I’m not a hyper-v guy but i’d second the virtual switch approach.
This way you can use however many physical NICs at the hyper visor level to provide uplink redundancy, and use the in-host virtual switching to get potentially improved throughput (from network to network) rather than going in and out of the physical network.
Trunk ports and VLANs from the virtual switch to the physical switch. However that means you need a switch that is capable of setting up multiple VLANs (and have your WAN on one VLAN and your LAN side(s) on other VLANs).
Alternatively, another method rather than passing the NIC through directly you could also put the physical host adapter on a different virtual switch and do the isolation that way (as above).
It depends on what level of uplink redundancy you want, if you have everything on the same virtual switch with all your network adapters acting as trunks to your physical switch you can potentially get better throughput and it is impossible to plug the physical cables into the wrong NICs (as they’re all the same - the smarts are done in the virtual switch).
I’m a VMware guy normally, but from memory HyperV works similarly.
Definitely for what you’re doing though i wouldn’t bother messing with SR-IOV. It’s just not needed (and is just additional complexity), the emulated network adapters will be plenty fast enough - even up to 10 Gb ethernet and beyond.
edit:
one other note i’ll mention with PFSENSE. just be careful with it with regards to IPV6. Be sure to isolate it from your production environment / home network if you’re just playing with it and/or be sure to disable IPv6 on any interface that might have contact with the real network unless you KNOW what you’re doing.
if you have a pfsense LAN interface with IPv6 enabled facing a real network, it will send IPv6 router advertisements to your real network and will thus potentially re-route any IPv6 aware hosts on your network(s) via pfsense in your VM host.
I’ve broken my home network doing this before.
So yeah… be aware of that. I’d hate to see someone do it at work and inadvertently break their prod environment
TLDR: don’t bridge pfsense LAN interface to a real network without doing your homework