Topic: IPv6 ping working, but IPv6 web sites timeout

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

jeverett

22 Jan 2009, 02:07

I have a WRT54G v1.1 running OpenWrt Kamikaze - With X-Wrt Extensions 7.09 (extensive details below).

I have IPv4 up and running fine and a 6in4 IPv6 tunnel setup up with a IPv6 /64 subnet from my tunnel broker setup on the LAN.

My 6in4 IPv6 tunnel seems good. From OpenWRT, I can ping6 my tunnel host and beyond, eg. ipv6.google.com. I can likewise ping6 hosts on my LAN segment.

On the LAN, nodes are getting proper IPv6 addresses on my assigned /64 subnet as well as a default IPv6 route to the OpenWRT box. Similarly, LAN nodes can (most times) successfully ping6 hosts on the internet.

However, whenever I try to access an IPv6 web site, the browser eventually times out. Actually I get something this:
The connection to www.sixxs.net was interrupted while the page was loading
or
The server at ipv6.google.com is taking too long to respond.
(If I set Firefox to network.dns.disableIPv6 = true, thus forcing IPv4, connectivity is fine.)

When browsing to an IPv6 web site, I never get a page, but I see netstat stuff like this (in Linux):

[root@Localhost ~]# netstat -l --inet6 -all
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0    266 2001:0db8:1234:5:204:23:44085 noc.sixxs.net:http          ESTABLISH   
tcp        0    521 2001:0db8:1234:5:204:23:34937 noc.sixxs.net:http          LAST_ACK

and like this on a Mac:

Mac:~ user$ netstat -f inet6 -all
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0    624  2001:0db8:1234:5:200:beef:beef:0003.56746        2001:4860:b002::68.http                       ESTABLISHED
tcp6       0    505  2001:0db8:1234:5:200:beef:beef:0003.56745        tunnelbroker.net.http                         ESTABLISHED
tcp6       0    214  2001:0db8:1234:5:200:beef:beef:0003.56743        noc.sixxs.net.https                           ESTABLISHED

Success with only ICMP made my think of firewall trouble, but my ip6tables are wide-open ALLOW. Likewise, iptable are configured per guides here (to make the tunnel work, which it does.) However, it seems like IPv6 is getting through, but just too unreliably to be of any use.

I'm kind of at a loss to troubleshoot why the IPv6 on the LAN isn't working quite right. I'd appreciate another set of eyes on my configs and stuff (below) in case I'm missing something, as well as any additional troubleshooting suggestions.

My install:

root@wrt:~# ipkg list
base-files-brcm-2.4 - 10-12557 - 
bridge - 1.0.6-1 - 
busybox - 1.4.2-2 - 
dnsmasq - 2.39-1 - 
dropbear - 0.50-2 - 
haserl - 0.8.0-2 - 
ip - 2.6.20-070313-1 - 
ip6tables - 1.3.7-1 - 
iptables - 1.3.7-1 - 
kernel - 2.4.34-brcm-1 - 
kmod-brcm-wl - 2.4.34+4.80.53.0-1 - 
kmod-diag - 2+2.4.34-brcm-1 - 
kmod-ip6tables - 2.4.34-brcm-1 - 
kmod-ipt-nathelper - 2.4.34-brcm-1 - 
kmod-ipv6 - 2.4.34-brcm-1 - 
kmod-ppp - 2.4.34-brcm-1 - 
kmod-pppoe - 2.4.34-brcm-1 - 
kmod-switch - 2.4.34-brcm-1 - 
kmod-wlcompat - 2.4.34+brcm-6 - 
libgcc - 3.4.6-10 - 
mtd - 5 - 
nas - 4.80.53.0-1 - 
netstat-nat - 1.4.6-1 - 
nvram - 1 - 
ppp - 2.4.3-8 - 
ppp-mod-pppoe - 2.4.3-8 - 
radvd - 1.0-1 - 
tcptraceroute6 - 0.5.1-1 - 
uclibc - 0.9.28-10 - 
webif - 0.3-12 - 
wireless-tools - 29-1 - 
wlc - 4.80.53.0-1 -

