IPv6 being fragments over OpenVPN



  • I have a number of OpenVPN users connected to pfsense 2.1 and using ipv6…
    These clients can ping6 internal hosts just fine, but attempting to make any TCP connections results in strange behaviour.
    The logs show packets with proto=fragment being received and accepted, and then show the resulting syn/ack being rejected, likely because its not recognising it as belonging to the earlier connection?

    Strangest thing is this used to work until i installed a newer snapshot (no rules have been changed since), working snapshot was from june 20 while non working snapshots were july 19 and july 25...



  • Temporary solution is simple.  Roll back till they fix it.



  • The snapshots which worked with ipv6 were very unstable, the new ones are stable but don't work correctly with ipv6… Also not entirely sure where to get a specific snapshot version from?



  • I always save my image for whatever versions I am using back 2 or 3 versions…  They are not big.



  • Log excerpt:

    <local0.info>fw-pri/fw-pri 00:00:05.215012 rule 94/0(match): pass in on ovpns1: (hlim 64, next-header Fragment (44) payload length: 52) xxx:207::1000 > xxx:205:1::66: frag (0xa0da4097:0|44) 60898 > 22: Flags ~~, seq 2919816067, win 65535, options [mss 1070,nop,wscale 4,nop,nop,TS val 628175774 ecr 0,sackOK,eol], length 0

    <local0.info>fw-pri/fw-pri 00:00:00.000422 rule 5/0(match): block in on vr1: (hlim 64, next-header TCP (6) payload length: 40) xxx:205:1::66.22 > xxx:207::1000.60898: Flags [S.], cksum 0x3788 (correct), seq 127760165, ack 2919816068, win 14280, options [mss 1440,sackOK,TS val 124587168 ecr 628175774,nop,wscale 7], length 0

    Interestingly when the vpn is first connected, the first ipv6 connection is able to establish or the first ping6 will go through, after that nothing.</local0.info>~~</local0.info>



  • And even more strangely, ping6 and ipv6 tcp connections from lan hosts to the vpn client works, just no traffic initiated by the vpn client.



  • Maybe someone on IPV6 can help.  Poor me.  I'm stuck on boring old IPV4.
    I was considering going to IPV6 but right now can't think of a good reason.

    http://w3techs.com/technologies/details/ce-ipv6/all/all

    I'm waiting on usage to top 4%