Netgate Discussion Forum

    Intermittent Connectivity Issues with specific sites on pfSense – Need Help with NAT/MTU/MSS Troubleshooting

    General pfSense Questions
    • marcos20

      Hi everyone,

      I'm experiencing intermittent connectivity issues with certain websites when routing traffic through my pfSense firewall (version 2.7.0-RELEASE). For example, sites like "www.detran.rs.gov.br" and some Microsoft properties sometimes load very slowly or only partially (e.g., missing CSS files), and at other times they don’t load at all.

      Here’s what I’ve already tried:

      MTU Adjustments:
          Lowered the WAN MTU to 1350 and 1400.
      
      MSS Clamping:
          Set MSS to 1360 (calculated as MTU minus 40 bytes).
      
      Hardware Offloading:
          Disabled Hardware Checksum Offload, TCP Segmentation Offload (TSO), and Large Receive Offload (LRO).
      
      Firewall Optimization & Scrub Options:
          Switched to Conservative optimization and toggled the Scrub settings.
      
      NAT/State Resets:
          Reviewed outbound NAT rules and performed state resets.
      
      Direct Testing on the pfSense Box:
          Running curl -v https://www.detran.rs.gov.br from the pfSense shell returns a successful connection with a proper TLS handshake.
      
      Packet Captures:
          Captures (via Wireshark) show repeated SYN retransmissions, suggesting the handshake isn’t completing reliably. The issue doesn’t seem to be due to oversized packets (none exceeding 1500 bytes).
      
      Other Checks:
          Verified that no proxies, pfBlockerNG, IDS/IPS, or additional filtering services are active.
          DNS resolution is functioning correctly.
          Attempted temporarily disabling the firewall with pfctl -d (which caused loss of connectivity, so it wasn’t a viable option).
      

      Despite all these efforts, the issue remains intermittent and seems isolated to specific destinations, while other sites load normally.

      Has anyone experienced a similar problem or have any suggestions for further troubleshooting steps? Any insight into what might be causing these issues—be it in the NAT processing, possible hardware/driver quirks, or external factors—would be greatly appreciated.

      Thanks in advance for your help!

      • stephenw10 (Netgate Administrator)
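      Two of the checks in the post above, reading SYN retransmissions out of a capture and deriving an MSS clamp from a path MTU, as an added example that is not from any poster in this thread. It parses tcpdump-style text lines (constructed here, not a real capture) and flags flows whose SYN was repeated without a SYN-ACK; a bare SYN is far below any MTU, so that pattern points at filtering, routing or state handling rather than fragmentation.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n style lines (not a capture from the thread); 203.0.113.5
# is a documentation address, 200.198.128.227 is the address named in the thread.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.168.1.10.51000 > 200.198.128.227.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:00:02.000 IP 192.168.1.10.51000 > 200.198.128.227.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:00:04.000 IP 192.168.1.10.51000 > 200.198.128.227.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:00:05.000 IP 192.168.1.10.51001 > 203.0.113.5.443: Flags [S], seq 7, win 64240, options [mss 1360], length 0
10:00:05.100 IP 203.0.113.5.443 > 192.168.1.10.51001: Flags [S.], seq 9, ack 8, win 65535, options [mss 1380], length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:.*?options \[.*?mss (?P<mss>\d+))?"
)


def summarize_handshakes(capture_text):
    """Group SYN and SYN-ACK packets by the client-side 4-tuple."""
    flows = defaultdict(lambda: {"syns": 0, "synack": False, "peer_mss": None})
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["flags"] == "S":  # client SYN: key is (client, cport, server, sport)
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows[key]["syns"] += 1
        elif m["flags"] == "S.":  # SYN-ACK from the server: reverse the tuple
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            flows[key]["synack"] = True
            flows[key]["peer_mss"] = int(m["mss"]) if m["mss"] else None
    return dict(flows)


def unanswered_syn_flows(capture_text, min_syns=2):
    """Flows whose SYN was sent min_syns or more times with no SYN-ACK seen."""
    return sorted(k for k, v in summarize_handshakes(capture_text).items()
                  if v["syns"] >= min_syns and not v["synack"])


def mss_for_mtu(mtu, ipv6=False):
    """MSS that fits a path MTU: 20-byte IPv4 (or 40-byte IPv6) header plus 20-byte TCP header."""
    return mtu - (60 if ipv6 else 40)
```

      When setting the value on pfSense, note that the interface MSS field's own help text says pfSense subtracts 40 from the entered number itself, so entering 1360 there clamps to 1320 rather than 1360.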

        Could be an IPv6 vs v4 issue. Do you have any IPv6 enabled at all?

        Do these sites fail consistently? Always resolving to the same IP?

        That site also fails to load completely for me but that's coming from the UK. It may have some geoblocking.

        • marcos20 @stephenw10

          @stephenw10 Hi,

          Thanks for your response. I have IPv6 completely disabled on my network, so everything is running over IPv4 only. The problematic sites consistently resolve to the same IP address (for example, www.detran.rs.gov.br always resolves to 200.198.128.227). I'm experiencing this issue from within Brazil, and it's intermittent even on sites that don't seem to have geoblocking applied (detran.rs is a Brazilian site).

          • Gertjan @marcos20

            @marcos20 said in Intermittent Connectivity Issues with specific sites on pfSense – Need Help with NAT/MTU/MSS Troubleshooting:

            (for example, www.detran.rs.gov.br

            Not a good example. This is a gov.br site ( ! ), so normally they should not produce a web site with that many 'syntax errors'.
            More than 120 seconds are needed to load the file, and I know, I'm in from, but it was the site having a hard time outputting the info, not the transatlantic fiber cables.

            I tend to think your pfSense has no issues. It's just a fact that some web sites are ... well .... less well built 😊

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • marcos20 @Gertjan

              @Gertjan Hi,

              Thanks for your input. I totally agree that ideally they should be built better. However, I also manage another company that uses pfSense with nearly identical configurations, and we're encountering similar issues accessing Microsoft sites. Moreover, when I bypass the firewall, those sites, although sometimes slow, perform much better than they do behind the firewall.

              This leads me to believe that there might be something in our configuration contributing to the problem, or maybe it's just a packet routing problem, even though the two pfSense setups are on different ISPs. Any further insights would be greatly appreciated!

              Best regards.

              • Gertjan @marcos20

                @marcos20

                Your own 'ancient' PC with two NICs using 2.7.2, or a small box like this using 24.11, with default settings (change only the password) will work out of the box without issues.
                If you see differently, I'm very confident the issue isn't pfSense.

                Tell us more about your setup.

                • johnpoz (LAYER 8 Global Moderator) @marcos20

                  @marcos20 that site doesn't seem to load in Firefox

                  I get these errors

                  [screenshot: ff.jpg]

                  but loads fine in Edge

                  [screenshot: edge.jpg]

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • stephenw10 (Netgate Administrator)

                    Same. But only on the second attempt. Seems to be badly coded! Maybe Firefox use is very low in Brazil? Been a while since I've seen something like that. Browser specific failures usually only hit Internet Explorer.

                    Do you have a different example site @marcos20?

                    • w0w (last edited by w0w)

                      Try mtupath:
                          mtupath www.detran.rs.gov.br

                      I have had similar problems some time ago. This was happening with IPv6 enabled but some sites were IPv4 only, so after mtupath discovery I changed the MSS to 1352.

                      BTW I have zero problems opening www.detran.rs.gov.br in Firefox either, but not in Edge.
