Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: moeller on July 20, 2025, 07:13:18 AM

Title: IPV6 tunnel and MTU issue ?
Post by: moeller on July 20, 2025, 07:13:18 AM
Hi Forum,

  I am experimenting with IPv6 and run into an issue when using HE as an IPv6 tunnel broker. As far as I understand, the MTU of the tunnel interface will be 1280 instead of the usual 1500. Now when I connect to a TLS-encrypted site I see that I can connect via IPv4 but not via IPv6. I noticed that the TLS Server Hello packet is > 1280 bytes long (over IPv4) and wonder if the HE tunnel endpoint sends ICMP DF to the server to split the TLS packet. Can someone confirm that this will be done, and that if the server blocks ICMP I get this issue?

Thank you
Markus
Title: Re: IPV6 tunnel and MTU issue ?
Post by: snarked on July 20, 2025, 10:47:15 PM
Your understanding is incorrect.

1280 bytes is the minimum size of an IPv6 packet.
Typical IPv6 in IPv4 encapsulated packets have an MTU of 1480 bytes (1500 bytes less 20 for the IPv4 outer header).

Try increasing your IPv6 MTU to 1480 bytes first.  Worry about the rest only if this doesn't solve your problem.
Title: Re: IPV6 tunnel and MTU issue ?
Post by: moeller on July 21, 2025, 12:22:55 AM
Hi snarked,

  Thank you for the correction. I changed the tunnel interface to 1480 bytes, but still have a hanging connection with TLS over IPv6 to some sites. I see the Server Hello in Wireshark to have 1508 bytes (over IPv4). When the Server Hello is smaller it works over IPv6.

Markus

Title: Re: IPV6 tunnel and MTU issue ?
Post by: moeller on July 21, 2025, 07:49:57 AM
Hi

   I created a little test using socat

On an Oracle free cloud server
#printf '%*s' 1500 | tr ' ' 'A' > filename.txt
#socat TCP6-LISTEN:8888,reuseaddr,fork FILE:"filename.txt",rdonly

On my client through the tunnel I run telnet and it hangs

#telnet  [v6-ip] 8888
Connected to [v6-ip] (v6-ip).
Escape character is '^]'.


When I reduce the file size to 1400 bytes e.g. 
#printf '%*s' 1400 | tr ' ' 'A' > filename.txt

the telnet works

#telnet  [v6-ip] 8888
Connected to [v6-ip] (v6-ip).
Escape character is '^]'.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....

As soon as I go over 1400 bytes it breaks :-(

I see the ICMP for it, but it seems to be ignored.

14:51:58.837064 IP6 tserv1.lon1.he.net > first-instance-20210620: ICMP6, packet too big, mtu 1480, length 1240

Regards
Markus
Title: Re: IPV6 tunnel and MTU issue ?
Post by: snarked on July 25, 2025, 03:29:54 PM
Then set it to 1400, as you discovered.

HE tunnels should handle up to 1480.
Wireguard (encrypted) tunnels handle 1420.
I don't know of anything that reduces MTU to 1400, other than the combination of both tunnel types.
Title: Re: IPV6 tunnel and MTU issue ?
Post by: moeller on July 29, 2025, 04:12:20 AM

Looking at my Wireshark capture I am missing the ICMPv6 Packet Too Big message from the HE tunnel endpoint. Can someone from HE confirm they get sent?

Thank you
Markus
Title: Re: IPV6 tunnel and MTU issue ?
Post by: XQZR on August 01, 2025, 08:22:05 AM
'he-ipv6' interface MTU 1480(def)
Use TCP MSS clamping on router
nftables:
        chain forward {
                type filter hook forward priority filter;
                oifname he-ipv6 tcp flags syn tcp option maxseg size set rt mtu
        }
Title: Re: IPV6 tunnel and MTU issue ?
Post by: moeller on August 02, 2025, 05:00:17 AM
Hi XQZR

    Yes, setting the MSS lower works. Hopefully I get no large UDP packets.

Thank you
Markus
Title: Re: IPV6 tunnel and MTU issue ?
Post by: XQZR on August 09, 2025, 11:09:53 AM
Quote from: moeller on August 02, 2025, 05:00:17 AM
Hopefully I get no large UDP packets.
Don't worry, you usually won't receive oversized UDP packets.

1. Tunnel servers have a default MTU of 1480.
2. HTTP/3 (QUIC), as a common type of UDP traffic, performs PMTU probing. When it receives an ICMPv6 Packet Too Big message or detects packet loss, the HTTP/3 server will reduce the packet size.
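
Added example, not part of any post in this thread: a Python sketch that reads tcpdump text output captured on the sending server, like the ICMP6 line in moeller's July 21 post, and counts TCP segments still sent above the announced MTU after a Packet Too Big arrived, which is the sign that the sender is not acting on it. It also reports the MSS that fits that MTU (MTU minus the 40-byte IPv6 header and the 20-byte TCP header), the value an MSS clamp would set. The sample capture, the host names `server` and `client`, and all function names are constructed for illustration; the option-length table covers only common TCP options.

```python
import re

IPV6_HDR, TCP_HDR = 40, 20          # fixed header sizes in bytes
OPT_LEN = {"nop": 1, "eol": 1, "mss": 4, "wscale": 3, "sackOK": 2, "TS": 10}

PTB_RE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, packet too big, mtu (\d+)")
TCP_RE = re.compile(r"IP6 (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[[^\]]*\]"
                    r"(?:.*?options \[([^\]]*)\])?.*?length (\d+)")

# Constructed sample in tcpdump's default text format, as seen on the server.
# Only the shape of the ICMP6 line comes from the thread; hosts are placeholders.
SAMPLE = """\
14:51:58.801000 IP6 client.40000 > server.8888: Flags [S], seq 100, win 64800, options [mss 1440,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:51:58.836000 IP6 server.8888 > client.40000: Flags [P.], seq 1:1429, ack 1, win 509, options [nop,nop,TS val 5 ecr 2], length 1428
14:51:58.837064 IP6 tserv1.lon1.he.net > server: ICMP6, packet too big, mtu 1480, length 1240
14:51:59.050000 IP6 server.8888 > client.40000: Flags [P.], seq 1:1429, ack 1, win 509, options [nop,nop,TS val 9 ecr 2], length 1428
"""

def ipv6_packet_size(options, payload):
    """IPv6 header + TCP header + TCP options (padded to 4 bytes) + payload."""
    opt = sum(OPT_LEN.get(o.split()[0], 0) for o in (options or "").split(",") if o.strip())
    return IPV6_HDR + TCP_HDR + (opt + 3) // 4 * 4 + payload

def find_blackholes(capture):
    """Return (sender, path_mtu, fitting_mss, oversized_segments_after_ptb)."""
    ptb, hits = {}, {}
    for line in capture.splitlines():
        m = PTB_RE.search(line)
        if m:
            ptb[m.group(2)] = int(m.group(3))   # the PTB is addressed to the sender
            hits.setdefault(m.group(2), 0)
            continue
        m = TCP_RE.search(line)
        if m and m.group(1) in ptb:
            # A segment larger than the announced MTU after the PTB means
            # the sender did not shrink its packets.
            if ipv6_packet_size(m.group(5), int(m.group(6))) > ptb[m.group(1)]:
                hits[m.group(1)] += 1
    return [(h, ptb[h], ptb[h] - IPV6_HDR - TCP_HDR, n) for h, n in hits.items()]

if __name__ == "__main__":
    for sender, mtu, mss, n in find_blackholes(SAMPLE):
        print(f"{sender}: path MTU {mtu}, fitting MSS {mss}, oversized after PTB: {n}")
```

A non-zero count for a sender means the Packet Too Big reached the capture point but the sender kept its segment size, so the fix has to happen elsewhere, for example by lowering the MSS on the path.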