I've set up dualstack IPv4 & IPv6 across my lan. IPv4 via my local ISP's gateway; IPv6 over a wireguard VPN link through a cloud VM, using native IPv6.

shorewall(6)-lite is in place on all boxes.

afaict so far, all IPv6 traffic flows -- at least, I've had no widespread issues browsing ...

test @ https://test-ipv6.com/ returns a "10/10" score, with notice of specific test pass

    Test IPv6 large packet
    ok (0.290s) using ipv6

but, tests @ https://ipv6-test.com/ report an issue with icmp,

    "1. Reconfigure your firewall
    Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all."

reading in more detail @

    https://test-ipv6.com/faq_pmtud.html

if I test/exec locally

    curl 'http://mtu1280.test-ipv6.com/ip/?size=1600&fill=xxx...xxx'

I _do_ in fact see the discussed "ICMP6, packet too big, mtu 1280,"

       07:14:25.917394 IP6 2600:...:abcd.38660 > mtu1280.master.test-ipv6.com.http: Flags [P.], seq 1349:1381, ack 1, win 85, options [nop,nop,TS val 2374419897 ecr 16953028], length 32: HTTP
    !! 07:14:25.919738 IP6 mtu1280.master.test-ipv6.com > 2600:...:abcd: ICMP6, packet too big, mtu 1280, length 1240
       07:14:25.919738 IP6 mtu1280.master.test-ipv6.com.http > 2600:...:abcd.38660: Flags [.], ack 1, win 232, options [nop,nop,TS val 16953037 ecr 2374419897,nop,nop,sack 1 {1349:1381}], length 0

the advice there

    The preferred fix is to permit ICMPv6 Type 2 Packet Too Big messages. Your router or firewall may be blocking these.

I notice the "mtu 1280" ...

checking link mtus on my local,

    ifconfig | grep mtu
        enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420

& remote boxes

    ifconfig | grep mtu
        dummy0: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420

1280 is _not_ a set mtu

reading

    Close Encounters of the ICMP Type 2 Kind (Near Misses with ICMPv6 Packet Too Big (PTB))
    https://tools.ietf.org/html/rfc7690

    Path MTU Discovery
    https://en.wikipedia.org/wiki/Path_MTU_Discovery#cite_note-4

it _appears_, iiuc, to be a fallback value.

I'm not clear if this "Too Big" packet issue's real, or a red-herring ... and it's simply doing what it's supposed to be doing, falling back to a lower value, &/or if there's *another* ICMP issue I'm missing

Is this^ an indication that I've misconfigured SW's IPv6 icmp rules?

What icmp* type allows for correct MTU discovery? Does it need to be _explicitly_ set in SW?

I'm reticent to start blindly mss-clamping ...
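
Added example, not part of the original post: on Linux, tcpdump sees inbound packets before netfilter evaluates them, so a "packet too big" line in a capture does not show whether the firewall accepted it. The script below reads tcpdump-style text and checks whether the local host's TCP segments shrank after the PTB; the function name, verdict strings and sample lines are constructed for illustration, and it assumes the PTB sender is the TCP peer, as in the capture above.

```python
import re

# tcpdump one-line formats, matching the shape of the capture in the post.
PTB = re.compile(r"IP6 (\S+) > (\S+): ICMP6, packet too big, mtu (\d+)")
TCP = re.compile(r"IP6 (\S+)\.\w+ > (\S+)\.\w+: Flags .*length (\d+)")

IPV6_HDR, TCP_HDR = 40, 20  # fixed header sizes; TCP options not counted


def pmtud_verdict(capture: str) -> str:
    """Classify a capture: did the local host act on a Packet Too Big?

    Assumption (as in the post's capture): the PTB sender is the TCP peer.
    """
    flow = None    # (local, peer) pair the PTB applies to
    limit = None   # largest TCP payload that can fit the advertised MTU
    verdict = "no-ptb-seen"
    for line in capture.splitlines():
        m = PTB.search(line)
        if m:
            peer, local, mtu = m.group(1), m.group(2), int(m.group(3))
            flow, limit = (local, peer), mtu - IPV6_HDR - TCP_HDR
            verdict = "inconclusive"   # PTB on the wire, no data after it yet
            continue
        m = TCP.search(line)
        if m and flow == (m.group(1), m.group(2)):
            payload = int(m.group(3))
            if payload > limit:
                return "ptb-ignored"   # segment still oversized after the PTB
            if payload > 0:
                verdict = "ptb-honoured"
    return verdict


# Constructed sample captures (documentation addresses, not from the post).
BIG_LINE = ("07:00:0{}.000000 IP6 2001:db8::10.40000 > 2001:db8:ffff::80.80: "
            "Flags [P.], seq 1:{}, ack 1, win 85, length {}: HTTP")
PTB_LINE = ("07:00:01.000000 IP6 2001:db8:ffff::80 > 2001:db8::10: "
            "ICMP6, packet too big, mtu 1280, length 1240")
HONOURED = "\n".join([BIG_LINE.format(0, 1349, 1348), PTB_LINE,
                      BIG_LINE.format(2, 1209, 1208)])
IGNORED = "\n".join([BIG_LINE.format(0, 1349, 1348), PTB_LINE,
                     BIG_LINE.format(2, 1349, 1348)])

if __name__ == "__main__":
    for name, cap in (("honoured", HONOURED), ("ignored", IGNORED)):
        print(name, "->", pmtud_verdict(cap))
```

A "ptb-ignored" verdict on a real capture is the case worth checking against the firewall's ICMPv6 rules; "ptb-honoured" means the host lowered its segment size after the message arrived.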