Date: Mon, 09 Dec 2024 23:47:05 +0100
From: "Souji Thenria" <mail@souji-thenria.net>
To: <freebsd-questions@freebsd.org>
Subject: IPv6 MTU discovery - packet too big
Message-ID: <D67JA9B6KWZ8.M2G1BLK8A6KZ@souji-thenria.net>

Hey all,

On a VPS, I want to create separate jails for most services and assign each jail a public IPv6 address. However, I ran into an MTU issue, where the external interface of the host system sends multiple ICMPv6 messages, stating that the received packets are too big to a remote server I tried to connect to from inside a jail. And the other server is ignoring these messages.

I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to manage my jails.

The setup is as follows:

<epair1> -- <epair0> -- <bridge> -- <ext_inter>

ext_inter: This interface is connected to the internet and has a public IPv6 address. It is NOT connected to the bridge.
bridge: The bridge acts as default gateway for the jails and has a public IPv6 address assigned to it.
epair0: Is a member of the bridge.
epair1: This interface is passed to the jail, and a public IPv6 address is assigned inside the jail.

The idea is that the jails can communicate over the bridge with each other, and when communicating with hosts on the internet, the traffic is routed over the ext_inter interface. All interfaces have an MTU of 1500 configured.

The Problem:

When I try to connect to, e.g. a web server, the ext_inter interface sends a lot of ICMPv6 packets saying:

ICMP6, packet too big, mtu 1500, length 1240

When I make the same request from the host itself, it works without any issues. I suspect that this is because the ext_inter interface has the 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU. However, this shouldn't happen since the bridge and epair0/1 don't have this option.

I can also confirm that the ICMP messages pass the firewall and reach the remote server. However, all servers I tried seemed to ignore that message and resent their packets without fragmenting them to a fitting size.

Does anyone know what the issue might be, or have they had a similar problem and been able to solve it?

Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net
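
Added example, not part of the original message: a decoder for the ICMPv6 Packet Too Big message the post describes, which reads the reported MTU and, from the IPv6 header embedded in the error, the size and endpoints of the packet that was rejected. The addresses, the Payload Length value and the helper names are constructed for illustration; the sample is sized to 1240 bytes to match the length in the tcpdump line above.

```python
import ipaddress
import struct

ICMP6_PACKET_TOO_BIG = 2   # ICMPv6 type (RFC 4443)
IPV6_HEADER_LEN = 40


def parse_packet_too_big(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Packet Too Big message, starting at its Type byte."""
    if len(icmp6) < 8 + IPV6_HEADER_LEN:
        raise ValueError("too short to hold the invoking IPv6 header")
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != ICMP6_PACKET_TOO_BIG:
        raise ValueError(f"not Packet Too Big (type {msg_type})")
    inner = icmp6[8:]  # as much of the rejected packet as fit in the error
    vtf, payload_len, next_hdr, _hops = struct.unpack("!IHBB", inner[:8])
    if vtf >> 28 != 6:
        raise ValueError("embedded packet is not IPv6")
    # Size of the packet as the reporting interface saw it.
    original_size = IPV6_HEADER_LEN + payload_len
    return {
        "mtu": mtu,
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_hdr,
        "original_size": original_size,
        "exceeds_by": original_size - mtu,
    }


def build_sample() -> bytes:
    """Constructed sample, not a capture: documentation addresses, zero checksum."""
    src = ipaddress.IPv6Address("2001:db8::80").packed    # hypothetical remote server
    dst = ipaddress.IPv6Address("2001:db8:1::10").packed  # hypothetical jail address
    # Payload Length 2856 is an invented value; next header 6 = TCP.
    inner_hdr = struct.pack("!IHBB", 6 << 28, 2856, 6, 57) + src + dst
    inner = inner_hdr + bytes(1232 - len(inner_hdr))      # pad to 1232 bytes
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, 1500) + inner


if __name__ == "__main__":
    msg = build_sample()
    print(len(msg), parse_packet_too_big(msg))
```

The `original_size` field is the value to compare against the configured interface MTU when reading such a message out of a capture.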