User access issues on specific internet-uplink + vlan combination

Started by intelliIT, January 13, 2025, 09:51:17 AM

I think I have a bit of a doozy here.

I have a couple of road-warriors connected via Wireguard to my OPNsense. The OPNsense is behind a DSL Router+Modem with my VPN ports forwarded.

I'm experiencing an issue with a specific intranet subnet (`10.9.0.0/24`) while connected via a WireGuard VPN from a Windows client using a DSL internet connection. This only happens for one user. He is using Vodafone DSL.

# Symptoms:

* HTTP/HTTPS traffic to `10.9.0.0/24` fails (e.g. SSL handshake failure).
* Ping and DNS requests to `10.9.0.0/24` succeed.
* Any traffic to a different subnet (e.g., `10.12.0.0/24`) works without issues.
* Switching to a different internet uplink (e.g. mobile hotspot) resolves the issue.

Both subnets are on the same switching hardware and use the same link to the OPNsense; they are separated by VLANs.

I have verified all the basic stuff, like configs, routing, NAT, fw-policies, etc. I am not too sure about MTU as I get traffic to work, but the more "complex" applications seem to fail. I see packets and requests but the handshakes don't succeed. I will try to get a packet-capture as soon as the user is using this uplink again.

Any ideas?
I have no hope of getting help from the ISP.
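Added example (not from the original post or from OPNsense/WireGuard): a small Python script for the MTU check the post leaves unverified. It binary-searches the largest IPv4 packet that crosses a path with the DF bit set and derives WireGuard MTU and MSS-clamp values from the result; it assumes Linux or Windows `ping` on the affected client and that the probed host is the OPNsense's public VPN endpoint (the underlay path), both of which are assumptions.

```python
# Path-MTU probe with DF-bit pings, plus tunnel-sizing arithmetic.
# Run from the affected client against the VPN endpoint's public address;
# the probe function is injectable so the search logic can be checked offline.
import platform
import subprocess
from typing import Callable

IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header
WG_IPV4_OVERHEAD = 60     # IPv4 20 + UDP 8 + WireGuard 32 (type, index, counter, tag)
TCP_IPV4_HEADERS = 40     # IPv4 20 + TCP 20; MSS = interface MTU - 40


def ping_df(host: str, payload: int) -> bool:
    """Send one ICMP echo with DF set and `payload` data bytes; True if answered."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "1000", "-f", "-l", str(payload), host]
    else:  # Linux iputils: -M do sets DF, -s sets the data size
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df,
                  lo: int = 576, hi: int = 1500) -> int:
    """Largest total IPv4 packet size (bytes) that passes unfragmented.

    Binary search between lo (assumed to pass) and hi; every probe converts
    the packet size to an ICMP payload size before sending.
    """
    if probe(host, hi - IPV4_ICMP_OVERHEAD):
        return hi                       # no MTU reduction on this path
    if not probe(host, lo - IPV4_ICMP_OVERHEAD):
        raise RuntimeError(f"even {lo}-byte packets are dropped; not an MTU problem")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid - IPV4_ICMP_OVERHEAD):
            lo = mid                    # mid passes: search upward
        else:
            hi = mid                    # mid dropped: search downward
    return lo


def recommend(path_mtu: int) -> dict:
    """Derive a WireGuard interface MTU and a TCP MSS clamp from the underlay MTU."""
    wg_mtu = path_mtu - WG_IPV4_OVERHEAD
    return {"path_mtu": path_mtu, "wg_mtu": wg_mtu, "mss_clamp": wg_mtu - TCP_IPV4_HEADERS}


if __name__ == "__main__":
    import sys
    mtu = find_path_mtu(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1")  # placeholder endpoint
    print(recommend(mtu))
```

A result of 1500 from the underlay while TLS still fails points away from MTU; a lower value (PPPoE links commonly show 1492) gives the WireGuard MTU and MSS clamp to try on the client and on the OPNsense WireGuard interface.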