Hey all,
So here is my setup. I have PfSense virtualized in KVM on Debian 9. I have 3 NICs bridged and given to PfSense (WAN, LAN, OPT1). I have this tested and working behind my current router from my ISP. Now, when I want to roll this out, I will have my ISP router simply forward all traffic to my host machine, which in turn should forward it to my PfSense box. Am I able to guarantee that my PfSense VM takes priority over its host? Is that possible? Can I force my host machine to NOT take DHCP from my ISP, send the DHCP address to my WAN PfSense port, and then have my host machine take only a static IP from PfSense? It seems pointless to have my host machine open to the world when I want all the security features of PfSense to apply to the host machine as well.
I have configured it to where my host machine gets an IP from PfSense, and from within my PfSense LAN, I can access my host fine. For security reasons, I would like to know if I can force the situation above. One idea I had was to PCIe passthrough NICs and assign them as WAN and LAN, hook the host machine up to a switch connected to LAN, and have it take the IP from there; however, my computer doesn't support VT-d for passthrough.
I get it, this is more complicated than running PfSense on bare metal. I will do that if I have to, but first I want to know if I have to.
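The situation asked about above (host holds no address on the WAN bridge, takes its only address from the LAN bridge behind pfSense) comes down to how the bridges are declared on the Debian host. The following is an added illustration, not the poster's configuration or anything from the pfSense project: a constructed Debian-style `/etc/network/interfaces` text where the WAN bridge is `inet manual` (ifupdown brings the bridge up but starts no DHCP client and assigns no address to the host on it) and the LAN bridge is the only one the host configures an address on, plus two small shell checks that read that text back to confirm the split. The interface and bridge names (`enp1s0`, `enp2s0`, `enp3s0`, `br-wan`, `br-lan`, `br-opt1`) are assumptions; substitute the host's real ones.

```shell
#!/bin/sh
# Constructed example config for a KVM host that hands three NICs to a
# pfSense guest through Linux bridges. All interface/bridge names are assumed.
HOST_INTERFACES='
auto lo
iface lo inet loopback

# WAN bridge: "inet manual" means the host gets NO address here and runs no
# DHCP client on it, so the ISP DHCP lease is only taken by the pfSense guest
# whose WAN vNIC is attached to br-wan.
auto br-wan
iface br-wan inet manual
    bridge_ports enp1s0
    bridge_stp off
    bridge_fd 0

# LAN bridge: the only bridge the host configures an address on. The host
# is a DHCP client of pfSense here (or use "inet static" with a LAN address).
auto br-lan
iface br-lan inet dhcp
    bridge_ports enp2s0
    bridge_stp off
    bridge_fd 0

# OPT1 bridge: same treatment as WAN, the host stays address-less on it.
auto br-opt1
iface br-opt1 inet manual
    bridge_ports enp3s0
    bridge_stp off
    bridge_fd 0
'

# host_addr_mode NAME CONFIG_TEXT
# Prints the address method ("manual", "dhcp", "static", ...) declared for
# the named interface in an ifupdown-style config, or nothing if absent.
host_addr_mode() {
    printf '%s\n' "$2" | awk -v want="$1" '$1 == "iface" && $2 == want { print $4; exit }'
}

# wan_bridge_isolated NAME CONFIG_TEXT
# Succeeds (exit 0) only when the host configures no address on that bridge,
# i.e. its method is "manual"; fails for dhcp/static or an unknown interface.
wan_bridge_isolated() {
    [ "$(host_addr_mode "$1" "$2")" = "manual" ]
}

# live_host_has_ipv4 NAME
# Runtime counterpart for a real host (needs iproute2, not used offline):
# succeeds if the kernel currently holds any IPv4 address on the interface.
# On a correctly split host this should fail for br-wan and succeed for br-lan.
live_host_has_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

# Stand-alone run: report the address method of each bridge in the sample text.
for br in br-wan br-lan br-opt1; do
    printf '%s: %s\n' "$br" "$(host_addr_mode "$br" "$HOST_INTERFACES")"
done
```

Two things worth checking after applying a config like this on the real host: `ip -4 addr show dev br-wan` should list no `inet` address, and `ps` should show no `dhclient` bound to `br-wan`. The host's NIC and bridge still forward frames at layer 2 on the WAN side, but with no address and no DHCP client the host has no IP presence there, so its only reachable address is the one pfSense hands it on the LAN side.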