I just attached the host NIC to OPNsense and then have a vxlan in proxmox to make the VM network separate from the rest of my home network. Both the host NIC and the vxlan virtual NIC are attached to the VM.
The OPNsense VM acts as a router between the two networks. I host all my shit on the VM network under *.internal.legit.tld and use LetsEncrypt + Traefik to issue SSL certs which work without having to load a CA cert everywhere because I own legit.tld
The only bastard was having to adjust the MTU everywhere within the VM network, that caught me out a couple of times
Proxmox requires subtracting 50 from the MTU so it can store its vxlan information in the packet.
From the docs:
It’s super annoying but I couldn’t see another way of having VMs be able to talk to each other transparently regardless of which node they are on.
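The MTU pitfall described in the post, as an added check that is not part of the original post: the 50 bytes are the VXLAN encapsulation overhead (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), and the script below parses Linux `ip -o link show` output to flag any interface on the VM-network side still carrying a larger MTU. Interface names and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that interfaces on the
# VXLAN side of a Proxmox host leave room for the encapsulation overhead.
# Assumes Linux `ip -o link show` output; interface names are constructed.

# Inner MTU budget for a given underlay MTU. IPv4 underlay overhead is
# 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 8 (VXLAN) = 50 bytes, matching the
# "subtract 50" rule; an IPv6 underlay costs 20 bytes more.
vxlan_inner_mtu() {
  outer=$1
  family=${2:-4}
  case "$family" in
    4) echo $((outer - 50)) ;;
    6) echo $((outer - 70)) ;;
    *) echo "unknown address family: $family" >&2; return 1 ;;
  esac
}

# Reads `ip -o link show` lines on stdin and prints each interface whose MTU
# exceeds the allowed inner MTU. Exit status 0 if all fit, 1 otherwise.
check_mtus() {
  limit=$1
  awk -v limit="$limit" '
    {
      name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
      for (i = 1; i <= NF; i++)
        if ($i == "mtu" && $(i + 1) + 0 > limit + 0) { print name; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: the vxlan device and guest bridge were lowered to 1450,
# but one VM tap interface still has the default 1500, so that guest can emit
# frames the tunnel cannot carry intact.
SAMPLE_IP_LINK='5: vxlan_vmnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master vmnet state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
6: vmnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
7: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmnet state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff'

# On a real host, replace the sample with: ip -o link show | grep -E 'vmnet|tap'
printf '%s\n' "$SAMPLE_IP_LINK" | check_mtus "$(vxlan_inner_mtu 1500)" \
  && echo "all interfaces fit the VXLAN inner MTU" \
  || echo "the interfaces above exceed the inner MTU and need lowering"
```

Run it on each Proxmox node after changing the zone MTU; a 1500-byte tap left behind on one node is exactly the kind of mismatch that only shows up as intermittent failures for large packets.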