Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4


242 posts

Master Geek
+1 received by user: 11


  Reply # 1306324 16-May-2015 15:29
Send private message

Okay heres the info you needed.

nslookup:
nslookup facebook.com
Server:  pfsense.home
Address:  2406:e000:e1e8:0:20c:29ff:fec0:f7a7

Non-authoritative answer:
Name:    facebook.com
Addresses:  2a03:2880:2130:cf05:face:b00c:0:1
          173.252.120.6

tracert 2a03:2880:2130:cf05:face:b00c:0:1

Tracing route to edge-star6-shv-12-frc3.facebook.com [2a03:2880:2130:cf05:face:b00c:0:1]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  pfsense.home [2406:e000:e1e8:0:20c:29ff:fec0:f7a7]
  2     9 ms    11 ms    11 ms  2406:e000:97:1::1
  3     *        *        *     Request timed out.
  4    29 ms    29 ms    33 ms  23655.syd.equinix.com [2001:de8:6::2:3655:1]
  5    29 ms    29 ms    29 ms  32934.syd.equinix.com [2001:de8:6::3:2934:1]
  6   228 ms   228 ms   228 ms  be23.bb01.lax1.tfbnw.net [2620:0:1cff:dead:beef::304]
  7   204 ms   204 ms   204 ms  ae27.bb02.atl1.tfbnw.net [2620:0:1cff:dead:beef::c68]
  8   210 ms   211 ms   210 ms  ae5.bb05.frc3.tfbnw.net [2620:0:1cff:dead:beef::f9]
  9   247 ms   303 ms   234 ms  be35.bb02.frc3.tfbnw.net [2620:0:1cff:dead:beef::ac]
 10   210 ms   210 ms   210 ms  ae29.dr06.frc3.tfbnw.net [2620:0:1cff:dead:beef::a2b]
 11   237 ms   237 ms   237 ms  po1020.csw12c.frc3.tfbnw.net [2620:0:1cff:dead:beef::25f]
 12     *        *        *     Request timed out.
 13   227 ms   227 ms   227 ms  edge-star6-shv-12-frc3.facebook.com [2a03:2880:2130:cf05:face:b00c:0:1]

Trace complete.

I will run wireshark and see if i can pick up on anything.

EDIT: I have captured the relevant packets of trying to load the facebook webpage but from here I am not sure what I am looking for - can you point me in the right direction?





363 posts

Ultimate Geek
+1 received by user: 75


  Reply # 1306417 16-May-2015 20:24
Send private message

The traceroute looks fine - just like mine, which it should as we are both on Snap.

When I go to [2a03:2880:2130:cf05:face:b00c:0:1] in Firefox with Wireshark watching, I see a TCP connection to that address start with a SYN/ACK sequence, then an HTTP Get command is transmitted over the TCP connection and the Facebook site replies with 301 "Moved permanently" response, directing Firefox to fetch another page: "http://www.facebook.com/".  Firefox then goes and fetches the new page, on a different IPv6 address: [2a03:2880:2130:7f07:face:b00c:0:1] - it opens a new TCP connection to that address with the usual SYN/ACK sequence, and then starts talking on the TCP connection in TLSv1.2 encrypted traffic as it loads the Facebook front page.

Because of the transfer to a new server address, I had to change the capture filter I was using in Wireshark to include the new address in order to see everything:

  ip6 and (icmp6 or host 2a03:2880:2130:cf05:face:b00c:0:1 or host 2a03:2880:2130:7f07:face:b00c:0:1)

But that probably does not matter - if your capture is showing that first IPv6 TCP/HTTP connection to 2a03:2880:2130:cf05:face:b00c:0:1, then IPv6 is working properly, so we need to confirm that first.  I have posted a copy of my capture on my web server as:

  http://www.jsw.gen.nz/facebook_IPv6_capture.pcapng

You can save your Wireshark capture and load mine to see what it looks like to compare with yours.  If you have not changed the Wireshark defaults, the first IPv6 TCP/HTTP conversation with 2a03:2880:2130:cf05:face:b00c:0:1 is coloured in light green.



242 posts

Master Geek
+1 received by user: 11


  Reply # 1306724 17-May-2015 18:49
Send private message

Yep, Does not seem I am getting the "get" packets.

here is my log: http://www.bonkas.kiwi.nz/pcap-facebook-ipv6-firefox2.pcapng

If you could browse your eyes over my log that would be great. Sooms like your very knowledgable in this area!





363 posts

Ultimate Geek
+1 received by user: 75


  Reply # 1306863 17-May-2015 21:40
Send private message

Your capture does not show the HTTP redirection that I get from the initial web server (2a03:2880:2130:cf05:face:b00c:0:1) to the second web server (2a03:2880:2130:7f07:face:b00c:0:1).  Instead, your Firefox seems to be talking to both servers at once, using TLS1.2 encrypted HTTPS.  The conversation with the initial web server is fairly short, but seems to be complete.  The conversation with the second web server looks much like what I got with that server - longer, transferring enough data to be able to display the Facebook front page.  So Firefox should have been able to display a page for you.  Did you get anything at all displayed?  Or was it still twirling its little "I am still downloading" widget on the tab for the page?

I am guessing that you might have been using a bookmark to go to Facebook, and that bookmark used https instead of http and that was what caused the difference between our captures.  Is that correct?  If so, please try going to http://www.facebook.com and see what happens.

In any case, IPv6 seems to be functioning completely correctly - it is able to do TCP connections to the site.  The problem seems to be elsewhere.

