Date: Tue, 10 Dec 2024 15:36:29 +0100
From: "Souji Thenria"
To: "Robert" <0x1eef@protonmail.com>
Subject: Re: IPv6 MTU discovery - packet too big
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Tue Dec 10, 2024 at 3:42 AM CET, Robert wrote:
> On Mon, Dec 09, 2024 at 07:47:05PM -0300, Souji Thenria wrote:
> > Hey all,
> >
> > On a VPS, I want to create separate jails for most services and assign
> > each jail a public IPv6 address. However, I ran into an MTU issue, where
> > the external interface of the host system sends multiple ICMPv6
> > messages, stating that the received packets are too big to a remote
> > server I tried to connect to from inside a jail. And the other server is
> > ignoring these messages.
> >
> > I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to
> > manage my jails.
> >
> > The setup is as follows:
> > -- -- --
> >
> > ext_inter: This interface is connected to the internet and has a public
> > IPv6 address. It is NOT connected to the bridge.
> >
> > bridge: The bridge acts as default gateway for the jails and has a
> > public IPv6 address assigned to it.
> >
> > epair0: Is a member of the bridge.
> >
> > epair1: This interface is passed to the jail, and a public IPv6 address is
> > assigned inside the jail.
> >
> > The idea is that the jails can communicate over the bridge with each
> > other, and when communicating with hosts on the internet, the traffic is
> > routed over the ext_inter interface.
> > All interfaces have an MTU of 1500 configured.
> >
> >
> > The Problem:
> > When I try to connect to, e.g. a web server, the ext_inter interface
> > sends a lot of ICMPv6 packets saying:
> >   ICMP6, packet too big, mtu 1500, length 1240
> >
> > When I make the same request from the host itself, it works without any
> > issues. I suspect that this is because the ext_inter interface has the
> > 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU.
> > However, this shouldn't happen since the bridge and epair0/1 don't have
> > this option.
> >
> > I can also confirm that the ICMP messages pass the firewall and reach
> > the remote server. However, all servers I tried seemed to ignore that
> > message and resent their packets without fragmenting them to a fitting
> > size.
> >
> >
> > Does anyone know what the issue might be, or have they had a similar
> > problem and been able to solve it?
> >
>
> Hi !
>
> I'm no expert on this, but I had a similar experience.
>
> I came across something similar when I set up pppoe on my router, where
> all LAN computers have an MTU of 1500 but pppoe expects messages to fit
> within 1492 or less. I solved via pf.conf on the router:
>
>   match out on any from $lan:network scrub (max-mss 1440)
>
> The OpenBSD man page has a section touching on the topic:
> https://man.openbsd.org/pppoe#MTU/MSS_NEGOTIATION
>
> I hope this might help

Hi Robert,

Thanks for the idea. I tried it, but sadly, it looks like it won't solve my
problem.

Regards,
Souji

-- 
Souji Thenria
Website: www.souji-thenria.net