I am setting up a site-to-site IPsec between two OPNsense machines (21.7) and want to access the internet from a client in the LAN of A, while the internet access is located on B.
I followed the configuration tutorial at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html to establish the IPsec tunnel. For ease of use, I configured a rule on both machines' "IPsec" interface to allow everything inbound. A has a default route via the tunnel address of B, B has a route to LAN of A via tunnel address of A and a default route via the internet router. (Obviously, the tunnel addresses are configured gateways, as stated in the above tutorial.)
On A, I put a rule allowing access from LAN of A to all non-private IPs. The same is configured on B for LAN of B.
What bugs me now is that I can only reach some, but not all, websites from a client in the LAN of A (while all are accessible when I try connecting from A itself, so IPsec seems to work fine). The firewall log of A reports the requests passing, but the responses being blocked by "Default deny rule", completely ignoring my any-rule.
(Attachment: firewall log screenshot, https://forum.opnsense.org/index.php?action=dlattach;topic=24234.0;attach=18262)
I cannot understand how google.com does not pass, but facebook.com does. Something must be different for those sites to be handled differently, but I cannot find the cause...
https://github.com/opnsense/core/issues/5156
Turns out it was a fragmentation error. Setting MSS to 1300 (and a corresponding MTU of 1340) on the LAN interface solved it.
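To see why a site-specific symptom like this comes from tunnel overhead, it helps to work out how much of the outer 1500-byte MTU an ESP tunnel actually leaves for the inner packet. The following is an added example, not code from the thread or from OPNsense: it models ESP tunnel-mode overhead over IPv4 (RFC 4303 layout, with the IV and ICV sizes of the common AES-GCM and AES-CBC+HMAC proposals) and derives the largest inner packet and the matching TCP MSS clamp. Which proposal and whether NAT-T is in use are assumptions you must check against the real phase-2 settings; the suite names and the `recommend` helper are this example's own.

```python
"""Estimate the inner MTU / TCP MSS an IPsec ESP tunnel leaves over a 1500-byte path.

Added example, not from the forum thread. Header sizes follow RFC 4303 (ESP)
and RFC 4106 (AES-GCM in ESP). The cipher suite and NAT-T assumptions are
illustrative: verify them against the tunnel's actual phase-2 proposal.
"""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20      # TCP header without options
UDP_HEADER = 8       # NAT-T encapsulation (UDP/4500)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # explicit IV bytes preceding the encrypted payload
    align: int       # payload + padding + trailer must be a multiple of this
    icv_len: int     # integrity check value appended after the trailer


# Assumed, commonly used proposals (constructed table, not OPNsense defaults).
SUITES = {
    "aes-gcm-128":    EspSuite("aes-gcm-128",    iv_len=8,  align=4,  icv_len=16),
    "aes-cbc+sha256": EspSuite("aes-cbc+sha256", iv_len=16, align=16, icv_len=16),
    "aes-cbc+sha1":   EspSuite("aes-cbc+sha1",   iv_len=16, align=16, icv_len=12),
}


def max_inner_packet(outer_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """Largest inner IPv4 packet that still fits in one outer packet of outer_mtu bytes."""
    fixed = IPV4_HEADER + ESP_HEADER + suite.iv_len + suite.icv_len
    if nat_t:
        fixed += UDP_HEADER
    room = outer_mtu - fixed               # bytes for payload + padding + trailer
    aligned = room - (room % suite.align)  # round down to the cipher's block alignment
    return aligned - ESP_TRAILER           # choose a payload size that needs no padding


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment within the given IPv4 MTU (no TCP options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def full_segment_size(mss: int) -> int:
    """On-the-wire IPv4 packet size of a maximal TCP segment for a given MSS."""
    return mss + IPV4_HEADER + TCP_HEADER


def fits_tunnel(mss: int, outer_mtu: int, suite_name: str, nat_t: bool) -> bool:
    """True if a full-size segment can cross the tunnel without IP fragmentation."""
    inner = max_inner_packet(outer_mtu, SUITES[suite_name], nat_t)
    return full_segment_size(mss) <= inner


def recommend(outer_mtu: int, suite_name: str, nat_t: bool) -> dict:
    """Inner MTU and MSS clamp to configure for the given outer path and proposal."""
    inner = max_inner_packet(outer_mtu, SUITES[suite_name], nat_t)
    return {"inner_mtu": inner, "mss": mss_for_mtu(inner)}


if __name__ == "__main__":
    # A LAN host behind a 1500-byte interface advertises MSS 1460 by default;
    # every maximal segment becomes a 1500-byte inner packet, which never fits.
    for name in SUITES:
        for nat_t in (False, True):
            r = recommend(1500, name, nat_t)
            print(f"{name:15} nat_t={nat_t!s:5} inner_mtu={r['inner_mtu']} "
                  f"mss={r['mss']} default_mss_1460_fits={fits_tunnel(1460, 1500, name, nat_t)}")
    print("thread's clamp: MTU 1340 -> MSS", mss_for_mtu(1340))
```

The pattern in the thread (some sites work, others do not) is what you get when a full-size inner packet does not fit: sites whose servers send large DF-flagged segments and whose paths swallow the resulting ICMP "fragmentation needed" messages stall, while sites that happen to send smaller packets or honor the ICMP keep working. Clamping the MSS so that `full_segment_size(mss)` is at or below the tunnel's inner MTU removes the dependency on path MTU discovery entirely, which is why the 1300/1340 setting from the thread works regardless of proposal.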