Can't connect to VSCode Server via IPv6 from clients but from pfSense
-
Hi,
I noticed that I can't contact the VSCode server via IPv6 anymore. When trying the following command, I run into a timeout:

curl -6 -v https://update.code.visualstudio.com/
At first I thought this might be a problem with the server. But executing the very same command directly on pfSense works perfectly fine. I tried it on multiple machines on multiple VLANs. Typically I have a rule to allow internet access like this in place:
When I turn logging on for this rule, I can see that pfSense allows the connection. I'm completely lost and don't really know how to debug this behaviour.
How can I configure pfSense so that the connection works? Side fact: the problem seems to only exist with the VSCode server. The curl command works e.g. with google.com. But still: why is VSCode working directly on pfSense?!?
Thank you everyone
Chris -
@b_chris said in Can't connect to VSCode Server via IPv6 from clients but from pfSense:
I noticed that I can't contact the VSCode server via IPv6 anymore
What is returned on a client if you try to resolve it? For me it resolves to CNAMEs. And do you use pfBlocker or, more generally, what DNS server are you using? Maybe they block this query?

$ host update.code.visualstudio.com
update.code.visualstudio.com is an alias for vscode-update-g6gcb6ggdthkctd9.z01.azurefd.net.
vscode-update-g6gcb6ggdthkctd9.z01.azurefd.net is an alias for star-azurefd-prod.trafficmanager.net.
star-azurefd-prod.trafficmanager.net is an alias for shed.dual-low.s-part-0032.t-0009.t-msedge.net.
shed.dual-low.s-part-0032.t-0009.t-msedge.net is an alias for azurefd-t-fb-prod.trafficmanager.net.
azurefd-t-fb-prod.trafficmanager.net is an alias for dual.s-part-0044.t-0009.fb-t-msedge.net.
dual.s-part-0044.t-0009.fb-t-msedge.net is an alias for s-part-0044.t-0009.fb-t-msedge.net.
s-part-0044.t-0009.fb-t-msedge.net has address 13.107.253.72
s-part-0044.t-0009.fb-t-msedge.net has IPv6 address 2620:1ec:29:1::72
-
@patient0
Resolving seems to work:

# curl -6 -v https://update.code.visualstudio.com/
* Host update.code.visualstudio.com:443 was resolved.
* IPv6: 2620:1ec:bdf::60
* IPv4: (none)
*   Trying [2620:1ec:bdf::60]:443...
* Connected to update.code.visualstudio.com (2620:1ec:bdf::60) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (OUT), TLS handshake, Client hello (1):

Also with the host command:

# host update.code.visualstudio.com
update.code.visualstudio.com is an alias for vscode-update-g6gcb6ggdthkctd9.z01.azurefd.net.
vscode-update-g6gcb6ggdthkctd9.z01.azurefd.net is an alias for star-azurefd-prod.trafficmanager.net.
star-azurefd-prod.trafficmanager.net is an alias for shed.dual-low.s-part-0017.t-0009.t-msedge.net.
shed.dual-low.s-part-0017.t-0009.t-msedge.net is an alias for s-part-0017.t-0009.t-msedge.net.
s-part-0017.t-0009.t-msedge.net has address 13.107.246.45
s-part-0017.t-0009.t-msedge.net has IPv6 address 2620:1ec:bdf::45
-
Silly question, but I have to ask it:
Is IPv6 set up for the LAN (or VLAN, same thing)?
Does that LAN have its own reserved /64 prefix? Do you use the DHCPv6 server on that LAN, or do you use SLAAC (never used that myself)?
Does the device on the LAN get an IPv4 (of course) and an IPv6?
If it's a Windows PC, type ipconfig /all
and check if it has its own IPv6 (which must be part of the LAN's /64 prefix).
Etc. If you suspect your firewall (pfSense), put a master IPv6 PASS rule at the top of the firewall rules on the LAN interface, and from then on you can rule out the firewall.
-
@Gertjan
Sure, the hosts have an IPv6 address ;) I'm using DHCPv6, which works fine. Also pinging the VSCode host works just fine:

# ping6 update.code.visualstudio.com
PING6(56=40+8+8 bytes) 2003:XXXX:XXXX:XX20::cc20:59 --> 2620:1ec:bdf::60
16 bytes from 2620:1ec:bdf::60, icmp_seq=0 hlim=59 time=8.166 ms
16 bytes from 2620:1ec:bdf::60, icmp_seq=1 hlim=59 time=8.472 ms

I already tried an allow-everything rule for IPv6 at the very top of the ruleset, which also triggers (I get a Pass message in the logs) but still doesn't make the initial command (curl) work via IPv6. IPv4 works fine (but I refuse to just deactivate IPv6 completely...).
-
After a longer debug session with ChatGPT (feels weird...) it seems to be an MTU problem specifically with the VSCode server?!? When I change the MTU on a test machine from 1500 to 1480, everything works fine.
The proposed solution from ChatGPT was to change the interface on pfSense and set the MSS to 1452 (because I'm on PPPoE with an MTU of 1492 on the WAN side). This really seems to work now. But on the other hand it feels so wrong to manually set the MSS stuff....
Is this a dirty workaround or a meaningful solution? Any other suggestions? Thanks
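The last two posts describe the symptom pattern (name resolution and small pings succeed, the TLS handshake stalls, lowering the client MTU to 1480 or clamping MSS makes it work). As an added illustration that is not code from this thread or from pfSense, the Python below models that failure mode: IPv6 never fragments in transit, so a host with a 1500-byte MTU behind a 1492-byte PPPoE uplink depends on ICMPv6 "Packet Too Big" messages to learn the smaller path MTU, and if those messages are dropped anywhere on the path, full-size packets vanish silently while small ones still get through. The path, hop names and the 3000-byte "server reply" are constructed; the header sizes and the 8-byte PPPoE overhead are the standard values.

```python
"""Simulated IPv6 path MTU discovery (PMTUD) and TCP MSS clamping.

Constructed teaching example, not code from the forum thread or from pfSense.
Models a client on a 1500-byte LAN whose router uplinks over PPPoE (MTU 1492).
"""
from dataclasses import dataclass
from typing import List, Optional

IPV6_HEADER = 40        # fixed IPv6 header, bytes
IPV4_HEADER = 20        # IPv4 header without options, bytes
TCP_HEADER = 20         # TCP header without options, bytes
IPV6_MIN_MTU = 1280     # every IPv6 link must carry at least this
PPPOE_OVERHEAD = 8      # PPPoE (6) + PPP protocol id (2): 1500 - 8 = 1492
PPPOE_MTU = 1500 - PPPOE_OVERHEAD


def max_mss(link_mtu: int, ip_header: int = IPV6_HEADER) -> int:
    """Largest TCP payload that fits in one packet on a link of this MTU."""
    return link_mtu - ip_header - TCP_HEADER


@dataclass
class Hop:
    name: str
    mtu: int
    ptb_reaches_sender: bool = True   # False models ICMPv6 Packet Too Big being filtered


def demo_path(icmpv6_filtered: bool) -> List[Hop]:
    """Constructed path: client LAN -> router PPPoE uplink -> ISP core -> server LAN."""
    return [Hop("lan", 1500),
            Hop("pppoe-wan", PPPOE_MTU, ptb_reaches_sender=not icmpv6_filtered),
            Hop("isp-core", 9000),
            Hop("server-lan", 1500)]


def packet_fits(size: int, path: List[Hop]) -> bool:
    """A single packet (e.g. a 64-byte ping) that is no bigger than any hop MTU goes through."""
    return all(h.mtu >= size for h in path)


def send(payload: int, sender_mtu: int, path: List[Hop],
         mss_clamp: Optional[int] = None) -> dict:
    """Push `payload` bytes of TCP data over `path` as IPv6 packets and report the outcome.

    The sender starts with packets as large as its own MTU and does PMTUD: a hop
    whose MTU is too small drops the packet and, unless filtered, sends back a
    Packet Too Big carrying its MTU, after which the sender shrinks its packets.
    An MSS clamp caps the TCP payload per packet independently of PMTUD.
    """
    path_mtu, remaining, packets, ptb = sender_mtu, payload, 0, 0
    while remaining > 0:
        segment = max_mss(path_mtu)
        if mss_clamp is not None:
            segment = min(segment, mss_clamp)
        size = min(remaining, segment) + IPV6_HEADER + TCP_HEADER
        packets += 1
        bottleneck = next((h for h in path if h.mtu < size), None)
        if bottleneck is None:                      # delivered
            remaining -= size - IPV6_HEADER - TCP_HEADER
        elif bottleneck.mtu < IPV6_MIN_MTU:         # broken link, PMTUD cannot help
            return {"ok": False, "reason": f"{bottleneck.name} below IPv6 minimum MTU",
                    "packets": packets}
        elif bottleneck.ptb_reaches_sender:         # PMTUD works: learn the smaller MTU
            ptb += 1
            path_mtu = bottleneck.mtu
        else:                                       # silent drop: the classic MTU blackhole
            return {"ok": False, "reason": f"blackhole at {bottleneck.name}",
                    "packets": packets}
    return {"ok": True, "packets": packets, "path_mtu": path_mtu, "ptb": ptb}


if __name__ == "__main__":
    reply = 3000   # constructed size of a TLS ServerHello + certificate chain
    print("IPv6 MSS for a 1492 link:", max_mss(PPPOE_MTU),
          "| IPv4 MSS:", max_mss(PPPOE_MTU, IPV4_HEADER))
    print("64-byte ping fits:", packet_fits(64, demo_path(icmpv6_filtered=True)))
    print("PTB filtered:      ", send(reply, 1500, demo_path(True)))
    print("PTB delivered:     ", send(reply, 1500, demo_path(False)))
    print("filtered, MSS 1432:", send(reply, 1500, demo_path(True), mss_clamp=1432))
    print("filtered, MSS 1452:", send(reply, 1500, demo_path(True), mss_clamp=1452))
```

The run shows why the symptoms in the thread fit together: the ping and the DNS lookup fit in one small packet, the large reply only gets through when the Packet Too Big message arrives or when the payload is already capped. It also computes both candidate clamp values for a 1492-byte PPPoE link: 1452 subtracts only IPv4 and TCP headers, 1432 also covers the 20 extra bytes of the IPv6 header, and in the model a clamp of 1452 applied to an IPv6 session still yields 1500-byte packets that blackhole. How a given pfSense release interprets the interface MSS field (a raw MSS, or a size from which it subtracts the headers itself, per address family) is not modelled here; check the field's help text on your version. In the model the root-cause fix is letting ICMPv6 Packet Too Big reach the sender; MSS clamping is the fallback that only protects TCP.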