Messages - patrickceg

#1
Quote from: chaispaquichui on February 02, 2019, 09:19:39 AM
This is your problem :(

https://github.com/opnsense/core/issues/3173

For now I'll place my follow-ups on the GitHub, where I have the same userid, because I assume some change has to be made either in code or a default config. If my case isn't isolated, I can't imagine the OPNsense install guide saying you have to do a dance with MTU settings before IPv6 or other stuff that relies on frame sizes like UDP streams from some cameras, VPN, etc. work properly :)
#2
Just as a note, about an hour since the previous post, my LAN side started acting up. I forced the MTU on that side as well (2000 because that's what the switch supports)
#3
Hello all,

This is just a note about my upgrade to OPNsense 19.1, that needed manual intervention.

The upgrade appeared to work with everything back up, but I had spotty Internet access (slow, DNS didn't resolve most of the time, etc), which I traced back to the MTU on my WAN interface being forced to 576. With that small MTU, IPv4 worked, but IPv6 did not work. I had to manually set the WAN interface MTU to 1280 (the minimum required for IPv6 to work) to get full connectivity again.

I'm only guessing from my network security training, but if this happened to your LAN instead of WAN it's possible your switches attached to your router would go crazy, or stuff won't appear to connect at all because there aren't that many "LAN" devices that would expect an MTU of 576. You should still however get "packet too big" warning packets from a packet capture including Wireshark.

I didn't have issues on my LAN side, which is an Intel 82579LM on my machine.




Debugging

Wireshark + IPv6 test web site clued me in to that: I kept getting ICMPv6 "Packet Too Big" in my Wireshark, where the MTU number in the packet was 576.

I have an oddball network card (an ExpressCard adapter Intellinet 524056):

re0@pci0:4:0:0: class=0x020000 card=0x816810ec chip=0x816810ec rev=0x02 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet





Here's a step-by-step in case someone else upgraded and is in the same mess as I was in (and probably reading from an unpleasant situation like a mobile device).

1. Launch a web browser to the web console of the firewall. Force IPv4 because as mentioned, 576 MTU is too small for IPv6. For me, I forced IPv4 by using my 192.168.1.1 address of the firewall rather than the DNS entry I normally use.
2. Log in to the web console of the firewall.
3. On the side bar (or menu from the box with 3 lines if you're unlucky enough to be on a mobile), select Interfaces -> [the interface that is a Realtek 8168]. For me it was [WAN], but of course you could have it on the [LAN] or even [OPTn] if you enabled that.
4. Find the MTU field, which is currently blank, and set it to 1280, 1496, 1500, or whatever you may know your MTU to be. If your Realtek NIC is directly connected to a modem, 1280 will get your IPv6 to work. If the interface is the LAN or connected to another router, you're probably going to want MTU of 1496 or 1500, which are common for Ethernet cards. (If the MTU field is not blank and you know the number already there is correct, my post isn't for your issue and you should stop and try to debug further.)
5. Scroll all the way to the bottom, and click "Save".
6. Scroll all the way to the top, and click "Apply Changes".
7. Wait about a minute. It's possible (like what happened to me) that changing the MTU also disconnected everything, so if everything doesn't come back, you can wait another minute and reboot your firewall.
8. Retry the steps 1-3, and see that the MTU was set properly.




To summarize, after upgrading, the default MTU on my Realtek LAN card was set to 576, which meant that IPv4 worked and IPv6 didn't work, so I raised it to 1280.
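
Added example, not part of the original posts: a shell check that reads FreeBSD-style `ifconfig` output and lists every interface whose MTU is below the 1280-byte IPv6 minimum mentioned above. The function names, the `ifconfig` line layout it expects, and the sample interface data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag interfaces whose MTU is below the IPv6 minimum (1280 bytes).
# Reads FreeBSD-style `ifconfig` output on stdin, e.g.:
#   ifconfig | low_mtu_ifaces

IPV6_MIN_MTU=1280

low_mtu_ifaces() {
    awk -v min="$IPV6_MIN_MTU" '
        # Interface header, e.g. "re0: flags=8843<UP,...> metric 0 mtu 576"
        /^[A-Za-z0-9_.]+: / {
            report()                      # emit the previous interface, if any
            name = $1; sub(/:$/, "", name)
            mtu = ""; has6 = 0
            for (i = 2; i < NF; i++) if ($i == "mtu") mtu = $(i + 1)
            next
        }
        # Indented address line carrying an IPv6 address
        /^[ \t]+inet6 / { has6 = 1 }
        END { report() }
        function report() {
            if (name != "" && mtu != "" && mtu + 0 < min + 0)
                printf "%s mtu=%s ipv6=%s\n", name, mtu, (has6 ? "yes" : "no")
        }
    '
}

# Constructed sample output (not captured from a real system):
# re0 is stuck at 576 as in the post, em0 has the usual Ethernet MTU.
sample_ifconfig() {
cat <<'EOF'
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 576
	ether 00:00:5e:00:53:01
	inet6 fe80::1%re0 prefixlen 64 scopeid 0x1
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
EOF
}

# Run against the sample; on a live firewall use: ifconfig | low_mtu_ifaces
sample_ifconfig | low_mtu_ifaces
```

An interface reported with `ipv6=yes` is the case from the post: IPv6 is configured, but the link MTU is too small for it to work.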