Hi,
I believe with just one port for opnsense (on a min-pc) we can still do vlans (with tagging I believe?) but how effective is that for segregating and isolating proxmox machines?
Say I want to keep a VPN machine isolated, from other virtual machines? How would you do that? Do you have any tips for running such a system?
Your opnsense will have WAN (ethernet port) and your LAN side will be all virtualized. There’s no problem having VLAN 10 with 192.168.10.0/24 for your main vms and then VLAN 20 with 192.168.20.0/24 for your VPN machine. Setup deny rules in the firewall to stop the VLANs from communicating.
If this is inside your current home network you will end up with double NAT though.If the opnsense interface on the WAN VLAN has a public routable IP address there shouldn’t be a problem with double NAT. Double NAT should only be a problem if they have a crappy ISP that’s using CGNAT.
Edit: never mind, I reread your comment. We’re saying the same thing essentially.
If you dont want to do a router on a stick, mabe your minipc has a WiFi socket you’re not using. You can get an m.2 A key to gigabit Ethernet adapter. Theyre mostly realtek chips but in my experience they work fine in opnsense.
It’s perfectly effective, they become fully isolated from each other. Yes vlans would work if they’re all on the same host. If they’re not on the same host you would need a vlan capable switch, or at least one that’ll pass tagged packets through.