pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic
-
Also changing VrtIO to RTL8139 or E1000 also passes traffic to the clients behind the NAT.
So to replicate, create VM that uses VirtIO cards/bridges and do simple config WAN-PPPoE/LAN on the latest pfSense beta, try speedtest on pfSense itself by installing speedtest-go and the try to reach the internet on any LAN client.
Should I report this one on the Redmine? -
@stephenw10, what do you think?
I understand this cannot be show stopper since nobody else mentioned this issue so far, but... -
-
Quick assisted search...
-
September 2025 — checksum offload rework
Commit 1c23d8f9f398 updates vtnet checksum-offload flag handling for TX/RX and adds new RX checksum statistics. -
Late August–September — rxcsum fixes
Patch series around commit 03da4395… (Bug 263229) fixes vtnet RX checksum validation issues. -
October 2025 — hardware TCP LRO disabled by default
Commits 3d548504c705 (stable/14) and e1a7840dd941 (stable/15):
hardware TCP LRO is now disabled by default for vtnet. -
Active bug reports related to vtnet + checksum offload
Bug 277718
Bug 259249
Bug 276760
Bug 235607
Should be something related to the new checksum implementation?
-
-
@w0w This goes too deep.
If you add another vm on proxmox and use the bridged lan as a gateway, it will also work.
Apart from ppp, the issue also occurs on openvpn client related traffic, but only when using dco offload.
So its not only pppoe related.
-
@netblues
Did you file this issue on Redmine already? -
@w0w No, I havent.
Steven said would try to replicate the issue localy.
Perhaps a redmine is now appropriate.
-
Mmm, your report was only for policy routed traffic. Given this new data that could just be your setup though.
@w0w You say clients can ping DNS servers, is that locally or over the PPPoE?
This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.
-
@stephenw10
As the op says, it only happens on latest beta, which is also the case in what I see.
And looking at interface status everything mtu related looks fine my side too. -
@stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:
You say clients can ping DNS servers, is that locally or over the PPPoE?
8.8.8.8
@stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:
This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.
I have been played with the MTU/MSS values without any luck.
I also tried almost all sysctl hw.vtnet settings
hw.vtnet.altq_disable: 1 hw.vtnet.lro_mbufq_depth: 0 hw.vtnet.lro_entry_count: 128 hw.vtnet.rx_process_limit: 1024 hw.vtnet.tso_maxlen: 65535 hw.vtnet.mq_max_pairs: 32 hw.vtnet.mq_disable: 0 hw.vtnet.lro_disable: 1 hw.vtnet.tso_disable: 1 hw.vtnet.fixup_needs_csum: 0 hw.vtnet.csum_disable: 1What I did not try are those tunables... this will be next
dev.vtnet.X.rxcsum=0 dev.vtnet.X.txcsum=0 dev.vtnet.X.tso=0 -
dev.vtnet.X.rxcsum=0
dev.vtnet.X.txcsum=0
dev.vtnet.X.tso=0Failed also.
-
Would you share the content/output of the following when it's working and when it's not?
- Generated OpenVPN config, e.g.:
/var/etc/openvpn/server1/config.ovpn - Filter rules:
pfctl -a '*' -se; pfctl -a '*' -sn; pfctl -a '*' -sr
You can upload it here:
https://nc.netgate.com/nextcloud/s/8CQAsHwwooTRAPt - Generated OpenVPN config, e.g.:
