Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Security implications of using macvtap instead of PCI passthrough for VM

    General pfSense Questions
    1
    1
    941
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      garibaldi
      last edited by

      I have a server with 3 physical NICs and the motherboard does not support PCI passthrough (Vt-d). I would like to set up a pfSense KVM VM on the server (host OS is Ubuntu) and connect one of the physical NICs directly to my WAN, the second to a WiFi AP, and the third to my LAN. Since I cannot use PCI passthrough, I was looking at the available macvtap modes, and it looks like "private" would give me the most security, particularly on the WAN port. What are the security concerns with running pfSense with a NIC on the host connected directly to the Internet (with no other firewall)? If I am using macvtap "private" mode, it seems like the concern would be a bug in the macvtap driver that allows access to the physical host. However, wouldn't these (or even worse) be true if using PCI passthrough? Is this is a safe setup?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.