Virtual PfSense on KVM - VirtIO Network Issues

Virtualization of pfSense on KVM went smoothly for the most part.  PCI pass-through to a network card worked swimmingly, and I adore the new built-in virtio driver support.

Then I tried building a DMZ in pfSense so that I could run isolated guest VMs on the same host.  I created an isolated virtual network on KVM, and added a virtio network interface to the pfSense VM.  PfSense saw the new interface and automatically created the NAT rule for the DMZ, but I had to add a firewall rule allowing the DMZ traffic to flow.  Finally, I moved a guest VM's network interface over to the new DMZ.

Very strange...I could ping other hosts and even Internet hosts.  I could see the traffic flowing just fine through pfSense.  But the Internet would not work.  Finally, after trying a non-virtio network driver, I realized virtio was the problem.

In short, "Hardware Checksum Offloading" must be turned off in pfSense for virtio to work properly.  Go to the System --> Advanced --> Networking tab in pfSense and turn off hardware checksum offloading.  Reboot pfSense and PROFIT!

Warm regards go to this helpful article: https://doc.pfsense.org/index.php/VirtIO_Driver_Support

I'm not sure how much of this is still necessary as pfSense now has built-in virtio driver support, but disabling hardware checksum offloading is definitely required!