Router-On-A-Stick configuration with a Firewall VM on ESXi and a Physical Switch?!


I have the following in my lab.

  • Physical Managed Switch

  • Physical ESXi server (connected to port 5 on switch)

  • Windows 10 VM running on ESXi Server (connected to vmnic1, port 6 on TP-Link)

  • OPNsense Firewall VM running on ESXi Server (connected to vmnic1, port 6 on TP-Link)

The OPNsense Firewall VM can do Sub-Interfaces, and VLAN tags.

I'm looking to have a Router-On-A-Stick configuration where the Router VM is running inside ESXi while the switch is physical. All VLAN configurations will be on the physical switch. I have read that VLAN configurations must be done on either the physical switch or the vSwitch, not both.

The way I see it, the traffic flow in this case is as follows:

  • Traffic from Windows 10 VM will come to vSwitch11 (VLAN 11 vSwitch connected to vmnic1, port 6 on physical switch)
  • Traffic from Port 6 will go to Port 5 on physical switch (Port 5 is trunk and is vmnic0 in ESXi)
  • The Firewall VM vNIC, which is on vmnic0, will receive VLAN 11 traffic

My question is whether it's possible to have Router-On-A-Stick, and will traffic ever leave the ESXi vSwitch?

Thank You
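Added example (not from the post or from OPNsense/ESXi) that models the hop-by-hop 802.1Q handling on the path described above; it assumes port 6 is an access port in VLAN 11, port 5 is a trunk, and the ESXi port group on vmnic0 is set to VLAN 4095 so the tag reaches the OPNsense vlan11 subinterface.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800
# Assumed port roles (not stated in the post): 6 = access VLAN 11, 5 = trunk to vmnic0.
SWITCH_PORTS = {6: ("access", 11), 5: ("trunk", {11})}

def vlan_of(frame):
    """VID from the 802.1Q tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag (PCP 0, DEI 0, VID) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def strip_tag(frame):
    return frame[:12] + frame[16:]

def switch_ingress(port, frame):
    """Classify an arriving frame: (vid, untagged frame), or None if the port drops it."""
    mode, cfg = SWITCH_PORTS[port]
    vid = vlan_of(frame)
    if mode == "access":
        if vid not in (None, cfg):          # tag for a foreign VLAN on an access port
            return None
        return cfg, (strip_tag(frame) if vid is not None else frame)
    if vid is None or vid not in cfg:       # trunk: must be tagged with an allowed VID
        return None
    return vid, strip_tag(frame)

def switch_egress(port, vid, frame):
    """Frame as it leaves a port: untagged on an access port, tagged on a trunk."""
    mode, cfg = SWITCH_PORTS[port]
    if mode == "access":
        return frame if cfg == vid else None
    return add_tag(frame, vid) if vid in cfg else None

def trace_win10_to_firewall():
    """Win10 VM -> vmnic1/port 6 -> port 5/vmnic0 -> OPNsense vlan11; returns (trunk VID, recovered?)."""
    win10_mac = bytes.fromhex("0a0000000001")   # constructed MAC addresses
    fw_mac = bytes.fromhex("0a0000000002")
    frame = fw_mac + win10_mac + struct.pack("!H", ETH_IPV4) + b"constructed IPv4 payload"
    vid, inner = switch_ingress(6, frame)       # access port assigns VLAN 11
    on_trunk = switch_egress(5, vid, inner)     # tagged frame on the wire to vmnic0
    # VLAN 4095 port group passes the tag through; the vlan11 subinterface strips it.
    recovered = strip_tag(on_trunk) if vlan_of(on_trunk) == 11 else None
    return vlan_of(on_trunk), recovered == frame
```

The frame leaves the vSwitch untagged on vmnic1 and comes back tagged with VID 11 on vmnic0, which is what the firewall's vlan11 subinterface needs to see.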

