by m463 587 days ago
I run Proxmox and have set up VLANs.

The router port to the Proxmox machine is set up for tagged packets that isolate incoming/outgoing traffic.

After that my VMs and Containers are easily set up to "live" on one or more networks.

For me, the firewall rules on the router determine what traffic can be relayed between VLANs through the router.

I'm pretty sure you could set up OPNsense running in a container or VM to do the same thing, selectively passing traffic from one VLAN to another.

1 comment

I have a similar setup with a PM box and a Ubiquiti Dream Machine Pro. I provision VMs with a Terraform provider and have a script that processes Terraform outputs into an Ansible inventory INI file to handle configuration. I find it pretty straightforward and could take it further by scripting my VLAN setup, but it changes so infrequently I don't mind doing it manually.