What if I passthrough a NIC?

lumox

May 29, 2020
Hi,
Ok, I have to post the same images one more time :):
this is my network setup in Proxmox:

Proxmox01.jpeg
proxmox-network.jpg

LAN and VLANs in pfSense:

intervlan.jpg


The Proxmox's VMs are connected via vmbr1 to VLAN1 (192.168.10.0/24).
If I plug any device into the enp5s1 NIC it goes on the LAN (192.168.5.0/24) and gets its own IP regularly (for the record, I haven't yet managed to set up VLANs and a trunk port on my DD-WRT device).

I was wondering what would happen (both to any physical devices connected virtually to it and those on VLAN1) if I passthrough the enp5s1 physical NIC directly to pfsense?

Could you help me figure it out?
Thanks
 
If you passthrough enp5s1 to the pfsense VM, that NIC doesn't exist on your host anymore. So your vmbr1 would be connected to nothing and no other VMs will have access to your LAN (or only indirectly over that pfsense VM if it is running and set up as the gateway).
 
ok,
I need to make sure that I'm getting it right
I don't think I got exactly what is going to happen to VMs in proxmox if I passthrough the NIC.
Would the same physical devices connected to the same NIC still have access to the LAN and get their IPs from pfsense?

Internal VMs won't have access to LAN anymore, and not to VLAN10 either? Would they be totally isolated or could I create a new vmbr for them? But if proxmox can't see the NIC anymore it wouldn't be possible to create a new vmbr on the same NIC, I guess.
Thanks
 
No. If you only have 2 NICs and one NIC is only for your WAN and you pass through the other NIC to your pfsense VM, your PVE host only has that WAN NIC left and there is no NIC to connect your host over your switch to your LAN.
So any guest on that host and even the host itself could only access the LAN indirectly by sending requests to your pfsense VM, and that pfsense VM would need to route all the packets over the switch to your LAN, because the pfsense VM is the only thing that has a physical connection to your LAN.
 
No. If you only have 2 NICs and one NIC is only for your WAN and you pass through the other NIC to your pfsense VM, your PVE host only has that WAN NIC left and there is no NIC to connect your host over your switch to your LAN.
ok, this is clear

So any guest on that host and even the host itself could only access the LAN indirectly by sending requests to your pfsense VM, and that pfsense VM would need to route all the packets over the switch to your LAN, because the pfsense VM is the only thing that has a physical connection to your LAN.
Please still bear with me

still something I'm struggling to figure out properly here.
Please let's go on by making some examples

1) I'll passthrough the second NIC. What happens to the switch or any PC connected to the second NIC? Can they access the internet as they did before?

2) Other than pfsense, will the internal linux and windows VMs be totally isolated? Is there anything I can do to "fix" it? Which setup exactly?

Thanks
 
If you make sure that this NIC will be used for your LAN inside your pfsense, that should work. But then you have the problem that no other VM can access your LAN. For that your pfsense would need another virtio NIC connected to vmbr1. But then your pfsense would have 2 NICs in the same (LAN) subnet and that is bad. So in that case you would need to create another subnet (some kind of DMZ) that is used with the virtio NIC that is attached to vmbr1, so other VMs would still not be part of your LAN but only part of that DMZ.

Why do you want to passthrough the NIC at all? There shouldn't be a noticeable performance improvement anyway if you only have a Gbit NIC. Virtio should have no problem allowing the full Gbit bandwidth. So you just make it unnecessarily complicated.
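
Added example, not part of the original thread: a small Python check of the two layouts described in the reply above, showing why a second pfSense interface in the LAN subnet is ambiguous and why VMs on a separate DMZ subnet can only reach the LAN through pfSense. The interface names, the host addresses and the 192.168.20.0/24 DMZ subnet are constructed for illustration; only 192.168.5.0/24 comes from the thread.

```python
import ipaddress
from itertools import combinations

# Plan A (the case the reply calls bad): both pfSense NICs sit in the LAN subnet.
# Interface names and host addresses are constructed for this example.
PLAN_SAME_SUBNET = {
    "lan_passthrough": "192.168.5.1/24",   # passed-through enp5s1
    "virtio_vmbr1": "192.168.5.2/24",      # virtio NIC attached to vmbr1
}

# Plan B: the virtio NIC gets its own subnet (DMZ). 192.168.20.0/24 is an assumption.
PLAN_DMZ = {
    "lan_passthrough": "192.168.5.1/24",
    "virtio_vmbr1": "192.168.20.1/24",
}


def _networks(interfaces):
    """Map interface name -> ip_network, accepting host addresses like .1/24."""
    return {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in interfaces.items()}


def overlapping_interfaces(interfaces):
    """Return sorted pairs of interfaces on one router whose subnets overlap."""
    nets = _networks(interfaces)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def segments_of(address, interfaces):
    """Return every interface whose subnet contains the address (more than one = ambiguous)."""
    ip = ipaddress.ip_address(address)
    return sorted(name for name, net in _networks(interfaces).items() if ip in net)


def must_route(src, dst, interfaces):
    """True when src and dst share no segment, so traffic has to cross the router."""
    return set(segments_of(src, interfaces)).isdisjoint(segments_of(dst, interfaces))


if __name__ == "__main__":
    for label, plan in (("same subnet", PLAN_SAME_SUBNET), ("DMZ", PLAN_DMZ)):
        print(label, "overlaps:", overlapping_interfaces(plan))
    # A VM in the DMZ talking to a LAN host must pass through pfSense.
    print("VM -> LAN host routed:", must_route("192.168.20.50", "192.168.5.20", PLAN_DMZ))
```

In the DMZ layout every VM-to-LAN flow crosses pfSense, so its firewall rules on the DMZ interface decide what the VMs may reach on the LAN.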
 
If you make sure that this NIC will be used for your LAN inside your pfsense that should work.

Yes, the LAN I created in pfsense. In a few words, I don't want that anything would change at least for the physical device (a switch) connected to the physical NIC (the LAN on subnet 192.168.5.0/24 now) once I passthrough it to pfSense.
But then you have the problem that no other VM can access your LAN. For that your pfsense would need another virtio NIC connected to vmbr1. But then your pfsense would have 2 NICs in the same (LAN) subnet and that is bad. So in that case you would need to create another subnet (some kind of DMZ) that is used with the virtio NIC that is attached to vmbr1, so other VMs would still not be part of your LAN but only part of that DMZ.

I think I get it now! Thanks
Why do you want to passthrough the NIC at all? There shouldn't be a noticeable performance improvement anyway if you only have a Gbit NIC. Virtio should have no problem allowing the full Gbit bandwidth. So you just make it unnecessarily complicated.
No need at all at the moment. It would be just for learning purposes, but I think you're right; it is unnecessarily complicated.
Thanks again
 