Re: IPv6 TCP from vnet jail
- In reply to: John Shannon : "IPv6 TCP from vnet jail"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 01 Jun 2026 18:57:24 UTC
> On 1. Jun 2026, at 20:41, John Shannon <john@johnrshannon.com> wrote: > >> root@poly:~ # uname -a >> FreeBSD poly.johnrshannon.com 15.0-RELEASE-p9 FreeBSD 15.0-RELEASE-p9 releng/15.0-n281048-6d536196f1bd GENERIC amd64 > > I have a vnet jail for postfix. Postfix forwards smtp over a Wireguard interface to another postfix server. The relaying works when IPv4 is used; it does not work with IPv6. > > IPv6 networking for the jail is: > >> epair6b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 >> options=60000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6,TXCSUM_IPV6> >> ether 58:9c:fc:10:fc:32 >> inet 10.1.6.32 netmask 0xffffff00 broadcast 10.1.6.255 >> inet6 fe80::5a9c:fcff:fe10:fc32%epair6b prefixlen 64 scopeid 0x1b >> inet6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 prefixlen 64 >> groups: epair >> media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>) >> status: active >> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> > > Outside the jail: > >> privatebridge: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 >> options=10<VLAN_HWTAGGING> >> ether 58:9c:fc:10:72:30 >> inet 10.1.6.1 netmask 0xffffff00 broadcast 10.1.6.255 >> inet6 fd4f:7b8c:5ffd:6006::1 prefixlen 64 >> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 >> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 >> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 >> bridge flags=0<> >> member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> >> port 26 priority 128 path cost 2000 vlan protocol 802.1q > ... > >> wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1380 >> options=80000<LINKSTATE> >> inet 10.1.5.1 netmask 0xffffff00 >> inet6 fd4f:7b8c:5ffd:6005::1 prefixlen 64 >> groups: wg >> nd6 options=101<PERFORMNUD,NO_DAD> > >> root@poly:/var/log # netstat -rn6 >> Routing tables >> >> Internet6: >> Destination Gateway Flags Netif Expire >> ::/96 link#2 URS lo0 >> default fe80::1%vtnet0 UGS vtnet0 >> ::1 link#2 UHS lo0 >> ::ffff:0.0.0.0/96 link#2 URS lo0 >> 2a01:4ff:1f0:6b41::/64 link#1 U vtnet0 >> 2a01:4ff:1f0:6b41:9000:7ff:fe0f:c2ca link#2 UHS lo0 >> fd4f:7b8c:5ffd:1000::/64 link#5 US wg0 >> fd4f:7b8c:5ffd:1001::/64 link#5 US wg0 >> fd4f:7b8c:5ffd:1002::/64 link#5 US wg0 >> fd4f:7b8c:5ffd:1003::/64 link#5 US wg0 >> fd4f:7b8c:5ffd:1004::/64 link#5 US wg0 >> fd4f:7b8c:5ffd:3000::/52 link#5 US wg0 >> fd4f:7b8c:5ffd:6005::/64 link#5 U wg0 >> fd4f:7b8c:5ffd:6005::1 link#2 UHS lo0 >> fd4f:7b8c:5ffd:6006::/64 link#3 U privatebridg >> fd4f:7b8c:5ffd:6006::1 link#2 UHS lo0 >> fe80::%lo0/10 link#2 URS lo0 >> fe80::%vtnet0/64 link#1 U vtnet0 >> fe80::9000:7ff:fe0f:c2ca%lo0 link#2 UHS lo0 >> fe80::%lo0/64 link#2 U lo0 >> fe80::1%lo0 link#2 UHS lo0 >> ff02::/16 link#2 URS lo0 > > My intention is to route these packets from the bridge over wg0 (Wireguard) to the destination. It works with ping6, but does not work with smtp. > > With smtp and using tcpdump in the jail I see: > >> root@mail:/usr/local/etc/postfix # tcpdump -ni epair6b icmp6 >> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode >> 10:42:54.998257 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:54.998272 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.000250 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.000256 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.002174 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.002178 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.004111 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.004141 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.006112 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.006118 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.008033 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.008038 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.052658 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.091324 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.135036 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.211233 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.254940 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.302406 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.302416 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.347152 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.498540 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.542285 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.675712 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 >> 10:42:55.675749 IP6 fd4f:7b8c:5ffd:6006::1 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu 1380, length 1240 Hi John, could you provide a .pcap file which contains in addition to the ICMP6 PTB message also the TCP packets which trigger the sending of them? Please note that all members of a bridge should have the same MTU. So setting the MTU of the epair interfaces to 1380 should fix your issue. Best regards Michael > ... > > The command > >> root@poly:~ # tcpdump -ni wg0 icmp6 > > displays no output. This isn't surprising as its the IP for privatebridge that's returning the icmp6 "too big" message. > > The result is different using ping6: > >> root@mail:/usr/local/etc/postfix # ping6 -c 6 -D -s 1240 maila >> PING(1288=40+8+1240 bytes) fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 --> fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=0 hlim=62 time=34.601 ms >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=1 hlim=62 time=35.499 ms >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=2 hlim=62 time=31.764 ms >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=3 hlim=62 time=32.029 ms >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=4 hlim=62 time=33.071 ms >> 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=5 hlim=62 time=32.730 ms > > from the jail, I see this on wg0: > > root@poly:~ # tcpdump -ni wg0 icmp6 > tcpdump: verbose output suppressed, use -v[v]... for full protocol decode > listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes > 11:00:10.614336 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 0, length 1248 > 11:00:10.646884 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 0, length 1248 > 11:00:11.631213 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 1, length 1248 > 11:00:11.663043 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 1, length 1248 > 11:00:12.646270 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 2, length 1248 > 11:00:12.677520 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 2, length 1248 > 11:00:13.659678 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 3, length 1248 > 11:00:13.693673 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 3, length 1248 > 11:00:14.679861 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 4, length 1248 > 11:00:14.713685 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 4, length 1248 > 11:00:15.701635 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 5, length 1248 > 11:00:15.733886 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 5, length 1248 > > Any suggestions on debugging this? > > -- > John R. Shannon > john@johnrshannon.com > > <OpenPGP_0x1D69BD6DF0FE7B7E.asc>