<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">I've been slowly trying to get this fixed for a few years now... I had my system set up to use Squid + TPROXY using IPv6, and it was working great.</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">However, a couple of years ago, it simply stopped working, and I’ve been trying to figure out why ever since.</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">When I try to use IPv6+TPROXY+Squid, most sites simply “hang” and never load. (TPROXY+IPv4 works fine)</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">I'm running Debian Sid, Shorewall6 5.0.15.6, and Squid 3.5.23. My ISP provides native IPv6 (Comcast).</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"><br></span></p><p style="margin: 0px; font-stretch: normal; line-height: normal;"><span style="background-color: rgba(255, 255, 255, 0);">I have Squid configured to accept TPROXY on port 3129, and configured clients on port 3128.</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">The best description (and command to reproduce the error) comes from <a href="http://test-IPv6.com">test-IPv6.com</a> (They suggest a curl command at <a href="http://test-ipv6.com/faq_pmtud.html">http://test-ipv6.com/faq_pmtud.html</a>)</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">Non-TPROXY connections work fine: Disabling TPROXY, or manually configuring the host to use a proxy @ proxy-hostname:3128 are both fine.</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">When I use TPROXY, there are issues with path MTU detection from the internet to my clients.</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">When I try the test URL to <a href="http://test-ipv6.com">test-ipv6.com</a> from a client inside the network, and check the packet dump using the following:</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">$ sudo tcpdump '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)' </span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">I see messages along the lines of:</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">&lt;timestamp&gt; IP6 {remote addr} &gt; {my IPv6 addr}: ICMP6, packet too big, MTU 1280, length 1240</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"><br></span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">Otherwise, the connection is silent - the curl command doesn’t succeed. (It has no problems succeeding if I set http_proxy, or disable TPROXY).</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><br><span style="font-size: 12pt;"></span></p><p style="margin: 0px; font-stretch: normal; line-height: normal;"><span style="background-color: rgba(255, 255, 255, 0);">Is it an issue with my firewall, is there an issue in Linux TPROXY support, is it Squid? I’m not sure.</span></p><div><span style="font-size: 12pt;"><br></span></div>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">“shorewall6 show | grep -i icmp” shows the expected allow for ICMP (I’m showing only the type2 “packet too big” — but there are the rest suggested in RFC4890)</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"> 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 13.8px;"><span style="font-size: 12pt;"></span><br></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">I’m fairly sure that the firewall is configured to pass the ICMPv6 messages from any interface to any interface - Clients inside the network are definitely seeing “packet too big” messages.</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"><br></span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">So is there something in Squid which could be causing my path MTU issues? Is there anything I can do to eliminate Squid as a source of error?</span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"><br></span></p><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;">Thanks.</span></p></body></html>