Authorized NFS hosts/IPs with VLANs issue

Good day,

I am troubleshooting VLAN NFS issues. The issue:
When using VLANs in conjunction with NFS authorized hosts/networks, I have been unable to correctly configure IP restrictions. As an example:

-vlan800 with parent ix0
-vlan900 with parent ix0
-ix0 does not have an IP
-vlan800 IP: (client IP on PVE)
-vlan900 IP: (client IP on PVE)
-NFS v4 enabled on TrueNAS
-Two NFS shares, with one restricted to and the other restricted to

With this setup, one of the two shares will be inaccessible unless I add the second client IP to the authorized host list (in the specific NFS share config). This would result in one share that allows both and If I remove the authorized IP, the share is no longer accessible. This leads me to think that it’s a routing issue, but I don’t see how it can be.

On TrueNAS in the console I can see successful export requests from both client IP addresses, continuously, regardless of the write permission error I get on Proxmox when trying to add the NFS share (without the second IP added to the share in TrueNAS).

I am not an expert, but I do have plenty of Linux/Unix experience. Perhaps I’ve missed something, or I’m going in the wrong direction. Either way, I’d appreciate any assistance.


Node00 - TrueNAS CORE (latest as of last week)
ASRock E3C246D4U
Xeon E-2288G
64 GB ECC
X540-AT2 Dual Port 10G NIC

Node01 - Proxmox VE (latest as of last week)
Same exact hardware as node00. It has a different HBA, but that’s it.

Both nodes are connected via both X540 ports, directly.

PVE setup:
-ix0 (port 0 of the X540) will be connected to a bridge (vmbr2). This bridge has no VLANs, just a single IP on the bridge for access to NFS/iSCSI from the PVE host.
-ix1 will be connected to another bridge (vmbr3). This bridge will not have an IP, but will have multiple tagged connections to multiple VMs. This is for storage access from within a VM.

TrueNAS CORE setup:
-ix0 has an IP in the same subnet as the static IP set on the bridge vmbr2. This connection works fine.
-ix1 does not have an IP assigned. The IP is assigned on the VLAN interfaces.
-Each VLAN has specific NFS shares that should be served. My implied configuration is to use IP restrictions for each share.