RFC 4638 client support (PPPoE MTU > 1492) - testing

pf3000

Tested this patch with apu1d (http://www.pcengines.ch/apu1d4.htm) running nanobsd 2.2.4, and seems to working. This time I set MTU 1500 in the WAN interface setting.

Before

[2.2.4-RELEASE][root@pfSense.localdomain]/root: ifconfig re0;ifconfig pppoe0
re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,linkstate>ether 00:0d:b9:33:78:70
        inet6 fe80::20d:b9ff:fe33:7870%re0 prefixlen 64 scopeid 0x1
        nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492
        inet 208.64.38.204 --> 213.133.104.38 netmask 0xffffffff
        inet6 fe80::20d:b9ff:fe33:7870%pppoe0 prefixlen 64 scopeid 0xa
        nd6 options=21<performnud,auto_linklocal></performnud,auto_linklocal></up,pointopoint,running,noarp,simplex,multicast></full-duplex,master></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

After

[2.2.4-RELEASE][root@pfSense.localdomain]/root: ifconfig re0 ; ifconfig pppoe0
re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1508
        options=82098 <vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether 00:0d:b9:33:78:70
        inet6 fe80::20d:b9ff:fe33:7870%re0 prefixlen 64 scopeid 0x1
        nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1500
        inet 208.64.38.116 --> 213.133.104.38 netmask 0xffffffff
        inet6 fe80::20d:b9ff:fe33:7870%pppoe0 prefixlen 64 scopeid 0xa
        nd6 options=21<performnud,auto_linklocal></performnud,auto_linklocal></up,pointopoint,running,noarp,simplex,multicast></full-duplex></performnud,accept_rtadv,auto_linklocal></vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

After ping

[2.2.4-RELEASE][root@pfSense.localdomain]/root: ping -D -s 1472 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 1472 data bytes
1480 bytes from 8.8.4.4: icmp_seq=0 ttl=51 time=134.734 ms
1480 bytes from 8.8.4.4: icmp_seq=1 ttl=51 time=133.631 ms
1480 bytes from 8.8.4.4: icmp_seq=2 ttl=51 time=133.864 ms
1480 bytes from 8.8.4.4: icmp_seq=3 ttl=51 time=133.571 ms
1480 bytes from 8.8.4.4: icmp_seq=4 ttl=51 time=134.276 ms
^C
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 133.571/134.015/134.734/0.436 ms

David_W

@pf3000:

Tested this patch with apu1d (http://www.pcengines.ch/apu1d4.htm) running nanobsd 2.2.4, and seems to working.

That's good to know. My confidence in the patch is growing. So far, only gregb has failed to get this to work, and that is almost certainly down to his environment (a PPPoE <-> PPPoA bridge rather than end to end PPPoE with explicit RFC 4638 support from the ISP) rather than the patch.

It's notable how many offload features of the apu1d's re0 interface are unavailable in jumbo mode. You lose hardware checksumming and IPv4 TSO. This contrasts with the vmx interface in your other box and the igb interface in my box, both of which lose no offload features in jumbo mode.

David_W

I've just submitted pull requests against pfSense 2.3:

mpd5 changes: https://github.com/pfsense/FreeBSD-ports/pull/1
pfSense support: https://github.com/pfsense/pfsense/pull/1959

I have posted pointers to those pull requests on Redmine #4542. Hopefully RFC 4638 client support will appear in a future pfSense 2.3 build.

I have also submitted the mpd5 changes as FreeBSD PR 203695.

David_W

I've posted a 2.2.5-RELEASE version of the patch in a new thread (still amd64 full installs only).

M_Devil

Hi David,

I am looking forward to use the PPPoE MTU > 1492. Using a fiber PPPoE connection and can see the mtu=1492 on the WAN connection.

Using 2.3 snapshot for a few days now and wondering if/when your changes for using MTU > 1492 will hit the 2.3 snapshots.

David_W

All the necessary binary support is in the latest pfSense 2.3 snapshots, but the changes to pfSense itself have not been merged. There is a pull request open at https://github.com/pfsense/pfsense/pull/1959 , which I hope the pfSense team will merge to pfSense 2.3 in due course.

