I'm very glad this email thread has occurred... I was hoping to deploy two pfSense boxes as IPv6 routers. Now I'm wondering if I should just put in OpenBSD at least for now?

-Adam

Adam Hunt <[email protected]> wrote:
>Thanks for the explanation Chris. I did run across a bug report that seems to
>be exactly what we're running into (http://redmine.pfsense.org/issues/2129).
>
>
>Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSense 2.1
>is based on? Also, are there any workarounds for those of us running 2.1? I'm
>not sure when 2.2 will be tagged but it would be great if there was some way,
>maybe by adjusting the MTU and/or MSS values, that those of us affected by
>this bug could get their v6 tunnels up and running, even if not at their
>theoretical peak efficiency.
>
>
>Thanks for all the help. I realize IPv6 support can be more than a little
>tricky. I really appreciate all the work that everyone has done on pfSense,
>it's a great tool.
>
>
>--adam
>
>
>
>On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler <[email protected]> wrote:
>
>On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson <[email protected]> wrote:
>>
>> Even weirder…
>>
>> Although I can successfully ping at payload sizes up to 1432, I see another
>> more troubling problem: there’s a “hole” where it works
>> with payloads up to 1232, fails with payloads between 1233 and 1255
>> inclusive, then works again with payloads 1256 bytes and above.
>> WTF????
>>
>
>The original scenario, the diff between 1232 and 1233 is that at 1233,
>the echo request no longer fits in the minimum IPv6 size, so it's
>fragmented.
>20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag (0|1232) ICMP6, echo request, seq 2, length 1232
>20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag (1232|176)
>
>no response to the fragmented request.
>
>20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6, echo request, seq 0, length 1408
>20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6, echo reply, seq 0, length 1408
>
>bigger request that isn't fragmented is fine.
>
>If you don't specify -m on ping6 (at least with the FreeBSD ping6,
>others are likely similar), ping6 asks the kernel to fragment packets
>to fit the minimum IPv6 MTU, 1280.
>
>PF has issues with v6 fragmentation that we won't be able to address
>until 2.2, which is the root of the problem.
>
>_______________________________________________
>List mailing list
>[email protected]
>http://lists.pfsense.org/mailman/listinfo/list
>
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
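The fragment sizes in the tcpdump output quoted above follow from the 1280-byte minimum IPv6 MTU. The sketch below is an added example, not part of the original thread: it computes the fragment layout for an ICMPv6 echo request of a given payload size, in tcpdump's `(offset|length)` notation. The function names are hypothetical, and it assumes no extension headers other than the Fragment header and a sender that fills each fragment to the MTU.

```python
# Added illustration (not from the thread): fragment layout of an ICMPv6
# echo request when the sender fragments to a given MTU.
IPV6_HEADER = 40         # fixed IPv6 header, bytes
FRAG_HEADER = 8          # IPv6 Fragment extension header, bytes
ICMPV6_ECHO_HEADER = 8   # type, code, checksum, identifier, sequence
IPV6_MIN_MTU = 1280      # minimum link MTU every IPv6 path must support


def max_unfragmented_payload(mtu=IPV6_MIN_MTU):
    """Largest ping6 payload that still fits in one packet at this MTU."""
    return mtu - IPV6_HEADER - ICMPV6_ECHO_HEADER


def fragment_layout(payload, mtu=IPV6_MIN_MTU):
    """Return [(offset, length), ...] for the fragmentable part (ICMPv6
    header plus payload), or [] when the packet fits without fragmenting."""
    if payload < 0:
        raise ValueError("payload must be non-negative")
    if mtu < IPV6_MIN_MTU:
        raise ValueError("IPv6 requires an MTU of at least 1280")
    total = ICMPV6_ECHO_HEADER + payload
    if IPV6_HEADER + total <= mtu:
        return []
    # Every fragment except the last must carry a multiple of 8 bytes.
    per_fragment = (mtu - IPV6_HEADER - FRAG_HEADER) // 8 * 8
    layout, offset = [], 0
    while offset < total:
        length = min(per_fragment, total - offset)
        layout.append((offset, length))
        offset += length
    return layout


def tcpdump_notation(payload, mtu=IPV6_MIN_MTU):
    """Render the layout the way tcpdump prints it: 'frag (offset|length)'."""
    return ["frag (%d|%d)" % frag for frag in fragment_layout(payload, mtu)]


if __name__ == "__main__":
    # 1400 matches the capture quoted in the thread; the other sizes are the
    # payload boundaries reported there.
    for size in (1232, 1233, 1255, 1256, 1400):
        print(size, tcpdump_notation(size) or "not fragmented")
```
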
