PVE Node Router and SDN

A PVE node running services is a perfect place to simulate networking. For the basic setup, we use SDN and OPNsense: a virtual or dedicated NIC serves as WAN, and an SDN network is set up for our VM/CT to use.


The smallest router would be a Linux server set up as a router on a minimal VM and managed from the CLI.
But we want a GUI, which is why we use OPNsense.

Why use a Router and SDN

One use case is to simulate a custom environment and the networking for it.

Simulate a SOHO environment

Set up an NGFW in one VM and use SDN to simulate the internal networking. Use a set of VM/CT to simulate workstations. VLAN access and firewall rules are better simulated before implementation.

Creating a Restricted Lab on a LAN

In an office environment, you can create a restricted and secure environment by routing the Lab traffic so it doesn't interact with the normal traffic and normal users can't access the Lab. A typical case is an office with on-site SW development and production on the same network. My personal experience of such a setup was great. R&D and SW Development could access any data on the official network for getting test data, but the test versions stayed secure in the lab environment.

Set up SDN

We are about to create an internal subnet on a node for all VM/CT to use. The router is to be connected to a WAN or an internal network, or both, depending on the use case.

Create an SDN network and a subnet

All names and IP numbers should be according to your network strategy.

Go to Datacenter → SDN → Zones and

  1. Create a Simple Zone called OPNzone, then
  2. Create a VNet called OPNvnet, alias NETpve1 (in Datacenter → SDN → VNets)
  3. Select the VNet and create its subnet with 10.10.1.0/24 and GW 10.10.1.1.
  4. Then return to Datacenter → SDN and activate
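
The same four steps from the PVE node's shell, as an added example that is not part of the original post: the function prints the pvesh API calls for review instead of running them. Proxmox documents zone and VNet IDs as at most 8 characters; the letters-and-digits rule and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit the pvesh calls equivalent to the four GUI steps above.

# Proxmox documents SDN zone and VNet IDs as at most 8 characters. Restricting
# them to letters and digits, starting with a letter, is this example's assumption.
valid_sdn_id() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# sdn_cmds ZONE VNET ALIAS SUBNET GATEWAY: print the commands, or fail on a bad ID.
sdn_cmds() {
    valid_sdn_id "$1" || { echo "invalid zone ID: $1" >&2; return 1; }
    valid_sdn_id "$2" || { echo "invalid VNet ID: $2" >&2; return 1; }
    cat <<EOF
pvesh create /cluster/sdn/zones --type simple --zone $1
pvesh create /cluster/sdn/vnets --vnet $2 --zone $1 --alias $3
pvesh create /cluster/sdn/vnets/$2/subnets --type subnet --subnet $4 --gateway $5
pvesh set /cluster/sdn
EOF
}

# Values from this page. Review the output before running it on the PVE node.
sdn_cmds OPNzone OPNvnet NETpve1 10.10.1.0/24 10.10.1.1
```

The last printed command, pvesh set /cluster/sdn, applies the pending SDN configuration and corresponds to step 4.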

Install and Setup OPNsense

Install OPNsense on a VM, as we are to use FreeBSD and potentially have it facing the Internet. You can see my OPNsense blog post for details.

Installation is done using the console of the VM. Credentials: user installer and password opnsense. Then do the installation and change the root password before rebooting.
Setting up OPNsense will then be done from a Desktop VM on that node, at IP 192.168.1.1.

  • WAN1: a dedicated (passed-through) USB NIC; it will show up after the initial installation as ue0
  • WAN2: a bridge like vmbr0 for connection to the local LAN (Optional)
  • LAN: we use the OPNvnet we created in SDN

Use a VM for Setting up and Testing

For testing and setting up the OPNsense instance, we use a Desktop VM of our choice.
For me, it's a minimalistic Alpine Desktop VM, see my post: Install an Alpine Desktop VM.

Leave DHCP on so the VM picks up its IP; it will change during the setup of OPNsense.

Virtual Machine sizing

  • Processor: 1 or more virtual cores
  • RAM: Minimum required RAM is ≥ 4 GB
  • Install method: ISO
  • Install target: Minimum recommended virtual disk size of 8 GB

Configuring OPNsense

Using the Desktop VM, open a browser to 192.168.1.1 (default for OPNsense). Start the configuration of your OPNsense router. User: root and the password set during installation.
Now we change that password, update the system and do the rest of the configuration.

  1. Run the Wizard at System → Configuration → Wizard and set the General information like host name, language, TZ and DNS
    1. Set the gateway (the main gateway of your lab for internet); it should be there automatically.
      Choose if you are to use IPv4 and/or IPv6
    2. Set the new LAN address. Check the SDN subnet and use the IP of its gateway
      Choose if you are to use IPv4 and/or IPv6
    3. Set the new password for root
  2. Reboot the OPNsense VM
  3. Reboot the test VM
  4. Login using the new IP
    1. Test with ip r for the new IP
    2. Ping your upstream router by IP
    3. Ping by FQDN, something like google.com
  5. Update the system and install your plugins: go to System → Firmware → Status
    1. Click 🔁 Check for updates and do the update!
    2. Add the os-qemu-guest-admin, os-iperf and others from the community plugins
  6. If you have more WAN and/or LAN connections, set up and test
    1. In Basic configuration → Lock, check ☑️ Prevent interface removal
    2. In Generic configuration set the right parameters for your network
      1. IPv4 Configuration Type set None/Static IPv4/DHCP
      2. IPv6 Configuration Type set None/Static IPv6/SLAAC/6rd Tunnel/6to4 Tunnel/Track Interface
      3. If you don't use IPv6, just set to None
    3. Save your settings and Apply changes
  7. Set up the firewall rules and other tools
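
The checks from step 4, scripted for the test VM, as an added example that is not part of the original post. It parses ip r output and fails when the VM still holds a lease from the OPNsense default 192.168.1.1 network instead of the SDN subnet; the function names and sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: checks for step 4, run on the test VM after both reboots.
EXPECTED_GW="10.10.1.1"     # SDN subnet gateway used on this page
LAB_NET="10.10.1.0/24"      # SDN subnet used on this page

# Constructed sample `ip r` outputs (not captured from a real system).
SAMPLE_OK='default via 10.10.1.1 dev eth0 metric 202
10.10.1.0/24 dev eth0 scope link src 10.10.1.100'
SAMPLE_STALE='default via 192.168.1.1 dev eth0 metric 202
192.168.1.0/24 dev eth0 scope link src 192.168.1.100'

# Gateway of the default route, read from `ip r` output on stdin.
default_gw() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Source address of the connected route for the lab subnet.
lab_src() {
    awk -v net="$LAB_NET" '$1 == net { for (i = 2; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Succeeds only if the VM has a lab address and routes via the OPNsense LAN IP.
check_routes() {
    routes=$(cat)
    gw=$(printf '%s\n' "$routes" | default_gw)
    src=$(printf '%s\n' "$routes" | lab_src)
    if [ "$gw" != "$EXPECTED_GW" ]; then
        echo "FAIL: default gateway is ${gw:-missing}, expected $EXPECTED_GW"; return 1
    fi
    if [ -z "$src" ]; then
        echo "FAIL: no address in $LAB_NET"; return 1
    fi
    echo "OK: $src routes via $gw"
}

case "${1:-}" in
    --live)  # usage: script --live UPSTREAM_ROUTER_IP
        ip r | check_routes && ping -c 2 "${2:?upstream router IP}" && ping -c 2 google.com ;;
    *)
        printf '%s\n' "$SAMPLE_OK" | check_routes
        printf '%s\n' "$SAMPLE_STALE" | check_routes || true ;;
esac
```

Without arguments the script only evaluates the two constructed samples; with --live and the upstream router's IP it runs the three tests of step 4 in order and stops at the first failure.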


References

OPNsense [1] Alpine [2]


  1. OPNsense homepage, GitHub, Documentation, Official Shop, Dnsmasq homepage and man page, FAQ.
    But you can also choose to use the ISC tools: Bind 9 homepage, Kea DHCP Manual and official homepage, ISC DHCP homepage and Migrating to Kea from ISC DHCP page.

  2. Alpine Linux homepage, GitLab, Documentation, Downloads.