I've not been following pfSense 2.3 that closely in the past few weeks, but if the System Patches package is working, you should be able to install the patch using GitHub's diff feature. In System patches use URL https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/1959.diff with Path Strip Count 2 (not 1 as I earlier said in error) and Base Directory / . This is completely untested, but you're welcome to give it a go.

M_Devil

I use 2.3 in production environment (home) and I hasitate to go for your sugested solution.
Maybe I create an VM in my lab to test it and if succesfull, I give it a try.

Even better when pfSense team will merge your pull request into the project.

M_Devil

Tested on 2.3 built on Wed Dec 23 05:35:02 CST 2015 with System patches package

Fetch = ok, testing patch failed.

Patch can NOT be applied cleanly (detail)

/usr/bin/patch –directory=/ -t -p1 -i /var/patches/567e75dbd3c0c.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:

|diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
|index f7e60a6..8adadc0 100644
|--- a/src/etc/inc/interfaces.inc

+++ b/src/etc/inc/interfaces.inc
No file to patch.  Skipping...
Hunk #1 ignored at 1851.
Hunk #2 ignored at 1932.
Hunk #3 ignored at 3061.
Hunk #4 ignored at 3081.
Hunk #5 ignored at 3262.
Hunk #6 ignored at 3332.
Hunk #7 ignored at 4644.
7 out of 7 hunks ignored while patching src/etc/inc/interfaces.inc
done

Patch can NOT be reverted cleanly (detail)

/usr/bin/patch –directory=/ -f -p1 -i /var/patches/567e75dbd3c0c.patch --check --reverse --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:

|diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
|index f7e60a6..8adadc0 100644
|--- a/src/etc/inc/interfaces.inc

+++ b/src/etc/inc/interfaces.inc
No file to patch.  Skipping...
Hunk #1 ignored at 1851.
Hunk #2 ignored at 1924.
Hunk #3 ignored at 3047.
Hunk #4 ignored at 3063.
Hunk #5 ignored at 3195.
Hunk #6 ignored at 3228.
Hunk #7 ignored at 4540.
7 out of 7 hunks ignored while patching src/etc/inc/interfaces.inc
done

David_W

@M_Devil:

Tested on 2.3 built on Wed Dec 23 05:35:02 CST 2015 with System patches package

Fetch = ok, testing patch failed.

Patch can NOT be applied cleanly (detail)

/usr/bin/patch –directory=/ -t -p1 -i /var/patches/567e75dbd3c0c.patch --check --forward --ignore-whitespace

My mistake - path strip count needs to be 2 for 2.3. I've edited my earlier post accordingly.

M_Devil

No problem, i really appreciate your efforts.

My goal is to patch your RFC 4638 and PPP IPv6 fix.

Still not succesfull.

First patch PPP IPv6 with this test result

/usr/bin/patch –directory=/ -t -p1 -i /var/patches/567e80217400c.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:

|diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
|index b425434..caefa85 100644
|--- a/etc/inc/interfaces.inc

+++ b/etc/inc/interfaces.inc
Patching file etc/inc/interfaces.inc using Plan A...
Hunk #1 succeeded at 1984 with fuzz 1 (offset 166 lines).
Hunk #2 succeeded at 1853 (offset 2 lines).
Hunk #3 succeeded at 3265 (offset 226 lines).
done

The RFC 4638 path test gives this:

/usr/bin/patch –directory=/ -t -p2 -i /var/patches/567e809abd883.patch --check --forward --ignore-whitespace

Hmm...  Looks like a unified diff to me...
The text leading up to this was:

|diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
|index f7e60a6..8adadc0 100644
|--- a/src/etc/inc/interfaces.inc

+++ b/src/etc/inc/interfaces.inc
Patching file etc/inc/interfaces.inc using Plan A...
Hunk #1 succeeded at 1855 (offset 4 lines).
Hunk #2 succeeded at 1936 (offset 4 lines).
Hunk #3 succeeded at 3039 (offset -22 lines).
Hunk #4 succeeded at 3085 (offset 4 lines).
Hunk #5 succeeded at 3240 (offset -22 lines).
Hunk #6 succeeded at 3336 (offset 4 lines).
Hunk #7 succeeded at 4622 (offset -22 lines).
done

For the latter I used the Path Stripcount = 2

M_Devil

Sorry, i was incomplete.

