Virtualization of pfSense on KVM went smoothly for the most part. PCI pass-through to a network card worked swimmingly, and I adore the new built-in virtio driver support.
Then I tried building a DMZ in pfSense so that I could run isolated guest VMs on the same host. I created an isolated virtual network on KVM, and added a virtio network interface to the pfSense VM. PfSense saw the new interface and automatically created the NAT rule for the DMZ, but I had to add a firewall rule allowing the DMZ traffic to flow. Finally, I moved a guest VM's network interface over to the new DMZ.
Very strange...I could ping other hosts and even Internet hosts. I could see the traffic flowing just fine through pfSense. But the Internet would not work. Finally, after trying a non-virtio network driver, I realized virtio was the problem.
In short, "Hardware Checksum Offloading" must be turned off in pfSense for virtio to work properly. Go to the System --> Advanced --> Networking tab in pfSense and turn off hardware checksum offloading. Reboot pfSense and PROFIT!
Warm regards go to this helpful article: https://doc.pfsense.org/index.php/VirtIO_Driver_Support
I'm not sure how much of this is still necessary as pfSense now has built-in virtio driver support, but disabling hardware checksum offloading is definitely required!
Yes, I know it's a security feature, but it's very frustrating for my colleagues that constantly download PDFs via Internet Explorer, confirming each and every ...
I hate spam. I detest it. And I'm not talking about the scrumptious processed meat product. I think you all know the spam I'm referring to—the kind peddling ...