PMTUD IPv6 weird routing

Following setup:

reverse proxy (2001:67c:fe8::2) <--ethernet (1500)--> (2001:67c:fe8::1) openwrt (2a0a:4580:1a:1::2) <--wireguard (1412) --> (2a0a:4580:1a:1::1) debian router

A host from the internet tries to access the reverse proxy. When the reverse proxy answers, the packet will not arrive at its destination, as it sends a frame of 1500 bytes. As the tunnel doesn't allow that, the OpenWrt firewall sends a Packet Too Big message. So far so good.

11:41:17.648493 IP6 2001:67c:fe8::1 > 2001:67c:fe8::2: ICMP6, packet too big, mtu 1412, length 1240

The weird thing is that the message is sent by the OpenWrt firewall, but it's being sent through the WireGuard interface instead of the Ethernet interface (eth2.14).

ip -6 r s |grep 67c

2001:67c:fe8::/64 dev eth2.14 proto kernel metric 256 pref medium

ip -6 n s | grep 67c

2001:67c:fe8::2 dev eth2.14 lladdr bc:24:11:51:58:a9 REACHABLE

Does someone have an idea why that happens? Due to that problem the connection stalls and the traffic never actually flows.
The OpenWrt device is a Banana Pi R4 with OpenWrt 24.10.0-rc2 r28161-ea17e958b9.

You need source routing. Please show us your route table. But in the end it's something like:

ip route [add|replace] ${destination} from ${source} [via ${nexthop}|dev ${interface}]

I'm sure this should also be configurable via LuCI. (I use hotplug scripts for that, or even static routes configured by bird2, a dynamic routing daemon.)

Edit: And ensure that all needed ICMPv6 messages are allowed!

You're right. There are rules and additional routing tables I forgot about.
Thanks so much for the hint.
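
An added example, not part of the original posts: a small simulation of Linux policy routing showing how a source-based rule can send the router's own Packet Too Big message out of the tunnel even though the main table has the on-link route. The rule at priority 1000, table 100 and the interface name wg0 are assumptions; the thread never shows the actual rules.

```python
import ipaddress

# Constructed sample of `ip -6 rule show` and `ip -6 route show table all`
# (not from the thread; table 100 and wg0 are assumed, local-table entries omitted).
RULES = """\
0:      from all lookup local
1000:   from 2001:67c:fe8::/64 lookup 100
32766:  from all lookup main
"""
ROUTES = """\
default dev wg0 table 100 metric 1024 pref medium
2001:67c:fe8::/64 dev eth2.14 proto kernel metric 256 pref medium
default via 2a0a:4580:1a:1::1 dev wg0 metric 1024 pref medium
"""

def net(text):
    return ipaddress.ip_network("::/0" if text in ("all", "default") else text)

def parse_rules(text):
    """Return (priority, source prefix, table) for 'PRIO: from SRC lookup TABLE' lines."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        rules.append((int(prio), net(words[words.index("from") + 1]),
                      words[words.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):
    """Group (prefix, dev) by table; lines without a 'table' keyword belong to main."""
    tables = {}
    for line in text.splitlines():
        words = line.split()
        table = words[words.index("table") + 1] if "table" in words else "main"
        tables.setdefault(table, []).append((net(words[0]), words[words.index("dev") + 1]))
    return tables

def egress(src, dst, rules, tables):
    """Walk rules in priority order; the first table holding a matching route decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in rules:
        if src not in selector:
            continue
        hits = [(p, dev) for p, dev in tables.get(table, []) if dst in p]
        if hits:  # longest prefix wins inside one table
            prefix, dev = max(hits, key=lambda h: h[0].prefixlen)
            return prio, table, str(prefix), dev
    return None

print(egress("2001:67c:fe8::1", "2001:67c:fe8::2", parse_rules(RULES), parse_routes(ROUTES)))
```

On the router itself, `ip -6 rule show` together with `ip -6 route get 2001:67c:fe8::2 from 2001:67c:fe8::1` gives the kernel's actual decision, which `ip -6 r s` cannot show because it only lists the main table.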
