Netgate Discussion Forum
    pfSense on Proxmox - use PCI Direct or Paravirtualized?

    • bearhntr

      I am looking to move pfSense to a Proxmox install. The box is set up to access IOMMU and has a 4-port NIC installed. Port 0 on there is WAN, port 1 is LAN, and the on-board NIC is used for the Proxmox console access.

      I am questioning if I should use a PCI Direct port for WAN, and set the LAN to para-virtualized, as there are other VMs on this box which will need access to the LAN. This would allow them a 10GB or 100GB connection to this port.

      I do not see a reason for the WAN port connecting to the modem's 1GB connection to be virtual.

      Looking for suggestions.

      • Patch @bearhntr

        @bearhntr
        The advantage of using WAN passthrough is that it decreases the exposure surface of your router. Only pfSense handles WAN traffic (not your hypervisor).

        The pfSense VM can be easily updated, and snapshots can be used to enable reverting to a prior version should that fail.

        Updating the Proxmox hypervisor involves more risk, as reverting to the prior version is more difficult should the update fail, and at that time you lose your normal internet access (as the Proxmox VM isn't running).

        In practice I maintain a backup physical router should a Proxmox update fail. However, the potential inconvenience persists, so in practice I'm more cautious and update Proxmox less frequently, increasing the value of not exposing Proxmox directly to the internet.

        I also use passthrough for the pfSense LAN NICs, as the single board computer has 6, so plenty for other functions.

        • bearhntr @Patch

          @patch

          I somewhat understand your answer. I have tried passing 2 ports of the 4-port NIC card as separate ports to the pfSense VM (see below - 1:00.0 and 1:00.1) - but when the VM starts, only one of them is seen.

          7ebdcfc5-dc63-422f-91f2-953f786cdc1d-image.png

          This is why I asked: can I just pass through the WAN port and use paravirtualized as the LAN port? Any advantages to this? Disadvantages: I understand that if I have to back up or restore, I cannot unless everything is virtualized.

          I have pfSense running on an HP T620+ ThinClient which, once I move, will be stored as a backup router/firewall in case something happens with Proxmox.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.