I am currently setting up a k3s cloud test environment on a single physical machine with KVM and libvirt. To isolate the setup, I chose a bridge for all the VMs and a pfSense to bridge it into the real world.
While testing, I noticed that no updates were installed. Pinging worked, and TCP from the pfSense itself worked too.
So was the NAT broken? According to this forum thread starting in 2015, the reason was the virtio network card.
The workaround
Using the e1000 driver works and is fast enough.