Netgate Discussion Forum

    NIC passthrough vs OS bridge

    Category: Virtualization
    29 Posts 3 Posters 5.4k Views
    • NollipfSense @eiger3970 0

      @eiger3970-0 said in NIC passthrough vs OS bridge:

      May I ask if you're using Hypervisor VMM and running pfSense as a KVM?

      No, I am using Proxmox v8.04...I thought that's what you were using also.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

    • eiger3970 0 @NollipfSense

        @NollipfSense
        Thanks, this explains the simplicity, which is a good feature of Proxmox. I used Proxmox for years.
        I've moved on to VMM and KVM for several reasons.

    • eiger3970 0 @eiger3970 0

          @eiger3970-0
          Ok, I've figured out the topology of the network.
          Any suggestions how to configure it please?

          Network topology: NIC0->KVM router WAN, NIC1->KVM router LAN.
          First layer 2 network (Br0):
          Modem==(Host-NIC0)---Br0---Net1---PFSenseWAN(NIC0)

          Second layer 2 network (Br1):
          24 port SW==(Host-NIC1)---Br1---Net2---PFSenseLAN(NIC1)

          Virtual NIC 0:
          this NIC should be assigned to Br1, so your host will get ip/gw from FW like other clients.

          Host Ubuntu will manually create Br0 and Br1.
          I'm not sure how or where to create Net1 and Net2?

    • Patch @eiger3970 0

            @eiger3970-0 yep
            That’s a standard pfsense install for a virtual machine.

            • Wan NIC connected to a virtual switch (a bridge). VM wan connected to the bridge by a virtual NIC.
            • structure repeated for the LAN using a different physical NIC, virtual switch (bridge) and virtual nic for pfsense VM.
            • hypervisor configuration added to connect it to the virtual switch (bridge) which pfSense LAN connects to.

            The variants are:

            1. pass through the WAN NIC. Doing so means your hypervisor is not exposed to the internet.
            2. pass through both NICs to pfsense, doing so means the hypervisor will need a third physical NIC and external physical switch to connect to your LAN (and in turn connect to the internet via the pfsense VM)
    • eiger3970 0 @Patch

              @Patch Thank you.
              So, will the host Ubuntu have LAN and Internet access?
              My idea seems to enable the host Ubuntu to have LAN and Internet access via vNIC0.

              Your 1. variant is in line with my proposed setup, right?
              Your 2. variant is not an option, as I only want 2 physical NICs, rather than 3 physical NICs.

              So, this is my understanding so the host Ubuntu, KVMs and LAN devices can have communication and Internet:
              NIC0, let's call it WAN (that is the interface which will access modem through Host's Br0)
              NIC1, let's call it LAN (provides internet access to the LAN-Wired/Wireless and even the host)

              First layer 2 network (Br0):
              Modem==(Host-NIC0)---Br0(Net1)---PFSenseWAN(NIC0)

              Second layer 2 network (Br1):
              24 port SW==(Host-NIC1)---Br1(Net2)---PFSenseLAN(NIC1)

              Virtual NIC 0 (vNIC0) on HOST:
              this vNIC should be assigned to Br1, so the host will get IP/GW from the FW like other clients.

    • Patch @eiger3970 0

                @eiger3970-0 said in NIC passthrough vs OS bridge:

                Your 1. variant is in line with my proposed setup, right?

                No.
                You have passed zero NIC to any virtual machines. Your virtual machines are only connected by virtual NIC to virtual switches (ie a bridge). That is the normal way of configuring virtual machines. I probably should have labelled it option zero.

                The alternative 1) listed above passes the hardware of one physical NIC to one VM. Doing so means no other VM or hypervisor can access that NIC while that VM is running. The system cost for the WAN NIC may not be that high as often only the software router should access that NIC.

                Alternative 2) above passes the hardware of two physical NICs to one VM. Doing so means no other VM or hypervisor can access those 2 NICs while that VM is running. The system cost for which is your physical hardware needs at least 3 physical NICs. That cost is too high in some systems. I run Proxmox on a minicomputer with 6 physical NICs so I pass through a WAN and multiple LAN NICs to my pfsense VM.

    • NollipfSense @Patch

                  @Patch said in NIC passthrough vs OS bridge:

                  Alternative 2) above passes the hardware of two physical NICs to one VM. Doing so means no other VM or hypervisor can access those 2 NICs while that VM is running. The system cost for which is your physical hardware needs at least 3 physical NICs. That cost is too high in some systems. I run Proxmox on a minicomputer with 6 physical NICs so I pass through a WAN and multiple LAN NICs to my pfsense VM.

                  Agree, and one can always link other VMs to the Linux bridge vmbr2...if the VM needs a port opened, then one can use HAproxy on pfSense. Alternative 2 is so flexible offering both external and internal switch expansion as well as control.


    • eiger3970 0 @NollipfSense

                    @NollipfSense
                    Ok, well according to your description, the network architecture I am looking for seems to be
                    Option2: hardware NIC0 and NIC1 passes to the KVM router pfSense.
                    Doing so means no other VM or hypervisor (also no host?) can access NIC0 or NIC1 while KVM router pfSense is running.
                    Why is a 3rd physical NIC2 needed?
                    The host, hypervisor, KVMs and LAN devices could connect by virtual NIC to virtual switches (ie a bridge)?
                    Option0: the normal way of configuring virtual machines with
                    NIC0 connected to virtual NIC to virtual switches (ie a bridge) and
                    NIC1 connected to virtual NIC to virtual switches (ie a bridge).

                    I simply need my Host, LAN devices and KVMs to communicate and have Internet, preferably with the simplest/most efficient network architecture (currently with 2 NICs available).

                    How are you 'passing' your NICs to the KVM? You mentioned you're on Proxmox, so it may be a case of just plugging in, but I'm trying to figure out how on Host Ubuntu, Hypervisor VMM and KVM router pfSense.

    • Patch @eiger3970 0

                      @eiger3970-0 said in NIC passthrough vs OS bridge:

                      Option2: hardware NIC0 and NIC1 passes to the KVM router pfSense.
                      ...
                      Why is a 3rd physical NIC2 needed?
                      The host, hypervisor, KVMs and LAN devices could connect by virtual NIC to virtual switches (ie a bridge)?

                      because while the hypervisor and other VMs can be connected by virtual NIC to a virtual switch (bridge), that bridge cannot be connected to a physical NIC or your physical switch without another physical NIC (one whose hardware has not been passed through to a VM, eg pfsense)

    • eiger3970 0 @Patch

                        @Patch Ok.
                        I guess I'll have to set up something like this?

    • Patch @eiger3970 0

                          @eiger3970-0 with two physical NICs, option 0 or 1 are most sensible.

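As an added example, not code from the thread or from any of its posters: the host-side rendering of the two layouts Patch ends on (option 0, both physical NICs on bridges with the VM attached by vNICs; option 1, the WAN NIC passed through and only the LAN bridge left), on the Ubuntu host with netplan and libvirt that eiger3970 asks about. The interface names enp1s0/enp2s0, the PCI address 0000:01:00.0 and the output file names are assumptions. The script only renders the files and checks that the WAN bridge carries no host address; copying them into place and applying them is a manual step.

```shell
#!/bin/sh
# Added example, not from the thread: render the Ubuntu host side of the
# two-bridge pfSense VM layout for "option 0" (both physical NICs on bridges,
# VM attached by vNICs) and "option 1" (WAN NIC passed through, only the LAN
# bridge exists). Interface names and the PCI address are assumed placeholders.
set -eu

WAN_NIC="${WAN_NIC:-enp1s0}"        # assumption: host NIC0, cabled to the modem
LAN_NIC="${LAN_NIC:-enp2s0}"        # assumption: host NIC1, cabled to the 24-port switch
WAN_PCI="${WAN_PCI:-0000:01:00.0}"  # assumption: PCI address of NIC0 (from lspci -D)

# Host netplan. br0 (option 0 only) enslaves the WAN NIC and carries the VM's
# WAN vNIC, but gets no address, no DHCP and no link-local: the hypervisor
# is not reachable from the modem side. br1 enslaves the LAN NIC and is where
# the host takes its own IP/GW from pfSense, like any other LAN client (vNIC0).
render_netplan() {  # $1 = 0 or 1
  printf 'network:\n  version: 2\n  renderer: networkd\n  ethernets:\n'
  if [ "$1" = 0 ]; then
    printf '    %s:\n      dhcp4: false\n' "$WAN_NIC"
  fi
  printf '    %s:\n      dhcp4: false\n' "$LAN_NIC"
  printf '  bridges:\n'
  if [ "$1" = 0 ]; then
    printf '    br0:\n      interfaces: [%s]\n' "$WAN_NIC"
    printf '      dhcp4: false\n      dhcp6: false\n      link-local: []\n'
  fi
  printf '    br1:\n      interfaces: [%s]\n      dhcp4: true\n' "$LAN_NIC"
}

# Guest side: libvirt <devices> fragments for the pfSense VM (paste via
# "virsh edit"). Option 0: two bridged virtio vNICs. Option 1: the WAN NIC is
# a PCI hostdev (the host must have the IOMMU enabled and the NIC bound to
# vfio-pci first); the LAN side stays a bridged vNIC.
render_vm_interfaces() {  # $1 = 0 or 1
  if [ "$1" = 0 ]; then
    printf "<interface type='bridge'>\n  <source bridge='br0'/>\n  <model type='virtio'/>\n</interface>\n"
  else
    domain=$(printf '%s' "$WAN_PCI" | cut -d: -f1)
    bus=$(printf '%s' "$WAN_PCI" | cut -d: -f2)
    slotfn=$(printf '%s' "$WAN_PCI" | cut -d: -f3)
    slot=${slotfn%.*}
    fn=${slotfn#*.}
    printf "<hostdev mode='subsystem' type='pci' managed='yes'>\n  <source>\n"
    printf "    <address domain='0x%s' bus='0x%s' slot='0x%s' function='0x%s'/>\n" \
      "$domain" "$bus" "$slot" "$fn"
    printf "  </source>\n</hostdev>\n"
  fi
  printf "<interface type='bridge'>\n  <source bridge='br1'/>\n  <model type='virtio'/>\n</interface>\n"
}

# Check the property option 1 is chosen for ("the hypervisor is not exposed
# to the internet"): the br0 stanza, if there is one, must carry no address
# configuration. Reads netplan YAML on stdin; exit 0 = host has no IP on br0.
host_not_on_wan() {
  stanza=$(awk '/^    br0:/ {f=1; print; next} f && /^    [a-z]/ {f=0} f {print}')
  if printf '%s\n' "$stanza" | grep -Eq 'dhcp[46]: true|addresses:'; then
    return 1
  fi
  return 0
}

# Usage: sh pfsense-host-net.sh --write OUTDIR [0|1]
# Review the files in OUTDIR, copy the YAML to /etc/netplan/ and run
# "sudo netplan apply", then add the XML to the VM's <devices> element.
if [ "${1:-}" = "--write" ]; then
  outdir="${2:?output directory}"
  option="${3:-0}"
  mkdir -p "$outdir"
  render_netplan "$option" > "$outdir/50-pfsense-bridges.yaml"
  render_netplan "$option" | host_not_on_wan || {
    echo "refusing: host would hold an address on the WAN bridge" >&2; exit 1; }
  render_vm_interfaces "$option" > "$outdir/pfsense-interfaces.xml"
  echo "wrote $outdir (option $option)"
fi
```

In option 0 the host kernel still sits on the WAN segment at layer 2 even though br0 has no address, which is why Patch's option 1 (hand the NIC to the VM, so the host never owns it) is the stronger isolation; option 2 is not rendered because, as the thread concludes, with two physical NICs it leaves the host no physical path to the LAN switch.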
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.