Date: Mon, 09 Dec 2024 23:47:05 +0100
From: "Souji Thenria"
Subject: IPv6 MTU discovery - packet too big
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hey all,

On a VPS, I want to create separate jails for most services and assign each jail a public IPv6 address. However, I ran into an MTU issue, where the external interface of the host system sends multiple ICMPv6 messages, stating that the received packets are too big to a remote server I tried to connect to from inside a jail. And the other server is ignoring these messages.

I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to manage my jails.

The setup is as follows:

-- -- --

ext_inter: This interface is connected to the internet and has a public IPv6 address. It is NOT connected to the bridge.
bridge: The bridge acts as default gateway for the jails and has a public IPv6 address assigned to it.
epair0: Is a member of the bridge.
epair1: This interface is passed to the jail, and a public IPv6 address is assigned inside the jail.

The idea is that the jails can communicate over the bridge with each other, and when communicating with hosts on the internet, the traffic is routed over the ext_inter interface.

All interfaces have an MTU of 1500 configured.

The Problem:
When I try to connect to, e.g. a web server, the ext_inter interface sends a lot of ICMPv6 packets saying:

ICMP6, packet too big, mtu 1500, length 1240

When I make the same request from the host itself, it works without any issues. I suspect that this is because the ext_inter interface has the 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU. However, this shouldn't happen since the bridge and epair0/1 don't have this option.

I can also confirm that the ICMP messages pass the firewall and reach the remote server. However, all servers I tried seemed to ignore that message and resent their packets without fragmenting them to a fitting size.

Does anyone know what the issue might be, or have they had a similar problem and been able to solve it?

Regards,
Souji

-- 
Souji Thenria
Website: www.souji-thenria.net
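
Added example (not part of the original message): a small Python parser for `tcpdump -n` output that tallies ICMPv6 Packet Too Big lines of the form quoted in the post and classifies each advertised MTU against the MTU of the interface that sent it. The capture lines, the 2001:db8:: documentation addresses and the `link_mtu` parameter are constructed for illustration.

```python
import re
from collections import Counter

IPV6_MIN_MTU = 1280  # minimum link MTU required by IPv6 (RFC 8200)

# Matches the tcpdump -n rendering of an ICMPv6 Packet Too Big message.
PTB_RE = re.compile(
    r"IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, packet too big, "
    r"mtu (?P<mtu>\d+), length (?P<length>\d+)"
)

def parse_ptb(lines):
    """Yield (src, dst, mtu) for each Packet Too Big line; skip other traffic."""
    for line in lines:
        m = PTB_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["mtu"])

def summarize(lines, link_mtu):
    """Count PTB messages per (src, dst, mtu) and classify the advertised MTU.

    link_mtu is an assumed input: the MTU configured on the reporting interface.
    """
    report = []
    for (src, dst, mtu), count in sorted(Counter(parse_ptb(lines)).items()):
        if mtu < IPV6_MIN_MTU:
            verdict = "invalid: below the IPv6 minimum MTU"
        elif mtu >= link_mtu:
            # A sender whose packets already fit link_mtu has nothing to shrink.
            verdict = "no reduction: advertised MTU is not below the link MTU"
        else:
            verdict = "normal PMTUD: sender should shrink to the advertised MTU"
        report.append({"src": src, "dst": dst, "mtu": mtu,
                       "count": count, "verdict": verdict})
    return report

# Constructed sample capture, not taken from the post.
SAMPLE = """\
23:40:01.000101 IP6 2001:db8:1::1 > 2001:db8:ffff::80: ICMP6, packet too big, mtu 1500, length 1240
23:40:01.000402 IP6 2001:db8:1::1 > 2001:db8:ffff::80: ICMP6, packet too big, mtu 1500, length 1240
23:40:01.000950 IP6 2001:db8:ffff::80.443 > 2001:db8:1::10.51820: Flags [.], ack 1, win 501, length 0
23:40:02.100000 IP6 2001:db8:2::1 > 2001:db8:1::10: ICMP6, packet too big, mtu 1400, length 1240
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE, link_mtu=1500):
        print(row)
```
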