[Solved] Blocking some website's responses over IPsec Site-to-Site

Started by Wyrrrd, August 04, 2021, 02:32:38 PM

I am setting up a site-to-site IPsec between two OPNsense machines (21.7) and want to access the internet from a client in the LAN of A, while the internet access is located on B.

I followed the configuration tutorial at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html to establish the IPsec tunnel. For ease of use, I configured a rule on both machines' "IPsec" interface to allow everything inbound. A has a default route via the tunnel address of B; B has a route to the LAN of A via the tunnel address of A and a default route via the internet router. (Obviously, the tunnel addresses are configured as gateways, as stated in the above tutorial.)

On A, I put a rule allowing access from LAN of A to all non-private IPs. The same is configured on B for LAN of B.

What bugs me now is that I can only reach some, but not all, websites from a client in the LAN of A (while all are accessible when I try connecting from A itself, so IPsec seems to work fine). The firewall log of A reports the requests passing, but the responses being blocked by "Default deny rule", completely ignoring my any-rule.

I cannot understand how google.com does not pass, but facebook.com does. Something must be different for those sites to be handled differently, but I cannot find the cause...

https://github.com/opnsense/core/issues/5156

Turns out it was a fragmentation error. Setting MSS to 1300 (and a corresponding MTU of 1340) on the LAN interface solved it.
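As an added illustration of why the MSS clamp in the final post works (not code from the thread or from OPNsense), the script below models ESP tunnel-mode overhead for IPv4 and checks whether a full-size TCP segment still fits a 1500-byte uplink. The ESP header, IV, padding and ICV sizes are assumptions for an AES-CBC/HMAC-SHA1 suite; NAT-T UDP encapsulation and IP options are not modelled.

```python
"""Model ESP tunnel-mode overhead to see when TCP segments fragment and
derive the MSS clamp for an inner MTU (added example, assumed cipher sizes)."""
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    """Per-SA sizes that depend on the negotiated cipher suite (assumed values)."""
    iv_len: int     # 16 for AES-CBC, 8 for AES-GCM
    icv_len: int    # 12 for HMAC-SHA1-96, 16 for HMAC-SHA256-128 / AES-GCM-128
    block_len: int  # padding alignment: cipher block (16 for AES-CBC), 4 for GCM


AES_CBC_SHA1 = EspParams(iv_len=16, icv_len=12, block_len=16)  # assumed suite


def esp_outer_len(p: EspParams, inner_len: int) -> int:
    """Wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % p.block_len          # pad so payload + trailer is block aligned
    return IPV4_HDR + ESP_HDR + p.iv_len + payload + pad + p.icv_len


def max_inner_mtu(p: EspParams, outer_mtu: int) -> int:
    """Largest inner packet whose encapsulated form still fits the outer MTU."""
    inner = outer_mtu
    while esp_outer_len(p, inner) > outer_mtu:
        inner -= 1
    return inner


def mss_for_mtu(inner_mtu: int) -> int:
    """MSS clamp for an interface MTU: strip the inner IPv4 and TCP headers."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def segment_fits(p: EspParams, outer_mtu: int, mss: int) -> bool:
    """True if a full-MSS TCP segment can be tunnelled without fragmentation."""
    return esp_outer_len(p, mss + IPV4_HDR + TCP_HDR) <= outer_mtu


if __name__ == "__main__":
    # the default MSS 1460 behind a 1500-byte uplink fragments; 1300 does not
    print("MSS 1460 fits:", segment_fits(AES_CBC_SHA1, 1500, 1460))
    print("MSS 1300 fits:", segment_fits(AES_CBC_SHA1, 1500, 1300))
    print("MSS for MTU 1340:", mss_for_mtu(1340))
```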