On 10/15/2017 12:59 PM, Troy Telford wrote:
> I've been slowly trying to get this fixed for a few years now... I'm
> running Debian Sid, Shorewall6 5.0.15.6, and Squid 3.5.23. My ISP provides
> native IPv6 (Comcast).
>
> I had my system set up to use Squid + TPROXY using IPv6, and it was working
> great. However, a couple of years ago, it simply stopped working, and I've
> been trying to figure out why ever since. When I try to use
> IPv6+TPROXY+Squid, most sites simply "hang" and never load. I've been
> trying to research it myself, and I think I can say that it appears to be
> an ICMP Path MTU issue.
>
> I can reproduce the error with test-IPv6.com <http://test-ipv6.com/> (they
> suggest a curl command at http://test-ipv6.com/faq_pmtud.html). Non-TPROXY
> connections work fine, whether connecting directly or if their HTTP proxy is
> configured. However, it appears that when I use TPROXY, there are issues
> with Path MTU Detection from the internet to my clients.
>
> When I try the test URL from test-ipv6.com <http://test-ipv6.com/>, and
> check the packet dump using the following:
>
> $ sudo tcpdump '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)'
>
> I see messages along the lines of:
>
> <timestamp> IP6 {remote addr} > {my IPv6 addr}: ICMP6, packet too big, MTU 1280, length 1240
>
> "shorewall6 show | grep -i icmp" shows the expected allow for ICMP:
>
> 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */
>
> It looks to me like the ICMPv6 packets should be getting handled and passed
> through correctly; however, as the packet dumps show, that does not appear
> to be the case.
>
> Does anyone have an idea how I can figure out what is happening so I can
> get it working again?
From https://wiki.squid-cache.org/SquidFaq/InterceptionProxy:

  However there are also significant disadvantages for this strategy, as
  outlined by Mark Elsen:
  ...
  - It causes path-MTU (PMTUD) to fail, possibly making some remote sites
    inaccessible. This is not usually a problem if your client machines are
    connected via Ethernet or DSL PPPoATM where the MTU of all links between
    the cache and client is 1500 or more. If your clients are connecting via
    DSL PPPoE then this is likely to be a problem as PPPoE links often have a
    reduced MTU (1472 is very common).

So this is a known TPROXY restriction...

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
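The check a practitioner would want before accepting "known TPROXY restriction" is whether the Packet Too Big messages Troy sees are actually being honoured. An ICMPv6 type 2 that reaches the sending socket is answered by smaller segments and is not repeated; the same router sending the same MTU again and again means the PTB arrived at the firewall but was never applied to the socket that is sending the oversized segments (with TPROXY that is Squid's socket, bound to the client's address). The following is an added example, not code from the thread or from Shorewall or Squid. The capture it parses is constructed to match the tcpdump line format Troy quoted, with RFC 3849 documentation addresses; `HOST` in the live-probe function is an assumed placeholder for the remote web server being tested.

```shell
#!/bin/sh
# Added example: spot the PMTUD-blackhole symptom in a tcpdump of the kind
# posted in the thread. Not part of the original mail or of Shorewall/Squid.

# Constructed sample capture (tcpdump text format, documentation addresses).
# Router 2001:db8:1::1 repeats the same Packet Too Big while the proxy keeps
# sending 1440-byte segments: the advertised MTU is not being applied.
SAMPLE_DUMP='12:59:01.000001 IP6 2001:db8:1::1 > 2001:db8:2::10: ICMP6, packet too big, MTU 1280, length 1240
12:59:01.000002 IP6 2001:db8:2::10.54321 > 2001:db8:1::1.80: Flags [.], seq 1:1441, ack 1, win 229, length 1440
12:59:02.000003 IP6 2001:db8:1::1 > 2001:db8:2::10: ICMP6, packet too big, MTU 1280, length 1240
12:59:03.000004 IP6 2001:db8:3::5 > 2001:db8:2::10: ICMP6, packet too big, MTU 1452, length 1240'

# ptb_count DUMP: how many Packet Too Big (ICMPv6 type 2) messages were captured.
ptb_count() {
    printf '%s\n' "$1" | grep -c 'ICMP6, packet too big'
}

# smallest_ptb_mtu DUMP: the lowest MTU any router advertised. 1280 is the
# IPv6 minimum link MTU, so packets sized for it can never draw another PTB.
smallest_ptb_mtu() {
    printf '%s\n' "$1" \
        | sed -n 's/.*packet too big, MTU \([0-9][0-9]*\),.*/\1/p' \
        | sort -n | head -n 1
}

# repeated_ptb_peers DUMP: prints "<router> <mtu>" for every router that sent
# the same Packet Too Big more than once. Any output here is the blackhole
# symptom: the PTB reached the firewall but not the sending socket.
repeated_ptb_peers() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^ ]* IP6 \([^ ]*\) > [^ ]*: ICMP6, packet too big, MTU \([0-9][0-9]*\),.*/\1 \2/p' \
        | sort | uniq -c \
        | awk '$1 > 1 { print $2 " " $3 }'
}

# Live checks to run by hand on the proxy host (not executed here).
# HOST is an assumed placeholder for the remote web server under test.
pmtu_probe() {
    HOST=$1
    # The same capture filter as in the thread, to feed the functions above:
    #   sudo tcpdump -ni any '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)'
    # Path MTU as the kernel discovers it hop by hop:
    tracepath -6 "$HOST"
    # Probe with local fragmentation forbidden; once a PTB has been cached for
    # this destination the kernel refuses oversized sends locally.
    ping -6 -M do -s 1452 -c 3 "$HOST"
    # Shows the cached "mtu" for the destination, if any PTB was applied.
    ip -6 route get "$HOST"
}
```

Run `repeated_ptb_peers` over a real capture taken with Troy's tcpdump filter: if it prints anything while the proxy still sends full-size segments, the PTBs are being delivered to the firewall but not applied to the TPROXY socket, which is the failure the Squid FAQ describes. The usual workaround is to stop depending on Packet Too Big at all, either by setting the MTU of the proxy's route toward the Internet to 1280 (the IPv6 minimum, which no router may reject) or by clamping the MSS of the proxy's outbound SYNs with the ip6tables TCPMSS target; both cost some throughput.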
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
