Netgate Discussion Forum

    IPv6 being fragmented over OpenVPN

    2.1 Snapshot Feedback and Problems - RETIRED
      bert64

      I have a number of OpenVPN users connected to pfsense 2.1 and using ipv6…
      These clients can ping6 internal hosts just fine, but attempting to make any TCP connections results in strange behaviour.
      The logs show packets with proto=fragment being received and accepted, and then show the resulting syn/ack being rejected, likely because it's not recognising it as belonging to the earlier connection?

      Strangest thing is this used to work until I installed a newer snapshot (no rules have been changed since), working snapshot was from June 20 while non working snapshots were July 19 and July 25...

        kejianshi

        Temporary solution is simple.  Roll back till they fix it.

          bert64

          The snapshots which worked with ipv6 were very unstable, the new ones are stable but don't work correctly with ipv6… Also not entirely sure where to get a specific snapshot version from?

            kejianshi

            I always save my image for whatever versions I am using back 2 or 3 versions…  They are not big.

              bert64

              Log excerpt:

              <local0.info>fw-pri/fw-pri 00:00:05.215012 rule 94/0(match): pass in on ovpns1: (hlim 64, next-header Fragment (44) payload length: 52) xxx:207::1000 > xxx:205:1::66: frag (0xa0da4097:0|44) 60898 > 22: Flags [S], seq 2919816067, win 65535, options [mss 1070,nop,wscale 4,nop,nop,TS val 628175774 ecr 0,sackOK,eol], length 0

              <local0.info>fw-pri/fw-pri 00:00:00.000422 rule 5/0(match): block in on vr1: (hlim 64, next-header TCP (6) payload length: 40) xxx:205:1::66.22 > xxx:207::1000.60898: Flags [S.], cksum 0x3788 (correct), seq 127760165, ack 2919816068, win 14280, options [mss 1440,sackOK,TS val 124587168 ecr 628175774,nop,wscale 7], length 0

              Interestingly when the vpn is first connected, the first ipv6 connection is able to establish or the first ping6 will go through, after that nothing.

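One way to confirm the symptom in the log excerpt above from a saved firewall log, as an added example that is not part of the original thread: it pairs each passed SYN with a blocked SYN/ACK on the reversed address/port pair whose ack equals the SYN's seq + 1, and reports whether the SYN arrived behind a Fragment header. The sample lines are constructed (documentation-prefix addresses) and the function names are hypothetical.

```python
import re

# Constructed sample in the tcpdump-style format of the excerpt above
# (2001:db8::/32 documentation addresses, options field trimmed).
SAMPLE = """\
rule 94/0(match): pass in on ovpns1: (hlim 64, next-header Fragment (44) payload length: 52) 2001:db8:207::1000 > 2001:db8:205:1::66: frag (0xa0da4097:0|44) 60898 > 22: Flags [S], seq 2919816067, win 65535, length 0
rule 5/0(match): block in on vr1: (hlim 64, next-header TCP (6) payload length: 40) 2001:db8:205:1::66.22 > 2001:db8:207::1000.60898: Flags [S.], cksum 0x3788 (correct), seq 127760165, ack 2919816068, win 14280, length 0
rule 94/0(match): pass in on ovpns1: (hlim 64, next-header TCP (6) payload length: 40) 2001:db8:207::1000.60900 > 2001:db8:205:1::66.443: Flags [S], seq 1000, win 65535, length 0
"""

LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) in on (?P<ifc>\S+): "
    r"\(.*?next-header (?P<nh>\w+) \(\d+\).*?\) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:frag \(\S+\) (?P<fsport>\d+) > (?P<fdport>\d+): )?"
    r"Flags \[(?P<flags>[^\]]*)\], (?:cksum \S+ \(\w+\), )?"
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?")

def parse(line):
    m = LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["fsport"]:   # fragment header present: ports follow the frag (...) field
        src, dst = (d["src"], d["fsport"]), (d["dst"], d["fdport"])
    else:             # unfragmented: tcpdump prints address.port
        src, dst = tuple(d["src"].rsplit(".", 1)), tuple(d["dst"].rsplit(".", 1))
    return {"rule": int(d["rule"]), "action": d["action"], "ifc": d["ifc"],
            "frag": d["nh"] == "Fragment", "src": src, "dst": dst,
            "flags": d["flags"], "seq": int(d["seq"]),
            "ack": int(d["ack"]) if d["ack"] else None}

def orphaned_synacks(text):
    """Pairs (syn, synack): a SYN that was passed, whose SYN/ACK was blocked."""
    passed, hits = {}, []
    for p in filter(None, map(parse, text.splitlines())):
        if p["action"] == "pass" and p["flags"] == "S":
            passed[(p["src"], p["dst"], (p["seq"] + 1) % 2**32)] = p
        elif p["action"] == "block" and p["flags"] == "S.":
            syn = passed.get((p["dst"], p["src"], p["ack"]))
            if syn:
                hits.append((syn, p))
    return hits

if __name__ == "__main__":
    for syn, ack in orphaned_synacks(SAMPLE):
        print(f"SYN passed on {syn['ifc']} (fragment={syn['frag']}), "
              f"SYN/ACK blocked on {ack['ifc']} by rule {ack['rule']}")
```
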
                bert64

                And even more strangely, ping6 and ipv6 tcp connections from lan hosts to the vpn client work, just no traffic initiated by the vpn client.

                  kejianshi

                  Maybe someone on IPV6 can help.  Poor me.  I'm stuck on boring old IPV4.
                  I was considering going to IPV6 but right now can't think of a good reason.

                  http://w3techs.com/technologies/details/ce-ipv6/all/all

                  I'm waiting on usage to top 4%

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.