OPNsense Forum

Hey everyone. Noob here with networking and opnsense (freebsd too but arch experience). I built a firewall PC because of all the news about hacking of normal routers and part of me was thinking I need more flexibility. First, thank you to the creator of opnsense, I love it. This is my 1st built firewall PC switched from a 2020 dlink router to this.

So far I think everything is configured right. However though I can't load Wiki or Craigslist, all other websites work fine unless TLS is big? was trying to avoid posting, but AI can't help me right with this issue.

QuoteThis is starting to smell like MSS/TCP segmentation

Not MTU itself.

Specifically:

Small packets work
TCP connect works
DNS works
ICMP large packets work
Large TLS ClientHello disappears

That's a classic symptom of:

broken MSS clamping
packet reassembly issue
bad NIC offload interaction
upstream device mishandling segmented TCP

This is a huge clue.

What you pasted is the complete ClientHello being written:

write ... (1555 bytes => 1555)
...
wikipedia.org
...

And then... nothing.

No:

read from ...
ServerHello
Certificate

Nothing comes back.

That means:

Your machine successfully sends a 1555-byte TLS ClientHello, but the response never arrives.

I know as a noob I am missing something maybe someone can point me to right direction because I want to learn how to fix this issue without just direct answer (that's how I learn). Furthermore, I'm learning terms as I go here, my experience is PC building, overclocking but I find networking neat topic to learn!
This TLS issue was always a thing. AI told me to switch to DMZ zone but I quickly found out rogers likes to add DMZ (and other options) NOT in the router webgui but application for mobile (WTF?), after getting email/pass from roommate to login to Xfinity change DMZ to opnsense using the app (anger). TLS didn't change at all :(

Network topology diagram:
Roommates Router (Rogers) -> Reserved IP (opnsense) -> DMZ = Reserved IP opnsense
WAN incoming from router LAN
LAN outgoing to laptop only (arch linux / Win11)

specs:
Xeon W3680, HP FMB-0902 (ATX), KTH-PL313E/4G x4 ECC, Intel 82571EB/GB Dual 1G, PowerColor HD 2600 Pro 512m, SPARKLE ATX-400PN, WD2500BHTZ 10K 250GB, OPNsense

Topology
Internet
    │
Rogers XB6 (Technicolor CGM4140COM)
DMZ → OPNsense WAN (10.0.0.247 via DHCP)
    │
OPNsense
    │
LAN
    │
Single Linux laptop

The Rogers gateway is configured to place my OPNsense WAN IP (10.0.0.247) in the DMZ with reserved IP.

Symptoms
DNS resolution works.
TCP connection establishes successfully.
curl https://wikipedia.org hangs immediately after sending the TLS ClientHello.
openssl s_client also connects but never receives a ServerHello.
The same behavior occurs with multiple sites.

Example:

curl -4 -v https://wikipedia.org

* Host wikipedia.org:443 was resolved.
* Trying 198.35.26.224:443...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

It never progresses beyond that point.

openssl s_client shows:

Connecting to 198.35.26.224
CONNECTED(00000003)

and then waits indefinitely.

Things I've already checked
MTU path tested with ping -M do and large packets succeed.
Disabled IDS/IPS completely.
Disabled hardware offloading.
Cleared firewall states.
WAN MTU override issue was corrected (I had accidentally enabled "Override MTU" on the DHCP client previously).
DNS works correctly.
Packet capture

Packet captures on both the WAN and LAN interfaces while reproducing the problem.

The interesting observation was:

The WAN interface showed the TLS connection attempt.
The LAN interface did not show the expected traffic for that same connection.

I'm not sure whether this indicates I captured on the wrong interface, whether hardware/driver behavior is affecting the capture, or whether it suggests bad configuration