Connectivity Issues with MTU/MSS over 6RD

IPv6
Log in to reply
  • S

    Hi

    I sucessfully confurgured my pfSense so that I have IPv6 connectivity trought my ISP.

    Settings on WAN:
    IPv4: DCHP
    IPv6: 6rd Tunnel

    6rd Prefix, 6RD Border relay and 6RD IPv4 Prefix length is filled out with the values for my ISP. Working correclty. WAN Interface get his IPv6 address.

    Settings on LAN:
    IPv4: static
    IPv6: Track Interface (WAN, Prefix ID 0)

    On DHCPv6/RA I've only set the "Router Mode" to "assisted".

    Some ICMPv6 roules inbound to wan address and to LAN network.
    ICMPv6 outbound rule.
    Rule for Traffic (ipv4 and ipv6) with ports 80, 443… and so on.

    Now the problem is, I can connect to ipv6 ips with Ping, ssh or http but some sites/hosts I can't connect to.

    What I found out... If i set the MSS value on WAN interface to 1232, then I can connect to all hosts i tested. I don't like to set this because it also applies to all IPv4 connectivites.

    So connected with ssh to my pfsense and noticed that I have now a new interface named "wan_stf" with the IPv6 address assigned to with a MTU 1280.

    wan_stf: flags=4041 <up,running,link2>metric 0 mtu 1280
        inet6 2a02:xxxx:xxxx:xxxx:: prefixlen 28
        nd6 options=1 <performnud>v4net 92.xx.xx.xx/32 -> tv4br 193.5.xx.x</performnud></up,running,link2>

    WAN interface:

    em0: flags=8a43 <up,broadcast,running,allmulti,simplex,multicast>metric 0 mtu 1500
        options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:xx:xx:xx
        hwaddr 00:0c:29:xx:xx:xx
        inet6 fe80::20c:29ff:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
        inet 92.xx.xx.xx netmask 0xfffffc00 broadcast 92.xx.xx.xx
        nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,allmulti,simplex,multicast>

    Why it does only work if I set the MSS to 1232 on WAN interface?
    Do I have to configure some other stuff to get it work without special MSS settings on interface?

    If you need more infos about my config .. or some logs let me know. :)

    Thank you.

    0
  • D

    How do you change the MSS on an interface? Did you mean MTU?

    I'd suggest trying again with all ICMP for IPv6 allowed to/from LAN & WAN in the firewall.

    If you have a Linux machine, try the tracepath6 command to a hostname that's giving you trouble. Usually it will tell you where the MTU on the link changes. Ideally run the command from the otherside to you as well for even more information on the PMTU.

    And maybe increase the MTU of wan_stf to 1480 (but only if you're not using PPPoE). FreeBSD also seems to have MTUs per route.
    For example, these commands can help you see what routes there are along with the diagnostics->routes page:
    netstat -r -n
    route -6 get default

    BTW the 1232 I think comes from the (1280B MTU - 20B IPv4 6rd header - 28B tcp header)?

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2021 Rubicon Communications, LLC | Privacy Policy