Running modules:

root@wrt:~# lsmod
Module            Size  Used by    Tainted: P  
wlcompat               14944   0 (unused)
ip_conntrack_tftp       1712   0 (unused)
ip_nat_irc              2336   0 (unused)
ip_conntrack_irc        3128   1
ip_nat_ftp              2960   0 (unused)
ip_conntrack_ftp        4272   1
ip6t_owner              1020   0 (unused)
ip6t_multiport           556   0 (unused)
ip6t_mark                316   0 (unused)
ip6t_mac                 556   0 (unused)
ip6t_limit               892   0 (unused)
ip6t_length              348   0 (unused)
ip6t_eui64               684   0 (unused)
ip6t_MARK                668   0 (unused)
ip6t_LOG                4556   0 (unused)
ip6t_IMQ                 684   0 (unused)
ip6table_mangle         2284   0 (unused)
ip6table_filter         1740   0 (unused)
ip6_tables             17440  12 [ip6t_owner ip6t_multiport ip6t_mark ip6t_mac ip6t_limit ip6t_length ip6t_eui64 ip6t_MARK ip6t_LOG ip6t_IMQ ip6table_mangle ip6table_filter]
ppp_async               7884   0 (unused)
ppp_generic            22300   0 [ppp_async]
slhc                    6064   0 [ppp_generic]
wl                    630776   0 (unused)
ipv6                  197376  -1
switch-adm              6372   0 (unused)
switch-core             4864   0 [switch-adm]
diag                   25520   0 (unused)

My network config:

root@wrt:~# cat /etc/config/network 
#### VLAN configuration 
config switch eth0
    option vlan0    "1 2 3 4 5*"
    option vlan1    "0 5"


#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0


#### LAN configuration
config interface lan
    option type     bridge
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    10.10.10.3
    option netmask    255.255.255.0
    option ip6addr 2001:0db8:1234:5::1/64
    
#### WAN configuration
config interface    wan
    option ifname    "eth0.1"
    option proto    static
    option ipaddr    172.16.1.2
    option netmask    255.255.255.0
    option gateway    172.16.1.1
    option dns    10.10.10.2

My tunnel script config:

root@wrt:~# cat /etc/init.d/tunhe-ipv6 
#!/bin/sh /etc/rc.common
LOCALIP=172.16.1.2
POPIP=209.51.161.58
LOCTUN=2001:0db8:1234:4::2
REMTUN=2001:0db8:1234:4::1 
START=47

start() {
        echo -n "Starting TunnelBroker.net IPv6 tunnel: "
        ip tunnel add he-ipv6 mode sit local $LOCALIP remote $POPIP
        ip link set he-ipv6 up
        ip -6 addr add $LOCTUN/64 dev he-ipv6
        ip -6 ro add default via $REMTUN dev he-ipv6
        echo "Done."
}
stop() {
        echo -n "Stopping TunnelBroker.net IPv6 tunnel: "
        ip link set he-ipv6 down
        ip tunnel del he-ipv6
        echo "Done."
}
restart() {
        stop
        start
}

My radvd config:

root@wrt:~# cat /etc/radvd.conf
# For more examples, see the radvd documentation.
interface br-lan
{
    AdvSendAdvert on;
    prefix 2001:0db8:1234:5::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

iptables/iptables6 stuff:

 root@wrt:~# iptables -v -L --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
2     8477  673K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
3        5   200 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=!2 flags:SYN/SYN 
4      646  164K input_rule  all  --  any    any     anywhere             anywhere            
5      156 18004 input_wan  all  --  eth0.1 any     anywhere             anywhere            
6      646  164K LAN_ACCEPT  all  --  any    any     anywhere             anywhere            
7        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
8        0     0 ACCEPT     gre  --  any    any     anywhere             anywhere            
9        0     0 ACCEPT     ipv6 --  eth0.1 any     anywhere             anywhere            
10      11   584 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
11     145 17420 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 27 packets, 1406 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
2       67  3332 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
3        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
4       70  3510 forwarding_rule  all  --  any    any     anywhere             anywhere            
5       27  1406 forwarding_wan  all  --  eth0.1 any     anywhere             anywhere            
6        0     0 ACCEPT     all  --  br-lan br-lan  anywhere             anywhere            
7        0     0 ACCEPT     all  --  br-lan eth0.1  anywhere             anywhere            

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
2     8051  886K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
3      265  123K output_rule  all  --  any    any     anywhere             anywhere            
4      265  123K ACCEPT     all  --  any    any     anywhere             anywhere            
5        0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
6        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain LAN_ACCEPT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      156 18004 RETURN     all  --  eth0.1 any     anywhere             anywhere            
2      490  146K ACCEPT     all  --  any    any     anywhere             anywhere            

