
Struggling with configuring pfSense/Hyper-V

Hey all, having some issues assigning NICs with Hyper-V and pfSense. I have a Dell PowerEdge 720xd that's very underutilized, so I thought I'd try to spin up some VMs, starting with pfSense. Where I get stuck is with NICs. How necessary is hardware pass-through or SR-IOV? Here's what I've tried so far.

  1. Installed a NIC I had lying around (Broadcom 5709 dual-port, Bcm5709cc0kpbg).
  2. Attempted HW pass-through via PowerShell; however, at this point I realized the device wasn't only a network device but also a storage device (iSCSI) and a system device. PowerShell kept giving me errors, so I moved on to SR-IOV.
  3. Enabled SR-IOV for the two NICs and added them to the VM. Upon booting, pfSense sees the VMs, but the links are always down, even when activity lights are present.

So that brings me to: is having hardware support necessary? I do have a Gb connection to the house that I regularly saturate, so I want to ensure I have all the performance I can get. If it isn't necessary, how can I configure Hyper-V to use the NICs as is? Do they each need their own virtual switch?

Been a while since I played with this setup, but the easiest way to get it working is to have two virtual switches: one that connects to your WAN connection and that only the pfSense VM is connected to, and another that you connect to your physical switch, the pfSense VM, and everything else on the box. This is assuming you want the pfSense VM to route for your whole network exclusively. Hardware support isn't necessary, as Hyper-V can emulate an Intel NIC for the pfSense VM if need be (if I remember correctly).

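The two-switch layout described in the reply above, written out as Hyper-V PowerShell (an added example, not from the thread or the pfSense project). The physical adapter names NIC1 (to the modem) and NIC2 (to the LAN switch) and the VM name pfSense are assumptions; check yours with Get-NetAdapter and Get-VM.

```powershell
# Added example (not from the thread): two external vSwitches for a pfSense VM on Hyper-V.
# Assumptions: physical adapters "NIC1" (WAN/modem side) and "NIC2" (LAN switch side),
# and a VM named "pfSense". Adjust these to match Get-NetAdapter and Get-VM on your host.
$WanNic = 'NIC1'
$LanNic = 'NIC2'
$VmName = 'pfSense'

# WAN switch: only the pfSense VM attaches here. -AllowManagementOS $false means the
# host gets no vNIC on this switch, so the hypervisor itself is never exposed on the WAN segment.
New-VMSwitch -Name 'vSwitch-WAN' -NetAdapterName $WanNic -AllowManagementOS $false

# LAN switch: pfSense, the other VMs and (through a host vNIC) the host itself share it.
New-VMSwitch -Name 'vSwitch-LAN' -NetAdapterName $LanNic -AllowManagementOS $true

# Replace the VM's default adapter with one adapter per switch, named so that the
# interface assignment inside pfSense is unambiguous. The VM must be powered off.
Stop-VM -Name $VmName -Force -ErrorAction SilentlyContinue
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName 'vSwitch-WAN'
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName 'vSwitch-LAN'

# Stay on the synthetic adapters (SR-IOV off via IovWeight 0) and keep MAC spoofing off,
# so the VM cannot source frames with another host's MAC on either segment. Bridging
# interfaces inside the guest (e.g. a VPN tap bridge) is the one case that needs it On.
Get-VMNetworkAdapter -VMName $VmName |
    Set-VMNetworkAdapter -IovWeight 0 -MacAddressSpoofing Off

# Verify: each VM adapter sits on the intended switch, and no host vNIC is on the WAN switch.
Get-VMNetworkAdapter -VMName $VmName | Format-Table Name, SwitchName, MacAddress
Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq 'vSwitch-WAN' |
    ForEach-Object { Write-Warning "Host vNIC '$($_.Name)' is attached to the WAN switch" }
```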

I'm not a Hyper-V guy, but I'd second the virtual switch approach.

This way you can use however many physical NICs at the hypervisor level to provide uplink redundancy, and use the in-host virtual switching to get potentially improved throughput (from network to network) rather than going in and out of the physical network.

Trunk ports and VLANs from the virtual switch to the physical switch. However, that means you need a switch that is capable of setting up multiple VLANs (and have your WAN on one VLAN and your LAN side(s) on other VLANs).

Alternatively, rather than passing the NIC through directly, you could also put the physical host adapter on a different virtual switch and do the isolation that way (as above).

It depends on what level of uplink redundancy you want. If you have everything on the same virtual switch, with all your network adapters acting as trunks to your physical switch, you can potentially get better throughput, and it is impossible to plug the physical cables into the wrong NICs (as they're all the same; the smarts are done in the virtual switch).

I'm a VMware guy normally, but from memory Hyper-V works similarly.

Definitely for what you're doing, though, I wouldn't bother messing with SR-IOV. It's just not needed (and is just additional complexity); the emulated network adapters will be plenty fast enough, even up to 10 Gb Ethernet and beyond.

edit:

One other note I'll mention with pfSense: just be careful with it with regard to IPv6. Be sure to isolate it from your production environment / home network if you're just playing with it, and/or be sure to disable IPv6 on any interface that might have contact with the real network unless you KNOW what you're doing.

If you have a pfSense LAN interface with IPv6 enabled facing a real network, it will send IPv6 router advertisements to your real network and will thus potentially re-route any IPv6-aware hosts on your network(s) via pfSense in your VM host.

I’ve broken my home network doing this before. :slight_smile:

So yeah… be aware of that. I’d hate to see someone do it at work and inadvertently break their prod environment :smiley:

TL;DR: don't bridge the pfSense LAN interface to a real network without doing your homework.


I'm trying to P2V a Linux server alongside a pfSense VPN client which spans/bridges to another network via a VPN tap. I have the pfSense setup working on physical hardware, but when I virtualize it with Hyper-V, it breaks.
I literally exported the config and reloaded it onto the VM. I haven't had much luck using Hyper-V for anything other than basic functions when it comes to pfSense.
I think there is an issue with port bridging in Hyper-V.