That's an interesting idea. Would there be anything keeping me from using my pfSense box as-is for native IPv4 connectivity while using a second box running OpenBSD or, dare I say, Linux as my IPv6 gateway connected to HE via a 6in4 tunnel? Would I still be able to use pfSense's DHCPv6 server to create and maintain v6 leases?
Thanks again.

On Thu, Aug 15, 2013 at 7:38 PM, Adam Thompson <[email protected]> wrote:

> I'm very glad this email thread has occurred... I was hoping to deploy two
> pfSense boxes as IPv6 routers.
> Now I'm wondering if I should just put in OpenBSD at least for now?
> -Adam
>
>
> Adam Hunt <[email protected]> wrote:
>
> Thanks for the explanation Chris. I did run across a bug report that seems
> to be exactly what we're running into
> (http://redmine.pfsense.org/issues/2129).
>
> Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSense
> 2.1 is based on? Also, are there any workarounds for those of us running
> 2.1? I'm not sure when 2.2 will be tagged but it would be great if there was
> some way, maybe by adjusting the MTU and/or MSS values, that those of us
> affected by this bug could use to get their v6 tunnels up and running, even if
> not at their theoretical peak efficiency.
>
> Thanks for all the help. I realize IPv6 support can be more than a little
> tricky. I really appreciate all the work that everyone has done on pfSense,
> it's a great tool.
>
> --adam
>
>
> On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler <[email protected]> wrote:
>
>> On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson <[email protected]> wrote:
>> >
>> > Even weirder…
>> >
>> > Although I can successfully ping at payload sizes up to 1432, I see
>> > another more troubling problem: there’s a “hole” where it works
>> > with payloads up to 1232, fails with payloads between 1233 and 1255
>> > inclusive, then works again with payloads 1256 bytes and above. WTF????
>> >
>>
>> The original scenario, the diff between 1232 and 1233 is that at 1233,
>> the echo request no longer fits in the minimum IPv6 size, so it's
>> fragmented.
>> 20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag (0|1232) ICMP6, echo request, seq 2, length 1232
>> 20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag (1232|176)
>>
>> no response to the fragmented request.
>>
>> 20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6, echo request, seq 0, length 1408
>> 20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6, echo reply, seq 0, length 1408
>>
>> bigger request that isn't fragmented is fine.
>>
>> If you don't specify -m on ping6 (at least with the FreeBSD ping6,
>> others are likely similar), ping6 asks the kernel to fragment packets
>> to fit the minimum IPv6 MTU, 1280.
>>
>> PF has issues with v6 fragmentation that we won't be able to address
>> until 2.2, which is the root of the problem.
>> _______________________________________________
>> List mailing list
>> [email protected]
>> http://lists.pfsense.org/mailman/listinfo/list
>>
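Added example, not part of the original thread or of pfSense: a short Python calculation of how an ICMPv6 echo request is split when the sender fragments to the 1280-byte minimum MTU, printed as the offset|length pairs tcpdump shows in the capture quoted above. The function names are hypothetical, and the 1480-byte tunnel MTU mentioned in the comment is an assumption.

```python
# Added illustration: fragment layout of an ICMPv6 echo request when the
# sender fragments to a given MTU, in tcpdump's (offset|length) notation.
IPV6_HEADER = 40      # fixed IPv6 header, bytes
FRAG_HEADER = 8       # IPv6 Fragment extension header, bytes
ICMP6_HEADER = 8      # ICMPv6 echo header, bytes
IPV6_MIN_MTU = 1280   # minimum IPv6 MTU, the value ping6 fragments to without -m


def largest_unfragmented_payload(mtu=IPV6_MIN_MTU):
    """Largest ping payload that still fits in one packet of size `mtu`.
    With an assumed 6in4 tunnel MTU of 1480 this gives 1432."""
    return mtu - IPV6_HEADER - ICMP6_HEADER


def fragment_plan(payload, mtu=IPV6_MIN_MTU):
    """Return [(offset, length), ...] for an echo request carrying `payload`
    data bytes; an empty list means the packet is sent unfragmented."""
    if payload < 0 or mtu < IPV6_MIN_MTU:
        raise ValueError("payload must be >= 0 and mtu >= 1280")
    icmp_len = ICMP6_HEADER + payload
    if IPV6_HEADER + icmp_len <= mtu:
        return []
    # Space left after the IPv6 and Fragment headers; every fragment except
    # the last must carry a multiple of 8 bytes.
    per_frag = (mtu - IPV6_HEADER - FRAG_HEADER) // 8 * 8
    plan, offset = [], 0
    while offset < icmp_len:
        length = min(per_frag, icmp_len - offset)
        plan.append((offset, length))
        offset += length
    return plan


if __name__ == "__main__":
    # Payload sizes taken from the thread: the edges of the reported "hole"
    # and the 1400-byte ping seen in the capture.
    for size in (1232, 1233, 1255, 1256, 1400):
        plan = fragment_plan(size)
        shown = " ".join(f"({o}|{n})" for o, n in plan) or "not fragmented"
        print(f"payload {size:4d}: {shown}")
```

For payloads 1233 through 1255 the second fragment carries 9 to 31 bytes, and at 1256 it carries 32; the code only computes the layout and does not explain why PF drops some of these.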
