So the PC connected to OPNsense is running Proxmox for its OS? Create a bridge for each physical interface, then add a tagged interface to it for the one connected to OPNsense; e.g., vmbr2 could have enp2s0.100 and enp9s1f0 as members. Just add .vlanid to the end of the interface name in the bridge settings in Proxmox, and don't make the bridges VLAN aware. If vmbr0 is VLAN aware then just add vmbr0.100 instead of enp2s0.100. With that setup the server will switch packets between the VLANs on enp2s0 and the other interfaces. Don't need to put any VMs on the bridges.
Will add: this is using the PC like a switch; you're probably better off using an actual switch with VLAN configuration instead.
So first thing, an open port isn't a bad thing most of the time. And a malware infection doesn't need open ports, nor does modern malware try to open ports.
How did they check for these open ports? Did they log in to the router and check? Run a scan from an external service?
The most common explanation for unknown open ports on a router in a home network will be a feature called "Universal Plug and Play", or UPnP for short. This allows IoT devices to ask the router for a port to be opened, and by default most home routers will do just that. Devices like security cameras etc. often do that so you can access the video from a phone or something. Games also sometimes use UPnP to open ports for multiplayer.
It's considered good security practice to disable UPnP as a lot of devices don't really protect the services they expose through UPnP; but that still doesn't make open ports an indication of malware.
On the subject of games, is there anyone in the house that might try to host a game server? Even something as simple as Minecraft doesn't need any additional software, and a Google search for "friends can't connect to Minecraft game" will show instructions on how to set up port forwarding etc.
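Added example, not part of the comment above: a short Python audit that reads the router's UPnP port-mapping table, attributes each forwarded port to the LAN device it points at, and reports which scanner-reported open ports UPnP does not account for. The table layout is assumed to be the one printed by miniupnpc's `upnpc -l`; the sample rows, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the layout assumed for miniupnpc's `upnpc -l` output.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 25565->192.168.1.50:25565 'Minecraft' '' 0
 1 UDP 32100->192.168.1.77:32100 'IPCam P2P' '' 3600
 2 TCP  8080->192.168.1.77:80    'IPCam web' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# index, protocol, external port -> LAN address:internal port, 'desc' 'remote' lease
ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+"
    r"'(?P<desc>.*)'\s+'[^']*'\s+(?P<lease>\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per mapping row; header and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"proto": m["proto"], "ext_port": int(m["ext"]),
                         "host": m["host"], "int_port": int(m["int"]),
                         "desc": m["desc"],
                         "permanent": m["lease"] == "0"})  # lease 0 = no expiry
    return rows

def by_host(rows):
    """Group mappings by the LAN device the port is forwarded to."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["host"]].append(r)
    return dict(grouped)

def explain(open_ports, rows):
    """Split scanner-reported (proto, port) pairs into UPnP-explained and not."""
    known = {(r["proto"], r["ext_port"]): r for r in rows}
    explained = {p: known[p] for p in open_ports if p in known}
    return explained, [p for p in open_ports if p not in known]

if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    for host, maps in by_host(rows).items():
        print(host, [(r["proto"], r["ext_port"], r["desc"]) for r in maps])
    print("unexplained:", explain([("TCP", 25565), ("TCP", 8080), ("TCP", 22)], rows)[1])
```

Ports left in the unexplained list were not opened through UPnP, so the next places to check are the router's manual port-forwarding rules and its own remote-management settings.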