IPv6 - WAN MTU and MSS



  • Hi,

    I have noticed somethign strange while setting up pfsense 2.3.4 with my Teksavvy DSL connection.  IPv4 works perfectly and in the WAN interface section I don't need to specify MTU but just MSS of 1492 (which the router subtracts 40 from to get 1452).

    Some IPv6 sites do not load properly with this value.  For some reason 1472 works for MSS but nothing higher.  For example, teksavvy.com and http://ipv6-test.com/ do not load.  I disabled the windows 10 firewall to allow ICMPv6 packets in and put an allow-all rule in my WAN for for all types of ICMPv6 but that didn;t change anything.

    For some reason the packet too large / fragment messages are not being sent and/or received properly.  Is there a know bug that I'm not aware of or is something else weird going on?  I would assume that my MSS should still be set to 1492 and then the router should subtract the requisite 40 bytes?

    Thanks!



  • Hi,

    How do you connect your IPv6 (and IPv4) on WAN ?
    I use a PPPOE IPv4 connection and he.net IPv6, so I have to adapt MTU also.



  • I connect via PPPoE.

    Also, I've fixed the problem but I think there is a bug.

    When I set my LAN, OPT1, and OPT2 interface MTU's to 1492 (while leaving MSS blank) the problem web pages load properly.

    I think in IPv4, pfsense knows how to fragment the packets properly between the various interfaces.  However, in IPv6 pfsense doesn't fragment properly between interfaces.



  • Unlike with IPv4, psSense should not be fragmenting any IPv6 packet.  That's a violation of the specs.  On IPv6 use of path MTU discovery is mandatory.  What happens if you set the MTU to something smaller?  The minimum IPv6 MTU of 1280 is a good place to start.



  • I understand that in IPv6 it is up to each endpoint to determine the best path MTU so that the packets don't get fragmented or dropped.

    My observations are that if I leave my LAN, OPT1, and OPT2 MTU and MSS blank (i.e. 1500) then in order to not have issues with some sites not loading properly I have to set the WAN MSS to 1472 or lower which makes no sense to me at this moment.



  • Please don't confuse MTU and MSS.  They're related, but different values.  If you're on ADSL, you'd normally set the MTU for 1492.  The default (1500) should not be used with ADSL.  I don't know why you're setting MSS, as you generally don't have to do that.  MTU is what you normally set.  So, set MTU to 1492 and everything should work, as you appear to have discovered before.



  • Here's a Wikipedia article about MSS:
    https://en.wikipedia.org/wiki/Maximum_segment_size

    Please note where it says:

    The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header (unlike, for example, the MTU for IP datagrams).[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment

    The MSS field is a 32 bit value, which means the MSS could be as much as 65K bytes.  This is entirely legal, but it would force fragmentation, when the packets are created.  On the other hand, if you don't specify the MSS, it will be determined automagically, when the two ends set up the TCP connection, based on the interface and path MTUs.

    So, bottom line, DON'T TOUCH THE MSS!!!