AT&T (and other ISPs) 6rd IPv6 MTU issues



  • I have recently started changing to pfSense for my site-to-site VPNs and am running into an issue.  As we all know, when you are using a 6rd tunnel with an IPv4 MTU of 1500, the maximum IPv6 packet size is 1480.  There is currently no way to configure this with the GUI (or any other way that I know of) of pfSense.

    The proper fix for this would be enabling the configuration of the IPv6 Neighbor Discovery protocol.  The maximum MTU that the ND protocol should advertise is 1480.  This should be configurable through the GUI, but the option is missing.

    Is there a possible command line workaround for this now?

    Edit:  I would also like to point out that this is an issue I ran into with RouterOS.  The fix was also configuring the NDP for a maximum MTU of 1480 and the fix worked great.



  • I've got quite similar issues. By default, working with 6rd and my provider's gateway, I had lots of fragmented packets as well as packet loss. Therefore connecting to encrypted IPv6 websites was real slow. After analyzing the traffic with Wireshark, my provider told me to set the MTU for IPv6 traffic to 1472.

    I configured this by setting the MTU on the wan_stf interface and having the radv service distribute this MTU value with its route advertisements. Since pfSense seems to be unable to do such things by default, I used the patch plugin (https://doc.pfsense.org/index.php/System_Patches) and applied the following crude patch:

    BEWARE: Only apply this patch if you are able to deduce its consequences. I am only using the 6rd gateway of my provider for any IPv6 traffic. This might not apply to you. I applied this patch to version 2.3.2-RELEASE-p1.

    
    diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
    index 4388ef9..4e8e970 100644
    --- a/src/etc/inc/interfaces.inc
    +++ b/src/etc/inc/interfaces.inc
    @@ -3756,6 +3756,7 @@ function interface_6rd_configure($interface = "wan", $wancfg) {
            pfSense_interface_flags($stfiface, IFF_LINK2);
            mwexec("/sbin/ifconfig {$stfiface} inet6 {$rd6prefix}/{$rd6prefixlen}");
            mwexec("/sbin/ifconfig {$stfiface} stfv4br " . escapeshellarg($wancfg['gateway-6rd']));
    +       mwexec("/sbin/ifconfig {$stfiface} mtu 1472");
            if ($wancfg['prefix-6rd-v4plen'] >= 0 && $wancfg['prefix-6rd-v4plen'] <= 32) {
                    mwexec("/sbin/ifconfig {$stfiface} stfv4net {$ip4address}/" . escapeshellarg($wancfg['prefix-6rd-v4plen']));
            }
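
    Review bot: The added `mwexec("/sbin/ifconfig {$stfiface} mtu 1472");` hard-codes one provider's value for every 6rd WAN that passes through `interface_6rd_configure()`. Read the MTU from `$wancfg` instead (a new setting, name to be chosen), check that it is numeric and not below 1280, pass it through `escapeshellarg()` as the neighbouring `stfv4br` line does, and skip the call when the setting is empty so existing 6rd setups keep their current behaviour.
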
    diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc
    index 64c40af..46d10be 100644
    --- a/src/etc/inc/services.inc
    +++ b/src/etc/inc/services.inc
    @@ -161,7 +161,7 @@ function services_radvd_configure($blacklist = array()) {
    
                    $mtu = get_interface_mtu($realif);
                    if (is_numeric($mtu)) {
    -                       $radvdconf .= "\tAdvLinkMTU {$mtu};\n";
    +                       $radvdconf .= "\tAdvLinkMTU 1472;\n";
                    } else {
                            $radvdconf .= "\tAdvLinkMTU 1280;\n";
                    }
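
    Review bot: With `AdvLinkMTU 1472;` in place of `AdvLinkMTU {$mtu};`, the `is_numeric($mtu)` branch no longer uses the value it has just tested, so an interface whose own MTU is below 1472 would advertise more than its link carries. Nothing in the visible lines limits the change to interfaces served by 6rd either. Advertise the smaller of `$mtu` and the tunnel MTU rather than a fixed number, and apply that cap only where the advertised prefix comes from the 6rd tunnel.
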
    @@ -363,7 +363,7 @@ function services_radvd_configure($blacklist = array()) {
                    }
                    $mtu = get_interface_mtu($realif);
                    if (is_numeric($mtu)) {
    -                       $radvdconf .= "\tAdvLinkMTU {$mtu};\n";
    +                       $radvdconf .= "\tAdvLinkMTU 1472;\n";
                    } else {
                            $radvdconf .= "\tAdvLinkMTU 1280;\n";
                    }
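
    Review bot: The literal in `$radvdconf .= "\tAdvLinkMTU 1472;\n";` is a third copy of the same number, after the earlier hunk in this file and the one in interfaces.inc, so all three have to be edited together whenever the provider's value differs. Compute the capped MTU once, for example in a small helper that takes `$realif`, and use its result in both branches of `services_radvd_configure()`.
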
    
    

    I hope this might help someone with similar issues. Of course, it would be nice if the MTU could be adapted on the pfSense web interface.
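
Added example (not part of the original posts and not pfSense code): a Python check that reads radvd.conf text and flags interfaces whose `AdvLinkMTU` exceeds the 6rd ceiling (IPv4 MTU minus the 20-byte IPv4 header) or a lower provider limit such as the 1472 mentioned above. The sample config and interface names are constructed, and the check assumes all IPv6 traffic from those interfaces leaves through the 6rd tunnel.

```python
import re

IPV4_HEADER = 20     # 6rd carries IPv6 directly inside IPv4 (protocol 41)
IPV6_MIN_MTU = 1280  # smallest link MTU IPv6 permits (RFC 8200)

# Constructed sample in radvd.conf syntax; interface names are made up.
SAMPLE_CONF = """
interface em1 {
    AdvSendAdvert on;
    AdvLinkMTU 1500;
    prefix 2001:db8:1::/64 { AdvOnLink on; };
};
interface em2 {
    AdvSendAdvert on;
    AdvLinkMTU 1472;
};
interface em3 {
    AdvSendAdvert on;
};
"""

def tunnel_mtu(wan_ipv4_mtu):
    """Largest IPv6 packet that fits in one IPv4 packet on the WAN."""
    return wan_ipv4_mtu - IPV4_HEADER

def check_radvd(conf_text, wan_ipv4_mtu=1500, provider_limit=None):
    """Return {interface: status} for every interface block in conf_text."""
    ceiling = tunnel_mtu(wan_ipv4_mtu)
    if provider_limit is not None:
        ceiling = min(ceiling, provider_limit)
    block_re = re.compile(r"^interface\s+(\S+)\s*\{(.*?)^\};", re.S | re.M)
    mtu_re = re.compile(r"^\s*AdvLinkMTU\s+(\d+)\s*;", re.M)
    result = {}
    for name, body in block_re.findall(conf_text):
        match = mtu_re.search(body)
        mtu = int(match.group(1)) if match else 0
        if mtu == 0:
            # radvd sends no MTU option; hosts fall back to the link MTU
            result[name] = "not-advertised"
        elif mtu < IPV6_MIN_MTU:
            result[name] = "below-minimum"
        elif mtu > ceiling:
            result[name] = "too-large"
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    for iface, status in check_radvd(SAMPLE_CONF, 1500, 1472).items():
        print(iface, status)
```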

