DHCP fails to work after 9.0 upgrade?

vguttmann

New Member
Sep 7, 2025
We've got an installation of pfSense inside a Proxmox VM, and after upgrading to Proxmox 9.0, VMs inside the same cluster suddenly fail to get IPs via DHCP.
We don't have the firewall enabled either.

Does anyone know what's going on there?
 
You can run a packet capture (Diagnostics -> Packet Capture) on your pfSense box. You can even run it on the Proxmox boxes too if you install tcpdump.

  • DHCP is very well defined
  • You can't see network packets with your eyes - you need to use tcpdump
You own the gear, how on earth do you expect outsiders to work out what is wrong?

I remember when a network analyzer was an expensive laptop that cost (a lot) and had two RJ45 and a few other connections and a horrific interface.

Nowadays a software package called "ethereal" is a distant memory and we have Wireshark. It's GPL open source, so completely free.

Please use Wireshark and tcpdump. If you don't know how, then please learn or even ask. The functions they perform are way better than what used to cost at least £10,000 (with an annual sub on top).
 
Packet capture in pfSense is a good idea, I didn't even think about that.

Mostly this post was just to see if there's some obvious issue with the upgrade that I somehow didn't find. I'll try that and report back.
 
I had a problem with DHCP after upgrading to PVE 9. Solved by enabling the datacentre firewall and open access from there.

Things I tried that didn't work.
Changing the client LXCs from debian12 to debian13.
I tried swapping to dhcpd-base and removing isc-dhcp-client but all that happened is that a temporary 168 address was assigned until the dhcp did succeed eventually, a few minutes later.
I ensured I didn't have firewall rules turned on within the LXC configuration, but that made no difference.
I added rules to accept DHCP traffic in the datacentre firewall rules without turning the firewall on. That made no difference.

Things that did work.
Manually setting the IP address to match the one that would have been offered through DHCP (though that's not a scalable solution and left the puzzle bugging me).

After exhausting the possibilities above, and snooping traffic to validate that the LXC network instance and the Proxmox host interface were not seeing the DHCP messages that were obviously working fine with other devices on my network, I turned on the datacentre firewall with all traffic permitted (to replicate the behaviour of my intent that the Proxmox firewall wasn't part of my security layering), and immediately the DHCP responses worked.
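
The capture comparison described in this thread (which DHCP messages each capture point actually saw), as an added example that is not code from any poster: it reads the DHCP message type from UDP payloads and reports the first handshake stage missing at each point. The payloads, the MAC address and the names `bridge_capture` and `guest_capture` are constructed, and extracting the UDP payloads from a pcap is assumed to have been done beforehand.

```python
import struct

# DHCP message types from option 53 (RFC 2132), in handshake order.
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
ORDER = ["DISCOVER", "OFFER", "REQUEST", "ACK"]
MAGIC = b"\x63\x82\x53\x63"  # cookie that follows the 236-byte BOOTP header


def parse_dhcp(payload):
    """Return (client_mac, message_type) for one UDP 67/68 payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None  # truncated capture or not DHCP
    mac = payload[28:34].hex(":")  # chaddr field, Ethernet length assumed
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            return mac, TYPES.get(payload[i + 2], "OTHER")
        i += 2 + length
    return None


def first_missing(payloads):
    """Map each client MAC to the first handshake stage absent from a capture."""
    seen = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    return {m: next((s for s in ORDER if s not in st), None)
            for m, st in seen.items()}


def build(msg_type, mac=bytes.fromhex("bc2411000001")):
    """Constructed sample message: BOOTP header, cookie, option 53, end."""
    op = 1 if msg_type in (1, 3) else 2  # 1 = from client, 2 = from server
    hdr = struct.pack("!BBBBI", op, 1, 6, 0, 0x1234ABCD) + bytes(20)
    return hdr + mac + bytes(10 + 192) + MAGIC + bytes([53, 1, msg_type, 255])


# Constructed captures: the bridge sees the OFFER, the guest interface does not.
bridge_capture = [build(1), build(2)]
guest_capture = [build(1)]
print("bridge:", first_missing(bridge_capture))
print("guest: ", first_missing(guest_capture))
```

When the guest-side capture is missing a stage that the host-side capture contains, the reply is being dropped between those two points, so the host's filtering state is the place to look.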
 
I asked ChatGPT about this, and received a very plausible observation that whilst my default configuration had both datacenter and client firewalls off, I had failed to notice that the node firewall was still switched on. I'm not completely sure about this because my PVE 8.3.4 seems to be configured identically with 9.0.6 by default, but if the move from debian12 to debian13 as a base for PVE changed the default firewall rule then that's a possibility... or it's a bug because having the same config should not change behaviour like that.