Messages - ToasterPC

#1
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 30, 2026, 07:00:25 AM
Quote from: meyergru on January 29, 2026, 09:54:46 AM
What is the question?

If that MTU works for you, you could probably distribute it network-wide with DHCP option 26 and there is also an RA option to send it, but as I said, IDK if those work for most clients.

Hmm, I'm not sure if this is the right way to frame it, but I'm wondering what's the proper way to describe the issue.

cURL will still fail even if the NIC's MTU is set to the proper value, and the only way to get ping to connect reliably is by setting the ICMP packet size in every run of it.

It looks like the problem resides in how the MTU is being handled when going from the LAN interface to the WAN, as even a device being physically the same as the VM (testing from the Proxmox host, that is) will suffer from the same problems that every downstream device has regardless of medium (be it WiFi, Ethernet, a VPN, or a combination of all of them).

From where I'm standing, I'm using two identical installations of the same software and hardware on every part of the chain, yet the issues are only reflected on one of them. I'd like to consider this a reproducible problem that might be a bug, but as you've mentioned, my connection to the outside world through my ISP is hard to come by for better or for worse.

I'd like to find a way to both figure out how and why this problem is happening in the first place and help debug it in the event the problem is something reproducible.

The first thing I'm imagining as a potential first step is running packet captures simultaneously at every point in the chain, though as I'm not certain what to look for, I'm wondering if doing so could make more noise instead of actually being useful.

TL;DR: I think the problem is more complex than just setting the proper MTU value, and I'd like to know how to properly present my case for a bug report to be able to look into it.
#2
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 29, 2026, 03:07:44 AM
Bump
#3
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 26, 2026, 09:42:11 PM
Quote from: meyergru on January 24, 2026, 10:22:34 PM
If reducing the MTU size on your Windows client does not fix the problem, then maybe the MTU size is not the problem after all?
Honestly that's quite likely, though I'm still unsure on how to test for such a scenario.

Quote from: meyergru on January 24, 2026, 10:22:34 PM
Did you try the ping to your OpnSense instance itself, too?
Yes, and it seems getting to the firewall itself has no issues with employing packets way above the interface MTU:
Pinging 10.10.1.1 with 10000 bytes of data:
Reply from 10.10.1.1: bytes=10000 time=2ms TTL=64
Reply from 10.10.1.1: bytes=10000 time=32ms TTL=64
Reply from 10.10.1.1: bytes=10000 time=14ms TTL=64
Reply from 10.10.1.1: bytes=10000 time=2ms TTL=64
Reply from 10.10.1.1: bytes=10000 time=2ms TTL=64
Ping statistics for 10.10.1.1:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 32ms, Average = 10ms


Quote from: meyergru on January 24, 2026, 10:22:34 PM
For modern Windows versions, I think they automagically set the MTU size - IDK how they do that exactly, however. I do not have the problem, as both my WAN and LAN MTUs are 1500 bytes.
Tbh neither do I, but I do know how to set it manually if it's ever needed (thanks to this GitHub Gist):

From an Administrative Command Prompt/PowerShell session, use the following command to list the system's available interfaces and their current MTU values:
netsh interface ipv4 show subinterfaces
Which in my case outputs the following:
       MTU  MediaSenseState      Bytes In     Bytes Out  Interface
----------  ---------------  ------------  ------------  -------------
4294967295                1             0        169774  Loopback Pseudo-Interface 1
      1500                5             0             0  Onboard GbE
      1464                1    1872595478      40841253  WiFi
      1500                5             0             0  Local Area Connection* 1
      1500                5             0             0  USB 2.5GbE
      1280                1             0         17580  Tailscale
      1500                5             0             0  Local Area Connection* 2
     65535                5             0             0  Local Area Connection
      1500                1             0        120046  vEthernet (Default Switch)
      1500                1        189514        974851  vEthernet (WSL (Hyper-V firewall))
      1500                1          1968        151879  VMware Network Adapter VMnet1
      1500                1          1968        150820  VMware Network Adapter VMnet8
      1500                5             0             0  Bluetooth Network Connection

As such, after identifying the interface needing the change, the MTU can be set by using this other command:
netsh interface ipv4 set subinterface "WiFi" mtu=1464
If everything went as expected, the output will be:
Ok.
#4
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 24, 2026, 09:27:36 PM
Quote from: meyergru on January 24, 2026, 05:21:26 PM
I would probably first try to make sure that the problematic downstream devices also use an MTU of 1492 bytes.
Okay, sounds reasonable.

At the moment, I haven't tried setting DHCP option 26, but trying to ping while explicitly setting the ping from the VirtIO bridge is successful until an MTU of 1464:

ping -c 10 -M do -s 1464 kindleforpc.s3.us-east-1.amazonaws.com
PING kindleforpc.s3.us-east-1.amazonaws.com (52.217.120.18) 1464(1492) bytes of data.
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=1 ttl=246 time=78.8 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=2 ttl=246 time=79.1 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=3 ttl=246 time=78.1 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=4 ttl=246 time=79.4 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=5 ttl=246 time=80.3 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=6 ttl=246 time=79.7 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=7 ttl=246 time=79.7 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=8 ttl=246 time=78.0 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=9 ttl=246 time=78.0 ms
1472 bytes from s3-us-east-1-r-w.amazonaws.com (52.217.120.18): icmp_seq=10 ttl=246 time=78.2 ms

--- kindleforpc.s3.us-east-1.amazonaws.com ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9002ms
rtt min/avg/max/mdev = 77.965/78.920/80.294/0.787 ms

Attempting to do the same from a Windows client yields the following results:
ping -n 10 -l 1464 8.8.8.8

Pinging 8.8.8.8 with 1464 bytes of data:
Reply from 8.8.8.8: bytes=1464 time=11ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=9ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=9ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=8ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=8ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=9ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=8ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=8ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=12ms TTL=119
Reply from 8.8.8.8: bytes=1464 time=9ms TTL=119

Ping statistics for 8.8.8.8:
    Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 12ms, Average = 9ms

Though neither of them is receiving any instructions to set the MTU to anything in particular, and trying to set the NIC in Windows to any of the aforementioned values doesn't make a difference.

Assuming then that the problem is in communicating the proper MTU to every device, what would be the proper place to set this network-wide (e.g. in OPNsense, for example)?
#5
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 24, 2026, 05:16:59 PM
Quote from: meyergru on January 24, 2026, 09:26:09 AM
I cannot test this, because I neither have the OpnSense VM on PVE nor an MTU of 1492, sorry.
Don't worry.
So far, you've helped me narrow down the issue a lot, so thanks for everything either way.
However, I'm not sure if this problem has gotten to a point where perhaps a bug report or a different thread would be more appropriate.

MTU, MSS and PMTU do seem to be working correctly now, it's just the downstream devices that seem to still need something to get in line, and I'm honestly not sure where to begin looking for alternate solutions.

Assuming that either of those other options were viable, where would you begin and which one would you pick?
#6
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 24, 2026, 02:43:36 AM
Bump
#7
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 21, 2026, 03:47:07 PM
Quote from: meyergru on January 21, 2026, 09:06:16 AM
Not quite. Obviously, you can currently use an MTU of 1492 bytes only according to your tests. That I read from your previous posts and it holds true unless you succeed in applying the method explained here to enlarge that WAN MTU to 1500 bytes. In order to do that on a Proxmox VM, the whole chain ISP -> physical NIC -> Proxmox bridge -> OS NIC -> OS VLAN -> OS PPPoE WAN Interface must be configured right and capable of supporting 1500 bytes MTU on the WAN interface.

Without that, at least on the WAN side, you obviously need a 1492 bytes MTU, probably because of PPPoE involved in your WAN setup.

From there, you have two options:

1. Use a LAN MTU of 1500 bytes and employ MSS clamping (Firewall: Settings: Normalization) to adapt the mismatch of WAN vs. LAN MTU.
2. (Better) Use a LAN MTU of 1492 bytes, too.

Okay, so considering that I'm indeed not able to go past an MTU of 1492 on the WAN, I should set every underlying bridge and interface in Proxmox to the default value of 1500, and then within OPNsense set both the LAN and WAN values to 1492, so that there's no need for normalization to be involved.

Assuming that's the case, the TLS handshake in cURL still fails for downstream devices (even for the Debian CLI of the Proxmox host itself):
curl -vv "https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/unifi-os-server.sh"
08:40:10.365721 [0-0] * Host raw.githubusercontent.com:443 was resolved.
08:40:10.365823 [0-0] * IPv6: 2606:50c0:8002::154, 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8001::154
08:40:10.365842 [0-0] * IPv4: 185.199.109.133, 185.199.111.133, 185.199.110.133, 185.199.108.133
08:40:10.365868 [0-0] * [HTTPS-CONNECT] adding wanted h2
08:40:10.365884 [0-0] * [HTTPS-CONNECT] added
08:40:10.365902 [0-0] * [HTTPS-CONNECT] connect, init
08:40:10.365940 [0-0] *   Trying [2606:50c0:8002::154]:443...
08:40:10.366006 [0-0] * Immediate connect fail for 2606:50c0:8002::154: Network is unreachable
08:40:10.366026 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.366042 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.366056 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0 socks
08:40:10.366082 [0-0] *   Trying [2606:50c0:8003::154]:443...
08:40:10.366109 [0-0] * Immediate connect fail for 2606:50c0:8003::154: Network is unreachable
08:40:10.366134 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.366156 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.366179 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0 socks
08:40:10.366203 [0-0] *   Trying [2606:50c0:8000::154]:443...
08:40:10.366229 [0-0] * Immediate connect fail for 2606:50c0:8000::154: Network is unreachable
08:40:10.366251 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.366274 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.366294 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0 socks
08:40:10.366320 [0-0] *   Trying [2606:50c0:8001::154]:443...
08:40:10.366345 [0-0] * Immediate connect fail for 2606:50c0:8001::154: Network is unreachable
08:40:10.366372 [0-0] *   Trying 185.199.109.133:443...
08:40:10.366412 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.366429 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.366451 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:10.367839 [0-0] * ALPN: curl offers h2,http/1.1
08:40:10.368293 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
08:40:10.373316 [0-0] *  CAfile: /etc/ssl/certs/ca-certificates.crt
08:40:10.373335 [0-0] *  CApath: /etc/ssl/certs
08:40:10.373401 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.373418 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.373439 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:10.426522 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.426532 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.426543 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:10.566743 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:10.566760 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:10.566778 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:11.567835 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:11.567871 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:11.567886 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:12.569072 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:12.569102 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:12.569111 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:13.570290 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:13.570320 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:13.570330 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:40:14.571508 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:40:14.571540 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:40:14.571549 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks

Attempting to do the same TLS handshake under these conditions does succeed for the OPNsense VM:
sudo curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
08:41:04.788684 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
08:41:04.788742 [0-0] * IPv6: (none)
08:41:04.788748 [0-0] * IPv4: 16.15.188.88, 16.15.183.33, 52.216.114.22, 52.216.58.250, 16.15.203.218, 16.15.192.221, 3.5.24.218, 16.15.218.61
08:41:04.788755 [0-0] * [HTTPS-CONNECT] adding wanted h2
08:41:04.788762 [0-0] * [HTTPS-CONNECT] added
08:41:04.788770 [0-0] * [HTTPS-CONNECT] connect, init
08:41:04.788782 [0-0] *   Trying 16.15.188.88:443...
08:41:04.788818 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:41:04.788824 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:41:04.788832 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
08:41:04.851700 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:41:04.851716 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:41:04.851726 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
08:41:04.873268 [0-0] * ALPN: curl offers h2,http/1.1
08:41:04.873357 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
08:41:04.873384 [0-0] * SSL Trust Anchors:
08:41:04.873392 [0-0] *   CApath: /etc/ssl/certs
08:41:04.873400 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:41:04.873407 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:41:04.873415 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
08:41:04.957856 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
08:41:04.957985 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
08:41:04.957997 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
08:41:04.958649 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:41:04.958659 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
08:41:04.958667 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
08:41:04.959173 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
08:41:04.959236 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
08:41:04.959258 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
08:41:04.959274 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
08:41:04.959305 [0-0] * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
08:41:04.959315 [0-0] * ALPN: server accepted http/1.1
08:41:04.959323 [0-0] * Server certificate:
08:41:04.959334 [0-0] *   subject: CN=s3.amazonaws.com
08:41:04.959343 [0-0] *   start date: Jul 20 00:00:00 2025 GMT
08:41:04.959350 [0-0] *   expire date: Jun 25 23:59:59 2026 GMT
08:41:04.959359 [0-0] *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
08:41:04.959372 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
08:41:04.959382 [0-0] *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
08:41:04.959389 [0-0] *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
08:41:04.959402 [0-0] *   subjectAltName: "kindleforpc.s3.us-east-1.amazonaws.com" matches cert's "*.s3.us-east-1.amazonaws.com"
08:41:04.959413 [0-0] * SSL certificate verified via OpenSSL.
08:41:04.959421 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 170ms, 1st data: 169ms
08:41:04.959428 [0-0] * [SETUP] query ALPN
08:41:04.959434 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
08:41:04.959441 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
08:41:04.959457 [0-0] * Established connection to kindleforpc.s3.us-east-1.amazonaws.com (16.15.188.88 port 443) from 187.224.2.21 port 21719
08:41:04.959464 [0-0] * [HTTPS-CONNECT] query ALPN
08:41:04.959471 [0-0] * using HTTP/1.x
08:41:04.959492 [0-0] > GET /70980/KindleForPC-installer-2.8.70980.exe HTTP/1.1
08:41:04.959492 [0-0] > Host: kindleforpc.s3.us-east-1.amazonaws.com
08:41:04.959492 [0-0] > User-Agent: curl/8.17.0
08:41:04.959492 [0-0] > Accept: */*
08:41:04.959492 [0-0] >
08:41:04.959528 [0-0] * Request completely sent off
08:41:05.078851 [0-0] < HTTP/1.1 200 OK
08:41:05.078863 [0-0] < x-amz-id-2: 3GV71S4y4G9s3w/HS3IFTdUoPJD7o7xfksXIHMhul9CIH1uOJsPnJm3A2mVIra6H6Zu5B38QL3HQ0dCqoIjkAeeO1tivc07n
08:41:05.078869 [0-0] < x-amz-request-id: 5CBHKGN17KSBEABE
08:41:05.078881 [0-0] < Date: Wed, 21 Jan 2026 14:41:06 GMT
08:41:05.078887 [0-0] < Last-Modified: Thu, 21 Aug 2025 10:56:57 GMT
08:41:05.078893 [0-0] < ETag: "2b756dcc3905a9ff3aef6a0a57dd7c09-18"
08:41:05.078898 [0-0] < x-amz-server-side-encryption: AES256
08:41:05.078904 [0-0] < Accept-Ranges: bytes
08:41:05.078910 [0-0] < Content-Type: application/octet-stream
08:41:05.078916 [0-0] < Content-Length: 298242024
08:41:05.078921 [0-0] < Server: AmazonS3
08:41:05.078927 [0-0] <
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your
Warning: terminal anyway, or consider "--output <FILE>" to save to a file.
08:41:05.078952 [0-0] * client returned ERROR on write of 16384 bytes
08:41:05.078962 [0-0] * closing connection #0

If packets are not being modified nor fragmented by now, where else could the issue lie?

P.S. I'm not sure how relevant this could be, but the only reason I'm currently able to post to the forum is that I'm using a WireGuard road-warrior tunnel to the old site, in which regardless of the current site issues, encapsulating traffic through the VPN interface from the client device makes it able to go through and connect to problematic websites.
#8
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 21, 2026, 03:04:02 AM
Quote from: meyergru on January 20, 2026, 09:59:12 PM
In theory, MSS should be set to MTU-40, but OpnSense does some trickery with the input value, so I would not set it at all.
Quote from: Patrick M. Hausen on January 20, 2026, 10:01:43 PM
Set it to the MTU and OPNsense will use MTU - 40 for IPv4 and MTU - 60 for IPv6 which is the reason why you do not put the effective MSS in that field. Because that is different for both protocols.
Okay, so from what I'm gathering, only the MTU should be set in OPNsense itself, and both the Proxmox VirtIO interfaces and their bridges (in WAN and LAN) should stay at the default 1500 MTU value in order to have OPNsense make the corresponding calculations for each protocol.

Do I have the right of it?
#9
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 20, 2026, 09:52:48 PM
Quote from: meyergru on January 20, 2026, 08:41:08 AM
That is because OpnSense itself contacts internet sites via its WAN interface (and the MTU of that). Your LAN devices contact OpnSense with their respective LAN MTU size, which should match. If it does not, there is MSS clamping (if enabled) or else it can go wrong.
Okay, in that case from what I understood, both the bridges and interfaces within Proxmox and OPNsense should have the MTU set to the biggest stable value given by the script (1492 in my case). For the MSS, should it also be set everywhere to 1492? Or perhaps to something lower/higher in order to account for the overhead reductions of each protocol (IPv4 or IPv6)?
#10
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 20, 2026, 03:35:56 AM
Quote from: meyergru on January 19, 2026, 09:58:57 AM
Potentially yes, but depending on working PMTUD, some sites work with the wrong MTU and some do not.
I do agree that there might be a discrepancy between different websites and their implementations, though what strikes me as odd from the Kindle example is that the OPNsense VM was able to even identify who signed the certificate, yet no end device can ever complete the handshake.

Even if I try to remove other possible candidates like the APs or managed switches from the middle or restarting the affected devices to wipe any sort of potential caching, everything points to the problem existing only on the jump between the LAN and the WAN.

As I do realize this problem might be somewhere else though, I wonder if starting a new thread would be appropriate. Also, if need be, I could provide some packet captures through either TCPdump or Wireshark, though I'm not sure what to look for in them in the event that they proved useful.

In any case, please let me know what the best course of action would be to continue troubleshooting, and thanks for all the advice so far!
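As an added example (not part of the original posts, and not OPNsense code): a minimal pcap reader that extracts the two things the MTU/MSS discussion in this thread turns on, namely the MSS advertised in each TCP SYN and any ICMP "fragmentation needed" messages, and compares each MSS against MTU - 40 for IPv4. The sample capture, its 192.0.2.x / 198.51.100.x addresses and all function names are constructed for illustration; it assumes a classic little-endian pcap with Ethernet linktype and IPv4 only.

```python
import struct

ETH_IPV4, TCP_SYN, TCP_ACK = 0x0800, 0x02, 0x10

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_pcap(data):
    """Yield raw frames from a classic little-endian, Ethernet-linktype pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet linktype")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_mss(tcp):
    """Return the MSS option (kind 2) from a TCP header, or None if absent."""
    hdr_len = (tcp[12] >> 4) * 4
    i = 20
    while i < hdr_len and i < len(tcp):
        kind = tcp[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(tcp) or tcp[i + 1] < 2:
            break                          # truncated or malformed option
        if kind == 2 and tcp[i + 1] == 4 and i + 4 <= len(tcp):
            return struct.unpack_from("!H", tcp, i + 2)[0]
        i += tcp[i + 1]
    return None

def analyze(pcap_bytes, path_mtu=1492):
    """Collect SYN MSS values and ICMP type 3 / code 4 messages (IPv4 only)."""
    max_mss = path_mtu - 40                # 20-byte IPv4 + 20-byte TCP header
    syns, frag_needed = [], []
    for frame in parse_pcap(pcap_bytes):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                       # VLAN/PPPoE/IPv6 frames are not decoded
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, src, dst = ip[9], ip_str(ip[12:16]), ip_str(ip[16:20])
        l4 = ip[ihl:]
        if proto == 6 and len(l4) >= 20 and l4[13] & TCP_SYN:
            mss = tcp_mss(l4)
            syns.append({"src": src, "dst": dst, "mss": mss,
                         "too_big": mss is not None and mss > max_mss})
        elif proto == 1 and len(l4) >= 8 and l4[0] == 3 and l4[1] == 4:
            mtu = struct.unpack_from("!H", l4, 6)[0]
            frag_needed.append({"from": src, "to": dst, "next_hop_mtu": mtu})
    return {"max_mss": max_mss, "syns": syns, "frag_needed": frag_needed}

# ---- constructed sample capture (checksums left at zero, not validated) ----

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def _syn(sport, dport, flags, mss):
    # data offset 6 words: 20-byte header plus the 4-byte MSS option
    return (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 6 << 4, flags, 65535, 0, 0)
            + struct.pack("!BBH", 2, 4, mss))

def _frag_needed(mtu, original_ip):
    # ICMP type 3 code 4 quotes the offending IP header plus 8 payload bytes
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original_ip[:28]

def build_sample_pcap():
    """Unclamped SYN, clamped SYN, SYN-ACK and one ICMP frag-needed message."""
    client, server, router = (192, 0, 2, 50), (198, 51, 100, 10), (192, 0, 2, 1)
    oversized = _ipv4(6, client, server, bytes(1480))   # a 1500-byte datagram
    packets = [
        _ipv4(6, client, server, _syn(40000, 443, TCP_SYN, 1460)),
        _ipv4(6, client, server, _syn(40001, 443, TCP_SYN, 1452)),
        _ipv4(6, server, client, _syn(443, 40001, TCP_SYN | TCP_ACK, 1460)),
        _ipv4(1, router, client, _frag_needed(1492, oversized)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        frame = struct.pack("!6s6sH", b"\x02" * 6, b"\x02\x00\x00\x00\x00\x01",
                            ETH_IPV4) + pkt
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    report = analyze(build_sample_pcap())
    print("largest IPv4 MSS that fits the path MTU:", report["max_mss"])
    for entry in report["syns"] + report["frag_needed"]:
        print(entry)
```

For a real capture, pass the file contents (`open(path, "rb").read()`) to `analyze()`; a SYN flagged `too_big` on the WAN side means the MSS was not reduced to fit the 1492-byte path.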
#11
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 19, 2026, 04:42:20 AM
Quote from: meyergru on January 18, 2026, 09:05:18 PM
Yes, that is expected if anywhere between you and 8.8.8.8 there is a limitation of 1492 bytes (probably imposed by your ISP). That also means your settings of 1512 do not work and you cannot use 1500 bytes MTU on either OpnSense WAN or LAN, you should set them to 1492 and be content with it.

Hmm, I understand.
Still, I find it a bit odd that under these conditions the older site was able to work at all, but, in any case, setting every interface and bridge involved to an MTU of 1492 in both Proxmox and OPNsense, followed by rebooting the VM didn't seem to fix the problem for downstream devices.

As an example, this is the cURL output of trying to acquire the Kindle for PC installer from a computer in the LAN:

curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
21:31:28.941631 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
21:31:28.941779 [0-0] * IPv6: (none)
21:31:28.941820 [0-0] * IPv4: 52.217.141.234, 52.217.162.210, 52.216.240.80, 3.5.11.193, 16.182.43.34, 54.231.235.34, 3.5.13.160, 52.217.200.218
21:31:28.941847 [0-0] * [HTTPS-CONNECT] adding wanted h2
21:31:28.941867 [0-0] * [HTTPS-CONNECT] added
21:31:28.941899 [0-0] * [HTTPS-CONNECT] connect, init
21:31:28.941943 [0-0] *   Trying 52.217.141.234:443...
21:31:28.942040 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.942057 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.942082 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:28.943317 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.943344 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.943363 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:28.946057 [0-0] * ALPN: curl offers h2,http/1.1
21:31:28.946644 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:31:28.946766 [0-0] * SSL Trust Anchors:
21:31:28.959938 [0-0] *   OpenSSL default paths (fallback)
21:31:28.960042 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.960083 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.960151 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:29.143547 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:29.143616 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:29.143661 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:30.144799 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:30.144852 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:30.144889 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:31.146133 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:31.146192 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:31.146225 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:32.147358 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:32.147471 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:32.147504 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:33.148706 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:33.148781 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:33.148818 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:34.149975 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:34.150035 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:34.150049 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:35.151166 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:35.151221 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:35.151251 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:36.152396 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:36.152456 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:36.152487 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:37.153634 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:37.153694 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:37.153708 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:38.154837 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:38.154894 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:38.154930 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:39.156122 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:39.156183 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:39.156215 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:40.157384 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:40.157449 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:40.157465 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:41.158668 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:41.158749 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:41.158804 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:42.159978 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:42.160070 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:42.160101 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:43.161245 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:43.161299 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:43.161332 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:44.162493 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:44.162561 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:44.162577 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:45.163758 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:45.163814 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:45.163843 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:46.165018 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:46.165106 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:46.165162 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:47.166352 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:47.166441 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:47.166503 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:48.167713 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:48.167813 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:48.167918 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:49.169152 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:49.169274 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:49.169343 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:50.170555 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:50.170622 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:50.170638 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:51.171800 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:51.171861 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:51.171898 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:52.105875 [0-0] * TLSv1.3 (OUT), TLS alert, decode error (562):
21:31:52.105986 [0-0] * TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
21:31:52.106047 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
21:31:52.106121 [0-0] * [HTTPS-CONNECT] connect -> 35, done=0
21:31:52.106192 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 35, done=0
21:31:52.106209 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(), filter returned 35
21:31:52.106258 [0-0] * closing connection #0
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

If I try the same command from the router itself, the handshake is performed successfully, regardless of the MTU being 1512 or after changing everything to 1492:

sudo curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
21:40:28.981882 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
21:40:28.981933 [0-0] * IPv6: (none)
21:40:28.981939 [0-0] * IPv4: 16.182.36.178, 52.216.37.154, 52.216.88.134, 54.231.163.106, 16.182.67.74, 54.231.132.178, 16.15.201.213, 16.15.191.19
21:40:28.981947 [0-0] * [HTTPS-CONNECT] adding wanted h2
21:40:28.981953 [0-0] * [HTTPS-CONNECT] added
21:40:28.981961 [0-0] * [HTTPS-CONNECT] connect, init
21:40:28.981974 [0-0] *   Trying 16.182.36.178:443...
21:40:28.982013 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:28.982021 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:28.982030 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.042533 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.042548 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.042555 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.063286 [0-0] * ALPN: curl offers h2,http/1.1
21:40:29.063387 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:40:29.063416 [0-0] * SSL Trust Anchors:
21:40:29.063427 [0-0] *   CApath: /etc/ssl/certs
21:40:29.063437 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.063446 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.063455 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.143735 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:40:29.143859 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
21:40:29.143878 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
21:40:29.144539 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.144551 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.144559 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.145112 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
21:40:29.145176 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
21:40:29.145197 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
21:40:29.145220 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:40:29.145254 [0-0] * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
21:40:29.145263 [0-0] * ALPN: server accepted http/1.1
21:40:29.145271 [0-0] * Server certificate:
21:40:29.145282 [0-0] *   subject: CN=s3.amazonaws.com
21:40:29.145290 [0-0] *   start date: Jul 20 00:00:00 2025 GMT
21:40:29.145299 [0-0] *   expire date: Jun 25 23:59:59 2026 GMT
21:40:29.145308 [0-0] *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
21:40:29.145320 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145329 [0-0] *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145337 [0-0] *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145350 [0-0] *   subjectAltName: "kindleforpc.s3.us-east-1.amazonaws.com" matches cert's "*.s3.us-east-1.amazonaws.com"
21:40:29.145359 [0-0] * SSL certificate verified via OpenSSL.
21:40:29.145367 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 163ms, 1st data: 161ms
21:40:29.145374 [0-0] * [SETUP] query ALPN
21:40:29.145381 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
21:40:29.145388 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
21:40:29.145396 [0-0] * Established connection to kindleforpc.s3.us-east-1.amazonaws.com (16.182.36.178 port 443) from 187.213.231.111 port 45196
21:40:29.145405 [0-0] * [HTTPS-CONNECT] query ALPN
21:40:29.145412 [0-0] * using HTTP/1.x
21:40:29.145433 [0-0] > GET /70980/KindleForPC-installer-2.8.70980.exe HTTP/1.1
21:40:29.145433 [0-0] > Host: kindleforpc.s3.us-east-1.amazonaws.com
21:40:29.145433 [0-0] > User-Agent: curl/8.17.0
21:40:29.145433 [0-0] > Accept: */*
21:40:29.145433 [0-0] >
21:40:29.145488 [0-0] * Request completely sent off
21:40:29.258847 [0-0] < HTTP/1.1 200 OK
21:40:29.258863 [0-0] < x-amz-id-2: p8U1WgWd11rwEnrNeb0r044EDI/E84CXm6DkU0TvAfva4EeYK5eWUOf5neCmEiHChEba0rI2rSo=
21:40:29.258870 [0-0] < x-amz-request-id: 8V0MHSM36PK4E00R
21:40:29.258875 [0-0] < Date: Mon, 19 Jan 2026 03:40:30 GMT
21:40:29.258881 [0-0] < Last-Modified: Thu, 21 Aug 2025 10:56:57 GMT
21:40:29.258887 [0-0] < ETag: "2b756dcc3905a9ff3aef6a0a57dd7c09-18"
21:40:29.258892 [0-0] < x-amz-server-side-encryption: AES256
21:40:29.258898 [0-0] < Accept-Ranges: bytes
21:40:29.258904 [0-0] < Content-Type: application/octet-stream
21:40:29.258910 [0-0] < Content-Length: 298242024
21:40:29.258915 [0-0] < Server: AmazonS3
21:40:29.258921 [0-0] <
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
21:40:29.258942 [0-0] * client returned ERROR on write of 16384 bytes
21:40:29.258951 [0-0] * closing connection #0

Is there something else that could be the root of the issue aside from the MTU of the WAN?
#12
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 18, 2026, 08:06:47 PM
Quote from: meyergru on January 18, 2026, 09:06:28 AM
I have never seen any such big MTUs. With 1.1.1.1, I did not get any conclusive results. Try 8.8.8.8.

Sure thing! I'll attach the results below:

Known working site:
sudo ./mtu_freebsd.sh 8.8.8.8
Maximum MTU size: 1492
Current site:
sudo ./mtu_freebsd.sh 8.8.8.8
Maximum MTU size: 1492

The MTU seems like it gave an expected result then, though I'm not sure how or why.
#13
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
January 18, 2026, 12:05:01 AM
Hey, thanks for the help!

Quote from: meyergru on January 17, 2026, 09:33:12 AM
I would first try if the MTU size is the culprit first (it may also be HTTP/2 over UDP). Use the utility from this post: https://forum.opnsense.org/index.php?topic=45658.0 to find if the 1500 byte MTU is valid from your OpnSenses.

After using the mtu_freebsd.sh script on both sites inside their respective OPNsense VMs, the following results came out:

Known working site:
sudo ifconfig
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN (wan)
        options=0
        inet REDACTED --> REDACTED netmask 0xffffffff
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x27
        inet6 fc00:1020:25:28e7::1 prefixlen 64 autoconf pltime 604800 vltime 2592000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
sudo ./mtu_freebsd.sh 1.1.1.1
Maximum MTU size: 45580

Current site:
sudo ifconfig
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN_FTTH (wan)
        options=100000<NETMAP>
        inet REDACTED --> REDACTED netmask 0xffffffff
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x7
        inet6 fc00:1020:27:5359::1 prefixlen 64 autoconf pltime 604800 vltime 2592000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

sudo ./mtu_freebsd.sh 1.1.1.1
Maximum MTU: 25060

As for the points you mentioned in the article, I believe I might be doing things properly.
Quote from: meyergru on January 17, 2026, 09:33:12 AM
P.S.: I skip all of the obvious problems, like Realtek adapters, Proxmox underneath with mini jumbo frames, etc. Most of that is covered in the linked article and this one: https://forum.opnsense.org/index.php?topic=44159.0
In the following screenshot, the WAN bridge interfaces for both sites are shown (left is the current one, and right is the currently working example):

And in this one, the LAN bridge interfaces with the same order:

The VLAN tag is being applied at the Proxmox level, and not within OPNsense itself, yet under these conditions only the older site is able to reliably connect to the Internet. The only other thing that comes to mind as a difference is that the older site needs me to reload the WAN interface in order to be able to complete the PPPoE handshake, while the new one will do so without manual intervention.

I'm uncertain if that could point to a bigger problem, but aside from that the next steps remain clouded for me.

What else should I keep an eye out for?
#14
25.7, 25.10 Series / New site PPPoE PMTU woes
January 17, 2026, 02:36:42 AM
Heya everyone!

So, it seems that this year is the year of PPPoE headaches for me. I'd like to illustrate for a bit in order to know what to do next.

I'm using OPNsense 25.7.11 through Proxmox 9.1.4 at two different sites, both of them operating with a Realtek RTL9601D-based SFP to APC Gigabit fiber module (DFP-34X-2C2) and being connected to an identical SKU of the Minisforum MS-01 (13th gen Core i9 and 32GB of RAM).

Both the LAN and WAN bridges are using the VirtIO driver and a multiqueue equal to the VM's number of cores (20 or 6, with 6 being the intended default but not changed in the older site in order to reduce variables while troubleshooting), with the LAN bridge having an MTU of 1500 and the WAN one having it set to 1512 on the hypervisor side.

Within OPNsense, the LAN and the WAN's MTU are explicitly set to 1500, and that's about where the similarities end (The first site was deployed as it is today around June of last year, and the site that has issues in the middle of December).

However, attempting to make the connection stable in the new site has proven challenging, as for the time being several websites that rely upon TLS 1.3 seem to time out during the handshake when tested from an end device, though not from the firewall itself:

From the OPNsense CLI over SSH:
curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
19:26:35.099305 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
19:26:35.099350 [0-0] * IPv6: (none)
19:26:35.099356 [0-0] * IPv4: 54.231.167.26, 52.217.195.90, 52.217.126.146, 16.182.68.210, 54.231.163.122, 54.231.129.162, 16.15.223.27, 52.217.175.26
19:26:35.099363 [0-0] * [HTTPS-CONNECT] adding wanted h2
19:26:35.099369 [0-0] * [HTTPS-CONNECT] added
19:26:35.099376 [0-0] * [HTTPS-CONNECT] connect, init
19:26:35.099388 [0-0] *   Trying 54.231.167.26:443...
19:26:35.099420 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
19:26:35.099426 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
19:26:35.099433 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
19:26:35.149399 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
19:26:35.149411 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
19:26:35.149418 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
19:26:35.181027 [0-0] * ALPN: curl offers h2,http/1.1
19:26:35.181111 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
19:26:35.181138 [0-0] * SSL Trust Anchors:
19:26:35.181146 [0-0] *   CApath: /etc/ssl/certs
19:26:35.181163 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
19:26:35.181169 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
19:26:35.181177 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
19:26:35.261761 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
19:26:35.261896 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
19:26:35.261905 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
19:26:35.261913 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
19:26:35.261932 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
19:26:35.261948 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
19:26:35.262632 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
19:26:35.262643 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
19:26:35.262651 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
19:26:35.262665 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
19:26:35.262707 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
19:26:35.262729 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
19:26:35.262747 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
19:26:35.262779 [0-0] * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
19:26:35.262788 [0-0] * ALPN: server accepted http/1.1
19:26:35.262796 [0-0] * Server certificate:
19:26:35.262807 [0-0] *   subject: CN=s3.amazonaws.com
19:26:35.262815 [0-0] *   start date: Jul 20 00:00:00 2025 GMT
19:26:35.262822 [0-0] *   expire date: Jun 25 23:59:59 2026 GMT
19:26:35.262830 [0-0] *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
19:26:35.262842 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
19:26:35.262849 [0-0] *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
19:26:35.262856 [0-0] *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
19:26:35.262868 [0-0] *   subjectAltName: "kindleforpc.s3.us-east-1.amazonaws.com" matches cert's "*.s3.us-east-1.amazonaws.com"
19:26:35.262875 [0-0] * SSL certificate verified via OpenSSL.
19:26:35.262883 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 163ms, 1st data: 162ms
19:26:35.262889 [0-0] * [SETUP] query ALPN
19:26:35.262895 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
19:26:35.262902 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
19:26:35.262910 [0-0] * Established connection to kindleforpc.s3.us-east-1.amazonaws.com (54.231.167.26 port 443) from REDACTED port 32147
19:26:35.262917 [0-0] * [HTTPS-CONNECT] query ALPN
19:26:35.262923 [0-0] * using HTTP/1.x
19:26:35.262944 [0-0] > GET /70980/KindleForPC-installer-2.8.70980.exe HTTP/1.1
19:26:35.262944 [0-0] > Host: kindleforpc.s3.us-east-1.amazonaws.com
19:26:35.262944 [0-0] > User-Agent: curl/8.17.0
19:26:35.262944 [0-0] > Accept: */*
19:26:35.262944 [0-0] >
19:26:35.262986 [0-0] * Request completely sent off
19:26:35.370870 [0-0] < HTTP/1.1 200 OK
19:26:35.370883 [0-0] < x-amz-id-2: x7vjvAVKD4GJmkBItssh7dZPYxr2nGKHGcQZdEkdefrqA+4qn1qGxKfffbtz0TrlqlERwAQO+C4=
19:26:35.370890 [0-0] < x-amz-request-id: HBD9SQZDBSGBHD0Z
19:26:35.370896 [0-0] < Date: Sat, 17 Jan 2026 01:26:36 GMT
19:26:35.370902 [0-0] < Last-Modified: Thu, 21 Aug 2025 10:56:57 GMT
19:26:35.370907 [0-0] < ETag: "2b756dcc3905a9ff3aef6a0a57dd7c09-18"
19:26:35.370913 [0-0] < x-amz-server-side-encryption: AES256
19:26:35.370918 [0-0] < Accept-Ranges: bytes
19:26:35.370924 [0-0] < Content-Type: application/octet-stream
19:26:35.370934 [0-0] < Content-Length: 298242024
19:26:35.370940 [0-0] < Server: AmazonS3
19:26:35.370948 [0-0] <
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your
Warning: terminal anyway, or consider "--output <FILE>" to save to a file.
19:26:35.370973 [0-0] * client returned ERROR on write of 16384 bytes
19:26:35.370988 [0-0] * closing connection #0

From an end device (Dell laptop and Realtek NIC on Windows and WSL2):

curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
18:52:27.097487 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
18:52:27.097634 [0-0] * IPv6: (none)
18:52:27.097689 [0-0] * IPv4: 52.217.139.154, 52.217.196.234, 52.217.93.120, 52.216.208.226, 52.217.226.210, 52.217.112.98, 16.15.217.226, 54.231.128.2
18:52:27.097748 [0-0] * [HTTPS-CONNECT] adding wanted h2
18:52:27.097894 [0-0] * [HTTPS-CONNECT] added
18:52:27.098019 [0-0] * [HTTPS-CONNECT] connect, init
18:52:27.098131 [0-0] *   Trying 52.217.139.154:443...
18:52:27.098331 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:27.098636 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:27.098725 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:27.100955 [0-0] * ALPN: curl offers h2,http/1.1
18:52:27.101507 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
18:52:27.101648 [0-0] * SSL Trust Anchors:
18:52:27.118431 [0-0] *   OpenSSL default paths (fallback)
18:52:27.118558 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:27.118661 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:27.118727 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:27.299109 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:27.299170 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:27.299213 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:28.300450 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:28.300538 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:28.300617 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:29.301858 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:29.301947 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:29.302014 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:30.303232 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:30.303327 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:30.303383 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:31.304561 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:31.304648 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:31.304720 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:32.305930 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:32.306021 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:32.306129 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:33.307289 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:33.307364 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:33.307425 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:34.308663 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:34.308752 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:34.308814 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:35.310021 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:35.310105 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:35.310177 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:36.311406 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:36.311510 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:36.311598 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:37.313018 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:37.313118 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:37.313204 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:38.314446 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:38.314535 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:38.314612 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:39.315853 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:39.315948 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:39.316018 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:40.317219 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:40.317305 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:40.317377 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:41.318575 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:41.318675 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:41.318706 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:42.319851 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:42.319933 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:42.320004 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:43.321172 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:43.321260 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:43.321331 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:44.322544 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:44.322631 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:44.322692 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:45.323905 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:45.323995 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:45.324071 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:46.325426 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:46.325520 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:46.325592 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:47.326809 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:47.326893 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:47.326980 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:48.328225 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:48.328315 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:48.328389 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:49.329580 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:52:49.329668 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
18:52:49.329741 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:50.262208 [0-0] * TLSv1.3 (OUT), TLS alert, decode error (562):
18:52:50.262297 [0-0] * TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
18:52:50.262365 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
18:52:50.262431 [0-0] * [HTTPS-CONNECT] connect -> 35, done=0
18:52:50.262510 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 35, done=0
18:52:50.262583 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(), filter returned 35
18:52:50.262667 [0-0] * closing connection #0
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

As for interface configurations, this is the output of both ifconfig on the router and ip a on the laptop:

OPNsense:
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
        ether bc:24:11:71:71:2b
        inet 10.10.1.1 netmask 0xffffe000 broadcast 10.10.31.255
        inet6 fe80::be24:11ff:fe71:712b%vtnet0 prefixlen 64 scopeid 0x1
        inet6 REDACTED prefixlen 64
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
        ether bc:24:11:e3:db:1e
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=0 metric 0 mtu 33152
        options=0
        groups: pflog
pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN_FTTH (wan)
        options=100000<NETMAP>
        inet REDACTED --> REDACTED netmask 0xffffffff
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x7
        inet6 fc00:1020:27:5359::1 prefixlen 64 autoconf pltime 604800 vltime 2592000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
zen0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=4080000<LINKSTATE,MEXTPG>
        groups: tun zenvpngroup
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=4080000<LINKSTATE,MEXTPG>
        inet REDACTED netmask 0xffffffff broadcast REDACTED
        inet6 REDACTED prefixlen 48
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 66361

Laptop:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.255.255.254/32 brd 10.255.255.254 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:c6:10:61:e4:70 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 66:28:03:c8:ef:bd brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
    inet6 ::10.255.255.254/96 scope host
       valid_lft forever preferred_lft forever
    inet6 ::127.0.0.1/96 scope host
       valid_lft forever preferred_lft forever
6: loopback0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:bc:b8:0e brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
8: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:15:5d:ef:f4:21 brd ff:ff:ff:ff:ff:ff
9: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 60:18:95:4b:d1:eb brd ff:ff:ff:ff:ff:ff
10: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
11: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:18:d5:39 brd ff:ff:ff:ff:ff:ff
    inet 169.254.254.112/16 brd 169.254.255.255 scope link noprefixroute eth4
       valid_lft forever preferred_lft forever
    inet6 fe80::a8c1:ef8b:51d7:e7cb/64 scope link nodad noprefixroute
       valid_lft forever preferred_lft forever
24: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:b6:d0:3c:20:58 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.10/19 brd 10.10.31.255 scope global noprefixroute eth5
       valid_lft forever preferred_lft forever
    inet6 fd7a:cff:96ed:f11e:3d48:3842:3a2a:dd6b/128 scope global nodad noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fd7a:cff:96ed:f11e:466a:8418:ee8f:7aaa/64 scope global nodad deprecated noprefixroute
       valid_lft forever preferred_lft 0sec
    inet6 fe80::ac9c:f777:9253:c052/64 scope link nodad noprefixroute
       valid_lft forever preferred_lft forever
40: eth6: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 5a:ee:39:8d:cf:14 brd ff:ff:ff:ff:ff:ff
41: eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:cd:ac:fb brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.3/32 brd 10.20.1.3 scope global noprefixroute eth7
       valid_lft forever preferred_lft forever
    inet6 c0de:f00b:47aa:aaaa:201::3/128 scope global nodad noprefixroute
       valid_lft forever preferred_lft forever


Given that both network topologies are identical down to Layer 3, and that reinstalling the OS made no difference, I'm starting to think I'm at the end of my rope in regard to where to look next. Is there something else I could try to narrow down the root cause?


Thanks in advance!
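Added example, not part of the original post: a Python script that reduces a `curl -vv` trace like the two above to what a bug report needs, namely which TLS handshake records were seen in each direction and how long the connection sat idle before the alert. The function name `summarize` and the abridged trace excerpts are this example's own.

```python
import re
from datetime import datetime, timedelta

# A curl -vv line that reports a TLS record, for example:
# 18:52:27.101507 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLS_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d{6}) \[\d+-\d+\] \* TLSv[\d.]+ "
    r"\((IN|OUT)\), TLS ([^,]+), (.+?) \((\d+)\):"
)
ERR_RE = re.compile(r"^curl: \((\d+)\) (.+)$")

# Abridged excerpts of the two traces in the post (firewall, then end device).
FIREWALL_TRACE = """
19:26:35.181111 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
19:26:35.261761 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
19:26:35.261932 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
19:26:35.261948 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
19:26:35.262665 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
19:26:35.262707 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
19:26:35.262729 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
19:26:35.262747 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
"""
CLIENT_TRACE = """
18:52:27.101507 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
18:52:27.118727 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:49.329741 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
18:52:50.262208 [0-0] * TLSv1.3 (OUT), TLS alert, decode error (562):
18:52:50.262297 [0-0] * TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
"""


def summarize(trace):
    """Reduce a curl -vv trace to handshake progress and idle time."""
    records, error = [], None
    for line in trace.splitlines():
        line = line.strip()
        m = TLS_RE.match(line)
        if m:
            stamp, direction, kind, name, _code = m.groups()
            when = datetime.strptime(stamp, "%H:%M:%S.%f")
            records.append((when, direction, kind, name))
            continue
        e = ERR_RE.match(line)
        if e:
            error = (int(e.group(1)), e.group(2))

    handshake = [r for r in records if r[2] == "handshake"]
    alerts = [r for r in records if r[2] == "alert"]
    # The handshake is complete once both sides have sent Finished.
    finished = {r[1] for r in handshake if r[3] == "Finished"}
    complete = finished == {"IN", "OUT"}

    stall = None
    if not complete and handshake and alerts:
        # Time between the last handshake record and the first alert.
        gap = alerts[0][0] - handshake[-1][0]
        if gap < timedelta(0):  # timestamps carry no date: trace crossed midnight
            gap += timedelta(days=1)
        stall = gap.total_seconds()

    last = (handshake[-1][1], handshake[-1][3]) if handshake else None
    return {
        "complete": complete,
        "last_record": last,  # (direction, record name)
        "inbound": [r[3] for r in handshake if r[1] == "IN"],
        "stall_seconds": stall,
        "curl_error": error,
    }


if __name__ == "__main__":
    for label, trace in (("firewall", FIREWALL_TRACE), ("end device", CLIENT_TRACE)):
        print(label, summarize(trace))
```

On the end-device excerpt it reports Client hello as the last handshake record, no inbound records, and about 23 seconds of idle time before the alert; on the firewall excerpt it reports a complete handshake.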
#15
Bump