PS If you want to follow one TCP conversation in Wireshark, click on a TCP SYN packet that starts a TCP connection, then use Analyze > Follow TCP stream.  Close the popup window and then you will just have the data for that one conversation displayed.  In the Filter toolbar, click Clear when you want to go back to the full display again.



242 posts

Master Geek
+1 received by user: 11


  Reply # 1306878 17-May-2015 22:16
Send private message

Firefox is displaying the page title and nothing else, page load never completes, only get the twirling "loading" icon.

Chrome give me the Page title, tells me the page load is complete but page is blank.

Facebok phone app is also not functioning at all.

Any websites with "Like on facebook" etc and some google ads are also failing to display.

I dont think I know enough about inspecting wireshark data to troubleshoot this further.
.
To add - I was not using a bookmark, manually typing the webpage in and browsing to it each time. Fresh Win7 and Win10 VM is exhibiting the same issue





796 posts

Ultimate Geek
+1 received by user: 262

Trusted

  Reply # 1306892 17-May-2015 22:45
One person supports this post
Send private message

The symptoms you describe sound very similar to the ones I've had in the past where my router was telling clients the IPv6 MTU was 1500 when it was in fact 1492. When the MTU was set correctly v6 traffic worked without issue.

Looking at your pcap the MTU in the router advertisements is 1500. Try setting the IPv6 MTU on your box to 1492 and see if you can get Facebook to load.

netsh interface ipv6 show subinterfaces
netsh interface ipv6 set subinterface "name of adapter" mtu=1492



242 posts

Master Geek
+1 received by user: 11


  Reply # 1307360 18-May-2015 17:31
Send private message

Setting MTU to 1492 at the pfsense level seems to have resolved it... I appreciate everyones input to resolving this. I will continue to test it.

You guys will be the first to know if I have any issues with this :)





796 posts

Ultimate Geek
+1 received by user: 262

Trusted

  Reply # 1307364 18-May-2015 17:37
One person supports this post
Send private message

Good to hear. :)



242 posts

Master Geek
+1 received by user: 11


  Reply # 1307389 18-May-2015 18:44
Send private message

Spoke too soon. Appears to have fixed the desktop facebook website (only one a single PC it seems) this does not make sence... but same symtoms are being exhibited on mobile devices with the m.facebook.com page. m.facebook.com also fails to load under firefox, chrome and IE on desktop.

Also noticing alot of webpages failing to load completely, geekzone, youtube I have noticed to far. geekzone is stuck on "transferring data from pixel.quantserve.com" and "Waitting for google.com" and "transferring data from pagead2.googlesyndication.com" so looks like some ads are failing to load contributing to page load errors.. grr. Im starting to think I should switch IPv6 off again.

Any other ideas?





956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 1307435 18-May-2015 19:39
Send private message

This android phones? I've disabled IPV6 as it seems its broken on Nexus 5 running Android 5.x. Will probably take google a couple of years to acknowledge then another year or so to fix.

https://code.google.com/p/android/issues/detail?id=79576



242 posts

Master Geek
+1 received by user: 11


  Reply # 1307441 18-May-2015 19:51
Send private message

Desktops also. One of my PC's is loading facebook OK but getting timeouts on other things above.

I tried m.facebook.com on the PC that is loading facebook desktop site without issue but the mobile site is failing there also.

Reboot of pfsense has not helped.

Any other information I can provide to help troubleshoot this?





142 posts

Master Geek
+1 received by user: 40


  Reply # 1307478 18-May-2015 20:27
Send private message

can you enable TCP MSS clamping for IPv6 in pfSense?



242 posts

Master Geek
+1 received by user: 11


  Reply # 1307493 18-May-2015 20:44
One person supports this post
Send private message

sorceror: can you enable TCP MSS clamping for IPv6 in pfSense?


Interesting. This seems to have resolved facebook on ALL devices.

Can you explain wether I should leave this setting permanently, what effect does it have? or is this confirming another issue/incorrect configuration?

I dont beleive anyone else here has these settings set for ipv6, pfsense and snap combination.

Keen to learn what is going on here.







242 posts

Master Geek
+1 received by user: 11


  Reply # 1307639 19-May-2015 09:49
Send private message

Okay I have done a bit of reading on this to try and further my knowledge in this area.

From what I gathered, packets over 1492 (pfsense was autosensing the adapter capabilites and setting this to 1500) in size get fragmented and this is not being handled correctly either by pfsense or the remote server (facebook, google etc). Setting MSS Clamping does not allow the packets to be larger than this value and as such plays nicely with the remote server?

Is there an explanation on why this is only affecting me?





142 posts

Master Geek
+1 received by user: 40


  Reply # 1307736 19-May-2015 12:17
Send private message

bonkas: Okay I have done a bit of reading on this to try and further my knowledge in this area.

From what I gathered, packets over 1492 (pfsense was autosensing the adapter capabilites and setting this to 1500) in size get fragmented and this is not being handled correctly either by pfsense or the remote server (facebook, google etc). Setting MSS Clamping does not allow the packets to be larger than this value and as such plays nicely with the remote server?

Is there an explanation on why this is only affecting me?


in theory you shouldn't need to configure MSS clamping if PMTUD is working correctly.

in practice PMTUD doesn't work due to over protective filters/firewalls so we need to set MSS.

most 'home' routers (like the Fritzbox) automatically clamp MSS so you'll find you're not alone.


1 | 2 | 3 | 4
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.