OPNsense Gateway Cutover — Execution Checklist¶
Date: 2026-02-21 Window: 30 minutes max Rollback time: ~2 minutes Alternative internet: Phone tethering (safety net only)
Before You Start¶
- [ ] Open Proxmox web UI:
https://192.168.0.237:8006 - [ ] Open this file on your phone (in case Mac loses connectivity)
- [ ] Have an Ethernet cable ready for nic1
- [ ] Announce: "Internet will be down for up to 30 minutes"
- [ ] Note current time: __
Step 1: Connect nic1 to Switch¶
Physical:Plug an Ethernet cable from Proxmoxnic1 (2nd port) into the MokerLink switch.
Verify from Mac terminal:
ssh [email protected] "ip link show nic1 | grep 'state UP'"
Expected: state UP
- [ ] nic1 shows UP
Step 2: Apply Proxmox Network Config¶
This moves management IP from vmbr0 → vmbr1 (now on the switch via nic1).
ssh [email protected] "sudo cp /etc/network/interfaces.cutover /etc/network/interfaces && sudo cp /etc/network/interfaces.d/vmbr1.cutover /etc/network/interfaces.d/vmbr1 && sudo ifreload -a"
Verify:
ssh [email protected] "ip -br addr show vmbr0 && ip -br addr show vmbr1"
Expected:
vmbr0— no IP (manual)-
vmbr1—192.168.0.237/24 -
[ ] vmbr0 has no IP
- [ ] vmbr1 has 192.168.0.237/24
- [ ] Proxmox web UI still works at
https://192.168.0.237:8006
Step 3: Swap Cables¶
Physical — two cable changes¶
- Unplug ISP Ethernet from TP-Link WAN port→ plug intoProxmox nic0
- Unplug the old switch cable from Proxmox nic0 (no longer needed)
Result: nic0 faces ISP modem, nic1 faces switch.
Internet is now DOWN for everyone. Clock is ticking.
- [ ] ISP cable in Proxmox nic0
- [ ] Old switch cable removed from nic0
Step 4: Verify OPNsense Gets Public IP¶
Open Proxmox web UI→ VM 100 (OPNsense) →Console.
In the OPNsense console (or web UI from the console browser):
- Dashboard → Interfaces → WAN → should show a public IP via DHCP
If no public IP: wait 30 seconds, then run in OPNsense console:
- [ ] OPNsense WAN has a public IP
If no public IP after 2 minutes → ROLLBACK (see bottom of this file)
Step 5: Switch TP-Link to AP Mode¶
From Mac (still connected to WiFi):
- Open
http://192.168.0.1(TP-Link admin) - Operation Mode → Access Point
- Set static IP: 192.168.0.2
- Apply (TP-Link reboots, ~1 minute)
- After reboot: move TP-Link cable from WAN portto aLAN port on the switch
WiFi will briefly drop and reconnect. Same SSID/password = auto-reconnect.
- [ ] TP-Link in AP mode
- [ ] TP-Link cable: LAN port → switch (NOT WAN port)
- [ ] Mac reconnected to WiFi
Step 6: Configure OPNsense LAN¶
From Proxmox web UI→ VM 100 (OPNsense) →Console:
Open OPNsense web UI inside the console (https://192.168.1.1):
6a. Change LAN IP¶
- Interfaces → LAN
- IPv4:
192.168.0.1/24 - Save → Apply
6b. Enable DHCP¶
- Services → DHCPv4 → LAN
- Enable: checked
- Range:
192.168.0.100–192.168.0.250 - DNS server:
192.168.0.10 - Gateway:
192.168.0.1 - Save
6c. Add Static Mappings¶
- Docker VM: MAC
BC:24:11:A8:E9:C5→192.168.0.10 - TP-Link AP: (get MAC from lease list) →
192.168.0.2 - Save → Apply
After applying, OPNsense LAN is at 192.168.0.1. Proxmox gateway now works.
- [ ] LAN IP changed to 192.168.0.1
- [ ] DHCP enabled (range .100–.250, DNS .10, gateway .1)
- [ ] Docker VM static mapping added
Step 7: Re-IP Docker VM¶
Docker VM's gateway (192.168.1.1) is gone. Fix from Proxmox:
ssh [email protected] "sudo qm guest exec 101 -- bash -c 'ip addr del 192.168.1.10/24 dev ens18; ip addr add 192.168.0.10/24 dev ens18; ip route add default via 192.168.0.1'"
If qm guest exec fails, use Proxmox web UI → VM 101 → Console, then:
sudo ip addr del 192.168.1.10/24 dev ens18
sudo ip addr add 192.168.0.10/24 dev ens18
sudo ip route add default via 192.168.0.1
Make it persistent:
ssh [email protected] "sudo qm guest exec 101 -- bash -c \"sed -i 's/192.168.1.10/192.168.0.10/g; s/gateway 192.168.1.1/gateway 192.168.0.1/g' /etc/network/interfaces\""
Or edit via Proxmox console if sed doesn't work.
Verify:
ssh [email protected] "ip addr show ens18 | grep inet && ping -c1 8.8.8.8"
- [ ] Docker VM at 192.168.0.10
- [ ] Docker VM has internet (ping 8.8.8.8)
Step 8: Verify — The Family Test¶
Internet¶
- [ ] Reconnect phone WiFi → gets 192.168.0.x IP
- [ ] Phone can browse the web
- [ ] Netflix works on TV (the real test)
Homelab¶
- [ ] SSH to Docker VM:
ssh docker-vm(Tailscale) orssh <[email protected]> - [ ] Pi-hole resolving:
ssh <[email protected]> "docker exec pihole dig google.com @127.0.0.1 +short" - [ ] Vaultwarden accessible
- [ ] Proxmox web UI:
https://192.168.0.237:8006 - [ ] OPNsense web UI:
https://192.168.0.1(from Mac) - [ ] Tailscale:
tailscale status
Announce: "Internet is back!"¶
- [ ] Note completion time: __
Rollback (If Anything Goes Wrong)¶
Before step 6 (OPNsense LAN still 192.168.1.x)¶
# 1. Revert Proxmox config
ssh [email protected] "sudo cp /etc/network/interfaces.original /etc/network/interfaces && sudo cp /etc/network/interfaces.d/vmbr1.original /etc/network/interfaces.d/vmbr1 && sudo ifreload -a"
# 2. Physical: ISP cable back to TP-Link WAN, switch cable back to Proxmox nic0, unplug nic1
# 3. TP-Link: reboot to restore router mode (if AP mode was applied)
After step 6 (OPNsense LAN already at 192.168.0.x)¶
- OPNsense console: Interfaces → LAN → change back to
192.168.1.1/24, Apply - Docker VM:
ip addr del 192.168.0.10/24 dev ens18; ip addr add 192.168.1.10/24 dev ens18; ip route add default via 192.168.1.1 - Then do the cable/config revert above
Nuclear option¶
Connect Mac to phone tethering, SSH to VPS, figure it out from there.