Hi,

I believe with just one port for opnsense (on a min-pc) we can still do vlans (with tagging I believe?) but how effective is that for segregating and isolating proxmox machines?

Say I want to keep a VPN machine isolated, from other virtual machines? How would you do that? Do you have any tips for running such a system?

  • anamethatisnt@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    9 months ago

    Your opnsense will have WAN (ethernet port) and your LAN side will be all virtualized. There’s no problem having VLAN 10 with 192.168.10.0/24 for your main vms and then VLAN 20 with 192.168.20.0/24 for your VPN machine. Setup deny rules in the firewall to stop the VLANs from communicating.
    If this is inside your current home network you will end up with double NAT though.

    • mangaskahn@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      9 months ago

      If the opnsense interface on the WAN VLAN has a public routable IP address there shouldn’t be a problem with double NAT. Double NAT should only be a problem if they have a crappy ISP that’s using CGNAT.

      Edit: never mind, I reread your comment. We’re saying the same thing essentially.

  • Shadow@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    It’s perfectly effective, they become fully isolated from each other. Yes vlans would work if they’re all on the same host. If they’re not on the same host you would need a vlan capable switch, or at least one that’ll pass tagged packets through.