Can't get pfSense bridge to work with VF NIC

nazar-pc

I created a virtual function (VF) devices (SR-IOV) on Intel 82599ES NIC and assigned them to pfSense VM.
One of the interfaces is LAN and is supposed to be connected to both external devices and to the host where pfSense VM is running, but I can't get it to work.

If pfSense is booted with the VF assigned to LAN, I can reach pfSense from the outside, but communication with host is blocked and I have not found a solution around it. So I decided to create a virtio interface and bridge it in pfSense.

When I do that (LAN assigned to the bridge, both bridged interfaces are up, but without IP addresses), all traffic starts flowing through virtio interface and physical interface is completely ignored for some reason, no matter STP settings I was configuring with cost/priority.

Interestingly, if I temporarily re-assign LAN from the bridge to the VF, LAN stops working until pfSense reboot, which I was not able to identify the root cause of.

Also interestingly, despite VF is ignored when added to the bridge, creating VLAN on it works fine, connection from external machine works no problem, so I suspect the interface as such is working. Maybe there is a way to force communication with a particular IP/MAC address to use a specific network interface in pfSense?

nazar-pc

I also tried blocking traffic for this device on the virtio path, but then pfSense becomes unreachable, which I guess indicates the bridge somehow breaks VF device (ixv driver)?

viragomann

@nazar-pc said in Can't get pfSense bridge to work with VF NIC:

If pfSense is booted with the VF assigned to LAN, I can reach pfSense from the outside, but communication with host is blocked and I have not found a solution around it.

Yeah, if you pass through the hardware to a VM, the host cannot use it anymore.

One of the interfaces is LAN and is supposed to be connected to both external devices and to the host where pfSense VM is running, but I can't get it to work.

You should rather create a bridge in Proxmox, connect the hardware NIC to it and assign and IP and connect the virtual interface of the VM, if you want to access both devices over the single NIC.

nazar-pc

@viragomann said in Can't get pfSense bridge to work with VF NIC:

Yeah, if you pass through the hardware to a VM, the host cannot use it anymore.

That is 100% not true.
As I mentioned, I pass through VF, SR-IOV is designed just for this.
Host device remains and is supposed to be able to talk to guests and to the outside.

@viragomann said in Can't get pfSense bridge to work with VF NIC:

You should rather create a bridge in Proxmox, connect the hardware NIC to it and assign and IP and connect the virtual interface of the VM, if you want to access both devices over the single NIC.

That is exactly the description of the virtio interface I have, but it is slow, just ~1.3 Gbps in pfSense due to multiple reasons (issues opened for years and little if any progress is happening on them, so I wanted to pass through the physical hardware).
On Linux virtio interfaces trivially push over 10 Gbps, but not in pfSense.