Mullvad WireGuard crashing; moved from pfSense

[MyUsername0861]

Hello
Long time lurker, first time poster.

New to OPNsense but used pfSense for years.  I am pulling my hair out and need some advice.

Long story kinda short, I had my pfSense (Netgate SG-2100) using a selective routing setup to Mullvad via WireGuard (VPN1) for my primary VLAN (VLAN10) and I also ran a Raspberry Pi on VLAN 50. VLAN 50 did not use VPN1 but connected using WireGuard client on the Debian running Raspberry Pi.
All worked fine and I could use my full bandwidth (I get ~400/10 from my ISP) to download files using a bittorrent client.

I migrated to an OPNsense (Protectli VP2440; running 26.1.1) and "moved the config over" (this may be a point of contention later but withhold judgment temporarily).  After some minor hiccups and new Rule changes that didn't adapt, I got everytihng running!  It is a beast and I love it!  Rock solid.... until... I fired up the Raspberry Pi.  Once I started downloading a file or two, and the bandwidth kicked up to over ~300Mbps, the whole WAN interface and both VPNs froze up.

I have attached an image of my setups as they progressed through my troubleshooting.  Original "known good" setup on pfSense/pre-migration to OPNsense: "Setup 1", "Setup 2" where I replaced the pfSense/Netgate with the OPNsense/Protectli, and "Setup 3" where I removed the managed switch from the equation.

I have tried many things on both the router and the bittorrent client (bandwidth shaping on router, MTU/MSS on both, bandwitdh limits on bittorrent client; connection limits on bittorrent client) and once I started downloading any files that require the client to run for more than 2 minutes (e.g. 25GB+) it freezes the VPN2 connection.
Now, in Setup 2, all connections would lock up, in Setup 3, ONLY VPN2 locks up and the WAN and VPN1 stay connected.

I love troubleshooting so here are SOME of the steps I took. Stopping the download does not allow the VPN2 to self correct.  I started big and rebooted the router and all goes back to normal until I start a download again.
The ONLY step that seems to work short of a reboot is reloading the WAN DHCP interface in 'Interfaces: Overview' (or the newly found CLI 'configctl interface reconfigure wan' command).  I am not familiar enough with FreeBSD/OPNsense enough to know what all this command does so I'm not quite sure what it's doing that it fixes VPN2, but no other standalone command is able to fix it like this step.

A little more info: I have watched every log in the GUI and whichever ones I could set to "Debug" I did.  Nothing pops up OTHER than I seemed to notice a few more pf logs of "mismatched state" but wasn't sure if that was coincidence.  This hardware is overkill so my firewall states are not maxing out (maybe 2000 total at the time?), CPU remains around 10% usage and memory is about 10%, so I'm not hitting any max states or connections.  I removed the "virusprot" overload rules via "Disable rate limit rule" in "Firewall:Settings:Advanced".

Also, I watched my cable modem to see if any logs popped up there and nothing did. (which I wasn't sure they would in setup 3 because the WAN stayed active)

Now, to go back to my "moved the config over", I asked to withhold judgment because everything else works just like before. So I'm not sure what could be wrong with the config.

Any and all advice welcomed.  I'm truly mostly looking to help myself in maybe some info I don't have on what logs I may be able to watch as the issue is fairly easily reproducible.

(If more info is required, please let me know, I just didnt want to overload my initial post and hope this is enough for now.)
THANK YOU!

[OPNenthu]

Are you running your VP2440 with coreboot or AMI?  If coreboot, there is an open TSB for the 2.5GbE ports related to ASPM:

https://protectli.com/news/vp2440-coreboot-issue/
https://kb.protectli.com/wp-content/uploads/sites/9/2025/12/TSB-2025-001_-VP2440-ASPM-Network-Performance-Issue_v1_1_0.pdf

Not sure if this is the issue in your case, though.

[MyUsername0861]

Thanks OPNenthu!  It's a start.
I am indeed running coreboot and was unaware of this issue/TSB!

I am adding the Tunable and rebooting now and will report back.

[MyUsername0861]

I have an update!
I can't confirm any of this for certain but I believe I have had two simultaneous issues with one masking the other.

First, thank you SO much for sharing that TSB, OPNenthu!  It was almost certainly a contributing factor.
So, since my last post I added the Tunable temporary correction for the TSB issue and while my connection was "stronger" and the VPN didn't fall over as quickly as it had, it did eventually crash out a few more times.  I then decided to move my network back to "Setup 2" (with the Raspbery Pi connecting it's own VPN and behind the managed switch) but this time I connected the LAN and WAN both to the SFP's as opposed to the ETH ports. (I then had no traffic flowing through the OPNsense/VP2440 ETH ports.)
Now, I had to really push to saturate the line before the WAN would ultimately start building up with Ping Loss but if I dialed it back somewhat, it would stay connected and start getting back to a normal connection latency!

TL;DR: The VP2440 TSB was definitely an issue but I think I may have also been over saturating my bandwidth and with both issues in tandem, the VPN was never able to repair itself like it can using the SFPs.
So for now, the setup stays as is until there is a fix for the TSB and I can try again.  Again, short of the TSB, this never happened with my pfSense but I also can't say for sure that I had the bandwidth pegged as much as I have been with the OPNsense.


Thanks again OPNenthu! I'm really not sure I'd have found that TSB without you so I'm glad I posted here.
Will update again it anything changes in case anyones following along.

[OPNenthu]

Glad that helped somewhat, as one piece of the puzzle :)