Chain forwarding_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination




root@wrt:~# iptables -t nat -v -L --line-numbers
Chain PREROUTING (policy ACCEPT 1297 packets, 177K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       58  2864 NEW        tcp  --  any    any     anywhere             anywhere            state NEW 
2     1313  177K prerouting_rule  all  --  any    any     anywhere             anywhere            
3      287 41566 prerouting_wan  all  --  eth0.1 any     anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT 28 packets, 4583 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       39  5023 postrouting_rule  all  --  any    any     anywhere             anywhere            
2       11   440 MASQUERADE !ipv6 --  any    eth0.1  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 12 packets, 3811 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain NEW (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       58  2864 RETURN     all  --  any    any     anywhere             anywhere            limit: avg 50/sec burst 100 
2        0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain postrouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     esp  --  any    any     anywhere             anywhere            
2        0     0 ACCEPT     ah   --  any    any     anywhere             anywhere            

Chain prerouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination





root@wrt:~# ip6tables -v -L --line-numbers
Chain INPUT (policy ACCEPT 2701 packets, 246K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 8504 packets, 794K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1909 packets, 193K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Connectivity view from the router:

root@wrt:~# ip -6 addr
1: lo: <LOOPBACK,UP> 
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
    inet6 fe80::200:beef:beef:0001/64 scope link 
4: eth0.0: <BROADCAST,MULTICAST,PROMISC,UP> 
    inet6 fe80::200:beef:beef:0001/64 scope link 
5: eth0.1: <BROADCAST,MULTICAST,UP> 
    inet6 fe80::200:beef:beef:0001/64 scope link 
8: wl0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
    inet6 fe80::200:beef:beef:0010/64 scope link 
9: br-lan: <BROADCAST,MULTICAST,UP> 
    inet6 fe80::200:ff:fe00:0/64 scope link 
    inet6 2001:0db8:1234:5::1/64 scope global 
10: he-ipv6: <POINTOPOINT,NOARP,UP> 
    inet6 2001:0db8:1234:4::2/64 scope global 
    inet6 fe80::d1d8:4646/128 scope link 

root@wrt:~# ip -6 route
2001:0db8:1234:4::/64 via :: dev he-ipv6  metric 256  mtu 1480 advmss 1420
2001:0db8:1234:5::/64 dev br-lan  metric 256  mtu 1500 advmss 1440
default via 2001:0db8:1234:4::1 dev he-ipv6  metric 1024  mtu 1480 advmss 1420

root@wrt:~# ping6 ipv6.google.com
PING ipv6.l.google.com (2001:4860:b002::68): 56 data bytes
64 bytes from 2001:4860:b002::68: icmp6_seq=0 ttl=60 time=163.4 ms

root@wrt:~# tcptraceroute6 ipv6.google.com      
traceroute to 2001:4860:b002::68 (2001:4860:b002::68) from 2001:0db8:1234:4::2, port 80, 30 hops max
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:4860:b002::68 (2001:4860:b002::68) [open]  163.466 ms  161.816 ms  161.970 ms

Client Connectivity view from a Mac:

Mac:~ user$ ifconfig en0
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet 10.10.10.3 netmask 0xffffff00 broadcast 10.10.10.255
    inet6 fe80::200:beef:beef:0003%en0 prefixlen 64 scopeid 0x4 
    inet6 2001:0db8:1234:5:200:beef:beef:0003 prefixlen 64 autoconf 
    ether 00:00:00:00:00:03 

Mac:~ root# netstat -r -l -f inet6
Routing tables
Internet6:
Destination                             Gateway                         Flags    Refs      Use    Mtu    Netif Expire
default                                 fe80::200:ff:fe00:0%en0         UGc         3        0   1500      en0
2001:0db8:1234:5::                        link#4                          UC          1        0   1500      en0
2001:0db8:1234:5::1                       0:c:41:ab:9c:cd                 UHLW        0       20   1500      en0

Mac:~ user$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:0db8:1234:5:200:beef:beef:0003 --> 2001:4860:b002::68
16 bytes from 2001:4860:b002::68, icmp_seq=0 hlim=59 time=191.412 ms

Mac:~ user$ traceroute6  ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:b002::68) from 2001:0db8:1234:5:200:beef:beef:0003, 30 hops max, 12 byte packets
 1  2001:0db8:1234:5::1  1.056 ms  0.665 ms  0.667 ms

Client Connectivity view from Linux:

