Hi!
I have run into some bugs after configuring a static IPv6 address and gateway on LXC containers in Proxmox.
Some details about my network and the Proxmox node:
My WAN connection uses 1492 MTU (PPPoE). I use an IPv6 tunnel to get IPv6 connectivity. The MTU on this tunnel is 1472.
I am using Proxmox 7.4-1.
The MTU on the Proxmox host is 1500, and the MTU in the LXC container is 1500.
My issue is that a lot of connections from LXC containers to the public internet over IPv6 are getting stuck at Client Hello.
The IPv6 config in the LXC container when I am using SLAAC looks like this:
Code:
--- IPv6 details from affected container
root@lldap:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if87: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 92:6c:f5:91:f4:bd brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.50.18/24 brd 10.0.50.255 scope global dynamic eth0
       valid_lft 85006sec preferred_lft 85006sec
    inet6 2a0a:6040:4004:50::124/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::906c:f5ff:fe91:f4bd/64 scope link
       valid_lft forever preferred_lft forever
root@lldap:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a0a:6040:4004:50::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2a0a:6040:4004:50::1 dev eth0 metric 1024 onlink pref medium
Notice that the interface MTU is set to 1500 and there is no MTU specified in the default route.
In this setup, connections to t.me or telegram.org are stuck at Client Hello. These sites are accessible from other LXC containers (that are using SLAAC) and other machines on my network without any errors.
On the affected container I see:
Code:
root@lldap:~# curl https://t.me -v
* Trying 2001:67c:4e8:f004::9:443...
* Connected to t.me (2001:67c:4e8:f004::9) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
The IPv6 config in a container configured with SLAAC looks like this:
Code:
--- IPv6 details from a working container(which has address from SLAAC)
root@grafana:~# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if151: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:0e:01:16:f9:4c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.50.12/24 brd 10.0.50.255 scope global dynamic eth0
       valid_lft 86335sec preferred_lft 86335sec
    inet6 2a0a:6040:4004:50:80e:1ff:fe16:f94c/64 scope global dynamic mngtmpaddr
       valid_lft 89937sec preferred_lft 86337sec
    inet6 fe80::80e:1ff:fe16:f94c/64 scope link
       valid_lft forever preferred_lft forever
root@grafana:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a0a:6040:4004:50::/64 dev eth0 proto kernel metric 256 expires 89997sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::c6ad:34ff:fe9a:9575 dev eth0 proto ra metric 1024 expires 1797sec mtu 1472 pref medium
Notice that there is MTU 1472 specified in the route. This MTU is included in RAs from my router.
Is there some way to specify the MTU when using static IPv6 configuration? I do not want to change the interface MTU because IPv4 can still use the full 1500 MTU, and I would really appreciate a simpler solution that lets me use static IPv6 addresses and doesn't require me to log in to every affected instance and make changes there.
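Added example, not part of the original post: a shell check that reads `ip -6 route` output, finds the MTU the default route will actually use, and compares it and the resulting TCP MSS with the tunnel MTU. The function names are hypothetical; the route lines are copied from the two containers above, and 1472 is the tunnel MTU stated in the post.

```shell
#!/bin/sh
# Default-route lines copied from the two containers in the post.
STATIC_ROUTES='2a0a:6040:4004:50::/64 dev eth0 proto kernel metric 256 pref medium
default via 2a0a:6040:4004:50::1 dev eth0 metric 1024 onlink pref medium'
SLAAC_ROUTES='2a0a:6040:4004:50::/64 dev eth0 proto kernel metric 256 expires 89997sec pref medium
default via fe80::c6ad:34ff:fe9a:9575 dev eth0 proto ra metric 1024 expires 1797sec mtu 1472 pref medium'

# effective_mtu ROUTES IFACE_MTU
# Prints the MTU used for the default route: the route's own "mtu N"
# (or "mtu lock N") attribute if present, otherwise the interface MTU.
effective_mtu() {
    printf '%s\n' "$1" | awk -v ifmtu="$2" '
        $1 == "default" {
            mtu = ifmtu
            for (i = 2; i < NF; i++)
                if ($i == "mtu")
                    mtu = ($(i + 1) == "lock") ? $(i + 2) : $(i + 1)
            print mtu; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# tcp_mss MTU: largest TCP payload per packet over IPv6
# (40-byte IPv6 header + 20-byte TCP header without options).
tcp_mss() {
    echo $(( $1 - 40 - 20 ))
}

# audit ROUTES IFACE_MTU PATH_MTU
# Flags a default route whose effective MTU exceeds the known path MTU.
# In that state the container advertises an MSS the tunnel cannot carry,
# so large handshake replies only arrive if ICMPv6 Packet Too Big works.
audit() {
    mtu=$(effective_mtu "$1" "$2") || { echo "NO-DEFAULT-ROUTE"; return 0; }
    if [ "$mtu" -gt "$3" ]; then
        echo "MISMATCH mtu=$mtu mss=$(tcp_mss "$mtu") path=$3"
    else
        echo "OK mtu=$mtu mss=$(tcp_mss "$mtu") path=$3"
    fi
}

audit "$STATIC_ROUTES" 1500 1472   # static container (lldap)
audit "$SLAAC_ROUTES" 1500 1472    # SLAAC container (grafana)
```

On a live container, pass `"$(ip -6 route)"` and the interface MTU instead of the embedded samples. iproute2 accepts the same attribute on a static route, in the form `ip -6 route replace default via <gateway> dev eth0 mtu 1472`.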