On 06/30/2017 07:47 PM, Sam wrote:
> Hi again.
>
> Spent the last week getting my home network(s) online with IPv6. I think
> I'm on the finishing stretch. One last issue has popped up that I am not
> sure how to fix.
>
> I'm running squid in transparent proxy mode via tproxy. Had it like that
> for years on ipv4.
>
> I've pretty much just followed the guide at the bottom here:
> http://shorewall.org/Shorewall_Squid_Usage.html
>
> I've attached a shorewall6 dump for good measure
>
> Before I enabled the tproxy rules over ipv6 (and thus not using squid),
> all tests on this site passed: http://test-ipv6.com/
>
> Once I got the tproxy rules enabled, one test started failing.
>
> That was the "Test IPv6 large packet" test. Your browser basically
> fetches a url with 1600 characters in it. I shortened it and added it
> here: http://preview.tinyurl.com/y9vy2j3u
>
> I can fetch that url fine without squid and tproxy. But once it is
> enabled, I can't. Looking at tcpdump, I see the request made goes out of
> my wan nic, what comes back is an icmp "packet too big" response. That
> icmp packet then flows back out (through shorewall) to the computer on
> the lan that made the request. I'm thinking since squid intercepted the
> HTTP request, that the icmp response should be going to squid. So I
> don't know if this is just an issue of iptable rules or something else
> at play here. Any thoughts? Googling for squid + mtu + ipv6 + tproxy
> doesn't give me too many results other than someone with the same issue
> here (which never responds back with what the fix was):
> http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-Timeouts-on-Select-Websites-td4657073.html
>
> I've not found any websites that are proxied that don't work. Only issue
> seems to be with the ipv6 test website. So perhaps I can ignore this...
>

FWIW, my configuration also fails this test and I've noticed no problems.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
