Hypervisor configuration not adding 2 NICs for virtual pfSense

eiger3970 0 · Mar 24, 2023, 5:58 AM

I am trying to build:
1 bridged router.
2 physical wired NICs for WAN and LAN.
1 machine running Debian based OS, running hypervisor KVM/Qemu/Virt manager.
1 VM router pfSense.

The machine sees the 2 NICs, however the hypervisor seems to set up 1 virtual bridge?
I think I need 2 bridges to see the 2 NICs?
Here's my network topology: .
Configuring the network has a few options like
GUI: Virtual Manager.
TUI: Network scripts, Nmcli tool or Virsh command.
I tried the GUI, but Virtual Manager seems to show 1 NIC using Virtual Network Interface with a Network source: Virtual network 'default':NAT. I'm wondering why Virtual Manager only shows 1 NIC and a NIC unrelated to my 2 physical NICs?
Virtual manager has an option in Virtual Network Interface Network source to select Host device enp2s0:macvtap. Maybe this should be selected for 1 of my 2 physics NICs?
Creating a new VM in the hypervisor offers an option at Network selection as default, Virtual network 'default':NAT, however maybe I should select the option: Host device enp2s0:macvtap, Source mode: Bridge?
Regardless, after selecting enp2s0:macvtap, the VM router pfSense installs and only shows 1 LAN (vtnet0) -> v4: 192.168.1.1/24.
In VM router pfSense install, I select 1) Assign interfaces and the only valid interfaces are:
vtnet0 52:54:00:6c:84:7a VirtIO Networking Adapter.
This interface is Virtual Manager's NIC MAC address, not any of my 2 physical NICs' MAC addresses?

I tried the TUI Network scripts, creating this file in /etc/network/interfaces, however same issue?

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

# ip -c a, for interface details.
# loopback device.
auto lo
iface lo inet loopback

# WAN port (NIC1, top of case with I/O shield stuff).
auto enp3s0
iface enp3s0 inet manual

# LAN port (NIC2, bottom of case at PCIe slot).
auto enp2s0
iface enp2s0 inet manual

# WAN bridge pfSense is connected with veth0.  Veth0 is the FreeBSD Network Interface Name for virtio Network devices.
auto virbr0
iface virbr0 inet static
  bridge_ports enp3s0
  bridge_stp off
  bridge-fd 0

# LAN bridge pfSense is connected with veth1.
# Gateway is pfSense.
auto virbr1
iface virbr1 inet static
  address 192.168.1.120/24
  gateway 192.168.1.170
  bridge_ports enp2s0
  bridge-stp off
  bridge-fd 0
  bridge-pvid 4095
  bridge-vlan-aware yes
  bridge-vids 1-4044
# Save, exit and restart networking service:~$ sudo systemctl restart NetworkManager > Enter.

What am I doing wrong please?

viragomann · Mar 25, 2023, 9:28 AM

@eiger3970-0
You have set up two virtual bridges, virbr0 and virbr1, each using one of the NICs as slave.

In the VMM VM network configuration then select "brigde device" at source and enter the desired bridge below manually.

The "virtual network" settings in VMM is for configuring virtual networks, isolated or natted.
An isolated network can be used as DMZ for instance. A natted won't be needed, if running pfsense as a router within a VM.

eiger3970 0 · Mar 25, 2023, 9:28 AM

This post is deleted!

eiger3970 0 · Mar 25, 2023, 9:38 AM

@viragomann That fixed the hypervisor/VMM seeing the 2 NICs.
Now, my host machine cannot ping the VM and vice versa. My host machine needs to ping the VM router, so I can load a browser and configure the VM router.

My VM router can ping the LAN printer and google.com though.
Maybe I need to install a 3rd NIC for the host machine to be on the LAN?

Here's my updated network topology:

viragomann · Mar 25, 2023, 10:55 AM

@eiger3970-0
No, there is no additional interface needed for this.
It's not clear from this map, where the host is connected to now. But from the network settings above, it should be vibr1, which is LAN.
So any traffic from the host to any other subnet or internet has to pass pfSense. Therefore you have to set the pfSense LAN IP as default gateway on all devices. Check if this is done correctly.

Also consider that you have to allow access from outside on the devices in the virtual network. By default this is blocked by their own firewalls. Or maybe disable their firewalls for testing purposes.

eiger3970 0 · Mar 25, 2023, 12:08 PM

@viragomann the 1st post with the /etc/network/interfaces file is no longer used, as the VMM's GUI setup the bridges nicely.
Here are the current /etc/network/interfaces files I have tried to ping 192.168.1.1 on the VM router from 192.168.1.120 on the VMM host machine are:

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

auto lo
iface lo inet loopback

auto enp3s0
iface enp3s0 inet static
  address 192.168.1.120/24
  gateway 192.168.1.1

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet static
  address 192.168.1.120/24
  gateway 192.168.1.1

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

auto lo
iface lo inet loopback

auto macvtap1@enp2s0
iface macvtap1@enp2s0 inet static
  address 192.168.1.120/24
  gateway 192.168.1.1

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

auto lo
iface lo inet loopback

auto macvtap1
iface macvtap1 inet static
  address 192.168.1.120/24
  gateway 192.168.1.1

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:

auto lo
iface lo inet loopback

auto vtnet1
iface vtnet1 inet static
  address 192.168.1.120/24
  gateway 192.168.1.1

I updated the network topology a little to make it clearer?