<![CDATA[Some sites don't load, using PPPoE]]>Hello everyone
I'm very new to pfsense (or any BSD), but I'm trying to set it up to be a firewall to a small network.

I got most of it working, but some sites won't load. I've had a similar problem in another platform years ago, and I remember the MTU was wrong, but I've double checked that and it seems correct.

My setup:

  • pfsense 2.0.2-RELEASE

  • ALIX board - alix2d13

  • DSL line attached to a modem in bridge mode

  • Using PPPoE on pfsense, MTU of 1500 on vr0 (wan port), 1492 on pppoe1

What works:

  • SSH to outside world

  • I can "dig" everything

  • most sites (google.com, pcengines.ch, twitter.com)

What doesn't:

  • some sites (yahoo.com, microsoft.com, flattr.com). The browser keeps loading on a blank page for a long time

What I've already done:

  • Disable hardware checksum offload

  • restart interfaces, pppoe, pfsense, modem…

  • After setting MTU to 1500, ping works with packets up to 1464 bytes, so the MTU should be 1492. After setting MTU to 1492, situation persists

  • Packet analysis with Wireshark. On working sites, I get a small HTTP response. On sites that don't work, there's TCP fragments of 1506 bytes, but wireshark doesn't identify any packet as being HTTP

    Here's my ifconfig (vr1 is LAN):

    vr0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 0]
	inet6 fe80::20d:b9ff:fe2a:b5f0%vr0 prefixlen 64 scopeid 0x1 
	nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=82808 <vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 1]
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::20d:b9ff:fe2a:b5f1%vr1 prefixlen 64 scopeid 0x2 
	nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=82808 <vlan_mtu,wol_ucast,wol_magic,linkstate>ether [CENSORED MAC 2]
	inet6 fe80::20d:b9ff:fe2a:b5f2%vr2 prefixlen 64 scopeid 0x3 
	nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (none)
	status: no carrier
ath0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 2290
	ether [CENSORED MAC 3]
	media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
	status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
	options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	nd6 options=43 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 <promisc>metric 0 mtu 33200
pppoe1: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492
	inet6 fe80::20d:b9ff:fe2a:b5f0%pppoe1 prefixlen 64 scopeid 0x9 
	inet 85.246.162.252 --> 194.65.169.248 netmask 0xffffffff 
	nd6 options=43 <performnud,accept_rtadv></performnud,accept_rtadv></up,pointopoint,running,noarp,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></broadcast,simplex,multicast></performnud,accept_rtadv></vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

    I'm a bit lost as to what I can do to debug this  :-\ any help is welcome

]]>https://forum.netgate.com/topic/52274/some-sites-don-t-load-using-pppoeRSS for NodeTue, 14 Apr 2026 12:52:10 GMTThu, 24 Jan 2013 03:47:13 GMT60<![CDATA[Reply to Some sites don't load, using PPPoE on Fri, 25 Jan 2013 20:13:09 GMT]]>@cmb:

Almost certainly because you need a lower value for MSS clamping.

Yes! Setting Interfaces->WAN->MSS to 1492 (or lower) solves this.
Now I can finally move on to more important configuration… Thank you so much!  ;D

]]>https://forum.netgate.com/post/374856https://forum.netgate.com/post/374856Fri, 25 Jan 2013 20:13:09 GMT<![CDATA[Reply to Some sites don't load, using PPPoE on Fri, 25 Jan 2013 04:36:47 GMT]]>Almost certainly because you need a lower value for MSS clamping.

]]>https://forum.netgate.com/post/374668https://forum.netgate.com/post/374668Fri, 25 Jan 2013 04:36:47 GMT<![CDATA[Reply to Some sites don't load, using PPPoE on Thu, 24 Jan 2013 22:39:38 GMT]]>@slu:

DNS work?

Actually, PPPoE was returning 127.0.0.1 as the DNS server, but I went ahead and added them manually, and everything seems correct on the DNS level. As I mentioned, I can "dig" all hosts, including the sites that don't work

]]>https://forum.netgate.com/post/374640https://forum.netgate.com/post/374640Thu, 24 Jan 2013 22:39:38 GMT<![CDATA[Reply to Some sites don't load, using PPPoE on Thu, 24 Jan 2013 13:48:08 GMT]]>DNS work?

http://forum.pfsense.org/index.php/topic,57020.0.html

]]>https://forum.netgate.com/post/374534https://forum.netgate.com/post/374534Thu, 24 Jan 2013 13:48:08 GMT