Forum Discussion

wrobelda's avatar
wrobelda
Copper Contributor
Aug 17, 2022

OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC

I am trying to set up OPNSense VM inside a Proxmox, which is running in a Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions.   Since a...
Kidd_Ip's avatar
Kidd_Ip
MVP
Oct 31, 2025

Try this:

 

  1. Use routed/NAT mode instead of transparent bridging
    • Give OPNSense a private IP on the Proxmox bridge.
    • Configure NAT or policy‑based routing on OPNSense to send traffic out via the host’s Azure NIC.
    • This is the most reliable pattern in Azure.
  2. Use an internal subnet + UDRs
    • Place your workload VMs behind OPNSense on an internal Proxmox bridge.
    • Assign OPNSense a private IP on that bridge and another on vmbr0.
    • Route all workload traffic through OPNSense, which then NATs to the Azure NIC.
  3. DHCP relay instead of direct lease
    • Don’t try to have OPNSense pull the Azure‑assigned public IP directly.
    • Let the host keep the Azure IP, and configure OPNSense to relay or NAT traffic through it.
  4. Use Azure‑supported NVAs
    • Azure’s supported pattern for firewalls/routers is to deploy them as NVAs (network virtual appliances) with their own NICs and UDRs, not by spoofing the host NIC.
    • If you want OPNSense to be the gateway, treat it like an NVA: give it its own NIC, and use Azure routing to send traffic through it.
rohankh's avatar
rohankh
Copper Contributor
Oct 31, 2025

Understood — here’s a different method that avoids MAC games entirely and works reliably in Azure:

Use OPNSense in “Routed / Private WAN” mode

Instead of trying to pass the public IP directly, treat OPNSense WAN as a private IP behind Proxmox and let Proxmox act as the “edge router”.

Steps

1. Give OPNSense a normal VM NIC

Do not spoof host MAC.
Just attach WAN NIC to vmbr0.

2. On Proxmox, give the VM its own IP

Example:

OPNSense WAN = 192.168.100.2/24 Proxmox vmbr0 = 192.168.100.1/24

3. Enable routing & NAT on Proxmox

echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE

4. OPNSense WAN gets private IP, LAN stays normal

Then OPNSense does its firewalling normally.

✅ What this gives you

FeatureResult
Public cloud IP stays on Proxmox✔️ Supported by Azure
OPNSense still runs as firewall/router✔️
No MAC spoofing needed✔️
DHCP issue disappears✔️

If you must expose public IP through OPNSense

Use 1:1 NAT on Proxmox:

iptables -t nat -A PREROUTING -d <public-ip> -j DNAT --to 192.168.100.2 iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to <public-ip>

This gives OPNSense the public IP externally without L2 passthrough.

Why this method works

Azure doesn’t allow true L2 transparency.
Trying to force MAC passthrough breaks switching.
Routed mode avoids layer-2 tricks completely.

If you'd like, I can send the exact config for:

  • Proxmox firewall + NAT rules
  • OPNSense WAN setup wizard
  • Azure NIC settings

 

Resources