[root@Localhost ~]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02  
          inet addr:10.10.10.2  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: 2001:0db8:1234:5:200:beef:beef:0002/64 Scope:Global
          inet6 addr: fe80::200:beef:beef:0002/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5730699 errors:0 dropped:165 overruns:0 frame:0
          TX packets:9003682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2305322659 (2.1 GiB)  TX bytes:1320775781 (1.2 GiB)
          Base address:0xac00 Memory:fc4e0000-fc500000 


[root@Localhost ~]# netstat -r -l --inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
2001:0db8:1234:5::/64                         *                                       UA    256    48       0 eth1    
*/0                                         fe80::200:ff:fe00:0                     UGDA  1024   315       0 eth1    

[root@Localhost ~]# ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:b002::68) 56 data bytes
64 bytes from 2001:4860:b002::68: icmp_seq=0 ttl=59 time=192 ms
64 bytes from 2001:4860:b002::68: icmp_seq=1 ttl=59 time=177 ms

--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 177.923/185.220/192.517/7.297 ms, pipe 2
[root@Localhost ~]# traceroute6 ipv6.google.com
traceroute to ipv6.google.com (2001:4860:b002::68), 30 hops max, 40 byte packets
 1  2001:0db8:1234:5::1 (2001:0db8:1234:5::1)  0.599 ms  1.596 ms  1.886 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  2001:4860:b002::68 (2001:4860:b002::68)  162.522 ms  171.255 ms  172.155 ms

Post #2

gerald

24 Jan 2009, 21:27

Which kernel are you running (2.4 or 2.6)? I'm seeing the same problem here (WRT54G 1.1) running Kamikaze 7.09 brcm-2.4 with a tunnel to HE (tunnelbroker.net). Connections work just fine from the router, but it won't forward large packets from the LAN to the outside. That is, "ping6 -s 190" works...

bam:/home/gerald$ ping6 -s 190 -c 3 ipv6.google.com
PING ipv6.google.com(2001:4860:b002::68) 190 data bytes
198 bytes from 2001:4860:b002::68: icmp_seq=1 ttl=58 time=101 ms
198 bytes from 2001:4860:b002::68: icmp_seq=2 ttl=58 time=101 ms
198 bytes from 2001:4860:b002::68: icmp_seq=3 ttl=58 time=98.9 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 98.957/100.423/101.231/1.101 ms

...but "ping6 -s 191" does not:

bam:/home/gerald$ ping6 -s 191 -c 3 ipv6.google.com
PING ipv6.google.com(2001:4860:b002::68) 191 data bytes

--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

It looks like the problem might be the same as described in https://dev.openwrt.org/ticket/683 . However, there are two notable differences (for me, at least): My max ping6 payload sizes are slightly smaller and I'm not seeing any packet mangling -- tcpdump says they're not being forwarded at all.

I think the problem is with the 2.4 kernel. I'd like to upgrade to 2.6 but I'd rather not trade broken wireless for working IPv6. Wireless is supposed to be working better in 8.09 RC2, so that might be the answer.

Or maybe I'll shell out the money for an ALIX box and put OpenBSD on it, since I prefer pf's syntax over that of iptables.

