Skip to main content
Network appliance VMs provide enterprise-grade routing, firewall, and network management capabilities within Proxmox VE.

Available Network Appliances

OPNsense

Advanced firewall and routing platform

OpenWrt

Powerful wireless router firmware

MikroTik RouterOS

Professional router operating system

OPNsense Firewall

OPNsense is an open-source firewall and routing platform based on FreeBSD, offering enterprise features. Script: opnsense-vm.sh 
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/vm/opnsense-vm.sh)"
1

Run the Script

Execute the command from Proxmox VE shell.
2

Configure Network Interfaces

The script creates:
  • WAN interface (first network device)
  • LAN interface (second network device)
You’ll configure which Proxmox bridge each connects to.
3

Set VM Resources

Configure:
  • VM ID
  • Hostname
  • CPU cores (recommended: 2-4)
  • RAM (recommended: 2-4 GB)
  • Disk size (recommended: 16-32 GB)
4

Complete Installation

Access OPNsense console to finish setup.

OPNsense Features

  • Stateful firewall
  • VPN (OpenVPN, WireGuard, IPsec)
  • Intrusion Detection/Prevention (IDS/IPS)
  • Traffic shaping
  • Web proxy with caching
  • Load balancing
  • High availability
  • Multi-WAN support
  • Plugin ecosystem

Initial OPNsense Setup

Username: root
Password: opnsenseWeb Interface:
  • Default LAN IP: 192.168.1.1
  • URL: https://192.168.1.1
# Via Proxmox VM console
# Login with root/opnsense

# Assign interfaces
1) Assign interfaces
2) Set interface IP address
8) Shell

Network Configuration

OPNsense requires at least two network interfaces:WAN (vmbr0): Internet-facing interface
LAN (vmbr1): Internal network interfaceIn Proxmox, create a second bridge or use VLANs to separate WAN/LAN traffic.
Use CaseCPURAMDisk
Home/Small Office2 cores2 GB16 GB
Medium Business4 cores4 GB32 GB
Enterprise8+ cores8+ GB64+ GB

OpenWrt Router

OpenWrt is a Linux-based router firmware with extensive package support and customization. Script: openwrt-vm.sh 
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/vm/openwrt-vm.sh)"
OpenWrt VM uses minimal resources (1 GB disk by default) and is perfect for testing or lightweight routing tasks.

OpenWrt Features

  • Package management (opkg)
  • Advanced routing protocols
  • QoS and traffic control
  • VPN support (OpenVPN, WireGuard)
  • Wireless management (with compatible hardware)
  • Extensive customization
  • Active community packages

Initial OpenWrt Setup

1

Access Web Interface

Default LAN IP: 192.168.1.1Navigate to: http://192.168.1.1
2

Set Root Password

First login has no password
  1. Click “Login” (no password needed initially)
  2. Go to System → Administration
  3. Set a root password
  4. Save & Apply
3

Configure Network

  1. Network → Interfaces
  2. Configure WAN interface (typically DHCP or Static)
  3. Configure LAN interface (default: 192.168.1.1/24)
  4. Save & Apply
4

Update Packages

# Via SSH or console
opkg update
opkg list-upgradable
opkg upgrade <package-name>

Network Configuration

Like OPNsense, OpenWrt benefits from separate WAN/LAN interfaces:
  • eth0 → WAN (vmbr0)
  • eth1 → LAN (vmbr1)
Configure during script execution or add interfaces later in Proxmox.

Common OpenWrt Packages

# WireGuard
opkg update
opkg install wireguard-tools luci-app-wireguard

# OpenVPN
opkg install openvpn-openssl luci-app-openvpn

MikroTik RouterOS CHR

MikroTik RouterOS Cloud Hosted Router (CHR) is a professional routing platform. Script: mikrotik-routeros.sh 
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/vm/mikrotik-routeros.sh)"
MikroTik CHR has licensing tiers based on performance. The free license is limited to 1 Mbps throughput.

