For the past few years, I’ve been running pfSense (and more recently OPNsense) in a virtual machine within Proxmox. This has been running fine with a single onboard Intel NIC. A few months ago, I upgraded to a machine that has a CPU that supports hardware-accelerated transcoding, has more SATA ports, and has more PCI slots for future expansion. With the goal of having a dedicated NIC for WAN, I bought an inexpensive 1Gbps PCIe NIC (TG-3468) despite reading about some of the concerns around Realtek NICs (sluggish performance, driver instability, and in some cases system crashes).

I’ve been running Realtek NICs reliably on Linux and Windows desktops, so I figured I could make it work without too much effort, but it turns out Realtek NICs really can be problematic when it comes to FreeBSD-based routers, and some commonly documented workarounds did not solve my problems.

Environment

My environment consists of:

  • Proxmox 8.4
  • OPNsense 25.1 (Virtual Machine)
  • Ethernet controller: Intel Corporation Ethernet Connection (5) I219-LM
  • Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)

Goal

The goal is to upgrade the OPNsense router from a single NIC to two NICs, where each NIC is dedicated to:

  1. WAN: the connection to the internet (via the ONT)
  2. LAN: the internal network for computers, phones, IoT devices, etc.

Having two separate physical interfaces for WAN and LAN creates clear, physical separation between the untrusted external network and trusted internal network at the hardware level. This also should improve performance and throughput since the same physical connection is no longer shared between WAN and LAN.

Device Passthrough

For maximum performance and reduced hypervisor overhead, passing through a physical NIC for WAN directly to the VM seemed to make the most sense, so I passed it through to the OPNsense VM.

[Image: passthrough]

[Image: passthrough-add-pci]

After adding the PCI device, I restarted the OPNsense VM and re-configured the WAN to use this device.

I received the WAN IP and everything appeared to be working. After running it for a couple of hours, I checked my instance of speedtest-tracker and noticed that the download speeds were significantly slower than historical records:

[Image: speedtest-tracker]

After switching the WAN back to the original shared NIC, the download speeds returned to more average levels.

Realtek drivers

After some searching, I read that installing the OPNsense plugin os-realtek-re can help with stability issues.

After installing this plugin and ensuring the kernel module was loaded by following the post-install instructions, the throughput was still much slower than I was expecting.

I was starting to think that there might be a problem with the NIC itself (and began the process to return it to the vendor).

Virtualized NIC with a Linux bridge

As one last shot, I created a Linux Bridge in the Proxmox GUI with the Realtek NIC and passed it through to the OPNsense VM:

[Image: linux-bridge]

[Image: linux-bridge-add-network-device]

After re-configuring the WAN interface in OPNsense to use the newly added network device, the download and upload speeds returned to average levels. This also bypasses the need for installing Realtek FreeBSD drivers on the OPNsense VM, since the network device is virtual and managed on the Proxmox host.
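With the bridge approach the Proxmox host, not the VM, owns the Realtek NIC, so the WAN bridge should enslave that NIC and have no host address configured on it. The following is an added example (not from the original post) that audits a host `/etc/network/interfaces` file for exactly that; the names `vmbr1`, `enp3s0`, `vmbr0`, `eno1` and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: vmbr1 = WAN bridge,
# enp3s0 = Realtek NIC, vmbr0/eno1 = existing LAN bridge on the Intel NIC.

# Constructed sample of a Proxmox host /etc/network/interfaces after adding the bridge.
sample_interfaces() {
    cat <<'EOF'
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1

iface enp3s0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
EOF
}

# Prints "ok" (exit 0) when BRIDGE is "inet manual", has PORT as a bridge port and
# carries no host address; otherwise prints the reason and exits 1.
# Usage on a host: check_wan_bridge /etc/network/interfaces vmbr1 enp3s0
check_wan_bridge() {
    awk -v br="$2" -v port="$3" '
        $1 == "iface" {                      # new stanza: is it the audited bridge?
            in_br = ($2 == br)
            if (in_br) { found = 1; if ($4 != "manual") bad = $3 " " $4 }
            next
        }
        $1 == "auto" || $1 ~ /^allow-/ { in_br = 0; next }   # stanza boundary
        in_br && $1 == "address" { has_addr = 1 }
        in_br && $1 == "bridge-ports" {
            for (i = 2; i <= NF; i++) if ($i == port) has_port = 1
        }
        END {
            if (!found)    { print "bridge " br " not defined"; exit 1 }
            if (bad != "") { print br " uses " bad ", expected inet manual"; exit 1 }
            if (has_addr)  { print br " has a host address on the WAN side"; exit 1 }
            if (!has_port) { print port " is not a port of " br; exit 1 }
            print "ok"
        }
    ' "$1"
}
```

Running the check against the sample passes for `vmbr1` and fails for `vmbr0`, which is expected because the LAN bridge is the one that carries the host's management address.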

Conclusion

Although I am not sure why passing through a Realtek NIC to an OPNsense VM causes so much degradation in throughput, I am glad that there is a workaround. If I get my hands on another NIC, I will try to see if the issue can be reproduced.