Recent posts

#81
25.7, 25.10 Series / Re: in dnsmasq dhcp: leases: b...
Last post by knebb - Today at 08:44:29 AM
Ok, re-read the specs and can confirm the above offered "delete the IP on server" appears to be working. Although with a minor inconvenience:

For the server the IP is not assigned while it is still in use by the client.
So what happens when another client requests an IP address?
-client A has IP .12 and its leases got deleted on the server side
-client A still uses this IP as long as half of lease time has not elapsed
-client B starts DHCPDISCOVER to get an IP
-server offers IP .12 to client B as it is marked as available
-client B sends an ARP request to check the IP
-client A sends ARP reply ("this is my IP")
-client B sends DHCPDECLINE to server
-server marks this IP as "invalid" for further usage
-client B starts over with DHCPDISCOVER
-server offers different IP .13 to client B and client B uses this one...
-on the client A when half lease time has elapsed it'll ask for further usage of IP .12
-server declines further usage (as it is marked invalid) with DHCPNAK
-client A starts over with DHCPDISCOVER and will get a different IP .14

So indeed the protocol is fail-safe and you can delete a lease on the server side without any friction in the network.

The minor glitch I mentioned is the fact there is an IP address in use which (for the server) has not been assigned. At least for half of lease time.
And this is not reflected in the server state...

And there is a second problem:
The IP will not be released or renewed before half of the lease time has passed. So when using a static lease for this client it will not use the IP any earlier. And this is the same for both cases where I delete the lease on server side or create a static lease....

So I still do not REALLY see the advantage of such a "delete" functionality.


/KNEBB
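The sequence described in the post above, replayed as an added example (this is not code from the post or from dnsmasq): a toy model of a server lease table and two clients, with constructed addresses and client IDs. It follows the RFC 2131 ordering, where the client ARP-probes the address after DHCPACK and answers a conflict with DHCPDECLINE, and ends in the state the post describes: .12 withheld, B on .13, A NAKed at T1 and moved to .14.

```python
from __future__ import annotations

# Added example, not from the post or from dnsmasq: a small model of a DHCP server's lease
# table and two clients that replays the sequence described above. Addresses (192.0.2.0/24,
# documentation range) and client IDs "A"/"B" are constructed for the example.

FREE, LEASED, DECLINED = "free", "leased", "declined"


class Client:
    def __init__(self, cid: str) -> None:
        self.cid = cid
        self.ip: str | None = None   # address the client is actually using on the wire


class Server:
    """Lease table: ip -> state, plus ip -> client id for active leases."""

    def __init__(self, pool: list[str]) -> None:
        self.state = {ip: FREE for ip in pool}
        self.owner: dict[str, str] = {}
        self.log: list[str] = []

    def delete_lease(self, ip: str) -> None:
        # Administrative deletion: the server forgets the lease, the client is not told.
        self.owner.pop(ip, None)
        self.state[ip] = FREE
        self.log.append(f"admin deleted lease {ip}")

    def offer(self) -> str:
        # DHCPDISCOVER -> DHCPOFFER: first address the server believes is free.
        for ip, st in self.state.items():
            if st == FREE:
                return ip
        raise RuntimeError("pool exhausted")

    def request(self, cid: str, ip: str) -> str:
        # DHCPREQUEST -> DHCPACK if free or already leased to this client, else DHCPNAK.
        if self.state[ip] == FREE or self.owner.get(ip) == cid:
            self.state[ip] = LEASED
            self.owner[ip] = cid
            self.log.append(f"{cid} DHCPREQUEST {ip} -> DHCPACK")
            return "DHCPACK"
        self.log.append(f"{cid} DHCPREQUEST {ip} -> DHCPNAK")
        return "DHCPNAK"

    def decline(self, cid: str, ip: str) -> None:
        # DHCPDECLINE: the address is withheld from further allocation.
        self.owner.pop(ip, None)
        self.state[ip] = DECLINED
        self.log.append(f"{cid} DHCPDECLINE {ip}")


def arp_in_use(ip: str, clients: list[Client], me: Client) -> bool:
    """ARP probe: does any other host answer for ip?"""
    return any(c is not me and c.ip == ip for c in clients)


def obtain(client: Client, server: Server, clients: list[Client]) -> str:
    """DISCOVER/OFFER/REQUEST/ACK, then ARP probe; on conflict DECLINE and start over."""
    while True:
        ip = server.offer()
        if server.request(client.cid, ip) != "DHCPACK":
            continue
        if arp_in_use(ip, clients, client):
            server.decline(client.cid, ip)
            continue
        client.ip = ip
        return ip


def renew(client: Client, server: Server) -> str:
    """At T1 the client asks to keep its address; DHCPNAK forces it back to DISCOVER."""
    assert client.ip is not None
    resp = server.request(client.cid, client.ip)
    if resp == "DHCPNAK":
        client.ip = None
    return resp


def replay() -> dict[str, str | None]:
    """A holds .12, its lease is deleted on the server, B joins, A renews at T1."""
    server = Server(["192.0.2.12", "192.0.2.13", "192.0.2.14"])
    a, b = Client("A"), Client("B")
    clients = [a, b]
    obtain(a, server, clients)          # A gets .12
    server.delete_lease("192.0.2.12")   # operator deletes A's lease; A keeps using .12
    ip_b = obtain(b, server, clients)   # B is offered .12, ARP conflict, DECLINE, then .13
    a_renew = renew(a, server)          # A at T1: server has .12 marked declined -> NAK
    ip_a = obtain(a, server, clients)   # A starts over and gets .14
    return {"B": ip_b, "A_renew": a_renew, "A": ip_a, ".12": server.state["192.0.2.12"]}


if __name__ == "__main__":
    print(replay())
```

Running it prints the final assignments and the server's view of .12; `server.log` holds the message-by-message trace if you want to compare it line by line with the list in the post.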
#82
25.7, 25.10 Series / Re: How can I automatically re...
Last post by tessus - Today at 08:36:11 AM
Unfortunately none of the solutions here worked. The Renew DNS for Wireguard on stale connections cronjob doesn't work in my case, because wg reports the connection as active (not stale) even though the gateway is down. So the action that should be triggered to restart the wg service is not triggered.

My current workaround is rather hacky (hardcoded wg service id), but it works. I will look into the script that is triggered in the previously mentioned cronjob. When I first looked into it I saw that it determined the id automatically.

Without further ado...

Use pluginctl -S wireguard to find the id of the wireguard connection. Make a note of that id.
Check which sockets are in use for your GW monitoring: ls -la /var/run/dpinger_*.sock (Make a note of the one you want to monitor. e.g. /var/run/dpinger_INTERFACE_NAME.sock)

Create a file, e.g. /root/bin/check-wg.sh (permissions 0750) and replace the values for SOCKET and WIREGUARD_ID

#!/bin/sh
# Gateway status socket written by dpinger, and the WireGuard instance to restart.
# Replace both values for your system.
SOCKET=/var/run/dpinger_INTERFACE_NAME.sock
WIREGUARD_ID=ad78e2ad-7ed9-422d-a0b9-ee7ed2795a3

# dpinger answers "NAME latency_avg latency_stddev loss"; drop the name, keep the numbers.
# (FreeBSD cat(1) connects to a UNIX domain socket and reads it until EOF.)
RES=$(cat "$SOCKET" | cut -d ' ' -f2-)
DT=$(date +"%Y-%m-%d %H:%M:%S %z")

# "0 0 100" is no latency sample and 100% loss, i.e. the gateway is down.
# Use the POSIX test: [[ ... ]] is a bash extension and /bin/sh on FreeBSD does not have it.
if [ "$RES" = "0 0 100" ]; then
    echo -n "[$DT] "
    /usr/local/sbin/pluginctl -s wireguard restart "$WIREGUARD_ID"

    # If you don't use or want gotify notifications delete the following lines (except the fi)
    TOKEN="$(jq -r .token ~/.config/gotify/cli.json)"
    URL="$(jq -r .url ~/.config/gotify/cli.json)"
    TITLE="check-wg ($(hostname -s))"
    TEXT="Wireguard restarted"
    curl -m 10 -so /dev/null -X POST "${URL}/message?token=$TOKEN" -F "title=$TITLE" -F "message=$TEXT"
fi

Unfortunately you can't add a cronjob by using crontab -e, because any manually added entries will be removed (either after a reboot or firmware update - I didn't check which, but my entry wasn't persisted).

Thus create another file: /etc/cron.d/check-wg

SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem

*/5 * * * * root /root/bin/check-wg.sh >>/var/log/check-wg.log

That's it.
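An added example, not code from the post or from OPNsense, that generalises the check above: instead of matching the literal string "0 0 100", parse the dpinger status line into fields and compare the loss percentage against a threshold, and treat an unparseable read as "unknown" rather than "down" so a broken socket cannot trigger a restart loop. The status line layout ("NAME latency_avg latency_stddev loss") is what the post's `cut -d ' ' -f2-` relies on; the gateway name "WAN_DHCP" and all sample lines are constructed, not captured from a real system.

```python
from dataclasses import dataclass

# Added example, not from the post: parse a dpinger status line and decide whether a gateway
# should be treated as down. dpinger returns one line per read of its status socket,
# "NAME latency_avg latency_stddev loss" (microseconds, microseconds, percent).


@dataclass(frozen=True)
class GwStatus:
    name: str
    latency_avg_us: int
    latency_stddev_us: int
    loss_pct: int


def parse_dpinger_status(line: str) -> GwStatus:
    """Parse one dpinger status line; raises ValueError on anything unexpected."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"unexpected dpinger status line: {line!r}")
    name, avg, stddev, loss = fields
    return GwStatus(name, int(avg), int(stddev), int(loss))


def gateway_down(line: str, loss_threshold_pct: int = 100) -> bool:
    """True if packet loss is at or above the threshold.

    Unparseable input (empty read, garbage) is treated as 'unknown', i.e. not down,
    so a failed socket read cannot keep restarting the tunnel every cron run."""
    try:
        st = parse_dpinger_status(line)
    except ValueError:
        return False
    return st.loss_pct >= loss_threshold_pct


# Constructed sample lines (not captured from a real system); the gateway name is assumed.
SAMPLES = {
    "healthy": "WAN_DHCP 12345 678 0",
    "dead":    "WAN_DHCP 0 0 100",
    "flaky":   "WAN_DHCP 40321 9001 35",
    "garbage": "",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:8s} down@100%={gateway_down(line)!s:5} down@20%={gateway_down(line, 20)}")
```

In the post's script the equivalent decision is the `if [ "$RES" = "0 0 100" ]` line; with this parser the same cron job could restart the tunnel on partial loss (say 50%) while still ignoring a momentarily empty socket read.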
#83
25.7, 25.10 Series / Re: Hostwatch - high disk writ...
Last post by OPNenthu - Today at 07:59:15 AM
Nice! 👍

I don't follow GitHub that closely and totally missed this.
#84
25.7, 25.10 Series / Re: hostwatch at 100% CPU
Last post by tessus - Today at 07:55:17 AM
Ok, I think this topic is done/solved.

I suspect that the service has a bug somewhere which causes the CPU to run amok. It is a pretty new service after all and it is easy to deactivate it.

Personally I don't need the service, but I understand that people have requested this feature. Who knows, maybe I will activate it again in the future. I am certain the devs will fix the current issues over time.

Patrick's explanation of what the service does exactly was very helpful.
#85
Yes it can track temporary addresses because of this:

https://github.com/opnsense/hostwatch/issues/2
#86
25.7, 25.10 Series / Re: Hostwatch - high disk writ...
Last post by OPNenthu - Today at 07:18:09 AM
Quote from: Monviech (Cedrik) on January 17, 2026, 06:41:23 PM
[...] the hostwatch daemon was mostly designed to discover IPv6 addresses, so that for example an IPv6 only captive portal is possible in the future.

Any consumer that needs a full picture of IPv6 addresses now has a fast sqlite database to work with.

The other things that happen with the data can still be fleshed out over time.

Ok, it just clicked.

Can this also track IPv6 temporary addresses?  If it will become possible to create a host alias that updates dynamically from ND data, or even update DNS so that firewall/unbound logs resolve to a host using privacy addresses...

Tempering my excitement :)
#87
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - Today at 06:35:29 AM
Correct, I also added IFNAME and NAINFO as well as finished the implementation of "new_raw_option_nnnnn" with a user which shows what else is there in the server response in raw hex format.

On my install I see this one for example:

new_raw_option_86=XXXXXXXXXXXXXXXXde396ffffed8ee9a

Once we ship the new version of dhcp6c we can start using these things.  IFNAME is pretty useful because we can stop building separate script files and use a static separate script, see https://github.com/opnsense/core/commit/e8f35e9dc


Cheers,
Franco
#88
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by Maurice - Today at 06:22:16 AM
@franco Nice! That's just the foundation though, correct? The dhcp6c_script doesn't do anything with this information yet, or does it?
#89
25.7, 25.10 Series / Re: hostwatch at 100% CPU
Last post by Panther2698 - Today at 05:19:39 AM
The fix was to disable automatic discovery as Patrick mentioned. The patch was definitely not professional. This was a very easy mistake to miss but completely avoidable, hopefully future patches don't brick and/or break our routers.... (Don't enable random features by default)
#90
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
Last post by ToasterPC - Today at 04:42:20 AM
Quote from: meyergru on January 18, 2026, 09:05:18 PM
Yes, that is expected if anywhere between you and 8.8.8.8 there is a limitation of 1492 bytes (probably imposed by your ISP). That also means your settings of 1512 do not work and you cannot use 1500 bytes MTU on either OpnSense WAN or LAN, you should set them to 1492 and be content with it.

Hmm, I understand.
Still, I find it a bit odd that under these conditions the older site was able to work at all, but, in any case, setting every interface and bridge involved to an MTU of 1492 in both Proxmox and OPNsense, followed by rebooting the VM didn't seem to fix the problem for downstream devices.

As an example, this is the cURL output of trying to acquire the Kindle for PC installer from a computer in the LAN:

curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
21:31:28.941631 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
21:31:28.941779 [0-0] * IPv6: (none)
21:31:28.941820 [0-0] * IPv4: 52.217.141.234, 52.217.162.210, 52.216.240.80, 3.5.11.193, 16.182.43.34, 54.231.235.34, 3.5.13.160, 52.217.200.218
21:31:28.941847 [0-0] * [HTTPS-CONNECT] adding wanted h2
21:31:28.941867 [0-0] * [HTTPS-CONNECT] added
21:31:28.941899 [0-0] * [HTTPS-CONNECT] connect, init
21:31:28.941943 [0-0] *   Trying 52.217.141.234:443...
21:31:28.942040 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.942057 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.942082 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:28.943317 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.943344 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.943363 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:28.946057 [0-0] * ALPN: curl offers h2,http/1.1
21:31:28.946644 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:31:28.946766 [0-0] * SSL Trust Anchors:
21:31:28.959938 [0-0] *   OpenSSL default paths (fallback)
21:31:28.960042 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:28.960083 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:28.960151 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:29.143547 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:29.143616 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:29.143661 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:30.144799 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:30.144852 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:30.144889 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:31.146133 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:31.146192 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:31.146225 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:32.147358 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:32.147471 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:32.147504 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:33.148706 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:33.148781 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:33.148818 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:34.149975 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:34.150035 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:34.150049 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:35.151166 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:35.151221 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:35.151251 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:36.152396 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:36.152456 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:36.152487 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:37.153634 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:37.153694 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:37.153708 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:38.154837 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:38.154894 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:38.154930 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:39.156122 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:39.156183 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:39.156215 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:40.157384 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:40.157449 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:40.157465 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:41.158668 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:41.158749 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:41.158804 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:42.159978 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:42.160070 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:42.160101 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:43.161245 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:43.161299 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:43.161332 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:44.162493 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:44.162561 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:44.162577 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:45.163758 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:45.163814 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:45.163843 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:46.165018 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:46.165106 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:46.165162 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:47.166352 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:47.166441 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:47.166503 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:48.167713 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:48.167813 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:48.167918 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:49.169152 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:49.169274 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:49.169343 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:50.170555 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:50.170622 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:50.170638 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:51.171800 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:31:51.171861 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:31:51.171898 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:31:52.105875 [0-0] * TLSv1.3 (OUT), TLS alert, decode error (562):
21:31:52.105986 [0-0] * TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
21:31:52.106047 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
21:31:52.106121 [0-0] * [HTTPS-CONNECT] connect -> 35, done=0
21:31:52.106192 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 35, done=0
21:31:52.106209 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(), filter returned 35
21:31:52.106258 [0-0] * closing connection #0
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

If I try the same command from the router itself, the handshake is performed successfully, regardless of the MTU being 1512 or after changing everything to 1492:

sudo curl -vv "https://kindleforpc.s3.us-east-1.amazonaws.com/70980/KindleForPC-installer-2.8.70980.exe"
21:40:28.981882 [0-0] * Host kindleforpc.s3.us-east-1.amazonaws.com:443 was resolved.
21:40:28.981933 [0-0] * IPv6: (none)
21:40:28.981939 [0-0] * IPv4: 16.182.36.178, 52.216.37.154, 52.216.88.134, 54.231.163.106, 16.182.67.74, 54.231.132.178, 16.15.201.213, 16.15.191.19
21:40:28.981947 [0-0] * [HTTPS-CONNECT] adding wanted h2
21:40:28.981953 [0-0] * [HTTPS-CONNECT] added
21:40:28.981961 [0-0] * [HTTPS-CONNECT] connect, init
21:40:28.981974 [0-0] *   Trying 16.182.36.178:443...
21:40:28.982013 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:28.982021 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:28.982030 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.042533 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.042548 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.042555 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.063286 [0-0] * ALPN: curl offers h2,http/1.1
21:40:29.063387 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:40:29.063416 [0-0] * SSL Trust Anchors:
21:40:29.063427 [0-0] *   CApath: /etc/ssl/certs
21:40:29.063437 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.063446 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.063455 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.143735 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:40:29.143859 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
21:40:29.143878 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
21:40:29.144539 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
21:40:29.144551 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
21:40:29.144559 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
21:40:29.145112 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
21:40:29.145176 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
21:40:29.145197 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
21:40:29.145220 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:40:29.145254 [0-0] * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
21:40:29.145263 [0-0] * ALPN: server accepted http/1.1
21:40:29.145271 [0-0] * Server certificate:
21:40:29.145282 [0-0] *   subject: CN=s3.amazonaws.com
21:40:29.145290 [0-0] *   start date: Jul 20 00:00:00 2025 GMT
21:40:29.145299 [0-0] *   expire date: Jun 25 23:59:59 2026 GMT
21:40:29.145308 [0-0] *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
21:40:29.145320 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145329 [0-0] *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145337 [0-0] *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
21:40:29.145350 [0-0] *   subjectAltName: "kindleforpc.s3.us-east-1.amazonaws.com" matches cert's "*.s3.us-east-1.amazonaws.com"
21:40:29.145359 [0-0] * SSL certificate verified via OpenSSL.
21:40:29.145367 [0-0] * [HTTPS-CONNECT] connect+handshake h2: 163ms, 1st data: 161ms
21:40:29.145374 [0-0] * [SETUP] query ALPN
21:40:29.145381 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
21:40:29.145388 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
21:40:29.145396 [0-0] * Established connection to kindleforpc.s3.us-east-1.amazonaws.com (16.182.36.178 port 443) from 187.213.231.111 port 45196
21:40:29.145405 [0-0] * [HTTPS-CONNECT] query ALPN
21:40:29.145412 [0-0] * using HTTP/1.x
21:40:29.145433 [0-0] > GET /70980/KindleForPC-installer-2.8.70980.exe HTTP/1.1
21:40:29.145433 [0-0] > Host: kindleforpc.s3.us-east-1.amazonaws.com
21:40:29.145433 [0-0] > User-Agent: curl/8.17.0
21:40:29.145433 [0-0] > Accept: */*
21:40:29.145433 [0-0] >
21:40:29.145488 [0-0] * Request completely sent off
21:40:29.258847 [0-0] < HTTP/1.1 200 OK
21:40:29.258863 [0-0] < x-amz-id-2: p8U1WgWd11rwEnrNeb0r044EDI/E84CXm6DkU0TvAfva4EeYK5eWUOf5neCmEiHChEba0rI2rSo=
21:40:29.258870 [0-0] < x-amz-request-id: 8V0MHSM36PK4E00R
21:40:29.258875 [0-0] < Date: Mon, 19 Jan 2026 03:40:30 GMT
21:40:29.258881 [0-0] < Last-Modified: Thu, 21 Aug 2025 10:56:57 GMT
21:40:29.258887 [0-0] < ETag: "2b756dcc3905a9ff3aef6a0a57dd7c09-18"
21:40:29.258892 [0-0] < x-amz-server-side-encryption: AES256
21:40:29.258898 [0-0] < Accept-Ranges: bytes
21:40:29.258904 [0-0] < Content-Type: application/octet-stream
21:40:29.258910 [0-0] < Content-Length: 298242024
21:40:29.258915 [0-0] < Server: AmazonS3
21:40:29.258921 [0-0] <
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
21:40:29.258942 [0-0] * client returned ERROR on write of 16384 bytes
21:40:29.258951 [0-0] * closing connection #0

Is there something else that could be the root of the issue aside from the MTU of the WAN?