I've been slowly trying to get this fixed for a few years now... I'm
running Debian Sid, Shorewall6 5.0.15.6, and Squid 3.5.23. My ISP provides
native IPv6 (Comcast). 

I had my system set up to use Squid + TPROXY using IPv6, and it was working
great. However, a couple of years ago, it simply stopped working, and I’ve
been trying to figure out why ever since. When I try to use
IPv6+TPROXY+Squid, most sites simply “hang” and never load. I’ve been
trying to research it myself, and I think I can say that it appears to be
an ICMP Path MTU issue.

I can reproduce the error with test-IPv6.com (they suggest a curl command
at http://test-ipv6.com/faq_pmtud.html). Non-TPROXY connections work fine,
whether connecting directly or if their http proxy is configured. However
it appears that when I use TPROXY, there are issues with Path MTU Detection
from the internet to my clients.

When I try the test URL from test-ipv6.com, and check the packet dump using
the following:

$ sudo tcpdump '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)' 

I see messages along the lines of:

<timestamp> IP6 {remote addr} > {my IPv6 addr}: ICMP6, packet too big, MTU
1280, length 1240

“shorewall6 show | grep -i icmp” shows the expected allow for ICMP:

   0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0  
             ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */

It looks to me like the ICMPv6 packets should be getting handled and passed
through correctly; however, as the packet dumps show, that does not appear
to be the case.

Does anyone have an idea how I can figure out what is happening so I can
get it working again?
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
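An added example for the diagnosis described in this post (not code from the poster or from the Shorewall or Squid projects): it decodes an ICMPv6 Packet Too Big message (type 2, RFC 4443) the way the tcpdump line above summarises it, pulls out the advertised MTU and the embedded invoking packet so you can see exactly which TCP flow the PTB belongs to, and then says whether the message was addressed to the firewall itself or to an address in the client prefix. That distinction matters under TPROXY because the proxy opens its upstream connections with the client's own address as source, so PTBs for those flows come back addressed to client addresses and have to be consumed by the proxy host rather than merely forwarded. The sample frame, the addresses 2001:db8:1::10 / 2001:db8:ffff::1 and the prefix 2001:db8:1::/64 are constructed for the example; the parser assumes no IPv6 extension headers precede ICMPv6 (the same assumption the `ip6[40] = 2` filter makes) and does not verify the ICMPv6 checksum.

```python
"""Decode ICMPv6 Packet Too Big messages and say which flow they refer to.
Added example for the thread above; not the poster's or Shorewall's code."""
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2   # RFC 4443 section 3.2
NEXT_HEADER_TCP = 6
NEXT_HEADER_ICMPV6 = 58
IPV6_MIN_LINK_MTU = 1280    # RFC 8200 minimum link MTU; a path MTU never goes lower


def parse_ipv6_header(buf):
    """Split a fixed 40-byte IPv6 header into (src, dst, next_header, payload)."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, _payload_len, nxt, _hlim = struct.unpack("!IHBB", buf[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(buf[8:24])
    dst = ipaddress.IPv6Address(buf[24:40])
    return src, dst, nxt, buf[40:]


def parse_packet_too_big(frame):
    """Return a dict describing an ICMPv6 Packet Too Big message, else None.

    Assumes no extension headers sit between the IPv6 and ICMPv6 headers
    (like the tcpdump filter 'ip6[40] = 2').  The checksum is not verified.
    """
    src, dst, nxt, payload = parse_ipv6_header(frame)
    if nxt != NEXT_HEADER_ICMPV6 or len(payload) < 8:
        return None
    icmp_type, _code, _csum, mtu = struct.unpack("!BBHI", payload[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG:
        return None
    info = {
        "reporter": str(src),        # router that could not forward the packet
        "reported_to": str(dst),     # source address of the too-big packet
        "mtu": mtu,
        "below_ipv6_minimum": mtu < IPV6_MIN_LINK_MTU,
    }
    # As much of the invoking packet as fitted follows the 8-byte ICMPv6 header.
    try:
        isrc, idst, inxt, ipayload = parse_ipv6_header(payload[8:])
    except ValueError:
        return info                  # PTB truncated before the inner header
    info["flow_src"], info["flow_dst"] = str(isrc), str(idst)
    if inxt == NEXT_HEADER_TCP and len(ipayload) >= 4:
        info["flow_sport"], info["flow_dport"] = struct.unpack("!HH", ipayload[:4])
    return info


def classify_ptb(info, firewall_addrs, client_prefix):
    """Say whose address the PTB was sent to: 'firewall', 'client' or 'other'.

    Under TPROXY the proxy's upstream connections use the client's address as
    source, so PTBs for those flows arrive addressed to the client prefix and
    must be consumed by the proxy host's own socket, not just forwarded.
    """
    dst = ipaddress.IPv6Address(info["reported_to"])
    if dst in {ipaddress.IPv6Address(a) for a in firewall_addrs}:
        return "firewall"
    if dst in ipaddress.IPv6Network(client_prefix):
        return "client"
    return "other"


def build_sample_ptb():
    """Constructed sample frame (not a real capture): a remote router tells
    client 2001:db8:1::10 that its 1400-byte TCP segment to port 80 exceeds a
    1280-byte link.  Checksum field left at zero."""
    client = ipaddress.IPv6Address("2001:db8:1::10").packed
    remote = ipaddress.IPv6Address("2001:db8:ffff::1").packed
    tcp = struct.pack("!HH", 45678, 80) + bytes(16)   # ports + rest of TCP header
    inner = struct.pack("!IHBB", 6 << 28, 1400, NEXT_HEADER_TCP, 63) + client + remote + tcp
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, 1280) + inner
    outer = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 64) + remote + client
    return outer + icmp


if __name__ == "__main__":
    ptb = parse_packet_too_big(build_sample_ptb())
    print(ptb)
    print(classify_ptb(ptb, ["2001:db8:1::1"], "2001:db8:1::/64"))
```

To use it on a real capture, feed `parse_packet_too_big` the raw IPv6 packet bytes (for example each packet read from a pcap written with `tcpdump -w` by a pcap reader of your choice) and pass your firewall's own addresses and your LAN prefix to `classify_ptb`; a run of PTBs classified as `client` whose flows nevertheless keep retransmitting full-size segments points at the proxy host not applying the reported MTU to its TPROXY sockets, whereas PTBs classified as `firewall` exercise the ordinary local path.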