Forum Discussion
wrobelda
Aug 17, 2022 Copper Contributor
OPNSense nested in a Proxmox VM, trying to spoof VM NIC to transparently relay to host NIC
I am trying to set up an OPNSense VM inside Proxmox, which is running in an Azure VM with nesting enabled. I have my reasons to do it, so please spare me the "why not go native" questions. Since a...
rohankh
Oct 31, 2025 Copper Contributor
1. Give OPNSense a normal VM NIC
Do not spoof host MAC.
Just attach WAN NIC to vmbr0.
2. On Proxmox, give the VM its own IP
Example:
OPNSense WAN = 192.168.100.2/24
Proxmox vmbr0 = 192.168.100.1/24
3. Enable routing & NAT on Proxmox
```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
```
4. OPNSense WAN gets private IP, LAN stays normal
Then OPNSense does its firewalling normally.
✅ What this gives you
| Feature | Result |
|---|---|
| Public cloud IP stays on Proxmox | ✔️ Supported by Azure |
| OPNSense still runs as firewall/router | ✔️ |
| No MAC spoofing needed | ✔️ |
| DHCP issue disappears | ✔️ |
If you must expose public IP through OPNSense
Use 1:1 NAT on Proxmox:
```
iptables -t nat -A PREROUTING -d <public-ip> -j DNAT --to 192.168.100.2
iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to <public-ip>
```
This gives OPNSense the public IP externally without L2 passthrough.
Why this method works
Azure doesn’t allow true L2 transparency.
Trying to force MAC passthrough breaks switching.
Routed mode avoids layer-2 tricks completely.
If you'd like, I can send the exact config for:
- Proxmox firewall + NAT rules
- OPNSense WAN setup wizard
- Azure NIC settings
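
The routed setup from the reply above, written out as an `iptables-restore` ruleset. This is an added example, not part of the original post: it goes beyond the reply by adding a default-deny FORWARD chain and by limiting the DNAT rule to traffic arriving on `eth0`, and it assumes the Proxmox host forwards traffic for this one VM only. The address 203.0.113.10 used when trying it out is a constructed documentation address.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it does not apply anything.
# Interface names and addresses are the ones used in the reply above.
WAN_IF="${WAN_IF:-eth0}"             # Azure-facing NIC
BRIDGE_IF="${BRIDGE_IF:-vmbr0}"      # Proxmox bridge
VM_NET="${VM_NET:-192.168.100.0/24}"
VM_IP="${VM_IP:-192.168.100.2}"      # OPNSense WAN address

# Accept only dotted-quad IPv4: four octets, each 0-255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# render_rules [PUBLIC_IP]
# PUBLIC_IP (optional) adds the 1:1 NAT pair, limited to traffic entering WAN_IF.
# It must be the destination address packets carry when they arrive on WAN_IF.
render_rules() {
  _pub="${1:-}"
  if [ -n "$_pub" ] && ! valid_ipv4 "$_pub"; then
    echo "invalid public IP: $_pub" >&2
    return 1
  fi
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  if [ -n "$_pub" ]; then
    echo "-A PREROUTING -i $WAN_IF -d $_pub -j DNAT --to-destination $VM_IP"
    echo "-A POSTROUTING -s $VM_IP -o $WAN_IF -j SNAT --to-source $_pub"
  fi
  echo "-A POSTROUTING -s $VM_NET -o $WAN_IF -j MASQUERADE"
  echo 'COMMIT'
  # NAT rules do not restrict what is routed, so forwarding is default-deny.
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]'
  echo "-A FORWARD -i $BRIDGE_IF -o $WAN_IF -s $VM_NET -j ACCEPT"
  echo "-A FORWARD -i $WAN_IF -o $BRIDGE_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  if [ -n "$_pub" ]; then
    # Unsolicited inbound traffic reaches the VM only if it matched the DNAT rule.
    echo "-A FORWARD -i $WAN_IF -o $BRIDGE_IF -d $VM_IP -m conntrack --ctstate DNAT -j ACCEPT"
  fi
  echo 'COMMIT'
}

render_rules "$@"
```

Check the output with `iptables-restore --test` before loading it. Loading it without `--noflush` replaces whatever is already in the nat and filter tables.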