Date: Tue, 10 Dec 2024 02:42:31 +0000
To: Souji Thenria
From: Robert <0x1eef@protonmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPv6 MTU discovery - packet too big
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
On Mon, Dec 09, 2024 at 07:47:05PM -0300, Souji Thenria wrote:
> Hey all,
>
> On a VPS, I want to create separate jails for most services and assign
> each jail a public IPv6 address. However, I ran into an MTU issue, where
> the external interface of the host system sends multiple ICMPv6
> messages, stating that the received packets are too big to a remote
> server I tried to connect to from inside a jail. And the other server is
> ignoring these messages.
>
> I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to
> manage my jails.
>
> The setup is as follows:
> -- -- --
>
> ext_inter: This interface is connected to the internet and has a public
> IPv6 address. It is NOT connected to the bridge.
>
> bridge: The bridge acts as default gateway for the jails and has a
> public IPv6 address assigned to it.
>
> epair0: Is a member of the bridge.
>
> epair1: This interface is passed to the jail, and a public IPv6 address is
> assigned inside the jail.
>
> The idea is that the jails can communicate over the bridge with each
> other, and when communicating with hosts on the internet, the traffic is
> routed over the ext_inter interface.
> All interfaces have an MTU of 1500 configured.
>
>
> The Problem:
> When I try to connect to, e.g. a web server, the ext_inter interface
> sends a lot of ICMPv6 packets saying:
> ICMP6, packet too big, mtu 1500, length 1240
>
> When I make the same request from the host itself, it works without any
> issues.
> I suspect that this is because the ext_inter interface has the
> 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU.
> However, this shouldn't happen since the bridge and epair0/1 don't have
> this option.
>
> I can also confirm that the ICMP messages pass the firewall and reach
> the remote server. However, all servers I tried seemed to ignore that
> message and resent their packets without fragmenting them to a fitting
> size.
>
>
> Does anyone know what the issue might be, or have they had a similar
> problem and been able to solve it?
>

Hi!

I'm no expert on this, but I had a similar experience. I came across
something similar when I set up pppoe on my router, where all LAN
computers have an MTU of 1500 but pppoe expects messages to fit within
1492 or less.

I solved it via pf.conf on the router:

    match out on any from $lan:network scrub (max-mss 1440)

The OpenBSD man page has a section touching on the topic:
https://man.openbsd.org/pppoe#MTU/MSS_NEGOTIATION

I hope this might help
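As an added example that is not part of the thread: a small Python helper that parses the tcpdump "packet too big" summary quoted above, derives the largest TCP MSS that still fits the advertised MTU (40-byte IPv6 or 20-byte IPv4 header plus a 20-byte TCP header), and renders a pf match rule in the form Robert used. The interface name ext_inter comes from the thread; the capture lines and the rule's interface/family wording are constructed assumptions.

```python
import re

# Header sizes without options: IPv6 (RFC 8200), IPv4 (RFC 791), TCP (RFC 9293).
IPV6_HEADER = 40
IPV4_HEADER = 20
TCP_HEADER = 20

# Matches the tcpdump summary quoted in the thread:
#   "ICMP6, packet too big, mtu 1500, length 1240"
TOO_BIG_RE = re.compile(r"ICMP6, packet too big, mtu (\d+), length (\d+)")


def parse_too_big(line):
    """Return (advertised_mtu, icmp_length) from one tcpdump line, or None."""
    m = TOO_BIG_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def max_mss(link_mtu, family="inet6"):
    """Largest TCP MSS whose full segment still fits in link_mtu (pf family keywords)."""
    ip_header = IPV6_HEADER if family == "inet6" else IPV4_HEADER
    return link_mtu - ip_header - TCP_HEADER


def clamp_rule(link_mtu, family="inet6", iface="ext_inter"):
    """Render a pf match rule in the form used in the reply (iface is an assumption)."""
    return (f"match out on {iface} {family} proto tcp "
            f"scrub (max-mss {max_mss(link_mtu, family)})")


def recommend_from_capture(lines):
    """Smallest MTU advertised in the capture and the IPv6 MSS clamp that fits it."""
    mtus = [hit[0] for hit in map(parse_too_big, lines) if hit]
    if not mtus:
        return None
    smallest = min(mtus)
    return smallest, max_mss(smallest, "inet6")


# Constructed sample capture using documentation addresses (RFC 3849), not real traffic.
SAMPLE_CAPTURE = [
    "02:42:31.000001 IP6 2001:db8::1 > 2001:db8::2: ICMP6, packet too big, mtu 1500, length 1240",
    "02:42:31.000002 IP6 2001:db8::2 > 2001:db8::1: Flags [.], seq 1:1429, ack 1, win 1024, length 1428",
    "02:42:31.000003 IP6 2001:db8::1 > 2001:db8::2: ICMP6, packet too big, mtu 1500, length 1240",
]

if __name__ == "__main__":
    print(recommend_from_capture(SAMPLE_CAPTURE))  # (1500, 1440)
    print(clamp_rule(1500))          # IPv6 on a 1500-byte link, as in the question
    print(clamp_rule(1492, "inet"))  # IPv4 over a 1492-byte PPPoE link
```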