Damn that's a lot of acronyms.
I was hoping that someone could please help dig me out of this rabbit hole I've been in for days trying to figure out the best practice for my setup.
I have a 2-port SR-IOV-capable I350 NIC, and a separate e1000 (I think) port that's built into the single-node box I'm running Proxmox on. At the moment I use the i350 for lan/wan and the e1000 for Proxmox management access.
On this node I have pfSense, and will want to install a few other services like Jellyfin, AdGuard Home or PiHole, and maybe an external-facing webserver.
I've been trying for a while to wrap my head around the best way to go about this, and I've seen it advocated to put the VMs on one VLAN, the LAN devices on another, have another for management.
At the moment the WAN is passed directly to pfSense via iommu.
What I'm stuck on is how best to set up the links between the other VMs and pfSense, and the VMs Inc pfSense to the LAN port.
Some thoughts:
- Are SR-IOV VFs on the same PF/port and VLAN bridged?
- If so, how does this stack up against vBridges, either Linux or DPDK+OVS? As there'd be most traffic routed between VMs for PiHole/AdGuard, this guide has me thinking DPDK+OVS would be a good fit. If some VMs would benefit from direct LAN access though to avoid, eg Jellyfin traffc being processed by the firewall.. should I have some VFs for that, and a OVS switch to link the VMs to Proxmox for WAN access?
- I'll need some kind of internal switching if I want the VMs to only access the internet via the pfsense VM, even if their LAN access can be passed through via vlan-tagged virtual functions.
- DPDK and OVS seemed like it would be a good fit but I'm not sure how that would work with VLANS...
I feel like I'm getting stuck in the weeds a bit too much here but just want to make sure I'm not losing performance unnecessarily. I'm on modest hardware so trying to squeeze the most out of it!
If anyone could help me figure out the best way I can put this together I'd really appreciate it.
Thank you.
I was hoping that someone could please help dig me out of this rabbit hole I've been in for days trying to figure out the best practice for my setup.
I have a 2-port SR-IOV-capable I350 NIC, and a separate e1000 (I think) port that's built into the single-node box I'm running Proxmox on. At the moment I use the i350 for lan/wan and the e1000 for Proxmox management access.
On this node I have pfSense, and will want to install a few other services like Jellyfin, AdGuard Home or PiHole, and maybe an external-facing webserver.
I've been trying for a while to wrap my head around the best way to go about this, and I've seen it advocated to put the VMs on one VLAN, the LAN devices on another, have another for management.
At the moment the WAN is passed directly to pfSense via iommu.
What I'm stuck on is how best to set up the links between the other VMs and pfSense, and the VMs Inc pfSense to the LAN port.
Some thoughts:
- Are SR-IOV VFs on the same PF/port and VLAN bridged?
- If so, how does this stack up against vBridges, either Linux or DPDK+OVS? As there'd be most traffic routed between VMs for PiHole/AdGuard, this guide has me thinking DPDK+OVS would be a good fit. If some VMs would benefit from direct LAN access though to avoid, eg Jellyfin traffc being processed by the firewall.. should I have some VFs for that, and a OVS switch to link the VMs to Proxmox for WAN access?
- I'll need some kind of internal switching if I want the VMs to only access the internet via the pfsense VM, even if their LAN access can be passed through via vlan-tagged virtual functions.
- DPDK and OVS seemed like it would be a good fit but I'm not sure how that would work with VLANS...
I feel like I'm getting stuck in the weeds a bit too much here but just want to make sure I'm not losing performance unnecessarily. I'm on modest hardware so trying to squeeze the most out of it!
If anyone could help me figure out the best way I can put this together I'd really appreciate it.
Thank you.
Last edited: