Hyper-V discrete device assignment NIC
-
Following up on a suggestion from
https://forum.pfsense.org/index.php?topic=122801.msg679590#msg679590
I configured a Broadcom NIC (supported, as far as I know) to be discretely assigned to my pfSense guest.
I do not see it though.
Has anyone managed to make this work with a NIC?
I have following available, and want to directly assign 1 for the WAN port:
Intel I217-LM
Intel 82576 (Dual Port)
Broadcom NetXtreme BCM5721
I am asking for your experience, if there is any, since I also understood that the discrete assignment feature is still a bit experimental in Hyper-V.
-
I have lots of experience with IOMMU, which is the technology used for this.
Intel refers to it as VT-d and AMD refers to it as AMD-Vi.
It is not experimental at all.
I need specs of your computer first.
If IOMMU is advertised, please check the BIOS for configuration enablement, as sometimes it is not on by default.
Notes:
Running pfSense on a platform that uses VMM netcode is a bad idea; a configuration mis-step could be fatal security-wise. So if you are going to use virtualization, you should always attach dedicated SR-IOV physical network interfaces (no other VMs) for pfSense. Running other guests is bad too, but if you can't afford another computer, then have all your other guests running shared SR-IOV network interfaces to a switch.
SR-IOV devices (NICs, HBAs, RAID controllers etc.) have an increased security level versus a regular, more primitive attached device.
Most Intel platforms don't properly support IOMMU, even the server ones, due to a lack of PCIe ACS support.
Most OEMs don't care if this is broken, especially if you are using a non-server/workstation board, which is why I recommend coreboot-supported motherboards if you want to do this. (Buying a server from Dell, HPE, etc. that supports SR-IOV is also an option.)
Your NIC must generally support function level reset to be attached, and a lot of desktop (Realtek) NICs don't play nice with IOMMU attachment anyway.
https://blogs.technet.microsoft.com/jhoward/2012/03/12/everything-you-wanted-to-know-about-sr-iov-in-hyper-v-part-1/
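An added example, not from the thread and not Microsoft's own DDA survey script, of the host-side checks and assignment steps the post above is talking about (IOMMU advertised, FLR and ACS required, device handed to one guest). It assumes Windows Server 2016 or later with the Hyper-V PowerShell module, an elevated prompt, and placeholder names for the VM and the NIC:

```powershell
# Added example: survey Hyper-V device-assignment prerequisites on the host, then
# pass a physical NIC through to a VM with Discrete Device Assignment (DDA).
# Assumptions: Windows Server 2016+ Hyper-V, run as Administrator.
# $vmName and $nicMatch are placeholders for this illustration.
$vmName   = 'pfSense'
$nicMatch = 'Broadcom NetXtreme*'   # placeholder: host-side friendly name of the NIC

# 1. Quick indicator of whether the platform (IOMMU, PCIe) is usable for device
#    assignment at all. IovSupportReasons spells out what the hypervisor thinks
#    is missing, e.g. IOMMU/VT-d turned off in firmware.
$hostInfo = Get-VMHost
"IovSupport: {0}" -f $hostInfo.IovSupport
$hostInfo.IovSupportReasons | ForEach-Object { "  reason: $_" }

# 2. Locate the PCI device. DDA is keyed on the PCI location path
#    (PCIROOT(...)#PCI(...) form), not on the friendly name.
$dev = Get-PnpDevice -PresentOnly |
    Where-Object { $_.Class -eq 'Net' -and $_.FriendlyName -like $nicMatch } |
    Select-Object -First 1
if (-not $dev) { throw "No present NIC matches '$nicMatch'" }

$locationPath = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_LocationPaths').Data |
    Where-Object { $_ -like 'PCIROOT*' } | Select-Object -First 1
"Device:       $($dev.FriendlyName)"
"LocationPath: $locationPath"

# 3. The VM must be off, and the host must not try to save its state
#    (a saved state cannot hold a physical device).
Stop-VM -Name $vmName -ErrorAction SilentlyContinue
Set-VM -Name $vmName -AutomaticStopAction TurnOff

# 4. Take the device away from the host and give it to the VM. The dismount
#    refuses (with a reason) when the device or its slot fails the checks the
#    post mentions: no function level reset, no ACS isolation on the PCIe path.
Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
Dismount-VMHostAssignableDevice -LocationPath $locationPath
Add-VMAssignableDevice -LocationPath $locationPath -VMName $vmName

# 5. Confirm the assignment from the host side, then boot the guest. The NIC
#    should now appear inside the guest as a real PCI device, not a vNIC.
Get-VMAssignableDevice -VMName $vmName | Format-Table InstancePath, LocationPath
Start-VM -Name $vmName

# Undo, in reverse order:
#   Stop-VM -Name $vmName
#   Remove-VMAssignableDevice -VMName $vmName -LocationPath $locationPath
#   Mount-VMHostAssignableDevice -LocationPath $locationPath
#   Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
```

If step 4 fails on the dismount, the message it prints is the thing to read: that is where a board without PCIe ACS, or a NIC without FLR, gets rejected, and no amount of enabling SR-IOV on a virtual switch changes that outcome.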
-
Thanks a lot!
So I guess this will just not run on my hardware (Dell PowerEdge T20, plus the NICs mentioned above. This is a cheap system, but it counts as a server).
I set some NICs to SR-IOV now. I also set them to not have "Shared usage with administrative OS" (or similar; my version is not English), which is an option for the switch. I enabled SR-IOV both on the switch and for the guest when assigning.
I don't see much of a difference though. I don't think I can change throughput too much; plus, my line is reasonably slow (25/5 Mbit/s).
I am concerned about security though, so... does SR-IOV help with that at all? Does the option to prevent sharing with the host help?
And yes, I am planning to run other VMs on the machine as well.
Mixing up Ethernet slots should not be too big a problem; I will label the cables and slots, and other people will not touch this - that is the plan.
-
I still need your processor.
If you have a Pentium, then it isn't going to work; it doesn't support IOMMU.
It seems Dell has maybe disabled SR-IOV so that this doesn't compete with their higher-end devices.
-
Processor is a Xeon E3-1225v3.
I could enable SR-IOV (it worked); I just noticed a slight drop in throughput, maybe 5%, though I cannot say for sure, since I did not make extensive tests switching there and back again. (I only have the slow connection.)
So, with no performance increase, does SR-IOV give any benefits, especially when it comes to security?
As for IOMMU/discrete assignment, after some problems and not being able to boot the VM for a while, I want to refrain from further experiments; I would assume right now it is not supported with my hardware.
-
You aren't using SR-IOV unless you are forwarding the virtual functions instead of the physical functions. It will say "Virtual Function" for the device you wish to forward, and each port on a supported device will have a certain amount of them; AFAIK your Intel 82576 has 7 per two ports, and as an earlier, more primitive NIC, you can only forward two ports at once, either with physical or virtual functions.
There are security benefits from IOMMU and more from SR-IOV assignment; you are free to search for whitepapers on this topic.
IOMMU is supported on your hardware; if there is some kind of problem, that isn't why.
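An added example, not from the thread, of what "forwarding a virtual function" looks like on the Hyper-V side and how to tell from the host whether a VF is really attached to the guest rather than the switch's software path. It assumes Windows Server 2012 or later Hyper-V, an elevated prompt, and placeholder switch, VM and adapter names:

```powershell
# Added example: put a VM on an SR-IOV virtual function (VF) and verify it.
# Assumptions: Windows Server 2012+ Hyper-V with an SR-IOV capable NIC,
# run as Administrator. Names below are placeholders for this illustration.
$vmName     = 'pfSense'
$switchName = 'WAN-SRIOV'
$vnicName   = 'WAN'

# 1. Only adapters reporting SriovSupport 'Supported' can hand out VFs.
#    NumVFs is how many the port exposes once IOV is actually enabled.
Get-NetAdapterSriov | Format-Table Name, SriovSupport, Enabled, NumVFs, NumVPorts

$pf = Get-NetAdapterSriov |
    Where-Object { $_.SriovSupport -eq 'Supported' } |
    Select-Object -First 1
if (-not $pf) { throw 'No SR-IOV capable adapter on this host' }

# 2. A dedicated switch: IOV must be enabled when the switch is created (it
#    cannot be switched on later), and no management-OS vNIC on it, so the
#    physical port belongs to the guest side only.
New-VMSwitch -Name $switchName -NetAdapterName $pf.Name `
    -EnableIov $true -AllowManagementOS $false

# 3. Give the VM an adapter on that switch and ask for a VF. IovWeight 0 means
#    "software path only"; any value above 0 requests a VF for this adapter.
Stop-VM -Name $vmName -ErrorAction SilentlyContinue
Add-VMNetworkAdapter -VMName $vmName -Name $vnicName -SwitchName $switchName
Set-VMNetworkAdapter -VMName $vmName -Name $vnicName `
    -IovWeight 100 -IovQueuePairsRequested 1
Start-VM -Name $vmName

# 4. Verify from the host. IovQueuePairsAssigned above 0 and IovUsage 1 mean a
#    VF is actually bound to the adapter; if both stay 0 the guest is on the
#    software switch path, regardless of what the GUI checkbox says. The VF is
#    also listed per physical port together with the VM that owns it.
Get-VMNetworkAdapter -VMName $vmName -Name $vnicName |
    Format-Table Name, SwitchName, IovWeight, IovQueuePairsRequested,
                 IovQueuePairsAssigned, IovUsage
Get-NetAdapterSriovVf -Name $pf.Name |
    Format-Table FunctionId, VmFriendlyName, VPortId, MacAddress
```

Inside the guest the VF shows up as its own PCI NIC that needs a VF driver for that chipset; until the guest binds a driver to it, Hyper-V keeps the traffic on the synthetic adapter, which is exactly the case the post above describes as "not using SR-IOV".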
-
Thanks again!
I googled "SR-IOV Hyper-V NIC security" and slight variations several times, but not a single hit on the first 2 pages was about security; all were about performance. Do you have any pointers?
This is the best article I have found so far https://blogs.technet.microsoft.com/jhoward/2012/03/21/everything-you-wanted-to-know-about-sr-iov-in-hyper-v-part-8/ but it only mentions SR-IOV security flaws rather than it improving security.
Also, I found out that I can check whether a NIC supports SR-IOV via
Get-NetAdapterSriov
even though all NICs say that SR-IOV was enabled successfully, only the 82576 actually comes up as supported.
As for IOMMU, I am still not sure. Yes, the hardware components support it, but the BIOS could also disable it, and there is no such option on the Dell; also, googling came up with mixed results.