Apply patch (both) is succesfull, put putting MTU=1500 on WAN PPPoE interface and reboot still gives MTU=1492 in status->interfaces

M_Devil

Checking ifconfig:

em2 (=NIC with 2 vlan's), MTU = 1508
pppoe1 on em2 (=WAN vlan), MTU = 1492

From log:
mpd_wan.conf:32: Unknown command: 'set pppoe max-payload 1500'. Try "help".

David_W

@M_Devil:

Checking ifconfig:

em2 (=NIC with 2 vlan's), MTU = 1508
pppoe1 on em2 (=WAN vlan), MTU = 1492

From log:
mpd_wan.conf:32: Unknown command: 'set pppoe max-payload 1500'. Try "help".

The RFC 4638 patch is behaving as I expect: configuring the MTU of the parent interface of the PPPoE interface to 8 more than the configured PPPoE MTU (to allow for the 8 byte PPPoE overhead) and setting 'set pppoe max-payload' in the mpd configuration.

The problem is that your mpd5 binary doesn't contain RFC 4638 support. The changes were merged back on 12 October and should have started to appear in snapshots shortly afterwards.

I checked that the necessary binary and kernel support exists in the latest builds of 2.3 by installing pfSense-LiveCD-2.3-ALPHA-amd64-20151228-0402.iso.gz (the latest at the time I tried this) and updating via the GUI. RFC 4638 worked correctly on those binaries.

What does pkg info -o net/mpd5 show (use a shell command prompt)? If the version is mpd5-5.7_4 or above, I'd expect the patch to be present. It definitely is not present in mpd5-5.7_3.

If you only have mpd5-5.7_3, when did you last update your binaries? gitsync only updates the script components, not the binaries. If your binaries are old enough not to include mpd5-5.7_4, then you may well find that an update leaves you with an installation that doesn't work correctly. Your best option in this scenario is probably to back up your config.xml, reinstall pfSense 2.3 from a recent snapshot and restore your config.xml.

M_Devil

Command:  pkg info -o net/mpd5 shows:

mpd5-5.7_4                    net/mpd5

So it should be present?

My last update is by GUI (so also updated binary?) and built on Wed Dec 23 05:35:02 CST 2015

I will update (by GUI) to latest snapshot now, will report back in a few minutes.

M_Devil

So, strange thing is:

After update without apply the patch, the log gives:
mpd_wan.conf:29: Error in 'set link mtu 1500': max MTU on type "pppoe" links is 1492

But after apply of the patch, the log gives:
mpd_wan.conf:32: Unknown command: 'set pppoe max-payload 1500'. Try "help".

What am I doing wrong?

One more test: I will skip your patch PPP IPv6, and only test the RFC 4638 patch. Will report back in a few minutes

Edit: No, same error about unknown command

Edit: I am on remote location now, so I cannot reinstall 2.3 on the moment and restore config.xml. Will try it when I am on location again

David_W

set pppoe max payload is the correct syntax for PPPoE MTU > 1492. The pfSense patch was working correctly before you uninstalled it - the problem was that mpd5 and/or the kernel on your system did not have working RFC 4638 support. You need the pfSense patch to ensure the parent interface MTU is set correctly and to ensure the correct mpd5 configuration syntax is used.

mpd5-5.7_4 is built using the RFC 4638 patch, but the resulting mpd5 binary will only support RFC 4638 if it was built on a machine with the RFC 4638 kernel patch installed. Unknown command: 'set pppoe max-payload 1500'. Try "help". implies that your mpd5-5.7_4 was built on a machine without the kernel patch.

If you don't want to try a total reinstall, try:
pkg upgrade -f net/mpd5

and answer y when asked. This should reinstall mpd5 from the pfSense-core repository (at the time of writing, this is identical to the version I tested and confirmed to be working earlier today assuming that you are using amd64).

If that doesn't give you working RFC 4638 support, try an Upgrade from the pfSense GUI, which should install the latest kernel - though back up your config.xml first. As I said earlier, an upgrade on a system that is too old might leave you with an unusable mess that you have to reinstall.

