pfSense VM - PCI passthrough and VLANs


So I am trying to set up pfSense to replace a UniFi UDM Pro, which I have decided is not worth the time as it's full of bugs. After watching hours of Tom’s videos I have decided to switch and have two Dell R220s to start me off in the world of XCP-ng VMs.

My question is, if I set up PCI passthrough for a 4-port network card to the pfSense VM, do I still need to set up a VIF for each VLAN? Ideally I want to set up two pfSense VMs, one on each server in an HA configuration, and then use the two built-in Broadcom NICs for the management and other VM traffic. The attached image would only work if VLANs work natively with the PCI passthrough.

The main reason for the pfSense HA is so I don’t lose my internet when I break or crash one of the XCP-ng hosts. Any advice or ideas would be really welcome.

If you pass through the network card then it does not even show up inside of XCP-NG, which also means in pfsense you treat it like a normal network card. Also, HA requires at least three IP addresses for each interface pair. So you will need at least three static WAN addresses.

Thank you for replying so quickly. I have one WAN IP, so I was thinking of putting it through an Edge Router X on the WAN side and either forwarding a few ports or turning on a DMZ.

This is more for a home network, so if the network goes down it's only going to be my girlfriend complaining. I just like the idea of trying to see if I can make it work, and it would be useful when restarting a host. I just cannot justify running 3 computers 24/7, so I'm challenging myself to do it on two, as I don’t have enough RAM in one host to run all my VMs on one.

Would you suggest setting it up any differently? I did think about HA in XCP-ng, as I could live with the 5 mins that it would take to spin up pfSense on a different host.

HA requires shared storage between the hosts, but it does work well. I prefer to run my pfsense on real hardware and only virtualize for lab work or very special use cases.

Why not just use the edge router for your main and set up pfsense in a lab learning config?

I virtualize my pfSense with xcp-ng. The only time pfSense goes down, per se, is with xcp-ng upgrades, which occur about 2 times a year. I’ve only done minor upgrades with xcp-ng (like 8.0->8.1) and haven’t done a major upgrade yet (like 8->9, which isn’t out yet; just an example). Supposedly major upgrades are more complicated. In all honesty, since it's home based, I’d just back up your config and, say xcp-ng went down for whatever reason, just reinstall pfSense. This wouldn’t be suitable for a business; however, if you can survive the “wife factor” for a little bit, I think it's a totally workable scenario.

I have a 1Gbps WAN connection and like having DPI and some sort of intrusion protection turned on. The Edge Router X cannot process that much data, and I’m really limited with the UniFi UDM Pro until they fix the software.

So taking this a step further, is there any further security benefit to having the network card managed by the VM instead of the host if I set up PCI passthrough?

So… Funny you mention this Tom, any reason why the passed through network interfaces still show up in XOA?

I followed this guide from the official docs.

When I get to step 4), both devices that I have “hidden” from dom0 are shown when I execute the command:

[23:25 xcp-ng-hp-00 ~]# xl pci-assignable-list
[23:25 xcp-ng-hp-00 ~]# 

Running lspci shows the network interfaces, and they also show up in XOA.

[23:25 xcp-ng-hp-00 ~]# lspci
03:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
03:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
04:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
04:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
[23:26 xcp-ng-hp-00 ~]# 

eth0 and eth1 show up in XOA after I removed them in xcp-ng per the docs.

Here is the bootup of pfSense in XOA with PCI supposedly passed through. pfSense seems to pick them up, bce0, but I do not see bce1; then after bootup it comes up, shows no interfaces found and halts.
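As an added illustration (not code from the post, from XCP-ng, or from its docs): a small POSIX shell check that compares the PCI devices you intended to hide from dom0 with what `xl pci-assignable-list` actually reports, and a sysfs lookup of which dom0 driver still owns each device. A device that dom0's own NIC driver has claimed cannot be handed to the guest, which is the situation the empty list above describes. The BDFs and the `xl` output fed to the demo are constructed; the only real host command it relies on is `xl pci-assignable-list`, and the `dom0_driver` helper assumes the standard Linux `/sys/bus/pci/devices/<domain:bdf>/driver` symlink layout.

```shell
#!/bin/sh
# Added example: verify that devices meant for passthrough really are
# assignable, instead of trusting that the boot-line change took effect.

# missing_assignable EXPECTED ASSIGNABLE
#   EXPECTED:   space-separated BDFs you hid from dom0, e.g. "03:00.0 03:00.1"
#   ASSIGNABLE: the text printed by `xl pci-assignable-list` (one device per
#               line, with the "0000:" domain prefix as xl prints it)
# Prints every expected BDF that is NOT in the assignable list, one per line.
# Returns 0 when all expected devices are assignable, 1 otherwise.
missing_assignable() {
    expected=$1
    assignable=$2
    rc=0
    for bdf in $expected; do
        short=${bdf#0000:}                      # tolerate a "0000:" prefix in EXPECTED
        if ! printf '%s\n' "$assignable" | grep -Fxq -e "$short" -e "0000:$short"; then
            printf '%s\n' "$short"
            rc=1
        fi
    done
    return $rc
}

# dom0_driver BDF
# Prints the name of the dom0 driver bound to the device, read from sysfs:
# "pciback" means hiding worked, a NIC driver name (e.g. bnx2 for the BCM5709)
# means dom0 still claims it, "none" means nothing is bound. Needs a real
# host; it is not exercised by the offline demo below.
dom0_driver() {
    link=/sys/bus/pci/devices/0000:${1#0000:}/driver
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo none
    fi
}

# check_host EXPECTED
# On a real XCP-ng/Xen host: run the assignable check against live xl output
# and, for anything missing, show which dom0 driver has the device.
check_host() {
    live=$(xl pci-assignable-list 2>/dev/null)
    if missing=$(missing_assignable "$1" "$live"); then
        echo "all expected devices are assignable"
        return 0
    fi
    for bdf in $missing; do
        echo "$bdf is not assignable; dom0 driver: $(dom0_driver "$bdf")"
    done
    return 1
}

# Offline demo on constructed input mirroring the post above: two devices were
# hidden, but `xl pci-assignable-list` printed nothing, so both are reported.
if missing_assignable "03:00.0 03:00.1" ""; then
    echo "all expected devices are assignable"
else
    echo "devices above are still owned by dom0; re-check the xen-pciback hide setting and reboot"
fi
```

On a host you would call `check_host "03:00.0 03:00.1"` after the reboot that applies the dom0 boot-line change; a driver name other than `pciback` in its output tells you exactly why XOA and lspci still present the port as a dom0 NIC.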

I have not really done any pass through testing in XCP-NG, so I am not sure.