Netgate Discussion Forum

    pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic

    Plus 25.11 Snapshots
    • w0w

      I've used the same Proxmox VM template for IPFire and everything works as expected.
      I also tried installing 2.8 from scratch, and it works just fine.
      Only the latest beta plus fails to pass traffic to clients.

      • w0w

        Also, changing VirtIO to RTL8139 or E1000 passes traffic to the clients behind the NAT.
        So to replicate, create a VM that uses VirtIO cards/bridges and do a simple WAN-PPPoE/LAN config on the latest pfSense beta, try speedtest on pfSense itself by installing speedtest-go, and then try to reach the internet on any LAN client.
        Should I report this one on the Redmine?

        • w0w

          @stephenw10, what do you think?
          I understand this cannot be a show stopper since nobody else has mentioned this issue so far, but...

          • netblues @w0w

            @w0w

            Yes he has.
            I'm facing exactly the same under kvm

            kvm issue

            • w0w @netblues

              Quick assisted search...

              1. September 2025 — checksum offload rework
                Commit 1c23d8f9f398 updates vtnet checksum-offload flag handling for TX/RX and adds new RX checksum statistics.

              2. Late August–September — rxcsum fixes
                Patch series around commit 03da4395… (Bug 263229) fixes vtnet RX checksum validation issues.

              3. October 2025 — hardware TCP LRO disabled by default
                Commits 3d548504c705 (stable/14) and e1a7840dd941 (stable/15):
                hardware TCP LRO is now disabled by default for vtnet.

              4. Active bug reports related to vtnet + checksum offload
                • Bug 277718
                • Bug 259249
                • Bug 276760
                • Bug 235607

              Should be something related to the new checksum implementation?

              • netblues @w0w

                @w0w This goes too deep.

                If you add another vm on proxmox and use the bridged lan as a gateway, it will also work.

                Apart from ppp, the issue also occurs on openvpn client related traffic, but only when using dco offload.

                So it's not only pppoe related.

                • w0w @netblues

                  @netblues
                  Did you file this issue on Redmine already?

                  • netblues @w0w

                    @w0w No, I haven't.

                    Steven said he would try to replicate the issue locally.

                    Perhaps a redmine is now appropriate.

                    • stephenw10 Netgate Administrator

                      Mmm, your report was only for policy routed traffic. Given this new data that could just be your setup though.

                      @w0w You say clients can ping DNS servers, is that locally or over the PPPoE?

                      This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.

                      • netblues @stephenw10

                        @stephenw10
                        As the OP says, it only happens on the latest beta, which is also the case in what I see.
                        And looking at the interface status, everything MTU related looks fine on my side too.

                        • w0w @stephenw10

                          @stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

                          You say clients can ping DNS servers, is that locally or over the PPPoE?

                          8.8.8.8

                          @stephenw10 said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

                          This feels like it might be an MTU/MSS issue if the virtual NIC is reporting the wrong value somehow.

                          I have played with the MTU/MSS values without any luck.

                          I also tried almost all sysctl hw.vtnet settings

                          hw.vtnet.altq_disable: 1
                          hw.vtnet.lro_mbufq_depth: 0
                          hw.vtnet.lro_entry_count: 128
                          hw.vtnet.rx_process_limit: 1024
                          hw.vtnet.tso_maxlen: 65535
                          hw.vtnet.mq_max_pairs: 32
                          hw.vtnet.mq_disable: 0
                          hw.vtnet.lro_disable: 1
                          hw.vtnet.tso_disable: 1
                          hw.vtnet.fixup_needs_csum: 0
                          hw.vtnet.csum_disable: 1
                          

                          What I did not try are those tunables... this will be next

                          dev.vtnet.X.rxcsum=0
                          dev.vtnet.X.txcsum=0
                          dev.vtnet.X.tso=0
                          
                          • w0w @w0w

                            said in pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic:

                            dev.vtnet.X.rxcsum=0
                            dev.vtnet.X.txcsum=0
                            dev.vtnet.X.tso=0

                            Failed also.

                            • marcosm Netgate

                              Would you share the content/output of the following when it's working and when it's not?

                              • Generated OpenVPN config, e.g.: /var/etc/openvpn/server1/config.ovpn
                              • Filter rules: pfctl -a '*' -se; pfctl -a '*' -sn; pfctl -a '*' -sr

                              You can upload it here:
                              https://nc.netgate.com/nextcloud/s/8CQAsHwwooTRAPt

                              • netblues @marcosm

                                @marcosm Since I'm the only one reporting the issue with openvpn,
                                I have uploaded the requested info.

                                However, testing further reveals that a dco enabled client connection doesn't work only if the vpn is established over a pppoe internet connection.

                                If the dco enabled openvpn connection uses dhcp wan, then openvpn works fine.

                                So, openvpn client without dco works over pppoe connection from a non virtual pc, while at the same time, the same pc can only ping anything on the Internet but fails on anything else.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.