Hi @AndrewN,

Glad that lowering MTU helped.  For OWA in particular, path MTU discovery should get this right by routers on the way sending ICMPv6 back to the originating system (your windows machine) via your Unifi to automatically use a smaller MTU to that site.  Unfortunately the IP4 'block all ICMP inbound' mindset completely breaks IP6 pMTU discovery in a way that's much more obvious than the consequences in IP4-only setups.

So whilst using a lower MTU will help you for sites that need it, if you do find any that need a lower MTU than you have set, and it is your UNIFI firewall doing the filtering of ICMPv6 packets, then you'll still see problems intermittently.

You having set a lower MTU and had the problem go away does indicate this is an MTU discovery issue.  The next step would be to try to fix the ICMP message problem so that pMTU works as intended (and you can go back to using a larger MTU plus discovery).

I don't have Unifi myself, but I did find a page that appears to be on point about this:

https://community.ui.com/questions/Allow-ICMPv6-in-new-UI/fd6c7956-e8a6-4935-b48e-330004e415e7#answe... 

The underlying reference if you don't want to just 'allow all icmpv6 in and out' would be:

https://datatracker.ietf.org/doc/html/rfc4890 

Cheers,

Mark

And there's a link for testing your pmtu settings that cloudflare host:

http://icmpcheckv6.popcount.org/

which is referenced from the final thoughts part of:

https://blog.cloudflare.com/increasing-ipv6-mtu/ 

@MPC thanks for all your help. I've played around with firewall rules on the Unifi gateway, allowing ICMPv6 (through various rules), and set the MTU back to "auto" (the setting is actually called MSS clamping).

This has improved test results on https://ip6.biz/ - ICMP now shows as Reachable rather than Filtered.

All greens on the tests at http://icmpcheckv6.popcount.org/

I'll give it a few days and see how general browsing is, as it was sometimes sporadic before.

@AndrewN You're welcome and that looks like good progress and thanks for the link to the https://ip6.biz/ tester.  And really valuable specific data for anyone else using Unifi about what's needed for ICMPv6.

I will note that sometimes pMTU is broken elsewhere than your local router/firewall, so you'd expect to still see issues occasionally if the breakage is elsewhere on the path with automatic mtu discovery.

I looked at the rules you're using and it looks like you have the right stuff in there to me.  For anyone else reading this - it is section 4.3 in the RFC I linked to earlier that gives the IETF's recommendations.

https://datatracker.ietf.org/doc/html/rfc4890#section-4.3

Just wondering how the trial is going for everyone, an update from my end I did initially have ipv6 and everything was running fine but have noticed during random testing of ipv6 only sites that I'm no longer getting an ipv6 address.

I'm using a Draytek 2862 which is configured to get a WAN V6 address via PPP, this was working fine, I've also tried it with DHCPv6 but neither are working at the moment.

Good luck all.

Andrew

Hi Andrew,

I too am using a Draytek 2862 and haven't seen any issues so far.

I was going to post my settings but as you say it was working initially it doesn't sound like it's a settings issue. Happy to still do so if desired though.

Are there any clues in the syslog that might indicate what's going on?

I have IPv6 working (ipv6-test.com 10/10) when using a Billion 8800NL with Windows 11, Linux & Android clients.

When using a tp-link Archer VR600 it is working on Linux, not working on Android and Windows 11 will work for a minute or two after enabling the ethernet port on Windows 11 but then give 0/10. If I disable and enable the port again it will give 10/10 for another minute or two. All devices are getting and retaining an IPv6 address. 

I am using WIreshark to try and troubleshoot the issue but it is a steep learning curve.

Also in the process of putting OpenWrt on an old Plusnet Hub One to see what happens.

Pete

Hi Andrew,

I'm away from home for a few weeks at the moment, so don't want to fiddle too much, but IP6 is still running fine here.

Note that I wasn't getting anything via DHCPv6 when I tested that a couple of weeks ago, so I'm not surprised that didn't work.

Prefix Delegation was able to be requested happily at that point (at least).

I did then setup static and policy routing for the home lab so I'm somewhat insulated from temporary outages.

I have poked around /var/log/ and it doesn't look like wide-dhcpv6 is actually logging anything for me.  That's something I'll have to add to the list of things to look into when I'm home, so I can't currently tell you when the last successful refresh of the PD happened.

Good luck and sorry I can't be more help than 'IP6 is still working for me at the moment'!

Mark

Hi Dave,

Just wondering about the reverse DNS.

I have a couple I'd like to set to move my mail server over to a plusnet ip6 address.  DNSWL requires forward and reverse match, so it is a little bit of a blocker at present.

Any thoughts about how or if or when this capability might be provided?

My original thought was to use HE's hosted DNS service as they will manage up to 50 domains for free, including IP6 reverse domains, and I have a history with them for the 6in4 tunnels I was using before the IP6 trial.  They appear to have an issue with managing a whole /56 (in that their interface appears built for a /48 or a /64 and doesn't appear to be able to handle a prefix that doesn't split at the colons).  For my purpose, delegating a /64 (or two) would be fine though.

If you have the capability to manually add a couple of reverse IP6 DNS records, I'd greatly appreciate it in the interim.

Cheers,

Mark

---

@MPC wrote:

 

My original thought was to use HE's hosted DNS service as they will manage up to 50 domains for free, including IP6 reverse domains, and I have a history with them for the 6in4 tunnels I was using before the IP6 trial.  They appear to have an issue with managing a whole /56 (in that their interface appears built for a /48 or a /64 and doesn't appear to be able to handle a prefix that doesn't split at the colons).  For my purpose, delegating a /64 (or two) would be fine though.

---

For what it's worth (obviously not much given the delegation to HE hasn't been made!) I've been able to add a /56 to HE's reverse DNS interface and PTR records within it resolve fine.

Hi @MJN ,

I successfully added the whole /56, but then I didn't see a sane way to set the final 2 digits in the interface.  I admit I gave up very easily though.

PlusNet are allocating a /56, so a prefix 'a', 8-bits for local subnetting (XX), and then the addresses in each /64 'b'

aaaa:aaaa:aaaa:aaXX:bbbb:bbbb:bbbb:bbbb

The HE interface presented me:

Uneditable:

aaaa:aaaa:aaaa:aa00:

Editable:

bbbb:bbbb:bbbb:bbbb plus the host name to use.

I'll go back and take another look.  Did you try to set a hostname for a subnet that wasn't XX=00?

Cheers,

Mark

@MPC Try the 'Advanced' tab at the top as it gives you more freedom for how you configure things. Still somewhat clunky though. And, yeah, it'll handle non XX=00 scenarios too (indeed my LAN is XX=01 as the router takes the XX=00 /64 for its WAN interface).

I was going to post some obfuscated screenshots showing my configuration but the obfuscation would likely hide the very detail and nuances that would be most useful! Happy to share by PM if need be.

@MJN Thanks very much for the pointer to the Advanced tab.  Rather ugly for putting in the PTR records but as you say, it does work and I hadn't noticed that interface before.

I did find https://ipv6calc.online/ which has a simple interface to put the IP6 address you want a PTR record for, and then it provides the ip6.arpa form for a simple cut and paste to avoid address formatting errors.

Cheers,

Mark