Hi there,
I want to use Jool as SNAT64 with IPv6 tunnel clients (e.g., WireGuard), and I ran into an issue where packets are not fragmented correctly:
- IPv6 client connects via a tunnel interface to the SNAT64 Gateway (MTU 1420)
- Jool translates incoming IPv4 packets to IPv6 (expected max MTU 1280 due to lowest-ipv6-mtu configuration)
Expected behavior:
- Packets should be crafted/fragmented so that they fit into the tunnel device MTU size, or ICMP replies have to be generated to the relying party.
Tested with the following steps:
- ICMP echo with default packet size works well
- HTTP or small DNS requests/responses work < 1420 MTU
- HTTPS breaks
- ICMP echo via packet size of 1500 for testing
Via tcpdump/Wireshark, I discovered the following on the last test via ICMP echo:
- Echo request from client to Gateway was fragmented correctly (size 1508) => 1368 + 140
- Echo request got translated to IPv4 by the Gateway with packet size of 1508; 2 IPv4 fragments were sent (1480 + 28)
- Echo reply was received by the Gateway with packet size of 1508, 2 IPv4 fragments (760, 748)
- Echo reply was generated from Gateway with payload size of 1508 and packet size of 1568
- Interface response with ICMP6 packet too big (of course)
Question:
- Am I missing something? I read the documentation at https://nicmx.github.io/Jool/en/mtu.html, but I expect this setting should solve the discovered issue.
Diagram:
```
IPv6 Client (WireGuard)
       |
       | IPv6 packets (MTU 1420)
       v
+-------------+
|    Jool     | <-- NAT64 (lowest-ipv6-mtu: 1280)
+-------------+
       |
       | IPv4 packets (MTU: 1500)
       v
Public Internet Server
```

OS: Debian 13.3
Package: 4.1.13-1.1 (jool-dkms, jool-tools)
Jool Version: 4.1.13.0
Debian Kernel: 6.12.63+deb13-cloud-amd64