Netgate Discussion Forum

    pfSense VM on Proxmox: PPPoE only works when parent NIC is PCI passthrough — virtual NIC breaks LAN→WAN traffic

    Plus 25.11 Snapshots
    • w0w

      I’m running pfSense as a VM on Proxmox. WAN is PPPoE.

      If the PPPoE parent interface is a PCI passthrough NIC, everything works.
      If I switch the parent to any virtual NIC (VirtIO/e1000) on a Proxmox bridge, pfSense connects via PPPoE and gets an IP, but not all traffic passes. pfSense itself can ping using pppoe0, clients can ping DNS servers, but can't open pages on the internet.

      What I verified:

      PPPoE session establishes normally on the virtual NIC; Ookla speedtest on pfSense itself runs just fine.

      NAT rules are ok.
      Offloading disabled inside pfSense (Checksum/TSO/LRO)
      Separate bridges for WAN and LAN
      Proxmox firewall disabled
      Multiqueue on/off tested
      if_pppoe/mpd tested

      Key issue:
      Works with PCI passthrough and does not work with a virtual NIC.

      Looking for ideas: VirtIO/iflib bug? Proxmox bridge issue? Offload problem on the host?
      Can anyone replicate the issue on the latest version?

      • w0w

        I've used the same Proxmox VM template for IPFire and everything works as expected.
        I also tried installing 2.8 from scratch, and it works just fine.
        Only the latest beta plus fails to pass traffic to clients.

        • w0w

          Also, changing VirtIO to RTL8139 or E1000 passes traffic to the clients behind the NAT.
          So to replicate, create a VM that uses VirtIO cards/bridges and do a simple WAN-PPPoE/LAN config on the latest pfSense beta, try speedtest on pfSense itself by installing speedtest-go, and then try to reach the internet on any LAN client.
          Should I report this one on the Redmine?

          • w0w

            @stephenw10, what do you think?
            I understand this cannot be a show stopper since nobody else has mentioned this issue so far, but...

            • netblues @w0w

              @w0w

              Yes he has.
              I'm facing exactly the same under kvm

              kvm issue

              • w0w @netblues

                Quick assisted search...

                1. September 2025 — checksum offload rework
                  Commit 1c23d8f9f398 updates vtnet checksum-offload flag handling for TX/RX and adds new RX checksum statistics.

                2. Late August–September — rxcsum fixes
                  Patch series around commit 03da4395… (Bug 263229) fixes vtnet RX checksum validation issues.

                3. October 2025 — hardware TCP LRO disabled by default
                  Commits 3d548504c705 (stable/14) and e1a7840dd941 (stable/15):
                  hardware TCP LRO is now disabled by default for vtnet.

                4. Active bug reports related to vtnet + checksum offload
                  Bug 277718
                  Bug 259249
                  Bug 276760
                  Bug 235607

                Should be something related to the new checksum implementation?

                • netblues @w0w

                  @w0w This goes too deep.

                  If you add another VM on Proxmox and use the bridged LAN as a gateway, it will also work.

                  Apart from PPP, the issue also occurs on OpenVPN client related traffic, but only when using DCO offload.

                  So it's not only PPPoE related.

                  • w0w @netblues

                    @netblues
                    Did you file this issue on Redmine already?

                    • netblues @w0w

                      @w0w No, I haven't.

                      Steven said he would try to replicate the issue locally.

                      Perhaps a Redmine is now appropriate.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.