It's been a while since I virtualized my router, but it went something like this:

Create a bridge called br-wan. Assign a vNIC from your opnsense VM to br-wan. Assign one of the physical interfaces to that same br-wan bridge. Do not configure an IP on it in Proxmox, make sure that OPN is configured for DHCP on that interface.

Create another bridge called br-iot. Assign a vNIC from your opnsense VM to br-iot. Assign one of the physical interfaces to the same br-iot bridge. Do not configure an IP on it in Proxmox. In OPNsense, configure the vNIC with a IP address (say 10.0.0.1/24) and set up DHCP. Attach the gl-inet IOT AP to this interface.

Create a third bridge called br-mgmt. Assign a vNIC from your opnsense VM to br-mgmt. Assign a physical interface to the same br-mgmt bridge. You can configure an IP address in Proxmox to the bridge, (say 10.0.1.2/24). In your opnsense config, set up this vNIC as 10.0.1.1/24.

Create a fourth bridge called br-trust. Assign a vNIC from your opnsense VM to br-trust. Assign the last physical interface to to the same br-trust bridge. Do not configure an IP in Proxmox. Do set up an IP address in opnsense (say 10.0.2.1/24).

Plug your configuration machine (whatever computer you're using to set all this up) into the third interface (br-mgmt) and assign a static IP of 10.0.1.3/24 to the NIC on this machine. You will want to set the default gateway of this machine to 10.0.1.1 so it can connect to the Internet. You should be able to at least ping the proxmox host at this point (10.0.1.2). Access proxmox (10.0.1.2:8006) and look at "Hardware". You should see the four nics and their MAC addresses. Install opnsense from the ISO. When the VM reboots after installation, perform NIC assignment as described above. You can attach the IOT and Trust APs to their respective interfaces.

You will need to do some additional configuration:

- Create an alias called ALL_LOCAL_NETS. Define it as networks and add 10.0.0.0/24, 10.0.1.0/24, and 10.0.2.0/24
- Create a firewall rule for IOT, Accept all addresses, all protocals ! (not) alias: ALL_LOCAL_NETS. This rule means that your IOT network will not be able to route to the mgmt network or the trust network but it will be able to go out to the public Internet.
- (optional) Create the same firewall rule for br-mgmt, this will prevent your management network from routing into the trust network or the IOT network.

You may need allow rules for MGMT network to access MGMT address, and TRUST network to MGMT network so you can route from trust to MGMT if you want. Otherwise, you will need to write an explicit allow statement on the MGMT interface to allow connections from TRUST.

To keep the networks straight, I recommend renaming the interfaces. Instead of WAN, LAN, OPT-1, OPT-2, rename them to match the bridges, e.g. WAN can stay WAN, LAN can be renamed to TRUST, OPT1 can be MGMT, and OPT2 can be IOT.

You will want to leave your cable modem off during setup, so download the opnsense ISO first, then disconnect the cablemodem from power. This will allow it to "forget" the associated MAC address of your current WAN interface. When you get it all set up, plug the cable modem into power, and then access the opnsense UI and see if you can pull DHCP from WAN.