Change in visible LAN IP after upgrade to 2.4.5

  • Due to physical constraints I have a bit of a strange set up. With WAN and a LAN (vlans) sharing the same physical interface. Since installing 2.4.4 a few months back, everything's worked as I had hoped. After upgrading to 2.4.5, all seemed fine. But I then noticed a change/quirk I'm struggling to understand.

    Here are the details and I'd be grateful if anyone could point out what might be causing it.

    pfSense is virtualised.

    Proxmox host

    auto lo
    iface lo inet loopback
    iface enp5s0 inet manual
    iface eno1 inet manual
    auto vmbr0
    iface vmbr0 inet static
    	netmask  24
    	bridge-ports enp5s0
    	bridge-stp off
    	bridge-fd 0
    auto vmbr1
    iface vmbr1 inet manual
    	bridge-ports eno1
    	bridge-stp off
    	bridge-fd 0
    	bridge-vlan-aware yes
    	bridge-vids 2-4094


    • VDSL modem VLAN 40
    • Other network devices, including access point, VLAN 10
    • Trunk connected to port proxmox host physical network port en01

    pfSense VM

    • vtnet0 -> vmbr0
    • vtnet1 -> vmbr1 (->switch/trunk)

    pfSense interfaces

    • LAN = Bridge [LAN0(vtnet0), LAN10(vtnet1.10)]
    • WAN = pppoe [vtnet1.40]

    A series of containers and VM's are connected to Proxmox host's bridge vmbr0, as does the proxmox host itself.

    One of these VMs is a pihole and it is the configured DNS server (via pfSense DHCP static leases) for a laptop, phone, tablet & tv.

    observed changes 2.4.4 - 2.4.5

    This all worked as expected under pfSense 2.4.4-3. Pihole reporting discerned the various client IPs.

    After upgrading to 2.4.5, everything stll works, with the exception that pihole sees the pfsense host IP rather than the actual client making the DNS request, when that client's connection is via the bridge/VLAN.
    To confirm difference in behaviour, I ran tcpdump on the pihole VM and pfsense host whilst pfsense was running 2.4.4, then 2.4.5:

    Under 2.4.4, DNS client IP is the real client IP.
    Under 2.4.5, client IP is pfsense (, if the client comes via the VLAN component of the bridge interface.

    Traffic other than DNS shows the expected client LAN IP under both versions of pfSense.

    I have exported the xml config under both instances of pfsense and cannot see any significant changes, just those where the upgrade has wrapped numerous attributes with CDATA tags.
    Had I started with pihole with pfSense 2.4.5, due to lack of knowledge, I probably would not have noticed it.

  • Just an update. This time I upgraded from 2.4.4-3 to 2.4.5-1.
    I performed the upgrade as before, on a restored copy of my pfsense installation. Therefore, apart from the upgrade target, all else should be equal.
    This time however I do not see the post-upgrade issue I described above. I looked at the release notes, nothing struck me as potentially related to the issue I experienced. But all is well now! Thanks.

  • OK, it seem this is not working after all and I am really struggling to understand why.

    The issue exists under 2.4.5 and 2.4.5-1. But not 2.4.4-3.

    • the LAN interface is a bridge comprising vtnet0 and vtnet1.10.
    • vtnet1.10 currently carries traffic, via managed switch, from an Asus access point (both Wireless and wired).
    • pfSense is a Proxmox VM with vtnet0 & vtnet1 on Proxmox bridges. Latter bridge is set 'VLAN aware'.
    • All devices on the bridge are in the same subnet
    • pfSense's IP on LAN (bridge) interface is

    Under pfSense 2.4.4-3, hosts connected to vtnet0 (eg proxy, pihole) see the real IP of incoming connections from clients on vtnet1.10. No problem.

    Under pfSense 2.4.5+, this is also true. Other than for DNS traffic: Hosts on vtnet0 will always see the pfsense LAN IP as the remote device. The DNS replies are still successfully received. The effect is something akin to NAT between the two component interfaces of the bridge, but only for DNS traffic.

    I have dumped the nat & firewall rules from the command line and do not see anything that might target DNS specifically in this situation. As I say, it worked OK under pfSense 2.4.4-3. The pihole could discern the ip addresses of all the clients. Now it only sees those on vtnet0 and for those on vtnet1.10, it only ses the pfsense LAN IP.

Log in to reply