Sure! Hope you will find the issue.ah, sorry, it seems I attached configuration when I really disabled IPv6 address advertisement. IPv6 advertisement was on on the vlan-local interface where IPv6 address itself is now disabled to avoid full internet outage at the clients.
I have tried to add IPv6 DNS servers and enable MAC and DNS advertisements in ND, but I will double test it. Thanks for the hint! Lets see!
$ ping6 google.com
PING google.com(bud02s27-in-x0e.1e100.net (2a00:1450:400d:804::200e)) 56 data bytes
64 bytes from bud02s27-in-x0e.1e100.net (2a00:1450:400d:804::200e): icmp_seq=1 ttl=57 time=14.7 ms
64 bytes from bud02s27-in-x0e.1e100.net (2a00:1450:400d:804::200e): icmp_seq=2 ttl=57 time=20.3 ms
64 bytes from bud02s27-in-x0e.1e100.net (2a00:1450:400d:804::200e): icmp_seq=3 ttl=57 time=16.8 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 14.786/17.346/20.376/2.306 ms
$ curl -6 ipv6-test.com -vL
* Rebuilt URL to: ipv6-test.com/
* Trying 2001:41d0:701:1100::29c8...
* TCP_NODELAY set
* Connected to ipv6-test.com (2001:41d0:701:1100::29c8) port 80 (#0)
> GET / HTTP/1.1
> Host: ipv6-test.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 14 Dec 2019 07:11:20 GMT
< Server: Apache/2.4.25 (Debian)
< Location: https://ipv6-test.com/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host ipv6-test.com left intact
* Issue another request to this URL: 'https://ipv6-test.com/'
* Connection 0 seems to be dead!
* Closing connection 0
* Trying 2001:41d0:701:1100::29c8...
* TCP_NODELAY set
* Connected to ipv6-test.com (2001:41d0:701:1100::29c8) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
^C
$ time curl -6 -v -L google.com
* Rebuilt URL to: google.com/
* Trying 2a00:1450:400d:808::200e...
* TCP_NODELAY set
* Connected to google.com (2a00:1450:400d:808::200e) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
>
^C
real 0m29.183s
user 0m0.005s
sys 0m0.009s
Yes, this is what you want to see.I started a packet sniffer on the tunnel interface.
I can see a TCP SYN MSS=1220 packet then a TCP SYN ACK mss=1220 (between my PC and google.com)
This seems to be good if 1280 is the MTU on the tunnel. Right?
That is not good! The other end apparently does not respect the MSS, or the datapackets are dropped for some other reason.What is interesting for me is the TCP Retransmission part.
We don't have any firewall rules on our side configured for any tunnel, except SMTP and IRC filters as exist by default.
-- -H U R R I C A N E - E L E C T R I C-
gabor@home:~$ time curl -vL6 index.hu
* Rebuilt URL to: index.hu/
* Trying 2a02:730::1860...
* TCP_NODELAY set
* Connected to index.hu (2a02:730::1860) port 80 (#0)
> GET / HTTP/1.1
> Host: index.hu
> User-Agent: curl/7.58.0
> Accept: */*
>
^C
real 0m40.441s
user 0m0.007s
sys 0m0.007s
130 gabor@home:~$ time curl -vL6 origo.hu
* Rebuilt URL to: origo.hu/
* Trying 2001:4c48:16:6::2:1c...
* TCP_NODELAY set
* Connected to origo.hu (2001:4c48:16:6::2:1c) port 80 (#0)
> GET / HTTP/1.1
> Host: origo.hu
> User-Agent: curl/7.58.0
> Accept: */*
>
^C
gabor@home:~$ time curl -vL6 forum.mikrotik.com
* Rebuilt URL to: forum.mikrotik.com/
* Trying 2a02:610:7501:1000::205...
* TCP_NODELAY set
* Connected to forum.mikrotik.com (2a02:610:7501:1000::205) port 80 (#0)
> GET / HTTP/1.1
> Host: forum.mikrotik.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Mon, 16 Dec 2019 10:59:57 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Keep-Alive: timeout=5
< Location: https://forum.mikrotik.com/
< Strict-Transport-Security: max-age=31536000
<
* Ignoring the response-body
* Connection #0 to host forum.mikrotik.com left intact
* Issue another request to this URL: 'https://forum.mikrotik.com/'
* Connection 0 seems to be dead!
* Closing connection 0
* Trying 2a02:610:7501:1000::205...
* TCP_NODELAY set
* Connected to forum.mikrotik.com (2a02:610:7501:1000::205) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
^C
real 0m25.049s
user 0m0.028s
sys 0m0.000s
130 gabor@home:~$ ping ipv6.google.com
PING ipv6.google.com(bud02s26-in-x0e.1e100.net (2a00:1450:400d:809::200e)) 56 data bytes
64 bytes from bud02s26-in-x0e.1e100.net (2a00:1450:400d:809::200e): icmp_seq=1 ttl=57 time=15.7 ms
64 bytes from bud02s26-in-x0e.1e100.net (2a00:1450:400d:809::200e): icmp_seq=2 ttl=57 time=15.3 ms
^C
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 15.332/15.530/15.729/0.234 ms
gabor@home:~$ ping forum.mikrotik.com
PING forum.mikrotik.com(forum.mikrotik.com (2a02:610:7501:1000::205)) 56 data bytes
^C
--- forum.mikrotik.com ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6130ms
$ cat /sys/class/net/ens3/mtu
1500
ping [my-remote-ubuntu]
PING [my-remote-ubuntu] 56(84) bytes of data.
64 bytes from [my-remote-ubuntu]: icmp_seq=1 ttl=55 time=40.1 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=2 ttl=55 time=14.1 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=3 ttl=55 time=52.1 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=4 ttl=55 time=16.6 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=5 ttl=55 time=13.0 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=6 ttl=55 time=13.1 ms
64 bytes from [my-remote-ubuntu]: icmp_seq=7 ttl=55 time=13.2 ms
^C
--- [my-remote-ubuntu] ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6007ms
rtt min/avg/max/mdev = 13.007/23.221/52.171/14.918 ms
That (the 1460 in the SYN) must be a bug in your client!There an 1460 MSS in the SYN and 1440 in the SYN ACK.
In order to try it to others with ipv6 connectivity, you can print here its dns A record.LAN interface MTU is 1500, true. In IPv6, ND MTU is set to 1280 for all interfaces.
I'm trying to connect servers within Hungary such as the biggest news portal (6ms ping on IPv4, 0% packet loss).
Thanks for your effort!