tech-net archive
Re: IPV6 router works, but clients fail
On Thursday 02 July 2009 22:23:20 Miles Nordin wrote:
> >>>>> "rm" == Roy Marples <roy%marples.name@localhost> writes:
>
> rm> I needed to clamp max-mss in pppoe0 to 1432. It used to be
> rm> 1452, which I recall was needed for my wireless
> rm> clients. Probably the extra overhead of IPv6.
>
> The PPPoE MTU problem should not exist on IPv6, and at my site where I
> have <1500 links to the internet I didn't have to change mss-scrubbing
> smaller for IPv6. It's possible you are creating the PPPoE problem
> yourself somewhere by blocking ICMPv6 'too-big' packages.
I've attached my current pf.conf.
As Brian pointed out in this thread, PF does not handle IPv6 fragments, which
could be the issue as well. However, the router does need a firewall as it's
also my server.
> You should never find you need the mss scrubbing to reach the Internet
> period---if you do, you must be blocking too much ICMP on your end.
> The symptom of needing smaller mss scrubbing is that a few of other
> people's misconfigured sites on the Internet don't work, just a few
> not all. I wish you would have a look at your ICMP rules to avoid
> publishing bad examples which will infect other sites and spread the
> PPPoE problem.
>
> The way it's documented/supposed to work, you must either pass too-big
> / frag-needed ICMP, *or* use 'keep state' TCP rules which pass that
> ICMP implicitly. The way it actually works, I'm not so sure.
Well, the router and clients pass all ICMP packets - the clients didn't even
have firewalls installed. Anyway, here are the lines from the attached pf.conf:
pass in proto icmp all
pass in proto ipv6-icmp all
It doesn't help that I'm using a PPPoA->PPPoE modem, which apparently affects
things as well.
Interestingly enough, if I drop the MTU on my clients to 1492 then I don't
need the scrub mss line. Anyone have an opinion on which would be better?
Thanks
Roy
# $NetBSD: pf.conf,v 1.4 2008/06/18 09:06:25 yamt Exp $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="pppoe0"
int_if="ath0"
int_net="10.73.1.0/24"
int_net6="2a01:348:31::/48"
int_addr6="2a01:348:31:2:209:5bff:fe84:887d"
mynets="{ $int_net, $int_net6 }"
# asterisk needs 5060 (tcp, udp) and 4569 (udp)
# We special case ssh and domain
tcp_services="{ ident, smtp, www, imap, git, svn, \
ftp, ftp-data, 50000:50100, rsync }"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# We need to clamp max-mss so that IPv6 wireless clients work
scrub out on pppoe0 max-mss 1432
# Schedulers
altq on $ext_if priq bandwidth 500Kb \
queue { std_out, ssh_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 3.5Mb \
queue { std_in, ssh_in, dns_in }
queue std_in cbq(default)
queue ssh_in priority 4
queue dns_in priority 5
# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if inet proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr-anchor miniupnpd
anchor miniupnpd
# filter rules
block in log all
anchor "ftp-proxy/*"
antispoof quick for lo
# antispoof fails for inet6?
antispoof quick for { $int_if } inet
pass out
pass from { $int_net, $int_net6 } to any
pass in proto icmp all
pass in proto ipv6-icmp all
pass in proto tcp from any to self port ssh queue ssh_out
pass in proto tcp from any to self port domain queue dns_out
pass in proto tcp from any to self port $tcp_services \
queue(std_out, tcp_ack_out)
# To allow IPv6 traffic to move unmolested to our LAN
block quick from any to $int_addr6
pass in from any to $int_net6
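The MSS arithmetic behind the 1452 and 1432 values discussed above (a 1492-byte PPPoE link minus the IP and TCP headers), together with a quick sanity check of a pf.conf for the things the thread turns on: that ICMPv6 is passed inbound so Packet Too Big can do its job, that any max-mss clamp is not larger than the link allows, and that every $macro referenced is actually defined. This is an added Python example, not code from the thread or from the pf project; the config fragment is constructed, modelled on the posted pf.conf with one deliberately misspelled macro reference, and all function names are my own.

```python
"""
Added example: PPPoE MSS arithmetic plus a small pf.conf sanity checker.
Not part of the original mail or of NetBSD/pf.
"""
import re

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8            # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492, the usual PPPoE link MTU
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20               # TCP header without options


def expected_mss(link_mtu, family):
    """Largest TCP segment that fits one unfragmented packet on link_mtu.

    With the 1492-byte PPPoE MTU this gives 1452 for IPv4 and 1432 for IPv6:
    the 20-byte difference is exactly the larger IPv6 header, which is why
    the IPv4-era clamp no longer fitted once IPv6 clients appeared.
    """
    ip_header = IPV4_HEADER if family == 4 else IPV6_HEADER
    return link_mtu - ip_header - TCP_HEADER


def _strip_comments(pf_conf):
    """Yield pf.conf lines with '#' comments removed and whitespace trimmed."""
    for line in pf_conf.splitlines():
        yield line.split("#", 1)[0].strip()


def undefined_macros(pf_conf):
    """Return the set of $macro names used without a name="..." definition."""
    defined = set()
    referenced = set()
    for line in _strip_comments(pf_conf):
        m = re.match(r"(\w+)\s*=", line)
        if m:
            defined.add(m.group(1))
        referenced.update(re.findall(r"\$(\w+)", line))
    return referenced - defined


def clamp_values(pf_conf):
    """Return every max-mss value set by a scrub rule, in file order."""
    values = []
    for line in _strip_comments(pf_conf):
        m = re.search(r"\bscrub\b.*\bmax-mss\s+(\d+)", line)
        if m:
            values.append(int(m.group(1)))
    return values


def passes_icmpv6(pf_conf):
    """True if some rule passes ipv6-icmp inbound (so Packet Too Big is not dropped)."""
    return any(re.match(r"pass\s+in\b.*\bproto\s+ipv6-icmp\b", line)
               for line in _strip_comments(pf_conf))


def check(pf_conf, link_mtu=PPPOE_MTU):
    """Summarise the PMTU-related state of a pf.conf as a dict of findings."""
    clamps = clamp_values(pf_conf)
    return {
        "icmpv6_passed": passes_icmpv6(pf_conf),
        "max_mss": clamps,
        # A clamp only helps if it is no larger than what the link can carry.
        "ipv4_mss_ok": all(v <= expected_mss(link_mtu, 4) for v in clamps),
        "ipv6_mss_ok": all(v <= expected_mss(link_mtu, 6) for v in clamps),
        "undefined_macros": sorted(undefined_macros(pf_conf)),
    }


# Constructed fragment modelled on the posted pf.conf; "$int_inet6" is a
# deliberate typo for "$int_net6" so the macro check has something to find.
SAMPLE_PF_CONF = """\
ext_if="pppoe0"
int_if="ath0"
int_net="10.73.1.0/24"
int_net6="2a01:348:31::/48"
mynets="{ $int_net, $int_inet6 }"
scrub in
# We need to clamp max-mss so that IPv6 wireless clients work
scrub out on pppoe0 max-mss 1432
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
block in log all
pass out
pass in proto icmp all
pass in proto ipv6-icmp all
"""

if __name__ == "__main__":
    print("IPv4 MSS on PPPoE:", expected_mss(PPPOE_MTU, 4))
    print("IPv6 MSS on PPPoE:", expected_mss(PPPOE_MTU, 6))
    for key, value in check(SAMPLE_PF_CONF).items():
        print(f"{key}: {value}")
```

On Roy's closing question: a client whose own interface MTU is 1492 advertises an MSS of 1432 for IPv6 by itself, which is the same value the scrub rule forces, so the two approaches end up with identical segment sizes; the clamp just does it centrally for every client behind the router.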