Possible PPPoE MTU / PMTUD Regression in 25.7.2 (FreeBSD 14.3)

Started by OrangeOrb, September 08, 2025, 04:20:57 PM

Hi all

Firstly, I won't take credit for this. I've been working through it with ChatGPT when I've had a bit of spare time here and there, and ChatGPT helpfully put together the below based on things that we've looked at so far plus some workarounds we've attempted. The only other thing I should add is that these are Realtek NICs, the Realtek plugin is installed, and up until the last update this system was working absolutely fine and performing well.

Since updating to OPNsense 25.7.2-amd64 (FreeBSD 14.3-RELEASE-p2, OpenSSL 3.0.17) I've started to see issues that look like a regression in MTU / PMTUD handling over PPPoE.

Symptoms observed across multiple clients:

 - YouTube and other streaming services buffer with the spinning circle.
 - VMware Horizon (Blast protocol) frequently reports "Network Connection Unstable".
 - General browsing intermittently stalls until connections retry at smaller sizes.
 - Fedora clients in particular needed net.ipv4.tcp_mtu_probing=1 as a workaround.

What I've tested:

 - ping -M do -s 1472 1.1.1.1 fails ("Message too long"), confirming no path for full 1500B.
 - TCP SYN captures (tcpdump -ni pppoe0 'tcp[tcpflags] & (tcp-syn) != 0') show MSS 1452 being negotiated, which should be correct for PPPoE, but connectivity issues persist.
 - Lowering WAN MTU (1488, 1480, 1472) made no noticeable improvement.
 - Adding a scrub rule to clamp TCP MSS to 1452 helps TCP somewhat, but UDP services (e.g. Horizon Blast, YouTube) still show instability.

This suggests PMTUD is not working reliably through OPNsense since the 25.7.2 update.

Related reports:

 - OPNsense Forum thread on PPPoE MTU issues
 - GitHub FreeBSD/OPNsense issue reference (possibly related to PPPoE/fragmentation handling)

Questions:

 - Has anyone else on PPPoE noticed issues with 25.7.2 after the FreeBSD 14.3 update?
 - Is this a known regression being tracked by the core team?
 - Any recommended global workaround for UDP traffic (since MSS clamping only helps TCP)?

Happy to provide tcpdumps, MTR outputs, and further sysctl info if needed.

Thanks!
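
The single ping -M do -s 1472 test from the post above, extended into a binary search for the largest ICMP payload that passes with DF set. This is an added example, not part of the original post; it assumes Linux iputils ping on a client behind the firewall, and the function names and the 1200-byte lower bound are illustrative choices.

```shell
#!/bin/sh
# probe SIZE HOST: succeeds if one DF-flagged ping with SIZE payload bytes
# gets a reply. Flags are Linux iputils: -M do (as in the post), -c, -W, -s.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload that passes; returns 1 if even LOW fails.
# Assumes pass/fail depends only on size. Packet loss or ICMP rate limiting
# can make a probe fail for other reasons, so repeat the run before trusting it.
find_max_payload() {
    host=$1
    lo=${2:-1200}
    hi=${3:-1472}
    probe "$lo" "$host" || return 1
    if probe "$hi" "$host"; then
        echo "$hi"
        return 0
    fi
    # Invariant from here on: lo passes, hi fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# path_mtu_report HOST
# payload + 28 (20 IPv4 + 8 ICMP) = path MTU
# path MTU - 40 (20 IPv4 + 20 TCP) = MSS expected in SYNs on that path
path_mtu_report() {
    payload=$(find_max_payload "$1") || {
        echo "no DF reply from $1 even at the low payload size"
        return 1
    }
    mtu=$((payload + 28))
    echo "host=$1 max_payload=$payload path_mtu=$mtu expected_mss=$((mtu - 40))"
}

# Usage: path_mtu_report 1.1.1.1
```

On a standard PPPoE link (MTU 1492) the report should show max_payload=1464 and expected_mss=1452, matching the MSS seen in the SYN captures above; a lower figure points to a smaller MTU somewhere on the path.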

You know this, already?

I am not saying that nothing has changed w/r to PMTUD, however, some sites are known to have problems with that, so enlarging the MTU on your WAN interface (if feasible) will eliminate most of the problems that would usually be fixed by using a smaller MTU and/or MSS clamping.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+