Go baremetal

You want it to be as simple as possible, to be as secure as possible.

Adding proxmox - or any abstraction layer - is now adding more layers that have potential security issues.

And everyone is scanning your IP for vulnerabilities 24/7.

Plus, in my case, I want a completely separate network for Guest Wifi, IoT, etc and only some stuff hitting the LAN / homelab.

I ran pfSense on proxmox for a few years. It was fine, but unnecessarily complicated. I switched to an Intel n6005 mini PC and I’ll never go back. Having a second device meant I was able to get rid of my Dell R720xd and switch to consumer hardware with no internet downtime. It means if something happens and I have to hard reboot my server, I don’t have to worry about my partner getting booted from a video call. Etc. Etc. The mini PC was under $200. It sips power. It’s silent. It’s a no-brainer.

A problem in proxmox means no router. Are you comfortable resolving issues without Internet access?

I’ve run OPNsense as a VM for a few years now. I have it set up on HA and have gone into PVE and noticed that it failed over and failed back without me noticing at all a week earlier. I like being able to snapshot it before updates, though updates are always flawless.

I have the 2 ethernet ports on each node named the same and that seems to work fine. I can also live migrate it without it dropping a ping in order to update the host node’s OS, then migrate back.

I wouldn’t do it any other way, but it might take some time to figure out how to set up so it fails over properly.

Pros: less physical hardware to deal with. If you can set up to where your VM can move across proxmox nudes, that improves resilience.

Cons: if you can’t fail over, you could get to where you need to fuss with the box where the Opnsense VM lives and have to also take down Opnsense.