Looking for some advice / recommendations / considerations on running OPNsense on bare metal vs virtualized, and if virtualized how best to do so.

I currently have OPNsense running bare metal on a Protectli FW6E Vault, with the following specs:

  • Intel i7-8550U CPU @ 1.80GHz
  • 120GB mSATA (1% utilization)
  • 16GB RAM (6.5% utilization)
  • 6 Gigabit Ethernet NIC ports

The Vault running OPNsense is the primary firewall and router; any wireless devices connect through a dumb AP running OpenWRT. Connected over Ethernet I have a RPi running HomeAssistant OS (would probably also move to virtual if that’s the chosen direction) as well as a TrueNAS setup.

How much of a performance hit would be expected running in some sort of container vs the current bare metal setup? Are there any other concerns with running the main firewall / router virtually vs bare metal to take into account?

  • percent@infosec.pub · 3 upvotes · (edited) · 9 hours ago

    I went with a dedicated mini PC with one of those motherboards that are designed for building a network appliance. It has been running very smoothly for a few years, and I just log in occasionally to run system updates.

    I want my network and Internet connection to continue working, regardless of my tinkering with home server stuff.

  • hamsda@feddit.org · 3 upvotes · (edited) · 16 hours ago

    I did not run OPNSense, but I have a direct comparison for pfSense as VM on Proxmox VE vs pfSense on a ~400€ official pfSense physical appliance.

    I do not feel any internet-speed or LAN-speed differences in the 2 setups, I did not measure it though. The change VM -> physical appliance was not planned.

    Running a VM firewall just got tiring fast, as I realized that Proxmox VE needs a lot more reboot-updates than pfSense does. And every time you reboot your pfSense VM hypervisor, your internet’s gone for a short time. Yes, you’re not forced to reboot. I like to do it anyway, if it’s been advised by the people creating the software I use.

    Though I gotta say, the pfSense webinterface is actually really snappy and fast when running on an x86 VM. Now that I have a Netgate 2100 physical pfSense appliance, the webinterface takes a looooong time to respond in comparison.

    I guess the most important thing is to test it for yourself and to always keep an easy migration-path open, like exporting firewall-settings to a file so you can migrate easily, if the need arises.

    [EDIT] - Like others, I also would advise heavily against using the same hypervisor for your firewall and other VMs. Bare metal is the most “uncomplicated” in terms of extra workload just to have your firewall up and running, but if you want to virtualize your firewall, put that VM on its own hypervisor.

  • immobile7801@piefed.social · 2 upvotes · 4 hours ago

    I run OPNsense in Proxmox for a couple of reasons. 1) I can snapshot the VM prior to upgrading; in case of an issue I can just roll back. 2) Backups: I can back up the whole VM, which includes all the plugins, not just the base OPNsense config. 3) I don’t run anything on bare metal except my laptop.
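    The snapshot-before-upgrade workflow described in this comment, written out as an added example (not code from the thread or from OPNsense/Proxmox): it takes a Proxmox snapshot of the firewall VM, lets the operator run the upgrade, then probes forwarding from the host and rolls back if the probe fails. The VM id 100 and the probe address are hypothetical; set VMID and PROBE_HOST for your own setup.

    ```shell
    #!/bin/sh
    # Added example: guard an OPNsense-on-Proxmox upgrade with a qm snapshot.
    # Assumptions (hypothetical): VMID 100 is the OPNsense VM, and the Proxmox
    # host reaches the Internet only through it, so a failed probe after the
    # upgrade means the firewall is no longer forwarding.
    set -eu

    VMID="${VMID:-100}"
    PROBE_HOST="${PROBE_HOST:-1.1.1.1}"   # constructed probe address; change it

    # Snapshot names must be plain identifiers, so use a colon-free timestamp.
    snap_name() {
        printf 'pre-upgrade-%s' "$(date -u +%Y%m%d-%H%M%S)"
    }

    # Forwarding check from the host: 0 when the probe host answers, 1 otherwise.
    wan_ok() {
        ping -c 3 -W 2 "$PROBE_HOST" >/dev/null 2>&1
    }

    # Default "upgrade step": wait for the operator to finish the upgrade in the UI.
    wait_for_operator() {
        echo "Run the upgrade in the OPNsense web UI, then press Enter." >&2
        read -r reply
    }

    # $1 = snapshot name, $2 = upgrade step (a function name).
    # Returns 0 if the post-upgrade probe passed, 1 after a rollback.
    guarded_upgrade() {
        name="$1"; step="$2"
        qm snapshot "$VMID" "$name" --description "before OPNsense upgrade"
        "$step"
        if wan_ok; then
            echo "Forwarding OK; delete snapshot $name once you are satisfied."
            return 0
        fi
        echo "Probe to $PROBE_HOST failed; rolling back to $name." >&2
        qm rollback "$VMID" "$name"
        # A snapshot taken without RAM state leaves the VM stopped after rollback.
        qm status "$VMID" | grep -q running || qm start "$VMID"
        return 1
    }

    # Usage on the Proxmox host: guarded_upgrade "$(snap_name)" wait_for_operator
    ```
    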

  • Beans@sh.itjust.works · 7 upvotes · 20 hours ago

    I run Proxmox on my router (an Intel NUC) with an OpenWRT VM (though I used to run OPNSense, and might try going back to it later). It makes things more complicated, but I’m familiar enough with Proxmox that I’m okay with that complexity.

    Set up right, I don’t think you’d experience any performance hit in terms of your network, and your 8th gen i7 is likely better than my Celeron J4025, so I imagine your Web UIs will be fast enough even virtualized.

    I virtualized my router because it let me experiment with different router options way more easily (I could switch from OPNSense to OpenWRT and fall back on my old OPNSense VM if I messed anything up, I could set up VLANs in a cloned VM and fall back to my old VM if I couldn’t get it working, etc.). I’m a very indecisive person loll. But if there’s no reason for you to virtualize it, then I wouldn’t bother unless you just want to.

    I vaguely remember my Intel NIC gave problems with OPNSense, but running virtualized meant I could use Linux drivers (via Proxmox) and give OPNSense a VirtIO NIC that it would be happy with. Oh, and it’s nice being able to run the Unifi Web Server in an LXC on the router so it doesn’t go down whenever I mess with my server PC.

    Personally, I only run network-specific things on my Proxmox instance on the router (so, OpenWRT/OPNSense, and the Unifi Web Server). My more home-lab stuff is run on a completely separate machine. Like others have said, I don’t want my internet to go down when I mess with my server.

    If you do end up virtualizing your router, in my personal experience using VirtIO network devices for the VM seems to work best for me (the E1000 seemed to hamper my upload/download speeds quite a bit, VirtIO made it pretty much line-speed — that could just be OpenWRT quirks or my NIC, idk).

  • RonnyZittledong@lemmy.world · 32 upvotes · 22 hours ago

    In my opinion core infrastructure like the router should not be virtualized. I want to be able to work on my Proxmox server or reboot it without bringing down the whole network. And if there is a problem with my Proxmox server, I now have the additional headache of having the network down too and my IP-KVMs don’t work.

  • salacious_coaster@infosec.pub · 14 upvotes · 22 hours ago

    Virtualizing the router adds a point of failure and a set of dependencies for a critical component of your network. And you already have good purpose-built hardware and no stated problems. So why virtualize?

  • coffelov@lemmy.ml · 6 upvotes · 22 hours ago

    Some years ago I posted something similar to your post; in conclusion, it is safe to run on a VM and have the Ethernet ports pointed to it. I personally use bare metal since I’m still not too familiar with OPNsense to start thinking of migrating to a VM.