On 07/01/2017 08:18 AM, Tom Eastep wrote:
> On 06/30/2017 07:47 PM, Sam wrote:
>> Hi again.
>>
>> Spent the last week getting my home network(s) online with IPv6. I think
>> I'm on the finishing stretch. One last issue has popped up that I am not
>> sure how to fix.
>>
>> I'm running squid in transparent proxy mode via tproxy. Had it like that
>> for years on ipv4.
>>
>> I've pretty much just followed the guide at the bottom here:
>> http://shorewall.org/Shorewall_Squid_Usage.html
>>
>> I've attached a shorewall6 dump for good measure
>>
>> Before I enabled the tproxy rules over ipv6 (and thus not using squid),
>> all tests on this site passed: http://test-ipv6.com/
>>
>> Once I got the tproxy rules enabled, one test started failing.
>>
>> That was the "Test IPv6 large packet" test. Your browser basically
>> fetches a url with 1600 characters in it. I shortened it and added it
>> here: http://preview.tinyurl.com/y9vy2j3u
>>
>> I can fetch that url fine without squid and tproxy. But once it is
>> enabled, I can't. Looking at tcpdump, I see the request made goes out of
>> my wan nic, what comes back is an icmp "packet too big" response. That
>> icmp packet then flows back out (through shorewall) to the computer on
>> the lan that made the request. I'm thinking since squid intercepted the
>> HTTP request, that the icmp response should be going to squid. So I
>> don't know if this is just an issue of iptable rules or something else
>> at play here. Any thoughts? Googling for squid + mtu + ipv6 + tproxy
>> doesn't give me too many results other than someone with the same issue
>> here (which never responds back with what the fix was):
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-Timeouts-on-Select-Websites-td4657073.html
>>
>>
>>
>> I've not found any websites that are proxied that don't work. Only issue
>> seems to be with the ipv6 test website. So perhaps I can ignore this...
>>
> 
> FWIW, my configuration also fails this test and I've noticed no problems.
> 

This is apparently a known limitation of interception caching -- see
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy?highlight=%28PMTU%29.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
