Is VT-d required for virtualization?



  • Hi!

    I'm building an ESXi white box that is small form factor and was wondering if VT-d is needed.  The current box I'm looking at only has 2 NICs, so I'm not sure how it would work with pfSense. If needed I can look toward a slightly bigger build with more NICs. Any info would be greatly appreciated.

    Forgot to add that this will be my first time using pfSense, so I don't plan on doing anything too fancy, VPN, QoS, monitoring.

    Thanks!



  • VT-d is for passthrough of physical hardware (storage controller, NIC, etc.) to a VM.  Unless you're doing that, no, it's not required.



  • @Jason:

    VT-d is for passthrough of physical hardware (storage controller, NIC, etc.) to a VM.  Unless you're doing that, no, it's not required.

    Hi Jason,

    I understand that, I just wasn't sure if I needed to passthrough a NIC for pfsense.



  • Hi there,

    Technically speaking, you can run pfSense in virtualization with only 1 physical NIC, so long as you have a switch that can support VLANs.  On the VM side of things, you can present as many virtual NICs to your virtualized pfSense as you wish, and tag them with VLANs inside the VM.

    You really only need to pass-through physical NICs with VT-d if you think your I/O will be quite high.  As you are considering virtualization, I'm assuming this isn't for the core firewall/router of an enterprise, and rather is for either a SMB or home environment.

    For typical bandwidth, you should be OK in virtualization.  I am able to pull down over 150Mbit of Internet facing bandwidth via a pfSense running in ESXi, with vNICs.

    I'm assuming you want more than 2 NICs because you have multiple WAN connections.  If yes, you might want to keep your LAN traffic and WAN traffic on separate physical NICs as you said you will have 2.  Assuming you are using ESXi, create two vSwitches - one for VM/LAN traffic, and one for Internet/WAN traffic.  Set your WAN vSwitch to trunking mode by setting the VLAN ID to 4095, and add as many vNICs to the VM on the WAN vSwitch as you require, and inside pfSense you can assign the proper VLAN to them.  Then match that setup on your VLAN capable switch and you could have as many WAN connections as you would like via only the 1 physical port.

    i.e.:

    Your design might change depending on the kind of traffic you are looking to segment, but the approach would likely be similar to the above.

    Of course - if you actually can get gear with more physical NICs, it would almost certainly be higher performing, but it isn't required for most typical cases with moderate I/O requirements.

    – Phob

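The two-vSwitch, single-WAN-uplink layout Phob describes above, written out as an added example (this is not code from the thread or from pfSense/VMware): the ESXi side as esxcli commands for a standard vSwitch, with the WAN port group set to VLAN ID 4095 (Virtual Guest Tagging, so pfSense tags its own frames), and the pfSense side as the FreeBSD vlan(4) interfaces that the "Interfaces > Assignments > VLANs" page creates. The uplink names vmnic0/vmnic1, the vSwitch and port-group names, the pfSense parent interface vmx1 and the WAN VLAN IDs 101 and 102 are all assumptions for illustration. The script only prints its plan unless it is run on an ESXi shell with the `apply` argument.

```shell
#!/bin/sh
# Added example, not code from the forum post. Builds the single-uplink
# multi-WAN layout: one vSwitch per physical NIC, LAN untagged, WAN as a
# VGT trunk (VLAN ID 4095), and the matching vlan(4) children for pfSense.
# Assumptions (not from the post): uplinks vmnic0/vmnic1, vSwitch and
# port-group names, pfSense WAN vNIC seen as vmx1, WAN VLANs 101 and 102.
# Usage: sh layout.sh          -> print the plan (safe anywhere)
#        sh layout.sh apply    -> run the ESXi commands on an ESXi shell

LAN_UPLINK="${LAN_UPLINK:-vmnic0}"
WAN_UPLINK="${WAN_UPLINK:-vmnic1}"
PFSENSE_WAN_PARENT="${PFSENSE_WAN_PARENT:-vmx1}"

# A VLAN ID pfSense may tag with: 1..4094. 4095 is not a VLAN; on ESXi it
# is the port-group sentinel meaning "pass tagged frames through" (VGT),
# so it must never be handed to pfSense as a real VLAN.
check_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# ESXi side. Nothing is executed here; one command is printed per line.
# The last line tightens the WAN vSwitch security policy; pfSense with
# VGT does not need promiscuous mode, MAC changes or forged transmits.
# (Leave those at their defaults if you later add CARP on that vSwitch.)
plan_esxi() {
    cat <<EOF
esxcli network vswitch standard add --vswitch-name=vSwitchLAN
esxcli network vswitch standard uplink add --uplink-name=$LAN_UPLINK --vswitch-name=vSwitchLAN
esxcli network vswitch standard portgroup add --portgroup-name=LAN --vswitch-name=vSwitchLAN
esxcli network vswitch standard add --vswitch-name=vSwitchWAN
esxcli network vswitch standard uplink add --uplink-name=$WAN_UPLINK --vswitch-name=vSwitchWAN
esxcli network vswitch standard portgroup add --portgroup-name=WAN-Trunk --vswitch-name=vSwitchWAN
esxcli network vswitch standard portgroup set --portgroup-name=WAN-Trunk --vlan-id=4095
esxcli network vswitch standard policy security set --vswitch-name=vSwitchWAN --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
EOF
}

# pfSense side: one vlan(4) child per WAN, all on the vNIC that sits on
# WAN-Trunk. These are what the pfSense GUI creates; typed by hand they do
# not survive a reboot, so use Interfaces > Assignments > VLANs for real.
plan_pfsense_vlans() {
    for vid in "$@"; do
        check_vlan_id "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
        echo "ifconfig vlan$vid create vlan $vid vlandev $PFSENSE_WAN_PARENT"
    done
}

run_plan() {
    plan_esxi
    # word splitting on the VLAN list is intended
    plan_pfsense_vlans ${WAN_VLANS:-101 102}
}

case "${1:-plan}" in
    plan)  run_plan ;;
    apply) command -v esxcli >/dev/null 2>&1 || { echo "not an ESXi shell" >&2; exit 1; }
           plan_esxi | sh -ex ;;
esac
```

The matching physical switch port for vmnic1 must be an 802.1Q trunk carrying exactly the WAN VLANs you create in pfSense and nothing else; the LAN port for vmnic0 stays an access port, so a frame tagged with a WAN VLAN can never reach the LAN vSwitch.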


  • @Phobia:

    Hi there,

    Technically speaking, you can run pfSense in virtualization with only 1 physical NIC, so long as you have a switch that can support VLANs.  On the VM side of things, you can present as many virtual NICs to your virtualized pfSense as you wish, and tag them with VLANs inside the VM.

    You really only need to pass-through physical NICs with VT-d if you think your I/O will be quite high.  As you are considering virtualization, I'm assuming this isn't for the core firewall/router of an enterprise, and rather is for either a SMB or home environment.

    For typical bandwidth, you should be OK in virtualization.  I am able to pull down over 150Mbit of Internet facing bandwidth via a pfSense running in ESXi, with vNICs.

    I'm assuming you want more than 2 NICs because you have multiple WAN connections.  If yes, you might want to keep your LAN traffic and WAN traffic on separate physical NICs as you said you will have 2.  Assuming you are using ESXi, create two vSwitches - one for VM/LAN traffic, and one for Internet/WAN traffic.  Set your WAN vSwitch to trunking mode by setting the VLAN ID to 4095, and add as many vNICs to the VM on the WAN vSwitch as you require, and inside pfSense you can assign the proper VLAN to them.  Then match that setup on your VLAN capable switch and you could have as many WAN connections as you would like via only the 1 physical port.

    i.e.:

    Your design might change depending on the kind of traffic you are looking to segment, but the approach would likely be similar to the above.

    Of course - if you actually can get gear with more physical NICs, it would almost certainly be higher performing, but it isn't required for most typical cases with moderate I/O requirements.

    – Phob

    Got it! Thanks so much Phob!



  • Higher-end NICs, like the i350, support having "virtual hardware" NICs. The i350 supports up to 8 virtual NICs per port, each with their own frame size, VLANs, and interrupts. They work exactly like separate physical NICs and report to the host as separate NICs.

    In this case, you can use VT-d, or whatever, and pass through the "hardware" virtual NIC directly to the guest and get rid of the overhead of passing it through the host. Because guests are not really aware of each other, the i350 specifically has an internal switch and can switch traffic between these virtual NICs without having them go out to the switch, and it does this at the full PCIe 2.1 x4 speed (2 GB/s full-duplex).

