pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic

w0w

@stephenw10, what do you think?
I understand this cannot be show stopper since nobody else mentioned this issue so far, but...

netblues

@w0w

Yes he has.
I'm facing exactly the same under kvm

kvm issue

w0w

Quick assisted search...

1. September 2025 — checksum offload rework
   Commit 1c23d8f9f398 updates vtnet checksum-offload flag handling for TX/RX and adds new RX checksum statistics.

2. Late August–September — rxcsum fixes
   Patch series around commit 03da4395… (Bug 263229) fixes vtnet RX checksum validation issues.

3. October 2025 — hardware TCP LRO disabled by default
   Commits 3d548504c705 (stable/14) and e1a7840dd941 (stable/15):
   hardware TCP LRO is now disabled by default for vtnet.

4. Active bug reports related to vtnet + checksum offload

Bug 277718

Bug 259249

Bug 276760

Bug 235607

Should be something related to the new checksum implementation?

netblues

@w0w This goes too deep.

If you add another vm on proxmox and use the bridged lan as a gateway, it will also work.

Apart from ppp, the issue also occurs on openvpn client related traffic, but only when using dco offload.

So its not only pppoe related.

w0w

@netblues
Did you file this issue on Redmine already?

netblues

@w0w No, I havent.

Steven said would try to replicate the issue localy.

Perhaps a redmine is now appropriate.

stephenw10

Mmm, your report was only for policy routed traffic. Given this new data that could just be your setup though.

@w0w You say clients can ping DNS servers, is that locally or over the PPPoE?

This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.

netblues

@stephenw10
As the op says, it only happens on latest beta, which is also the case in what I see.
And looking at interface status everything mtu related looks fine my side too.

w0w

@stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

You say clients can ping DNS servers, is that locally or over the PPPoE?

8.8.8.8

@stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.

I have been played with the MTU/MSS values without any luck.

I also tried almost all sysctl hw.vtnet settings

hw.vtnet.altq_disable: 1
hw.vtnet.lro_mbufq_depth: 0
hw.vtnet.lro_entry_count: 128
hw.vtnet.rx_process_limit: 1024
hw.vtnet.tso_maxlen: 65535
hw.vtnet.mq_max_pairs: 32
hw.vtnet.mq_disable: 0
hw.vtnet.lro_disable: 1
hw.vtnet.tso_disable: 1
hw.vtnet.fixup_needs_csum: 0
hw.vtnet.csum_disable: 1

What I did not try are those tunables... this will be next

dev.vtnet.X.rxcsum=0
dev.vtnet.X.txcsum=0
dev.vtnet.X.tso=0

w0w

said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

dev.vtnet.X.rxcsum=0
dev.vtnet.X.txcsum=0
dev.vtnet.X.tso=0

Failed also.

marcosm

Would you share the content/output of the following when it's working and when it's not?

• Generated OpenVPN config, e.g.: /var/etc/openvpn/server1/config.ovpn
• Filter rules: pfctl -a '*' -se; pfctl -a '*' -sn; pfctl -a '*' -sr

You can upload it here:
https://nc.netgate.com/nextcloud/s/8CQAsHwwooTRAPt