Date: Tue, 10 Dec 2024 02:42:31 +0000
From: Robert <0x1eef@protonmail.com>
To: Souji Thenria <mail@souji-thenria.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPv6 MTU discovery - packet too big
Message-ID: <ixyedl5vintdgcbuctemlqnbefcu3yzq7xxyxfha43hkiairg6@74t262kgtwp3>
In-Reply-To: <D67JA9B6KWZ8.M2G1BLK8A6KZ@souji-thenria.net>
References: <D67JA9B6KWZ8.M2G1BLK8A6KZ@souji-thenria.net>
On Mon, Dec 09, 2024 at 07:47:05PM -0300, Souji Thenria wrote:
> Hey all,
>
> On a VPS, I want to create separate jails for most services and assign
> each jail a public IPv6 address. However, I ran into an MTU issue, where
> the external interface of the host system sends multiple ICMPv6
> messages, stating that the received packets are too big to a remote
> server I tried to connect to from inside a jail. And the other server is
> ignoring these messages.
>
> I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to
> manage my jails.
>
> The setup is as follows:
> <epair1> -- <epair0> -- <bridge> -- <ext_inter>
>
> ext_inter: This interface is connected to the internet and has a public
> IPv6 address. It is NOT connected to the bridge.
>
> bridge: The bridge acts as default gateway for the jails and has a
> public IPv6 address assigned to it.
>
> epair0: Is a member of the bridge.
>
> epair1: This interface is passed to the jail, and a public IPv6 address is
> assigned inside the jail.
>
> The idea is that the jails can communicate over the bridge with each
> other, and when communicating with hosts on the internet, the traffic is
> routed over the ext_inter interface.
> All interfaces have an MTU of 1500 configured.
>
>
> The Problem:
> When I try to connect to, e.g. a web server, the ext_inter interface
> sends a lot of ICMPv6 packets saying:
> ICMP6, packet too big, mtu 1500, length 1240
>
> When I make the same request from the host itself, it works without any
> issues. I suspect that this is because the ext_inter interface has the
> 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU.
> However, this shouldn't happen since the bridge and epair0/1 don't have
> this option.
>
> I can also confirm that the ICMP messages pass the firewall and reach
> the remote server. However, all servers I tried seemed to ignore that
> message and resent their packets without fragmenting them to a fitting
> size.
>
>
> Does anyone know what the issue might be, or have they had a similar
> problem and been able to solve it?
>

Hi!

I'm no expert on this, but I had a similar experience. I came across
something similar when I set up pppoe on my router, where all LAN
computers have an MTU of 1500 but pppoe expects messages to fit within
1492 or less.

I solved it via pf.conf on the router:

match out on any from $lan:network scrub (max-mss 1440)

The OpenBSD man page has a section touching on the topic:
https://man.openbsd.org/pppoe#MTU/MSS_NEGOTIATION

I hope this might help
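The pf rule in the reply above sidesteps path MTU discovery entirely: it rewrites the MSS option in outgoing TCP SYNs, so the remote host never sends a segment that would not fit the path, whether or not it honours Packet Too Big. As an added example that is not code from this thread, the Python below performs that rewrite by hand on a constructed IPv6 SYN (addresses from the 2001:db8::/32 documentation prefix; an IPv6 header with no extension headers is assumed, and the constants, function names and sample packet are this example's own). It also shows the arithmetic behind a max-mss value: for IPv6, path MTU minus 40 (IPv6 header) minus 20 (TCP header), so 1500 gives 1440 and a 1492-byte PPPoE link gives 1432. The checksum is recomputed over the IPv6 pseudo-header, which a real firewall must do or the clamped SYN is discarded by the receiver.

```python
"""Added example (not from the thread): what pf `scrub (max-mss N)` does
to a TCP SYN, modelled on a constructed IPv6 packet with no extension
headers.  Addresses are from the 2001:db8::/32 documentation prefix."""
import struct

IPV6_HDR_LEN = 40
TCP_HDR_LEN = 20          # fixed TCP header; options follow it
PROTO_TCP = 6
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def max_mss_for_mtu(path_mtu: int) -> int:
    """Largest MSS fitting one IPv6 packet: MTU - 40 (IPv6) - 20 (TCP).
    1500 -> 1440, 1492 (PPPoE) -> 1432.  IPv4 headers are 20 bytes, so the
    IPv4 bound is 20 higher than this."""
    return path_mtu - IPV6_HDR_LEN - TCP_HDR_LEN


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp6_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv6 pseudo-header (src, dst, length, next
    header).  With the checksum field already filled in, a valid segment
    yields 0, so this doubles as the verifier."""
    pseudo = src + dst + struct.pack("!I3xB", len(tcp), PROTO_TCP)
    return (~_ones_complement_sum(pseudo + tcp)) & 0xFFFF


def _tcp_options(tcp: bytes):
    """Yield (offset, kind, length) per option; stop at EOL or at the
    first malformed option instead of reading past the header."""
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return
        yield i, kind, length
        i += length


def mss_of(packet: bytes):
    """MSS option value of a SYN, or None if it carries none."""
    tcp = packet[IPV6_HDR_LEN:]
    for off, kind, length in _tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Lower a SYN's MSS option to max_mss, as pf's max-mss does.  Non-TCP
    packets, non-SYN segments and already-small MSS are left untouched."""
    if packet[6] != PROTO_TCP:           # next header must be TCP directly
        return packet
    src, dst = packet[8:24], packet[24:40]
    tcp = bytearray(packet[IPV6_HDR_LEN:])
    if not tcp[13] & TCP_FLAG_SYN:
        return packet
    changed = False
    for off, kind, length in _tcp_options(bytes(tcp)):
        if kind == TCP_OPT_MSS and length == 4:
            if struct.unpack_from("!H", tcp, off + 2)[0] > max_mss:
                struct.pack_into("!H", tcp, off + 2, max_mss)
                changed = True
    if not changed:
        return packet
    tcp[16:18] = b"\x00\x00"             # zero the field, then recompute
    struct.pack_into("!H", tcp, 16, tcp6_checksum(src, dst, bytes(tcp)))
    return packet[:IPV6_HDR_LEN] + bytes(tcp)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample input: an IPv6 TCP SYN with MSS and window-scale
    options, checksum filled in."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([TCP_OPT_NOP, 3, 3, 7])
    data_off = (TCP_HDR_LEN + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      data_off << 4, TCP_FLAG_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp6_checksum(src, dst, tcp)) + tcp[18:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(tcp), PROTO_TCP, 64) + src + dst
    return ip6 + tcp


JAIL = bytes.fromhex("20010db8000000000000000000000002")    # constructed
REMOTE = bytes.fromhex("20010db8000000000000000000000001")  # constructed

if __name__ == "__main__":
    syn = build_syn(JAIL, REMOTE, 40000, 443, 8940)      # jumbo-sized MSS
    clamped = clamp_mss(syn, max_mss_for_mtu(1500))      # as max-mss 1440
    print("before:", mss_of(syn), "after:", mss_of(clamped),
          "checksum ok:", tcp6_checksum(JAIL, REMOTE, clamped[40:]) == 0)
```

Run it as a script to see the MSS drop from 8940 to 1440 with the checksum still valid. The option walker deliberately stops on a malformed length rather than raising, because a firewall that can be crashed by a crafted option list is worse than one that merely passes the packet through unclamped.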