pfsense in HyperV with multiple NICs as LAN

  • Hello,

    I'm totally new to pfsense and I'm not really sure what the best practice is here.

    I have a HPE DL380 server (with Windows Server 2019 installed) with 4 NICs. I'm using this server as a Hyper-V host and want pfsense as a VM and I want it to be my router/gateway.

    Will I be able to use NIC Teaming on 3 of the NICs and use one for WAN?

    I've read that people don't recommend bridging because there's no hardware acceleration and instead either set a separate subnet for each NIC or just use one NIC and connect a switch to that port.

    I'm not really a fan of using just one NIC and connect a switch to it so setting a separate subnet for each NIC seems more appropriate for me if NIC Teaming doesn't work.

    If using separate subnets, do I just have to enable each interface and add the subnet to it with the right IP, then enable DHCP for that interface and add firewall rules to allow any protocol to/from any dest./source?
    Or would I have to do more than that?


  • Netgate Administrator

    @PatricF said in pfsense in HyperV with multiple NICs as LAN:

    Will I be able to use NIC Teaming on 3 of the NICs and use one for WAN?

    Sure you could configure 3 NICs in a lagg to use as LAN but why? If you only have one NIC as WAN the throughput will be limited to that WAN to LAN. Do you have multiple internal VLANs to route between?
    What do you plan to connect to this? Just multiple LAN clients? Internal VMs?


  • I just want to use the NICs as a switch really. I have a NAS and a RaspberryPi next to the server that I want to connect to the LAN then I have a cable running upstairs to a switch for my APs and other clients.

  • You want to either bridge or just assign each NIC to its own subnet in your case. But if you wanted to team the LAN NICs, you can team them in Windows, create a v-switch pointing to the NIC team (I think it would be listed as "Microsoft Multiplexer" or similar) then point the pfSense LAN NIC to that v-switch. But that sounds like more than you want to do, as you'd still be limited to the WAN bandwidth anyway.
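
The Windows-side teaming setup described in the post above, sketched in PowerShell for the Hyper-V host. This is an added example, not something posted in the thread; the adapter names, team name, switch name and VM name are assumptions to replace with your own.

```powershell
# Assumed names (not from the thread): adjust to your host.
$lanNics  = 'NIC2', 'NIC3', 'NIC4'   # the three physical ports meant for LAN
$teamName = 'LAN-Team'
$switch   = 'LAN-vSwitch'
$vmName   = 'pfSense'

# Fail if an adapter name is wrong; warn if a port currently has no link.
foreach ($nic in $lanNics) {
    $adapter = Get-NetAdapter -Name $nic -ErrorAction Stop
    if ($adapter.Status -ne 'Up') {
        Write-Warning "$nic is $($adapter.Status)"
    }
}

# Team the three ports in Windows. SwitchIndependent needs no LACP
# configuration on whatever the ports are plugged into.
New-NetLbfoTeam -Name $teamName -TeamMembers $lanNics `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic `
    -Confirm:$false

# External v-switch bound to the team interface (shown by the driver as
# "Microsoft Network Adapter Multiplexor Driver"). AllowManagementOS $false
# keeps the host OS from getting its own vNIC on this switch.
New-VMSwitch -Name $switch -NetAdapterName $teamName -AllowManagementOS $false

# Give the pfSense VM a LAN vNIC on that switch.
# A Generation 1 VM must be powered off for this step.
Add-VMNetworkAdapter -VMName $vmName -SwitchName $switch -Name 'LAN'

# Confirm the result: team member state and the VM's adapters.
Get-NetLbfoTeamMember -Team $teamName |
    Format-Table Name, Team, OperationalStatus
Get-VMNetworkAdapter -VMName $vmName |
    Format-Table Name, SwitchName, MacAddress
```
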

  • @provels maybe I didn't explain well in my first post but yes that's exactly what I mean about teaming (in Windows). But I don't understand what you mean by being limited to my WAN? What would get limited to my WAN? Yes I won't get any faster internet than my ISP provides if that's what you mean!?
    Or do you mean that my LAN somehow won't get 1Gbit if I don't have a 1Gbit connection to my ISP? And if so, how on earth would that be the case?

  • @PatricF said in pfsense in HyperV with multiple NICs as LAN:

    Yes I won't get any faster internet than my ISP provides if that's what you mean!?

    Yes. Teaming is for redundancy or bandwidth expansion, not to replace the utility of a switch.

  • Netgate Administrator

    Exactly, you will end up with a (I assume) 3x 1Gbps LAN but that will only help if you have VLANs running on that and are routing between them. In that case you could potentially get > 1Gbps between VLAN subnets.


  • @PatricF I suppose you could try creating the Windows team, create the new LAN v-switch pointing to it, then try plugging your NAS into one of the open ports and see if you have connectivity. Probably not but never tried. No warranty expressed or implied.

  • Netgate Administrator

    What are you actually trying to do here with the ports?

  • @stephenw10 I want 1 port for WAN and 3 ports for LAN just like I've said before. I can't quite understand how this would be anything weird or uncommon.
    Just like when you buy an off-the-shelf router and get 1 WAN port and 4 LAN ports but this seems to be something from an alien world with pfsense.
    Don't get me wrong, this might not be a supported setup with pfsense and maybe not what it's made for but I'm just having a little trouble understanding why.

  • @PatricF well, off-the-shelf routers have a routing module and usually a 5 port switch, glued together on the same PCB. In more "advanced" cases the switch is managed and can be assigned specific port to VLAN for IPTV or VoIP use.
    Now, pfsense is a firewall/router device and certainly not a managed switch.
    Please elaborate why you are trying to do this. Performance? Redundancy?
    As a rule of thumb, try not to mix advanced features from different platforms, e.g. laggs at the pf level, and bonding at Windows level if possible.
    It might work, but when in trouble, debugging the situation will not be easy.

    If you need just 3 LANs use a dumb switch. If 1g for the WAN is not enough, do teaming between the switch and pf. And/or use a 10g interface. Solutions that work all the time.

  • Thanks for the info. I understand that what I was asking is not possible.

  • Netgate Administrator

    Ah, OK. That is certainly possible. I was confused by the discussion of 'teaming' which is not what you want at all.

    You have two choices here:

    1. Pass through three NICs to pfSense and bridge them. That will give you the behaviour you want but as (I now see) you initially said it's a very inefficient way of creating a switch. Bridging can be awkward in pfSense.
    2. Create a vswitch in Hyper-V and connect all 3 to it. It's still doing it in software which is not as good as a real switch but at least it's trying to be a switch rather than a bridge. That also simplifies the pfSense config significantly, which would then only have a single LAN interface internally connected to the vswitch.

