Well, I think it's an MTU issue at least.
I've had an ERL for around a month now which replaced a virtualised Sophos UTM 9 machine. I've noticed some weird issues, however, where certain websites just wouldn't respond. After a bit of digging I discovered these websites are IPv6 enabled. Not all IPv6 websites cause issues - Google for instance works fine, as does test-ipv6, but other websites like Tumblr and some Microsoft sites never load. I'd seen something similar a few years ago with IPv4 when the MTU was set wrong on a router and certain websites wouldn't work, so on a hunch I did some research and it seems to explain things, but I'm not sure why IPv4 would be working fine. Here's how I've tested so far:
- Turned off IPv6 on a PC, which forces the websites to use IPv4 - everything works fine when this is done.
- Various ping tests. If I use "ping google.com -6 -l 1443" the ping goes through fine. If I use "ping google.com -6 -l 1444" there's no response. Alternatively, if I use "ping -4 -f" and choose a size that's bigger than the MTU, then it tells me that the packet needs to be fragmented; if I take off the "-f" and ping too high I get a response. I see the same symptoms on an Ubuntu machine using its equivalent switches with ping6 and ping (to rule out Windows).
- On the ERL from the console I've tried the same ping tests and seen the same results.
These issues weren't present with IPv6 on Sophos UTM (well, I don't know about the ping tests).
Currently this is how my config looks:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 12 {
            action accept
            description "Reverse Proxy v6"
            destination {
                address <ipv6 address>
                port 80,443
            }
            protocol tcp
        }
        rule 13 {
            action accept
            description Exchange
            destination {
                address <ipv6 address>
                port 80,443,25
            }
            protocol tcp
        }
        rule 14 {
            action accept
            description "ipv6 test"
            destination {
                address <ipv6 address>
                port 80,443,25
            }
            protocol tcp
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ_DNS {
        default-action accept
        description ""
        rule 1 {
            action accept
            description DNS
            destination {
                address 192.168.0.104-192.168.0.105
                port 53
            }
            log disable
            protocol tcp_udp
            source {
                address <public ipv4 subnet>/29
            }
        }
        rule 2 {
            action accept
            description "DMZ Outbound"
            log disable
            protocol all
        }
        rule 3 {
            action drop
            description "DMZ LAN Block"
            destination {
                address 192.168.0.0/24
            }
            log disable
            protocol all
        }
    }
    name DMZ_Inbound {
        default-action accept
        description ""
        rule 10 {
            action drop
            description "Mikrotik DNS block"
            destination {
                address <public IPv4 address>
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 20 {
            action drop
            description "Mikrotik Telnet block"
            destination {
                address <public IPv4 address>
                port 23
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description Mikrotik
            destination {
                address <public IPv4 address>
            }
            log disable
            protocol all
        }
        rule 31 {
            action accept
            description "Reverse Proxy"
            destination {
                address <public IPv4 address>
                port 443
            }
            log disable
            protocol tcp
        }
        rule 32 {
            action accept
            description "Reverse Proxy 80"
            destination {
                address <public IPv4 address>
                port 80
            }
            log disable
            protocol tcp
        }
    }
    name Management_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            description Switch
            destination {
                address 192.168.3.203
                port 22
            }
            log disable
            protocol tcp
        }
    }
    name PPPOE {
        default-action accept
        description ""
        rule 1 {
            action accept
            description Ping
            log disable
            protocol icmp
        }
    }
    name ReverseProxy {
        default-action accept
        description ""
        rule 1 {
            action accept
            destination {
                address <public IPv4 address>
                port 443
            }
            log disable
            protocol tcp
        }
        rule 2 {
            action accept
            destination {
                address <public IPv4 address>
                port 80
            }
            log disable
            protocol tcp
        }
    }
    name WAN6_LOCAL {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "allow DHCPv6 client/server"
            destination {
                port 546
            }
            log disable
            protocol udp
            source {
                port 547
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description Ping
            log disable
            protocol icmp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description dmz
            destination {
                address <public IPv4 address>/29
            }
            log disable
            protocol all
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description ping
            log disable
            protocol icmp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
        vif 10 {
            description "Internet (PPPoE)"
            pppoe 0 {
                default-route auto
                dhcpv6-pd {
                    pd 0 {
                        interface eth0 {
                            prefix-id :6
                        }
                        interface eth1 {
                            host-address ::1
                            prefix-id 0
                            service slaac
                        }
                        interface eth1.104 {
                            host-address ::1
                            prefix-id 1
                            service slaac
                        }
                        interface eth2 {
                            host-address ::1
                            prefix-id :2
                            service slaac
                        }
                        interface pppoe0 {
                            host-address ::1
                            prefix-id :5
                        }
                        prefix-length /56
                    }
                    rapid-commit disable
                }
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name PPPOE
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                    router-advert {
                        cur-hop-limit 64
                        link-mtu 1492
                        managed-flag false
                        max-interval 600
                        other-config-flag false
                        reachable-time 0
                        retrans-timer 0
                        send-advert true
                    }
                }
                mtu 1492
                name-server auto
                password <password>
                user-id <username>
            }
        }
    }
    ethernet eth1 {
        address 192.168.0.202/24
        description Local
        duplex auto
        speed auto
        vif 103 {
            address 192.168.3.202/24
            description Management
        }
        vif 104 {
            address <public ipv4>/29
            description DMZ
            firewall {
                in {
                    name DMZ_Inbound
                }
                out {
                    name DMZ_DNS
                }
            }
            mtu 1500
        }
        vif 106 {
            address 192.168.6.202/24
            description "Guest Wifi"
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description Plex
        forward-to {
            address 192.168.0.26
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 2 {
        description "Exchange SMTP"
        forward-to {
            address 192.168.0.110
            port 25
        }
        original-port 25
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    static {
        route 10.3.0.0/16 {
            next-hop 192.168.0.220 {
                description <company>
                distance 10
            }
        }
        route 192.168.9.0/24 {
            next-hop 192.168.0.220 {
                description <company>
                distance 10
            }
        }
    }
}
service {
    dhcp-relay {
        interface eth1
        interface eth1.106
        server 192.168.0.101
        server 192.168.0.102
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
        rule 5011 {
            description Management
            log disable
            outbound-interface eth1.103
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name fortress.local
    host-name edge
    login {
        radius-server 192.168.0.105 {
            port 1812
            secret <password>
            timeout 2
        }
        radius-server 192.168.0.106 {
            port 1812
            secret <password>
            timeout 2
        }
        user <user> {
            authentication {
                encrypted-password <password>
                plaintext-password ""
            }
            full-name <user>
            level admin
        }
        user localadmin {
            authentication {
                encrypted-password <password>
                plaintext-password ""
            }
            level admin
        }
        user <user> {
            authentication {
                encrypted-password <password>
                plaintext-password ""
            }
            full-name <user>
            level admin
        }
    }
    name-server 192.168.0.101
    name-server 192.168.0.102
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Pacific/Auckland
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */
These lines I've added or modified from some Googling, but it hasn't made a difference:
router-advert {
    cur-hop-limit 64
    link-mtu 1492
    managed-flag false
    max-interval 600
    other-config-flag false
    reachable-time 0
    retrans-timer 0
    send-advert true
}
and
options {
    mss-clamp {
        interface-type pppoe
        mss 1452    (was previously 1412)
    }
}
Anything that I might have missed?
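A worked example of the MTU arithmetic behind the ping tests in the post, added here as an illustration; it is not code from the original post or from Ubiquiti. The probe_with_ping helper assumes a Linux iputils ping (where -M do sets the don't-fragment behaviour and -s sets the ICMP payload size); everything else is pure arithmetic and runs offline against a simulated link. The script binary-searches the largest ICMP payload a path carries without fragmentation, converts it to a path MTU, and derives the TCP MSS that fits that MTU for each address family. Applied to the numbers in the post (a 1443-byte IPv6 payload answers, 1444 does not), the search reports a path MTU of 1491, one byte below the 1492 configured as both `mtu` and `link-mtu` on pppoe0, which is the kind of discrepancy worth confirming on the interface itself before changing more firewall settings. The arithmetic also shows that 1452 is the right IPv4 MSS for a 1492-byte MTU, while the IPv6 equivalent is 1432 because the IPv6 header is 20 bytes longer.

```python
"""Path-MTU probing and MTU/MSS arithmetic for a PPPoE uplink.

Added illustration, not code from the original post. probe_with_ping()
assumes a Linux iputils ping (-M do = never fragment, -s = payload size);
the rest is pure arithmetic and runs offline against a simulated link.
"""
import subprocess
from typing import Callable

IPV4_HDR = 20        # IPv4 header without options
IPV6_HDR = 40        # fixed IPv6 header
ICMP_HDR = 8         # ICMP and ICMPv6 echo headers are both 8 bytes
TCP_HDR = 20         # TCP header without options
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6 bytes PPPoE + 2 bytes PPP, hence the usual 1492


def wire_size(payload: int, v6: bool) -> int:
    """IP packet size produced by 'ping -l/-s <payload>' for one address family."""
    return payload + ICMP_HDR + (IPV6_HDR if v6 else IPV4_HDR)


def max_ping_payload(mtu: int, v6: bool) -> int:
    """Largest ping payload that still fits an MTU unfragmented."""
    return mtu - ICMP_HDR - (IPV6_HDR if v6 else IPV4_HDR)


def mss_for_mtu(mtu: int, v6: bool) -> int:
    """TCP MSS that fits an MTU: MTU minus IP and TCP headers."""
    return mtu - TCP_HDR - (IPV6_HDR if v6 else IPV4_HDR)


def find_path_mtu(probe: Callable[[int], bool], lo: int, hi: int, v6: bool) -> int:
    """Binary-search the largest don't-fragment payload that gets a reply and
    return the path MTU it implies. probe(payload) returns True on an echo
    reply; lo must succeed, hi is an upper bound that is allowed to fail."""
    if not probe(lo):
        raise ValueError(f"payload {lo} already fails; lower the starting point")
    if probe(hi):
        return wire_size(hi, v6)           # nothing up to hi is dropped
    good, bad = lo, hi                     # invariant: good passes, bad fails
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return wire_size(good, v6)


def probe_with_ping(host: str, v6: bool) -> Callable[[int], bool]:
    """Real probe: one don't-fragment ping per size via iputils ping (assumed Linux tool)."""
    family = "-6" if v6 else "-4"

    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", family, "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def simulated_link(path_mtu: int, v6: bool) -> Callable[[int], bool]:
    """Offline stand-in for a path: a packet larger than path_mtu gets no reply."""
    return lambda payload: wire_size(payload, v6) <= path_mtu


def review_clamp(link_mtu: int, configured_mss: int, path_mtu6: int) -> dict:
    """Compare a configured MSS clamp and link MTU with what the path actually supports."""
    return {
        "mss_v4_for_link": mss_for_mtu(link_mtu, False),
        "mss_v6_for_link": mss_for_mtu(link_mtu, True),
        "configured_mss_is_v4_value": configured_mss == mss_for_mtu(link_mtu, False),
        "path_mtu6_matches_link": path_mtu6 == link_mtu,
        "mss_v6_for_path": mss_for_mtu(path_mtu6, True),
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the post: IPv6 pings answer at a 1443-byte
    # payload and fail at 1444, so the path behaves as if its MTU were 1491.
    link = simulated_link(path_mtu=1491, v6=True)
    observed = find_path_mtu(link, lo=1200, hi=1500, v6=True)
    print("observed IPv6 path MTU:", observed)
    print(review_clamp(link_mtu=ETHERNET_MTU - PPPOE_OVERHEAD,
                       configured_mss=1452, path_mtu6=observed))
```

To run it against a real uplink from a Linux host, replace simulated_link with probe_with_ping("<host>", v6=True); each probe is one ping, so the search takes about nine probes for a 1200..1500 range. Rerunning it for IPv4 as well gives the two path MTUs side by side, which is the quickest way to see whether the shortfall is specific to one address family.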