956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 1307907 19-May-2015 18:22

Out of interest where did you enable MSS clamping on pfsense?



253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1308066 19-May-2015 22:21

Interfaces menu --> WAN - In the top section under your WAN device configuration.

I set this to 1460.





 
 
 
 


956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 1308090 19-May-2015 22:53

So obvious.. must've glanced over that so many times -_-

388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 1308105 20-May-2015 03:02

bonkas, I was wondering why you are having problems with the packet sizes, as IPv6 is supposed to handle that properly.  So is pfSense by any chance set up to drop ICMPv6 packets coming into your network?  Unlike IPv4, IPv6 requires quite a few ICMPv6 packet types in order to be able to work properly.  If you want full information on this, take a look at the relevant RFC:

  https://www.ietf.org/rfc/rfc4890.txt

But the absolute minimum ICMPv6 types needed (copied from the RFC) are:

   o  Destination Unreachable (Type 1) - All codes
   o  Packet Too Big (Type 2)
   o  Time Exceeded (Type 3) - Code 0 only
   o  Parameter Problem (Type 4) - Codes 1 and 2 only

In particular, if it is dropping Packet Too Big packets, then you are guaranteed to have packet size problems as MTU Path Discovery will not work, and IPv6 will never fragment packets when they are too big, they will just be dropped.
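
An added example, not part of the original post or of pfSense: a Python check that compares ICMPv6 messages a firewall dropped against the minimum list quoted above and, for Packet Too Big, reports the path MTU and the largest TCP MSS that fits it. The sample bytes are constructed, the function names are hypothetical, and the 40-byte IPv6 and 20-byte TCP header sizes assume no extension headers or TCP options.

```python
import struct

# Minimum ICMPv6 types to let through, as listed in the post above
# (type -> (name, allowed codes)); None means every code is allowed.
REQUIRED = {
    1: ("Destination Unreachable", None),
    2: ("Packet Too Big", None),
    3: ("Time Exceeded", {0}),
    4: ("Parameter Problem", {1, 2}),
}
IPV6_HEADER = 40  # assumption: fixed header only, no extension headers
TCP_HEADER = 20   # assumption: no TCP options

def parse_icmpv6(msg: bytes):
    """Return (type, code, mtu); mtu is set only for Packet Too Big."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 message shorter than 8 bytes")
    icmp_type, code, _cksum, word = struct.unpack("!BBHI", msg[:8])
    return icmp_type, code, (word if icmp_type == 2 else None)

def audit_drop(msg: bytes) -> dict:
    """Classify one dropped ICMPv6 message against the minimum list."""
    icmp_type, code, mtu = parse_icmpv6(msg)
    name, codes = REQUIRED.get(icmp_type, (None, None))
    required = name is not None and (codes is None or code in codes)
    result = {"type": icmp_type, "code": code, "name": name,
              "required": required}
    if required and mtu is not None:
        # A dropped Packet Too Big hides this MTU from the sending host.
        result["path_mtu"] = mtu
        result["max_tcp_mss"] = mtu - IPV6_HEADER - TCP_HEADER
    return result

def audit_drops(messages):
    """Return only the drops that break the minimum list."""
    return [r for r in map(audit_drop, messages) if r["required"]]

# Constructed sample: first 8 bytes of ICMPv6 messages from a drop log.
SAMPLE_DROPS = [
    struct.pack("!BBHI", 2, 0, 0, 1492),  # Packet Too Big, MTU 1492
    struct.pack("!BBHI", 3, 1, 0, 0),     # Time Exceeded, code 1
    struct.pack("!BBHI", 128, 0, 0, 1),   # Echo Request
    struct.pack("!BBHI", 4, 1, 0, 40),    # Parameter Problem, code 1
]

if __name__ == "__main__":
    for finding in audit_drops(SAMPLE_DROPS):
        print(finding)
```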



253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1308159 20-May-2015 08:55

pfsense blocks incoming ICMP traffic by default - This is something I had not thought of. I will try opening this up and see if anything changes.

I was not seeing any blocked ICMP traffic in the firewall logs either which is strange, like it is being blocked further up the chain.





388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 1308687 20-May-2015 17:56

You probably need to allow IPv4 ICMP "Packet Too Big" packets in as well now - modern TCP/IP stacks use MTU Path Discovery in IPv4 also, but they fall back to fragmenting packets if necessary.  I allow in pretty much the same IPv4 ICMP packets as I do for ICMPv6.



253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1308708 20-May-2015 18:15

I have allowed all ICMP traffic for IPv4 and IPv6, I can get to facebook on my desktop now but many images, scripts are not loading. Websites such as geekzone are loading indefinitely as it is failing to connect to the google ad services etc.







253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1308830 20-May-2015 20:33

Hmm Okay it was my PC being weird. After adding the firewall rules and refreshing my network adaptor I get 10/10 for test.ipv6.com but same old issues of pages not fully loading, no facebook, google services, one drive not working etc etc.

I can only resolve this with mss clamping.

I have disabled ipv6 again so I can get some work done.

Reading Many, many articles on the issue but have not come up with any solutions yet.

Can anyone else running pfsense through snap with IPv6 enabled let me know of your settings?





796 posts

Ultimate Geek
+1 received by user: 262

Trusted

  Reply # 1308899 20-May-2015 21:49
One person supports this post

If MSS clamping solves the issue why not leave it on?



253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1309852 22-May-2015 12:51

Lorenceo: If MSS clamping solves the issue why not leave it on?


Although this appeared to resolve the issue. I was being yelled at by the missus when one of her "obscure" websites I would never visit wasn't working.

Easiest way out was to disable ipv6 for now and keep the peace at home :)

I will be away this weekend so won't be able to try again but I am still keen to get this working 100%, just gotta track down where the issue is to resolve this 100%.





148 posts

Master Geek
+1 received by user: 40


  Reply # 1309873 22-May-2015 13:28

^ try dropping the segment size even lower, I'd start at 1420-1430 then tweak

266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1334625 1-Jul-2015 08:43

Did you have any luck with this bonkas? I'm about to try and get this working with pfsense on WXC and was curious about your end result.



253 posts

Ultimate Geek
+1 received by user: 11


  Reply # 1334684 1-Jul-2015 09:31

sorceror: ^ try dropping the segment size even lower, I'd start at 1420-1430 then tweak


I haven't had a chance to try this.

Although changing the clamping and segment size seems to have resolved some websites.. Mobile Facebook, TVNZ On Demand, Spotify refuse to work at all - Among other obscure websites.

For now I have turned IPv6 off as the downtime testing this is a real inconvenience.

I will need some motivation to try again as everything is working with it off and I don't "need" IPv6 haha




