Description
Describe the issue you are experiencing
Attempting to use the certificate expiry device for the FQDN results in packets leaving HAOS with an on-wire MTU of 1528 bytes. When I use the 'Advanced SSH & Web Terminal' add-on (with protection disabled) I'm able to see the default MTU of 9000 bytes and can then change it there to 1500.
Thereafter the certificate expiry checks work.
PS: The 1528 byte size is as per a Wireshark dissected packet capture, which is the on-wire size. This includes the 14 byte Ethernet src/dst addresses. This is in essence 10 bytes larger than what it should be and IMHO a bug with HA OS 16.3 / Home Assistant Supervisor 2025.12.3.
PPS: It's common to see an on-wire frame size of 1514 bytes (packet has MTU of 1500 bytes) or 1518 bytes (should it have a VLAN tag), but the VM doesn't use VLANs.
Before (problematic):
```
➜ ~ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp6s18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP qlen 1000
    link/ether de:92:14:15:30:47 brd ff:ff:ff:ff:ff:ff
```
Afterwards (working):
```
➜ ~ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp6s18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether de:92:14:15:30:47 brd ff:ff:ff:ff:ff:ff
```
Command used to reduce MTU:
```
ip link set enp6s18 mtu 1500
```
Problem is that this isn't permanent.
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
Steps to reproduce the issue
- Create a certificate expiry device that attempts to connect to a FQDN and port to validate
- The natting is done on a router, which alters both the destination IP (redirecting it back to the Home Assistant instance) and changing the source IP (so that replies flow back to the firewall doing the destination IP NAT). This is referred to as a hair-pin NAT.
- Capture traffic and observe several retransmits, where packets have an on-wire size of 1528 bytes.
...
Anything in the Supervisor logs that might be useful for us?
Unfortunately not.
System information
System Information
| version | core-2025.12.3 |
|---|---|
| installation_type | Home Assistant OS |
| dev | false |
| hassio | true |
| docker | true |
| container_arch | amd64 |
| user | root |
| virtualenv | false |
| python_version | 3.13.9 |
| os_name | Linux |
| os_version | 6.12.51-haos |
| arch | x86_64 |
| timezone | Africa/Johannesburg |
| config_dir | /config |
Home Assistant Community Store
| GitHub API | ok |
|---|---|
| GitHub Content | ok |
| GitHub Web | ok |
| HACS Data | ok |
| GitHub API Calls Remaining | 5000 |
| Installed Version | 2.0.5 |
| Stage | running |
| Available Repositories | 2554 |
| Downloaded Repositories | 12 |
Home Assistant Cloud
| logged_in | false |
|---|---|
| can_reach_cert_server | ok |
| can_reach_cloud_auth | ok |
| can_reach_cloud | ok |
Home Assistant Supervisor
| host_os | Home Assistant OS 16.3 |
|---|---|
| update_channel | stable |
| supervisor_version | supervisor-2025.12.3 |
| agent_version | 1.7.2 |
| docker_version | 28.3.3 |
| disk_total | 30.8 GB |
| disk_used | 8.3 GB |
| nameservers | 8.8.4.4, 8.8.8.8 |
| healthy | true |
| supported | true |
| host_connectivity | true |
| supervisor_connectivity | true |
| ntp_synchronized | true |
| virtualization | kvm |
| board | ova |
| supervisor_api | ok |
| version_api | ok |
| installed_addons | File editor (5.8.0), Let's Encrypt (5.4.9), ESPHome Device Builder (2025.11.5), Music Assistant (2.6.3), YT Music PO Token Generator (1.2.2), Advanced SSH & Web Terminal (22.0.3), SolarSynkV3 (3.0.31) |
Dashboards
| dashboards | 6 |
|---|---|
| resources | 3 |
| views | 15 |
| mode | storage |
Network Configuration
| adapters | lo (disabled), enp6s18 (enabled, default, auto), hassio (disabled), docker0 (disabled), vethcd92e08 (disabled), veth57f22fb (disabled), veth0c3ab96 (disabled), veth1939c46 (disabled), veth6848319 (disabled), veth23d0f34 (disabled) |
|---|---|
| ipv4_addresses | lo (127.0.0.1/8), enp6s18 (10.239.240.100/23), hassio (172.30.32.1/23), docker0 (172.30.232.1/23), vethcd92e08 (), veth57f22fb (), veth0c3ab96 (), veth1939c46 (), veth6848319 (), veth23d0f34 () |
| ipv6_addresses | lo (::1/128), enp6s18 (fe80::11b:a5dc:8af:9d9e/64), hassio (fe80::e4f2:daff:fedc:79e9/64), docker0 (fe80::89f:34ff:febe:1753/64), vethcd92e08 (fe80::e868:73ff:fea7:88b2/64), veth57f22fb (fe80::742a:f7ff:fe86:58ac/64), veth0c3ab96 (fe80::fcad:19ff:fe68:2442/64), veth1939c46 (fe80::905b:b6ff:fe8d:bf94/64), veth6848319 (fe80::cc52:43ff:feca:51dd/64), veth23d0f34 (fe80::846d:23ff:feb8:77c5/64) |
| announce_addresses | 10.239.240.100, fe80::11b:a5dc:8af:9d9e |
Recorder
| oldest_recorder_run | November 30, 2025 at 2:54 AM |
|---|---|
| current_recorder_run | December 16, 2025 at 12:59 PM |
| estimated_db_size | 1726.52 MiB |
| database_engine | mysql |
| database_version | 11.8.3 |
Sonoff
| version | 3.9.3 (7c75c46) |
|---|---|
| cloud_online | 0 / 27 |
| local_online | 13 / 13 |
Supervisor diagnostics
Can't create the entity so I can't obtain debug logs. Attempting to create the device (certificate check) simply times out.
Additional information
No response
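An added example, not part of the original issue report: a small Python check that reads `ip link show` output and compares a captured frame length against the interface MTU and an assumed 1500-byte path MTU (the value the reporter set to get a working check). The function names and the `path_mtu` default are assumptions made for illustration; the sample text is the "before" output quoted in the report.

```python
import re

ETH_HEADER = 14  # Ethernet header bytes, as counted in the report
VLAN_TAG = 4     # 802.1Q tag, present only on tagged frames

# Constructed sample: the "before" output quoted in the issue.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp6s18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP qlen 1000
    link/ether de:92:14:15:30:47 brd ff:ff:ff:ff:ff:ff
"""

# Matches "N: name[@peer]: <FLAGS> ... mtu VALUE" header lines only.
LINK_RE = re.compile(
    r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>.*?\bmtu\s+(\d+)", re.M)

def parse_mtus(text):
    """Return {interface: mtu} for non-loopback links in `ip link show` output."""
    return {name: int(mtu) for name, flags, mtu in LINK_RE.findall(text)
            if "LOOPBACK" not in flags.split(",")}

def max_frame(mtu, vlan=False):
    """Largest captured frame length a link with this MTU can emit."""
    return mtu + ETH_HEADER + (VLAN_TAG if vlan else 0)

def classify(frame_len, iface_mtu, path_mtu=1500, vlan=False):
    """Compare a captured frame length with the interface and path limits."""
    if frame_len > max_frame(iface_mtu, vlan):
        return "exceeds-interface-mtu"
    if frame_len > max_frame(path_mtu, vlan):
        return "exceeds-path-mtu"  # allowed locally, too large for the assumed path
    return "ok"

def audit(text, frame_len, path_mtu=1500):
    """Classify one observed frame length against every parsed interface."""
    return {name: classify(frame_len, mtu, path_mtu)
            for name, mtu in parse_mtus(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE, 1528))                                   # MTU 9000
    print(audit(SAMPLE.replace("mtu 9000", "mtu 1500"), 1528))   # MTU 1500
```

With the interface at MTU 9000 the 1528-byte frame is within the local limit but above the 1514-byte limit of a 1500-byte path; with the interface at 1500 the same frame could not be emitted at all.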