Post #3

jeverett

24 Jan 2009, 22:05

Good find! And, yes I'm running 2.4 on my WRT54G 1.1. A packet size bug may be a good suspect, because in addition to ping6, I can also ftp to ftp.kame.net and get connected. Also, looking at the failing traffic in Wireshark, I see this:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c ICMPv6   Echo request
      2 0.223670    2001:838:1:1:210:dcff:fe20:7c7c 2001:0db8:1234:5::2 ICMPv6   Echo reply
      3 1.000267    2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c ICMPv6   Echo request
      4 1.229484    2001:838:1:1:210:dcff:fe20:7c7c 2001:0db8:1234:5::2 ICMPv6   Echo reply
      5 2.000239    2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c ICMPv6   Echo request
      6 2.231640    2001:838:1:1:210:dcff:fe20:7c7c 2001:0db8:1234:5::2 ICMPv6   Echo reply
      7 4.200672    2001:0db8:1234:5::2 2001:200::8002:203:47ff:fea5:3085 TCP      64028 > ftp [SYN] Seq=0 Win=65535 Len=0 MSS=1440 WS=1 TSV=469803456 TSER=0
      8 4.552528    2001:200::8002:203:47ff:fea5:3085 2001:0db8:1234:5::2 TCP      ftp > 64028 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=1 TSV=2633855784 TSER=469803456
      9 4.552687    2001:0db8:1234:5::2 2001:200::8002:203:47ff:fea5:3085 TCP      64028 > ftp [ACK] Seq=1 Ack=1 Win=65688 Len=0 TSV=469803459 TSER=2633855784
     10 4.898084    2001:200::8002:203:47ff:fea5:3085 2001:0db8:1234:5::2 FTP      Response: 220 orange.kame.net FTP server (Version 6.00LS) ready.
     11 4.898248    2001:0db8:1234:5::2 2001:200::8002:203:47ff:fea5:3085 TCP      64028 > ftp [ACK] Seq=1 Ack=57 Win=65632 Len=0 TSV=469803463 TSER=2633856127
     14 14.690193   2001:0db8:1234:5::2 2001:4860:b002::68    HTTP     GET / HTTP/1.1 
     15 19.726367   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c TCP      64030 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1440 WS=1 TSV=469803611 TSER=0
     16 19.999024   2001:838:1:1:210:dcff:fe20:7c7c 2001:0db8:1234:5::2 TCP      http > 64030 [SYN, ACK] Seq=0 Ack=1 Win=5712 Len=0 MSS=1440 TSV=2951720160 TSER=469803611 WS=9
     17 19.999167   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c TCP      64030 > http [ACK] Seq=1 Ack=1 Win=65688 Len=0 TSV=469803613 TSER=2951720160
     18 19.999372   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c HTTP     GET / HTTP/1.1 
     19 20.903464   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c HTTP     [TCP Retransmission] GET / HTTP/1.1 
     20 22.907468   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c HTTP     [TCP Retransmission] GET / HTTP/1.1 
     21 23.394512   2001:838:1:1:210:dcff:fe20:7c7c 2001:0db8:1234:5::2 TCP      http > 64030 [SYN, ACK] Seq=0 Ack=1 Win=5712 Len=0 MSS=1440 TSV=2951721010 TSER=469803613 WS=9
     22 23.394577   2001:0db8:1234:5::2 2001:838:1:1:210:dcff:fe20:7c7c TCP      [TCP Dup ACK 20#1] 64030 > http [ACK] Seq=425 Ack=1 Win=65688 Len=0 TSV=469803647 TSER=2951721010

Notice, ping is fine; ftp is fine; the start of the http handshake is fine (SYN, SYN-ACK), but it looks like my ACK doesn't make it through (and I get a second SYN-ACK and send a second ACK.)

What's your tunnel script look like? I can't play with my config right now but I wonder if a workaround could be to add something to keep the packet size under the bug limit, maybe like this:

...
start() {
        echo -n "Starting TunnelBroker.net IPv6 tunnel: "
        ip tunnel add he-ipv6 mode sit local $LOCALIP remote $POPIP
        ip link set he-ipv6 up
        ip link set mtu 190 dev he-ipv6
        ip -6 addr add $LOCTUN/64 dev he-ipv6
        ip -6 ro add default via $REMTUN dev he-ipv6
        echo "Done."
}
...

or just run 'ip link set mtu 190 dev he-ipv6' on an existing tunnel.

(Last edited by jeverett on 24 Jan 2009, 22:06)

Post #4

jeverett

26 Jan 2009, 17:31

gerald wrote:

...but "ping6 -s 191" does not:

I can confirm that exact cut off point for failure on mine as well:

Mac:~ user# ping6 -s 190 www.sixxs.net
PING6(238=40+8+190 bytes) 2001:0db8:1234:5::2 --> 2001:838:1:1:210:dcff:fe20:7c7c
198 bytes from 2001:838:1:1:210:dcff:fe20:7c7c, icmp_seq=0 hlim=53 time=200.615 ms
198 bytes from 2001:838:1:1:210:dcff:fe20:7c7c, icmp_seq=1 hlim=53 time=204.706 ms
198 bytes from 2001:838:1:1:210:dcff:fe20:7c7c, icmp_seq=2 hlim=53 time=200.536 ms
^C
--- www.m.sixxs.net ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 200.536/201.952/204.706 ms

Mac:~ user# ping6 -s 191 www.sixxs.net
PING6(239=40+8+191 bytes) 2001:0db8:1234:5::2 --> 2001:838:1:1:210:dcff:fe20:7c7c
^C
--- www.m.sixxs.net ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

jeverett wrote:

...'ip link set mtu 190 dev he-ipv6'...

That doesn't work. Per Wikipedia, "IPv6 routers do not perform fragmentation. IPv6 hosts are required to either perform PMTU discovery, perform end-to-end fragmentation, or to send packets smaller than the IPv6 minimum maximum packet size."

