My Network Basics
I have Comcast Xfinity Internet which comes into my house via coaxial cable. That goes into my Zoom modem (Model 5341J). The Ethernet connection coming out of my modem is my WAN (Wide Area Network) connection. That goes into my Asus RT-AC87R wireless router. The router provides an Ethernet connection to two desktops and Wifi for various laptops, phones, and an Xbox.
My Hyper-V Setup
I have a basic desktop PC running Windows 10 Pro with Hyper-V enabled. The motherboard has one Ethernet port and I've added two more Ethernet ports with PCIe add-in cards.
Run pfSense in Hyper-V
I use all 3 network cards (NICs) in my PC to make this work. I'm sure there are other ways to do this, but this is how it makes sense to me. I consider the Ethernet port on my motherboard my management port, and I don't make any changes to it or assign it to Hyper-V. It picks up a DHCP address from whatever it's plugged into and provides network connectivity just like any other Windows 10 PC. The second NIC is assigned as a virtual switch in Hyper-V as my pfSense WAN port. The third NIC is assigned as a virtual switch in Hyper-V as my pfSense LAN port.
[Image: Status details of the physical NIC in the Hyper-V host. It's blank, because it's not a NIC any more; it's a layer 2 switch.]
To create a virtual switch this way in Hyper-V Virtual Switch Manager, select External network, select the NIC that you want to convert to a virtual switch, and do not select "Allow management operating system to share this network adapter". Create one switch this way to be your WAN port and assign it to your pfSense virtual machine. This should be the only virtual machine that uses this virtual switch. In my situation, I installed and configured pfSense with only the WAN port connected. Then I created the second virtual switch with the remaining NIC, and this acts as my pfSense LAN connection. I plugged this into a physical 8 port switch. Any devices I plug into the physical switch will get their internet through pfSense. Most likely you'll want to enable DHCP on pfSense so that those devices get IP addresses.
Configure Double NAT
Many people want to run pfSense in a home lab environment and I'm one of them. Basically, this means that pfSense is running inside my regular home network instead of being connected directly to the Internet. It's also called double NAT. My first step was configuring a static MAC address on my pfSense WAN NIC inside the virtual machine. The default is for Hyper-V to use dynamic MAC addresses, which isn't very useful in my situation. In order to do this, I had to power on the virtual machine, allow it to obtain a dynamic MAC address, then shut it down and change the setting in Hyper-V to static. Then I connected the WAN NIC/Virtual Switch to my Asus router with an Ethernet cable. The router uses DHCP to assign a 192.168.x.x IP address to the pfSense WAN NIC just like it would any other computer. After that, I found that MAC address in the DHCP lease list of the Asus router and set it to be a static reservation. So inside pfSense, the WAN port is set to get an IP address via DHCP, but on my router, which is handing out the DHCP leases, it's set as a reservation so it will always be the same IP.
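The switch and static MAC steps described above can also be scripted, with a check that the host and other VMs stay off the WAN switch. This is an added example, not the author's own commands; the VM name, switch names and host adapter names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example; every name here is an assumption (list host NICs with Get-NetAdapter).
$VmName    = 'pfSense'
$WanSwitch = 'pfSense-WAN'; $WanNic = 'Ethernet 2'
$LanSwitch = 'pfSense-LAN'; $LanNic = 'Ethernet 3'

# External switches bound to one physical NIC each, not shared with the host OS
# (the unchecked "Allow management operating system to share..." box).
foreach ($s in @(@($WanSwitch, $WanNic), @($LanSwitch, $LanNic))) {
    if (-not (Get-VMSwitch -Name $s[0] -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $s[0] -NetAdapterName $s[1] -AllowManagementOS $false | Out-Null
    }
}

# Pin the MAC that Hyper-V already handed to the WAN adapter, so the upstream
# router's DHCP reservation keeps matching. The VM must have booted once and be off.
$wan = Get-VMNetworkAdapter -VMName $VmName | Where-Object SwitchName -eq $WanSwitch
if ($wan -and $wan.DynamicMacAddressEnabled) {
    if ((Get-VM -Name $VmName).State -ne 'Off') {
        Write-Warning "Shut down $VmName before switching its WAN MAC to static."
    } elseif ($wan.MacAddress -eq '000000000000') {
        Write-Warning "No MAC assigned yet; boot $VmName once, shut it down, re-run."
    } else {
        Set-VMNetworkAdapter -VMNetworkAdapter $wan -StaticMacAddress $wan.MacAddress
    }
}

# Audit: the host must not sit on the WAN switch, and only pfSense may use it.
$findings = @()
if ((Get-VMSwitch -Name $WanSwitch).AllowManagementOS) {
    $findings += "Host OS shares the NIC behind '$WanSwitch'."
}
Get-VMNetworkAdapter -All | Where-Object {
    $_.SwitchName -eq $WanSwitch -and $_.VMName -ne $VmName
} | ForEach-Object {
    $owner = if ($_.IsManagementOs) { 'management OS' } else { "VM '$($_.VMName)'" }
    $findings += "Unexpected adapter on '$WanSwitch': $owner."
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "Only $VmName is attached to '$WanSwitch'." }
```

Attach the pfSense VM's adapters to the two switches before running the MAC and audit parts; the script leaves that step to Hyper-V Manager, as in the post.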
Normally when you plug in pfSense or any other router to the Internet, your ISP gives you a public facing IP address. For example, if you have Comcast, you might use one of these dynamic IP addresses, such as 75.74.X.X. With consumer Internet service, a bunch of people will probably be sharing that IP address with you. But in my situation, the Asus router is connected to the Internet and uses the public IP address from the ISP. The pfSense router can't use that address, and besides, it already got a local, private IP address, which in my case is 192.168.X.X. If you're new to this it seems a bit strange, but for most things, it doesn't make any difference. pfSense accepts that address as its WAN address and uses it just like it would any other WAN address. If you try running some advanced networking configurations or run a web server inside the pfSense network, you might have some difficulty with this double NAT setup, but for all basic web usage, it's fine.
See the diagram of my network below. As I have it configured my Windows 10 Hyper-V host is connected to the physical switch that the pfSense LAN is connected to. Alternatively, I could plug the Hyper-V host into the Asus router and it would be on that network instead. Or I could get a 4th network card and plug the Hyper-V host into both and it would be in both networks at the same time. Either way, the host doesn't know or care that it's running pfSense and it's happy to receive Internet from it or from any other source.