On 07/01/2017 08:18 AM, Tom Eastep wrote:
> On 06/30/2017 07:47 PM, Sam wrote:
>> Hi again.
>>
>> Spent the last week getting my home network(s) online with IPv6. I think
>> I'm on the finishing stretch. One last issue has popped up that I am not
>> sure how to fix.
>>
>> I'm running squid in transparent proxy mode via tproxy. Had it like that
>> for years on ipv4.
>>
>> I've pretty much just followed the guide at the bottom here:
>> http://shorewall.org/Shorewall_Squid_Usage.html
>>
>> I've attached a shorewall6 dump for good measure
>>
>> Before I enabled the tproxy rules over ipv6 (and thus not using squid),
>> all tests on this site passed: http://test-ipv6.com/
>>
>> Once I got the tproxy rules enabled, one test started failing.
>>
>> That was the "Test IPv6 large packet" test. Your browser basically
>> fetches a url with 1600 characters in it. I shortened it and added it
>> here: http://preview.tinyurl.com/y9vy2j3u
>>
>> I can fetch that url fine without squid and tproxy. But once it is
>> enabled, I can't. Looking at tcpdump, I see the request made goes out of
>> my wan nic, what comes back is an icmp "packet too big" response. That
>> icmp packet then flows back out (through shorewall) to the computer on
>> the lan that made the request. I'm thinking since squid intercepted the
>> HTTP request, that the icmp response should be going to squid. So I
>> don't know if this is just an issue of iptable rules or something else
>> at play here. Any thoughts? Googling for squid + mtu + ipv6 + tproxy
>> doesn't give me too many results other than someone with the same issue
>> here (which never responds back with what the fix was):
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-Timeouts-on-Select-Websites-td4657073.html
>>
>> I've not found any websites that are proxied that don't work. Only issue
>> seems to be with the ipv6 test website. So perhaps I can ignore this...
>>
>
> FWIW, my configuration also fails this test and I've noticed no problems.
>

This is apparently a known limitation of interception caching -- see
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy?highlight=%28PMTU%29.

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,           \    an international standard?
Washington, USA      \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                     \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users