I am virtualising my firewall, NAS and other services to reduce hardware diversity. Specifically, I want to run at least pfSense and OpenMediaVault on Citrix Hypervisor (v8 at the time of writing).

This requires switching off network checksum offloading or passing through the WAN & LAN network ports directly to the pfSense virtual machine. I prefer the latter, suspecting that it provides a smaller pre-FW attack surface. This choice forgoes the ability to live migrate and/or stop/start the FW VM across servers.

The command I use is in the form:

xe vm-param-set other-config:pci=0/0000:04:01.0,0/0000:00:19.0 uuid=[vmuuid]

What I can't find anywhere is whether this command is persistent or needs to be run at each boot of the pfSense VM. The command to prevent the network ports from being virtualised is embedded in grub.cfg, but this isn't. I'd like to be sure, and maybe even to know how this is persistent across reboots.

andybjackson

1 Answer

This parameter will be saved in the XenServer database (state.db). It is persistent across reboots. You can verify it with "xe vm-param-get uuid=[vmuuid] param-name=other-config".

Striker_84
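An added example, not part of the question or the answer above: a check that can be run after a host reboot to confirm the firewall VM's `other-config:pci` entry still lists both passed-through ports before the VM is started. The function names and the `VM_UUID` and `EXPECTED_PCI` variables are hypothetical, and the value format is assumed to be the one shown in the question.

```shell
#!/bin/sh
# Added example: check that a VM's other-config:pci still lists the expected NICs.
# Assumption: the value has the form shown in the question,
# e.g. "0/0000:04:01.0,0/0000:00:19.0" (N/domain:bus:device.function).

# Print the PCI addresses in $1, one per line, without the "N/" prefix, sorted.
pci_list() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's|^[0-9]*/||' |
        tr 'A-F' 'a-f' |
        { grep -E '^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$' || true; } |
        sort -u
}

# Print every device expected in $2 that is absent from the configured value $1.
missing_devices() {
    have=$(pci_list "$1")
    for dev in $(pci_list "$2"); do
        printf '%s\n' "$have" | grep -Fxq "$dev" || printf '%s\n' "$dev"
    done
}

# Succeed only when configured ($1) and expected ($2) name the same devices.
passthrough_matches() {
    [ "$(pci_list "$1")" = "$(pci_list "$2")" ]
}

# Read the stored value for one VM ($1 = UUID) and compare it with $2.
check_vm() {
    value=$(xe vm-param-get uuid="$1" param-name=other-config param-key=pci 2>/dev/null) || value=""
    missing=$(missing_devices "$value" "$2")
    if [ -n "$missing" ]; then
        echo "other-config:pci no longer lists: $missing" >&2
        return 1
    fi
    passthrough_matches "$value" "$2" || echo "note: extra devices configured: $value" >&2
    return 0
}

# Runs only on a host where both variables are set (hypothetical names).
if [ -n "${VM_UUID:-}" ] && [ -n "${EXPECTED_PCI:-}" ]; then
    check_vm "$VM_UUID" "$EXPECTED_PCI" || exit 1
fi
```

A missing port matters here because the firewall VM would otherwise boot without its WAN or LAN interface; the script exits non-zero in that case so it can gate an automated VM start.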