IPv6 Only PPPoE with AFTR/GIF Tunnel for IPv4 Connectivity (Deutsche Giganetz)

Started by jobraun2, April 01, 2025, 04:21:39 PM

Hey, so I just got my new Fiber Connection from Deutsche Giganetz - provider is mentioned a few times for older releases of OPNsense on the forum.

I've some really strange issues that I would like to share, but first my Config:

The provider requires PPPoE on VLAN 7 on IPv6 and a GIF Tunnel (AFTR / RFC6333 https://www.lacnic.net/innovaportal/file/5522/1/ds-lite-en.pdf)

VLAN Config / PPPoE Config:


WAN Config:


So far so good - working IPv6 Connectivity, with Track Interface also from LAN.



Now the tricky part configuring Legacy IP:


Created a GIF Device, assigned it to a new Interface - tunnel comes up and I've IPv4 Connectivity. (Same AFTR that FritzBox automatically configures, with Tunnel IPs from RFC)

From a device in LAN I'm able to do ping and traceroute:

C:\Users\user>ping 1.1

Ping wird ausgeführt für 1.0.0.1 mit 32 Bytes Daten:
Antwort von 1.0.0.1: Bytes=32 Zeit=3ms TTL=57
Antwort von 1.0.0.1: Bytes=32 Zeit=4ms TTL=57
Antwort von 1.0.0.1: Bytes=32 Zeit=4ms TTL=57
Antwort von 1.0.0.1: Bytes=32 Zeit=4ms TTL=57

Ping-Statistik für 1.0.0.1:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 3ms, Maximum = 4ms, Mittelwert = 3ms

C:\Users\user>tracert 1.1

Routenverfolgung zu one.one.one.one [1.0.0.1]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  OPNsense.localdomain [192.168.1.1]
  2     2 ms     2 ms     2 ms  100.83.142.141
  3     7 ms     3 ms     3 ms  100.83.140.62
  4     3 ms     3 ms     2 ms  100.83.140.234
  5     3 ms     2 ms     2 ms  100.83.140.33
  6     6 ms     4 ms     *     de-cix-frankfurt.as13335.net [80.81.193.129]
  7    39 ms     8 ms    18 ms  162.158.84.137
  8     4 ms     3 ms     3 ms  one.one.one.one [1.0.0.1]

From my understanding everything should be fine at this point - however it isn't.

Webpages that only support IPv4 are still broken in a really strange way - most webpages do not work, but there are also some exceptions:

For example, GitHub over HTTP works (returns redirect to HTTPS), GitHub over HTTPS does run into a timeout, a server that I started at netcup for testing works via IPv4.

On the firewall itself I can do a curl to https://github.com perfectly fine without any issues.

I don't see anything blocked in the livelog and there are only any rules, as I installed a new firewall for testing this.


This issue is so strange that I'm out of ideas - with the FritzBox provided by GigaNetz everything is fine ...

I tried configuring an Outbound NAT for the Interface attached to the GIF Device, however that didn't help.

Would appreciate any ideas :)

I'm leaning towards MTU issue but someone more versed in this can surely help here.

Just nice to see IPv6-only PPPoE is up and running after working on it for 25.1.  ;)


Cheers,
Franco

Something I also played around with - did some more trial and error, adding 1452 MSS to the gif Interface and everything starts to work:

Seems to work - in case somebody has a better suggestion - I volunteer to test ;)




This seems like the right thing to do. The IPv6 header was not accounted for so packets were too big!


Cheers,
Franco

Quote from: franco on April 02, 2025, 05:10:25 PM
This seems like the right thing to do. The IPv6 header was not accounted for so packets were too big!


Cheers,
Franco

Hey Franco,

we have Deutsche GigaNetz too and the same Problems as you describe.
I also found the solution to edit the GiF Settings MTU = 1492 and MSS = 1452 through Trial-and-Error.

Did you understand why we have to change the MTU and MSS to these specific values? Everything I read on the GiF topic says totally other values.

For me, it seems like the MTU is equal to the MTU of the WAN Interface and the MSS is the "real" MTU through the 4in6 tunnel.

Cheers,
Rappelkiste98
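
The header arithmetic behind the values discussed in this thread, as an added example that is not part of any post above. It assumes a 1500-byte Ethernet link under the PPPoE session and that the firewall's MSS field clamps TCP to the entered value minus 40 bytes of IPv4/TCP header (an assumption; check the field's help text). Function names and the sample response sizes are constructed for illustration.

```python
# Added illustration. Header sizes are protocol constants; the stacking
# (Ethernet -> PPPoE -> IPv6 -> 4in6/gif -> IPv4 -> TCP) follows this thread.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol ID
IPV6_HEADER = 40     # outer header added by the 4in6 (gif) tunnel
IPV4_HEADER = 20     # inner header, no options
TCP_HEADER = 20      # no options


def tunnel_budget(link_mtu=ETHERNET_MTU):
    """Byte budget left at each layer of PPPoE + 4in6."""
    wan_mtu = link_mtu - PPPOE_OVERHEAD        # IPv6 MTU on the PPPoE WAN
    inner_mtu = wan_mtu - IPV6_HEADER          # largest IPv4 packet in the tunnel
    max_mss = inner_mtu - IPV4_HEADER - TCP_HEADER
    return {"wan_mtu": wan_mtu, "inner_ipv4_mtu": inner_mtu, "max_tcp_mss": max_mss}


def effective_mss(gui_mss_field):
    """ASSUMPTION: the firewall clamps TCP MSS to (field value - 40)."""
    return gui_mss_field - IPV4_HEADER - TCP_HEADER


def segment_fits(tcp_payload, link_mtu=ETHERNET_MTU):
    """True if one TCP segment crosses the tunnel without fragmentation."""
    outer_packet = tcp_payload + TCP_HEADER + IPV4_HEADER + IPV6_HEADER
    return outer_packet <= link_mtu - PPPOE_OVERHEAD


def classify(flows, negotiated_mss):
    """flows maps a name to the bytes a server sends in one burst.

    Simplified model: a full-size segment that does not fit is treated as
    lost (DF set and no usable "packet too big" signal), so the flow stalls.
    """
    verdicts = {}
    for name, burst_bytes in flows.items():
        largest_segment = min(burst_bytes, negotiated_mss)
        verdicts[name] = "ok" if segment_fits(largest_segment) else "stalls"
    return verdicts


# Constructed sample sizes: a short redirect vs. a TLS certificate flight.
SAMPLE_FLOWS = {"http_redirect": 300, "tls_certificate_flight": 4000}

if __name__ == "__main__":
    print(tunnel_budget())
    print("field 1452 ->", effective_mss(1452))
    print("unclamped (MSS 1460):", classify(SAMPLE_FLOWS, 1460))
    print("clamped   (MSS 1412):", classify(SAMPLE_FLOWS, effective_mss(1452)))
```

In this model a LAN client's default MSS of 1460 lets short replies through while full-size segments exceed the 1492-byte WAN MTU once the 40-byte IPv6 header is added, which matches the HTTP-works, HTTPS-times-out symptom reported above.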