OPNsense + KVM: Looking for VLAN best practices

quin · June 29, 2023, 10:48:34 AM

Hi,

I would like to run a OPNsense Firewall as a virtual guest on a Linux KVM Hypervisor.
The Hypervisor is connected with 2x 10G Fiber to a Switch.

Now the question is how to best configure VLANs:

My first idea was to have a network bridge for each VLAN on the Hypervisor and this seems to work fine. But adding each VLAN to the firewall with a own interface creates a lot of interfaces. Also it will require to reboot the firewall guest and I would like to avoid this.
Example: Interface A+B (eth0/1) -> Team (team0) -> VLAN (team0.100) -> Bridge (br.team0.100) added to the VM for each VLAN
ChatGPT suggested to create a single bridge on the hypervisor and connect this bridge (without any VLANs)
Example: Interface A+B (eth0/1) -> Team (team0) -> Bridge (br.team0) added to the VM, VLANs configured in OPNsense

I couldn't find many guides about the second approach, but it sounds better, because a new VLAN would not require a guest reboot and it doesn't create lots of interfaces on the hypervisor. So I wonder if there is any best practices for this?

Thanks.

sorano · June 29, 2023, 10:57:49 AM

I use the latter approach (in ESXi) for the reason you mention, no need to restart when adding new vlan interfaces, another reason is that hypervisors can have an upper limit on the amount of interfaces per vm.

quin · June 29, 2023, 11:04:05 AM

Hi!

Are there any downsides to this?

I just wonder why every guide takes the first approach.

Patrick M. Hausen · June 29, 2023, 11:04:45 AM

I'd recommend PCIe passthrough if you have enough interfaces.

OPNsense + KVM: Looking for VLAN best practices

quin

June 29, 2023, 10:48:34 AM Last Edit: June 29, 2023, 10:50:25 AM by quin

sorano

June 29, 2023, 10:57:49 AM #1

quin

June 29, 2023, 11:04:05 AM #2

Patrick M. Hausen

June 29, 2023, 11:04:45 AM #3