
Check your firewall to make sure that ICMPv6 Packet Too Big messages are allowed

Started by bartgrefte, January 03, 2015, 02:01:29 AM


bartgrefte

So I've been using a HE-tunnel for years, without any problems (that I remember). Until this morning. I noticed that anything Google related (search engine, translate etc) wouldn't load. Didn't get any errors, Firefox just kept on "loading", while Google opened just fine using IPv4.

Other websites seem to open just fine using IPv6, but after a while, Facebook and this website wouldn't load either via IPv6.

Then I opened up http://test-ipv6.com/ which gave a 1 out of 10 score and this is what it said:
Quote: WARNING! IPv6 works a little, but large packets don't seem to arrive, so websites may appear broken when they use IPv6. Ask your ISP about MTU problems, possibly related to your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).
The Dutch part says that large packets don't seem to arrive and to ask the ISP about MTU issues.

After GooglingBinging (is that even a word?) about "packet too big" issues, I entered

ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT

on my IPFire router, and everything was fine again; that test-website gave a 10 out of 10 score :)

I don't suppose anyone could explain why this suddenly happened? Don't think I ever had MTU/packet-too-big issues before.

antillie

My guess would be that some router somewhere between you and the wider IPv6 internet had its MTU changed and the inability of your tunnel to negotiate an MTU with ICMPv6 suddenly caused an issue when this happened. By allowing the proper ICMPv6 packets you allowed MTU negotiation and fixed the issue.

There really isn't any reason to filter ICMPv6 anyway. All of the stupid and/or risky ICMP types like timestamp request/reply and mask request/reply were removed from the protocol when it was redesigned for IPv6. The only ones that might cause issues, such as router, neighbor, or prefix advertisements, can't cross a router anyway and are better handled by a managed switch as outlined in RFC 6105.

bartgrefte

Hmm, okay. So those three rules are essential?

When I wrote the ip6tables rules, I started with blocking everything by default and then only allowed what's needed. Didn't have to enter those rules to get things going.

broquea

Rate limit ICMP(6), do not block. The only ICMP6 types I might block outright are 139/140, but hosts have to have that enabled in the first place, which they don't.

bartgrefte

So... I should write the rules like this?

ip6tables -A INPUT -p icmpv6 -j ACCEPT --match limit --limit 30/minute
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT --match limit --limit 30/minute
ip6tables -A FORWARD -p icmpv6 -j ACCEPT --match limit --limit 30/minute

Although I'm not sure if 30/minute is enough, or not enough.

bartgrefte

Hmm, it looked like

ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT

fixed it, but now the IPv6 troubles are back again. However, this time only with Google services, and it looks like I'm not the only one: http://forums.whirlpool.net.au/forum-replies.cfm?t=2360847 . IPv6 test websites don't indicate any problems this time.
http://test-ipv6.com/ : 10/10
http://ipv6-test.com/ : 17/20, "Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all." and "Get a reverse DNS record"
ESS is blocking ping-replies, that shouldn't cause any problems and disabling the firewall doesn't solve the connection issue.

Is there any way to troubleshoot problems connecting to a website through IPv6? As soon as I disable IPv6 or manually enter the IPv4 address (apparently Firefox doesn't automatically fall back on IPv4 with Google), I can access Google without problems, and just like with the others from that link, the problem is intermittent. Sometimes it works, but mostly doesn't.
Someone from that link mentioned something about routing issues.

It happens with both Google.com and Google.nl and a traceroute doesn't seem to show anything out of the ordinary.
C:\Users\Bart>tracert google.nl

Traceren van de route naar google.nl [2a00:1450:4013:c01::5e]
via maximaal 30 hops:

  1   <1 ms   <1 ms     1 ms  2001:*:*:*::1
  2     8 ms     7 ms     8 ms  bartgrefte-1.tunnel.tserv11.ams1.ipv6.he.net [2001:*:*:*::1]
  3    12 ms     4 ms    18 ms  v213.core1.ams1.he.net [2001:470:0:7d::1]
  4     5 ms     5 ms     6 ms  core1.ams.net.google.com [2001:7f8:1::a501:5169:2]
  5     5 ms     5 ms     5 ms  2001:4860::1:0:4b3
  6     5 ms     5 ms     5 ms  2001:4860::8:0:51a0
  7     8 ms    14 ms     8 ms  2001:4860::8:0:517a
  8     8 ms     8 ms     8 ms  2001:4860::2:0:8651
  9     *        *        *     Time-out bij opdracht.
10     8 ms     8 ms     8 ms  ea-in-x5e.1e100.net [2a00:1450:4013:c01::5e]

De trace is voltooid.

C:\Users\Bart>tracert google.com

Traceren van de route naar google.com [2a00:1450:4013:c01::8a]
via maximaal 30 hops:

  1   <1 ms   <1 ms   <1 ms  2001:*:*:*::1
  2     8 ms     8 ms     8 ms  bartgrefte-1.tunnel.tserv11.ams1.ipv6.he.net [2001:*:*:*::1]
  3     7 ms     5 ms     4 ms  v213.core1.ams1.he.net [2001:470:0:7d::1]
  4     5 ms     5 ms     5 ms  core1.ams.net.google.com [2001:7f8:1::a501:5169:2]
  5     5 ms     5 ms     6 ms  2001:4860::1:0:4b3
  6     5 ms     5 ms     5 ms  2001:4860::8:0:519f
  7    12 ms     9 ms    18 ms  2001:4860::8:0:517a
  8     8 ms     8 ms     8 ms  2001:4860::2:0:8652
  9     *        *        *     Time-out bij opdracht.
10     8 ms     8 ms     8 ms  ea-in-x8a.1e100.net [2a00:1450:4013:c01::8a]

De trace is voltooid.

C:\Users\Bart>


edit: This problem is now reported on the Dutch IT-forum Tweakers.net as well.

snarked

The only ICMP(6) packets that I rate-limit are pings (echo-requests).  All error types should be accepted without limit.
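Putting the thread's advice together (error types accepted without limit, echo-request rate-limited, types 139/140 dropped, Neighbor Discovery allowed), here is an added example script that is not from the thread or from IPFire: it prints a ruleset in ip6tables-restore format so it can be reviewed before loading. The chain name ICMPV6, the 30/minute limit and the hop-limit check on NDP messages are assumptions of this example.

```shell
#!/bin/sh
# Added example: ICMPv6 ruleset following the thread's advice. Error types
# (1-4) are accepted with no limit, because Path MTU Discovery relies on
# Packet Too Big; only echo-request is rate-limited; 139/140 are dropped.
# Chain name, limit value and hop-limit check are assumptions of the example.
# Load (as root, after reviewing):  gen_icmpv6_rules | ip6tables-restore -n

gen_icmpv6_rules() {
cat <<'EOF'
*filter
:ICMPV6 - [0:0]
# Error messages: never rate-limit these, or PMTU discovery breaks
-A ICMPV6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Neighbor Discovery is link-local only, so require hop limit 255 (RFC 4861)
-A ICMPV6 -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# Node Information Query/Response (139/140): not needed, drop outright
-A ICMPV6 -p icmpv6 --icmpv6-type 139 -j DROP
-A ICMPV6 -p icmpv6 --icmpv6-type 140 -j DROP
# Echo: the only type worth rate-limiting; replies answer our own pings
-A ICMPV6 -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/minute --limit-burst 10 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ICMPV6 -j DROP
# Send ICMPv6 arriving at, or routed through, the firewall to the chain
-A INPUT -p icmpv6 -j ICMPV6
-A FORWARD -p icmpv6 -j ICMPV6
-A OUTPUT -p icmpv6 -j ACCEPT
COMMIT
EOF
}

# Number of rules the generator emits (every "-A" line).
rule_count() { gen_icmpv6_rules | grep -c -- '^-A '; }

# Returns 0 only if no error-type rule carries a limit match or a DROP target.
errors_unlimited() {
    n=$(gen_icmpv6_rules \
        | grep -E -- '--icmpv6-type (destination-unreachable|packet-too-big|time-exceeded|parameter-problem) ' \
        | awk '/-m limit|-j DROP/ { c++ } END { print c + 0 }')
    [ "$n" -eq 0 ]
}
```

Running the script only prints the ruleset; nothing is applied until the output is piped into ip6tables-restore, so it can be compared against the existing rules first.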