Netgate SG-1000 microFirewall

Author Topic: Changing AdvLinkMTU when using NPt  (Read 538 times)

0 Members and 1 Guest are viewing this topic.

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #15 on: December 28, 2017, 09:09:30 am »
Quote
AC3200 is acting as my main gateway, and I want to use it as DHCP server for local and VPN clients.

If they were using 6rd, there'd be no need for he.net.  Either method creates an IPv6 tunnel, but you wouldn't use both.  So, it's either 6rd or he.net.  Take your pick.

Offline FuN_KeY

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #16 on: December 29, 2017, 03:03:50 am »
I was able to capture the packet too big on wireshark. Everything looks good, except for my Windows 10 client that appear to ignore this value.

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #17 on: December 29, 2017, 06:11:48 am »
I was able to capture the packet too big on wireshark. Everything looks good, except for my Windows 10 client that appear to ignore this value.

So, it continues to send 1500 byte packets, despite the too big message?  I certainly never had a problem running Windows on IPv6, back when I used a tunnel.

Offline Napsterbater

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +3/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #18 on: December 29, 2017, 06:59:45 am »
I was able to capture the packet too big on wireshark. Everything looks good, except for my Windows 10 client that appear to ignore this value.

So, it continues to send 1500 byte packets, despite the too big message?  I certainly never had a problem running Windows on IPv6, back when I used a tunnel.

Agreed,, I have never had an issues with PMTUD on Winows since XP..


Offline Napsterbater

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +3/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #19 on: December 29, 2017, 07:01:46 am »
I was able to capture the packet too big on wireshark. Everything looks good, except for my Windows 10 client that appear to ignore this value.

Any 3rd party firewall?/security software? Have you made any canges to the windows firewall.

Offline FuN_KeY

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #20 on: December 29, 2017, 11:02:55 am »
Nope, vanilla windows 10 (tested on the host and in a VM with a fresh windows install)

I did attach 2 captures. In the first one, one can see the packet too big. And in the second you can see some errors beyond my basic understanding of wireshark.

I did filter the capture over traffic towards a web site (www.swisscom.ch) + icmpv6. Sadly the website I am having problem with uses SSL, so the capture is not that clear.

If I edit the services.inc to let radvd advertise a MTU of 1280 (or even 1480 - despite the 6RD being configured to use 1280) everything works fine.

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #21 on: December 29, 2017, 11:34:09 am »
I haven't seen those errors before either, however it appears something might be corrupting the Ethernet frames.  There's the malformed packet error, which means there was a problem somewhere causing bit errors in the frame.  That might also be the cause of the segment errors.  There's not enough info shown to know where the problem is coming from.  Do other computers have the same problem?  If only one has the problem, I'd suspect something like a defective NIC.  The 1480 MTU shows PMTUD is working.  What other equipment is there between the Windows computer and pfSense?  Again those malformed packet, frame check sequence incorrect errors make me suspect hardware.

Offline Napsterbater

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +3/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #22 on: December 29, 2017, 11:51:14 am »
I just thought of something to. Is that the only site you have an issue with when you let it advertised a 1500 MTU. Because I noticed something from that site when I ran a certain test to it. I'll link and show it in a minute when I get a chance

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #23 on: December 29, 2017, 12:09:29 pm »
I just thought of something to. Is that the only site you have an issue with when you let it advertised a 1500 MTU. Because I noticed something from that site when I ran a certain test to it. I'll link and show it in a minute when I get a chance

The site shouldn't cause Ethernet frame errors, as he appears to be getting.

Offline Napsterbater

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +3/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #24 on: December 29, 2017, 12:23:11 pm »
I just thought of something to. Is that the only site you have an issue with when you let it advertised a 1500 MTU. Because I noticed something from that site when I ran a certain test to it. I'll link and show it in a minute when I get a chance

The site shouldn't cause Ethernet frame errors, as he appears to be getting.
Agreed. But I'm wondering if there's not two issues and while that is of course a problem maybe not the problem for that site.

See this
https://www.ipv6alizer.se?address=https://www.swisscom.ch
Vs
https://www.ipv6alizer.se?address=https://Www.facebook.com

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #25 on: December 29, 2017, 12:32:42 pm »
Wow, the "Output" on that site is impossible to read, with the faint green text.  I had to cut 'n paste it into another app, to read it.  Why do some people create sites that are unreadable?

Offline FuN_KeY

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #26 on: December 30, 2017, 06:09:03 am »
Yep this is strange. I did some more testing, and I am also getting weird errors when I set router advertisement to 1280 (but traffic works, beside wireshark, everything is green)

I am unsure about bad hardware, as ipv4 works fine. Pretty much everything runs on VMs, on intel NICs. As IPv6 is not vital and that I do not see any easy way to get this sorted I might not invest too much effort in getting this working. In any case, I will report my findings here

In any case, thank everyone for the help.

Offline Napsterbater

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +3/-0
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #27 on: December 30, 2017, 08:39:23 am »
Yep this is strange. I did some more testing, and I am also getting weird errors when I set router advertisement to 1280 (but traffic works, beside wireshark, everything is green)

I am unsure about bad hardware, as ipv4 works fine. Pretty much everything runs on VMs, on intel NICs. As IPv6 is not vital and that I do not see any easy way to get this sorted I might not invest too much effort in getting this working. In any case, I will report my findings here

In any case, thank everyone for the help.
You never mentioned if this effects any other site. Other then that one.

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changing AdvLinkMTU when using NPt
« Reply #28 on: December 30, 2017, 11:08:17 am »
Quote
I am unsure about bad hardware, as ipv4 works fine.

If you're getting CRC errors, you have a hardware problem that has nothing to do with IP or web site.  It could be a bad NIC, switch port, cable connection, etc., but something physical is causing that.  Are you certain you don't see any similar errors with IPv4?  You can try pinging with different size packets to test and you can also force either IPv4 or IPv6 when testing.  Do you get similar errors if you use a different computer?