Netgate Discussion Forum

    MSS has to be set manually for IPv6 to work correctly with PPPoE

      chrcoluk @jpns

      @jpns system->advanced->networking, scroll to bottom, toggle it and reboot. Needs a recent version of pfSense.

      pfSense CE 2.8.1

        jpns @chrcoluk

        @chrcoluk I don't see it in CE 2.8.1. Is it only in the beta version?

          jpns @jpns

          said in MSS has to be set manually for IPv6 to work correctly with PPPoE:

          @chrcoluk I don't see it in CE 2.8.1. Is it only in the beta version?

          Never mind - the GUI option suddenly appeared (very weird) and I enabled it but it hasn't fixed the issue. I still have to disable tcpmssfix and set my MSS to a low value or IPv6 just does not work properly. I actually discovered earlier that 1452 is too high, and sometimes it still wouldn't work 100% of the time, so I have now lowered it to 1440.

            chrcoluk @jpns

            @jpns Was TCPmssfix setting it to 1452?

            Overhead for IPv6 is 60 bytes, so absolute maximum on a 1492 MTU would be 1432.

            Also if you include timestamps IPv4 is better at 1440.

            Unlike MTU, this doesn't need an as-high-as-possible mentality; it doesn't start high and work its way down. Any modern stack will work fine, providing you give it an MSS that's compatible with your setup.

            I just looked at the 2.8.x filter.inc code, and the default behaviour when using if_pppoe and leaving the MSS box unpopulated is that it will apply a 40 byte overhead for IPv4 and a 60 byte overhead for IPv6 via SCRUB rules.

            Some info here, referenced in the code.

            https://redmine.pfsense.org/issues/11409

            pfSense CE 2.8.1

              jpns @chrcoluk

              @chrcoluk I'm not sure what TCPmssfix was setting it to - how do you find out?

              It seems like I have more underlying issues:

              Pinging ipv6.l.google.com [2a00:1450:4009:c0f::65] with 32 bytes of data:
              Destination host unreachable.
              Destination host unreachable.
              Destination host unreachable.
              Destination host unreachable.
              Destination host unreachable.
              Reply from 2a00:1450:4009:c0f::65: time=2356ms
              Reply from 2a00:1450:4009:c0f::65: time=11ms
              Request timed out.
              Request timed out.
              Destination host unreachable.
              Request timed out.
              Destination host unreachable.
              Request timed out.
              

              I have now gone to if_pppoe with TCPmssfix enabled and no MSS manually set. IPv6 seems to be working fine now, but I will see if it lasts.

                jpns @jpns

                Yep, here we go. After about an hour of it working perfectly, it just stops working for no reason:

                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=16ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Request timed out.
                Destination host unreachable.
                Destination host unreachable.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                

                and if I reset the PPPoE connection:

                Request timed out.
                Request timed out.
                Destination host unreachable.
                Request timed out.
                Request timed out.
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=15ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=16ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                Reply from 2a00:1450:4009:c0f::65: time=14ms
                Reply from 2a00:1450:4009:c0f::65: time=12ms
                Reply from 2a00:1450:4009:c0f::65: time=13ms
                

                IPv4 stays working perfectly all the time throughout this. Anyone know what could be wrong?

                  chrcoluk @jpns

                  @jpns You seem to have underlying IPv6 problems, possibly at the ISP level. MSS will have no impact on 32-byte UDP/ICMP pings.

                  It is a mechanism for large TCP packets.

                  I think the only way to see what legacy TCPMSSfix is doing is to inspect packet headers; it's one reason I don't like using it. However, on if_pppoe it uses scrub rules, so this command should tell you what it is configuring max-mss to.

                  'grep max-mss /tmp/rules.debug'

                  But this won't be causing problems on your pings; something else is going on there.

                  pfSense CE 2.8.1
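
Added example, not part of the thread and not pfSense's own code: a shell function that applies the 40-byte (IPv4) and 60-byte (IPv6) overheads described earlier in the thread to the scrub rules that `grep max-mss /tmp/rules.debug` would show, and flags any clamp too high for the link MTU. The sample rules, the interface names and the exact rule layout are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit pf scrub rules for a max-mss
# clamp that cannot fit the link MTU. Overheads are the ones quoted above:
# 40 bytes for IPv4 + TCP headers, 60 bytes for IPv6 + TCP headers.

# audit_max_mss RULES_FILE MTU   (RULES_FILE may be "-" for stdin)
# Prints one verdict per scrub rule that sets max-mss.
# Exit status is 1 when any clamp exceeds MTU minus the header overhead.
audit_max_mss() {
    awk -v mtu="$2" '
        BEGIN { bad = 0 }
        $1 == "scrub" {
            fam = "any"; mss = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "inet" || $i == "inet6") fam = $i
                if ($i == "max-mss" && i < NF) mss = $(i + 1)
            }
            if (mss == "") next
            # A rule with no address family also matches IPv6 traffic,
            # so it is held to the stricter 60-byte overhead.
            limit = mtu - ((fam == "inet") ? 40 : 60)
            verdict = (mss + 0 <= limit) ? "ok" : "TOO-HIGH"
            if (verdict != "ok") bad = 1
            printf "%s family=%s max-mss=%d limit=%d\n", verdict, fam, mss, limit
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample in pf.conf scrub syntax; interface names are made up.
# On the firewall, point the function at /tmp/rules.debug instead.
sample_rules() {
    cat <<'EOF'
scrub on pppoe0 inet all max-mss 1452 fragment reassemble
scrub on pppoe0 inet6 all max-mss 1432 fragment reassemble
scrub on pppoe1 all max-mss 1452 fragment reassemble
EOF
}

# PPPoE link with MTU 1492: the family-less rule clamps IPv6 too loosely.
sample_rules | audit_max_mss - 1492 || echo "review the TOO-HIGH rules above"
```
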

                    jpns @chrcoluk

                    @chrcoluk said in MSS has to be set manually for IPv6 to work correctly with PPPoE:

                    @jpns You seem to have underlying IPv6 problems, possibly at the ISP level. MSS will have no impact on 32-byte UDP/ICMP pings.

                    It is a mechanism for large TCP packets.

                    I think the only way to see what legacy TCPMSSfix is doing is to inspect packet headers; it's one reason I don't like using it. However, on if_pppoe it uses scrub rules, so this command should tell you what it is configuring max-mss to.

                    'grep max-mss /tmp/rules.debug'

                    But this won't be causing problems on your pings; something else is going on there.

                    I think you are right. From further testing it appears that this specific client has issues with IPv6. Other clients are working just fine.

                      IonutIT

                      Can I hijack this thread to ask about something similar?

                      My ISP has a very bad implementation of RFC4638 "baby jumbo frames". It properly supports MTU 1500 for IPv4, but hasn't bothered to make the same work over IPv6 where my MTU seems to be 1492.

                      I was wondering how can I make this work with 1500 for IPv4 and 1492 for IPv6. At one point you could send MTU info over RAs, but it seems that option has been taken out from recent versions of pfSense+.

                      Any other ideas? I know I could just use 1492 for both stacks and call it a day, but not having to fragment every big packet that goes outside my network does sound like a pretty good deal, even though it's just for IPv4.

                        chrcoluk @IonutIT

                        @IonutIT MTU is a per interface value, so you have the same MTU for both stacks.

                        Just to confirm, you are saying when you set MTU to 1500, IPv6 can not deliver unfragmented 1500 byte packets?

                        If your ISP has set MTU too low to support a proper baby jumbo frames configuration, then I think you only have two options.

                        Run the 1492 MTU, or use single IPv4 stack only with 1500 MTU.

                        If you think you won't ever use large UDP packets, then you could just rely on MSS fix for IPv6 to at least ensure TCP is OK. But if you do this, make sure you disable use of QUIC on your network. I wouldn't go down this route.

                        pfSense CE 2.8.1

                          IonutIT @chrcoluk

                          @chrcoluk said in MSS has to be set manually for IPv6 to work correctly with PPPoE:

                          Just to confirm, you are saying when you set MTU to 1500, IPv6 can not deliver unfragmented 1500 byte packets?

                          Yup. I can send 1500 bytes over IPv4 no issue, but can't send more than 1492 bytes over IPv6. Tried contacting my ISP, just got a Level 1 boilerplate answer "It's a feature that will be implemented at some point".
