
IPv6 tunnel PPPoE issue - Does not seem MSS related

Started by ppurroy, January 30, 2017, 06:40:47 AM

ppurroy

Hello All,

I have been trying to make the Hurricane Electric IPv6 tunnel work on my Mikrotik RB2011 for a few days now. I had it working in the past but removed the configuration.

Now I am trying to configure it again and I have a strange issue. The tunnel gets set up correctly and I can ping6 through it without issues and all of the UDP protocols work perfectly. When trying to make this work with TCP the session does not get established. I have been doing some packet captures and I am attaching three files: one from the client side, one from the server side and the last one from the ethernet interface in the router that creates the PPPoE session.

The TCP handshake starts normally and the TCP MSS is changed as per the Mangle rule in the IPv6 Firewall section. What happens is strange.

- On the client side I can see the SYN (client), SYN-ACK (server), ACK (client) correctly. After that there are a lot of retransmissions of the server's original SYN-ACK and the client's original ACK.
- On the server side I can only see the SYN (client) and SYN-ACK (server) but no ACK from the client. After that I can see a lot of retransmissions of the server's original SYN-ACK.
- On the PPPoE-facing ethernet port I can see SYN (client), SYN-ACK (server), ACK (client). However, in the client ACKs (both original and retransmissions) the PPPoE session has an error in the sniffer capture that the payload length is incorrect/malformed.

So it is clear that the router is not forwarding the traffic contained in the PPPoE frames and it is dropping it.

I have played a lot with the TCP MSS settings, I am fairly certain that it is not the issue, and have removed any IPv6 Firewall rules.

If anyone can check my packet captures and give me any pointers it will be appreciated!

TIA

ppurroy

I am unable to upload the attachments with the packet captures. Is there anyone that knows what might be wrong with my setup?

cholzhauer


ppurroy

Yes, that is what I thought at first, but MSS is set to 1280 so I should not be having MTU issues, if I am correct.

I modify MSS in this way:

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1280 out-interface=sit1 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1281-65535
add action=change-mss chain=forward in-interface=sit1 new-mss=1280 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1281-65535

Wouldn't this avoid any MTU issues?

cholzhauer


ppurroy

I have set up an MTU of 1400 in the Tunnel Details page and the following setting in the Mikrotik router:

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=81.44.140.127 mtu=1400 name=sit1 remote-address=216.66.88.98