Conditions: OPNsense running behind a Hetzner firewall (such as on their dedicated root servers)
Symptoms: OPNsense update attempts were extremely slow and ultimately would fail, usually with a `No Route To Host` error. Further testing showed that any TCP connections out from OPNsense had an approximately 50% chance of failing with either `No Route To Host` or timing out.
Cause: Hetzner's default firewall rules for established connections expect the ephemeral ports to be in the range of 32768-65535. OPNsense, by default, creates ephemeral ports in the range of 1024-65535. Therefore, ~50% of outbound TCP connections will fail at random as their return traffic is blocked.
Resolution (taken from https://forum.proxmox.com/threads/strange-issues-with-proxmox-and-opnsense-on-hetzner-root-server.135609/#post-601879 by alh):
- change ephemeral port range in Hetzner stateless firewall to 1024-65535
- change the settings in OPNsense for the port range on the outbound NAT ("Translation / port")
- change the settings in OPNsense globally by changing System > Settings > Tunables: net.inet.ip.portrange.first
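To make the mismatch measurable before and after applying one of the fixes above, here is an added example check script (not part of the original note or of OPNsense/Hetzner tooling). It compares the ephemeral port range a host uses for outbound connections against the range a stateless upstream firewall accepts for return traffic and reports the share of connections whose replies would be dropped. The demo values at the bottom are the defaults quoted in the note; on an OPNsense box the real values come from `sysctl -n net.inet.ip.portrange.first` and `net.inet.ip.portrange.last`, as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original note): estimate how many of a host's
# ephemeral source ports fall outside the port range a stateless upstream
# firewall accepts for return traffic. The firewall range is an assumption
# taken from the note (32768-65535); adjust it to your own rule set.

# blocked_percent FIRST LAST FW_LOW FW_HIGH
# Prints the integer percentage of the inclusive range [FIRST..LAST]
# that lies outside the inclusive range [FW_LOW..FW_HIGH].
blocked_percent() {
    first=$1; last=$2; fw_low=$3; fw_high=$4
    total=$((last - first + 1))

    # Overlap of the two inclusive ranges: max of the lows, min of the highs.
    if [ "$first" -gt "$fw_low" ]; then lo=$first; else lo=$fw_low; fi
    if [ "$last" -lt "$fw_high" ]; then hi=$last; else hi=$fw_high; fi

    if [ "$hi" -lt "$lo" ]; then
        allowed=0                      # ranges do not overlap at all
    else
        allowed=$((hi - lo + 1))
    fi
    blocked=$((total - allowed))
    echo $((blocked * 100 / total))
}

# check_portrange FIRST LAST FW_LOW FW_HIGH
# Returns 0 when every ephemeral port is accepted by the firewall, 1 otherwise,
# and prints a one-line verdict either way.
check_portrange() {
    pct=$(blocked_percent "$@")
    if [ "$pct" -eq 0 ]; then
        echo "OK: ephemeral ports $1-$2 are inside firewall range $3-$4"
        return 0
    fi
    echo "MISMATCH: ~${pct}% of outbound connections (source ports $1-$2)" \
         "will have return traffic dropped by firewall range $3-$4"
    return 1
}

# Demo with the defaults from the note. On OPNsense itself you would run:
#   check_portrange "$(sysctl -n net.inet.ip.portrange.first)" \
#                   "$(sysctl -n net.inet.ip.portrange.last)" 32768 65535
check_portrange 1024 65535 32768 65535 || true   # expected: MISMATCH, ~49%
check_portrange 1024 65535 1024 65535            # expected: OK (after widening the firewall rule)
check_portrange 32768 65535 32768 65535          # expected: OK (after raising portrange.first)
```

The first demo line reproduces the note's ~50% failure rate (31744 of 64512 source ports are outside the accepted range); the other two correspond to the two fixes, widening the Hetzner rule or raising `net.inet.ip.portrange.first` on OPNsense, and both report no blocked ports.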