help with VM / KVM config for a OPNsense firewall test environment

jata1 · Jul 28th 2025

Hi all - this question/topic has 2 parts - the first is the VM setup of opnsense in KVM and then I will probably need to finalise with the opnsense forum folks.

I am using opnsense (baremetal) as my router/firewall for my home network. It is all configured and working fine.

I want to create an opnsense VM using KVM that I can use to test stuff before making changes to my production router/firewall.

I have the opnsense VM setup and it is generally working as expected so I think I am close, I just wanted to check that I have VM (network interfaces in particular) correct.

Network interface 1 (WAN): br0 - bridge to OMV - this interface is correctly picking up a IP address from my main home network (as expected)
Network interface 2 (LAN): created a new network in KVM GUI (172.16.1.1). Then added this network interface using virtio linked to the KVM network

I have configured the VM as above and have been able to successfully get it up and running and with opnsense providing dhcp leases to VM clients with the same network as used for LAN in opnsense.

My issue is that I am having trouble connecting to opnsense GUI (on 172.16.1.1). I can ping this ip from the client VM but if I open a web session to the ip, it points to OMV GUI

So 172.16.1.1 in the client VM points to 192.168.1.3 (OMV server) and I did not expect this.

Anyone have any advice and tips? I'm thinking that my KVM network config for LAN is not quite right?

Thormir84 · Jul 28th 2025

Honestly, I wouldn't know how to help you; I also use OPNsense as a firewall (as a VM on KVM), but to avoid strange setups or issues like yours, I bought a 4-port ethernet card and associated it with the VM via passthrough.

GLOTRENDS ST7419 Scheda di rete Ethernet RJ45 a 4 porte da 2,5G compatibile con controller Intel 1226, interfaccia PCIE 3.0 X4, supporto Windows 11/10/Windows Server/Linux/ESX/VMware ESXi

Scheda di rete ethernet RJ45 a 4 porte da 2,5Gb (controller Intel 1226), interfaccia PCIe 3.0 X4, negoziazione automatica delle connessioni a velocità…

www.amazon.it

Krisbee · Jul 28th 2025

@jatal It's a while since I've done this kind of step up, but if you create a network via the KVM plugin it will typically have it's own internal DHCP etc, which you really don't want as you the Opnsense VM should control this (See: https://wiki.libvirt.org/VirtualNetworking.html ).

I'd create an additional bridge in OMV that has no IP or gateway. The LAN side of the opnsense VM connects to this additional bridge as does any other VM you want on the same "private network". Opnsense should control both DNS and DHCP on this LAN side "private network". Accessing the opnsense web ui is via another graphical VM on the "private network" in a default config.

As OMV is netplan based, having VLANS on LAN side is messy as netplan does not support VLAN aware bridges.

jata1 · Jul 28th 2025

Thanks. This is very helpful and will give it a try and read the doc you linked.

In the omv kvm network config you can create a network without dhcp and this is what I have done.

Also setup dhcp and dns on lan interface using opnsense as you described.

Can ping between vm clients on this network using ip address and name.local but not using the dhcp name yet.

I’m very close and will keep working on it.

Krisbee · Jul 28th 2025

Quote from jata1

In the omv kvm network config you can create a network without dhcp and this is what I have done.

OK, but is it doing NAT?

jata1 · Jul 28th 2025

Quote from Krisbee

OK, but is it doing NAT?

Yes I think it is doing nat

jata1 · Jul 29th 2025

Krisbee - thanks so much. All working great using a bridge in OMV.

I would never thought of creating a unassigned bridge in OMV to get this all working so massive thanks.

From the testing opnsense network I can:

access internet normally
test firewall rules and NAT on both WAN and LAN interfaces
normal (opnsense) dhcp / dns name resolution for testing network (172.16.1.1/24 - hostname.opn.lan)
access main network using ip and dns name (192.168.1.1/24 - hostname.lan)

The only thing that is tricky (and expected not to work) is access to the test network from the main network

jata1 · Jul 29th 2025

Quote from Krisbee

As OMV is netplan based, having VLANS on LAN side is messy as netplan does not support VLAN aware bridges.

I thought I would see if I could work VLANs through and you are correct - even a single vlan (with vlanid=1) used with the bridge network does not work correctly. VM clients do not get dhcp address in this config.

Anyway, I now have a simple opnsense test setup working well so thanks again for the assistance.

Krisbee · Jul 30th 2025

jata1 If you want your opnsense VM to support VLANS on the internal private network you will probably have to use "openvswitch". That means installing openvswitch-switch and its dependencies on OMV. Create a basic ovs bridge and then definine a "virtual network" based on the that ovs bridge. The definition is create in xml, either via the OMV UI or at the CLI using the appropriate virsh commands.

I've used this XML in the past:

Code

root@deb12:~# virsh net-dumpxml lab_ovs

<network>
 <name>lab_ovs</name>
 <uuid>6278643e-0bd0-410c-a03a-1ce56b769956</uuid>
 <forward mode='bridge'/>
 <bridge name='lab_ovs'/>
 <virtualport type='openvswitch'/>
 <portgroup name='vlan-01' default='yes'>
 </portgroup>
 <portgroup name='vlan-20'>
   <vlan>
     <tag id='20'/>
   </vlan>
 </portgroup>
 <portgroup name='vlan-30'>
   <vlan>
     <tag id='30'/>
   </vlan>
 </portgroup>
 <portgroup name='vlan-40'>
   <vlan>
     <tag id='40'/>
   </vlan>
 </portgroup>
 <portgroup name='vlan-50'>
   <vlan>
     <tag id='50'/>
   </vlan>
 </portgroup>
 <portgroup name='vlan-trunk'>
   <vlan trunk='yes'>
     <tag id='20'/>
     <tag id='30'/>
     <tag id='40'/>
     <tag id='50'/>
   </vlan>
 </portgroup>
</network>


root@deb12:~#

Display More

Where the ovs bridge is defined as:

Code

root@deb12:~# ovs-vsctl show

73fb0aec-2110-4c22-9075-569f6a9c5119

   Bridge lab_ovs
       Port lab_ovs
           Interface lab_ovs
               type: internal
   ovs_version: "3.1.0"
root@deb12:~

This ovs bridge replaces your previous no-vlan aware bridge in the LAN side of the opnsense VM.

Client VMs on the internal private vlan aware network can attach to a given port name, e.g. vlan-20. For example, using:

Code

<interface type="network">
  <mac address="52:54:00:99:a0:37"/>
  <source network="lab_ovs" portgroup="vlan-20"/>
  <model type="virtio"/>
  <link state="up"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

jata1 · Jul 30th 2025

Thanks for this.

I don’t really want to play with omv network config as I use this server for a load of home lab services etc.

I have opnsense VM working fine for the things I want to test.

One thing I am working on but I think Is very hard is to allow full access to devices on the test vm network from my main network. I think it can be done on a limited basis using NAT forwarding.

jata1 · Jul 30th 2025

Here is a simplistic overview of my network setup.

I was thinking that i could use outbound NAT rules to somehow connect home network to the testing VM network. The issue I think is that the WAN of the test network is not actually directly connected to the internet (it is double NAT)

Anyhow - this is just tinkering so that I better understand/learn networking and opnsense on both the WAN and LAN side.

Krisbee · Jul 31st 2025

How about using wireguard on the opnsense vm?

jata1 · Jul 31st 2025

Yep. I think that VPN might be the way to go to get it working.

Participate now!