i’ve created my own wifi router & firewall using pci passthrough for the network card to a kvm/libvirt/qemu virtual machine running pfsense hosted on an ubuntu server and it works well enough; but the pci id changes roughly every other reboot.
i was thinking of adding another hack in the form of a bash script to launch the vm and then modify the virtual machine’s xml if there’s a problem and then attempt another relaunch; but this entire exercise has taught me the hard way that hack-on-top-of-hack-on-top-of-hack is impossible to remember and there will come a point where something will break and i’ll spend a couple of days relearning how to build my own router again.
any advice on how to make it all more mindless and/or graceful?
What does running pfsense in a virtual machine really give you? Consider setting up the ubuntu server as a router directly. The most important part is making sure you configure the firewall correctly (iptables or nftables). dnsmasq can handle dhcp requests and hostapd can provide wireless. Be careful that all services are listening only on appropriate network interfaces before you connect it to the internet.
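An added example of the approach this reply suggests, not the replier's or the OP's own config: a minimal nftables ruleset for a two-interface Ubuntu router where the router's own services (DNS, DHCP, SSH) are only reachable from the LAN side. The interface names enp1s0 (WAN) and lan0 (a bridge holding wired LAN and Wi-Fi) are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed names: enp1s0 is the WAN NIC, lan0 is the LAN bridge.
flush ruleset

define WAN = "enp1s0"
define LAN = "lan0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections the router started are fine.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Services the router itself offers, LAN side only:
        # DNS (53), DHCP (67/udp), SSH (22). Nothing is opened towards WAN.
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport { 22, 53 } accept
        iifname $LAN icmp type echo-request accept
        iifname $LAN icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # ICMPv6 that IPv6 needs to work on the WAN link (neighbour discovery, router advertisements).
        iifname $WAN icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may open connections outwards; WAN cannot open connections into LAN.
        iifname $LAN oifname $WAN accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source NAT for everything leaving via WAN.
        oifname $WAN masquerade
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before enabling it, and pair it with `interface=lan0` and `bind-interfaces` in dnsmasq.conf so DHCP/DNS sockets are never bound on the WAN address in the first place.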
It gives flexibility. Snapshots, migrations, etc.
i learned the hard way about a decade ago that i lack the patience and sufficient enough attention to detail to run a public facing server of any kind; so the biggest benefit of using pfsense is peace of mind.
the 2nd biggest benefit is a perpetually self auto-updating firewall and significantly improved capacity without having to buy a new router every few years. i started this rebuild because i’m anticipating a gigabyte connection and the previous network adapter i was using for pci passthrough would have been the biggest speed bottleneck.
the 3rd biggest benefit is that i also use the host as an everything server including backups, extra storage, internet accessible storage, print, media, torrent, automatic vpn, automatic ad blocker and tv via kodi and i don’t have to configure most of it since those capabilities are click-on-a-checkbox-to-turn-it-on easy thanks to the pfsense software.
finally: each time i have to do it, i learn at least one new thing about the foss ecosystems/projects related to the components/services that i have to build and how they’ve changed or how alternatives are needed since the last time i did it.
btw: the server is handling the dhcp and wifi using networkmanager because hostapd is about 25% slower and pfsense is only the firewall and most of those services i mentioned earlier.