Path MTU Hole?
Shadow Hawkins on Sunday, 20 January 2013 16:54:39
Running the ICSI Netalyzr I'm getting:
"Your system can not send or receive fragmented traffic over IPv6.
The path between your network and our system supports an MTU of at least 1280 bytes. The path between our system and your network has an MTU of 1280 bytes. The bottleneck is at IP address [SiXXS POP IPv6 Address]. The path between our system and your network does not appear to handle fragmented IPv6 traffic properly."
Any ideas?
(Running aiccu on an OpenBSD box in a one-to-one NAT)
Path MTU Hole?
Jeroen Massar on Sunday, 20 January 2013 17:10:24
This is not a Path MTU hole, Netalyzr is just telling you that between your end of the tunnel and the PoP there is a MTU of 1280.
What is interesting is the next portion though "The path between our system and your network does not appear to handle fragmented IPv6 traffic properly." as that would indicate that some system on the path is dropping ICMPv6 Packet Too Big packets.
As such, do check where that happens, thus check your firewall rules, ICMP is important. See the FAQ for the details.
Note that sixxsd does not drop ICMP or any other kind of packet, especially as that would make tunneling fail quite horribly as every tunnel has a lower MTU than 1500. Do also note that one can change the MTU, see the FAQ for the details.
Path MTU Hole?
Shadow Hawkins on Sunday, 20 January 2013 18:21:09
You were right, I was dropping "Too Big" ICMP packets.
Now that I'm not, with "pass in inet6 proto icmp6 all" in my pf.conf, it still seems to be happening.
Path MTU Hole?
Jeroen Massar on Sunday, 20 January 2013 21:33:37 with "pass in inet6 proto icmp6 all" in my pf.conf
But where in the config, rule ordering is very important. Also, it needs to be active for things to work.
it still seems to be happening
What seems to happen?
Path MTU Hole?
Shadow Hawkins on Thursday, 24 January 2013 16:36:32
Might be a pf configuration issue.
# pfctl -s rules
Will show how pf is interpreting and ordering the rules in pf.conf. My rule for this is slightly different, I've got it configured as
pass proto ipv6-icmp from any to any
AAUI this will permit it to pass through if ipv6 routing is enabled. pass in will only allow it as far as your OpenBSD router.
Posting is only allowed when you are logged in. |