OPNsense on Proxmox works, but passthrough matters
I’ve seen OPNsense run well as a VM on Proxmox, but only when the network card is handed through properly. If you leave the host in the middle of the traffic path, you are giving away the main reason for doing it.
OPNsense is a firewall and routing platform built on FreeBSD. Proxmox is a virtualisation host that lets you run it as a VM. That gives you one place to manage the box, but the useful part is PCI passthrough: assign a physical NIC directly to the OPNsense VM and stop Proxmox touching it.
With an N150 processor and 2.5G networking, this sort of setup can push sensible throughput for a home lab. It suits the kind of network where you want to test VLANs, VPNs, and traffic rules without buying another box just for the firewall.
Why I bother with it in a homelab
Home networks have got more awkward. There are more devices, more cloud dependence, and more things that want to talk to the internet all at once. Running OPNsense in Proxmox gives me room to change things without pulling apart the whole network.
That matters when I want to try firewall rules, VLANs, or VPN changes without committing to dedicated hardware straight away. It is also easier to recover from a bad config when the firewall is a VM and not the only thing standing between me and a dead network.
N150 boxes are attractive for a reason
The N150 has enough going on for a small firewall build, and the 2.5G ports make it a decent fit for a lab or a small home setup. Fanless boxes are appealing too. They stay quiet, which is handy if the firewall lives under a desk or in a cupboard that already has too many blinking lights.
The trade-off is heat. Small form factor hardware still needs some airflow, even if there is no fan screaming away beside it. If the case is boxed in, temperatures can climb under load.
Getting NIC passthrough working in Proxmox
For passthrough, I start with IOMMU in the BIOS. Without that, there is no clean way to hand the hardware over to the VM.
Once that is enabled, the Proxmox side needs the PCI device assigned to the OPNsense VM. In practice that means editing the VM configuration and adding the relevant device ID.
After that, OPNsense should see the NIC in the web interface. If it does not, the passthrough is not right and the host is still in the way somewhere. When it is set correctly, performance is close to a dedicated firewall box.
There are enough Proxmox and OPNsense threads on this already, and the Proxmox Support Forum has useful troubleshooting notes if the device refuses to show up.
Heat is the bit people ignore
Small fanless firewalls are neat until they sit in a warm corner and start cooking. I would not trust one jammed in a closed shelf with no airflow.
OPNsense can monitor system temperatures, so it is worth checking CPU and system readings instead of assuming the box is fine because it is quiet. Thermal paste and decent contact between parts also matter more than people like to admit.
If the box is running hot, move it. That is usually a better fix than pretending the case design is magical.
The VENOEN Micro Firewall Appliance Review has some practical notes on keeping these little systems in better shape.
Once it is up, keep the setup boring
After installation, I would keep the OPNsense config plain: firewall rules, VLANs, and whatever else you actually need. Update it regularly so you are not sitting on old fixes and old problems.
The attraction here is not novelty. It is having a firewall setup that I can change, watch, and fix without having to rip apart the rest of the lab.
