Hi everybody,
for weeks I have had a strange problem.
My setup:
- German Telekom FTTH connection
- OPNsense with always up-to-date version
- IPv4/IPv6 dual stack
This is PPPoE to the fiber modem. DHCPv6 receives a /56 subnet. On the LAN interface it is identity association and RA by Dnsmasq.
My internet connection works completely fine. IPv4 and IPv6. With all my devices in different VLANs etc.
However I have reoccurring problems with servers from Microsoft.
I discovered it because my "apt update" on my Mint system hangs at the servers for VS Code (packages.microsoft.com).
Now, for example, I am not able to open https://code.visualstudio.com/ from any of my devices.
https://microsoft.com/ did not work the whole day. However coming from google, https://www.microsoft.com/de-de just worked.
Also Ping:
mario@mint-vm:~$ ping packages.microsoft.com
PING packages.microsoft.com (2620:1ec:46::45) 56 data bytes
^C
--- packages.microsoft.com ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8182ms
Same with IPv4:
mario@mint-vm:~$ ping -4 packages.microsoft.com
PING packages.microsoft.com (13.107.246.45) 56(84) bytes of data.
^C
--- packages.microsoft.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4082ms
Yesterday I was able to go on https://code.visualstudio.com/
Today nothing loads.
My work laptop is also connected here but uses a proxy from my company. There, no problems at all.
I already disabled my firewalls:
- Zenarmor
- Crowdsec
No effect.
As you see from the ping: DNS resolving works. But the IPs are not reachable.
It is with all devices in my network. Android, Linux, Windows, etc.
When I am using the mobile network it works. So the servers are there, I am just not able to reach them from my home network.
I have no idea where this is coming from. Any advice in which direction to investigate?
Cheers
Mario
With everything you've tried so far and the fact that DNS appears to be resolving correctly, I would be suspicious of some kind of ban on your IP. Does your ISP use dynamic assignment for your IPv4 WAN address? Maybe try to connect via a VPN and see if the problem persists.
Lower your MTU to 1400.
FreeBSD 15 supposedly fixes this
Quote from: sopex8260 on March 19, 2026, 02:50:04 PM
> Lower your MTU to 1400.
> FreeBSD 15 supposedly fixes this
OK. Changed the MTU on the WAN to 1400. Now it works...
Thanks a lot. Can you explain it?
I can:
1. packages.microsoft.com never responds to ping requests:
~# ping packages.microsoft.com
PING packages.microsoft.com (2620:1ec:46::45) 56 data bytes
^C
--- packages.microsoft.com ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10218ms
root@baremetal:~# ping -4 packages.microsoft.com
PING packages.microsoft.com (13.107.246.45) 56(84) bytes of data.
^C
--- packages.microsoft.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5150ms
That does not mean it does not work:
root@baremetal:~# nmap -Pn -p80,443 packages.microsoft.com
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-19 15:08 CET
Nmap scan report for packages.microsoft.com (13.107.213.45)
Host is up (0.0080s latency).
Other addresses for packages.microsoft.com (not scanned): 2620:1ec:bdf::45 2620:1ec:46::45 13.107.246.45
PORT STATE SERVICE
80/tcp open http
443/tcp open https
root@baremetal:~# nmap -Pn -p80,443 -6 packages.microsoft.com
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-19 15:10 CET
Nmap scan report for packages.microsoft.com (2620:1ec:bdf::45)
Host is up (0.014s latency).
Other addresses for packages.microsoft.com (not scanned): 2620:1ec:46::45 13.107.213.45 13.107.246.45
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
2. AFAIK, German Telekom always uses PPPoE "somewhere". In that, your maximum MTU can be limited to 1492 bytes. You did not say if that is a special business connection or what "fiber modem" you use. You can test what MTU is feasible for you - see this, point 9 (https://forum.opnsense.org/index.php?topic=42985.0).
With 1400, the package updating and the website of VS Code work again.
You are right, still no ping. But the problem is solved.
The MTU field was empty, however it stated below: Calculated PPP MTU: 1492, so I thought this is fine for PPPoE.
I have a standard private FTTH connection by the German Telekom.
In between, I found out with curl that the connection to https://code.visualstudio.com/ worked with IPv4, but not with IPv6.
The automatic MTU calculation seems broken currently, also MTU sizes differ between IPv6 and IPv4. However, with IPv6, PMTUD is a mandatory feature, unlike IPv4. Thus, this should always work. If it does not, then likely your IPv6 setup is broken. See this (https://forum.opnsense.org/index.php?topic=45822.0).
Weird... really the only problems are with these VS Code or packages.microsoft.com sites.
IPv6 working with all other sites. Also the IPv6 test sites showing perfect results.
Quote from: gstyle on March 19, 2026, 03:26:53 PM
> With 1400, the package updating and the website of VS Code work again.
> You are right, still no ping. But the problem is solved.
I am curious what the results would have been if you had used tracert/traceroute instead?
Or first nslookup/dig to find out the correct IP addresses used for the domain and then tracert/traceroute to all of those?
Ping never shows the whole story...
I had similar issues with Microsoft and it's the DNSmasq RA MTU that needs to be manually set. If you use radvd instead, the issue goes away. But setting the dnsmasq RA MTU to a workable value also fixes it. As does clamping the WAN MSS value
It stopped working for me again also with the 1400 MTU
Seems I am not the only one:
https://www.reddit.com/r/ipv6/comments/1mp3gl2/certain_microsoft_websites_are_inaccessible_over/
Quote from: Boxer on March 19, 2026, 04:33:24 PM
> I had similar issues with Microsoft and it's the DNSmasq RA MTU that needs to be manually set. If you use radvd instead, the issue goes away. But setting the dnsmasq RA MTU to a workable value also fixes it. As does clamping the WAN MSS value
I set the RA MTU to 1452. Unfortunately this did not have an impact. Still not working.
Try clamping your mss to 1492
Quote from: Boxer on March 19, 2026, 05:15:11 PM
> Try clamping your mss to 1492
Under Firewall - Settings - Normalization?
For the WAN interface?
Interfaces>wan
If it still doesn't work keep lowering your mss value until it does
Quote from: Boxer on March 19, 2026, 05:15:11 PM
> Try clamping your mss to 1492
This now seems to work.... Will test further
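
Added example, not part of the thread or any poster's reply: one way to run the "test what MTU is feasible" step from a Linux client and turn the result into a TCP MSS, by binary-searching the largest echo payload that passes with Don't Fragment set. It assumes iputils `ping`; the function names are made up for this example, and the target must be a host that answers echo requests (packages.microsoft.com does not, as shown earlier in the thread).

```shell
#!/bin/sh
# Added example: find the largest packet a path carries unfragmented,
# then derive the TCP MSS that fits it.
# Assumptions: Linux iputils ping (-M do sets Don't Fragment); all
# function names are hypothetical.

# probe FAMILY HOST PAYLOAD -> exit 0 if an echo reply came back.
# Redefine this function to exercise the search logic offline.
probe() {
    ping "-$1" -M do -c 1 -W 1 -s "$3" "$2" >/dev/null 2>&1
}

# IP header + ICMP echo header: 20+8 for IPv4, 40+8 for IPv6.
icmp_overhead() {
    if [ "$1" = 6 ]; then echo 48; else echo 28; fi
}

# IP header + TCP header without options: 20+20 for IPv4, 40+20 for IPv6.
tcp_overhead() {
    if [ "$1" = 6 ]; then echo 60; else echo 40; fi
}

# path_mtu FAMILY HOST -> prints the largest working MTU up to 1500.
# Returns 1 if even the smallest probe gets no reply; that usually means
# the target drops echo requests, not that the path is broken.
path_mtu() {
    fam=$1 host=$2
    oh=$(icmp_overhead "$fam")
    # Search floor (assumption): 1280 is the IPv6 minimum MTU, 576 for IPv4.
    if [ "$fam" = 6 ]; then lo=$((1280 - oh)); else lo=$((576 - oh)); fi
    hi=$((1500 - oh))
    probe "$fam" "$host" "$lo" || return 1
    # Invariant: payload lo is known to pass, the answer lies in [lo, hi].
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$fam" "$host" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo $((lo + oh))
}

# mss_for_mtu FAMILY MTU -> largest TCP segment that fits in one packet.
mss_for_mtu() {
    echo $(( $2 - $(tcp_overhead "$1") ))
}
```

Run `path_mtu 4 HOST` and `path_mtu 6 HOST` separately, since the two families can end up with different values on the same link, then feed each result to `mss_for_mtu`.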