Hurricane Electric's IPv6 Tunnel Broker Forums


Topic: Check your firewall to make sure that ICMPv6 Packet Too Big messages are allowed

bartgrefte

  • Newbie
  • Posts: 38

So I've been using an HE tunnel for years, without any problems (that I remember). Until this morning. I noticed that anything Google related (search engine, translate etc) wouldn't load. Didn't get any errors, Firefox just kept on "loading", while Google opened just fine using IPv4.

Other websites seem to open just fine using IPv6, but after a while, Facebook and this website wouldn't load either via IPv6.

Then I opened up http://test-ipv6.com/ which gave a 1 out of 10 score and this is what it said:
Quote:
[Translated from Dutch:] ATTENTION! IPv6 works a little, but large packets don't seem to arrive, which can make websites appear broken if they use IPv6. Ask your ISP about MTU problems, possibly related to your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).
The Dutch part says that large packets don't seem to arrive and to ask the ISP about MTU issues.

After GooglingBinging (is that even a word?) about "packet too big" issues, I entered
Code:
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
on my IPFire router, everything was fine again and that test-website gave a 10 out of 10 score :)

I don't suppose anyone could explain why this suddenly happened? Don't think I ever had MTU/packet-too-big issues before.

antillie

  • Full Member
  • Posts: 104

My guess would be that some router somewhere between you and the wider IPv6 internet had its MTU changed and the inability of your tunnel to negotiate an MTU with ICMPv6 suddenly caused an issue when this happened. By allowing the proper ICMPv6 packets you allowed MTU negotiation and fixed the issue.

There really isn't any reason to filter ICMPv6 anyway. All of the stupid and/or risky ICMP types like timestamp request/reply and mask request/reply were removed from the protocol when it was redesigned for IPv6. The only ones that might cause issues, such as router, neighbor, or prefix advertisements, can't cross a router anyway and are better handled by a managed switch as outlined in RFC 6105.
« Last Edit: January 10, 2015, 04:19:17 PM by antillie »

bartgrefte

  • Newbie
  • Posts: 38

Hmm, okay. So those three rules are essential?

When I wrote the ip6tables rules, I started with blocking everything by default and then only allowed what's needed. Didn't have to enter those rules to get things going.
« Last Edit: January 13, 2015, 08:28:12 AM by bartgrefte »

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • Posts: 1722

Rate limit ICMP(6), do not block. The only ICMP6 types I might block outright are 139/140, but hosts have to have that enabled in the first place, which they don't.

bartgrefte

  • Newbie
  • Posts: 38

So... I should write the rules like this?

ip6tables -A INPUT -p icmpv6 -m limit --limit 30/minute -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -m limit --limit 30/minute -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -m limit --limit 30/minute -j ACCEPT

Although I'm not sure if 30/minute is enough, or not enough.
« Last Edit: January 16, 2015, 02:09:31 AM by bartgrefte »

bartgrefte

  • Newbie
  • Posts: 38

Hmm, it looked like
Code:
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
fixed it, but now the IPv6-troubles are back again. However, this time only with Google-services and it looks like I'm not the only one: http://forums.whirlpool.net.au/forum-replies.cfm?t=2360847 , IPv6 test-websites don't indicate any problems this time.
http://test-ipv6.com/ : 10/10
http://ipv6-test.com/ : 17/20, "Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all." and "Get a reverse DNS record"
ESS is blocking ping replies; that shouldn't cause any problems, and disabling the firewall doesn't solve the connection issue.

Is there any way to troubleshoot problems connecting to a website through IPv6? As soon as I disable IPv6 or manually enter the IPv4 address (apparently Firefox doesn't automatically fall back on IPv4 with Google), I can access Google without problems, and just like with the others from that link, the problem is intermittent. Sometimes it works, but mostly doesn't.
Someone from that link mentioned something about routing issues.

It happens with both Google.com and Google.nl and a traceroute doesn't seem to show anything out of the ordinary.
Code:
C:\Users\Bart>tracert google.nl

Traceren van de route naar google.nl [2a00:1450:4013:c01::5e]
via maximaal 30 hops:

  1   <1 ms   <1 ms     1 ms  2001:*:*:*::1
  2     8 ms     7 ms     8 ms  bartgrefte-1.tunnel.tserv11.ams1.ipv6.he.net [2001:*:*:*::1]
  3    12 ms     4 ms    18 ms  v213.core1.ams1.he.net [2001:470:0:7d::1]
  4     5 ms     5 ms     6 ms  core1.ams.net.google.com [2001:7f8:1::a501:5169:2]
  5     5 ms     5 ms     5 ms  2001:4860::1:0:4b3
  6     5 ms     5 ms     5 ms  2001:4860::8:0:51a0
  7     8 ms    14 ms     8 ms  2001:4860::8:0:517a
  8     8 ms     8 ms     8 ms  2001:4860::2:0:8651
  9     *        *        *     Time-out bij opdracht.
 10     8 ms     8 ms     8 ms  ea-in-x5e.1e100.net [2a00:1450:4013:c01::5e]

De trace is voltooid.

C:\Users\Bart>tracert google.com

Traceren van de route naar google.com [2a00:1450:4013:c01::8a]
via maximaal 30 hops:

  1   <1 ms   <1 ms   <1 ms  2001:*:*:*::1
  2     8 ms     8 ms     8 ms  bartgrefte-1.tunnel.tserv11.ams1.ipv6.he.net [2001:*:*:*::1]
  3     7 ms     5 ms     4 ms  v213.core1.ams1.he.net [2001:470:0:7d::1]
  4     5 ms     5 ms     5 ms  core1.ams.net.google.com [2001:7f8:1::a501:5169:2]
  5     5 ms     5 ms     6 ms  2001:4860::1:0:4b3
  6     5 ms     5 ms     5 ms  2001:4860::8:0:519f
  7    12 ms     9 ms    18 ms  2001:4860::8:0:517a
  8     8 ms     8 ms     8 ms  2001:4860::2:0:8652
  9     *        *        *     Time-out bij opdracht.
 10     8 ms     8 ms     8 ms  ea-in-x8a.1e100.net [2a00:1450:4013:c01::8a]

De trace is voltooid.

C:\Users\Bart>

edit: This problem is now reported on the Dutch IT-forum Tweakers.net as well.
« Last Edit: January 18, 2015, 11:35:47 AM by bartgrefte »
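An added example of one way to troubleshoot the path MTU question this post raises; it is not from the thread or from HE. It binary-searches the largest ping payload that still gets through with fragmentation forbidden, using iputils `ping -6 -M do` (older systems spell it `ping6`). The host argument, the 1280 to 1500 byte search window and the helper names are assumptions of this example; the 1480-byte figure in the comments is the common default MTU of a 6in4 tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): find the largest ICMPv6 echo payload
# that reaches a host without fragmentation, by binary search over
# `ping -6 -M do`. A 1480-byte tunnel MTU leaves
# 1480 - 40 (IPv6 header) - 8 (ICMPv6 header) = 1432 bytes of payload.

# One probe: exit 0 only if a single ping of $1 payload bytes to $2 is
# answered. -M do forbids fragmentation, so an oversize probe either fails
# locally after a Packet Too Big error came back, or, if that ICMPv6 type is
# filtered somewhere on the path, simply times out. Both count as failure.
probe() {
    ping -6 -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# Largest payload in [lo, hi] for which probe succeeds; prints 0 if none.
# Assumes a monotone path: if size N passes, every smaller size passes.
max_payload() {
    host=$1
    lo=${2:-1232}   # payload for the 1280-byte IPv6 minimum MTU
    hi=${3:-1452}   # payload for a 1500-byte Ethernet MTU
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# Echo payload -> the link MTU that carries it (40-byte IPv6 + 8-byte ICMPv6 header).
payload_to_mtu() {
    echo $(( $1 + 48 ))
}

# Usage: sh pmtu-probe.sh <ipv6-host>   (hypothetical script name)
if [ -n "$1" ]; then
    p=$(max_payload "$1")
    if [ "$p" -eq 0 ]; then
        echo "no reply at any size: host unreachable or echo filtered" >&2
        exit 1
    fi
    echo "largest unfragmented payload to $1: $p bytes (path MTU about $(payload_to_mtu "$p"))"
fi
```

If the result is well below what the tunnel should carry, the next question is whether Packet Too Big messages are reaching the host at all: with them filtered, ping shows only timeouts for the oversize probes instead of a local "message too long" error, which is the same black-hole behaviour that makes a large web page hang while small pages load.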

snarked

  • Hero Member
  • Posts: 761

The only ICMP(6) packets that I rate-limit are pings (echo-requests). All error types should be accepted without limit.
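Putting the advice in this thread together (accept Packet Too Big and the other ICMPv6 error types without limit, rate-limit echo-request rather than blocking ICMPv6 outright, drop the rest), here is an added ip6tables policy; it is not from the thread or from HE. The 30/minute figure comes from bartgrefte's post. The hop-limit 255 check on Neighbor Discovery, the final DROP, the DRY_RUN switch and the helper names are this example's assumptions. The `ptb_accepted` audit reads an `ip6tables -S <chain>` listing and reports whether type 2 is accepted before any ICMPv6 or catch-all drop, which is the check test-ipv6.com was effectively performing from the outside.

```shell
#!/bin/sh
# Added example (not from the thread): an ICMPv6 policy for ip6tables that
# follows the advice above. Accept every ICMPv6 error type unconditionally,
# rate-limit echo-request, allow Neighbor Discovery, drop everything else.
# With DRY_RUN=1 (the default) the rules are printed instead of applied;
# run as root with DRY_RUN=0 to load them.
DRY_RUN=${DRY_RUN:-1}

rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

# icmpv6_policy <chain> [<echo-request limit>]
icmpv6_policy() {
    chain=$1
    limit=${2:-30/minute}   # applied to echo-request only
    # Error messages (types 1-4). Path MTU discovery depends on type 2,
    # so these come first and are never rate-limited.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        rule -A "$chain" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbor Discovery (types 133-137) never crosses a router, so it is only
    # needed on INPUT/OUTPUT; genuine ND always carries hop limit 255.
    if [ "$chain" != FORWARD ]; then
        for t in router-solicitation router-advertisement neighbor-solicitation neighbor-advertisement redirect; do
            rule -A "$chain" -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
        done
    fi
    # Echo is rate-limited, not blocked.
    rule -A "$chain" -p icmpv6 --icmpv6-type echo-request -m limit --limit "$limit" -j ACCEPT
    rule -A "$chain" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    # Anything else ICMPv6 (including 139/140 mentioned above) is dropped.
    rule -A "$chain" -p icmpv6 -j DROP
}

# Audit: read an `ip6tables -S <chain>` listing (or this script's own output)
# on stdin; exit 0 if packet-too-big (type 2) is ACCEPTed before any
# typeless ICMPv6 drop or any catch-all drop in the chain, else exit 1.
# `ip6tables -S` prints the protocol as ipv6-icmp and the type as a number.
ptb_accepted() {
    awk '
        /-p (ipv6-icmp|icmpv6) / && /--icmpv6-type (2|packet-too-big)( |$)/ && /-j ACCEPT/ { found = 1; exit }
        /-p (ipv6-icmp|icmpv6) / && !/--icmpv6-type/ && /-j (DROP|REJECT)/ { exit }
        /-A [A-Za-z0-9_]+ -j (DROP|REJECT)$/ { exit }
        END { exit found ? 0 : 1 }
    '
}

for c in INPUT OUTPUT FORWARD; do
    icmpv6_policy "$c"
done
icmpv6_policy INPUT | ptb_accepted && echo "# packet-too-big is accepted before the ICMPv6 drop"
```

The error types are placed ahead of the rate limit on purpose: a limited or dropped Packet Too Big message is exactly what produces the hanging-page symptom described at the top of the thread, and a single bulk `-p icmpv6 -m limit` rule would throttle those errors together with pings. The audit is worth running against the live listing (`ip6tables -S INPUT | ptb_accepted`) after any rule change, since a default-deny ruleset silently loses PMTU discovery the moment the type 2 accept is missing or ends up below a drop.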