Thanks for the explanation Chris. I did run across a bug report that seems to be exactly what we're running into ( http://redmine.pfsense.org/issues/2129).
Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSesne 2.1 is based on? Also, are there any workarounds for those of us running 2.1? I'm not sure when 2.2 will be tagged but it would great if there was some way, maybe by adjusting the MTU and/or MSS values, that those of us affected by this bug could use get their v6 tunnels up and running, even if not at their theoretical peak efficiency. Thanks for all the help. I realize IPv6 support can be more than a little tricky. I really appreciate all the work that everyone has done on pfSense, it's a great tool. --adam On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler <[email protected]> wrote: > On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson <[email protected]> > wrote: > > > > Even weirder… > > > > Although I can successfully ping at payload sizes up to 1432, I see > another more troubling problem: there’s a “hole” where it works > > with payloads up to 1232, fails with payloads between 1233 and 1255 > inclusive, then works again with payloads 1256 bytes and above. > WTF???? > > > > The original scenario, the diff between 1232 and 1233 is that at 1233, > the echo request no longer fits in the minimum IPv6 size, so it's > fragmented. > 20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag > (0|1232) ICMP6, echo request, seq 2, length 1232 > 20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag > (1232|176) > > no response to the fragmented request. > > 20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6, > echo request, seq 0, length 1408 > 20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6, > echo reply, seq 0, length 1408 > > bigger request that isn't fragmented is fine. > > If you don't specify -m on ping6 (at least with the FreeBSD ping6, > others are likely similar), ping6 asks the kernel to fragment packets > to fit the minimum IPv6 MTU, 1280. > > PF has issues with v6 fragmentation that we won't be able to address > until 2.2, which is the root of the problem. > _______________________________________________ > List mailing list > [email protected] > http://lists.pfsense.org/mailman/listinfo/list >
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
