JamesL
956 posts

Ultimate Geek
+1 received by user: 342
Inactive user


  #1307907 19-May-2015 18:22

Out of interest where did you enable MSS clamping on pfsense?



bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1308066 19-May-2015 22:21

Interfaces menu --> WAN - In the top section under your WAN device configuration.

I set this to 1460.





JamesL
956 posts

Ultimate Geek
+1 received by user: 342
Inactive user


  #1308090 19-May-2015 22:53

So obvious.. must've glanced over that so many times -_-



fe31nz
1295 posts

Uber Geek
+1 received by user: 423


  #1308105 20-May-2015 03:02

bonkas, I was wondering why you are having problems with the packet sizes, as IPv6 is supposed to handle that properly.  So is pfSense by any chance set up to drop ICMPv6 packets coming into your network?  Unlike IPv4, IPv6 requires quite a few ICMPv6 packet types in order to be able to work properly.  If you want full information on this, take a look at the relevant RFC:

  https://www.ietf.org/rfc/rfc4890.txt

But the absolute minimum ICMPv6 types needed (copied from the RFC) are:

   o  Destination Unreachable (Type 1) - All codes
   o  Packet Too Big (Type 2)
   o  Time Exceeded (Type 3) - Code 0 only
   o  Parameter Problem (Type 4) - Codes 1 and 2 only

In particular, if it is dropping Packet Too Big packets, then you are guaranteed to have packet size problems as MTU Path Discovery will not work, and IPv6 will never fragment packets when they are too big, they will just be dropped.
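
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of one full-size TCP segment crossing a path whose MTU is smaller than the sender's link MTU, with a firewall that either passes the listed ICMPv6 types or drops everything. The 1492-byte path MTU, the policy names and all function names are assumptions made for the illustration.

```python
"""Constructed model of IPv6 Path MTU Discovery behind a firewall."""

IPV6_HDR, TCP_HDR = 40, 20  # fixed IPv6 header, TCP header without options

# Minimum ICMPv6 set quoted in the post: type -> allowed codes (None = all)
MUST_PASS = {
    1: None,      # Destination Unreachable, all codes
    2: None,      # Packet Too Big
    3: {0},       # Time Exceeded, code 0 only
    4: {1, 2},    # Parameter Problem, codes 1 and 2 only
}


def firewall_allows(icmp_type, code, policy):
    """policy: 'rfc4890-min' (the list above) or 'drop-all' (hypothetical names)."""
    if policy == "drop-all" or icmp_type not in MUST_PASS:
        return False
    codes = MUST_PASS[icmp_type]
    return codes is None or code in codes


def tcp_transfer(link_mtu, path_mtu, policy, mss_clamp=None, max_tries=5):
    """Send one full-size segment; return (delivered, packet_size, tries)."""
    mss = link_mtu - IPV6_HDR - TCP_HDR
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)      # clamp rewrites the MSS in the SYN
    pmtu = link_mtu                    # sender's current path MTU estimate
    size = 0
    for attempt in range(1, max_tries + 1):
        size = min(mss + IPV6_HDR + TCP_HDR, pmtu)
        if size <= path_mtu:
            return True, size, attempt
        # The router in front of the narrow link drops the packet and sends
        # Packet Too Big (type 2, code 0) back towards the sender.
        if firewall_allows(2, 0, policy):
            pmtu = path_mtu            # sender learns the smaller MTU
        # Otherwise the sender hears nothing and retransmits the same size.
    return False, size, max_tries


if __name__ == "__main__":
    # Constructed scenario: 1500-byte LAN, assumed 1492-byte upstream path.
    for policy, clamp in [("rfc4890-min", None), ("drop-all", None),
                          ("drop-all", 1432)]:
        print(policy, clamp, tcp_transfer(1500, 1492, policy, clamp))
```

With Packet Too Big filtered, the model only delivers the segment when the MSS is clamped; clamping applies to TCP only, so other IPv6 traffic still depends on the ICMPv6 messages getting through.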

bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1308159 20-May-2015 08:55

pfsense blocks incoming ICMP traffic by default - This is something I had not thought of. I will try opening this up and see if anything changes.

I was not seeing any blocked ICMP traffic in the firewall logs either which is strange, like it being blocked further up the chain.





fe31nz
1295 posts

Uber Geek
+1 received by user: 423


  #1308687 20-May-2015 17:56

You probably need to allow IPv4 ICMP "Packet Too Big" packets in as well now - modern TCP/IP stacks use MTU Path Discovery in IPv4 also, but they fall back to fragmenting packets if necessary.  I allow in pretty much the same IPv4 ICMP packets as I do for ICMPv6.

 
 
 
 

bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1308708 20-May-2015 18:15

I have allowed all ICMP traffic for IPv4 and IPv6, I can get to facebook on my desktop now but many images, scripts are not loading. Websites such as geekzone are loading indefinitely as it is failing to connect to the google ad services etc.





bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1308830 20-May-2015 20:33

Hmm Okay it was my PC being weird. After adding the firewall rules and refreshing my network adaptor I get 10/10 for test.ipv6.com but same old issues of pages not fully loading, no facebook, google services, one drive not working etc etc.

I can only resolve this with mss clamping.

I have disabled ipv6 again so I can get some work done.

Reading Many, many articles on the issue but have not come up with any solutions yet.

Can anyone else running pfsense through snap with IPv6 enabled let me know of your settings?





Lorenceo
904 posts

Ultimate Geek
+1 received by user: 336

Trusted

  #1308899 20-May-2015 21:49

If MSS clamping solves the issue why not leave it on?

bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1309852 22-May-2015 12:51

Lorenceo: If MSS clamping solves the issue why not leave it on?


Although this appeared to resolve the issue. I was being yelled at by the missus when one of her "obscure" websites I would never visit wasn't working.

Easiest way out was to disable ipv6 for now and keep the peace at home :)

I will be away this weekend so won't be able to try again but I am still keen to get this working 100%, just gotta track down where the issue is to resolve this 100%.





sorceror
163 posts

Master Geek
+1 received by user: 47


  #1309873 22-May-2015 13:28

^ try dropping the segment size even lower, I'd start at 1420-1430 then tweak

 
 
 
 

grudge
266 posts

Ultimate Geek
+1 received by user: 26


  #1334625 1-Jul-2015 08:43

Did you have any luck with this bonkas? I'm about to try and get this working with pfsense on WXC and was curious about your end result.

bonkas

315 posts

Ultimate Geek
+1 received by user: 12


  #1334684 1-Jul-2015 09:31

sorceror: ^ try dropping the segment size even lower, I'd start at 1420-1430 then tweak


I haven't had a chance to try this.

Although changing the clamping and segment size seems to have resolved some websites.. Mobile Facebook, TVNZ On Demand, Spotify refuse to work at all - Among other obscure websites.

For now I have turned IPv6 off as the downtime testing this is a real inconvenience.

I will need some motivation to try again as everything is working with it off and I don't "need" IPv6 haha




