Text only | Text with Images

OPNsense Forum

English Forums => 25.7 Series => Topic started by: NikJen on September 02, 2025, 05:31:10 PM

Title: Opnsense somehow blocks ipv6 access to microsoft services
Post by: NikJen on September 02, 2025, 05:31:10 PM
I have a weird issue where (as far as I understand) multiple microsoft services (e.g js.monitor.azure.com) over ipv6 are unreachable. After a while my browser falls back to ipv4 and the website loads normal. For browsing this a pretty annoying but manageable. Where the issue really begins is with software that does not fall back on ipv4. They simply refuse to work...

My setup:
- Opnsense 25.7 running the latest patches
- Dual Stack configuration with both static ipv4 and static ipv6 prefix through pppeo and dhcpv6 on WAN interface
- Dual Stack with static ips on LAN
- Unbound DNS with dns over tls to quad9
- My PC gets its IPv6 over RA

Here is what I found out so far:
- Ipv6 works as expected. https://test-ipv6.com results in a perfect 10/10. Other IPv6 capable websites work flawlessly.
- DNS is not the issue. Tried different DNS setups, including configuring DNS on my pc directly and circumventing the Opnsense unbound DNS completely. After that the behavior was still the same.
- The firewall seems to be correctly configured: Live View with a filter on all my source addresses do not result in any blocked requests to microsoft services
- When running a curl command (eg. curl https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js -v) on my pc I wait forever. On the Opnsensebox however it goes through within a blink of an eye

I know this topic is rather strange and debugging remotely like that isn't easy. I would however very much appreciate every little input on how to fix this. I'm kinda desperate.

Thanks in advance
Title: Re: Opnsense somehow blocks ipv6 access to microsoft services
Post by: ProximusAl on September 02, 2025, 05:46:35 PM
I had a similar issue with portal.azure.com

My issue was because I get IPv6 over WireGuard Tunnel and the issue was MTU size.

Reducing the MTU to 1280 made it work.
Title: Re: Opnsense somehow blocks ipv6 access to microsoft services
Post by: Monviech (Cedrik) on September 02, 2025, 05:50:36 PM
If your connection is running PPPoE it is most likely an MSS issue.

I have the same issue with some sites, a good one to try is mail.yahoo.com, which will fail completely.

Some sites do not handle PMTUD correctly (an ICMP feature).

You can test this easily by lowering the MTU of your client OS network driver to e.g. 1400 and if things magically work thats the reason.
Title: Re: Opnsense somehow blocks ipv6 access to microsoft services
Post by: NikJen on September 02, 2025, 06:16:45 PM
Wow thank you very much! Lowering the MTU did the trick!
Title: Re: Opnsense somehow blocks ipv6 access to microsoft services
Post by: meyergru on September 02, 2025, 07:32:41 PM
Or try doing this (https://forum.opnsense.org/index.php?topic=45658.0).
Text only | Text with Images