M_Devil

pkg upgrade -f net/mpd5 did the trick.  :D

Indeed the pkg upgrade ask for reinstall and then it worked!

Thank you for your support!

Will report back if this is stable.

David_W

It's good to know that a forced reinstall of mpd5 was sufficient to resolve your issue, as that might help others. If anyone else has a similar problem, I suggest pkg upgrade -fy net/mpd5 (the additional y means there's no confirmation required, so the command will work from the 'Execute shell command' part of Diagnostics -> Command Prompt).

The PPP log should indicate whether you successfully negotiated an MTU of 1500. To test whether MTU 1500 is working, try ping -D -s 1472 -c 10 8.8.4.4

If things are working correctly, you'll successfully send 10 1500 byte packets (1472 byte payload, 8 byte ICMP overhead and 20 byte IPv4 overhead) to Google DNS, and Google DNS will send 10 back. You can experiment with another destination instead of 8.8.4.4.

If things are not working correctly, you'll get packet loss and/or complaints about 'frag needed and DF set'.

The IPv6 test, if you have native IPv6 support, is ping6 -D -s 1452 -c 10 www.google.com

In this case, you send 1500 byte packets (1452 byte payload, 8 bytes ICMPv6 overhead and 40 byte IPv6 overhead) and the remote end sends 72 bytes back - that's the way that ICMPv6 echo request and reply works.

M_Devil

Edit: Seems IPv4 is using my VPN connection. Dont know how to initiate ping from 'normal' WAN connection. Trying to sort it out

Not sure, IPv4 gives error about wrong total length, IPv6 look ok.

IPv4 ping test

ping -D -s 1472 -c 10 8.8.4.4

PING 8.8.4.4 (8.8.4.4): 1472 data bytes
72 bytes from 8.8.4.4: icmp_seq=0 ttl=50 time=9.585 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=1 ttl=50 time=14.571 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=2 ttl=50 time=11.723 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=3 ttl=50 time=11.371 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=4 ttl=50 time=12.727 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=5 ttl=50 time=10.302 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=6 ttl=50 time=10.242 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=7 ttl=50 time=9.858 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=8 ttl=50 time=13.165 ms
wrong total length 92 instead of 1500
72 bytes from 8.8.4.4: icmp_seq=9 ttl=50 time=11.564 ms
wrong total length 92 instead of 1500

–- 8.8.4.4 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.585/11.511/14.571/1.522 ms

IPv6 ping test

ping6 -D -s 1452 -c 10 www.google.com
PING6(1500=40+8+1452 bytes) 2001:984:XXX:X:XXXX:XXXX:XXXX:XXXX–> 2a00:1450:4013:c01::6a
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=0 hlim=56 time=7.557 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=1 hlim=56 time=7.748 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=2 hlim=56 time=7.806 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=3 hlim=56 time=7.651 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=4 hlim=56 time=7.720 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=5 hlim=56 time=7.801 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=6 hlim=56 time=7.736 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=7 hlim=56 time=7.717 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=8 hlim=56 time=7.772 ms
72 bytes from 2a00:1450:4013:c01::6a, icmp_seq=9 hlim=56 time=7.590 ms

--- www.google.com ping6 statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 7.557/7.710/7.806/0.081 ms

Online MTU check on http://www.letmecheck.it/mtu-test.php gives good IPv4 en IPv6 MTU (1500)

David_W

@M_Devil:

Not sure, IPv4 gives error about wrong total length, IPv6 look ok.

All wrong total length 92 instead of 1500 means is that the Google server handling traffic to 8.8.4.4 in  your location is configured to respond with shorter packets than 1500 bytes. Try some different destinations by IP address or DNS name. Hopefully you'll find something that responds with 1500 bytes.

The server you are reading this on:

• responds to ping -D -s 1472 -c 10 forum.pfsense.org with 1480 bytes (1500 bytes when you add in the 20 byte IPv4 header)

• responds to ping6 -D -s 1452 -c 10 forum.pfsense.org with 1460 bytes (1500 bytes when you add in the 40 byte IPv6 header)

Everything else you posted is as expected.