PfSense in KVM without exposing the host OS



  • Is there any way to do this without exposing the OS running the hypervisor to the WAN?  I want to be able to run a Linux application that cannot be virtualized because of PCI passthrough issues (MythTV) on the host OS alongside KVM, but still be protected behind the firewall.  Not an expert in Linux, KVM, or pfSense, but I am in the process of planning a build and want to figure out what's possible and what's not.



  • @mlrabbitt:

    Is there any way to do this without exposing the OS running the hypervisor to the WAN?

    You want pfSense to have exclusive control of the WAN NIC? I think a recent release of VirtualBox allows that (PCI passthrough). I don't know if KVM allows that.



  • @wallabybob:

    You want pfSense to have exclusive control of the WAN NIC?

    Yes, and for the host OS to be able to connect to the LAN like every other device.  I want to use a dual port gigabit NIC card for the WAN and use the onboard NIC to connect to a switch to access the LAN.  KVM does PCI passthrough but my CPU doesn't support VT-d (core i3-2120) so I don't think that PCI passthrough will work.  Will do some testing tomorrow.  I was just curious to see if anyone had done a setup like this.



  • I've done this but I am using Xen rather than KVM and I expressly made sure my CPU and motherboard were VT-d capable in anticipation of this requirement.

    According to this:
    http://unix.stackexchange.com/questions/37047/pci-passthrough-without-vt-d

    You need a modified kernel on the guest in order to have passthrough without VT-d. This is for Xen, but I imagine the same limitation will apply to KVM/VirtualBox. Unfortunately, FreeBSD and therefore pfSense are not really there with paravirtual drivers yet.

    Without PCI passthrough, you are likely to not get good performance through the WAN.

    Another way you could do it would be to disallow the host VM from obtaining an IP on the NIC. This will not prevent the host from being exposed to the traffic, for obvious reasons. I'm not sure, but you might be able to make the interface in "down" state but it still functions as a transparent bridge. You would probably also have to put a static route on the host.



  • Well, this certainly isn't a pfSense question, it's a general virtualization question.  Specifically, a "How to passthrough physical devices to a guest VM without VT-d" question.

    On the pfSense side, you should be able to isolate a NIC to a particular VM (or group of VMs) in most Hypervisors.  I haven't checked, but this probably works in KVM, I know it works in ESXi (in ESXi you do it with Virtual Switches.)  Even if you need VLAN support you can specify them within some Hypervisors (ESXi certainly.)

    Now you're left with your passthrough requirements for your tuner/capture card, which isn't a pfSense question.  Asking how to passthrough without VT-d would be best asked on a Virtualization forum, probably best at a forum dedicated to the Hypervisor you're expecting to work with.  Although, I'm pretty sure you'd need VT-d for PCI passthrough in KVM: http://docs.fedoraproject.org/en-US/Fedora/13/html/Virtualization_Guide/chap-Virtualization-PCI_passthrough.html  (you certainly do need it in ESXi.)
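The two posts above describe the KVM-side options in words: either a software bridge on which the host deliberately has no address (with the caveat that the host kernel still sees every WAN frame), or a true PCI passthrough once VT-d is available. The script below is an added example for a Linux/libvirt KVM host, not code from the thread or from the pfSense project. Everything named in it is an assumption: the WAN NIC `enp3s0`, the bridge `br-wan`, the libvirt domain `pfsense`, and the PCI address `0000:03:00.0`. Option A answers the "host still exposed to the traffic" concern with two things the posts only hint at: disabling IPv6 autoconfiguration on the WAN-side devices (otherwise the host gets a link-local address and answers NDP on the ISP segment) and a bridge-family nftables table that drops every frame the bridge would deliver to, or send from, the host itself while still forwarding between the NIC and the guest's tap. Option B hands the whole PCI function to the guest via VFIO, which takes the host kernel out of the WAN data path entirely and requires an IOMMU. `audit_wan_isolation` is the check a practitioner would run afterwards.

```shell
#!/bin/sh
# Added example, not from the thread: give a pfSense KVM/libvirt guest exclusive
# use of a WAN NIC so the host kernel has no IP presence on the WAN side, while
# the host keeps its onboard NIC on the LAN. All names are assumptions; run as root.
set -eu

WAN_NIC="${WAN_NIC:-enp3s0}"   # assumed: physical NIC reserved for the WAN
WAN_BR="${WAN_BR:-br-wan}"     # assumed: bridge the host never addresses
GUEST="${GUEST:-pfsense}"      # assumed: libvirt domain name of the pfSense VM

# Option A (no VT-d): Linux bridge with no host address, plus a bridge-family
# nftables table that drops every frame destined for, or generated by, the host.
setup_wan_bridge() {
    ip link add name "$WAN_BR" type bridge
    ip link set dev "$WAN_NIC" master "$WAN_BR"
    ip addr flush dev "$WAN_NIC"      # no static or DHCP address, ever
    ip addr flush dev "$WAN_BR"
    # Without this the host still auto-configures a link-local IPv6 address
    # and answers NDP on the ISP segment.
    for dev in "$WAN_NIC" "$WAN_BR"; do
        sysctl -qw "net.ipv6.conf.$dev.disable_ipv6=1"
        sysctl -qw "net.ipv6.conf.$dev.accept_ra=0"
    done
    ip link set dev "$WAN_NIC" up
    ip link set dev "$WAN_BR" up
    # The bridge still forwards NIC <-> guest tap; only local delivery is cut.
    nft add table bridge wanguard
    nft add chain bridge wanguard input  '{ type filter hook input priority 0; policy drop; }'
    nft add chain bridge wanguard output '{ type filter hook output priority 0; policy drop; }'
}

attach_guest_to_bridge() {
    # virtio needs pfSense's vtnet driver; older releases may need model 'e1000'.
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
<interface type='bridge'>
  <source bridge='$WAN_BR'/>
  <model type='virtio'/>
</interface>
EOF
    virsh attach-device "$GUEST" "$tmp" --config
    rm -f "$tmp"
}

# Option B (VT-d/IOMMU available): hand the whole PCI function to the guest.
# Takes an address such as 0000:03:00.0 and prints the libvirt <hostdev> XML.
pci_hostdev_xml() {
    pci=$1
    domain=${pci%%:*}; rest=${pci#*:}
    bus=${rest%%:*};   sf=${rest#*:}
    slot=${sf%.*};     func=${sf#*.}
    printf "<hostdev mode='subsystem' type='pci' managed='yes'>\n"
    printf "  <source><address domain='0x%s' bus='0x%s' slot='0x%s' function='0x%s'/></source>\n" \
        "$domain" "$bus" "$slot" "$func"
    printf "</hostdev>\n"
}

attach_guest_passthrough() {
    # No iommu_groups means VT-d is off in firmware or intel_iommu=on is missing
    # from the host kernel command line: libvirt will refuse the device.
    [ -n "$(ls /sys/kernel/iommu_groups 2>/dev/null)" ] \
        || { echo "no IOMMU groups: VT-d missing or disabled" >&2; return 1; }
    tmp=$(mktemp)
    pci_hostdev_xml "$1" > "$tmp"     # managed='yes': libvirt binds it to vfio-pci
    virsh attach-device "$GUEST" "$tmp" --config
    rm -f "$tmp"
}

# Returns 0 when the given `ip addr show` output carries no inet/inet6 address.
no_l3_in() {
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# Post-setup check: the host must have no L3 address on either WAN-side device.
audit_wan_isolation() {
    for dev in "$WAN_NIC" "$WAN_BR"; do
        no_l3_in "$(ip addr show dev "$dev")" \
            || { echo "host has an address on $dev: WAN is exposed" >&2; return 1; }
    done
    echo "ok: no host address on $WAN_NIC or $WAN_BR"
}

# Constructed sample outputs (not captured from a real host) to exercise the check offline.
SAMPLE_CLEAN='3: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
SAMPLE_LEAKY="$SAMPLE_CLEAN
    inet6 fe80::5054:ff:feaa:bbcc/64 scope link"

case "${1:-}" in
    bridge)      setup_wan_bridge && attach_guest_to_bridge ;;
    passthrough) attach_guest_passthrough "${2:?usage: passthrough 0000:03:00.0}" ;;
    audit)       audit_wan_isolation ;;
    *)           ;;   # no argument: only define the functions above
esac
```

Usage: `sh wan-isolate.sh bridge` for option A, `sh wan-isolate.sh passthrough 0000:03:00.0` for option B, then `sh wan-isolate.sh audit`. Even with option A's nftables drop in place, the host's NIC driver and bridge code still process every WAN frame, so a bug there is still reachable from the Internet; that is the residual exposure passthrough removes, and it is why the nftables table only mitigates rather than resolves the original question.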



  • Thanks guys.  I looked into doing this through Xen and VirtualBox since both do PCI passthrough without VT-d.  Xen I found way too complicated to use as my Linux skills are pretty basic, and VirtualBox I found had poor performance and some incompatibility issues.  I ended up just buying a VT-d CPU since my mobo already supported VT-d.  I'm going to use either XCP or ESXi now and pass through the NIC to my BSD VM and pass through the tuner card to my Linux VM.



  • @mlrabbitt:

    Thanks guys.  I looked into doing this through Xen and VirtualBox since both do PCI passthrough without VT-d.  Xen I found way too complicated to use as my Linux skills are pretty basic, and VirtualBox I found had poor performance and some incompatibility issues.  I ended up just buying a VT-d CPU since my mobo already supported VT-d.  I'm going to use either XCP or ESXi now and pass through the NIC to my BSD VM and pass through the tuner card to my Linux VM.

    (insert big thumbs-up emoticon here)