MikroTik CHR License Levels

LicenseSpeed LimitPrice
Free1 MbpsFree
P11 Gbps$45
P1010 Gbps$95
P-UnlimitedUnlimited$250

Initial MikroTik Setup

1

Access Via Console

Login credentials:
  • Username: admin
  • Password: (blank - press Enter)
2

Access Via Winbox

Download Winbox from MikroTik.comConnect to VM’s MAC address (shows in neighbors)
3

Basic Configuration

# Set identity
/system identity set name=RouterOS-VM

# Set admin password
/user set admin password=newpassword

# Configure IP address
/ip address add address=192.168.88.1/24 interface=ether1

# Enable SSH
/ip service enable ssh
4

Apply License

If purchased, apply license key:
/system license renew account=your-account password=your-password

MikroTik RouterOS Features

  • Advanced routing (BGP, OSPF, RIP)
  • MPLS
  • VPN (L2TP, PPTP, OpenVPN, IPsec, WireGuard)
  • Firewall and NAT
  • Quality of Service (QoS)
  • Hotspot management
  • User management
  • Scripting engine
  • Extensive monitoring

Quick Configuration Example

# Configure WAN (DHCP client)
/ip dhcp-client add interface=ether1 disabled=no

# Configure LAN
/ip address add address=192.168.88.1/24 interface=ether2
/ip pool add name=dhcp_pool ranges=192.168.88.100-192.168.88.200
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=8.8.8.8
/ip dhcp-server add name=dhcp1 interface=ether2 address-pool=dhcp_pool disabled=no

# Setup NAT
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

Network Design Considerations

Bridge Configuration in Proxmox

For proper WAN/LAN separation, create multiple bridges in Proxmox:In Proxmox Web UI:
  1. Node → System → Network
  2. Create → Linux Bridge
  3. vmbr0: WAN (connected to internet-facing NIC)
  4. vmbr1: LAN (internal network)
  5. Apply configuration

VLAN Configuration

Alternatively, use VLANs on a single bridge:
# Proxmox: VM → Hardware → Network Device → Edit
# VLAN Tag: 10 (for WAN)
# VLAN Tag: 20 (for LAN)
Configure VLAN trunking on the physical switch.

High Availability Setup

1

Create Two VMs

Deploy two identical firewall VMs (OPNsense/MikroTik)
2

Configure Cluster

Set up HA clustering in the firewall OS
  • OPNsense: System → High Availability
  • MikroTik: /interface vrrp
3

Sync Configuration

Enable configuration synchronization between nodes
4

Test Failover

Simulate failure to verify automatic failover

Resource Allocation Guidelines

CPU Allocation

  • Basic testing
  • Lab environments
  • Low traffic (under 10 Mbps)
  • Home networks
  • Small office (1-10 users)
  • Traffic up to 100 Mbps
  • VPN usage
  • Medium business (10-50 users)
  • Traffic up to 1 Gbps
  • IDS/IPS enabled
  • Multiple VPN connections
  • Traffic shaping

Memory Recommendations

FirewallMinimumRecommendedAdvanced
OPNsense1 GB4 GB8+ GB
OpenWrt256 MB512 MB1 GB
MikroTik256 MB1 GB2+ GB

Troubleshooting

  • Verify WAN interface has IP address
  • Check default gateway configuration
  • Ensure NAT/masquerading is enabled
  • Verify firewall rules allow outbound traffic
  • Check DNS configuration
  • Verify LAN IP address configuration
  • Check network cable/bridge connection
  • Ensure client is on correct subnet
  • Try accessing via VM console first
  • Check firewall rules on WAN interface
  • Increase CPU cores
  • Disable CPU limit in Proxmox
  • Enable virtio network drivers
  • Disable IDS/IPS if not needed
  • Check for CPU throttling
  • Consider hardware offloading
  • Verify VPN port forwarding
  • Check firewall rules
  • Ensure certificates are valid
  • Verify routing configuration
  • Check logs for specific errors

Performance Optimization

# Enable VirtIO for better performance
# VM → Hardware → Network Device → Model: VirtIO

# Enable multi-queue for VirtIO
qm set <VMID> -net0 virtio,bridge=vmbr0,queues=4

Next Steps

Linux VMs

Deploy Linux virtual machines

Home Assistant

Set up home automation

VM Overview

Back to all VM scripts

Build docs developers (and LLMs) love

Get started for freeTalk to us