OPN on Hetzner vSwitch w/public subnet, natted VMs can't browse internet

[feedt]

Good morning forum, i'm trying to integrate OPN (latest stable) as a firewall on my XCPNG (xen) cluster on Hetzner but cannot get VM behind it browsing web.

Some tech stuff: on Hetzner, each physycal host is connected in a vswitch (vlan) with a public subnet binded to it ( https://docs.hetzner.com/robot/dedicated-server/network/vswitch/ ). So, in a guest vm, if we attach his interface to the vswitch/vlan (MTU 1400) and give an ip from the public subnet, the VM can browse with this new public ip (tested, working).

The problem: i made the same exact configuration for the WAN side of OPNsense istance with some VM connected to the LAN (behind NAT) and those VM can only ping/resolve external addresses but got timeout when browsing internet. Tried reset, pfctl -d, review ruleset but nothing seems help

Any hint? Thank you

[feedt]

Resolved, the problem was the MTU of 1400 for the vSwitch that's need to be set at VM level, leaving the default (1500) on the virtual nic at hypervisor level