I did get IPv6 http to work by changing my IPv6 client to an mtu of 190 -- but that setting is for the entire interface IPv4 and IPv6, local and remote communication, and is ridiculously inefficient.

I guess for all practical purposes, IPv6 is broke when stuck with a device that requires the 2.4 kernel.

(Last edited by jeverett on 26 Jan 2009, 17:31)

Post #5

MaZe

13 Feb 2010, 08:55

I don't think Google likes responding to large pings, hence I don't think testing with large pings against Google works...

$ ping6 -s 65 ipv6.google.com
PING ipv6.google.com(pv-in-x93.1e100.net) 65 data bytes
72 bytes from pv-in-x93.1e100.net: icmp_seq=1 ttl=54 (truncated)
^C
--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4546ms
rtt min/avg/max/mdev = 19.190/19.467/20.271/0.449 ms

$ ping6 -s 64 ipv6.google.com
PING ipv6.google.com(pv-in-x68.1e100.net) 64 data bytes
72 bytes from pv-in-x68.1e100.net: icmp_seq=1 ttl=54 time=19.6 ms
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3430ms
rtt min/avg/max/mdev = 19.113/19.551/19.747/0.307 ms

I have a guess at what the actual problem is though.

Could you run "sudo ip link set eth0 mtu 1481" on your desktop and verify it is still broken, then run "sudo ip link set eth0 mtu 1480" and verify if it now works?

Post #6

lore20

12 Sep 2010, 13:48

same problem here with linux 2.6.30.10 (self-compiled openwrt)

router <=> ipv6 network works fine, 10Mbps bandwidth, large TCP/UDP/ICMP session without any problem
clientsv6 <=> router everything right, 100Mbps bandwidth, no oproblem

clientsv4 <=> router <=> ipv4 network GOOD
clientsv6 <=> router <=> ipv6 network .............. EXTREMELY SLOW!

Ping latency is under 100ms but it wait about 10s before starting a new request to the server (i don't know why) with any -s (190,191)

The strangest things is that some websites (i'm working on a ipv6-only client, so there is not any risk that some connections escape to ipv4) likes google, gmail, google maps works perfectly (i can reach from che client 5-6 Mbps) but other (youtube, kame.net, sixxs.net, tunnelbroker.net) are unusable (with wireshark i see that many tcp packets aren't forwarded)

Some months ago everything worked perfectly, i haven't made any configuration change but now this is my situation.

Post #7

lore20

6 Jan 2011, 14:11

it's only a MTU problem, this should be enough to fix it:

ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

put this line somewhere in /etc/firewall.user and ensure that firewall.user is included in /etc/config/firewall

Post #8

KillaB

6 Jan 2011, 21:22

I fixed my MTU with radvd: http://forum.openwrt.org/viewtopic.php? … 81#p123881

Relevant section from /etc/config/radvd:

config interface
        option interface        'lan'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 0
        option AdvLinkMTU       1280
        option ignore           0

root@OpenWrt:~# ip -6 route
2001:470:x1:x::/64 via :: dev 6in4-henet  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 0
2001:470:x2:x::/64 dev br-lan  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev br-lan  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0.1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0.2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 via :: dev 6in4-henet  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 0
default dev 6in4-henet  metric 1024  mtu 1280 advmss 1220 hoplimit 0

user@Client:~$ ip -6 route
2001:470:x2:x::/64 dev eth0  proto kernel  metric 256  expires 86147sec mtu 1280 advmss 1220 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 0
default via fe80::x:x:x:x dev eth0  proto kernel  metric 1024  expires 1542sec mtu 1280 advmss 1220 hoplimit 64

(Last edited by KillaB on 6 Jan 2011, 21:37)

Post #9

MaZe

7 Jan 2011, 01:45

Yes, that's my current solution as well (except I'm advertising 1480 not 1280 instead of the default 1500)

Post #10

awm1

14 Feb 2011, 15:20

Hello,

I have the same problem as in the first post. I tried both lore20's and KillaB's solutions, however, I can't still get IPv6 pages working. Only ping works on my computer (notebook with Ubuntu 10.10, WiFi connection, MTU in NetworkManager set to 1280) - it is connected to Asus WL-500gP with Backfire rc4, which is behind D-Link DSL-584T with the same release of OpenWrt.

Has anyone some other idea about making it working?

awm1

The discussion might have continued from here.

Page 1 of 1