Messages - Deltorek112

#1
25.7 Series / Re: PPPOE MSS clamping problem
August 07, 2025, 09:42:19 AM
So, I reinstalled 25.1.12 and restored settings (from before the upgrade). And it works fine, no need to set anything.
So I would say something changed from this version to 25.7 and it broke MSS clamping or something associated with that.
#2
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 09:43:47 PM
For IPv6 I don't have it, my ISP does not support it, and I blocked it in config.
As for script for 8.8.8.8:
./mtuScript.sh 8.8.8.8
Maximum MTU size: 1474
#3
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 08:25:25 PM
Script output:
./mtuScript.sh poczta.wp.pl
./mtuScript.sh: line 1: $: command not found
Maximum MTU size: 1474

./mtuScript.sh mail.google.com
./mtuScript.sh: line 1: $: command not found
Maximum MTU size: 1228

Ifconfig:
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1512
        description: WAN_ONT (opt4)
        options=4e427bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 02:76:c6:01:35:0b
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan0.35: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
        ether 02:76:c6:01:35:0b
        groups: vlan
        vlan: 35 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (opt6)
        options=0
        inet 100.74.2.8 --> 213.158.195.232 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
#4
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 08:00:20 PM
I set it up exactly like in your screenshots, restarted the router, and I still get the broken behavior of a forever-loading page for at least these sites:
poczta.wp.pl
mail.google.com
#5
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 07:10:46 PM
Yes, first I used values you have provided, it did not work
then I executed the script to calculate MTU and it gave me 1492
I used it to calculate the MTU of other ones
PPPoE0 MTU 1492
VLAN0.35 MTU 1500
IGC0 MTU 1504

Is this wrong with the script output?
If yes, could you tell me what values I should use? And where to set them?
#6
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 07:01:32 PM
I have set it up as in screenshots right now
#7
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 10:02:24 AM
So I set MTU to:
pppoe0      1500
vlan0.35   1508
igc0      1512

Restarted router (pc with opnsense)

Ran the script and got MTU of 1492
And set MTU to this:
pppoe0      1492
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN (opt6)
        options=0
        inet 100.73.222.158 --> 213.158.195.232 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan0.35   1500
vlan0.35: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN_VLAN (opt8)
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
        ether 02:76:c6:01:35:0b
        groups: vlan
        vlan: 35 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

igc0      1504
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1504
        description: WAN_INTERFACE (opt7)
        options=4e427bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 02:76:c6:01:35:0b
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Another restart of router + windows PC

And with MTU on PC being set to 9000 I still have problems with some https sites
They go away if it is set to 1400

Does anyone know if the command "opnsense-revert -kr 25.1.12" can be used to revert to the working version?
Or do I have to reinstall and restore?
#8
25.7 Series / Re: PPPOE MSS clamping problem
August 06, 2025, 08:32:36 AM
So I followed your instructions and got 1476 using the mentioned script
And set the MTU to these values
pppoe0      1476
vlan0.35    1484
igc0        1486
But it is still not loading some https sites

Can I use "opnsense-revert -kr 25.1.12" to revert to the last known working version from 25.7.1?
#9
25.7 Series / Re: PPPOE MSS clamping problem
August 05, 2025, 06:27:34 PM
Do you also have to use a VLAN for the PPPoE connection?
Also could you share your setup for PPPoE and WAN?
I tried to do the same and the issue still persists on Windows.
#10
25.7 Series / Re: PPPOE MSS clamping problem
August 02, 2025, 11:39:35 AM
I found a hint
ping poczta.wp.pl -M want -s 1500
PING poczta.wp.pl (193.17.41.249) 1500(1528) bytes of data.
From router.ulanow.local.ulanow.local (192.168.1.1) icmp_seq=1 Frag needed and DF set (mtu = 1484)
MTU on wan is set to 1492 and no MSS
And with MSS set to 1452 I'm able to do this:
ping poczta.wp.pl -M want -s 1456
PING poczta.wp.pl (193.17.41.249) 1456(1484) bytes of data.
1464 bytes from rev-249.go2.pl (193.17.41.249): icmp_seq=1 ttl=60 time=5.78 ms
1464 bytes from rev-249.go2.pl (193.17.41.249): icmp_seq=2 ttl=60 time=5.17 ms
1464 bytes from rev-249.go2.pl (193.17.41.249): icmp_seq=3 ttl=60 time=5.39 ms
^C
--- poczta.wp.pl ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.166/5.445/5.779/0.253 ms
But with MTU 1484 and MSS 1444 I get no response for size 1452 but get fragmentation response for 1456:
ping poczta.wp.pl -M want -s 1456
PING poczta.wp.pl (193.17.41.249) 1456(1484) bytes of data.
From router.ulanow.local.ulanow.local (192.168.1.1) icmp_seq=1 Frag needed and DF set (mtu = 1476)
^C
--- poczta.wp.pl ping statistics ---
4 packets transmitted, 0 received, +1 errors, 100% packet loss, time 3067ms
root@proxmox:~# ping poczta.wp.pl -M want -s 1452
PING poczta.wp.pl (193.17.41.249) 1452(1480) bytes of data.
^C
--- poczta.wp.pl ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8231ms
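
Added example, not part of the forum posts and not OPNsense code: a small parser for Linux `ping` output of the kind shown above. It separates runs that got replies, runs answered by an ICMP "Frag needed" error, and runs lost without any error, and it derives the ICMP payload and TCP MSS that fit a given IPv4 MTU. The sample text, host names and addresses are constructed placeholders, and plain IPv4 and TCP headers without options are assumed.

```python
import re

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # assumed: IPv4 and TCP headers without options

# Constructed sample in iputils-ping format (hosts and addresses are placeholders).
SAMPLE = """\
PING example.net (192.0.2.10) 1456(1484) bytes of data.
From gw.example (192.0.2.1) icmp_seq=1 Frag needed and DF set (mtu = 1476)
--- example.net ping statistics ---
4 packets transmitted, 0 received, +1 errors, 100% packet loss, time 3067ms
PING example.net (192.0.2.10) 1452(1480) bytes of data.
--- example.net ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8231ms
PING example.net (192.0.2.10) 1448(1476) bytes of data.
1456 bytes from 192.0.2.10: icmp_seq=1 ttl=60 time=5.78 ms
--- example.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
"""

HEADER = re.compile(r"^PING \S+ \(\S+\) (\d+)\((\d+)\) bytes of data\.")
FRAG = re.compile(r"Frag needed and DF set \(mtu = (\d+)\)")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")


def classify_probes(text):
    """Return one dict per ping run: payload, IP length, verdict, reported MTU."""
    probes, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"payload": int(m.group(1)), "ip_len": int(m.group(2)),
                   "verdict": None, "mtu": None}
            probes.append(cur)
        elif cur is None:
            continue  # ignore anything before the first PING header
        elif m := FRAG.search(line):
            cur["mtu"] = int(m.group(1))  # next-hop MTU from the ICMP error
        elif m := STATS.search(line):
            if int(m.group(2)) > 0:
                cur["verdict"] = "ok"
            elif cur["mtu"] is not None:
                cur["verdict"] = "frag_needed"  # loss explained by an ICMP error
            else:
                cur["verdict"] = "silent_loss"  # loss with no ICMP error at all
    return probes


def sizes_for_mtu(mtu):
    """Largest ICMP echo payload and TCP MSS that fit one unfragmented IPv4 packet."""
    return {"ping_payload": mtu - IP_HDR - ICMP_HDR, "tcp_mss": mtu - IP_HDR - TCP_HDR}


if __name__ == "__main__":
    for probe in classify_probes(SAMPLE):
        print(probe, sizes_for_mtu(probe["mtu"]) if probe["mtu"] else "")
```

A "silent_loss" run is the case worth checking firewall ICMP handling for, since path MTU discovery only works when the "Frag needed" error reaches the sender.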
#11
25.7 Series / Re: PPPOE MSS clamping problem
August 02, 2025, 10:32:05 AM
So I spun up an Ubuntu VM on Proxmox to test if a Linux browser would work, and it does (linux.png).
So something broke for Windows 10, or my Windows install broke immediately after the upgrade of OPNsense, in less than 5 minutes after.
#12
25.7 Series / Re: PPPOE MSS clamping problem
August 02, 2025, 09:50:16 AM
After disabling http3/quic nothing changes, Chrome is not able to open Gmail or the other site (poczta.wp.pl), same on Firefox.
As for curl:
curl -vv http://ifconfig.me
09:47:54.658000 [0-0] * Host ifconfig.me:80 was resolved.
09:47:54.661000 [0-0] * IPv6: 2600:1901:0:b2bd::
09:47:54.663000 [0-0] * IPv4: 34.160.111.145
09:47:54.665000 [0-0] * [SETUP] added
09:47:54.667000 [0-0] *   Trying [2600:1901:0:b2bd::]:80...
09:47:54.669000 [0-0] * [SETUP] Curl_conn_connect(block=0) -> 0, done=0
09:47:54.674000 [0-0] * connect to 2600:1901:0:b2bd:: port 80 from :: port 56601 failed: Network unreachable
09:47:54.677000 [0-0] *   Trying 34.160.111.145:80...
09:47:54.679000 [0-0] * [SETUP] Curl_conn_connect(block=0) -> 0, done=0
09:47:54.685000 [0-0] * [SETUP] Curl_conn_connect(block=0) -> 0, done=1
09:47:54.687000 [0-0] * Connected to ifconfig.me (34.160.111.145) port 80
09:47:54.690000 [0-0] * using HTTP/1.x
09:47:54.692000 [0-0] > GET / HTTP/1.1
09:47:54.692000 [0-0] > Host: ifconfig.me
09:47:54.692000 [0-0] > User-Agent: curl/8.13.0
09:47:54.692000 [0-0] > Accept: */*
09:47:54.692000 [0-0] >
09:47:54.701000 [0-0] * Request completely sent off
09:47:54.819000 [0-0] < HTTP/1.1 200 OK
09:47:54.821000 [0-0] < Content-Length: 13
09:47:54.823000 [0-0] < access-control-allow-origin: *
09:47:54.825000 [0-0] < content-type: text/plain
09:47:54.827000 [0-0] < date: Sat, 02 Aug 2025 07:47:54 GMT
09:47:54.829000 [0-0] < via: 1.1 google
09:47:54.831000 [0-0] <
46.205.201.4609:47:54.833000 [0-0] * Connection #0 to host ifconfig.me left intact
And curl to gmail:
curl -vv https://mail.google.com/mail/u/0/
09:47:09.059000 [0-0] * Host mail.google.com:443 was resolved.
09:47:09.061000 [0-0] * IPv6: 2a00:1450:401b:800::2005
09:47:09.064000 [0-0] * IPv4: 216.58.208.197
09:47:09.066000 [0-0] * [HTTPS-CONNECT] adding wanted h2
09:47:09.068000 [0-0] * [HTTPS-CONNECT] added
09:47:09.072000 [0-0] * [HTTPS-CONNECT] connect, init
09:47:09.074000 [0-0] *   Trying [2a00:1450:401b:800::2005]:443...
09:47:09.077000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:47:09.079000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:47:09.082000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:47:09.084000 [0-0] * connect to 2a00:1450:401b:800::2005 port 443 from :: port 56557 failed: Network unreachable
09:47:09.088000 [0-0] *   Trying 216.58.208.197:443...
09:47:09.090000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:47:09.093000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:47:09.095000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:47:09.098000 [0-0] * schannel: disabled automatic use of client certificate
09:47:09.101000 [0-0] * ALPN: curl offers http/1.1
09:47:09.103000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:47:09.106000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:47:09.108000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:47:09.127000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:47:09.130000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:47:09.133000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:47:09.136000 [0-0] * ALPN: server accepted http/1.1
09:47:09.138000 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 63ms, 1st data: 38ms
09:47:09.141000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
09:47:09.143000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
09:47:09.146000 [0-0] * Connected to mail.google.com (216.58.208.197) port 443
09:47:09.150000 [0-0] * using HTTP/1.x
09:47:09.152000 [0-0] > GET /mail/u/0/ HTTP/1.1
09:47:09.152000 [0-0] > Host: mail.google.com
09:47:09.152000 [0-0] > User-Agent: curl/8.13.0
09:47:09.152000 [0-0] > Accept: */*
09:47:09.152000 [0-0] >
09:47:09.161000 [0-0] * Request completely sent off
09:47:09.188000 [0-0] < HTTP/1.1 302 Found
09:47:09.190000 [0-0] < Content-Type: application/binary
09:47:09.192000 [0-0] < Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
09:47:09.195000 [0-0] < Location: https://accounts.google.com/ServiceLogin?service=mail&passive=1209600&osid=1&continue=https://mail.google.com/mail/u/0/&followup=https://mail.google.com/mail/u/0/&emr=1
09:47:09.201000 [0-0] < Strict-Transport-Security: max-age=10886400; includeSubDomains
09:47:09.204000 [0-0] < Cross-Origin-Resource-Policy: same-site
09:47:09.206000 [0-0] < Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
09:47:09.212000 [0-0] < Date: Sat, 02 Aug 2025 07:47:09 GMT
09:47:09.215000 [0-0] < Server: ESF
09:47:09.217000 [0-0] < Content-Length: 0
09:47:09.219000 [0-0] < X-XSS-Protection: 0
09:47:09.221000 [0-0] < X-Frame-Options: SAMEORIGIN
09:47:09.223000 [0-0] < X-Content-Type-Options: nosniff
09:47:09.225000 [0-0] < Alt-Svc: clear
09:47:09.228000 [0-0] <
09:47:09.229000 [0-0] * Connection #0 to host mail.google.com left intact
And to poczta.wp.pl:
curl -vv https://poczta.wp.pl/w/mails
09:48:38.651000 [0-0] * Host poczta.wp.pl:443 was resolved.
09:48:38.656000 [0-0] * IPv6: (none)
09:48:38.658000 [0-0] * IPv4: 193.17.41.249
09:48:38.660000 [0-0] * [HTTPS-CONNECT] adding wanted h2
09:48:38.662000 [0-0] * [HTTPS-CONNECT] added
09:48:38.664000 [0-0] * [HTTPS-CONNECT] connect, init
09:48:38.666000 [0-0] *   Trying 193.17.41.249:443...
09:48:38.669000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:48:38.671000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:48:38.674000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:48:38.676000 [0-0] * schannel: disabled automatic use of client certificate
09:48:38.680000 [0-0] * ALPN: curl offers http/1.1
09:48:38.682000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:48:38.685000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:48:38.688000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:48:38.690000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
09:48:38.693000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
09:48:38.695000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
09:48:38.699000 [0-0] * ALPN: server accepted http/1.1
09:48:38.701000 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 34ms, 1st data: 23ms
09:48:38.704000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
09:48:38.706000 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
09:48:38.709000 [0-0] * Connected to poczta.wp.pl (193.17.41.249) port 443
09:48:38.712000 [0-0] * using HTTP/1.x
09:48:38.713000 [0-0] > GET /w/mails HTTP/1.1
09:48:38.713000 [0-0] > Host: poczta.wp.pl
09:48:38.713000 [0-0] > User-Agent: curl/8.13.0
09:48:38.713000 [0-0] > Accept: */*
09:48:38.713000 [0-0] >
09:48:38.723000 [0-0] < HTTP/1.1 302 Moved Temporarily
09:48:38.725000 [0-0] < Server: nginx
09:48:38.727000 [0-0] < Date: Sat, 02 Aug 2025 07:48:38 GMT
09:48:38.729000 [0-0] < Content-Type: text/html
09:48:38.731000 [0-0] < Content-Length: 138
09:48:38.734000 [0-0] < Connection: keep-alive
09:48:38.736000 [0-0] < Location: https://poczta.wp.pl/login/v1/reload
09:48:38.738000 [0-0] < Cache-Control: no-cache
09:48:38.740000 [0-0] < Accept-CH: device-memory, dpr, width, viewport-width, rtt, downlink, ect, sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-mobile, sec-ch-ua-full-version-list, sec-ch-ua-platform-version, sec-ch-ua-arch, sec-ch-ua-bitness, sec-ch-ua-model
09:48:38.747000 [0-0] < Accept-CH-Lifetime: 604800
09:48:38.751000 [0-0] <
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
09:48:38.753000 [0-0] * Connection #0 to host poczta.wp.pl left intact
#13
25.7 Series / Re: PPPOE MSS clamping problem
August 02, 2025, 07:59:44 AM
Sorry, screenshot was not showing up on phone, set MSS to 1452 and removed MTU and still the same.
Tried ping with size 1466 and it got proper response about it being too big:
ping -f poczta.wp.pl -l 1466
Pinging poczta.wp.pl [193.17.41.249] with 1466 bytes of data:
Packet needs to be fragmented but DF set.

And when I lowered the size to 1464 I got the response:
ping -f poczta.wp.pl -l 1464
Pinging poczta.wp.pl [193.17.41.249] with 1464 bytes of data:
Reply from 193.17.41.249: bytes=1464 time=6ms TTL=60
Reply from 193.17.41.249: bytes=1464 time=5ms TTL=60

All of this was done with MTU empty and MSS set to 1452

But browser is still not able to open Gmail or this site.
Maybe it is a problem with Path MTU Discovery, I ran this command:
netsh interface ipv4 show destinationcache
and got this
PMTU Destination Address                           Next Hop Address
1492 193.17.41.249                                 192.168.1.1               <--poczta.wp.pl
1492 142.250.186.197                               192.168.1.1               <--mail.google.com

But the only change was the upgrade of OPNsense, could the firewall filter out the protocol needed for this?
I have floating rules to allow all ICMP traffic (see screenshot).
Do I need to add any more rules to make it work again?

Also, without lowering MTU on Windows from 9000 to 1400 I could not attach anything to this post; I was getting 408.
#14
25.7 Series / Re: PPPOE MSS clamping problem
August 02, 2025, 04:46:15 AM
Is your config also using PPPoE?
Because it works fine on 5G DHCP connection also for me, but fails on PPPoE
#15
25.7 Series / PPPOE MSS clamping problem
August 01, 2025, 08:05:54 PM
After updating to 25.7.1 I have a problem with accessing https sites.
There were no changes to WAN/PPPOE connection settings, MTU is set to 1492 and MSS to 1456.
Previously it worked fine, now on a Windows 10 machine I have to set JumboFrames to 1400 to load Gmail.

Also I have a backup 5G connection, and when I disable PPPOE it works perfectly fine with MTU of 1500 and MSS 1500 (on the Windows PC JumboFrames are set to 9000).

I tried disabling normalization (Disable scrub interface) and adding a rule in detailed settings with max MTU set to 1456, but it did not work.

As for Path MTU Discovery, all ICMP traffic is enabled on all LAN and WAN interfaces in the firewall.

Please let me know if someone has an idea how to fix that or needs any more details.