Not everyone thinks you should virtualize your OPNsense or pfSense, and with good reason. There's a solid argument to be made that running your network on bare metal is safer and more predictable, but tools like Proxmox and even ESXi are mature and robust enough that many people use those platforms to virtualize their router and firewall. I'm one of those people, and here's why I do it.
5 More varied driver support
And sometimes better, too
One of the most important reasons people opt to virtualize OPNsense and pfSense is for the improved driver support. They both run on FreeBSD, which is similar to Linux but not exactly the same. In the case of hardware, there are drivers built for Linux that have no FreeBSD equivalent, meaning that you might not even be natively able to use FreeBSD in the first place. That's the situation I find myself in, where my NIC has a Linux driver but no FreeBSD driver. Thanks to Proxmox, I can bridge the Ethernet adapter to my OPNsense virtual machine, and it all works just fine.
As well, drivers might simply be better on Linux. Given the ubiquity of Linux, many companies prioritize supporting it, and while FreeBSD maintains binary compatibility with Linux on the software side of things through the Linuxulator, drivers are different. For example, Linux-only interfaces such as eBPF/XDP have their own FreeBSD equivalent in Netmap, but it's not as simple as just recompiling the same drivers for a different operating system. While this is not the case for all hardware, a lot of NICs will simply run better when driven by the Linux host and bridged to OPNsense than when run natively under FreeBSD. This depends entirely on the hardware you use, of course.
If the FreeBSD drivers are good enough, though, you can do a full PCI passthrough of your NIC to the VM, so that it can be used as if it were a native piece of hardware. That way, you can get the other benefits of using Proxmox while still getting the benefits of a bare metal NIC. Just make sure not to pass through your LAN NIC if you're using other containers or VMs: once the NIC is handed to the OPNsense VM, the host can no longer bridge it, so they won't be able to access your network.
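Before committing to full passthrough, check which IOMMU group the NIC lands in: the IOMMU cannot isolate devices in the same group from one another, so a NIC that shares its group cannot be cleanly handed to the VM on its own. The script below is an added example, not from the original article; it reads the standard Linux sysfs layout on the Proxmox host, and the SYSFS_ROOT override and the PCI addresses are assumptions for illustration.

```sh
#!/bin/sh
# Added example: report whether a NIC is alone in its IOMMU group.
# SYSFS_ROOT is a hypothetical override so the functions can be pointed at a
# test tree; on a real host leave it unset and /sys is used.

# iommu_group_of <pci-address>: print the group number, fail if there is none
iommu_group_of() {
    dev="${SYSFS_ROOT:-/sys}/bus/pci/devices/$1"
    [ -e "$dev/iommu_group" ] || return 1
    # iommu_group is a symlink whose last path component is the group number
    basename "$(readlink "$dev/iommu_group")"
}

# iommu_group_peers <pci-address>: print every other device in the same group
iommu_group_peers() {
    group=$(iommu_group_of "$1") || return 1
    for peer in "${SYSFS_ROOT:-/sys}/kernel/iommu_groups/$group/devices"/*; do
        [ -e "$peer" ] || continue
        addr=$(basename "$peer")
        [ "$addr" = "$1" ] || echo "$addr"
    done
}

# passthrough_verdict <pci-address>
#   "isolated"        (exit 0)  the NIC is the only device in its group
#   "shared: <peers>" (exit 1)  other devices share the group
#   "no-iommu"        (exit 2)  no group found: IOMMU disabled or wrong address
passthrough_verdict() {
    peers=$(iommu_group_peers "$1") || { echo "no-iommu"; return 2; }
    if [ -z "$peers" ]; then
        echo "isolated"
        return 0
    fi
    # unquoted on purpose: joins the one-per-line peer list with spaces
    echo "shared: $(echo $peers)"
    return 1
}
```

Run it on the host as `passthrough_verdict 0000:03:00.0`, using the address that `lspci -D` shows for your NIC.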
4 Rollbacks and backups
Easy to go back if you made a mistake
One other great benefit of virtualizing OPNsense is the support for rollbacks through snapshots. If you mess something up in your configuration, you can go back to the way things were in an instant. When trying to swap my WAN and LAN adapters, I messed up my configuration, and had to go back to what I had before... except I couldn't get into my OPNsense control panel. I was able to restore the snapshot I had taken in Proxmox before trying to make the switch, and I had everything working again.
In the same way, you can automate backups, too. Simply setting up a cron entry with proxmox-backup-client means you can automate scheduled backups so that your data is always safe. It's a great system, and it's so easy to quickly go back to a working configuration if you break something.
3 Easier migration
It's basically copy and paste
If you want to migrate your entire setup to another machine, you can do so with minimal effort. Because everything is virtualized, including your NICs, you can migrate your OPNsense VM to another device with ease. You might need to change the adapters that are being bridged to the VM or replace the PCI passthrough of your NIC, but aside from that, you can get it up and running in just a few minutes.
In terms of adaptability, a virtualized OPNsense instance makes it incredibly easy to move from one device to another. OPNsense has backups built in so that you can restore it easily on a client, but a VM makes it even easier.
2 Hosting other services
It doesn't just need to be an OPNsense box
While I'd never recommend hosting anything advanced alongside your virtualized OPNsense router, you can still do some experimentation. In the case of my Ugreen NAS DXP4800 Plus, I have four 4TB HDDs inside it that I can access remotely. Hosting a basic Nextcloud instance alongside it is easy, or you can even use built-in tools like NFS or SMB to share those drives on your network.
If you were confident in your configuration, you could even set up a Home Assistant OS instance alongside your OPNsense deployment. So long as you're not hosting anything that could entirely kill the machine it's running on (or might require you to restart the machine itself), there isn't a huge amount of risk in running one or two other things alongside your primary OPNsense VM.
1 Better PPPoE performance
A surprising benefit
This one is specific to those who use PPPoE, but you'll probably get better performance on a PPPoE connection on OPNsense if you virtualize it. This is because the Linux-based host takes those PPPoE frames and forwards them through the virtual bridge to your OPNsense instance, and the VM can process those incoming packets across all cores.
This is a slightly more niche benefit, as not everyone will have a PPPoE connection. However, if you do have one, you might get better performance out of virtualizing your routing and firewall platform. Consistent data streams will still be kept to a core at a time, as this can then ensure strict packet ordering for protocols that require it.
