Netgate Discussion Forum

    Change in visible LAN IP after upgrade to 2.4.5

      darcey

      Due to physical constraints I have a bit of a strange setup, with WAN and a LAN (VLANs) sharing the same physical interface. Since installing 2.4.4 a few months back, everything's worked as I had hoped. After upgrading to 2.4.5, all seemed fine. But I then noticed a change/quirk I'm struggling to understand.

      Here are the details and I'd be grateful if anyone could point out what might be causing it.

      pfSense is virtualised.

      Proxmox host

      #/etc/network/interfaces
      
      auto lo
      iface lo inet loopback
      
      iface enp5s0 inet manual
      
      iface eno1 inet manual
      
      auto vmbr0
      iface vmbr0 inet static
      	address  192.168.0.3
      	netmask  24
      	gateway  192.168.0.1
      	bridge-ports enp5s0
      	bridge-stp off
      	bridge-fd 0
      #LAN
      
      auto vmbr1
      iface vmbr1 inet manual
      	bridge-ports eno1
      	bridge-stp off
      	bridge-fd 0
      	bridge-vlan-aware yes
      	bridge-vids 2-4094
      #VLANs (INCL WAN)
      

      Switch

      • VDSL modem VLAN 40
      • Other network devices, including access point, VLAN 10
      • Trunk connected to proxmox host physical network port en01

      pfSense VM

      • vtnet0 -> vmbr0
      • vtnet1 -> vmbr1 (->switch/trunk)

      pfSense interfaces

      • LAN = Bridge [LAN0(vtnet0), LAN10(vtnet1.10)]
      • WAN = pppoe [vtnet1.40]

      A series of containers and VMs are connected to the Proxmox host's bridge vmbr0, as is the Proxmox host itself.

      One of these VMs is a pihole and it is the configured DNS server (via pfSense DHCP static leases) for a laptop, phone, tablet & tv.

      observed changes 2.4.4 - 2.4.5

      This all worked as expected under pfSense 2.4.4-3. Pihole reporting discerned the various client IPs.

      After upgrading to 2.4.5, everything still works, with the exception that pihole sees the pfsense host IP rather than the actual client making the DNS request, when that client's connection is via the bridge/VLAN.
      To confirm difference in behaviour, I ran tcpdump on the pihole VM and pfsense host whilst pfsense was running 2.4.4, then 2.4.5:

      Under 2.4.4, DNS client IP is the real client IP.
      Under 2.4.5, client IP is pfsense (192.168.0.1), if the client comes via the VLAN component of the bridge interface.

      Traffic other than DNS shows the expected client LAN IP under both versions of pfSense.

      I have exported the xml config under both instances of pfsense and cannot see any significant changes, just those where the upgrade has wrapped numerous attributes with CDATA tags.
      Had I started with pihole with pfSense 2.4.5, due to lack of knowledge, I probably would not have noticed it.

        darcey

        Just an update. This time I upgraded from 2.4.4-3 to 2.4.5-1.
        I performed the upgrade as before, on a restored copy of my pfsense installation. Therefore, apart from the upgrade target, all else should be equal.
        This time however I do not see the post-upgrade issue I described above. I looked at the release notes, nothing struck me as potentially related to the issue I experienced. But all is well now! Thanks.

          darcey

          OK, it seems this is not working after all and I am really struggling to understand why.

          The issue exists under 2.4.5 and 2.4.5-1. But not 2.4.4-3.

          • the LAN interface is a bridge comprising vtnet0 and vtnet1.10.
          • vtnet1.10 currently carries traffic, via managed switch, from an Asus access point (both Wireless and wired).
          • pfSense is a Proxmox VM with vtnet0 & vtnet1 on Proxmox bridges. Latter bridge is set 'VLAN aware'.
          • All devices on the bridge are in the same subnet 192.168.0.0/24.
          • pfSense's IP on LAN (bridge) interface is 192.168.0.1.

          Under pfSense 2.4.4-3, hosts connected to vtnet0 (eg proxy, pihole) see the real IP of incoming connections from clients on vtnet1.10. No problem.

          Under pfSense 2.4.5+, this is also true. Other than for DNS traffic: Hosts on vtnet0 will always see the pfsense LAN IP 192.168.0.1 as the remote device. The DNS replies are still successfully received. The effect is something akin to NAT between the two component interfaces of the bridge, but only for DNS traffic.

          I have dumped the nat & firewall rules from the command line and do not see anything that might target DNS specifically in this situation. As I say, it worked OK under pfSense 2.4.4-3. The pihole could discern the ip addresses of all the clients. Now it only sees those on vtnet0 and for those on vtnet1.10, it only sees the pfsense LAN IP.

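The two-sided tcpdump comparison described in the posts above, as an added example that is not part of the original thread: it pairs DNS queries captured on the client segment (vtnet1.10) with their arrival at the DNS server and reports whether the source address changed on the way. The capture lines are constructed, and the client (192.168.0.57) and Pi-hole (192.168.0.5) addresses are assumptions; only 192.168.0.1 comes from the posts.

```python
import re

# Matches DNS query lines in `tcpdump -n` text output (destination port 53 only).
QUERY = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<txid>\d+)[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def parse_queries(capture):
    """Return one dict per DNS query line found in the capture text."""
    return [m.groupdict() for m in map(QUERY.search, capture.splitlines()) if m]

def compare(client_side, server_side):
    """Pair each query seen on the client segment with its arrival at the server."""
    arrivals = parse_queries(server_side)
    findings = []
    for q in parse_queries(client_side):
        key = (q["qname"], q["qtype"])
        hit = next((a for a in arrivals if (a["qname"], a["qtype"]) == key), None)
        if hit is None:
            findings.append((q["qname"], q["src"], None, "missing"))
            continue
        arrivals.remove(hit)  # each arrival explains at most one query
        if hit["src"] == q["src"]:
            verdict = "preserved"
        elif hit["txid"] == q["txid"]:
            verdict = "rewritten"   # same DNS payload, new source: NAT-like
        else:
            verdict = "reissued"    # new transaction ID: a resolver asked again
        findings.append((q["qname"], q["src"], hit["src"], verdict))
    return findings

# Constructed sample lines (not from the thread). 192.168.0.1 is the pfSense LAN
# IP given in the post; the client .57 and Pi-hole .5 addresses are assumptions.
ON_VTNET1_10 = """\
10:00:01.100000 IP 192.168.0.57.40001 > 192.168.0.5.53: 4242+ A? example.com. (29)
10:00:02.100000 IP 192.168.0.57.40002 > 192.168.0.5.53: 4243+ [1au] AAAA? example.org. (40)
"""
ON_PIHOLE = """\
10:00:01.100300 IP 192.168.0.1.40001 > 192.168.0.5.53: 4242+ A? example.com. (29)
10:00:02.100300 IP 192.168.0.1.61000 > 192.168.0.5.53: 4243+ [1au] AAAA? example.org. (40)
10:00:02.101000 IP 192.168.0.5.53 > 192.168.0.1.61000: 4243 1/0/0 AAAA 2001:db8::1 (68)
"""

if __name__ == "__main__":
    for name, seen, arrived, verdict in compare(ON_VTNET1_10, ON_PIHOLE):
        print(f"{name:<14} sent from {seen:<13} arrived from {arrived}  [{verdict}]")
```

The verdicts are a heuristic: an unchanged transaction ID with a changed source suggests address translation on the path, while a new transaction ID suggests a resolver or forwarder re-asking the question on the client's behalf.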
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.