OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC

Question

I am trying to set up OPNSense VM inside a Proxmox, which is running in a Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions.

Since azure VMs don't support vIOMMU (note the "v" in vIOMMU stands for virtualized IOMMU, for L2 instances), I cannot pass the interface further from Proxmox to OPNSense, so I need to get by using bridges.

The host configuration is:
– eth0
– vmbr0 with eth0 assigned to it

The configuration is:

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
​&nbsp;The guest configuration is:– VirtIO NIC attached to vmbr0, with MAC overridden using same address as the eth0– Firewall: NO– MAC Filter: NORunning dhclient on eth0 or vmbr0 correctly discovers and assigns an IP address.Now, I am trying to get the OPNSense in a VM to get that IP address instead and to relay its traffic via the vmbr0 transparently outside of the host. I have done something very similar previously between OpenWRT running in a VM and another VM, using OpenWRT's "trivial relay" (kmod-trelay, see https://forum.openwrt.org/t/howto-kmod-trelay/49610/2, also https://github.com/openwrt/openwrt/commit/c3bba7f8c61ee98265bcffef8ee86e22aa89bbe9), and despite that this particular case is much simpler, I can't get the VM to communicate with the ISP properly. I tried simply by spoofing the eth0's MAC address by setting the OPNSense VM's interface to it, but that's not enough.I also checked the traffic on both ends using tcpdump, and, interestingly, vmbr0 does see the DHCP requests coming from the VM, and the ISP does respond, but that response never reaches the VM, nor the tap interface corresponding to the VM that Proxmox assigned to the bridge.What am I missing here?&nbsp;&nbsp;

kidd_ip · Answer

Try this:
&nbsp;

Use routed/NAT mode instead of transparent bridging

Give OPNSense a private IP on the Proxmox bridge.
Configure NAT or policy‑based routing on OPNSense to send traffic out via the host’s Azure NIC.
This is the most reliable pattern in Azure.

Use an internal subnet + UDRs

Place your workload VMs behind OPNSense on an internal Proxmox bridge.
Assign OPNSense a private IP on that bridge and another on vmbr0.
Route all workload traffic through OPNSense, which then NATs to the Azure NIC.

DHCP relay instead of direct lease

Don’t try to have OPNSense pull the Azure‑assigned public IP directly.
Let the host keep the Azure IP, and configure OPNSense to relay or NAT traffic through it.

Use Azure‑supported NVAs

Azure’s supported pattern for firewalls/routers is to deploy them as NVAs (network virtual appliances) with their own NICs and UDRs, not by spoofing the host NIC.
If you want OPNSense to be the gateway, treat it like an NVA: give it its own NIC, and use Azure routing to send traffic through it.

rohankh · Answer

Understood — here’s a different method that avoids MAC games entirely and works reliably in Azure:✅ Use OPNSense in “Routed / Private WAN” modeInstead of trying to pass the public IP directly, treat OPNSense WAN as a private IP behind Proxmox and let Proxmox act as the “edge router”.Steps1. Give OPNSense a normal VM NICDo not spoof host MAC.Just attach WAN NIC to vmbr0.2. On Proxmox, give the VM its own IPExample:OPNSense WAN = 192.168.100.2/24 Proxmox vmbr0 = 192.168.100.1/243. Enable routing &amp; NAT on Proxmoxecho 1 &gt; /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE4. OPNSense WAN gets private IP, LAN stays normalThen OPNSense does its firewalling normally.✅ What this gives youFeatureResultPublic cloud IP stays on Proxmox✔️ Supported by AzureOPNSense still runs as firewall/router✔️No MAC spoofing needed✔️DHCP issue disappears✔️If you must expose public IP through OPNSenseUse 1:1 NAT on Proxmox:iptables -t nat -A PREROUTING -d &lt;public-ip&gt; -j DNAT --to 192.168.100.2 iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to &lt;public-ip&gt;This gives OPNSense the public IP externally without L2 passthrough.Why this method worksAzure doesn’t allow true L2 transparency.Trying to force MAC passthrough breaks switching.Routed mode avoids layer-2 tricks completely.If you'd like, I can send the exact config for:Proxmox firewall + NAT rulesOPNSense WAN setup wizardAzure NIC settings&nbsp;

rohankh · Answer

&nbsp;1. Give OPNSense a normal VM NICDo not spoof host MAC.Just attach WAN NIC to vmbr0.2. On Proxmox, give the VM its own IPExample:OPNSense WAN = 192.168.100.2/24 Proxmox vmbr0 = 192.168.100.1/243. Enable routing &amp; NAT on Proxmoxecho 1 &gt; /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE4. OPNSense WAN gets private IP, LAN stays normalThen OPNSense does its firewalling normally.✅ What this gives youFeatureResultPublic cloud IP stays on Proxmox✔️ Supported by AzureOPNSense still runs as firewall/router✔️No MAC spoofing needed✔️DHCP issue disappears✔️If you must expose public IP through OPNSenseUse 1:1 NAT on Proxmox:iptables -t nat -A PREROUTING -d &lt;public-ip&gt; -j DNAT --to 192.168.100.2 iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to &lt;public-ip&gt;This gives OPNSense the public IP externally without L2 passthrough.Why this method worksAzure doesn’t allow true L2 transparency.Trying to force MAC passthrough breaks switching.Routed mode avoids layer-2 tricks completely.If you'd like, I can send the exact config for:Proxmox firewall + NAT rulesOPNSense WAN setup wizardAzure NIC settings

Forum Discussion

OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC

3 Replies

1. Give OPNSense a normal VM NIC

2. On Proxmox, give the VM its own IP

3. Enable routing & NAT on Proxmox

4. OPNSense WAN gets private IP, LAN stays normal

✅ What this gives you

If you must expose public IP through OPNSense

Why this method works

✅ Use OPNSense in “Routed / Private WAN” mode

Steps