Not able to connect to some website
-
@jeff_wuyo said in Not able to connect to some website:
I setup 3 DHCP server on LAN
huh? But you bridged them?
my ISP gives me /64 prefix
Yeah you got some weirdness setup there for sure.
If your wanting to use IPv6 behind pfsense, but your ISP does not do delegation of a prefix to use behind a router. Prob better to just get a IPv6 tunnel from hurricane electric. Here you can get a /48 to use how you wish. On your different segments behind pfsense.
I am not exactly clear what your doing with your bridging - but can tell you for sure if what you want is switch, then get a switch vs doing anything with a bridge.
-
@jeff_wuyo WAN interface MTU + MSS entered correctly?
e.g.
-
@nonick said in Not able to connect to some website:
@jeff_wuyo WAN interface MTU + MSS entered correctly?
I think you shouldn't reduce the value of MSS, it is done by pfSense, see the explanation under it.
-
@bob-dig said in Not able to connect to some website:
I think you shouldn't reduce the value of MSS, it is done by pfSense, see the explanation under it.
Unfortunately not, it's a bug in pfSense.
-
@nonick said in Not able to connect to some website:
Unfortunately not, it's a bug in pfSense.
And where is the redmine to that? I sure do not need to edit my mtu or mss values? Are you on some sort of say PPPoE connection or something where standard mtu does not work?
Unless your on some isp connection that requires something lower, there should be no need to edit those.
-
@nonick said in Not able to connect to some website:
Unfortunately not, it's a bug in pfSense.
Maybe it is fixed? That's why I think it is.
-
@johnpoz said in Not able to connect to some website:
but can tell you for sure if what you want is switch
Yes, what I want is indeed switch. I also want to have different subnet, or rather different network to manage other device. Perhaps I should get a managed switch.
huh? But you bridged them?
Yeah, it's the way I figure out how to make all port have IPv6 connectivity. The way I do it is against my knowledge about how router and switch work, it just looks wrong. The machine which pfSense runs on has 4 ports, thus I want to make it works as router/switch. But if I bridged them and assign bridge0, only IPv4 worked, no IPv6 connectivity. Assigning bridge to me is more correct way to do it, but I'll lose IPv6.
@nonick said in Not able to connect to some website:
WAN interface MTU + MSS entered correctly?
No. I leave it blank, which would be default. I'm not fully understand MTU and MSS, thus I ignore it for now.
-
@jeff_wuyo said in Not able to connect to some website:
Perhaps I should get a managed switch.
Doesn't have to be a full managed switch, you can get a 8 port gig smart switch (does vlans) and some other limited features of a fully managed switch. For very reasonable price, there are many on the market in the $40 price range.
But yes if your goal is to segment your network - a vlan capable switch is going to be be helpful ;) Next would be a access point that can also do vlans. If you want your wireless clients to be on different networks as well.
While a bridge does have use cases, trying to turn interfaces into switch ports is not really a good use for a bridge. You can fry up a hamburger patty and "call" it steak - but its not a very "good" steak ;)
-
@johnpoz said in Not able to connect to some website:
trying to turn interfaces into switch ports is not really a good use for a bridge
That's true. I'm asking pfSense for too much lol.
The topic is altered.
Is the bridge-thingy I did causing my TLS connection to change? Hard to tell I think. I might reset pfSense and test again eventually. For now, I think I can still tinkering around. -
@jeff_wuyo said in Not able to connect to some website:
I'm asking pfSense for too much lol
Not so much that - but bridging is not switching. While it may mimic a switch in some aspects. Its not really switching..
There are some valid use cases where sure bridging is the solution - but wanting switch ports is not one of them ;)
-
@bob-dig
I set my MTU 6000 on both WAN and LAN. The reason I chose big MTU is I always see some lost fragment package, and according to how IPv6 handle package exceed MTU, I assume that the package is large. I could be totally wrong, if so, please do correct me.
Beside the adjustment above, I didn't bridge any interface together this time.
For the sake of convenience, I just prepare the data I sniffed. Please use wireshark for more detail.- File1
I was able to connect to archlinux, the handshake was successful, but not able load the site properly.
