Forum Discussion
wrobelda
Aug 17, 2022 | Copper Contributor
OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC
I am trying to set up an OPNSense VM inside Proxmox, which is running in an Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions. Since a...
Kidd_Ip
Oct 31, 2025 | MVP
Try this:
- Use routed/NAT mode instead of transparent bridging
  - Give OPNSense a private IP on the Proxmox bridge.
  - Configure NAT or policy‑based routing on OPNSense to send traffic out via the host’s Azure NIC.
  - This is the most reliable pattern in Azure.
- Use an internal subnet + UDRs
  - Place your workload VMs behind OPNSense on an internal Proxmox bridge.
  - Assign OPNSense a private IP on that bridge and another on vmbr0.
  - Route all workload traffic through OPNSense, which then NATs to the Azure NIC.
- DHCP relay instead of direct lease
  - Don’t try to have OPNSense pull the Azure‑assigned public IP directly.
  - Let the host keep the Azure IP, and configure OPNSense to relay or NAT traffic through it.
- Use Azure‑supported NVAs
  - Azure’s supported pattern for firewalls/routers is to deploy them as NVAs (network virtual appliances) with their own NICs and UDRs, not by spoofing the host NIC.
  - If you want OPNSense to be the gateway, treat it like an NVA: give it its own NIC, and use Azure routing to send traffic through it.
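A Proxmox host network layout that implements the routed/NAT pattern from the reply above (host keeps the Azure IP, OPNSense on a private vmbr0 address, workloads on an internal bridge). This is an added example, not configuration from either poster; the NIC name eth0, the bridge names and the 10.10.0.0/24 and 10.20.0.0/24 subnets are assumptions.

```conf
# /etc/network/interfaces on the Proxmox host (added example, not from the post).
# Assumptions: the Azure-facing NIC is eth0, vmbr0 is a NAT'd "WAN" bridge on
# 10.10.0.0/24, vmbr1 is the internal "LAN" bridge with no host address.
# Azure drops frames whose source MAC is not the VM NIC's own MAC, so vmbr0
# must NOT enslave eth0; the host routes and masquerades instead.

auto lo
iface lo inet loopback

# Azure NIC: keep the Azure-assigned address via DHCP, as the reply suggests.
auto eth0
iface eth0 inet dhcp

# "WAN" side for OPNSense: private subnet, NAT'd out through eth0.
auto vmbr0
iface vmbr0 inet static
    address 10.10.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # Forward and masquerade so OPNSense (10.10.0.2) leaves Azure with the host's IP,
    # which keeps Azure-level IP forwarding on the NIC unnecessary.
    post-up   sysctl -w net.ipv4.ip_forward=1
    post-up   iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
    # Only OPNSense may use this path; anything else on vmbr0 is dropped.
    post-up   iptables -A FORWARD -i vmbr0 -o eth0 ! -s 10.10.0.2 -j DROP
    post-down iptables -D FORWARD -i vmbr0 -o eth0 ! -s 10.10.0.2 -j DROP

# Internal bridge for workload VMs; the host deliberately has no IP here so
# the only way out is through OPNSense.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# OPNSense VM: net0 on vmbr0 (WAN, static 10.10.0.2/24, gateway 10.10.0.1),
#              net1 on vmbr1 (LAN, 10.20.0.1/24, runs DHCP for the workloads).
# Workload VMs: single NIC on vmbr1, default gateway 10.20.0.1.
# Inbound published services need an Azure NSG rule plus a host DNAT rule, e.g.
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport <PORT> -j DNAT --to 10.10.0.2
# with <PORT> as a placeholder for the service port.
```

Apply with `ifreload -a` on the host, and verify from OPNSense that its WAN default route is 10.10.0.1 before attaching workload VMs to vmbr1.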