:f4:74:8e:01:27 brd ff:ff:ff:ff:ff:ff
15: tap100i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i2 state UNKNOWN group default qlen 1000
    link/ether ea:55:0d:c0:dd:63 brd ff:ff:ff:ff:ff:ff
16: fwbr100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
17: fwpr100p2@fwln100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
18: fwln100i2@fwpr100p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i2 state UP group default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
root@pve1:~#

I can telnet from my machine (um890) to ports 8006 and 22:
telnet 192.168.2.2 8006
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
^[
HTTP/1.0 400 bad request
Cache-Control: max-age=0
Connection: close
Date: Wed, 03 Sep 2025 13:56:20 GMT
Pragma: no-cache
Server: pve-api-daemon/3.0
Content-Length: 11
Expires: Wed, 03 Sep 2025 13:56:20 GMT

bad requestConnection closed by foreign host.

# [2025-09-03 23:56] maxg@um890 ~ $
telnet 192.168.2.2 22
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
SSH-2.0-OpenSSH_10.0p2 Debian-7
^[
Invalid SSH identification string.
Connection closed by foreign host.


What seems right to me, the Proxmox cannot ping the Google DNS, while OPNsense can. It can nslookup though.
I added a 192.168.2.2 to any rule in LAN, assuming the Proxmox host (on 192.168.2.2) would be able to ping, but it can't.

root@pve1:~# nslookup 8.8.8.8
8.8.8.8.in-addr.arpa    name = dns.google.

Authoritative answers can be found from:

root@pve1:~# ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2059ms

root@pve1:~# ss -tuln | grep :8006
tcp  LISTEN 0      4096              *:8006            *:* 
root@pve1:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 49678 packets, 21M bytes)
pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 35490 packets, 23M bytes)
pkts bytes target    prot opt in    out    source              destination       


I would kindly invite some help, hints, pointers on what I am missing or where to go. I am happy to provide further information to aid trouble-shooting, but there is lots of it (and I don't know where to start).
Title: Re: New set-up of OPNsense on Proxmox: host cannot access Internet
Post by: meyergru on September 04, 2025, 10:34:56 AM
Did you follow this (https://forum.opnsense.org/index.php?topic=44159.0) guide for starters?

Also, if you have another router in front of OpnSense, you will only be able to use networks behind it if you either use NAT on OpnSense or put routes in your router to every subnet behind OpnSense. This is all in here (https://forum.opnsense.org/index.php?topic=39556.0) (in German), see trap #1.
Title: Re: New set-up of OPNsense on Proxmox: host cannot access Internet
Post by: MaxG on September 04, 2025, 01:35:33 PM
Thanks MeyerG(u)ru :)

I actually read this post, but did not even understand half of it; however, at the time (actually a few days ago) I thought this is interesting stuff and book-marked it, and I'll read it when I have set up OPNsense and understand it (at least a bit) better.

Since posting I did some further research, and changed Firewall | NAT | Outbound to manual and added a rule (Interface: WAN, Source: 192.168.2.0/24, Translation: 192.168.1.2).

I also did pick up that the Proxmox VMBRs had firewall=1 set. Silly me accepted the default, but pondered why it would firewall it, rather than OPNsense.

In any case, I find this firewall business quite challenging... it is easily buggered up.

Again, thank you.

Now that I have a working, yet very basic, config, I'll trash it and rebuild it based on my notes. The ultimate proof that the documentation is right.
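The two things the thread turns on are which vtnetN OPNsense sees on which Proxmox bridge, and whether the Proxmox-side firewall (firewall=1) is still switched on for a NIC. The script below is an added example, not code from the thread or from Proxmox; it parses a constructed VM config in the /etc/pve/qemu-server/<vmid>.conf format and assumes that Proxmox netN becomes vtnetN in the guest (the usual PCI enumeration order, and the one the original post describes).

```shell
#!/bin/sh
# Added example (not from the thread). Lists a Proxmox VM's NICs with the
# bridge each sits on, the guest name OPNsense will give it (netN -> vtnetN
# is an ASSUMPTION that holds when NICs enumerate in order), and whether the
# Proxmox firewall is enabled on that NIC (firewall=1).

# report_nics <vm.conf>
# prints one line per NIC: "netN vtnetN bridge=<vmbrX> firewall=<0|1>"
report_nics() {
    grep -E '^net[0-9]+:' "$1" | while IFS= read -r line; do
        idx=$(printf '%s' "$line" | sed -E 's/^net([0-9]+):.*/\1/')
        bridge=$(printf '%s' "$line" | sed -nE 's/.*bridge=([^,]+).*/\1/p')
        fw=$(printf '%s' "$line" | sed -nE 's/.*firewall=([01]).*/\1/p')
        # a NIC line without firewall= means the Proxmox firewall is off for it
        printf 'net%s vtnet%s bridge=%s firewall=%s\n' \
            "$idx" "$idx" "${bridge:-none}" "${fw:-0}"
    done
}

# count_firewalled <vm.conf>
# prints how many NICs still have the Proxmox firewall enabled; the thread's
# fix was to get this to 0 so that only OPNsense filters traffic
count_firewalled() {
    report_nics "$1" | grep -c 'firewall=1' || true
}

# CONSTRUCTED sample config resembling /etc/pve/qemu-server/100.conf
# (MAC addresses are made up); net2 was created without firewall=1
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
boot: order=scsi0
cores: 2
memory: 4096
name: opnsense
net0: virtio=BC:24:11:AA:BB:00,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:AA:BB:01,bridge=vmbr1,firewall=1
net2: virtio=BC:24:11:AA:BB:02,bridge=vmbr2
ostype: other
EOF

report_nics "$SAMPLE"
echo "NICs with Proxmox firewall enabled: $(count_firewalled "$SAMPLE")"
```

On a real host run it against the actual VM config and compare the bridge column with the WAN/LAN/DMZ assignment made in the OPNsense installer.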
Title: Re: [Solved] New set-up of OPNsense on Proxmox: host cannot access Internet
Post by: meyergru on September 04, 2025, 02:13:57 PM
Actually, those are (at least) two of my howtos that are applicable to your situation (which I linked above), or, come to think of it, three if you count this one (https://forum.opnsense.org/index.php?topic=47099.0).

OpnSense is like an onion: you will find more and more layers of things you did not know before, from hardware to routing to firewalling to reverse proxies, TLS certificates, VPNs, virtual machines and much more... take a look at the tutorial section, many topics are covered there in much more detail than in the documentation.