In this case, IPv6 for archlinux.org is [2a01:4f9:c010:6b1f::1] - File2 is too large to upload, I put it at google drive.
In this example, I connect to multiple site, youtube.com [2404:6800:4012:2::200e], archlinux.org [2a01:4f9:c010:6b1f::1], and ipv6-test.com [multiple IPv6]. Only archlinux.org could not establish connection. Occasionally seeing pfSense complain to MyPC that the package is too large.
It seems like I always losing package from archlinux.org, as least that's what I saw on wireshark. Maybe wireshark is interpret the information wrong. Due to the lack of knowledge, I can't tell anymore form the data. I hope someone can point out a thing or two.
- File1
-
@jeff_wuyo The maximum MTU for WAN-Interface is 1500 bytes (Ethernet maximum MTU size). With PPPoE connections, the PPPoE header increases the frame size by 8 bytes, so must lower the MTU to 1492.
You can test it with it, if it still doesn't work then set the MSS value additionally to 1452 or 1432. -
Nope, didn't work. I set MTU to 1492 on WAN, MyPC just falls back to IPv4. Pure IPv6 site e.g. v6.facebook.com just can't connect. I can't ping using IPv6. Setting MSS to 1452 or 1432 doesn't help either.
Here's some test I run.
@nonick said in Not able to connect to some website:
The maximum MTU for WAN-Interface is 1500 bytes
If that's so, why am I seeing package length way over 1500 when I setup my network as Modem/Router? Is wireshark just showing sum of multiple packages? (I should mention the Modem/Router is provided by my ISP, it's using PPPoE as well.) Here is an example.
-
@jeff_wuyo said in Not able to connect to some website:
I set my MTU 6000 on both WAN and LAN.
Well no wonder your having issues.. That is just borked..
-
@jeff_wuyo said in Not able to connect to some website:
I set my MTU 6000 on both WAN and LAN.
While you can do what you want on your own LAN, you should go with what your ISP requires on the WAN side.
-
@nonick said in Not able to connect to some website:
(Ethernet maximum MTU size)
Not any more. That ended with frame expansion in the late '90s and these days jumbo frames of several KB are possible.
-
@jknott said in Not able to connect to some website:
jumbo frames of several KB are possible.
While this is true - I highly doubt all his devices on his lan are using jumbo of 6000.. Devices like printer and for sure any iot normally have zero support for jumbo.
And typical nics/drivers support only a couple of sizes..
What I will say is pulling some arbitrary number like 6000 out of the air and setting your mtu to that is going to cause you grief that is for sure..
-
@jknott said in Not able to connect to some website:
Not any more. That ended with frame expansion in the late '90s and these days jumbo frames of several KB are possible.
That's right, I wrote on the WAN interface.
The maximum MTU for WAN-Interface is 1500 bytes
-
If one sets a DHCP server to provide whatever MTU size, wouldn't the device accept that value? I know there will be issues with WiFi. BTW, I've been around long enough to remember when 576 was a common MTU size.
-
@jknott said in Not able to connect to some website:
provide whatever MTU size, wouldn't the device accept that value?
No there is nothing saying they would even look or accept such values. Look at windows and search domain as perfect example. So option 119 of dhcp allows for assigning search domains, but not until windows 10 in a later build did windows accept such an option.
Just because dhcp server offers the ability to hand out some option, doesn't mean clients would request or even accept an option. And stuff like iot devices normally have base min to "work" in their network stack anyway..
Using non standard frame sizes is something that can really mess up a network if not all the devices are setup and validated to use and understand these non standard frame sizes. Just because say the switch will pass them, doesn't mean the device is smart enough to leverage or use them..
And sure and the hell wouldn't use 6000?
Can pretty much promise you issues he is seeing is related to such settings.. If anything PPPoE connection most likely would want something lower than the standard 1500 because of the overhead..
I would suggest he moves his lan back to 1500, and then get with his ISP for the proper setup for his wan connection.. A common pppoe mss clamp size is like 1452.. But for optimal working with his ISP he should contact them for proper setup.